mouss wrote:
> Roman Medina-Heigl Hernandez wrote:
>> [snip]
>>
>> I'd like to drop email if *any* of the following conditions are met:
>> 1/ "X-Amavis-Alert" *contains* "INFECTED" or "BANNED"
>> 2/ "X-Spam-Flag" *contains* "YES"
>>
>> Regarding your 2nd question, perhaps it's not that easy. I'm currently
>> sharing MX + SMTP functionality (not a good idea, I think, but it's how I
>> set this up years ago). I mean, same port 25 is used for "receiving" mail
>> for a domain (mx) and for "sending" (smtp, with sasl auth, of course). This
>> means that I'm currently analyzing (amavisd-new) both "mx" *and*
>> "smtp/saslauth" traffic (yes, this is suboptimal).
>>
>> So "outgoing" mail (from my server's perspective) could be "mx" mail (being
>> relayed to final mta), or "smtp/saslauth" mail. I don't want both kinds of
>> traffic to be header-filtered, but only the first one (relayed). So I guess
>> the only way is checking for destination domain.
>>
>
> If I understand correctly, you have outbound and inbound mail both using
> port 25, and you want to block outbound using header_checks. by
> "outbound", I mean mail submitted from mynetworks or SASL authenticated.
> if that's right, then you can use different paths for outbound and
> inbound (even if both come via port 25). below is a way to do that.

No, my need is:
1/ permit_mynetworks + SASL -> no amavisd AND no header check
2/ incoming mail to my mailboxes -> amavisd but no header check
3/ incoming mail to be relayed to another MX -> amavisd AND header check!

The problem is how to make the difference between the two last cases. But I
think I could do it using the tricks you described below which are greatly
appreciated (thank you!!!).

> 1) in master.cf, add an smtpd listener on port 10587 and an associated
> cleanup service that uses your header_checks
>
> cleanout unix n - n - 0 cleanup
>     -o syslog_name=postfix-out
>     -o header_checks=pcre:/etc/postfix/header_checks.out
>
> 127.0.0.1:10587 inet n - n - - smtpd
>     -o syslog_name=postfix-out
>     -o cleanup_service_name=cleanout
>     -o receive_override_options=no_unknown_recipient_checks
>     -o mynetworks=127.0.0.1
>     -o smtpd_delay_reject=no
>     -o smtpd_client_restrictions=permit_mynetworks,reject
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o content_filter=
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1000
>     -o smtpd_hard_error_limit=1000
>     -o smtpd_client_connection_count_limit=0
>     -o smtpd_client_connection_rate_limit=0
>     ....
>
> (this is an after-the-filter smtpd, so use the "usual" conf...)
>
> 1b) test this. use telnet to port 10587 and send some messages.
>
> 2) In amavisd-new, add a listener on port 10586 and make it forward mail
> to port 10587. in amavisd.conf:
>
> $inet_socket_port = [10024, 10586];
>
>
> $interface_policy{'10586'} = 'MSA';
> $policy_bank{'MSA'} = {
>     originating => 1,
>
>     forward_method => 'smtp:[127.0.0.1]:10586',

You meant 10587, I guess.

>
>     # bypass_spam_checks_maps => [ 1 ],
>
>     # bypass_banned_checks_maps => [ 1 ],
>
>
>     # ...
> };
>
> 2b) test this. use telnet to connect to port 10587...
>
> 3) configure postfix to pass "outbound" mail to port 10587. in main.cf:
>
> content_filter=amavisfeed:[127.0.0.1]:10586
> smtpd_recipient_restrictions =
>     ...
>     reject_unauth_destination
>     check_client_access pcre:/etc/postfix/filter_default.pcre

In my case, I should use "check_recipient_access", so I could make my choice
based on destination domain.

>     ...
>
>
> == filter_default.pcre
> /./ FILTER amavisfeed:[127.0.0.1]:10024

And then enter here the only domain I'm relaying to, and finally a "catch
all" FILTER for the rest of traffic (which would be delivered to my
mailboxes).

Is there any problem with using FILTER in check_recipient_access? Perhaps
when a single mail has several recipients? If so... any workaround?

Cheers,
-Roman
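
Added example, not part of the thread and not code from either poster: a small Python model of the multi-recipient case asked about above. Per Postfix access(5), a FILTER action affects all recipients of the message, and when several FILTER actions fire only the last one is executed. The domain `relayed.example` and the choice of port 10586 for it are assumptions.

```python
import re

# Constructed map in the style of filter_default.pcre, for use with
# check_recipient_access. relayed.example is a placeholder domain, and
# routing it to port 10586 is an assumption about the intended setup.
RECIPIENT_MAP = r"""
/@relayed\.example$/  FILTER amavisfeed:[127.0.0.1]:10586
/./                   FILTER amavisfeed:[127.0.0.1]:10024
"""

def parse_map(text):
    """Parse '/pattern/ ACTION' lines into (compiled_regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.+)/\s+(.+)$", line)
        if m is None:
            raise ValueError(f"unparsable map line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, rcpt):
    """Within one lookup the first matching pattern wins."""
    for regex, action in rules:
        if regex.search(rcpt):
            return action
    return None

def effective_filter(rules, recipients):
    """FILTER is per message: the last one fired (one lookup per RCPT TO)
    is used for every recipient. Returns (filter, recipients_disagree)."""
    fired = [a.split(None, 1)[1] for a in
             (lookup(rules, r) for r in recipients)
             if a and a.startswith("FILTER ")]
    chosen = fired[-1] if fired else None
    return chosen, len(set(fired)) > 1

if __name__ == "__main__":
    rules = parse_map(RECIPIENT_MAP)
    for rcpts in (["a@relayed.example", "b@local.example"],
                  ["b@local.example", "a@relayed.example"],
                  ["a@relayed.example"]):
        chosen, mixed = effective_filter(rules, rcpts)
        note = "  <- recipients disagree, last RCPT decided" if mixed else ""
        print(f"{rcpts} -> {chosen}{note}")
```

In this model a message addressed to both a relayed and a local recipient takes whichever path the last RCPT TO selected, so the header-checked path is not guaranteed for the relayed recipient.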