Re: smtpd_data_restrictions vs header_checks (sequence of execution)

From: Eddy Beliveau (eddy.beliveauhec.ca)
Date: Fri May 02 2008 - 14:08:14 CDT


>> Eddy Beliveau wrote:
>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
>> execution)
...cut...
>> smtpd_data_restrictions =
>> check_sender_access ldap:ldap_add_header
>> ldap_add_header_query_filter = (mail=%s)
>> ...cut...
>> ldap_add_header_result_attribute = privileges
>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>> But, I also want to be sure to remove any forged similar header
>> so, I added this rule to my header_checks file:
>> /^X-Sender-Privileges:/ IGNORE
...cut...
>> It seems that "smtpd_data_restrictions" is executed before the header_checks
>> step.

"Noel Jones" <njonesmegan.vbhcs.org> replies:
> Right, smtpd_*_restrictions happen before header/body checks (with the
> exception of smtpd_end_of_data_restrictions which can't add headers).
> ...cut...
> - have the pre-amavis postfix remove forged headers, and the post-amavis
> postfix add your headers. This would require either multiple postfix
> instances, or defining multiple cleanup services in master.cf.

Hi Noel,

Many thanks for your reply.

Currently, emails received by postfix (port 25) are passed to smtp-amavis
(127.0.0.1:10024), which passes them back to postfix (127.0.0.1:10025) for
final delivery with lmtp/smtp.

Here is part of what my current master.cf says:
smtp inet n - n - - smtpd
        -o receive_override_options=no_address_mappings

cleanup unix n - n - 0 cleanup
lmtp unix - - n - - lmtp
smtp unix - - n - - smtp

smtp-amavis unix - - n - 10 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookup=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

My current header_checks file contains:
/^X-Sender-Privileges:/ IGNORE

I like your multiple cleanup solution.
Do you mean the following:

smtp inet n - n - - smtpd
        -o receive_override_options=no_address_mappings
        -o cleanup_service_name=pre-cleanup
        -o smtpd_data_restrictions=

pre-cleanup unix n - n - 0 cleanup

cleanup unix n - n - 0 cleanup
       -o header_checks=

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
## -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

Thanks again,
Eddy
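The following is an added model of the two header pipelines discussed in this thread; it is not part of the original post and not Postfix code. It assumes a hypothetical sender-to-privilege table standing in for the ldap:ldap_add_header lookup and a constructed inbound message carrying a forged privilege header, and shows why the single-cleanup order strips the trusted header while the pre-cleanup/cleanup split keeps it.

```python
import re

# Constructed sample inbound message (header lines only). The forged header is
# deliberately lower-cased to exercise the case-insensitive header_checks match.
FORGED_MESSAGE = [
    "From: attacker@example.invalid",
    "x-sender-privileges: admin",
    "Subject: hello",
]

# Hypothetical stand-in for the ldap:ldap_add_header table keyed on the sender.
SENDER_PRIVILEGES = {"alice@example.invalid": "internal"}

# Mirrors "/^X-Sender-Privileges:/ IGNORE". Postfix regexp header_checks match
# case-insensitively by default, so the lower-cased forgery is caught as well.
IGNORE_PATTERN = re.compile(r"^X-Sender-Privileges:", re.IGNORECASE)


def header_checks(headers):
    """Apply the IGNORE rule: drop every header line matching the pattern."""
    return [h for h in headers if not IGNORE_PATTERN.match(h)]


def prepend_privileges(headers, sender):
    """Mirror check_sender_access ... PREPEND X-Sender-Privileges: %s."""
    priv = SENDER_PRIVILEGES.get(sender)
    if priv is None:
        return list(headers)
    return [f"X-Sender-Privileges: {priv}"] + list(headers)


def single_cleanup(headers, sender):
    """Original setup: smtpd_data_restrictions PREPENDs first, then the one
    cleanup service runs header_checks, which also removes the trusted header."""
    return header_checks(prepend_privileges(headers, sender))


def split_cleanup(headers, sender):
    """Proposed setup: pre-cleanup runs header_checks before amavis; the
    post-amavis smtpd PREPENDs and its cleanup has header_checks disabled."""
    return prepend_privileges(header_checks(headers), sender)


def privilege_headers(headers):
    """Return the X-Sender-Privileges lines left in the final message."""
    return [h for h in headers if IGNORE_PATTERN.match(h)]


if __name__ == "__main__":
    print(single_cleanup(FORGED_MESSAGE, "alice@example.invalid"))
    print(split_cleanup(FORGED_MESSAGE, "alice@example.invalid"))
```

Because `-o header_checks=` on the post-amavis cleanup empties that parameter for the whole path, any other header_checks rules from main.cf also stop applying there; the model only covers the X-Sender-Privileges rule.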