Postfix, Amavis & outgoing mail: how to notify the sender

I ran into problems with spammers sending spam from my server and landing on blacklists. So I followed the guides for setting up postfix with amavis:

  • https://workaround.org/ispmail/lenny/amavis-filtering-spam-and-viruses
  • http://wiki.ubuntuusers.de/Amavis-Spam-Virenfilter

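Everything seems to work fine, but I would like to block outgoing spam/virus mail and instead notify the sender that his e-mail has been rejected (e.g. via MAILER-DAEMON). Is it possible to do this? I could only figure out how to: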

  • Reject the mail completely, without notifying the sender (which is not very nice, is it?):
    Aug 25 12:05:35 ns207813 amavis[24728]: (24728-01) Blocked SPAM {NoBounceOpenRelay,Quarantined}, <[email protected]> -> <[email protected]>, quarantine: J/spam-Jfuzg0ScCmKf.gz, Message-ID: <[email protected]>, mail_id: Jfuzg0ScCmKf, Hits: 1004.054, size: 935, 2013 ms
  • Send the mail anyway (but tagged as "spam"):
    Aug 25 12:19:10 ns207813 amavis[25182]: (25182-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [217.230.20.223]:65071 [217.230.20.223] <[email protected]> -> <[email protected]>, quarantine: i/spam-iy3rVCiRk8k2.gz, Queue-ID: 5B9D722AAA, Message-ID: <[email protected]>, mail_id: iy3rVCiRk8k2, Hits: 999.001, size: 2663, queued_as: DD67222ABE, 1379 ms

My current amavis settings are:

    $sa_spam_subject_tag = '[SPAM] ';
    $sa_tag_level_deflt  = undef;  # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 5;      # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 20;     # triggers spam evasive actions
    $sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent

    $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
    $final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
    $final_spam_destiny       = D_PASS;
    $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

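If possible, I would also like incoming viruses to be tagged as a virus rather than have the mail rejected entirely (so that no mail gets lost).

Thanks for your help!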

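What you want to do requires treating mail from your users, for whom you act as MSA (i.e. their outbound relay), with a different policy than mail from third parties (i.e. when your mail server is acting in the MX role). Fortunately, amavis has just the right tool for you: policy banks.

Let's look at how to define a policy for your users: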

    $policy_bank{'PREQ-SUB'} = {
      originating => 1,                     # indicates client is ours, allows signing
      final_spam_destiny => D_DISCARD,      # discard spam
      final_virus_destiny => D_DISCARD,     # discard viruses
      warnspamsender => 1,                  # send a warning
      forward_method => 'smtp:127.0.0.1:10025',  # you probably need to adjust this
      smtpd_discard_ehlo_keywords => ['8BITMIME'],  # force mail conversion to Q/P
      smtpd_greeting_banner => '${helo-name} ${protocol} ${product} SUBMISSION service ready',
      spam_admin_maps => ["postmaster\@example.net"],   # warn of spam from us
      virus_admin_maps => ["postmaster\@example.net"],  # warn of viruses from us
    };

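From the naming of this policy bank you can already guess that I am running this as a pre-queue filter, which is triggered when mail is delivered via the submission TCP port 587. To make this configuration work, I tell my Postfix MTA to send mail received by the submission service to localhost on port 10028 (whereas, acting as the public MX, the server forwards mail to port 10024). To activate both ports in amavis and bind the PREQ-SUB policy to port 10028, I am using these settings: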

    # policy bank definition
    $inet_socket_port = [10024, 10028];       # listen on listed inet tcp ports
    $interface_policy{'10028'} = 'PREQ-SUB';  # mail submitted using TLS on submission/smtps port

The corresponding Postfix master.cf entry is:

    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o tls_preempt_cipherlist=$submission_tls_preempt_cipherlist
      -o smtpd_tls_protocols=$submission_smtpd_tls_protocols
      -o smtpd_tls_ciphers=$submission_smtpd_tls_ciphers
      -o smtpd_tls_exclude_ciphers=$submission_smtpd_tls_exclude_ciphers
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_proxy_filter=127.0.0.1:10028
      -o syslog_name=postfix-submission/smtpd
      -o receive_override_options=no_header_body_checks

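Note that this actually does more than just send mail to amavis, such as setting cipher lists and so on (you will notice the main.cf variable references).

So, what can you do if your users do not submit mail on port 587? Well, you will have to leave the land of 100% certainty. amavis can analyze the content of a mail and act based on the presence of a header. If you set smtpd_sasl_authenticated_header = yes, then such a header could be the name of the authenticated user added by Postfix. You can then tell amavis to act on this header: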

    package Amavis::Custom;
    use strict;

    BEGIN {
      import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
      import Amavis::Util qw(do_log untaint safe_encode safe_decode);
      import Amavis::rfc2821_2822_Tools;
      import Amavis::Notify qw(build_mime_entity);
    }

    sub new {
      my($class,$conn,$msginfo) = @_;
      my($self) = bless {}, $class;
      my $auth_sender = 0;
      foreach my $line (@{$msginfo->{'orig_header'}}) {
        $line =~ s/\n / /g;
        # WARNING: you need to improve this to AT LEAST also match
        # for your OWN mail servers name!
        $auth_sender = 1 if $line =~ m/^Authenticated sender/i;
      }
      if ($auth_sender) {
        do_log(2, sprintf("Load pre-queue submission policy bank"));
        # bank name must match the one defined in $policy_bank above
        Amavis::load_policy_bank('PREQ-SUB');
      }
      return $self;
    }

    1;  # ensure a defined return

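Please do not ignore the warning in this code: headers are easily forged, and other mail servers can also insert an "Authenticated sender" header, so better match for "your-mailserver.example.net.* Authenticated sender".

On a final note, a remark for you: running a mail server takes a lot of time and requires you to monitor it regularly for abuse. When it comes to participating in the global e-mail system, there is no "get out of jail free" card!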
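A stand-alone sketch of the stricter header check that the warning above asks for, added here as an example and not part of the original answer or of amavis. The helper name `trusted_auth_sender` is hypothetical, the header samples are constructed, and it assumes each element holds one complete header field (as in the `orig_header` loop above), that Postfix writes its `(Authenticated sender: ...)` comment directly before the `by` clause, and that `mail_name` is left at its default `Postfix`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of amavis: returns the SASL login name only
# when the newest Received field was written by our own Postfix instance.
sub trusted_auth_sender {
    my ($fields, $our_host) = @_;
    my $re = qr/\(Authenticated sender:\s*([^()\s]+)\)\s+by\s+\Q$our_host\E\s+\(Postfix\)/i;
    for my $field (@$fields) {
        next unless $field =~ /^Received:/i;
        (my $flat = $field) =~ s/\r?\n[ \t]+/ /g;    # unfold continuation lines
        # Only the topmost Received field is inspected: each relay prepends its
        # own, so every field below it may have been supplied by the sender.
        return $flat =~ $re ? $1 : undef;
    }
    return undef;    # message carries no Received field at all
}

my $host = 'your-mailserver.example.net';    # placeholder name from the answer

# Constructed sample 1: mail submitted by an authenticated user of our server.
my @submitted = (
    "Received: from laptop.example.org (unknown [192.0.2.10])\n"
  . "\t(Authenticated sender: alice)\n"
  . "\tby $host (Postfix) with ESMTPSA id 4F1A2B3C4D\n"
  . "\tfor <bob\@example.com>; Sun, 25 Aug 2013 12:19:09 +0200 (CEST)\n",
    "Subject: hello\n",
);

# Constructed sample 2: inbound mail whose older Received field, written by a
# foreign server, claims an authenticated sender.
my @inbound = (
    "Received: from mx.other.example (mx.other.example [198.51.100.7])\n"
  . "\tby $host (Postfix) with ESMTP id 5E6F7A8B9C\n"
  . "\tfor <carol\@example.net>; Sun, 25 Aug 2013 12:20:00 +0200 (CEST)\n",
    "Received: from pc (unknown [203.0.113.9])\n"
  . "\t(Authenticated sender: mallory)\n"
  . "\tby mx.other.example (Postfix) with ESMTPSA id 0A1B2C3D4E\n",
    "Subject: offer\n",
);

for my $case ([submitted => \@submitted], [inbound => \@inbound]) {
    my $user = trusted_auth_sender($case->[1], $host);
    printf "%-9s => %s\n", $case->[0],
        defined $user ? "load policy bank (user $user)" : "keep default policy";
}
```

Inside a custom hook, the same function could be called with `$msginfo->{'orig_header'}` and `$myhostname` before deciding whether to load the submission policy bank.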