Victor Duchovni:
> On Sat, Jun 13, 2009 at 01:09:49AM +0200, mouss wrote:
> 
> > by default:
> > 
> > mime_header_checks = $header_checks
> > nested_header_checks = $header_checks
> > 
> > so header_checks apply to more than 822 headers.
> > 
> > > I'm
> > > not sure if this is a bug/'feature' - but to have to keep commenting out
> > > certain rules to get them sent is a minor hassle.
> > 
> > I personally only use few header_checks (reject "forged" mail, reject
> > unauthorized attachments).
> 
> I always make sure to set nested_header_checks empty, or to a separate
> table that lists only rules I am willing to enforce on the headers of
> message/rfc822 attachments.
> 
> The default value of nested_header_checks is a minor
> backwards-compatibility blemish. Perhaps this can be addressed in
> "Postfix-lite".

I think it takes more to justify the change.

Remember that the original purpose of header/body checks is to stop
malicious content in inbound email, even when that content is
embedded as a bounce message or otherwise. In this context it is
desirable to lump primary and secondary headers together, and the
built-in defaults reflect this need.

Other contexts have other needs:

- In SMTP client context, header/body checks are not meant to block
mail, but rather, they serve the purpose of content transformation.
There, it is less desirable to lump primary and secondary headers
together, as is reflected by the defaults.

- In post-Milter context, the purpose is to make decisions based
on the headers generated by Milter applications. Currently,
Milters can generate only primary message headers, so there is no
choice to be made (yet).

In any case, the question would be irrelevant if people were using
a (web-based) GUI tool that generates Postfix config files; Postfix's
built-in macro expansion is a surrogate for the automatic rules
that configuration tools tend to have.  These invisible Postfix
features do occasionally bite, as with this week's virtual alias
wild-carding example.

Postfix does currently not ship with a GUI configuration tool (I
wrote one as part of SATAN, one of the first web-based tools in
existence). There are several add-on tools and products that do
this for Postfix.

        Wietse
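
The settings discussed in this thread, as an added example that is not part of the original messages: the built-in defaults beside the two overrides Victor describes for `nested_header_checks`. The file paths and the choice of the `regexp:` table type are assumptions.

```conf
# /etc/postfix/main.cf  (paths below are assumed, not from the thread)

# Built-in defaults: a single table is applied to all three header classes.
#   header_checks        -> primary (RFC 822) message headers
#   mime_header_checks   -> MIME headers of body parts         (default: $header_checks)
#   nested_header_checks -> non-MIME headers of attached
#                           message/rfc822 parts               (default: $header_checks)
header_checks = regexp:/etc/postfix/header_checks

# Override 1: apply no header rules to the headers of attached messages,
# so forwarded mail and bounces are not matched by rules written for
# primary headers.
nested_header_checks =

# Override 2 (alternative): a separate table holding only the rules that
# should also be enforced on attached messages.
#nested_header_checks = regexp:/etc/postfix/nested_header_checks

# mime_header_checks is left at its default here, so attachment rules in
# header_checks still see Content-Type and Content-Disposition headers.
```

After `postfix reload`, `postconf nested_header_checks` prints the value actually in effect.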
