Postfix header_checks seemingly ignored

Discussion in 'General' started by Richard Foley, Jun 5, 2021.

  1. Richard Foley

    Richard Foley Member

    hi there,
    I'm running postfix with several header_checks that appear to be being ignored, e.g. I don't see anything in the mail.log relating to the entries which should be found (and rejected). This may be something obvious (it usually is), but I'm scratching my head here.

    Here's a snippet of email header that I'm trying to block, which is still getting through:
    Code:
    Return-Path: <[email protected]>

    This is part of the header_checks file, entered via the ISPConfig3 email content filter interface:
    Code:
    # cat /etc/postfix/header_checks
    /^Return-Path: .*(?=rfi\.net@mail\.).*/  REJECT spam_40
    /(GB2312|koi[78]-r|iso-2022-jp)/  REJECT spam_12
    /^((To|Cc|From):.*@(icq|qq)\.)/  REJECT spam_45
    
    This file is referenced in postfix's main.cf:
    Code:
    # grep header_checks /etc/postfix/main.cf
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks

    I've reloaded and restarted postfix several times, here is the current postfix status:
    Code:
    # systemctl status postfix
    ● postfix.service - Postfix Mail Transport Agent
       Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
       Active: active (exited) since Sat 2021-06-05 18:48:20 UTC; 5min ago
      Process: 17009 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
     Main PID: 17009 (code=exited, status=0/SUCCESS)
    
    Jun 05 18:48:20 mythic.rfi.net systemd[1]: Starting Postfix Mail Transport Agent...
    Jun 05 18:48:20 mythic.rfi.net systemd[1]: Started Postfix Mail Transport Agent.
    
    This is the relevant log file entry - empty - where I'd expect to see a REJECT for the above email header:
    Code:
    # grep spam_ /var/log/mail.log
    #

    I have ISPConfig3 3.2.4 running on a Debian Buster
    Linux mythic.rfi.net 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) i686 GNU/Linux

    I'd be keen to hear any helpful suggestions.
    Many thanks in advance.
     
    Last edited: Jun 5, 2021
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    The return-path header is added by postfix itself, so it is not present when the message is processed with header checks.
     
  3. Richard Foley

    Richard Foley Member

    Ah, good to know that, and many thanks Jesse for the clarification.

    I'll go back to the drawing board on that filter then :oops:

     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Return-path just records the smtp sender, so you could use anything which accesses it, e.g. a map in smtpd_sender_restrictions. Personally I would probably use a custom rspamd rule.
     
  5. Richard Foley

    Richard Foley Member

    I think I've discovered why my header_checks were not being used (in addition to the filter in the original post being ignored as per your comment, Jesse).
    In master.cf I have this:
    Code:
            -o receive_override_options=no_unknown_recipient_checks #,no_header_body_checks
    
    Note the `no_header_checks` is now commented out and my filter rules are now being observed - so all fine on that front.

    What is still a little strange is I have 2 nearly identical entries where the above code is used in master.cf
    The first for port 10025 and the second for port 10027 - I think these are for the internal routing postfix/amavis/etc.
    The point being that I've uncommented no_header_checks from both blocks, and am unsure if this is the correct approach.
    The 10025 block is identical to the 10027 block except for the 10027 block including:
    Code:
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
    
    Does this make sense?
     
    Last edited: Jun 8, 2021
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That is correct, the port 10025 and 10027 smtpd instances receive mail from amavis and have nearly all checks disabled, the port 25 smtpd will be performing the header checks.
     
  7. Richard Foley

    Richard Foley Member

    This is just to confirm that your advice was spot-on, Jesse.
    The Return-Path was the wrong place to be looking to filter and the no_header_body_checks was a wild-goose chase.
    I've reinstated the no_header_body_checks for ports 10025 + 10027 and everything appears to be working correctly again.
    Many thanks!
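
The split described in posts 5 to 7, as an added example that is not part of the original thread: a small Python audit that parses master.cf and reports which smtpd listeners skip header_checks because `no_header_body_checks` is set in `receive_override_options`. The master.cf excerpt is constructed for illustration, and the script assumes overrides are written as `-o name=value` in master.cf only (it does not read main.cf).

```python
import re

# Constructed master.cf excerpt modelled on the thread: port 25 has no override,
# the two amavis re-injection listeners (10025, 10027) disable header/body checks.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
# re-injection from the content filter
127.0.0.1:10025 inet n  -       n       -       -       smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
127.0.0.1:10027 inet n  -       n       -       -       smtpd
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o milter_default_action=accept
        -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       y       60      1       pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their service line."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def header_check_status(text):
    """Return {service: bool}: True if header_checks run in that smtpd instance."""
    status = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # only smtpd listeners receive mail over SMTP
        opts = dict(m.groups() for m in re.finditer(r"-o\s+([\w.]+)=(\S*)", line))
        overrides = opts.get("receive_override_options", "").split(",")
        status[fields[0]] = "no_header_body_checks" not in overrides
    return status

if __name__ == "__main__":
    for service, active in header_check_status(SAMPLE_MASTER_CF).items():
        print(f"{service:18} header_checks {'applied' if active else 'skipped'}")
```

On a live system, pass the contents of /etc/postfix/master.cf to `header_check_status` instead of the sample; the expected result is that only the public listener applies the checks, so each message is filtered once before it reaches amavis.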

     
