LinuxQuestions.org
Old 04-10-2007, 04:59 PM   #1
quackking
LQ Newbie
 
Registered: Feb 2004
Distribution: mandrake 9.2+
Posts: 19

Rep: Reputation: 0
How do I use a regexp in Postfix alias table?


Hi, I am successfully using web-cyradm+postfix+cyrus-imap+SASL+Mysql on a
variety of Linux boxes, mostly running Ubuntu 6.06LTS. This system works well
for me and I have not upgraded past web-cyradm version 0.54 yet. I generally have ten or more virtual domains receiving mail on a server. I also posted more or less this same question to the web-cyradm list, but I have not got the info that I think I want.

Recently I have started to be mail-bombed in this way; some fool out there is
sending spam with return addresses in this form

triyant*******@mydomain.com

The emails bounce to my server, which rejects them. However the volume is large
and I would prefer to simply /dev/null all email with a recipient that begins
with the letters 'triyant'.

Postfix 2.2.10 allows you to use regexp in the alias table, but I don't know how
to do it. I tried creating an alias 'triyant^' (without the quotes) but that
does not work. If I alias a specific address, like 'triyantooopl' to /dev/null,
it works fine, but since there are billions of variants (all beginning with
'triyant') a regexp is obviously the way to go.

I would really be grateful for any help. What I want is probably really simple.
(maybe instead of 'triyant^' I should say 'regexp:triyant^' ?)

Thanks in advance.

Note: I use Webmin 1.3.0 to administer this server - Webmin's Postfix page has a list of predefined aliases that redirect to different destinations, for instance 'marketing' goes to 'postmaster', etc. When I say that I have aliased a specific 'triyant****' address, what I mean is that I have added that specific address to the /etc/postfix/aliases file using the Webmin tool.

Last edited by quackking; 04-10-2007 at 05:03 PM.
 
Old 04-10-2007, 09:41 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I would recommend using spamassassin. It allows you to easily create a blacklist of email addresses that you don't want to accept messages from and then it drops the message. Another thing you can do is specify not to accept email from the server that is sending these messages through /etc/hosts.deny.
 
Old 04-10-2007, 09:57 PM   #3
quackking
LQ Newbie
 
Registered: Feb 2004
Distribution: mandrake 9.2+
Posts: 19

Original Poster
Rep: Reputation: 0
I don't want to run another piece of software for this problem - and the incoming mail is coming from hundreds of different servers (remember, it is caused because someone is forging fake usernames in a real domain, and the actual spam victims are receiving the spam from him, and replying to me.)

The simplest thing is exactly what I asked for above - how can I alias everything beginning with 'triyant' and direct it with no further processing to /dev/null ?

Anybody? This can't be that hard to do, but I can't figure out the syntax in the alias file.

Again, thanks a lot.
 
Old 04-11-2007, 08:07 AM   #4
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I do not recommend that you have postfix do the mail filtering. Especially if you have a busy server. If postfix does the body checks it will slow down a lot especially when it is busy. It is better to have postfix accept all mail then to have spamassassin process it in the background. Afterward you should monitor the number of messages coming from that spammer so you can reject the connection altogether using hosts.deny.

If you still want to use SMTP body checks through postfix then here's what you do:

Create the file /etc/postfix/body_checks as follows:

/^From: triyant*******@mydomain.com/ REJECT

Run 'postmap /etc/postfix/body_checks' then make sure it has the correct file permissions.

Add the following to /etc/postfix/main.cf:

body_checks = regexp:/etc/postfix/body_checks

Reload postfix with command:

/etc/init.d/postfix reload

You may want to create a test mail account with a free service such as yahoo or hotmail and then try testing with it first in case of interruptions. Drop me an Email if you need more help. Good Luck.
 
Old 04-11-2007, 08:08 AM   #5
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Correction:

body_checks = hash:/etc/postfix/body_checks
 
Old 04-11-2007, 12:14 PM   #6
quackking
LQ Newbie
 
Registered: Feb 2004
Distribution: mandrake 9.2+
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks. I will probably email you - I am wondering why body_checks needs to be involved instead of /etc/postfix/aliases - I do not want to read the emails, all the information is available in the 'to:' field, and as I say, I am successfully /dev/null-ing (is that a word?) specific aliases - all of which are located only in the aliases file, and not in body_checks!

It sounds like if I could use exactly your syntax except in the aliases file and not in body_checks, that is what I am looking for.

If I want to do that in the aliases databases, and the present entry for 'Alias databases used by the local delivery agent' is 'hash:/etc/postfix/aliases', and a specific entry in that table looks like this:

triyantaoizen: /dev/null


then how would a regexp: equivalent be constructed?

--------

Again, just so you understand - there is not a single source of these emails - I am not receiving mail from a specific 'spammer', and of course I am already using spamhaus, etc - all the usual RBL lists. I am receiving mail from thousands of victims of the original spammer, who has used 'triyant^@mydomain.com' as his return address. I can't fix this by blocking a single IP or sender - this is a different sort of problem.
 
Old 04-11-2007, 01:18 PM   #7
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I just realized that it is header_checks instead of body_checks. Use the following instead. This will check the header of every message and if it finds triyant@mydomain.com in the header then it will reject the message:

In main.cf:

header_checks = hash:/etc/postfix/header_checks

/etc/postfix/header_checks:

/^from: *triyant@mydomain\.com$/ REJECT

Run 'postmap /etc/postfix/header_checks && /etc/init.d/postfix reload'.
 
Old 04-11-2007, 01:21 PM   #8
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
quackking, to do what you want,

in main.cf, add a new source of aliases:

Code:
alias_maps = hash:/etc/aliases regexp:/etc/aliases-regexp

aliases-regexp might look like this:

Code:
/^triyant.*/     /dev/null

See the regexp_table man page for the syntax.

Note that this isn't very efficient compared to rejecting the recipient during the smtp conversation.

Last edited by Berhanie; 04-11-2007 at 11:07 PM.
 
Old 04-12-2007, 08:27 PM   #9
quackking
LQ Newbie
 
Registered: Feb 2004
Distribution: mandrake 9.2+
Posts: 19

Original Poster
Rep: Reputation: 0
Almost!

I have header_checks set to the proper file. When I try this

/^from: triyant*************@mydomain\.com/

Postfix (via Webmin 1.330 interface) responds

Error while saving a mapping : Invalid regular expression - must be like /something/

I want to reject all mail with a from address beginning with the seven characters 'triyant'. At this point (since I have no users with that name) I don't care if I reject them from one or all of the domains I serve.

Very close, not quite. At this point it is my ignorance of regexp that is doing the damage.

Thanks for all this help, btw.
 
Old 04-12-2007, 10:02 PM   #10
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
My last post will work. Go through it thoroughly and try it. Also you should not use a regex (regular expression) table; use a hash table instead, it is processed much faster by postfix, especially if the table is long.
 
Old 04-13-2007, 09:28 AM   #11
quackking
LQ Newbie
 
Registered: Feb 2004
Distribution: mandrake 9.2+
Posts: 19

Original Poster
Rep: Reputation: 0
This is mainly for ramram, but thanks to all your assistance on the regexp question.

ramram's last post seems incorrect. I don't want to /dev/null the literal string 'triyant@mydomain.com' - that would be too easy. I want to get rid of everything *beginning* 'triyant' - for example,

triyantooouk@mydomain.com
triyantabc@mydomain.com
triyantuekfljm@mydomain.com

...

etc. - Note that the string before the '@' sign could be just the seven characters 'triyant', or anything, even thirty characters long, but with the first seven characters always 'triyant'.

Doesn't what you suggest in the fragment below

----

In main.cf:

header_checks = hash:/etc/postfix/header_checks

/etc/postfix/header_checks:

/^from: *triyant@mydomain\.com$/ REJECT

----

just match the literal string 'triyant@mydomain.com'?

Thanks again!
 
Old 04-13-2007, 12:10 PM   #12
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Yes, but you can also do:

/^from: *triyant / REJECT

That should reject anything starting with triyant. You may want to review the postfix UCE rules, to see what is the best solution for wildcards using header_checks; it should work. I've had it work for me a while ago.
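
To see which inputs the patterns posted in this thread actually match, the following added example (not code from any poster or from Postfix) evaluates them first-match-wins against constructed alias keys and header lines. `parse_table`, `lookup` and the sample inputs are hypothetical, and Python's `re` only approximates the POSIX regexp matching Postfix uses.

```python
import re

# Table lines copied from the thread's posts; format is "/pattern/ action".
ALIASES_REGEXP = "/^triyant.*/     /dev/null\n"
HEADER_CHECKS = (
    "/^from: *triyant@mydomain\\.com$/ REJECT\n"
    "/^from: *triyant / REJECT\n"
)

def parse_table(text):
    """Parse '/pattern/ action' lines; skip blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.+)$", line)
        if m is None:
            raise ValueError("expected /pattern/ action, got %r" % line)
        # Assumption: Python's re stands in for the POSIX regex Postfix uses.
        # regexp tables match case-insensitively unless told otherwise.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, key):
    """Return the action of the first rule that matches key, else None."""
    for pattern, action in rules:
        if pattern.search(key):
            return action
    return None

# Constructed sample inputs (not taken from a real server).
LOCAL_PARTS = ["triyantooouk", "triyant", "postmaster"]
HEADER_LINES = [
    "From: MAILER-DAEMON@mail.example.net",   # constructed bounce sender
    "To: triyantooouk@mydomain.com",
    "From: triyant@mydomain.com",
    "From: triyantabc@mydomain.com",
]

if __name__ == "__main__":
    aliases = parse_table(ALIASES_REGEXP)
    headers = parse_table(HEADER_CHECKS)
    for key in LOCAL_PARTS:
        print("alias  %-40r -> %s" % (key, lookup(aliases, key)))
    for line in HEADER_LINES:
        print("header %-40r -> %s" % (line, lookup(headers, line)))
```

On a server with Postfix installed, `postmap -q triyantooouk regexp:/etc/aliases-regexp` performs the real lookup against the table file.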
 
  

