[筆記] 修改iredmail 的 postfix 在mail header加入自訂的 tag

2016-12-19

之前因為公司的MAIL SERVER遭受退信攻擊

USER收到非常大量的退信，由於Anti-SPAM的機制目前沒有比較完整的處理方式

所以我跟工程師討論之後，提出在現有SPF/DKIM以外，是不是可以在mail header加入一個特定的tag

當收到退信，而這封退信的header中沒有包含我設定的tag，那就可以確定這是SPAM，直接丟掉就好

可惜的是，現在用的SPAM Gateway沒有這樣的功能，只能直接把account 加入拒收退信名單(有點鴕鳥心態..)

不過有個稽核的機制可以搭配使用，如果我能夠在postfix 中，對於寄出的信件加入tag，那這個稽核機制就可以在信件進來的時候進行檢查

假如是退信而且header中包含有tag，就是正常的退信，否則就直接丟掉

OK，那就要先來研究怎麼在postfix中，在header加入tag，其實方法很簡單

而且這個方法之前在還沒有建置郵件過濾軟體時，就有用來過濾含有病毒的附件

只要在postfix的 main.cf 加入

header_checks = pcre:/etc/postfix/header_checks
然後修改 /etc/postfix/header_checks 內容如下
/^From:.*@abc.org.*/i PREPEND tag: sendfromabcorg

/^From:.*@123.com.cn.*/i PREPEND tag: sendfrom123comcn
語法是正規化表示式，其實我也不太懂，大概的意思是找到From:xxxxx@abc.org 的那一行，在前面加入 tag:sendfromabcorg

當然 tag要改成什麼可以自行定義，不同的DOMAIN要分開來寫

好了之後，產生db 然後重起postfix

postmap -f /etc/postfix/header_checks

service postfix restart
接著寄出信件測試看看，底下這是我寄到微軟Office 365的信箱的郵件標頭，可以看到微軟自己也加了很多header進去，然後前面提到的SPF & DKIM也都有生效了。

Received: from HK2PR01MB0785.apcprd01.prod.exchangelabs.com (10.165.54.151) by

KL1PR01MB0789.apcprd01.prod.exchangelabs.com (10.165.16.151) with Microsoft

SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9 via Mailbox

Transport; Wed, 14 Dec 2016 05:35:00 +0000

Received: from SG2PR01CA0069.apcprd01.prod.exchangelabs.com (10.165.10.37) by

HK2PR01MB0785.apcprd01.prod.exchangelabs.com (10.165.54.151) with Microsoft

SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9; Wed, 14 Dec

2016 05:34:58 +0000

Received: from HK2APC01FT052.eop-APC01.prod.protection.outlook.com

(2a01:111:f400:7ebc::203) by SG2PR01CA0069.outlook.office365.com

(2a01:111:e400:79a7::37) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9 via Frontend

Transport; Wed, 14 Dec 2016 05:34:58 +0000

Authentication-Results: spf=pass (sender IP is 123.123.123.123)

smtp.mailfrom=abc.org; def.us; dkim=pass (signature was verified)

header.d=abc.org;def.us; dmarc=bestguesspass action=none

header.from=abc.org;def.us; dkim=pass (signature was verified)

header.d=abc.org;

Received-SPF: Pass (protection.outlook.com: domain of abc.org designates

123.123.123.123 as permitted sender) receiver=protection.outlook.com;

client-ip=123.123.123.123; helo=iredmail.abc.org;

Received: from iredmail.abc.org (123.123.123.123) by

HK2APC01FT052.mail.protection.outlook.com (10.152.248.244) with Microsoft

SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.6 via Frontend

Transport; Wed, 14 Dec 2016 05:34:56 +0000

X-IncomingTopHeaderMarker: OriginalChecksum:;UpperCasedChecksum:;SizeAsReceived:1619;Count:17

Received: from iredmail.abc.org (localhost [127.0.0.1])

by iredmail.abc.org (Postfix) with ESMTP id 55E6441D4A

for <mc@def.us>; Wed, 14 Dec 2016 13:30:51 +0800 (CST)

Authentication-Results: iredmail.abc.org (amavisd-new);

dkim=pass (1024-bit key) reason=”pass (just generated, assumed good)”

header.d=abc.org

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=abc.org; h=

user-agent:message-id:subject:subject:to:from:from:date:date

:content-transfer-encoding:content-type:content-type

:mime-version; s=dkim; t=1481693448; x=1482557449; bh=t1I5qi5Iyz

cB1IzeIAdCFQ+GnzUuHHMeCINT2eeH7dQ=; b=S789EtkuZDA2JbKpApkW+Spe3L

epmjIgdyA7AigMyYfAzK5DD2fbiIZ41o0dPYhO7+KNo8KA/P2ncUPdGLHqPAGmWC

rqfHf+lNSGVAUf5nJ6+eOYqmLyBFwh8EBC3gsH4P7OXo99HEemTc7ehhBNSfBnvQ

NcqEPVvrugB7xjc0c=

X-Virus-Scanned: amavisd-new at iredmail.abc.org

Received: from iredmail.abc.org ([127.0.0.1])

by iredmail.abc.org (iredmail.abc.org [127.0.0.1]) (amavisd-new, port 10026)

with ESMTP id q6WPshsekkVi for <mc@def.us>;

Wed, 14 Dec 2016 13:30:48 +0800 (CST)

Received: from iredmail.abc.org (localhost [127.0.0.1])

by iredmail.abc.org (Postfix) with ESMTPSA id E302341995

for <mc@def.us>; Wed, 14 Dec 2016 13:30:47 +0800 (CST)

MIME-Version: 1.0

Content-Type: text/plain; charset=”US-ASCII”; format=flowed

Content-Transfer-Encoding: 7bit

Date: Wed, 14 Dec 2016 13:30:47 +0800

tag: sendfromabcorg

From: mc@abc.org

To: mc@def.org

Subject: DKIM and SPF Test

Message-ID: <cec6f4052e6853c945fbe7b1401dac7e@abc.org>

X-Sender: mc@abc.org

X-Sender: mc@abc.org

User-Agent: Roundcube Webmail

X-IncomingHeaderCount: 17

Return-Path: mc@abc.org

X-MS-Exchange-Organization-Network-Message-Id: 9edc853e-86cc-4b50-2a64-08d423e2f07d

X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: 70116e8e-9694-4e77-924c-3e6cb9fdebb2:0

X-MS-Exchange-Organization-MessageDirectionality: Incoming

X-Forefront-Antispam-Report: CIP:123.123.123.123;IPV:NLI;CTRY:TW;EFV:NLI;SFV:NSPM;SFS:(6009001)(8196002)(2990300002)(438002)(199003)(189002)(2160300002)(230700001)(47776003)(558084003)(450100001)(54356999)(3480700004)(108616004)(588024002)(3250700002)(77096006)(33646002)(38730400001)(50986999)(92566002)(50466002)(83506001)(76506005)(356003)(53416004)(956001)(305945005)(1096003)(106466001)(85782001)(8896002)(81166006)(81156014)(55920200001)(2361001)(8676002)(2810700001)(189998001)(2351001)(93046001)(23726003)(236004)(86362001)(5660300001)(626004)(6916009)(24736003)(4270600005)(110136003)(107886002)(7126002)(4001350100001)(36756003)(69596002)(7099028)(85772001);DIR:INB;SFP:;SCL:1;SRVR:HK2PR01MB0785;H:iredmail.abc.org;FPR:;SPF:Pass;PTR:60-251-177-4.HINET-IP.hinet.net;A:1;MX:1;LANG:en;

X-Microsoft-Exchange-Diagnostics: 1;HK2APC01FT052;1:ew53ZhRD979FZT1RtwHWaJXr6nX94/pSosUc5YYzEK4/2RDIfQ7vO01nm75BpbWWlbXDkn4y237jrnDXGZEtF2iGl3Tuw2RZWIM0W71t+8MJRDMwqVgoxfI3h5ER546fw+T97frvoCKtyJJmncj0U3r6Sk7Kgl2IU6hSMsrbdDcA8gFiHXDXKCyA+U7E2njAZCdc/9Yza3TSYeNSOACpHnam2CW7naXU6lHdXb2dfxkOWTwBAvGGSg2IeMZAJjOCNAH1jUN6jzp0RAceAUw1Bc19PZtHFgOleZPhDDNqf1mWQM6U17+TShIWR4ynIwPWsZ6fXitCyO7/VAu/vlweuvo2iHcB6u3EDzcKEXWKrT7sHWhcRpa8yJ6tZRNvMV0+4j1wTuDk2SIMQynqMz1l3wF0bx1eYqhADVFg9MtLALCGkg6OkijfbfLfhxybIEPVyGJBNz0siW45d4q19JfcaPMFGVeWTrtJOjjS8vFJ6JCGK2r+HMaHOEYLbZpXQvEmF8VkA4JPtABBdAl0dOxM3rGvCSpExF7qfYfbb/vaRPk=

X-MS-Office365-Filtering-Correlation-Id: 9edc853e-86cc-4b50-2a64-08d423e2f07d

X-DkimResult-Test: Passed

X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(81800161)(8251501002)(3001016)(71701004)(71702072);SRVR:HK2PR01MB0785;

……………………

……………………….

底下省略數十行…
到這邊，在mail header加入tag的工作就完成了，剩下就要看那個NOPAM的稽核機制，能不能達成我要的功能了。