Re: best practice anti virus integration & custom reject messages

Mon, 17 Sep 2018 07:19:29 -0700 

Stefan Bauer:
> Hi,
> 
> I like the clean and easy milter way and having clamd this way integrated
> in postfix. But i can not use custom reject message in case clamd detects
> virus.
> 
> postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
> (...): 5.7.1 Command rejected; from=<me> to=<recipient> proto=ESMTP
> helo=<my internal mailserver>
>
> This message lacks basic information - virus detected.

That is because the Milter did not provide that a reason in the
response to Postfix. The milter could be changed to provide a reason:
see discussion below.

>  smtp_delivery_status_filters seems to not work in this case. Right?

As documented that is applicable for SENDING, not RECEIVING email.

> Pulling in amavis as well might give option to have custom reject
> messages, but i do not like to have an additonal service in the
> chain.

Postfix has no 'milter reply filter' feature and it is unlikely to
happen.

To solve this problem you'd pass the Milter response through another
program, or you would use a virus detector that produces more
informative responses.

The Milter replies with code SMFIR_REJECT, which supports no
indication why mail is rejected:

  * SMFIR_REJECT 
    In response to a RCPT command, indicates that the recipient
    should be rejected with a permanent error. In any other context
    this indicates that the entire message should be rejected with
    a permanent error and that no further milter commands or responses
    will be exchanged.

The Milter could be improved by sending SMFIR_REPLYCODE instead,
which allows the Milter to provide the complete SMTP server response
to Postfix, including SMTP code and text.
 
  * SMFIR_REPLYCODE 
    In response to a RCPT command, indicates that the recipient
    should be rejected with the specified error. In any other context
    this indicates that the entire message should be rejected with
    the specified error and that no further milter commands or
    responses will be exchanged.

Below is the code that handles the Milter response.

        Wietse

        case SMFIR_REJECT:
            if (data_size != 0)
                break;
            if (IN_CONNECT_EVENT(event)) {
#ifdef LIBMILTER_AUTO_DISCONNECT
                milter8_close_stream(milter);
#endif
                milter->state = MILTER8_STAT_REJECT_CON;
                MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1 
Command rejected"));
            } else {
                MILTER8_EVENT_BREAK("550 5.7.1 Command rejected");
            }

Reply via email to