initial commit

author: Sam Chudnick <sam@chudnick.com> 2023-07-02 19:04:30 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-07-02 19:04:30 -0400
commit: 724d877995dfcc10c462a18dcb4ea6c8b60c2d03 (patch)
tree: 270537b8fca585717c1ffa7708e492593f7b2ed5 /roles/postfix/files
2 files changed, 13 insertions, 0 deletions
diff --git a/roles/postfix/files/body_checks b/roles/postfix/files/body_checks
new file mode 100644
index 0000000..795c922
--- /dev/null
+++ b/roles/postfix/files/body_checks
@@ -0,0 +1,2 @@
+#Block iframe vulnerability
+/<iframe/ REJECT
diff --git a/roles/postfix/files/header_checks b/roles/postfix/files/header_checks
new file mode 100644
index 0000000..f655904
--- /dev/null
+++ b/roles/postfix/files/header_checks
@@ -0,0 +1,11 @@
+#Block attachments with executable extensions
+/name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
+# Block message/partial vulnerability
+/message\/partial/ REJECT
+# CVE-2022-1328 mitigation - block messages with uuencode
+/^Content-Transfer-Encoding:.*uuencode.*/       REJECT
+# Remove Received string that is created when spamassassin reinjects message into postfix
+# This is to prevent leaking the userid of the spamassassin user
+/^Received:.*userid.*/  IGNORE
+# Remove User-Agent strings from headers
+/^User-Agent: .*/       IGNORE
author	Sam Chudnick <sam@chudnick.com>	2023-07-02 19:04:30 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-07-02 19:04:30 -0400
commit	724d877995dfcc10c462a18dcb4ea6c8b60c2d03 (patch)
tree	270537b8fca585717c1ffa7708e492593f7b2ed5 /roles/postfix/files

diff --git a/roles/postfix/files/body_checks b/roles/postfix/files/body_checks new file mode 100644 index 0000000..795c922 --- /dev/null +++ b/roles/postfix/files/body_checks
@@ -0,0 +1,2 @@
	1	#Block iframe vulnerability
	2	/<iframe/ REJECT


diff --git a/roles/postfix/files/header_checks b/roles/postfix/files/header_checks new file mode 100644 index 0000000..f655904 --- /dev/null +++ b/roles/postfix/files/header_checks
@@ -0,0 +1,11 @@
	1	#Block attachments with executable extensions
	2	/name=[^>]*\.(exe\|pif\|com\|dll\|vbs\|bat\|sh\|bash\|so\|zip\|tar\|gz\|cpio)/ REJECT
	3	# Block message/partial vulnerability
	4	/message\/partial/ REJECT
	5	# CVE-2022-1328 mitigation - block messages with uuencode
	6	/^Content-Transfer-Encoding:.uuencode./ REJECT
	7	# Remove Received string that is created when spamassassin reinjects message into postfix
	8	# This is to prevent leaking the userid of the spamassassin user
	9	/^Received:.userid./ IGNORE
	10	# Remove User-Agent strings from headers
	11	/^User-Agent: .*/ IGNORE