The Postfix mail server is a popular and highly configurable Mail Transfer Agent (MTA) used for routing and delivering email messages within a network or across the internet. Similar to the Sendmail MTA, it can use Milter (protocol) to scan incoming emails for spam or malware. On incoming emails, compatible MTAs use the Milter protocol to communicate with an extra service, which also speaks the Milter protocol. This extra service scans the email and responds with its findings. Based on the response of the extra service the MTA can filter, discard, or quarantine the email. postfix2thunderstorm is a free and open-source implementation of a Milter Service which allows you to scan emails using THOR Thunderstorm. Read more about this in the following blog post
Requires Go >= 1.20
go build -o postfix2thunderstorm cmd/main/main.go./postfix2thunderstorm -h-config string
Config filepath (default "./p2t.config.yaml")
-debug
Debug flag
./postfix2thunderstorm --config p2t.config.yamlBelow is an example configuration that can be used with postfix2thunderstorm
log_filepath: ./postfix2thunderstorm.log # log filepath
max_filesize_bytes: 50_000_000 # max size in bytes
active_mode: true # if true mails are quarantied based on 'quarantine_expression', else its in 'passive-mode'
milter_host: localhost # host to listen on, postfix will connect here
milter_port: 11337 # port to listen on
thorthunderstorm_url: http://localhost:8080/api/check # Thor Thunderstorm endpoint
quarantine_expression: one(Matches, {.Subscore > 90}) or FullMatch.Score > 90 # Expression (https://github.com/antonmedv/expr) used for deciding if email should be quarantined
# Objects (e.g., '.Subscore' and FullMatch) to work with can be found in "milter.go:16"There is an automatic log file rotation (~ 3 months of logs):
- MaxSize: 500 megabytes
- MaxBackups: 3
- MaxAge: 31 days
It might be a good idea to monitor the log file for level warning and error messages.
Notably you want to look for warning level lines with the following message:
msg:"Finding"--> THOR Thunderstorm found something suspiciousmsg:"Quarantined email"--> THOR Thunderstorm found something and thequarantine_expressiontriggered.
Postfix will place quarantined mails into its "hold" queue where they can be inspected and released or deleted.
Tested with version 3.6.4 - but should work with any recent version.
Add the follwoing to your Postfix config (/etc/postfix/main.cf) and restart it:
# See https://www.postfix.org/MILTER_README.html for more information
smtpd_milters = inet:<IP>:<Port> # IP/Port of host where the postfix2thunderstorm service is running (might be a good idea to make it the localhost (or use TLS))
milter_default_action = accept # default action in case of error/timeout/...