Re: smtpd_data_restrictions vs header_checks (sequence of execution)

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri May 02 2008 - 15:30:18 CDT


Eddy Beliveau wrote:
>>> Eddy Beliveau wrote:
>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
>>> execution)
> ...cut...
>>> smtpd_data_restrictions =
>>> check_sender_access ldap:ldap_add_header
>>> ldap_add_header_query_filter = (mail=%s)
>>> ...cut...
>>> ldap_add_header_result_attribute = privileges
>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>>> But, I also want to be sure to remove any forged similar header
>>> so, I added this rule to my header_checks file:
>>> /^X-Sender-Privileges:/ IGNORE
> ...cut...
>>> It seems that "smtpd_data_restrictions" is executed before the
>>> header_checks step.
>
> "Noel Jones" <njonesmegan.vbhcs.org> replies:
>> Right, smtpd_*_restrictions happen before header/body checks (with the
>> exception of smtpd_end_of_data_restrictions which can't add headers).
>> ...cut...
>> - have the pre-amavis postfix remove forged headers, and the
>> post-amavis postfix add your headers. This would require either
>> multiple postfix instances, or defining multiple cleanup services in
>> master.cf.
>
>
> Hi Noel,
>
> Many thanks for your reply.
>
> Currently, emails received by postfix (port 25) are passed to
> smtp-amavis (127.0.0.1:10024),
> which passes them back to postfix (127.0.0.1:10025) for final delivery
> with lmtp/smtp
>
...
> My current header_checks file contains:
> /^X-Sender-Privileges:/ IGNORE
>
>
> I like your multiple cleanup solution.
> Do you mean the following:

Now that I think about it a little more, since you're using
no_header_body_checks on the post-amavisd postfix
127.0.0.1:10025 all you need to do is tell
smtpd_data_restrictions on the post-amavisd postfix to add
your header. The IGNORE header check won't be run a second time.

This means you don't need to mess with the
cleanup_service_name overrides or multiple cleanup services,
making it just a little simpler.

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

--
Noel Jones
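Added illustration, not part of the original thread or of Postfix itself: a small Python model of the processing order discussed above (smtpd_data_restrictions PREPEND runs in smtpd, header_checks IGNORE runs afterwards in cleanup, and no_header_body_checks skips that cleanup step). It shows why the single-instance setup strips the header it just added, while adding it on the 127.0.0.1:10025 instance keeps the trusted header and still drops a client-forged one. The LDAP lookup is replaced by a constructed dictionary and the messages are constructed samples.

```python
import re

HEADER = "X-Sender-Privileges"
# header_checks pattern /^X-Sender-Privileges:/ IGNORE (tables are case-insensitive)
IGNORE_RE = re.compile(r"^X-Sender-Privileges:", re.IGNORECASE)

# Constructed stand-in for the ldap:ldap_add_header table (mail=%s -> privileges).
PRIVILEGES = {"alice@example.com": "internal"}


def smtpd_data_restrictions(envelope_sender, headers):
    """check_sender_access with a PREPEND result, applied by smtpd before cleanup."""
    priv = PRIVILEGES.get(envelope_sender.lower())
    if priv is None:
        return list(headers)
    return [f"{HEADER}: {priv}"] + list(headers)


def cleanup(headers, header_body_checks=True):
    """cleanup(8) applies header_checks unless the receiving smtpd passed
    receive_override_options=no_header_body_checks."""
    if not header_body_checks:
        return list(headers)
    return [h for h in headers if not IGNORE_RE.match(h)]


def single_instance(envelope_sender, headers):
    """Original setup: PREPEND and IGNORE on the same Postfix instance."""
    return cleanup(smtpd_data_restrictions(envelope_sender, headers))


def two_stage(envelope_sender, headers):
    """Suggested setup: port 25 instance only strips forged headers; after
    amavis, the 127.0.0.1:10025 instance prepends the header and its cleanup
    runs with no_header_body_checks, so IGNORE is not applied a second time."""
    pre = cleanup(headers)                                 # port 25 cleanup
    post = smtpd_data_restrictions(envelope_sender, pre)   # 10025 smtpd
    return cleanup(post, header_body_checks=False)         # 10025 cleanup


# Constructed message in which the client forged the privilege header.
FORGED = ["X-Sender-Privileges: admin", "From: alice@example.com", "Subject: hello"]

if __name__ == "__main__":
    print("single instance:", single_instance("alice@example.com", FORGED))
    print("two stage:      ", two_stage("alice@example.com", FORGED))
```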