Score:0

Regexp header_checks in postfix for a match over multiple lines

eg flag

Here's my /etc/postfix/main.cf header_checks line:

header_checks = regexp:/etc/postfix/maps/header_checks

And here is header_checks:

/From:.*email@my\.com.(\n|.)*?To:.*email@my\.com./     DISCARD

Here's portion of the header from the emails I'm trying to match:

Received: from localhost (localhost [127.0.0.1])
    by mail.server.com (Postfix) with ESMTP id 690649204C0
    for <[email protected]>; Mon,  7 Nov 2022 13:27:00 -0600 (CST)
From: "White Carb Tricks" <[email protected]>
To: "email" <[email protected]>
Subject: Clear artery-blocking plaque overnight
Date: Mon, 7 Nov 2022 09:42:42 -0600

As you can see I'm trying to match when spammers spoof the "For" and the "To" to look like the user sent it.

If I test the regular expression in header_checks via an online regex tool it matches the "From" and "To" lines like I want.

regex produces one match when applied to the full email headers

When I do:

postmap -q $'From: "White Carb Tricks" <[email protected]>\r\nTo: "email" <[email protected]>' regexp:/etc/postfix/maps/header_checks

It returns "DISCARD" as expected.

When I paste the header text into a test file and test it like this:

postmap -q - regexp:/etc/postfix/maps/header_checks < /etc/postfix/maps/regex-test 

...it returns blank.

I should note that Postfix isn't discarding them either. The user keeps getting the emails.

I also changed this in master.cf:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

to

-o receive_override_options=no_unknown_recipient_checks,no_address_mappings

...based on another thread I read.

Any ideas what I'm doing wrong? Is it my regex in header_checks?

Score:0
fr flag
anx

It does not work like that, as documented man 5 header_checks (emphasis mine):

Note: message headers are examined one logical header at a time, even when a message header spans multiple lines. Body lines are always examined one line at a time.

You could have tested this by calling postmap as its meant to be:

# does not mimic header_checks, trues the whole lookup key.
postmap -q $'HA: value\r\nHB: value2' regexp:header_checks.pcre
# does mimic header_checks, one header (including continuation) at a time:
postmap -h -q $'HA: value\r\nHB: value2' regexp:header_checks.pcre

If you want to match multiple headers at once, plug in a tool fit for the purpose. Popular choices geared towards the spam fighting use case include SpamAssassin (dated, but still works) and Rspamd.

If you want people to stop using your domain name, look into DMARC.

Denny avatar
eg flag
Thanks for this clarification. I see why the headers in this case aren't being flagged. As far as DMARC, this client has a proper DMARC in place. The "From" in question isn't from the "Received From" but is, instead the mail "From'" in the header. This seems to make a difference? Apparently the DMARC grabs the From info from the "Received From". Am I getting this wrong?
anx avatar
fr flag
anx
@Denny The result of the DMARC validation is the combination of a check whether the message is signed/sent by an an authorized party AND the header sender is aligned with what was checked. If the client has published and is enforcing a DMARC policy, and you are seeing email with that name spoofed in the `From:` header, you want to have a stern look at the `Authentication-Results:` headers.
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.