[Dovecot] question about scripts sieves

Stan Hoeppner stan at hardwarefreak.com
Fri May 21 19:07:54 EEST 2010


fakessh put forth on 5/21/2010 7:22 AM:
> hello list
> hello dovecot network
> hello all the reader
> 
> here is a sieve script

<snip>

> I tested that emails are not from japan and korea
> I would like to add one condition: 
> that is, the emails from japan or korea who are destined for which I am
> mailing subscriber does not end up in Junk
> and I do the same test in the header: contains "Content-Type"

First, why aren't you rejecting spam outright with your MTA at SMTP time
instead of accepting it and filing into the junk folder?  Always reject spam
at SMTP if at all possible, or drop spam connections at the firewall.

Second, _never_ reject spam in a sieve script.  It creates backscatter bounces
to innocent 3rd parties whose addresses were forged as the sender or just
clogs you with NDAs if the sender addresses are bogus.

For mailing list subscriptions filter on "List Id: xxxxxxx" and fileinto the
appropriate list mail folders.  Stick an entry in your MTA whitelist for the IP
addresses or RHS domain names of the Japanese and Korean list servers you are
subscribed to.  Then block .jp and .kr with a REGEX, PCRE, or ipdeny cidr
file.  For a hash whitelist and pcre blacklist in Postfix, you can use
something like this to whitelist the listservs and block all other sending
hosts with rDNS ending in .jp and .kr:

/etc/postfix/main.cf
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_client_access hash:/etc/postfix/whitelist
        check_client_access pcre:/etc/postfix/ptr-tld.pcre
        ....

/etc/postfix/whitelist
...
example.listserv.jp	OK
example.listserv.kr	OK
...

/etc/postfix/ptr-tld.pcre
...
/^.*?(kr|jp)$/i 550 We do not accept mail from .$1 domains
...

Doing this eliminates the possibility of backscatter spam because the inbound
spam is rejected at SMTP time, returning an error code to the sending MTA,
_NOT_ a bounce to the sender address, which is usually forged with an innocent
third party's address.

I kill all my spam with Postfix, my MX MTA, at SMTP time, as you should.  I
use sieve strictly to sort mail into the proper folders.  If you'd like tips
on fighting spam with your MTA, I suggest joining the mailing list for your
MTA, or joining a spam fighting or mail operators list such as spam-l, mailop,
or maybe even NANAE, although from what I understand NANAE can require a thick
skin, and there's a ton o' traffic.  Also read the documentation and howto's for
your MTA.

I guess I'm in a sharing mood this Friday.  Below is my Postfix spam fighting
config, not including lookup table contents for the draconian local black
lists (which are _very_ large).  The complete config kills over 97% of inbound
spam _without_ using content filters of any kind.  It rejects strictly based
upon sending host IP address, rDNS characteristics, bad HELO, certain header
stamps, for instance a 41.x.x.x IP anywhere in the received header, IP or
domain listing in two Spamhaus zones, and finally via super selective
greylisting.

Most of the magic is in 3 lookup tables, fqrdns.regexp, countries.cidr, and
spammer.cidr.  Countries is an ipdeny cidr list of about 8 or 9 countries' IP
space, mostly in Eastern Europe and Asia, West Africa, one in Central America.
Spammer.cidr is mostly US based snowshoe networks but probably paints with
too broad a brush for general use at most sites.  The regexp file is about
1500 fully qualified rDNS patterns matching mostly dynamic IP ranges worldwide
and is very safe for anyone to use.  The other two are pretty draconian.
Here's a copy of the regexp table if anyone wants to try it out.  I actually
received it from another mail OP a while back and I'm pretty pleased with its
performance and zero FP rate.  It should work on any MTA with POSIX regular
expression support:
http://www.hardwarefreak.com/fqrdns.regexp

My Postfix anti spam config:

cidr=cidr:/etc/postfix/cidr_files
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/whitelist
        check_sender_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/blacklist
        check_client_access proxy:regexp:/etc/postfix/fqrdns.regexp
        check_client_access pcre:/etc/postfix/ptr-tld.pcre
        check_client_access proxy:${cidr}/countries
        check_client_access proxy:${cidr}/spammer
        check_client_access proxy:${cidr}/misc-spam-srcs
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        reject_rbl_client zen.spamhaus.org
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        check_policy_service inet:127.0.0.1:60000


Here's my sieve script, which strictly sorts valid mail, mostly list mail,
after Postfix kills the spam:


require "fileinto";

if false {}

elsif header :contains "List-Id" "linux-ide.vger.kernel.org" {
        fileinto "1-Linux-IDE";
        stop;
}
elsif header :contains "List-Id" "XFS" {
        fileinto "1-XFS";
        stop;
}
elsif header :contains "List-Post" "postfix-users@postfix.org" {
        fileinto "1-Postfix-Users";
        stop;
}
elsif header :contains "List-Id" "users.lists.roundcube.net" {
        fileinto "1-Roundcube";
        stop;
}
elsif header :contains "List-Id" "dovecot.dovecot.org" {
        fileinto "1-Dovecot";
        stop;
}
elsif address :contains "to" "postmaster@hardwarefreak.com" {
        fileinto "Postmaster";
        stop;
}
elsif header :contains "Received" "for <postmaster@hardwarefreak.com>" {
        fileinto "Postmaster";
        stop;
}
elsif header :contains "List-Id" "debian-user.lists.debian.org" {
        fileinto "1-Debian-Users";
        stop;
}
elsif header :contains "List-Id" "spam-l.spam-l.com" {
        fileinto "1-Spam-l";
        stop;
}
elsif header :contains "List-Id" "samba.lists.samba.org" {
        fileinto "1-Samba";
        stop;
}
else {
        fileinto "INBOX";
}


-- 
Stan
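
The whitelist-before-PCRE ordering described in the message above, as an added example that is not part of the original post: a small Python model (not Postfix code) of how the two check_client_access tables are consulted in turn. It assumes the hash table also matches parent domains of the client host name and that patterns match case-insensitively; the host names and the evaluate() helper are constructed for illustration.

```python
import re

# Constructed tables mirroring the whitelist and ptr-tld.pcre entries quoted above.
WHITELIST = {"example.listserv.jp": "OK", "example.listserv.kr": "OK"}
PTR_TLD = [(re.compile(r"^.*?(kr|jp)$", re.I),
            "550 We do not accept mail from .$1 domains")]

def hash_lookup(table, hostname):
    """Indexed-table lookup: try the full name, then each parent domain
    (assumption: parent domains match subdomains for access maps)."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def pcre_lookup(rules, hostname):
    """Pattern-table lookup: the first matching rule wins and $1 is filled in."""
    for pattern, action in rules:
        m = pattern.search(hostname)
        if m:
            return action.replace("$1", m.group(1))
    return None

def evaluate(hostname, order=("whitelist", "pcre")):
    """Walk the restrictions in order; the first table that answers decides."""
    lookups = {"whitelist": lambda h: hash_lookup(WHITELIST, h),
               "pcre": lambda h: pcre_lookup(PTR_TLD, h)}
    for name in order:
        result = lookups[name](hostname)
        if result:
            return result
    return "DUNNO"  # no table matched; later restrictions would still run

if __name__ == "__main__":
    # Constructed client host names (rDNS results), one per outcome.
    for host in ("mx1.example.listserv.jp", "dyn-10-0-0-1.isp.example.kr",
                 "mail.example.org"):
        print(f"{host:32} {evaluate(host)}")
    # Reversed order: the PCRE rule fires before the whitelist is consulted,
    # so the subscribed list server is rejected along with everything else.
    print(evaluate("mx1.example.listserv.jp", order=("pcre", "whitelist")))
```

On a live server the real tables can be queried the same way with postmap -q and the host name as the key.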

