Postfix – subject, from and to log

This is a little trick for Postfix, it lets you log the subject, from and to of all the emails postfix sends (or which pass through it if you run it as a relay). It comes in handy when you need to debug an email issue and need to confirm your mailserver has sent the message.

First create the file /etc/postfix/header_checks and insert this into it:

/^subject:/      WARN
/^to:/           WARN
/^from:/         WARN
/^Subject:/      WARN
/^To:/           WARN
/^From:/         WARN

Now, in your postfix /etc/postfix/main.cf add the following to the end of the file:

header_checks = regexp:/etc/postfix/header_checks

And restart postfix:

service postfix restart

You will hopefully now get log items.

More header_checks examples:

Header pattern to block attachments with bad file name extensions. For convenience, the PCRE /x flag is specified, so that there is no need to collapse the pattern into a single line of text. The purpose of the [[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.

/etc/postfix/main.cf:
    header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre:
    /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
      hlp|ht[at]|
      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
      \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
      ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
      vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
        REJECT Attachment name "$2" may not end with ".$4"

Body pattern to stop a specific HTML browser vulnerability exploit.

/etc/postfix/main.cf:
    body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/body_checks:
    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
        REJECT IFRAME vulnerability exploit

How to stop a specific header exploit

master.cf
header_checks = pcre:/etc/postfix/header_checks

/etc/postfix/header_checks
/^Delivered-To: .*/
	  REJECT Header Exploit

In the file header_checks we can add our regular expressions. For example to block Chinese encoding you would have the following line:

/^Subject: =?big5?/     REJECT Chinese encoding not accepted by this server

Here is the contents of my header_checks file:

/^Received:/ HOLD

/^Subject: =?big5?/     REJECT Chinese encoding not accepted by this server

/^Subject: =?EUC-KR?/   REJECT Korean encoding not allowed by this server

/^Subject: ADV:/        REJECT Advertisements not accepted by this server

/^Subject: =?Windows-1251?/     REJECT Russian encoding not allowed by this server

/^Subject: =\?KOI8-R\?/ REJECT Russian encoding not allowed by this server

/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/   REJECT Language not accepted by this server as it is probably spam

/[^[:print:]]{8}/       REJECT Sorry, ascii characters only permitted by this server

/^From:.*\@.*\.cn/      REJECT Sorry, Chinese mail not allowed here

/^From:.*\@.*\.kr/      REJECT Sorry, Korean mail not allowed here

/^From:.*\@.*\.tr/      REJECT Sorry, Turkish mail not allowed here

/^From:.*\@.*\.ru/      REJECT Sorry, Russian mail not allowed here

/^From:.*\@.*\.ro/      REJECT Sorry, Romanian mail not allowed here

/^(Received|Message-Id|X-(Mailer|Sender)):.*\b(AutoMail|E-Broadcaster|Emailer Platinum|Thunder Server|eMarksman|Extractor|e-Merge|from stealth[^.]|Global Messenger|GroupMaster|Mailcast|MailKing|Match10|MassE-Mail|massmail\.pl|News Breaker|Powermailer|Quick Shot|Ready Aim Fire|WindoZ|WorldMerge|Yourdora|Lite)\b/ REJECT No mass mailers allowed. You are probably sending spam

/^X-Mailer:.*\b(Aristotle|Avalanche|Blaster|Bomber|DejaVu|eMerge|Extractor|UltraMail|Sonic|Floodgate|GeoList|Mach10|MegaPro|Aureate|MultiMailer|Bluecom|Achi-Kochi Mail|Direct Email|Andrew's SuperCool Blastoise|MailerGear|Advanced Mass Sender|SpireMail|MailWorkZ|UltimDBMail|Mabry|Lite)\b/ REJECT No mass mailers allowed. You are probably sending spam.

/^(To|From|Cc|Reply-To):.*@optonline/   REJECT Sorry, your message is probably spam

The REJECT in the above example means that your Postfix will send a rejection message with the message Chinese encoding not accepted by this server to the originating MTA. If you would rather reject them outright without sending a non delivery report change REJECT to DISCARD.

More. Example file: ‘/etc/postfix/header_checks’

/^From:.*Casino/ REJECT Casino spam detected in headers. Your message was marked as spam. #Rule 1
/^Subject:.*naked/ REJECT Explicit content detected in headers. Your message was marked as spam. #Rule 2

Simple method to block email messages by content (body)

regexp:/etc/postfix/body_checks

Example file: ‘/etc/postfix/body_checks’

/mdaemon/ REJECT Your email client is used for spam. #Rule 1
/cialis/ REJECT Email messages with drugs are not allowed. #Rule 2
/casino/ REJECT Email messages regarding casino are not allowed. #Rule 3
/search engine registration/ REJECT Nigga. I dont need your fake services. #Rule 4
/thecreativelogos.com/ REJECT Invaders must die #Rule 5

After file creation, you must run ‘postmap filename’ and reload postfix.

postmap /etc/postfix/body_checks 
postmap /etc/postfix/header_checks