Jose Borges Ferreira:
> On Mon, Oct 21, 2013 at 4:40 PM, Wietse Venema <wie...@porcupine.org> wrote:
> > I don't have time for that full analysis, but it looks like
> > internal_mail_filter_classes=bounce can be safe (more on that at
> > the end of this email).
>
> So, can I assume that is safe as long as the Milter server don't block
> the email ?
internal_mail_filter_classes enables content inspection with both
Milters and header/body_checks. As long as all those content
inspectors are also used while receiving mail, and as long as none
of those content inspectors blocks stuff that appears only in bounces
generated by Postfix itself, then "internal_mail_filter_classes=bounce"
should be safe, i.e. should not result result in the loss of mail.
> > Why would one want to turn on header checks when all you want is
> > to sign mail with a Milter? internal_mail_filter_classes needs
> > to be replaced by a tool that is more precise.
>
> You stated that passing bounces throught a Milter is unsafe because it
> could be blocked.
No. I stated that filtering bounces GENERATED BY POSTFIX ITSELF is
unsafe because blocking those would result in the loss of mail.
This is unsafe in principle, until it can be shown that it is safe
to use for certain use cases. I think I have outlined such a use
case above. I also think that the need for such an analysis shows
that the feature is not optimally designed. Postfix should be easy
to use safely, and hard to use incorrectly.
> The header_check was only an example on how someone could block
> bounces regardless of the Milter.
The discussion is about internal_mail_filter_classes, and enabling
Milters and header/body_checks for bounce messages generated by
Postfix itself. The discussion of header_checks is appropriate
where there is concern about loss of mail.
Wietse
