Steffen Nurpmeso via Postfix-users: > Keith wrote in > <bd099fc3eb840e7fa6007ff1d92ec6735841bde5.ca...@soondae.co.uk>: > |Hmm Policy Server. Do I have to install one and read the Man Pages? > | > |Then again I might take heart from the suggestion that this has been > |done before although the mention of blocklisting and coloured flags > |suggests others decided it was a bad idea. > | > |I get that cause for concern but, to me, it might arise because... > | > |//.burp\ -h -a --plorp -s 1038 ->./zed*\|+z furble > | > |would be nonsensical to a Facebook user. Also likely to apply to > |Mastodon users. > | > |Obviously we all copy and paste random stuff from the Web into our > |config files because that works until it doesn't and we kept a backup. > > I must admit i do not truly grasp your message. > The op wants to be able to reject the one emails, and to block IPs > of others which match something, if i understood this correctly. > This i think can be done with a "policy server" or a milter, > parsing logs is too late. I would say policy is much cheaper and > easier than milter in terms of CPU cycles and usage. > > So.. i do not know, actually, whether there exists an "easily > accessible proxy" already, like say one that readily prepares the > KEY=VALUE pairs of the protocol to make them accessible for > example to a shell script, (or a shell function, ie, one shell > instance from start to stop; i-should-go-more-lua, btw), and then > supports things like postfix itself, for example "REJECT" or > "RUN-SCRIPT" .. or whatever. That would be cool. > If so, it would be *cool* if that would become a postfix companion > and part of it! (RUN-SCRIPT would then change user and group id > etc, likely.)
For policy delegation, it's already there. The example in https://www.postfix.org/SMTPD_POLICY_README.html uses the Postfix built-in spawn(8) daemon, to run a policy server on-demand and as an unprivileged user. The policy protocol is brain-dead simple (apart from %hex encoding of weird strings). The script should run in a loop so that the same process can be reused multiple times until the Postfix SMTP daemon closes the connection. For header_checks, one could use the tcp_table and socketmap protocols, but the Postfix lookup table interface supports only one query attribute per request. For complex policies that require real-time responses and that look at the envelope and message content, I still recommed using a milter. Wietse _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
