142 lines
5.7 KiB
Text
142 lines
5.7 KiB
Text
MAILATTACH
|
|
|
|
This program starts a process which listens on the LOOPBACKv4 address for
|
|
incoming connections from postfix. The postfix master should view this as an
|
|
advanced filter as explained in their documentation for post queue filtering:
|
|
|
|
http://www.postfix.org/FILTER_README.html
|
|
|
|
The original attempt was to implement this as a pre queue filter, but this
|
|
required the milter protocol and postfix currently does not implement the
|
|
replace body function from libmilter.
|
|
|
|
You can specify the following command line options:
|
|
|
|
--abort-pgp --noabort-pgp
|
|
To either abort the attachment process if PGP encryption or signatures
|
|
have been detected or not. If true, the mail will not be modified.
|
|
|
|
--abort-dkim --noabort-dkim
|
|
To either abort the attachment process if DKIM signatures have been
|
|
detected or not. If true, the mail will not be modified.
|
|
|
|
--in-port -i
|
|
The incoming smtp port/the port from which mail is received. Defaults to
|
|
4269.
|
|
|
|
--out-port -o
|
|
The outgoing smtp port/the port to which mail ist passed through.
|
|
Defaults 4270
|
|
|
|
--directory -d
|
|
The directory inside of which the attachments will be stored in. Please
|
|
DON'T specify a / at the end!
|
|
|
|
--url -u
|
|
The base which should point to the same location as the directory does,
|
|
for exaple if the directory is /var/www/html and the URL base is
|
|
https://example.com then a file in /var/www/html/attachment01.pdf should
|
|
be linkable via https://example.com/attachment01.pdf
|
|
Ah and please, please, pretty please disable directory indexing on your
|
|
webserver!
|
|
That WILL BE a security riks!
|
|
Please don't specify a / at the end, and have the URL encoded!
|
|
|
|
--other-base64 --only-base64
|
|
Decides wether ONLY base64 encoded files should be removed from the
|
|
actual mail, or ALL files.
|
|
|
|
--minfilesize -s
|
|
The minimum file size which a file has to have before beeing attached.
|
|
Thissize is before base64 decoding if nescessary. Size is in bytes,
|
|
ONLY bytes. Do NOT prefix a M or K, it will not be parsed! Defaults to
|
|
500Kb. If 0 is specified, all files will be attached. A negative value
|
|
effectively disables us.
|
|
|
|
HOWTO
|
|
|
|
We essentially are MITM sniffing your email traffic and playing proxy from your
|
|
postfix to your postfix. That's how this is intended to work according to the
|
|
postfix website.
|
|
|
|
This program needs to be started via it's own systemd service on system boot.
|
|
You need to add the in and oputput ports to your postfix queue as described in
|
|
the link above. For example, a setup with the default values looks like this:
|
|
|
|
|-------| SMTP |-----------| SMTP |-------|
|
|
|POSTFIX| --> | MAILATTACH| --> |POSTFIX|
|
|
|-------| n 4269 |-----------| n 4270 |-------|
|
|
|
|
|
|
|
|
v
|
|
|-----------|
|
|
|Attachments|
|
|
|-----------|
|
|
|
|
POSTFIX CONFIGURATION
|
|
|
|
The following is an example postfix configuration which I deploy with opendkim
|
|
and spamassassin as well as mailattach itself:
|
|
|
|
master.cf:
|
|
|
|
smtp inet n - n - - smtpd
|
|
-o content_filter=scan:localhost:4269
|
|
-o receive_override_options=no_address_mappings,no_milters
|
|
smtps inet n - n - - smtpd
|
|
-o content_filter=scan:localhost:4269
|
|
-o receive_override_options=no_address_mappings,no_milters
|
|
... Rest of config file
|
|
scan unix - - n - 10 smtp
|
|
-o smtp_send_xforward_command=yes
|
|
-o disable_mime_output_conversion=yes
|
|
-o smtp_tls_security_level=none
|
|
localhost:4270 inet n - n - 10 smtpd
|
|
-o content_filter=spamassassin
|
|
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
|
|
-o smtpd_helo_restrictions=
|
|
-o smtpd_client_restrictions=
|
|
-o smtpd_sender_restrictions=
|
|
# Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
|
|
-o smtpd_relay_restrictions=
|
|
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
|
-o mynetworks=127.0.0.0/8
|
|
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
|
|
-o smtp_tls_security_level=none
|
|
spamassassin unix - n n - - pipe
|
|
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}
|
|
|
|
|
|
Of course your configuration may vary, but I will try to explain some parts
|
|
which are important:
|
|
|
|
- In the first two smtp/smtps commands the no_milters option has been specified.
|
|
This was done to avoid dkim signing of the incoming email before it's
|
|
attachments have been removed. The same goes for the localhost:4270 service.
|
|
|
|
- The no_address_mappings options have been specified because "This is
|
|
typically specified BEFORE an external content filter. ". It disables address
|
|
macro expansion.
|
|
|
|
- The smtp_tls_security_level=none options in the scan and localhost:4720
|
|
services prevent postfix from starting a TLS connection via the STARTTLS
|
|
command. Note that this is ONLY INTERNALLY. It will receive external
|
|
STARTTLS connections.
|
|
|
|
The remaining configuration options have been more or less taken from the
|
|
postfix manual and are explained in more depth there:
|
|
|
|
http://www.postfix.org/FILTER_README.html
|
|
|
|
DIRECTORY CLEANING
|
|
|
|
If you want to regularly purge old files from the directory, you can start the
|
|
shell script clean.sh in this repository via a chron job. It will by default
|
|
remove all files older than 10 days. If you want to write your own shell script
|
|
or let something else do the job for you, the directories where files are stored
|
|
are structured like this:
|
|
2020-01-01T1430-3893482323323
|
|
^DATE ^TIME^RANDOM NUMBER
|
|
|
|
The random number at the end consists of several signed integers, therefore it
|
|
sometimes has one or more - in it.
|