OpenBSD Journal

Filtering Swen with OpenBSD

Contributed by jose on from the replacing-a-duplicate-PF-article dept.

OK, Daniel is at it again: this time he shows how to enable milter-based regular-expression mail filtering (milter-regex) on a sendmail server running OpenBSD. You can use it to block worms such as Swen efficiently, by matching on headers and attachment names rather than running a full virus scanner. It won't catch everything, but it works for the common mail-borne worms.



Comments
  1. By Steph L () on http://mutt.free.fr/milter/

    Looks really interesting. Daniel rocks :-)
    Sendmail's Milter API offers many solutions to
    common problems (spam, virus, policy, rate control, ...).
    Have a look at http://mutt.free.fr/milter/ for
    more information about Milter and a list
    of other existing Milter solutions.
    Feedback welcome at milter AT free.fr

  2. By Sleepy () sleepy@maximumunix.org on http://www.maximumunix.org

    This is great, but how hard would it be to get this to work for qmail or postfix?
    Is there an SMTP proxy that works in a similar way to the ftp-proxy, so people could redirect SMTP traffic to it for inspection?
    Thanks

    Comments
    1. By Daniel Hartmeier () daniel@benzedrine.cx on mailto:daniel@benzedrine.cx

      I'm not familiar with other MTAs, but I'd first check google for ways to do the same with built-in features of those MTAs.

      Doing it in a proxy would be possible, but there's no way to properly tell the receiving MTA that the proxy would like to abort the transaction (without potentially causing annoying warnings about what would appear to the MTA to be dropped connections or transactions left incomplete by the real sender), at least none that I know of.

      And I don't see how you could implement 'discard' in a proxy, either. The proxy would have to complete the transaction with the sender, while causing the receiver to discard the message. That ends up taking over some parts of the SMTP dialogue, making the proxy more complex.

      The milter API allows all of this to be done with the MTA (sendmail) being aware that an intermediate process is causing the rejections, solving those problems elegantly. If other MTAs have similar mechanisms (or, even better, built-in regexp filtering capabilities), I'd prefer those.

    2. By schubert () on http://schubert.cx/

      For qmail I would suggest using the qmail-queue patch, then installing qmail-scanner, which supports various backends like SpamAssassin and ClamAV (both in ports).

    4. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

      in Postfix:

      in main.cf:
      mime_header_checks = regexp:/etc/postfix/mime_header_checks

      In /etc/postfix/mime_header_checks:
      /name=[^>]*.(ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|lnk|js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh)/ DISCARD MS_EXE was attached


      No spaces in the regex. I use DISCARD so no bounces are generated. There is only one Windows user on my network, and I told her what I was doing, and have her friends zip up any program they want to send her.

      Comments
      1. By Anonymous Coward () on

        how would something like this be implemented in milter-regex?

        reject MS Attachment
        /name=[^>]*.(ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|lnk|js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh)/

        yes? no?
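
The Postfix mime_header_checks rule above, and the milter-regex version asked about in the reply, both hinge on one regular expression, so it is worth checking what that expression actually matches before putting it in front of real mail. The following script is an added example, not code from the page or from Postfix or milter-regex: it applies the posted pattern to a few constructed MIME header lines (Postfix regexp tables match case-insensitively by default, which re.IGNORECASE reproduces), and compares it with a tightened pattern of my own in which the dot before the extension is escaped and the extension must be followed by a closing quote, a semicolon or the end of the header. The sample headers are invented for the test.

```python
import re

# Extension list exactly as posted (the duplicate "lnk" dropped; it does not
# change what the alternation matches).
EXTS = ("ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|"
        "isp|lnk|js|jse|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|"
        "prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|"
        "wsf|wsh")

# The pattern as posted for mime_header_checks.  Note the unescaped "." (any
# character) and the absence of anything anchoring the end of the extension.
POSTED = re.compile(r"name=[^>]*.(" + EXTS + ")", re.IGNORECASE)

# Tightened form (my suggestion, not from the page): a literal ".", then the
# extension, then the end of the filename.  "name=" still matches inside
# "filename=", so Content-Disposition headers are covered as well.
TIGHT = re.compile(r'name="?[^">;]*\.(' + EXTS + r')"?(;|\s*$)', re.IGNORECASE)


def classify(header_line):
    """Return whether each pattern would fire on one logical MIME header line."""
    return {
        "posted": bool(POSTED.search(header_line)),
        "tightened": bool(TIGHT.search(header_line)),
    }


# Constructed sample headers (not taken from real mail or from the page).
SAMPLES = [
    'Content-Type: application/octet-stream; name="install.exe"',
    'Content-Disposition: attachment; filename="README.PIF"',
    'Content-Type: application/octet-stream; name="quarterly.exe.txt"',
    'Content-Type: application/pdf; name="ecommerce.pdf"',
    'Content-Type: text/plain; name="notes.txt"',
]


def run_samples():
    """Classify every sample; returns a list of (header, result) pairs."""
    return [(line, classify(line)) for line in SAMPLES]


if __name__ == "__main__":
    for line, result in run_samples():
        print(f"{result['posted']!s:5} {result['tightened']!s:5}  {line}")
```

The two real attachments ("install.exe", "README.PIF") are caught by both patterns. The posted pattern also fires on "quarterly.exe.txt" (nothing requires the extension to end the name) and on "ecommerce.pdf" (the unescaped dot lets "e" + "com" match), which the tightened form does not. Combined with DISCARD, a false positive like that silently drops a legitimate PDF and nobody is told; if you keep DISCARD, test the pattern against your own mail first, or log the match before discarding.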

    5. By Hugo Villeneuve () on http://EINTR.net

      In postfix, you have "header_checks" and "body_checks" which can be mapped into "regexp" or "pcre" maps to do something similar.

  3. By jordan () on http://www.roaringpenguin.com/mimedefang/

    Been using MIMEDefang for a year and am quite pleased with its ease of integrating several antivirus and SpamAssassin Perl modules and Perl regular expressions. I am curious how this differs in use, as it seems similar to me, with MIMEDefang being more mature (no denying Daniel's track record for coding replacements for more mature code in the past ;) It would be interesting to benchmark several of these milter plugins...

    Comments
    1. By Steph L () on http://mutt.free.fr/milter/

      MIMEDefang is a "Swiss Army knife" Milter, but most people will find it more difficult to set up: you need a bunch of Perl modules and Perl knowledge to configure it to deal with worms (a mimedefang-filter to write), and it requires a bit more resources (multiplexor + creation of several temporary files for each incoming message).

      Daniel's filter requires only a C compiler + sendmail with Milter support. It's an easier solution for fighting worms. Of course, if you want to do virus scanning with sendmail, set up amavisd-new or MIMEDefang.

  4. By collin () collin-deadly@betaversion.net on mailto:collin-deadly@betaversion.net

    Hi all,

    check out MessageWall (an SMTP proxy). It is specifically designed to block spam during the transfer process (in SMTP). It works for all MTAs since its backend does SMTP too. Check it out at: www.messagewall.org

    Comments
    1. By Steph L () on http://mutt.free.fr/milter/

      Is this project still really alive?
      The latest official release was made quite a long time ago...
      It works in "sandwich mode", so it is less efficient than a Milter filter (Milter uses threads), but of course it offers more features.

  5. By Paul Pruett () ppruett@webengr.com on http://www.cocoavillagepublishing.com/

    Thanks Daniel, something low-resource to put up a quick block for a known pattern, and we don't have to make install a bunch of Perl ports to use it... (yes, we do have to make build sendmail with milter, but that's easier these days by a simple edit to mk.conf).

    Also, I would think if you are using SpamAssassin and you would like one or several of the pattern-matching rules to be site-wide, you could do a regex equivalent. Because this is compiled and not Perl or otherwise, it should be faster.

    QUESTION - We could remove the regexp stuff for header matching that we have in sendmail.mc (and that is in some of the /usr/share/sendmail/cf/*.mc examples) and use this instead; would that be better?
    #
    # Reject mail based on regexp above
    #
    SLocal_check_mail
    R$* $: $>Parse0 $>3 $1
    R$+ $: $(checkaddress $1 $)
    R@MATCH $#error $: "553 Header error"

  6. By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/

    rdr proto tcp from any os { "Windows" "SCO" } to any port smtp -> 127.0.0.1 port spamd

  7. By sthen () on

    Exim with the exiscan-acl patch supports inline filtering too. My recent background has been mainly Postfix, so Exim was a bit of a different mindset to learn, but I think it was well worth it; it's incredibly flexible. For example, exiscan can do inline SpamAssassin, rejecting very-high-scoring mails and tagging medium-scoring mails, in a single pass... inline virus scanning... different processing of large mails (maybe you want to bypass SA for 500 KB+ mails to keep the load down)... Exim itself probably has more options for mail processing than even sendmail.cf, but it's far easier to use.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]