Postfix: How to make complex attachment filtering

postfixspam-filter

I have Postfix on our server.
I need to filter attachments in incoming mail not only by it type, but also check what inside of it. Exactly by now I need to filter attachment that:

is a .zip archive
contains .exe inside archive
is about 10-20k of size

Is it possible to pass attachment to external script? (Actually I'm able to write script that analyze the above conditions) Is it possible using Postfix only or do I need some external tool like spammassasin or Amavis?

Best Answer

Is it possible to pass attachment to external script? (Actually I'm able to write script that analyze the above conditions)

If you have some capabilities to creating a script to checks such conditions, then you may interested in this page: Postfix simple content filter. With this feature, your script will read email content via stdin. You can also pass some variable like sender, recipient, etc.

Of course the script needs to extract the attachment as postfix doesn't have capabilities to extract it. Another downside is you can't filter email submitted by mail command, such as email generated by PHP script in your server.

If this feature doesn't meet your needs, then you may look into advanced content filter section.

Related Solutions

Linux – Postfix how to triggering the script when outgoing email status is sent

This is only for logging message headers.

By default postix already logs most of this information, though not in one line. It doesn't, however, log the subject or message-id. We can add that in by using header_checks 5.
Note: for all mail and not just outgoing, use header_checks instead of smtp_header_checks.

#main.cf
smtp_header_checks = regexp:$config_directory/header-logging.cf


#header-logging.cf
/^subject:/      INFO
/^Subject:/      INFO
/^Message-Id:/   INFO

These messages will be logged to syslog in the facility specified by syslog_facility (default: mail).

Apr  9 15:37:25 mta-msa postfix/smtps/smtpd[14688]: DA75A231C600: client=192-0-2-5.example.com[192.0.2.5], sasl_method=LOGIN, sasl_username=foo
Apr  9 15:37:25 mta-msa postfix/cleanup[14686]: DA75A231C600: message-id=<000401d07315$bf0ea5a0$3d2bf0e0$@example.com>
Apr  9 15:37:25 mta-msa postfix/qmgr[14653]: DA75A231C600: from=<foo@example.com>, size=6495, nrcpt=1 (queue active)
Apr  9 15:37:26 mta-msa postfix/smtp[14675]: DA75A231C600: info: header Subject: RE: please email as you leave
Apr  9 15:37:26 mta-msa postfix/smtp[14675]: DA75A231C600: info: header Message-ID: <000401d07315$bf0ea5a0$3d2bf0e0$@example.com>
Apr  9 15:37:26 mta-msa postfix/smtp[14675]: DA75A231C600: to=<bar@example.org>, relay=mx.example.org[198.51.100.0]:25, delay=0.65, relays=0.01/0/0.33/0.31, dsn=2.0.0, status=sent (250 2.0.0 1tnx2ya0mh-1 Message accepted for delivery)
Apr  9 15:37:26 mta-msa postfix/qmgr[14653]: DA75A231C600: removed

How to block attachments on incoming mails only using Postfix

I will rewrite your question become:

How can I use different _header_checks for smtpd (port 25) and submission (port 587)?

This canonical problem can be divided with several conditions

I want turn off header_checks for one of smtpd or submission.
I want to run different header_checks for smtpd and submission.

1. I want turn off header_checks for one of smtpd or submission.

For the example I assume that you want to turn off the header_checks for submission (outgoing email).

Solution 1: receive_override_options method

You can use postfix parameter called receive_override_options. With the parameter you can override global header_check switch, so the filter won't run. #main.cf header_checks = pcre:/path/to/header_checks

#master.cf
submission inet n       -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks

Caveats: this will turn off ALL _header_checks and body_checks defined in man 5 header_checks. For the completed control which parameter that will be turned off, see Solution 2.

Solution 2: Multiple cleanup service method

We can multiple-cleanup-service technique for your problem as *_header_checks was performed by cleanup service. You can see the example of this setup in amavisd-new tutorial.

The magic parameter for this configuration is cleanup_service_name. With this parameter, we can use different cleanup service for each smtpd process. First we define one additional cleanup service (called no-headerchecks) in master.cf

no-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=

In this cleanup, we define empty mime_header_checks to disable filtering. The last step is tell submission service to use our no-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=no-headerchecks

2. I want to run different header_checks for smtpd and submission.

For this problem you can use multiple cleanup service method as described above.

First we define one additional cleanup service (called second-headerchecks) in master.cf

second-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=pcre:/path/to/2ndheaderchecks

In this cleanup, we define second mime_header_checks to other PCRE table. The last step is tell submission service to use our second-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=second-headerchecks

Note:

Your case looks similar with this question. Unfortunately the answer from Laurentiu Roescu only works if you want enable header_checks for outgoing mail that use smtp as transport. The good news is his first sentence about cleanup daemon gives us some idea for second solution.
Multiple cleanup service method can be applied if you want different header_checks, body_checks and other parameters defined in man 5 header_checks.