On 8/27/2012 7:56 AM, an...@isac.gov.in wrote:
>
> ----- Message from an...@isac.gov.in ---------
>     Date: Sat, 25 Aug 2012 15:50:33 +0530
>     From: an...@isac.gov.in
>  Subject: Re: exceptions for smtpd_end_of_data_restrictions
>       To: postfix-users@postfix.org
>
>
>> ----- Message from Noel Jones <njo...@megan.vbhcs.org> ---------
>>     Date: Fri, 24 Aug 2012 23:49:25 -0500
>>     From: Noel Jones <njo...@megan.vbhcs.org>
>> Reply-To: postfix users <postfix-users@postfix.org>
>>  Subject: Re: exceptions for smtpd_end_of_data_restrictions
>>       To: postfix-users@postfix.org
>>
>>
>>> On 8/24/2012 11:10 PM, an...@isac.gov.in wrote:
>>>>
>>>> ----- Message from Noel Jones <njo...@megan.vbhcs.org> ---------
>>>>     Date: Wed, 22 Aug 2012 06:31:10 -0500
>>>>     From: Noel Jones <njo...@megan.vbhcs.org>
>>>> Reply-To: postfix users <postfix-users@postfix.org>
>>>>  Subject: Re: exceptions for smtpd_end_of_data_restrictions
>>>>       To: postfix-users@postfix.org
>>>>
>>>>
>>>>> On 8/22/2012 2:14 AM, an...@isac.gov.in wrote:
>>>>>> Dear List,
>>>>>>
>>>>>> I have this in my main.cf
>>>>>>
>>>>>> smtpd_end_of_data_restrictions =
>>>>>>     check_policy_service inet:127.0.0.1:9998
>>>>>>
>>>>>>
>>>>>> This basically checks for mail size and allows/not allows a mail
>>>>>> based on contents of a file.
>>>>>>
>>>>>> Is there a way to say, not to use this policy service, based on
>>>>>> some headers of a mail?
>>>>>>
>>>>>
>>>>>
>>>>> You can skip the policy based on envelope information by using a
>>>>> check_*_access map before the policy check. You could also likely
>>>>> do this inside the policy server itself.
>>>>>
>>>>> You cannot skip it based on headers.
>>>>>
>>>>>
>>>>>
>>>>> -- Noel Jones
>>>>
>>>>
>>>>
>>>> Thanks for your inputs. You are all experts, please share some
>>>> ideas with me to solve my problem. I have described the
>>>> requirement in detail as below.
>>>>
>>>> Let me explain my current setup and my real requirement.
>>>>
>>>> I have a front end for accessing and sending mail (say server A).
>>>> All mails sent from this (server A) are directed to another server
>>>> (say server B) for virus/spam check using Amavisd. If the mails
>>>> are addressed to any internet domain other than ours, mails get
>>>> forwarded to Server C, else mails are delivered locally.
>>>>
>>>> A (Front End Mail) -> B (Virus/Spam scanner) -> C (for delivering to Internet).
>>>>
>>>> At server B (for local delivery of mails) we have a size limit of
>>>> 30 MB.
>>>>
>>>> At Server C (for delivery to Internet) we have a size limit of 30
>>>> MB, but using policyd feature of Postfix (at
>>>> smtpd_end_of_data_restrictions), by default we are restricting to 2
>>>> MB and based on the contents of a data file (which is manually
>>>> edited as and when required) which contains Sender address and
>>>> allowed size, mails get delivered to outside domains having
>>>> higher size.
>>>>
>>>> Now, I have been asked to develop another front end at same level
>>>> as Server A (say server D), to enable users to send mails of large
>>>> size to Internet users, such that, once a mail is composed and
>>>> submitted for approval, based on the content, I can approve or
>>>> disapprove. Once approved, it should go through Server B and
>>>> finally server C to get delivered to outside domains.
>>>>
>>>> My problem lies at Server C where I am running a policy for sending
>>>> outside mails. How can that mail be allowed without even looking
>>>> at policy (exception for policy)?
>>>>
>>>> Please provide guidance or any other alternative strategy to
>>>> achieve the requirement. But it is a must that mail should go
>>>> through the virus scan.
>>>>
>>>> Regards,
>>>> Anant.
>>>>
>>>
>>>
>>> Have D submit mail to a dedicated amavisd port on B, which can then
>>> submit to a separate port on C with no policy.
>>>
>>> See amavisd docs about listening on multiple ports, policy banks,
>>> etc.
>>>
>>> For the postfix changes on C, the lazy solution is set up another
>>> smtpd listener in master.cf with empty
>>> smtpd_end_of_data_restrictions; the better full-featured solution is
>>> a separate postfix instance giving full control with separate queue,
>>> logging, and stats.
>>>
>>>
>>>
>>> -- Noel Jones
>>
>>
>> Thanks. I think this is the only option. I need to work on
>> this. Thanks.
>>
>> Regards,
>> Anant.
>>
>
>
> Dear Noel Jones,
>
> I was just browsing through the net and found the following link
>
> http://marcelog.github.com/articles/configure_postfix_forward_email_regex_subject_transport_relay.html
>
>
> In my setup, I have different queue setup already for incoming and
> outgoing in Server C. My policy runs on outgoing queue.
>
> If I setup another queue on server C, say 'highersizequeue'. And
> in outgoing main.cf, I add header check for some specific header and
> based on that header, I relay that mail to newly created queue
> (highersizequeue).
> That could work.
>
> Is this solution advisable? If you say No, I would stick to your
> earlier suggested option.

As a general rule, routing decisions shouldn't be based on headers.
You'll need to ensure that you do not unintentionally match the
wrong header. Even experts fat-finger regexp; it's harder than it
looks.

I think the separate ports discussed earlier is a better and safer
solution. There is much less possibility of unintended routing that
way.


  -- Noel Jones
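
The unintended-match risk raised in the reply above, as an added example that is not part of the original thread: a simplified Python model of a first-match regexp header table (not Postfix itself), comparing a loosely written pattern with an anchored one. The header name X-Large-Approved and the sample messages are constructed for illustration; highersizequeue is the queue name from the question.

```python
import re

# Simplified model of a regexp header table: every header line is searched
# against the patterns in order and the first match decides the action.
# Postfix regexp tables match case-insensitively and unanchored by default.
# X-Large-Approved is a hypothetical header name used only for this example.
ACTION = "highersizequeue"
LOOSE = [(re.compile(r"X-Large-Approved: yes", re.I), ACTION)]
STRICT = [(re.compile(r"^X-Large-Approved:\s*yes\s*$", re.I), ACTION)]

# Constructed sample messages (headers only).
APPROVED = [
    "From: user@example.org",
    "Subject: design drawings",
    "X-Large-Approved: yes",
]
REPLY = [
    "From: helpdesk@example.org",
    "Subject: Re: do I need X-Large-Approved: yes for 5 MB?",
]
LOOKALIKE = [
    "From: user@example.org",
    "X-Old-X-Large-Approved: yes",
    "Subject: test",
]

def matching_headers(headers, table):
    """Return the header lines on which the table fires."""
    hits = []
    for line in headers:
        for pattern, _action in table:
            if pattern.search(line):
                hits.append(line)
                break
    return hits

def rerouted(headers, table):
    """True if any header would send the message to highersizequeue."""
    return bool(matching_headers(headers, table))

if __name__ == "__main__":
    for name, msg in [("approved", APPROVED), ("reply", REPLY), ("lookalike", LOOKALIKE)]:
        print(name, "loose:", rerouted(msg, LOOSE), "strict:", rerouted(msg, STRICT))
```

The loose pattern reroutes all three messages, including a reply that only mentions the header in its Subject; the anchored pattern fires on the intended header alone.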