Postfix MTA - global procmailrc and sendmail execution rights
I am setting up procmail on a Debian Jessie mail server with the following global procmail config file (/etc/procmailrc):
    SHELL="/bin/bash"
    DELIVER="/usr/lib/dovecot/deliver"
    LOGFILE="$HOME/.procmail.log"
    DEFAULT="$HOME/maildir/"
    MAILDIR="$HOME/maildir/"
    ORGMAIL="$HOME/maildir/"
    # VERBOSE=on

    # Invoke SpamBayes
    :0 fw
    | sb_filter -d /home/shared_directories/spambayes

    # If the mail contains a dangerous file, send it to admin.
    # B: match the condition against the body, where the MIME part headers live.
    :0 wB
    * ^((Content-Disposition:.*(|$)[ ]*filename)|(Content-Type:.*(|$)[ ]*name))=.*\.(0|000|386|3gr|7z|7z\.001|7z\.002|9|a00|a01|a02|ace|add|ade|aepl|agg|ain|alz|apz|ar|arc|archiver|arh|ari|arj|ark|aru|asp|asr|atm|aut|b1|b64|ba|bas|bat|bh|bhx|bin|bkd|blf|bll|bmw|bndl|boo|bps|bqf|buk|bundle|bup|bxz|bz|bz2|bza|bzip|bzip2|c00|c01|c02|c10|car|cb7|cba|cbr|cbt|cbz|cc|cdz|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|comppkg_hauptwerk_rar|comppkg\.hauptwerk\.rar|cp9|cpgz|cpl|cpt|crt|ctbl|cxarchive|cxq|cyw|czip|dar|dbd|dbx|dd|deb|delf|dev|dgc|dist|dl_|dlb|dli|dll|dllx|docm|dom|drv|dx|dxz|dyv|dyz|dz|ecs|efw|egg|epi|exe|exe1|exe_renamed|ezt|f|fag|fdp|fjl|fnr|fon|fp8|fuj|fzbz|fzpz|gca|gmz|gz|gz2|gza|gzi|gzip|gzquar|ha|hbc|hbc2|hbe|hki|hki1|hki2|hki3|hlp|hlw|hpk|hsq|hta|hts|hyp|iadproj|ice|inf|ins|ipg|ipk|ish|isp|isx|ita|iva|iws|ize|j|jar|jar\.pack|jgz|jic|js|jse|jsonlz4|kcd|kgb|kz|layout|lbr|lemon|let|lha|libzip|lik|lkh|lnk|lnx|lok|lpaq5|lqr|lz|lzh|lzm|lzma|lzo|lzx|md|mdb|mde|mfu|mint|mjg|mjz|mou|mpkg|msc|msi|msp|mst|mzp|nex|nls|nz|oar|ocx|osa|oz|ozd|p01|p19|package|pack\.gz|pae|pak|paq6|paq7|paq8|paq8f|paq8l|paq8p|par|par2|pax|pbi|pcd|pcv|pcx|pea|pet|pf|pgm|php3|pid|pif|pim|pit|piz|pkg|plc|pr|psz|pup|puz|pwa|qda|qit|qrn|r0|r00|r01|r02|r03|r1|r2|r21|r30|rar|reg|rev|rhk|rk|rna|rnc|rp9|rpm|rsc_tmp|rte|rz|s00|s01|s02|s7p|s7z|sar|sbx|scr|sct|sdc|sdn|sea|sen|sfg|sfs|sfx|sh|shar|shb|shk|shr|shs|sifz|sit|sitx|ska|smm|smpf|smtmp|snappy|snb|sop|spam|spt|sqx|srep|ssy|stproj|swf|sy_|sys|tar\.bz2|tar\.gz|tar\.gz2|tar\.lz|tar\.lzma|tar\.xz|tar\.z|taz|tbz|tbz2|tg|tgz|tko|tlz|tlzma|tps|trs|tsa|tti|tx_|txs|txz|tz|uc2|ufs\.uzip|uha|upa|url|uzip|uzy|vb|vba|vbe|vbs|vbx|vem|vexe|vsi|vxd|vzr|wa|waff|war|wlb|wlpginstall|wmf|wot|ws|wsc|wsf|wsh|xar|xdu|xef|xez|xir|xlm|xlv|xmcdz|xnt|xnxx|xtbl|xx|xz|xzm|y|yz|yz1|z|z01|z02|z03|z04|zap|zfsendtotarget|zi|zip|zipx|zix|zl|zoo|zpi|zsplit|zvz|zw|zz)
    {
      :0 fw
      | formail -i "X-Dangerous-Attachment: yes"

      :0 w
      ! spam@localhost
    }

    # Handle ham: send a copy to admin
    :0 c
    * ^X-Spambayes-Classification: ham
    ! spam@localhost

    # Handle spam and unsure: send the mail to admin
    :0 w
    * ^X-Spambayes-Classification: (spam|unsure)
    ! spam@localhost

    :0 w
    | $DELIVER
With the above global config file, I get the following log output:
    procmail: [7287] Mon Jul 25 19:57:52 2016
    procmail: Executing "sb_filter,-d,/home/shared_directories/spambayes"
    procmail: [7287] Mon Jul 25 19:57:53 2016
    procmail: No match on "^((Content-Disposition:.*(|$)[ ]*filename)|(Content-Type:.*(|$)[ ]*name))=.*\.(0|000|386|3gr|7z|7z\.001|7z\.002|9|a00|a01|a02|ace|add|ade|aepl|agg|ain|alz|apz|ar|arc|archiver|arh|ari|arj|ark|aru|asp|asr|atm|aut|b1|b64|ba|bas|bat|bh|bhx|bin|bkd|blf|bll|bmw|bndl|boo|bps|bqf|buk|bundle|bup|bxz|bz|bz2|bza|bzip|bzip2|c00|c01|c02|c10|car|cb7|cba|cbr|cbt|cbz|cc|cdz|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|comppkg_hauptwerk_rar|comppkg\.hauptwerk\.rar|cp9|cpgz|cpl|cpt|crt|ctbl|cxarchive|cxq|cyw|czip|dar|dbd|dbx|dd|deb|delf|dev|dgc|dist|dl_|dlb|dli|dll|dllx|docm|dom|drv|dx|dxz|dyv|dyz|dz|ecs|efw|egg|epi|exe|exe1|exe_renamed|ezt|f|fag|fdp|fjl|fnr|fon|fp8|fuj|fzbz|fzpz|gca|gmz|gz|gz2|gza|gzi|gzip|gzquar|ha|hbc|hbc2|hbe|hki|hki1|hki2|hki3|hlp|hlw|hpk|hsq|hta|hts|hyp|iadproj|ice|inf|ins|ipg|ipk|ish|isp|isx|ita|iva|iws|ize|j|jar|jar\.pack|jgz|jic|js|jse|jsonlz4|kcd|kgb|kz|layout|lbr|lemon|let|lha|libzip|lik|lkh|lnk|lnx|lok|lpaq5|lqr|lz|lzh|lzm|lzma|lzo|lzx|md|mdb|mde|mfu|mint|mjg|mjz|mou|mpkg|msc|msi|msp|mst|mzp|nex|nls|nz|oar|ocx|osa|oz|ozd|p01|p19|package|pack\.gz|pae|pak|paq6|paq7|paq8|paq8f|paq8l|paq8p|par|par2|pax|pbi|pcd|pcv|pcx|pea|pet|pf|pgm|php3|pid|pif|pim|pit|piz|pkg|plc|pr|psz|pup|puz|pwa|qda|qit|qrn|r0|r00|r01|r02|r03|r1|r2|r21|r30|rar|reg|rev|rhk|rk|rna|rnc|rp9|rpm|rsc_tmp|rte|rz|s00|s01|s02|s7p|s7z|sar|sbx|scr|sct|sdc|sdn|sea|sen|sfg|sfs|sfx|sh|shar|shb|shk|shr|shs|sifz|sit|sitx|ska|smm|smpf|smtmp|snappy|snb|sop|spam|spt|sqx|srep|ssy|stproj|swf|sy_|sys|tar\.bz2|tar\.gz|tar\.gz2|tar\.lz|tar\.lzma|tar\.xz|tar\.z|taz|tbz|tbz2|tg|tgz|tko|tlz|tlzma|tps|trs|tsa|tti|tx_|txs|txz|tz|uc2|ufs\.uzip|uha|upa|url|uzip|uzy|vb|vba|vbe|vbs|vbx|vem|vexe|vsi|vxd|vzr|wa|waff|war|wlb|wlpginstall|wmf|wot|ws|wsc|wsf|wsh|xar|xdu|xef|xez|xir|xlm|xlv|xmcdz|xnt|xnxx|xtbl|xx|xz|xzm|y|yz|yz1|z|z01|z02|z03|z04|zap|zfsendtotarget|zi|zip|zipx|zix|zl|zoo|zpi|zsplit|zvz|zw|zz)"
    procmail: No match on "^X-Spambayes-Classification: ham"
    procmail: Match on "^X-Spambayes-Classification: (spam|unsure)"
    procmail: Executing "/usr/sbin/sendmail,-oi,spam@localhost"
    sendmail: warning: the Postfix sendmail command has set-uid root file permissions
    sendmail: warning: or is run from a set-uid root process
    sendmail: warning: the Postfix sendmail command must be installed without set-uid root file permissions
    procmail: Assigning "LASTFOLDER=/usr/sbin/sendmail -oi spam@localhost"
    procmail: Notified comsat: "testuser@:/usr/sbin/sendmail -oi spam@localhost"
    From david@sardari.eu  Mon Jul 25 19:57:52 2016
     Subject: test
      Folder: /usr/sbin/sendmail -oi spam@localhost                       2922
Procmail complains that the sendmail command has the sticky bit set. But that's not the case:
    root@mail2:~# ls -l /usr/sbin/sendmail
    -rwxr-xr-x 1 root root 25964 Nov  4  2014 /usr/sbin/sendmail
I don't get the error if I place the config file in the user's home folder (~/.procmailrc).
Questions:

- How do I get rid of the sticky bit warning in the procmail log?
- How can I place the code in the curly brackets on one line, e.g.

      | formail -i "X-Dangerous-Attachment: yes" ! spam@localhost

  ?
- Did I cover every possibility to find an attachment's filename? Is there any other way of being informed of an attachment's filename besides "filename=" after "Content-Disposition" and "name=" after "Content-Type"?
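As an added example (not code from the original post), the following Python check shows how a real MIME parser finds attachment names through the two headers the recipe above looks for, including folded headers and RFC 2231 encoded parameters (filename*=) that a single-line header regex misses. The message and the extension set are constructed here; the set is a small subset of the recipe's list.

```python
import email
from email import policy

# Constructed subset of the extensions the recipe above blocks.
DANGEROUS_EXT = {"exe", "js", "vbs", "bat", "cmd", "scr", "jar", "zip", "7z"}

def attachment_names(raw: bytes) -> list:
    """Return every attachment file name declared in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back to
        # Content-Type name=, after unfolding and decoding RFC 2231 parameters.
        name = part.get_filename()
        if name:
            names.append(name)
    return names

def dangerous_names(raw: bytes) -> list:
    """File names whose last extension (case-insensitive) is blocked."""
    return [n for n in attachment_names(raw)
            if n.rsplit(".", 1)[-1].lower() in DANGEROUS_EXT]

# Constructed sample: a folded Content-Disposition header, an RFC 2231
# encoded file name, and a part that only carries Content-Type name=.
SAMPLE = b"""From: sender@example.invalid
Subject: test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="invoice.EXE"

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''report%2Ejs

AAAA
--b1
Content-Type: application/pdf; name="notes.pdf"

AAAA
--b1--
"""
```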
When executing /etc/procmailrc, procmail is running setuid root. Postfix doesn't like that.

The simplest solution is to put DROPPRIVS=yes somewhere above the delivering action. Perhaps like this:

    # below the last :0fw filter, of course
    :0cw
    | $DELIVER
    DROPPRIVS=yes
    # unprivileged actions here
    :0
    ! spam@localhost

Because you seem to end up delivering to spam@localhost in any case, I took out the conditions.