Sanitizing Mail on Panther Server

Listen Print Discuss

Sanitizing Mail on Panther Server

by Jason Deraleau
01/27/2004

With Mac OS X Server 10.3, Apple has replaced Apple Mail Server with the Postfix and Cyrus software packages. Postfix handles message delivery and routing via SMTP, while Cyrus is used to allow the server's mail users to access their mail via POP3 or IMAP. Due to the versatility of the Postfix mail package, it's possible to use common Unix and open source tools to perform various tasks with your mail. One of these tools, Procmail, allows mail messages to be processed based upon special "recipes."

There are Procmail recipes to perform a wide range of actions, but one of its most valued is the ability to pipe mail messages through external utilities. One such utility is the Anomy Sanitizer. This free Perl script is designed to scan email messages for dangerous file attachments, malicious JavaScript, or even pass attachments through an anti-virus program. By configuring Mac OS X Server's Postfix to use Procmail, it's possible to have your mail server pass messages through the sanitizing script.

Once I've walked you through configuring Postfix to use Procmail, I'll explain installing Anomy's Sanitizer and configuring it to use a common anti-virus package, Virex. Virex is an excellent virus scanner and works well for this situation because of its command-line interface features. Virex is also in common use, this having a lot to do with the fact that it is free to Apple's .Mac members.

Configuring Postfix

This article will assume that you have properly configured Postfix and are able to successfully send and receive mail through your Mac OS X Server. By default, Panther's Postfix does not pass data through Procmail. In order to enable this feature, we'll need to add it as a transport to Postfix. This involves editing two files: main.cf and master.cf. Both of these files are located in the /etc/postfix directory.

We'll add the transport to master.cf first. Start by opening up a new Terminal (/Applications/Utilities) session and issuing the command sudo cp /etc/postfix/master.cf /etc/postfix/master.cf.back. If prompted, enter your user account password. This command will create a backup copy of the file, in case you need to revert back at a later date. Now, enter the command sudo pico -w /etc/postfix/master.cf. You'll be presented with the pico editor and the contents of the master.cf file. Hold down Ctrl+V to scroll to the bottom of the file and paste the two lines below into the file. These lines are long, so be careful of line wrapping. Make sure you end up with just two lines in the Postfix configuration file.

Note: For readability, an extra line break was inserted into Line 2. Lines 2 and 3 should be entered on one line.

procmail  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/procmail -t -m USER=${user} 
  EXTENSION=${extension} /etc/procmailrc

Now that we've added the transport mechanism, we need to make the Postfix master daemon aware of the new Procmail connection and to use it for local deliveries. This involves editing the file /etc/postfix/main.cf. First, make a backup of the file with the command sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.back . Next, open up the file in the pico editor with the command sudo pico -w /etc/postfix/main.cf. In the file, comment out the line that says mailbox_transport = cyrus by placing a # in front of it. Then, at the end of the file, add these two lines:

mailbox_command = /usr/bin/procmail -t -a "$EXTENSION" 
mailbox_transport = procmail

Configuring Procmail

Now that Postfix is configured to pass messages destined for local delivery through Procmail, you'll need to configure Procmail to then continue the mail chain and deliver the messages to the Cyrus mail system. To do this, we'll work with the file /etc/procmailrc. This is the system-wide configuration file for Procmail and will be used when Postfix passes the messages through Procmail. Open the file in the pico editor with the command sudo pico -w /etc/procmailrc. If there is anything in the file, remove it by holding down Ctrl+K. Then, paste the contents below into the file:


#
# /etc/procmailrc - System-wide procmail recipes
#

# Uncomment the line below to allow users to specify individual
# procmail recipes
#INCLUDERC=/Users/$USER/.procmailrc

# Default: Deliver mail that makes it to this point to the user's
# Cyrus INBOX
:0 w
    | /usr/bin/cyrus/bin/deliver -e -a $USER -m user/$USER

Once you've saved these changes, enter the command sudo postfix reload to restart the Postfix daemons. Congratulations! At this point, you have a functioning Postfix server with Procmail support. Now, let's bring in some helpful tools.

Setting Up the Sanitizer

With Procmail in the mix, messages bound for local delivery now come in through Postfix, pass through Procmail, and then finally get delivered in the Cyrus mail stores. We're now going to add a stage that will insert the Anomy Sanitizer in the Procmail stage. First, we'll need to download the latest version of the Sanitizer package. You can find the latest release in the Downloads section of the Anomy mail tools site. Download the most recent version to your Desktop and issue this command to extract it to an appropriate place on the system: sudo tar -zxvf ~/Desktop/anomy-sanitizer-1.66.tar.gz -C /opt/.

The Sanitizer is now installed, we just need to configure it for basic attachment screening. This configuration file is a simple set up for the Sanitizer. It has two policy groups. The first detaches inbound attachments that have an extension of any of the common Windows executable formats (e.g. EXE or COM). The detached files are stored according to the value of file_name_tpl, and a message is inserted in the email, which informs the recipient that the attachment was stripped. This policy helps prevent many Visual Basic scripts and executable viruses from coming in through the mail server. The second policy group passes many common binary data files (e.g. JPG or MPG) through unmodified. Finally, the default policy of defang will help make HTML-formatted emails and other attachments a bit safer.

To have the Sanitizer start up with this configuration, first create the directory /var/quarantine with the command sudo mkdir /var/quarantine. Now, enter the command sudo chmod 1777 /var/quarantine to make sure that stripped attachments can be saved to this location easily. Next, insert the contents of the configuration file into /opt/anomy/sanitizer.cfg by opening it up in the pico editor (sudo pico -w /opt/anomy/sanitizer.cfg) and then pasting. Next, we'll need to set up Procmail to call the Sanitizer as each message comes in. Open the /etc/procmailrc file like we did earlier and modify it so it looks as follows:


#
# /etc/procmailrc - System-wide procmail recipes
#

# Uncomment the line below to allow users to specify individual
# procmail recipes
#INCLUDERC=/Users/$USER/.procmailrc

# Run sanitizer on locally delivered messages
ANOMY=/opt/anomy/
:0 fw
    |/opt/anomy/bin/sanitizer.pl /opt/anomy/sanitizer.cfg
    
# Default: Deliver mail that makes it to this point to the user's
# Cyrus INBOX
:0 w
    | /usr/bin/cyrus/bin/deliver -e -a $USER -m user/$USER

Once you've saved the file, the changes take effect immediately, so be careful as you type or you run the risk of losing inbound mail. Try testing the system by sending one of your mail users a message with an empty attachment named test.vbs. If all went well, the recipient will get an email that explains what happened to the attachment, as well as an attached log of what the Sanitizer did. In addition, you'll find a renamed copy of the file on the server in the /var/quarantine directory.

Incorporating Virex

While the Sanitizer configuration will certainly help eliminate a lot of common nasties coming through via email, it is still based around blocking certain types of attachments, which may still allow trouble to come in. For example, the filter will allow Word documents in, which could have a virus in the form of a macro. To help eliminate these kinds of problems, the Sanitizer can pass attachments through a virus scanner.

I chose Virex for this solution not only because it was free with my .Mac account, but also because it has a decent command-line interface. The Sanitizer expects certain responses from the virus scanner to help it determine how to treat the attachment after it's been scanned. I wrote a small wrapper shell script for Virex, which you can find listed below. Once you've installed Virex (and updated your virus definitions!), continue with these instructions to incorporate it with your mail Sanitizer.


#!/bin/sh
#
# virex.sh - wrapper script for Virex 7.2
#

# *******************************************
#                Exit Status
# *******************************************
#  Status:      1       Uninfected file
#               2       Cleaned file
#               3       Infected file
#               4       Error encountered
# *******************************************
EXITSTATUS=0

if [ -d /usr/local/vscanx ]; then
    if [ -f "$1" ] && [ "$1" != $(basename $1) ]; then
        cd /usr/local/vscanx
        ./vscanx $1 2>&1 >/dev/null
        
        case "$?" in
            0)          # Found no viruses
                        EXITSTATUS=1
                        ;;
            19)         # Found a virus, but cleaned it
                        EXITSTATUS=2
                        ;;
            12 | 13)    # Found a virus and file remains infected
                        EXITSTATUS=3
                        ;;
            *)          # Some sort of error occurred
                        EXITSTATUS=4
                        ;;
        esac
    else
        # The argument specified (if any) could not be found or is not a
        # full path
        echo "The file $1 could not be found. Please specify its full path."
        EXITSTATUS=4
    fi
else
    # Virex is not installed
    echo "Virex was not found in /usr/local/vscanx."
    EXITSTATUS=4

fi

exit $EXITSTATUS

Paste the contents of this script into /opt/anomy/bin/virex.sh using pico. Then, make the script executable with the command sudo chmod 0755 /opt/anomy/bin/virex.sh. Now that we have the script in place, we'll need to modify our Sanitizer configuration to make use of it. Open /opt/anomy/sanitizer.cfg and modify it to match this configuration file.

The new configuration adds a policy group that passes many common document formats (e.g. DOC or XLS) through the virus scanner. If the file passes as uninfected, it is included in the message normally. If the file fails to pass the virus scan, it will be deleted and a notification will be included in the email message. If an error of some sort is encountered, the attachment will be saved, much like our first policy group.

To test your new virus scanner, create a new file named eicar.doc using Text Edit (/Applications) and paste the following into it:


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When you send one of your mail users this file, the attachment will be stripped by the Sanitizer and placed in the quarantine area. The Sanitizer will then use the virex.sh script to have Virex scan the attachment. Virex will detect that the file is infected, causing the wrapper script to return an exit code of 3. Our policy for this exit code will be to drop the attachment. The file is removed from the quarantine (and thus the system completely) and a message is inserted into the email informing the recipient of the attachment's status.

Final Thoughts

While the configuration we've just set up is great for processing email attachments, much more can be done with these tools than can easily be described in a single article. Anomy's Sanitizer is an excellent tool for working with email attachments. I strongly suggest perusing their documentation for information on customizing directives and performing other types of scans.

Much more can be done with Procmail as well, especially performing actions based on mail headers or body texts. For example, it's quite trivial to have Procmail drop all mail from a specific sender, a troublesome domain, or even based upon words in the subject. There are a lot of great sites for Procmail recipes. Take a look at Timo's Procmail Tips and Recipes to get a head start on using this powerful utility.

Jason Deraleau works as a systems administrator by day, IT consultant and technical writer by night, and is the coauthor of the upcoming Running Mac OS X Tiger.

Return to the Mac DevCenter.

Please add any additional tips you have for sanitizing mail when using the Panther server.
You must be logged in to the O'Reilly Network to post a talkback.

Showing messages 1 through 38 of 38.

Testing your config
2004-10-27 06:01:58 PeterTattersall [Reply | View]

Once you have implemented this, you can test it from http://www.testvirus.org/ which will (after confirming your address) send an EICAR.COM laden message to your address. Some files still get through....

Anomy vs Spamassassin
2004-03-22 05:20:25 ijonb [Reply | View]

Anyone care to comment on Anomy vs Spamassassin? Is one better than the other? Should I just use both?

Thanks!

Not sure what local delivery in the context used here means exactly...
2004-03-13 11:59:44 halesgarcia [Reply | View]

I am interested in setting up an SMTP/Sanitizing server and a separate POP/IMAP server, mainly for load balancing.

Do I need to make other manual configurations than those mentioned in this article to do this?

I have user's mail in Workgroup Manager configured to forward to the POP/IMAP server. I see from the master.cf configuration that postfix is executed as the user cyrus. Will then local delivery only be to the SMTP server and forwarding to my POP/IMAP server not occur?

Not sure what local delivery in the context used here means exactly...
2004-03-22 05:28:49 Jason Deraleau | [Reply | View]

Forwarded mail does not pass through the local delivery transport, so those messages are not scanned by the sanitizer. Only mail delivered to the local machine is scanned.

procmailrc config file
2004-03-09 09:22:51 rykar [Reply | View]

I changed the main.cf and master.cf files, and changed procmailrc to the setting in the article but mail isn't getting delivered. Should I change the end of the cyrus delivery line from "user/$USER" to "/var/spool/imap/user/$USER" which is the location of the mail store?

how to not defang encrypted mail?
2004-03-06 21:18:40 tjtjt [Reply | View]

I've had no problem following this article and getting sanitizer and virex working fine here (on Mac OS X Server 10.3). Really helpful!

The only issue appears to be that email that is sent to a recipient on the server that is encrypted (using Mail's built-in encryption stuff with X.509 certificates) gets completely defanged. I.e., the message content is removed and all that's left if a mangled certificate as an attachment.

Is there an easy way to let this mail through without being defanged?

Thanks!

- tjtjt

Deferred Looping?
2004-02-20 15:08:26 juhnke [Reply | View]

I have over a hundred users on my server (Panther). Spamassassin, Anomy/Virex are installed and this message appears frequently in the mail.log:

Feb 20 17:02:13 postmaster postfix/pipe[14910]: 42B1614D7B7: to=<user@domain.com>, relay=procmail, delay=26, status=deferred (temporary failure)

Because the traffic is so massive, it's hard to locate the "from" entry to determine if that is a factor.

The deferred emails appear to build up and finally bounce. Legitimate emails are bouncing.

What is causing the deferral? How do I debug?

Deferred Looping?
2004-02-21 13:55:50 loganj1 [Reply | View]

It's possible that you're suffering from the (procmail) case sensitive username delivery problem mentioned elsewhere in these followup notes - a solution is also provided. You can verify this easily by sending a message to one of your users with the username in upper case.

You can debug a deferred message using the file name of the message from a directory listing of "/var/spool/postfix/deferred/*/*" as the "queue-id" argument in the "postsuper" command, as follows:

postsuper -r 5DF2216EDC4 deferred

(where "5DF2216EDC4" is the filename of the message)

This will cause the message to be requeued immediately, with new entries in "/var/log/mail.log" that you can work with.

Deferred Looping?
2004-02-21 13:58:37 loganj1 [Reply | View]

And once you've fixed the problem you can cause all the deferred messages to be delivered with the command ...

postsuper -r ALL deferred

Server Admin overwriting main.cf solution
2004-02-10 00:11:27 loganj1 [Reply | View]
Proceed at your own risk - advise arranging for new employment first ...

1. Use "Server Admin" to shut down the Mail service.
2. Quit out of "Server Admin" - required.
3. Make a backup copy of the xml file "/etc/MailServicesOther.plist".
4. Use a text editor to modify the file "/etc/MailServicesOther.plist".
5. Add the following two lines, replacing the parenthesis (below) with angle brackets. I added these lines just before the line "(key maps_rbl_domains(/key)", but it probably works in other places in the "postfix" section. Important note: the space after "mailbox_transport" is required to avoid problems.
6. Save the file and exit the editor.
7. Start "Server Admin", and start the Mail service.
8. Make a configuration change in the Mail server that will cause the "/etc/postfix/main.cf" file to be rewritten - for example, make any change to the filters and click on "Save".

The tail end of the "main.cf" file should now show "mailbox_transport = procmail", and you won't need to make configuration changes when the Mail service is restarted (for whatever reason).

The xml file mentioned above can also be used to manually pre-populate or sort data in the Mail service filters, but doing so requires the same "Server Admin"/Mail service shutdown-edit-restart procedure.

It works for me. Cheers!

procmail line is removed from master.cf every restart
2004-02-09 01:32:21 jaydisc [Reply | View]

It appears that the changes made in /etc/postfix/master.cf are lost as soon as the mail server is started.

procmail line is removed from master.cf every restart
2004-02-10 00:32:48 loganj1 [Reply | View]

Add those lines to the file "master.cf.defaultserver" and they won't be lost.

Cheers!

BTW kids, it's case-sensitive
2004-02-04 16:04:06 dalcarls [Reply | View]

Messages now sitting in my queue appear to only be sitting there because there is capitlization somewhere in the email address. I've added:

lmtp_downcase_rcpt: yes

to the imapd.conf file, as well as added:

flags=Ru

as opposed to flags=R in the master.cf file, but to no avail.

BTW kids, it's case-sensitive
2004-02-11 16:25:53 loganj1 [Reply | View]
Not the preferred solution, but it works ...

1. Put the following shell script in the file "/usr/local/bin/deliver":

# This is a front end script for the Cyrus "deliver" program # that forces the username to lowercase # # usage: deliver $USER # if [ -n "$1" ]; then user=`echo $1 | tr A-Z a-z` /usr/bin/cyrus/bin/deliver -e -a $user -m user/$user; fi
2. Change the last line of the file "/etc/procmailrc" to ...

BTW kids, it's case-sensitive
2004-05-26 12:33:32 furbo_dude [Reply | View]

A simpler solution is to do the case conversion in /etc/procmailrc:

# convert user name to all lowercase
USER=`echo $USER | tr "[:upper:]" "[:lower:]"`

# if no matches above, deliver message to the user's inbox
:0w
| /usr/bin/cyrus/bin/deliver -a $USER -m user/$USER

-ch

BTW kids, it's case-sensitive
2004-03-03 11:50:28 juhnke [Reply | View]

Loganj! Thanks for this script. We've been having a terrible time with the case sensitivity issue. We've run into a strange catch. It seems with this case script in place Spamassassin (through spamd) is no longer able to move the detected spam to the appropriate folder.

Have you had this experience? What should we be looking at?

Thanks!

BTW kids, it's case-sensitive
2004-05-11 10:24:54 loganj1 [Reply | View]

Hmmmm, in the script above replace "loganj" with "postmaster" or someone that you want to be notified about errors. I didn't post this script originally because it's world class ugly, but I haven't had time to improve it - anyone with a better solution?

BTW kids, it's case-sensitive
2004-05-11 10:06:35 loganj1 [Reply | View]

Sorry for the slow response. I actually use the script below, where the folder name is an optional parameter. You might need to visit the spamassassin scripts and change any $default delivery mechanism to the following ...

/usr/local/bin/deliver $user $foldername

# This is a front end script for the Cyrus "deliver" program
# that forces the username to lowercase, and formats a mailbox
# name properly (per RFC821) except that mailbox names can not
# have two adjacent spaces.
#
# usage: deliver $USER ["MailBoxName"]
#
if [ -z "$1" ]; then
/usr/bin/cyrus/bin/deliver -e -a loganj -m user/loganj;
else
user=`echo $1 | tr A-Z a-z`
mbox=`echo $2 | sed -e "s; ;\\\\\\ ;g"`
if [ -z "$2" ]; then
/usr/bin/cyrus/bin/deliver -e -a $user -m user/$user;
else
/usr/bin/cyrus/bin/deliver -e -a $user -m "user/$user/$mbox";
fi
fi

Great article, but...
2004-02-04 11:42:16 dalcarls [Reply | View]

I read with great interest how to set this up. Got all the entries done in main.cf and master.cf (after making backups), created procmailrc, did a postfix reload, and then tried receiving mail. Nothing. "Strange", I thought, and ran mailq and saw this:

(temporary failure. Command output: procmail: Program failure (65) of "/usr/bin/cyrus/bin/deliver" )

Before reverting back to the old main.cf and master.cf files, nobody was getting mail from outside our mail server. Internal email was fine. I reverted back to the old main.cf and master.cf files, and things were back to normal.

Thoughts anyone?

Great article, but...
2004-02-04 12:18:44 dalcarls [Reply | View]

Ok. Got that licked. There was a tab after the first line in the main.cf file. Now I'm seeing this in system.log:

fatal: connect #11 to subsystem private/procmail: Connection refused

Weird.

Great article, but...
2004-02-25 13:50:35 celsomaiolo [Reply | View]

Hello- I'm also being clobbered by this error? Has anyone determined what this is caused by? Any help would be appreciated!

Thanks

Celso

-----------------
Feb 25 11:16:47 mydomain postfix/local[7134]: fatal: connect #11 to subsystem private/procmail: No such file or directory
Feb 25 11:16:48 mydomain postfix/qmgr[392]: warning: premature end-of-input on private/local socket while reading input attribute name
Feb 25 11:16:48 mydomain postfix/qmgr[392]: warning: private/local socket: malformed response
Feb 25 11:16:48 mydomain postfix/qmgr[392]: warning: transport local failure -- see a previous warning/fatal/panic logfile record for the problem description
------------------------

I am hosed.
2004-02-02 12:43:42 mecran01 [Reply | View]

I used postfix enabler to get postfix working, then worked through the steps in this article. My incoming email disappeared, and even after switching back to the default main.cf, etc. no incoming email. What a bummer.

A Note From the Author
2004-02-02 12:26:42 Jason Deraleau | [Reply | View]

Some users have been reporting issues with this configuration after they've made new changes in Server Admin. Server Admin has a bad habit of overwriting changes made to configuration files. If you setup your server as this article describes and later make changes to your Mail settings, Server Admin will overwrite /etc/postfix/main.cf's mailbox_transport setting, changing it back to cyrus. If this happens, you'll just need to remodify it so that it says procmail.

If you'd like to lock the file from changes, take a look at this hack: http://www.oreillynet.com/pub/h/372

A Note From the Author
2004-03-13 12:40:22 halesgarcia [Reply | View]

Thank you for your informative and very relevant article.

The problem of manual and GUI changes corrupting each other has been a problem with Mac OS X Server from the beginning. Apple has fixed the problem with some services, most notably Apache, by adding documentation in files explaining how to manually edit them. But I've noticed the documentation comes late and only if Apple is invested in the technology. In the mean time administrators have to learn by trail-and-error what works and what doesn't as I see occuring among your readers.

I would very much like to see an O'Reilly article explaining the idiocyncracies of editing Mac OS X Server services. Depending on Apple's interest in the technology and its tenure on the platform the methods of manual editing can vary widely. Sometimes files should be only edited with the GUI applications provided, sometimes a combination of GUI and manual editing works, sometimes editing includes editing Plist files, or Netinfo directories, or LDAP attibutes in addition to the etc files.

procmail problems
2004-01-31 02:31:12 raffaell [Reply | View]

I have some questions about postfix-procmail-cyrus:
- why there is no entrance in email header about procmail pass? There is still only postfix and cyrus entrance:
Received: from xserve ([unix socket]) by xserve (Cyrus v2.1.13) with LMTP; Sat, 31 Jan 2004 10:15:09 +0100
Received: from vsmtp14.tin.it (vsmtp14.tin.it [xxx.xxx.xxx.xxx]) by xserve (Postfix) with ESMTP id 06D1A8B51E2; Sat, 31 Jan 2004 10:15:09 +0100 (CET)

- why postfix can deliver well emails to users (short users name) but not to other names (for example "p.pallino" is a second name of user "pinco"):
Jan 31 11:04:06 xserve postfix/pipe[16851]: 7EEDC8B5BE6: to=<pinco@domain.com>, relay=procmail, delay=1, status=sent (xserve)
Jan 31 11:05:04 xserve postfix/pipe[16851]: 6D6D18B5C15: to=<p.pallino@domain.com>, relay=procmail, delay=0, status=deferred (temporary failure. Command output: procmail: Program failure (65) of "/usr/bin/cyrus/bin/deliver" )

procmail problems
2004-11-08 12:12:44 Criss_Ittermann [Reply | View]

I haven't been able to fix the program failure (65) from deliver (cf. cyrus documentation on "deliver", or "man deliver") Nor can I find out exactly what a 65 means.

However this will be useful for people who get this message and are missing emails:

If you invoke procmail with the -t switch (add -t to the options to invoke procmail) [already done in this article] then the mail will be delivered -- probably to a plaintext file at /var/mail/cyrus

When you fall back to going from postfix->cyrus and skip procmail, this is how to redeliver those "lost" emails:

sudo mv /var/mail/cyrus /var/mail/cyrus.sent; sudo cat /var/mail/cyrus.sent | formail -s sendmail -t -bm -v

This will move the spooled flat file to cyrus.sent (so that the next time you try this you don't just append to the cyrus mail file), and pipe the text of the file to formail, which will split it into individual messages and requeue it for delivery from the beginning of the entire mail chain (sendmail) so that it actually gets delivered. Once those mails are delivered, another round of server changes can be attempted.

Criss

procmail problems
2004-02-02 12:42:11 Jason Deraleau | [Reply | View]

I am not sure why procmail does not create an entry in the message's delivery path. It hasn't historically in any configuration I'm aware of. I imagine, however, that you could make a procmail recipe that would add a header of some sort to indicate it had passed through.

As far as multiple short names not working, I'm not totally surprised. Sorry I had not considered it as a notice in the article somehow. The reason it does not work with multiple short names is because procmail attempts to deliver mail to a specific mailbox. When you create multiple shortnames for a user account, only a single mailbox is made, which has the name of the first shortname used. When procmail attempts to deliver to one of these alternate names, it can't resolve the name properly because its box doesn't exist.

I'm not sure how you're using the shortnames. I haven't found a practical use for them in my organization's server. However, if you're just using them for aliases to the same mailbox, you should be able to modify Postfix's /etc/aliases file (and then run newaliases) to create aliases for the mailbox. The aliases should work properly with the above described config, since the resolution of the alias occurs prior to the pipe to Procmail.

procmail problems
2004-02-08 07:14:19 raffaell [Reply | View]

I am using others name for my users' email addresses. In my studio all email are first letter of the name dot surname (p.pallino). Since the user's short name cannot include a point character I have to use second, third name.
Another thing: reading log file I saw that postfix has problems to transfer email (addressed to second user's name) to procmail, but email is not deleted. It arrives after I come back to original configuration.

Previous message - ignore "problem #3"
2004-01-29 02:13:26 notmicro [Reply | View]

My mistake, Sanitizer appears to be working correctly for POP-only users.

Series of problems/questions
2004-01-29 02:02:20 notmicro [Reply | View]

I was extremely grateful for this article; I have just completed migration to Server 10.3 (from 10.1), which supports corp e-mail for approx 100 users. I needed to start using Procmail, and get some filtering going (hopefully eventually using SpamAssassin).

I very carefully implemented the file-changes outlined in this document, using copy-and-paste to get everything updated (I did not implement Virex). Sanitizer correctly handled a test e-mail to me with an attachment named "test.vbs". However subsequent problems have caused me to deactivate it.

Problem #1 - the OS X "Mail" app receives the e-mail with the original message-text encoded in a MIME document which Mail cannot handle; the result is that the original message "disappears".

Problem #2 - Then I started noticing that the system-log is full of new error-messages like:
localhost lmtpd auxpropfunc error -1
localhost pop3d auxpropfunc error -1
I started looking into this. A Restart didn't make any difference. This is still unresolved.

Problem #3 - I figured out that if Sanitizer intercepts an e-mail, and the User's Mail settings are defined for POP only and not IMAP, the e-mail disappears and is never received. Most of our users are POP-only because the various old e-mail clients in use do not support IMAP yet.

Series of problems/questions
2004-08-06 16:09:42 oag [Reply | View]

I'm hoping that people contributing to these articles might have encounter the need to transfer mail between different types of IMAP servers.

In my case, I used UW IMAP under Linux, for years This built up a huge mailbox repository of valuable data. As I migrated to 10.3 Server and Cyrus/Postfix, I saw the need to move all that data over cleanly and safely.

My first attempt was that of mounting both IMAP servers, Linux and Cyrus, via Mail.app. Then dragging mailboxes across. It all seemed to work, especially for those small mailboxes. However, I have noticed that for the large mailboxes, not all messages have transferred.

Any other suggestions?

Thanks in advance.

-otto

Series of problems/questions
2004-03-03 13:08:34 jurg [Reply | View]

wrt problem #1:
I seem not to encounter this problem after setting

feat_force_name = 1

in /opt/anomy/sanitizer.cfg

No luck yet
2004-01-28 13:10:50 ozguru [Reply | View]

I have put a test syslog call in the top of sanitizer.pl (so that I can see when it is called) but it ain't happening. The only (possibly) relevant error in the system log is:

postfix/local[19903]: fatal: connect #11 to subsystem private/procmail: No such file or directory

Restarting mail doesn't seem to solve the problem - mail is just hiding in the system somewhere. If I change the main.cf back to cyrus then the missing mail gets delivered (but obviously not via procmail).

RE: No luck yet
2004-01-28 13:40:38 Jason Deraleau | [Reply | View]

Strange... I haven't seen that problem come up yet. I just finished following the article's instructions on a brand new Panther Server install and that didn't have any issues. Try this:

Make sure that the master.cf lines are correct. Extraneous white space _shouldn't_ make a difference, but you might have picked up an extra line break or something during your copy and paste. Double check the text in that file, making sure it's on two lines.

Also, make sure that in main.cf you have uncommented the mailbox_transport to cyrus. Finally, try completely stopping mail services (sudo postfix stop) and then starting them back up (sudo postfix start). For some reason your Postfix daemons might not be picking up on the changes. A complete stop/start will hopefully help.

RE: No luck yet
2004-01-28 14:45:24 ozguru [Reply | View]

The complete stop and start seems to have fixed the problem. Mind you a complete stop was hard to achieve (I was not on-site and the server manager kept restarting mail). Anyway it looks like it is all working now. Thanks a million.

Thanks! Works great. Two questions.
2004-01-28 08:44:33 laredo [Reply | View]

This was well writen and easy to follow, thanks. I only use the terminal maybe once a month so if I can follow the directions then it was well written.

I went on to add the Virex portion and this seemed to disable the sanitizer, went back to the first config file all was well. Hmmmm.

Also using the sanitizer.cfg I would really like it if it did not defang HTML files, and its not that clear how to exempt these files. Any help?

Thanks

Brian

RE: Two questions.
2004-01-28 10:03:19 Jason Deraleau | [Reply | View]

Hello Brian,

To answer your second question, you can disable HTML scanning by changing the feat_html value to 0. You can also easily disable the default action of defanging if you change
file_default_policy to accept (to pass them through untouched) or save (to detach them and store them in the quarantine). Keep in mind the default isn't consulted until after the other file list policies have been exhasted.

The first question... I'm actually using the second config, so I'm not quite sure what might be causing problems. Did you copy and paste the exact config or just add the additional lines? If the latter, you might have forgotten to increment the file_list_rules value.

Thanks
2004-01-28 13:19:04 laredo [Reply | View]

Feature Value to Zero works great. Folks in my office receive a lot of HTML newsletters so they were a bit peeved this am.

I am using the first config, and all is well, when I copy and paste the second config, then all passes thru. I will look closer later at the second config. I probably have Virex in the wrong place.
Panther 10.3.2

Thanks again.

Brian

Sanitizing Mail on Panther Server

Configuring Postfix

Configuring Procmail

Setting Up the Sanitizer

Incorporating Virex

Final Thoughts

Tagged Articles

Sponsored Resources

Related to this Article