I had problems with outgoing spam emails from compromised email accounts sending spam mails from my server and landing on blacklists. So I followed the guidelines for setting up postfix with amavis:
- https://workaround.org/ispmail/lenny/amavis-filtering-spam-and-viruses
- http://wiki.ubuntuusers.de/Amavis-Spam-Virenfilter
Everything seems to work fine, however I'd like to block outgoing spam/virus emails and rather notify the sender, that his e-mail has been rejected (via MAILER-DAEMON for example). Is there any possibility to do this? I only was able to figure out how to:
- Reject the mail completely and not notify the sender (which isn't really good, is it?):
Aug 25 12:05:35 ns207813 amavis[24728]: (24728-01) Blocked SPAM {NoBounceOpenRelay,Quarantined}, <root@mail.org> -> <john@example.com>, quarantine: J/spam-Jfuzg0ScCmKf.gz, Message-ID: <GTUBE1.1010101@example.net>, mail_id: Jfuzg0ScCmKf, Hits: 1004.054, size: 935, 2013 ms
- Send the mail anyways (but marked as "SPAM"):
Aug 25 12:19:10 ns207813 amavis[25182]: (25182-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [217.230.20.223]:65071 [217.230.20.223] <removed@mail.me> -> <removed@mail.com>, quarantine: i/spam-iy3rVCiRk8k2.gz, Queue-ID: 5B9D722AAA, Message-ID: <74576B87-1986-4179-A262-B96640387C9E@mail.me>, mail_id: iy3rVCiRk8k2, Hits: 999.001, size: 2663, queued_as: DD67222ABE, 1379 ms
My current amavis settings are:
$sa_spam_subject_tag = '[SPAM] ';
$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 20; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
I'd also like to mark incoming viruses as a virus instead of rejecting the mail completely, if possible (so no mail gets lost).
Thank you for your help!
Best Answer
What you want to do requires to treat mails from users using your server as their MSA (i.e. their outgoing relay) with a different policy than those received from 3rd parties (i.e. when your mailserver is acting in it's MX role). Fortunately, amavis has just the right tool for you: Policy Banks.
Let's see how you could define a policy for your users:
From the naming of this policy bank, you can already guess that I'm running this as a pre-queue filter that get's triggered if mail is delivered via the submission TCP port 587. To make this configuration work, I told my Postfix MTA to deliver mails that the submission service received to localhost on port 10028 (whereas, when acting as public MX, the server forwards mail to port 10024). To activate two ports in amavis and bind the PREQ-SUB policy to port 10028, I'm using these settings:
The corresponding master.cf entry for Postfix is:
Note that this does actually do a bit more than simply send mails to amavis, e.g. set cipher lists and so on (you'll notice the main.cf variable references).
So, what can you do if your users do NOT submit their mail on port 587, or not all of them do? Well, you'll have to leave the land of 100% certainty then. amavis can analyze the contents of a mail and act on the presence of headers. One such headers could be the authenticated user's name which Postfix adds if you set smtpd_sasl_authenticated_header = yes. You could then tell amavis to act on this header:
Please don't ignore the warning within this code: Headers are easily fakeable, and other mail servers could insert an "Authenticated sender" header, too, so better match for something like "your-mailserver.example.net.*Authenticated sender".
On a final note, regarding one of your comments: Running a mail server DOES take a lot of time, and requires you to constantly monitor it for abuse. There is not "get out of jail free" card when it comes to taking part in the global email system!