Re: best practice anti virus integration & custom reject messages

2018-09-18 Thread Stefan Bauer 
Thank you! I was too stupid to RTFM. Clamd can provide custom reject
messages.

Am Mo., 17. Sep. 2018 um 16:18 Uhr schrieb Wietse Venema <
wie...@porcupine.org>:

> Stefan Bauer:
> > Hi,
> >
> > I like the clean and easy milter way and having clamd this way integrated
> > in postfix. But i can not use custom reject message in case clamd detects
> > virus.
> >
> > postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
> > (...): 5.7.1 Command rejected; from= to= proto=ESMTP
> > helo=
> >
> > This message lacks basic information - virus detected.
>
> That is because the Milter did not provide that a reason in the
> response to Postfix. The milter could be changed to provide a reason:
> see discussion below.
>
> >  smtp_delivery_status_filters seems to not work in this case. Right?
>
> As documented that is applicable for SENDING, not RECEIVING email.
>
> > Pulling in amavis as well might give option to have custom reject
> > messages, but i do not like to have an additonal service in the
> > chain.
>
> Postfix has no 'milter reply filter' feature and it is unlikely to
> happen.
>
> To solve this problem you'd pass the Milter response through another
> program, or you would use a virus detector that produces more
> informative responses.
>
> The Milter replies with code SMFIR_REJECT, which supports no
> indication why mail is rejected:
>
>   * SMFIR_REJECT
> In response to a RCPT command, indicates that the recipient
> should be rejected with a permanent error. In any other context
> this indicates that the entire message should be rejected with
> a permanent error and that no further milter commands or responses
> will be exchanged.
>
> The Milter could be improved by sending SMFIR_REPLYCODE instead,
> which allows the Milter to provide the complete SMTP server response
> to Postfix, including SMTP code and text.
>
>   * SMFIR_REPLYCODE
> In response to a RCPT command, indicates that the recipient
> should be rejected with the specified error. In any other context
> this indicates that the entire message should be rejected with
> the specified error and that no further milter commands or
> responses will be exchanged.
>
> Below is the code that handles the Milter response.
>
> Wietse
>
> case SMFIR_REJECT:
> if (data_size != 0)
> break;
> if (IN_CONNECT_EVENT(event)) {
> #ifdef LIBMILTER_AUTO_DISCONNECT
> milter8_close_stream(milter);
> #endif
> milter->state = MILTER8_STAT_REJECT_CON;
> MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1
> Command rejected"));
> } else {
> MILTER8_EVENT_BREAK("550 5.7.1 Command rejected");
> }
>
>

Re: best practice anti virus integration & custom reject messages

2018-09-17 Thread Wietse Venema 
Stefan Bauer:
> Hi,
> 
> I like the clean and easy milter way and having clamd this way integrated
> in postfix. But i can not use custom reject message in case clamd detects
> virus.
> 
> postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
> (...): 5.7.1 Command rejected; from= to= proto=ESMTP
> helo=
>
> This message lacks basic information - virus detected.

That is because the Milter did not provide that a reason in the
response to Postfix. The milter could be changed to provide a reason:
see discussion below.

>  smtp_delivery_status_filters seems to not work in this case. Right?

As documented that is applicable for SENDING, not RECEIVING email.

> Pulling in amavis as well might give option to have custom reject
> messages, but i do not like to have an additonal service in the
> chain.

Postfix has no 'milter reply filter' feature and it is unlikely to
happen.

To solve this problem you'd pass the Milter response through another
program, or you would use a virus detector that produces more
informative responses.

The Milter replies with code SMFIR_REJECT, which supports no
indication why mail is rejected:

  * SMFIR_REJECT 
In response to a RCPT command, indicates that the recipient
should be rejected with a permanent error. In any other context
this indicates that the entire message should be rejected with
a permanent error and that no further milter commands or responses
will be exchanged.

The Milter could be improved by sending SMFIR_REPLYCODE instead,
which allows the Milter to provide the complete SMTP server response
to Postfix, including SMTP code and text.
 
  * SMFIR_REPLYCODE 
In response to a RCPT command, indicates that the recipient
should be rejected with the specified error. In any other context
this indicates that the entire message should be rejected with
the specified error and that no further milter commands or
responses will be exchanged.

Below is the code that handles the Milter response.

Wietse

case SMFIR_REJECT:
if (data_size != 0)
break;
if (IN_CONNECT_EVENT(event)) {
#ifdef LIBMILTER_AUTO_DISCONNECT
milter8_close_stream(milter);
#endif
milter->state = MILTER8_STAT_REJECT_CON;
MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1 
Command rejected"));
} else {
MILTER8_EVENT_BREAK("550 5.7.1 Command rejected");
}

best practice anti virus integration & custom reject messages

2018-09-16 Thread Stefan Bauer 
Hi,

I like the clean and easy milter way and having clamd this way integrated
in postfix. But i can not use custom reject message in case clamd detects
virus.

postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
(...): 5.7.1 Command rejected; from= to= proto=ESMTP
helo=

This message lacks basic information - virus detected.

smtp_delivery_status_filters seems to not work in this case. Right?

Pulling in amavis as well might give option to have custom reject messages,
but i do not like to have an additonal service in the chain.

Any other option available?