Roman Medina-Heigl Hernandez wrote:
> [snip]
>
> I'd like to drop email if *any* of the following conditions are met:
> 1/ "X-Amavis-Alert" *contains* "INFECTED" or "BANNED"
> 2/ "X-Spam-Flag" *contains* "YES"
>
> Relating your 2nd question, perhaps it's not that easy. I'm currently
> sharing MX + SMTP functionality (not a good idea, I think, but it's how I
> set this up years ago). I mean, the same port 25 is used for "receiving" mail
> for a domain (mx) and for "sending" (smtp, with sasl auth, of course). This
> means that I'm currently analyzing (amavisd-new) both "mx" *and*
> "smtp/saslauth" traffic (yes, this is suboptimal).
>
> So "outgoing" mail (from my server's perspective) could be "mx" mail (being
> relayed to the final mta), or "smtp/saslauth" mail. I don't want both kinds of
> traffic to be header-filtered, but only the first one (relayed). So I guess
> the only way is checking for the destination domain.
>
If I understand correctly, you have outbound and inbound mail both using
port 25, and you want to block outbound using header_checks. By "outbound",
I mean mail submitted from mynetworks or SASL authenticated.

If that's right, then you can use different paths for outbound and inbound
(even if both come via port 25). Below is a way to do that.

1) In master.cf, add an smtpd listener on port 10587 and an associated
cleanup service that uses your header_checks:

    cleanout  unix  n       -       n       -       0       cleanup
        -o syslog_name=postfix-out
        -o header_checks=pcre:/etc/postfix/header_checks.out

    127.0.0.1:10587 inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix-out
        -o cleanup_service_name=cleanout
        -o receive_override_options=no_unknown_recipient_checks
        -o mynetworks=127.0.0.1
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o content_filter=
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1000
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        ....

(this is an after-the-filter smtpd, so use the "usual" conf...)

1b) Test this. Use telnet to port 10587 and send some messages.

2) In amavisd-new, add a listener on port 10586 and make it forward mail to
port 10587. In amavisd.conf:

    $inet_socket_port = [10024, 10586];
    $interface_policy{'10586'} = 'MSA';
    $policy_bank{'MSA'} = {
        originating => 1,
        # hand the scanned mail to the after-the-filter smtpd defined above
        forward_method => 'smtp:[127.0.0.1]:10587',
        # bypass_spam_checks_maps => [ 1 ],
        # bypass_banned_checks_maps => [ 1 ],
        # ...
    };

2b) Test this. Use telnet to connect to port 10587...

3) Configure postfix to pass "outbound" mail to port 10587. In main.cf:

    content_filter = amavisfeed:[127.0.0.1]:10586
    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        check_client_access pcre:/etc/postfix/filter_default.pcre
        ...

== filter_default.pcre

    /./     FILTER amavisfeed:[127.0.0.1]:10024

With this, "inbound" mail will reach the check_client_access statement that
makes it use the 10024 content filter. Other mail (inbound) will not reach
this (it is accepted before reject_unauth_destination) and will thus use the
10586 content filter.
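The thread leaves /etc/postfix/header_checks.out itself to the reader. Below is an added example (mine, not code from the thread, from Postfix or from amavisd-new) of a pcre table implementing the two conditions from the quoted post, together with a small Python emulation of how cleanup(8) walks such a table: headers are unfolded into logical lines, each logical line is matched against the rules in order, the first matching rule decides for that line, and the first non-DUNNO action decides for the message. The sample headers are constructed for the test; flag handling is limited to the pcre_table(5) "i" toggle, other flags are not modelled.

```python
import re

# Constructed header_checks table in Postfix pcre: format (example, not the
# thread's). A rule is "/pattern/flags ACTION [text]"; cleanup(8) matches the
# pattern against each logical header line ("Name: value"). DISCARD accepts
# the message at SMTP level but drops it, which is what the quoted post asked for.
HEADER_CHECKS_OUT = r"""
# drop mail that amavisd-new marked as infected or banned
/^X-Amavis-Alert:.*\b(INFECTED|BANNED)\b/   DISCARD amavis alert
# drop mail that amavisd-new (SpamAssassin) flagged as spam
/^X-Spam-Flag:\s*YES\b/                      DISCARD spam flag
"""

# "/pattern/flags ACTION optional text"; an escaped "\/" may appear in pattern.
RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\/|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_header_checks(table):
    """Parse a pcre header_checks table into (compiled_regex, ACTION, text) tuples."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparseable rule: %r" % line)
        # pcre_table(5): matching is case-insensitive by default and each
        # "i" flag toggles that; other flags are ignored in this emulation.
        case_insensitive = True
        for ch in m.group("flags"):
            if ch == "i":
                case_insensitive = not case_insensitive
        regex = re.compile(m.group("pat"), re.IGNORECASE if case_insensitive else 0)
        rules.append((regex, m.group("action").upper(), m.group("text")))
    return rules


def unfold_headers(raw_headers):
    """Join RFC 5322 continuation lines so each element is one logical header."""
    logical = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line:
            logical.append(line)
    return logical


def evaluate(raw_headers, table=HEADER_CHECKS_OUT):
    """Return the (ACTION, text) cleanup(8) would apply to these headers.

    DUNNO ends matching for the current header line only; any other action
    ends matching for the whole message. No match at all yields ("DUNNO", None).
    """
    rules = parse_header_checks(table)
    for header in unfold_headers(raw_headers):
        for regex, action, text in rules:
            if regex.search(header):
                if action == "DUNNO":
                    break
                return action, text
    return "DUNNO", None


# Constructed sample headers (example.test is a reserved test domain).
INFECTED_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.test (Postfix) with ESMTP id CONSTRUCTED0001
From: sender@example.test
To: rcpt@example.test
Subject: invoice
X-Virus-Scanned: amavisd-new at example.test
X-Amavis-Alert: INFECTED, message contains virus:
\tEicar-Test-Signature
X-Spam-Flag: NO
"""

SPAM_HEADERS = """\
From: sender@example.test
To: rcpt@example.test
Subject: *****SPAM***** cheap stuff
X-Virus-Scanned: amavisd-new at example.test
X-Spam-Flag: YES
X-Spam-Score: 12.3
X-Spam-Status: Yes, score=12.3 tagged_above=2 required=6.2
"""

CLEAN_HEADERS = """\
From: sender@example.test
To: rcpt@example.test
Subject: meeting notes
X-Virus-Scanned: amavisd-new at example.test
X-Spam-Flag: NO
X-Spam-Status: No, score=-1.0 tagged_above=2 required=6.2
"""

if __name__ == "__main__":
    for name, hdrs in (("infected", INFECTED_HEADERS), ("spam", SPAM_HEADERS), ("clean", CLEAN_HEADERS)):
        print(name, "->", evaluate(hdrs))
```

Because the table is bound to the dedicated "cleanout" service rather than to the default cleanup, it only ever sees mail that took the 10586 -> 10587 path, so inbound MX mail is not affected by it.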