Henk van Oers wrote:
On Sat, 14 Mar 2009, Wietse Venema wrote:
Henk van Oers:
Quote from header_checks (5):
""
DUNNO Pretend that the input line did not match any pattern,
and inspect the next input line. This action
can be used to shorten the table search.
For backwards compatibility reasons, Postfix also
accepts OK but it is (and always has been) treated
as DUNNO.
""
I was trying to use action OK to jump out of header checks.
That is: not only skip the next patterns, but also the next
input lines.
According to the above documentation, Postfix does not work that
way.
Whitelisting based on a single header line is unsafe.
I know. Spammers can insert/spoof whatever.
Doing a proper job requires an external content filter.
I want to reject as much as possible, so I have a header_checks file.
To bypass the header check for trusted senders I tried:
if /^Return-Path:/
/trusted_sender/ OK
endif
As I now understand it, I have to put this header check in a
separate file and the other header_check file will be ignored.
Right?
No, using multiple header_checks files changes nothing.
There is no bypass method for header_checks. You can bypass
further checks *for an individual line* by using DUNNO (or the
deprecated form OK), but subsequent lines will still be
checked. This is not configurable.
The header_checks feature is a blunt tool intended for checks
safe for all your mail. If you need finer control, there are
other tools to use: content_filter, smtpd_proxy_filter, or
milters. All mail is subject to header_checks, so don't use
checks not appropriate for everybody.
And all the above applies to body_checks too.
This behavior is not likely to be changed anytime soon.
It is possible to use separate header_checks and body_checks
for the submission service in master.cf. See the archives for
details. I think an example was posted about 10 days ago.
History lesson:
Back in the dark ages, Postfix header_checks documentation
listed OK as the action verb to bypass further checks *on that
individual header*. The use of OK raised the false
expectation that subsequent header lines would not be checked,
and led to many questions on this list about "header_checks OK
not working" when it was, in fact, working as documented and
intended. The documentation was changed to DUNNO rather than
OK in the hope to not raise false expectations, but the
behavior of Postfix has not changed.
-- Noel Jones
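
Added example, not part of the original thread and not Postfix code: a simplified Python model of the per-line lookup described above, showing that OK (treated as DUNNO) on a Return-Path line does not stop a later Subject line from being rejected. The Subject rule, the sample message and all function names are constructed for illustration; only the DUNNO/OK and REJECT actions are modeled.

```python
import re

# Constructed table in header_checks(5) regexp style; the Subject rule is an assumption.
TABLE = """\
if /^Return-Path:/
/trusted_sender/ OK
endif
/^Subject:.*cheap pills/ REJECT spam subject
"""

# Constructed sample message headers.
MESSAGE = [
    "Return-Path: <trusted_sender@example.com>",
    "Subject: cheap pills",
]

def parse(table):
    """Return a list of (guard_or_None, pattern, action) rules."""
    rules, guard = [], None
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("if "):
            guard = re.compile(line[3:].strip().strip("/"), re.I)
        elif line == "endif":
            guard = None
        else:
            m = re.match(r"/(.+)/\s+(\S+)", line)
            rules.append((guard, re.compile(m.group(1), re.I), m.group(2).upper()))
    return rules

def check_line(rules, header):
    """Look up ONE header line; the first matching pattern decides."""
    for guard, pattern, action in rules:
        if guard is not None and not guard.search(header):
            continue
        if pattern.search(header):
            # OK is treated as DUNNO: it ends the table search for this line only.
            return "DUNNO" if action == "OK" else action
    return "DUNNO"

def check_message(rules, headers):
    """Each header line gets its own lookup; no result carries over to later lines."""
    for header in headers:
        if check_line(rules, header) == "REJECT":
            return ("REJECT", header)
    return ("ACCEPT", None)

RULES = parse(TABLE)
if __name__ == "__main__":
    print(check_message(RULES, MESSAGE))
```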