--On Monday, October 22, 2012 3:33 PM -0400 Wietse Venema <wie...@porcupine.org> wrote:

One suggestion I can make is to avoid mixing mail streams from
outside with mail streams from inside, before your mail is signed.

For example,

- Use before-queue filters for mail from outside so that you can
  reject mail before it hits the queue.

- Use after-queue filters for mail from inside. Then, your mail
  from "inside" is not affected by the limitation. You can sign it
  with dkim-milter and the like.

Hi Wietse,

As I noted in my original mail, I already use the filters to separate out the streams:

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_originating.re
/^/  FILTER smtp-amavis:[127.0.0.1]:10026

zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_foreign.re
/^/  FILTER smtp-amavis:[127.0.0.1]:10024


So I believe I am already, as you said, diverting the mail into different streams, both of which go to Amavis: originating mail gets directed to amavis on port 10026, and foreign mail goes to amavis on port 10024. That gets me into the entire problem I'm having now. Or am I misunderstanding what you said?

Mail gets re-injected from Amavis to Postfix on port 10025. Then it is signed. The problem is, at that point, Amavis is already done with the mail. So again, I think I'm doing what you suggest, but I can't figure out how to get it to sign the mail via OpenDKIM prior to Amavis processing.

Here's my master.cf again as well:

smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=scan:[127.0.0.1]:10029
465    inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o content_filter=scan:[127.0.0.1]:10029
submission inet n      -       n       -       -       smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_tls_security_level=may
scan      unix  -       -       n       -       10      smtp
   -o smtp_send_xforward_command=yes
   -o disable_mime_output_conversion=yes
   -o smtp_generic_maps=
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
 flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
 user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtp-amavis unix -      -       n       -       10  smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
127.0.0.1:10025 inet n  -       n       -       -  smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_milters=inet:localhost:8465
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o mynetworks=127.0.0.0/8,[::1]/128
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
   -o local_header_rewrite_clients=
[127.0.0.1]:10029 inet n - n - - smtpd
   -o smtpd_milters=inet:localhost:8465


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
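As an added illustration (not code from the thread or from Postfix/Zimbra), the script below parses a shortened copy of the master.cf posted above and reports, for every smtpd listener, which content_filter hands mail on and whether an smtpd_milters override (the DKIM signer on port 8465) applies at that hop. The MASTER_CF sample is a constructed excerpt of the posted file, so the report shows the flow described in the message: port 25 and 465 hand off to the scan transport, and the milter only runs on the 10025/10029 re-injection listeners.

```python
import re

# Constructed excerpt of the master.cf posted above (service lines kept,
# most -o overrides dropped); not a complete or authoritative copy.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=scan:[127.0.0.1]:10029
submission inet n      -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
scan      unix  -       -       n       -       10      smtp
   -o smtp_send_xforward_command=yes
smtp-amavis unix -      -       n       -       10  smtp
   -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -  smtpd
   -o content_filter=
   -o smtpd_milters=inet:localhost:8465
[127.0.0.1]:10029 inet n - n - - smtpd
   -o smtpd_milters=inet:localhost:8465
"""

def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}}. A service line has eight
    fields; a line starting with whitespace continues the previous service,
    and '-o key=value' there records a per-service override."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any service: %r" % raw)
            m = re.match(r"\s*-o\s+([^=]+)=(.*)$", raw)
            if m:  # other continuations (flags=, user=, argv=) are not overrides
                services[current]["opts"][m.group(1).strip()] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "opts": {}}
    return services

def entry_points(services):
    """For each inet smtpd listener: where mail goes next and which milters
    (if any) are applied there; unset overrides fall back to main.cf."""
    report = {}
    for name, svc in services.items():
        if svc["type"] == "inet" and svc["command"] == "smtpd":
            report[name] = {
                "content_filter": svc["opts"].get("content_filter", "(main.cf default)"),
                "milters": svc["opts"].get("smtpd_milters", "(main.cf default)"),
            }
    return report

if __name__ == "__main__":
    for name, hop in entry_points(parse_master_cf(MASTER_CF)).items():
        print("%-20s filter=%-25s milters=%s" % (name, hop["content_filter"], hop["milters"]))
```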
