Re: best practice anti virus integration & custom reject messages
Thank you! I was too stupid to RTFM. Clamd can provide custom reject messages. Am Mo., 17. Sep. 2018 um 16:18 Uhr schrieb Wietse Venema < wie...@porcupine.org>: > Stefan Bauer: > > Hi, > > > > I like the clean and easy milter way and having clamd this way integrated > > in postfix. But i can not use custom reject message in case clamd detects > > virus. > > > > postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from > > (...): 5.7.1 Command rejected; from= to= proto=ESMTP > > helo= > > > > This message lacks basic information - virus detected. > > That is because the Milter did not provide that a reason in the > response to Postfix. The milter could be changed to provide a reason: > see discussion below. > > > smtp_delivery_status_filters seems to not work in this case. Right? > > As documented that is applicable for SENDING, not RECEIVING email. > > > Pulling in amavis as well might give option to have custom reject > > messages, but i do not like to have an additonal service in the > > chain. > > Postfix has no 'milter reply filter' feature and it is unlikely to > happen. > > To solve this problem you'd pass the Milter response through another > program, or you would use a virus detector that produces more > informative responses. > > The Milter replies with code SMFIR_REJECT, which supports no > indication why mail is rejected: > > * SMFIR_REJECT > In response to a RCPT command, indicates that the recipient > should be rejected with a permanent error. In any other context > this indicates that the entire message should be rejected with > a permanent error and that no further milter commands or responses > will be exchanged. > > The Milter could be improved by sending SMFIR_REPLYCODE instead, > which allows the Milter to provide the complete SMTP server response > to Postfix, including SMTP code and text. > > * SMFIR_REPLYCODE > In response to a RCPT command, indicates that the recipient > should be rejected with the specified error. In any other context > this indicates that the entire message should be rejected with > the specified error and that no further milter commands or > responses will be exchanged. > > Below is the code that handles the Milter response. > > Wietse > > case SMFIR_REJECT: > if (data_size != 0) > break; > if (IN_CONNECT_EVENT(event)) { > #ifdef LIBMILTER_AUTO_DISCONNECT > milter8_close_stream(milter); > #endif > milter->state = MILTER8_STAT_REJECT_CON; > MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1 > Command rejected")); > } else { > MILTER8_EVENT_BREAK("550 5.7.1 Command rejected"); > } > >
Re: best practice anti virus integration & custom reject messages
Stefan Bauer: > Hi, > > I like the clean and easy milter way and having clamd this way integrated > in postfix. But i can not use custom reject message in case clamd detects > virus. > > postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from > (...): 5.7.1 Command rejected; from= to= proto=ESMTP > helo= > > This message lacks basic information - virus detected. That is because the Milter did not provide that a reason in the response to Postfix. The milter could be changed to provide a reason: see discussion below. > smtp_delivery_status_filters seems to not work in this case. Right? As documented that is applicable for SENDING, not RECEIVING email. > Pulling in amavis as well might give option to have custom reject > messages, but i do not like to have an additonal service in the > chain. Postfix has no 'milter reply filter' feature and it is unlikely to happen. To solve this problem you'd pass the Milter response through another program, or you would use a virus detector that produces more informative responses. The Milter replies with code SMFIR_REJECT, which supports no indication why mail is rejected: * SMFIR_REJECT In response to a RCPT command, indicates that the recipient should be rejected with a permanent error. In any other context this indicates that the entire message should be rejected with a permanent error and that no further milter commands or responses will be exchanged. The Milter could be improved by sending SMFIR_REPLYCODE instead, which allows the Milter to provide the complete SMTP server response to Postfix, including SMTP code and text. * SMFIR_REPLYCODE In response to a RCPT command, indicates that the recipient should be rejected with the specified error. In any other context this indicates that the entire message should be rejected with the specified error and that no further milter commands or responses will be exchanged. Below is the code that handles the Milter response. Wietse case SMFIR_REJECT: if (data_size != 0) break; if (IN_CONNECT_EVENT(event)) { #ifdef LIBMILTER_AUTO_DISCONNECT milter8_close_stream(milter); #endif milter->state = MILTER8_STAT_REJECT_CON; MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1 Command rejected")); } else { MILTER8_EVENT_BREAK("550 5.7.1 Command rejected"); }
best practice anti virus integration & custom reject messages
Hi, I like the clean and easy milter way and having clamd this way integrated in postfix. But i can not use custom reject message in case clamd detects virus. postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from (...): 5.7.1 Command rejected; from= to= proto=ESMTP helo= This message lacks basic information - virus detected. smtp_delivery_status_filters seems to not work in this case. Right? Pulling in amavis as well might give option to have custom reject messages, but i do not like to have an additonal service in the chain. Any other option available?