Postfix check outgoing mail for spam

Below is a config "stub" for also checking outgoing messages.

In main.cf:

smtpd_sender_restrictions = 
   check_client_access cidr:/etc/postfix/internal_clients_filter

And: /etc/postfix/internal_clients_filter

192.168.0.0/24 FILTER smtp:[127.0.0.1]:12501
10.0.0.0/24 FILTER smtp:[127.0.0.1]:12501

(You could also do this in other ways: for logged-in users, IP, from, etc.)

Use a policy bank in Amavisd-new:

$interface_policy{'12501'} = 'INTERNAL'; 
$policy_bank{'INTERNAL'} = {  # mail originating from clients in cidr:/etc/postfix/internal_clients_filter
  bypass_spam_checks_maps   => [0],  # spam-check outgoing mail 
  bypass_banned_checks_maps => [0],  # banned-check outgoing mail 
  bypass_header_checks_maps => [0],  # header-check outgoing mail  
  forward_method => 'smtp:[127.0.0.1]:12502', # relay to Postfix listener on port 12502
};

And the reinject path in postfix:

127.0.0.1:12502 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

This is an old question but I thought I would share some configuration that allows use of an outbound Procmail filter. Firstly, in master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
  -o content_filter=procmail-outbound

procmail-outbound unix  -       n       n       -       -       pipe
  flags=Rq user=mail argv=/usr/bin/procmail -t -m SENDER=${sender} RECIPIENT=${recipient} /etc/procmail/outbound.rc

and then you can run whatever procmail recipes you need in outbound.rc before reinjecting the processed message with sendmail, like the example recipe below does:

# Send mail
:0 w
| /usr/bin/sendmail -G -i -f $SENDER $RECIPIENT

(Note the example accepts mail on the submission service (port 587) rather than the smtp service which is for relaying and delivery.)


Your clients send mail using an smtp server - presumably that is this postfix server.

Outgoing mail gets passed through Postfix's smtp transport, and the config above is passing that all through amavisd via the content_filter - so I think your outbound mail is getting processed already.

I suggest you test to satisfy yourself whether this is the case.

If the server is not very busy, you can tail your maillog and watch what happens when you send a test message containing the GTUBE string (XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X). Amavisd/SpamAssassin should catch the message. If so, then you know your mail is being scanned on the way out.
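
To go with the maillog test suggested in the last answer, here is an added example (not part of any answer above) that scans Postfix log lines for mail from the internal networks in the first answer's CIDR table that was delivered without being handed to the amavisd listener on port 12501. The log lines are constructed and simplified, and the host names, queue IDs and the function name are assumptions.

```python
import ipaddress
import re

# Networks and filter port as configured in the first answer on this page.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.0.0.0/24")]
FILTER_RELAY = "127.0.0.1[127.0.0.1]:12501"  # amavisd INTERNAL policy bank

# Constructed, simplified maillog lines (not captured from a real server).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[2340]: 4A1B2C3D4E: client=pc5.lan[192.168.0.5]
Jan 10 12:00:02 mx postfix/smtp[2345]: 4A1B2C3D4E: to=<bob@example.org>, relay=127.0.0.1[127.0.0.1]:12501, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=02345-01 - spam)
Jan 10 12:05:10 mx postfix/smtpd[2350]: 7E8F9A0B1C: client=pc9.lan[10.0.0.9]
Jan 10 12:05:11 mx postfix/smtp[2355]: 7E8F9A0B1C: to=<eve@example.net>, relay=mx.example.net[203.0.113.7]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan 10 12:06:00 mx postfix/smtpd[2360]: 2D3E4F5A6B: client=localhost[127.0.0.1]
Jan 10 12:06:01 mx postfix/smtp[2365]: 2D3E4F5A6B: to=<bob@example.org>, relay=mx.example.org[198.51.100.3]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Assumes short (hex) queue IDs; the optional path part covers syslog_name values
# such as postfix/submission.
CLIENT_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9a-fA-F.:]+)\]")
RELAY_RE = re.compile(r"postfix/(?:\S+/)?smtp\[\d+\]: ([0-9A-F]+): to=<[^>]*>, relay=([^,]+),")


def unfiltered_internal_mail(log_text):
    """Return [(queue_id, client_ip, relay)] for internal-client mail that skipped amavisd."""
    clients, findings = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = RELAY_RE.search(line)
        if not m:
            continue
        qid, relay = m.groups()
        ip = clients.get(qid)
        if ip is None or not any(ip in net for net in INTERNAL_NETS):
            continue  # reinjected (127.0.0.1) or external mail: not covered by the filter table
        if relay != FILTER_RELAY:
            findings.append((qid, str(ip), relay))
    return findings


if __name__ == "__main__":
    for qid, ip, relay in unfiltered_internal_mail(SAMPLE_LOG):
        print(f"{qid}: client {ip} delivered via {relay} without passing the filter")
```
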