On 29. 10. 15 14:38, Wietse Venema wrote:
> Marco:
>> Hello all.
>>
>> I have been using Postfix for at least 20 years and I could always find a
>> satisfactory solution to my problems.
>>
>> However I now have an issue with the filtering of the mail headers,
>> as I want to use the headers_check functionality only for e-mails sent
>> to external/Internet addresses. This without the need of creating a
>> number of roles depending on the internal sender, IP, etc. as I have
>> found as hints by googling today (I do support several IPs, domains, etc.).
>>
>> I have one VM dedicated to Postfix and it seems that the only general
>> solution is to create a new Postfix VM, define this as the relayhost and
>> apply the headers_check in this VM that will be used only for Internet
>> outgoing traffic.
>>
>> Is there any other solution that will not need a new VM?
> For external deliveries, Postfix has smtp_header_checks (default:
> empty) which provide a subset of functionality (for example they
> cannot change the delivery with redirect, defer, reject, filter,
> but they can modify content with replace, prepend, ignore, warn).
>
> If you need the defer, reject, filter functionality then that
> requires ordinary header_checks which are available only while
> Postfix receives mail.
>
> Options:
>
> - Re-implement header_checks with a Milter, and apply them only for
> external destinations.
>
> - Use header_checks in a second Postfix instance (or Postfix in a
> VM) for delivering external mail (see MULTI_INSTANCE_README, but
> beware that some distros have broken multi-instance support).
>
> Wietse

Tnx for the input.
I will explore the multi-instance option, even if it is really not unlikely I will create a new VM, as this seems to be easier after a first diagonal reading of the MULTI_INSTANCE_README (and the other problems you mentioned).

A Milter could also be an option in the future, with the target of "sanitizing" the mails by replacing the original header with a new one, ensuring no internal information leakage (i.e. including the bi-directional mapping of the internal message IDs created by the internal mail clients to "public" message IDs).

I'm aware that someone is flagging this type of protection as "security by obscurity". In my opinion this is partially false, as this is not a direct security measure (where security by obscurity is for sure wrong), but instead just a prudent way to make attacks more difficult. I have seen this type of approach in some commercial products (e-mail gateways, etc.) and I'm surprised I have never seen this applied to Postfix.
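
An added sketch, not from the thread and not Postfix or Milter API code, of the sanitizing logic discussed above: strip internal headers and map internally generated message IDs to public ones only when a message has an external recipient, keeping the reverse mapping for replies. The domains, secret, header list, sample message and function names are all assumptions made for this example.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Every value below is an assumption made for this example.
INTERNAL_DOMAINS = {"corp.example"}
PUBLIC_DOMAIN = "mail.example.org"
SECRET = b"constructed-demo-key"
STRIP = {"received", "x-originating-ip", "x-mailer", "user-agent"}
MSGID = re.compile(r"<[^<>\s]+>")
SAMPLE = (  # constructed message
    "Received: from pc17.corp.example (10.1.2.3) by mx.corp.example\n"
    "Message-ID: <abc123@pc17.corp.example>\n"
    "References: <ext-1@partner.example> <old9@pc17.corp.example>\n"
    "User-Agent: ExampleMail 1.0\n"
    "Subject: hello\n\nbody\n"
)

def is_internal(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def public_id(msgid, id_map):
    """Map an internally generated ID to a stable public one; record the reverse."""
    if not is_internal(msgid[1:-1].rpartition("@")[2]):
        return msgid  # generated elsewhere: leave untouched
    tag = hmac.new(SECRET, msgid.encode(), hashlib.sha256).hexdigest()[:24]
    public = f"<{tag}@{PUBLIC_DOMAIN}>"
    id_map[public] = msgid
    return public

def sanitize(raw, recipients, id_map):
    # A filter at reception sees one copy for all recipients, so a single
    # external recipient means everyone receives the sanitized headers.
    if all(is_internal(parseaddr(r)[1].rpartition("@")[2]) for r in recipients):
        return raw
    msg = message_from_string(raw)
    for name in STRIP:
        del msg[name]  # removes every occurrence, no error if absent
    swap = lambda m: public_id(m.group(0), id_map)
    for name in ("Message-ID", "In-Reply-To", "References"):
        if msg[name] is not None:
            msg.replace_header(name, MSGID.sub(swap, msg[name]))
    return msg.as_string()

def restore(public, id_map):
    """Translate a public ID seen in an inbound reply back to the internal one."""
    return id_map.get(public.strip(), public)
```

Because the public ID is an HMAC of the internal one, the same internal ID always maps to the same public ID, so threading on the outside stays intact while the internal host name is not disclosed.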