Hello,

We are using postfix as a central email relay that forwards to an external
provider for trusted sending to our customers. Centralising this relay is a
must to limit the distribution of sasl creds required for sending to our
external provider. We have several products, each with dev, staging and
production environments and each with their own defined Class A address
ranges (10.0.0.0/16). Every server has an FQDN which makes email sent to
accounts such as 'root' from CRON easy to filter -
"To: root@$host.app-environment.local".

From reading through the header_checks doc this seems like the best place
to do conditional filtering, but, per the doc, you can not filter on From:
To: Message-ID: Date:; the former two are of most use. It looks like I can
filter on ^Received:.*10\.0\.\d{1,3}\.\d{1,3}, but this is not enough.

For brevity's sake in the following I am omitting the actual regex, but
from quite a lot of testing and using
'postmap -q - pcre:/etc/postfix/header_checks </tmp/test-email' I can see
that the rule set "should" work.

What we wish to achieve (with pcre because it's more efficient):


if /^Received:.*PRODUCT_IP_RANGE_REGEX/
/^Received:.*DEV_IP_REGEX/ REDIRECT dev.em...@our.domain.name
/^Received:.*STAGING_IP_REGEX/ REDIRECT staging.em...@our.domain.name
# /PRODUCTION_IP_REGEX/ should be permitted to be sent to our external provider
# Other rules for a specific product that we do not wish to apply to other products should also go here.
endif

/^To:.*\.local$/ REDIRECT devnull@localhost.
/^To:.*\.internal$/ REDIRECT devnull@localhost.
/^Received:/ IGNORE


But:
1) As soon as a redirect is actioned the "To: local" at the bottom doesn't
work; but the "To: local" does catch and redirect email that was not
matched and redirected inside of the "production_ip_range" if/endif
2) If I put the "To: local" filter at the top, it does REDIRECT, but then
the IP range regex overrides it, which I see is the intended behaviour
noted in the docs and why we put the .local catch at the bottom.
3) As soon as REDIRECT has been actioned once I can no longer match on ^To:
or even just ".*To.*".


I have pretty much exhausted my Search Fu and am beginning to think that
this is simply not possible. Is anyone able to confirm that I'm crazy and
this is indeed not possible, or is there something I am missing?


Regards,


Phil
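
As an added example that is not part of the original post: a small Python model of how a header_checks table laid out like the one above is evaluated, assuming the documented behaviour (one lookup per logical header, first matching rule wins, the last REDIRECT to fire wins). The 10.1.x ranges, the example.invalid addresses and the sample message are constructed placeholders; this is a model for reasoning about rule order, not Postfix code.

```python
import re

# Constructed table in the post's layout; ranges and addresses are placeholders.
RULES = [
    ("if", r"^Received:.*10\.1\.\d{1,3}\.\d{1,3}"),
    (r"^Received:.*10\.1\.1\.\d{1,3}", "REDIRECT dev@example.invalid"),
    (r"^Received:.*10\.1\.2\.\d{1,3}", "REDIRECT staging@example.invalid"),
    ("endif", None),
    (r"^To:.*\.local$", "REDIRECT devnull@localhost"),
    (r"^Received:", "IGNORE"),
]
FLAGS = re.I | re.S  # pcre_table defaults: case-insensitive, dot matches newline

def logical_headers(raw):
    """Split the header section so folded lines stay in one lookup key."""
    return re.split(r"\n(?![ \t])", raw.split("\n\n", 1)[0])

def lookup(header):
    """Return the action of the first rule matching this one header."""
    skip = 0  # depth of if-blocks currently being skipped
    for pattern, action in RULES:
        if pattern == "endif":
            skip = max(skip - 1, 0)
        elif pattern == "if":
            if skip or not re.search(action, header, FLAGS):
                skip += 1
        elif not skip and re.search(pattern, header, FLAGS):
            return action
    return None

def process(raw):
    """One lookup per logical header; a later REDIRECT replaces an earlier one."""
    redirect, kept = None, []
    for header in logical_headers(raw):
        action = lookup(header) or ""
        if action.startswith("REDIRECT "):
            redirect = action.split(None, 1)[1]
        if action != "IGNORE":
            kept.append(header)  # IGNORE deletes the header from the message
    return redirect, kept

# Constructed cron mail from a host in the placeholder dev range.
DEV_MAIL = ("Received: from web1.app-dev.local (web1.app-dev.local\n"
            "\t[10.1.1.25]) by relay.example.invalid\n"
            "To: root@web1.app-dev.local\nSubject: Cron\n\nbody\n")

if __name__ == "__main__":
    print(process(DEV_MAIL))
```

In this model a folded Received header looked up line by line, rather than as one logical header, misses the IP-range rules and falls through to IGNORE; postmap's -h option makes '-q -' treat its input as message headers.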
