Wietse Venema via Postfix-users wrote in
<[email protected]>:
|Steffen Nurpmeso via Postfix-users:
|> Keith wrote in
|> <[email protected]>:
|>|Hmm Policy Server. Do I have to install one and read the Man Pages?
...
|> The op wants to be able to reject the one emails, and to block IPs
|> of others which match something, if i understood this correctly.
|> This i think can be done with a "policy server" or a milter,
|> parsing logs is too late. I would say policy is much cheaper and
|> easier than milter in terms of CPU cycles and usage.
|>
|> So.. i do not know, actually, whether there exists an "easily
|> accessible proxy" already, like say one that readily prepares the
|> KEY=VALUE pairs of the protocol to make them accessible for
|> example to a shell script, (or a shell function, ie, one shell
|> instance from start to stop; i-should-go-more-lua, btw), and then
|> supports things like postfix itself, for example "REJECT" or
|> "RUN-SCRIPT" .. or whatever. That would be cool.
|> If so, it would be *cool* if that would become a postfix companion
|> and part of it! (RUN-SCRIPT would then change user and group id
|> etc, likely.)
|
|For policy delegation, it's already there. The example in
|https://www.postfix.org/SMTPD_POLICY_README.html uses the Postfix
|built-in spawn(8) daemon, to run a policy server on-demand and as
|an unprivileged user.
|
|The policy protocol is brain-dead simple (apart from %hex encoding
|of weird strings). The script should run in a loop so that the same
After the shock .. this hopefully only applies to "ccert_*"
attributes as the README says.
|process can be reused multiple times until the Postfix SMTP daemon
|closes the connection.
So this strips the mentioned postfix example to a core that should
run (untested), with only the necessity to fill in the function
fullfill_your_desire(). A pity it is not lua, maybe sometimes
before autumn i could create the same as a lua script, and post it
to this thread just for fun?!?
#!/usr/bin/env perl
use Sys::Syslog qw(:DEFAULT setlogsock);
$verbose = 0;
$syslog_socktype = 'unix'; # inet, unix, stream, console
$syslog_facility="mail";
$syslog_options="pid";
$syslog_priority="info";
sub fullfill_your_desire {
return "dunno";
}
sub fatal_exit {
my($first) = shift(@_);
syslog "err", "fatal: $first", @_;
exit 1;
}
setlogsock $syslog_socktype;
openlog $0, $syslog_options, $syslog_facility;
while ($option = shift(@ARGV)) {
if ($option eq "-v") {
$verbose = 1;
} else {
syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]",
$option, $0;
exit 1;
}
}
select((select(STDOUT), $| = 1)[0]);
while (<STDIN>) {
if (/([^=]+)=(.*)\n/) {
$attr{substr($1, 0, 512)} = substr($2, 0, 512);
} elsif ($_ eq "\n") {
if ($verbose) {
for (keys %attr) {
syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
}
}
fatal_exit "unrecognized request type: '%s'", $attr{request}
unless $attr{"request"} eq "smtpd_access_policy";
$action = fullfill_your_desire();
syslog $syslog_priority, "Action: %s", $action if $verbose;
print STDOUT "action=$action\n\n";
%attr = ();
} else {
chop;
syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_;
}
}
|For header_checks, one could use the tcp_table and socketmap
|protocols, but the Postfix lookup table interface supports only one
|query attribute per request.
|
|For complex policies that require real-time responses and that look
|at the envelope and message content, I still recommed using a milter.
...
--End of <[email protected]>
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems o be:
| Total war - shortest war -> Permanent war - everlasting war
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]