Easier Handling of Banned Content and Bad Header Messages

[liverpoolfcfan]

I have been trying to set up an easier way to manage emails that have bad headers and/or banned content attachments.

I have come up the following configuration, and would like to hear feedback on whether I am introducing any unexpected weaknesses into the system by doing the following.

1. Adding the following two settings in amavisd.conf.in file in /opt/zimbra/conf in order to send the items to a quarantine email account instead of a folder.

$bad_header_quarantine_to = 'quarantineadmin@myco....com';
$banned_quarantine_to = 'quarantineadmin@myco....com';

2. Adding the following settings at the end of the master.conf.in file in /opt/zimbra/postfix/conf to allow smtp connections to postfix from a single machine on our network (192.168.1.100) to the server (192.168.1.209)

192.168.1.209:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o virtual_mailbox_maps=
-o virtual_alias_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_milters=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,rej ect
-o mynetworks_style=host
-o mynetworks=192.168.1.100/32
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_ unknown_recipient_checks,no_address_mappings

3. Adding an IMAP Account to Thunderbird (or other email client) running on the machine with IP 192.168.1.100 (as defined in mynetworks setting above) for user quarantineadmin@myco....com to allow the examination of any quarantined emails. This user account can then forward any emails that are deemed to be acceptable directly to the local user through the new postfix connection bypassing the avavisd checks.


For those of you who are more postfix savvy than I, is there a way to further restrict use of this smtpd connection to only the quarantineadmin@myco....com user.

Thanks in advance for your thoughts.

[arifsaha]

Thanks for sharing your solution!

Can the quarantine email account in Zimbra server, i.e. if we setup the quarantine email account in the same domain as the one amavis work on, will that e-mail go through amavis again, quarantined again, and become a infinite loop until the e-mail become too big from additional headers?

Thanks!

[liverpoolfcfan]

Thanks for sharing your solution!

Can the quarantine email account in Zimbra server, i.e. if we setup the quarantine email account in the same domain as the one amavis work on, will that e-mail go through amavis again, quarantined again, and become a infinite loop until the e-mail become too big from additional headers?

Thanks!

Not if you set it up as I did with the additional allowed connection from an administrative machine to port 10025.

By default amavisd listens on 10024, and the mail system passes emails to 10024 - through amavisd - then out from there to 10025 which is the mail sender.

By configuring this special administrative connection direct to port 10025 - your client is sending the email directly to the mail sender - not back into amavisd.

By the way - I use Thunderbird with an Add-on called Mail Redirect - which allows me to do a Resend on the good emails - this has the advantage that the original from address is intact in the SMTP envelope.

[Klug]

Nice one.

There'll be stg handy in 7.0 : Bug 11061 : amavisd virus quarantine should be to a mailbox