Hello,

A few months ago I switched my postfix setup from "regular" greylisting to "milter" greylisting, and it appears to have changed a few things about header_checks that I didn't notice until yesterday. My setup uses before-queue content filtering:

    # Before-filter SMTP server. Receive mail from the network and
    # pass it to the content filter on localhost port 10025.
    #
    smtp      inet  n       -       n       -       30      smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o smtpd_client_connection_count_limit=20
        -o smtpd_proxy_ehlo=amavis.at.mydomain
        -o inet_interfaces=159.x.y.y
        -o smtpd_timeout=150
    #
    # After-filter SMTP server. Receive mail from the content filter
    # on localhost port 10025.
    #
    127.0.0.1:10025 inet n  -       n       -       -       smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks
        -o smtpd_milters=

header_checks is configured in main.cf:

    anvil_rate_time_unit = 60s
    anvil_status_update_time = 600s
    empty_address_recipient = MAILER-DAEMON
    header_checks = regexp:/usr/local/etc/postfix/header_checks
    inet_protocols = ipv4
    local_recipient_maps =
    local_transport = local
    mail_owner = postfix
    mailbox_size_limit = 1000000000
    mailq_path = /usr/local/bin/mailq
    message_size_limit = 20480000
    milter_connect_macros = j
    milter_default_action = accept
    milter_protocol = 6
    mydestination = $myhostname localhost.$mydomain my-domain.net
    mydomain = my-domain.fr
    myhostname = mx01.my-domain.fr
    mynetworks_style = host
    myorigin = $myhostname
    newaliases_path = /usr/local/bin/newaliases
    notify_classes = resource,software
    parent_domain_matches_subdomains =
    queue_minfree = 500000000
    recipient_bcc_maps = hash:/usr/local/etc/postfix/recipient_bcc
    relay_domains = $mydomain mail.my-domain.fr my-domain.net
    relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipient_maps
    relay_transport = smtp:[mailgw.my-domain.fr]
    sendmail_path = /usr/local/sbin/sendmail
    setgid_group = maildrop
    smtpd_banner = $myhostname ESMTP
    smtpd_client_connection_count_limit = 30
    smtpd_client_connection_rate_limit = 30
    smtpd_client_event_limit_exceptions = $mynetworks
    smtpd_client_message_rate_limit = 120
    smtpd_client_recipient_rate_limit = 200
    smtpd_error_sleep_time = 0s
    smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
        check_client_access cidr:/usr/local/etc/postfix/client_access_cidr,
        check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
        reject_unlisted_recipient,
        check_client_access hash:/usr/local/etc/postfix/client_access,
        reject_rbl_client zen.dnsbl-local
    smtpd_reject_unlisted_recipient = yes
    smtpd_reject_unlisted_sender = yes
    smtpd_sender_restrictions = reject_unlisted_sender,
        check_sender_access hash:/usr/local/etc/postfix/sender_access
        reject_unknown_sender_domain, reject_non_fqdn_sender, permit
    transport_maps = hash:/usr/local/etc/postfix/transport
    unknown_local_recipient_reject_code = 450
    virtual_alias_maps = hash:/usr/local/etc/postfix/virtual_alias

Yesterday I used header_checks to REJECT a massive phishing email flood, and I noticed that the REJECT action was not triggered on the before-filter smtpd server, but on the after-filter one:

header_check pattern:

    /^From: .*@facturation\.fr/ REJECT PHISHING

postfix/amavisd log:

    Apr 25 14:58:57 mx01 amavis[54935]: (54935-14) (!)FWD from <prvs=1827ead847=serv...@facturation.fr> -> <foo....@my-domain.fr>,BODY=7BIT 550 5.7.1 from MTA(smtp:[127.0.0.1]:10025): 550 5.7.1 PHISHING
    Apr 25 14:58:57 mx01 amavis[54935]: (54935-14) Blocked MTA-BLOCKED {RejectedInbound}, [193.48.137.241]:5139 [121.121.13.129] <prvs=1827ead847=serv...@facturation.fr> -> <foo....@my-domain.fr>, Message-ID: <IKPGSMTP2miR9Odutox0000d8ee@IKPGSMTP2>, mail_id: GCSs1t7iZJpQ, Hits: -1.869, size: 41142, 2260 ms
    Apr 25 14:58:57 mx01 postfix/smtpd[56053]: proxy-reject: END-OF-MESSAGE: 550 5.7.1 id=54935-14 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 550 5.7.1 PHISHING; from=<prvs=1827ead847=serv...@facturation.fr> to=<foo....@my-domain.fr> proto=ESMTP helo=<cumulus.mom.fr>

It appears that the message enters the front smtpd, passes greylist (after due retry), passes the antispam filters, but fails to enter the back smtpd thanks to header_checks. I might have missed something here, but shouldn't header_checks REJECT the message before smtpd_milter inspection? Or at least before smtpd_proxy_filter?

regards,
Patrick
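The usual way to check what a header_checks entry will do to a given header line is `postmap -q "From: ..." regexp:/usr/local/etc/postfix/header_checks`. As an offline stand-in, the following is an added example (not Postfix code and not from the post) that emulates the regexp table lookup with the pattern quoted above, run over constructed headers; the addresses, the `LOOKALIKE` message and the anchored variant of the pattern are assumptions for illustration.

```python
import re

# Emulation of a Postfix regexp: header_checks table (added example, not Postfix code).
# Postfix regexp tables are case-insensitive by default, the first matching entry
# wins, and every header line is looked up on its own.
HEADER_CHECKS = [
    (r"^From: .*@facturation\.fr", "REJECT PHISHING"),  # the pattern from the post
]

# Tighter variant (assumption, not from the post): require the domain to end right
# after ".fr", so a look-alike such as facturation.fr.example is not matched.
HEADER_CHECKS_ANCHORED = [
    (r"^From: .*@facturation\.fr(>|\s|$)", "REJECT PHISHING"),
]

def compile_table(entries):
    return [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in entries]

def lookup(table, header_line):
    """First matching action for one header line, like `postmap -q`, or None."""
    for rx, action in table:
        if rx.search(header_line):
            return action
    return None

def check_headers(table, headers):
    """Scan header lines in order; return (line, action) of the first REJECT/DISCARD."""
    for line in headers:
        action = lookup(table, line)
        if action and action.split()[0] in ("REJECT", "DISCARD"):
            return line, action
    return None, None

# Constructed sample headers (modelled on the log in the post, addresses invented).
PHISH = [
    "Received: from cumulus.mom.fr by mx01.my-domain.fr",
    "From: Facturation <service@facturation.fr>",
    "Subject: Votre facture",
]
LOOKALIKE = [
    "From: Billing <service@facturation.fr.example>",  # different registrable domain
]

if __name__ == "__main__":
    print(check_headers(compile_table(HEADER_CHECKS), PHISH))
    print(check_headers(compile_table(HEADER_CHECKS), LOOKALIKE))
    print(check_headers(compile_table(HEADER_CHECKS_ANCHORED), LOOKALIKE))
```

Note that in Postfix these checks are applied by cleanup(8) when the message is written to the queue, which is why a REJECT from header_checks is only seen on the smtpd instance that actually queues the message.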