Postfix check outgoing mail for spam

Solution 1:

Below is a config "stub" for also checking outgoing messages.

In main.cf:

smtpd_sender_restrictions = 
   check_client_access cidr:/etc/postfix/internal_clients_filter

And: /etc/postfix/internal_clients_filter

192.168.0.0/24 FILTER smtp:[127.0.0.1]:12501
10.0.0.0/24 FILTER smtp:[127.0.0.1]:12501

(you could also do this in other ways for logged in users, ip, from etc..)

Use a policybank in Amavisd-new:

$interface_policy{'12501'} = 'INTERNAL'; 
$policy_bank{'INTERNAL'} = {  # mail originating from clients in cidr:/etc/postfix/internal_clients_filter
  bypass_spam_checks_maps   => [0],  # spam-check outgoing mail 
  bypass_banned_checks_maps => [0],  # banned-check outgoing mail 
  bypass_header_checks_maps => [0],  # header-check outgoing mail  
  forward_method => 'smtp:[127.0.0.1]:12502', # relay to Postfix listener on port 12502
};

And the reinject path in postfix:

127.0.0.1:12502 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Solution 2:

This is an old question but I thought I would share some configuration that allows use of an outbound Procmail filter. Firstly, in master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
  -o content_filter=procmail-outbound

procmail-outbound unix  -       n       n       -       -       pipe
  flags=Rq user=mail argv=/usr/bin/procmail -t -m SENDER=${sender} RECIPIENT=${recipient} /etc/procmail/outbound.rc

and then you can run whatever procmail recipes you need in outbound.rcbefore reinjecting the processed message with sendmail like the below example recipe does:

# Send mail
:0 w
| /usr/bin/sendmail -G -i -f $SENDER $RECIPIENT

(Note the example accepts mail on the submission service (port 587) rather than the smtp service which is for relaying and delivery.)