On 2021-11-05 09:36 Dominic Raferd wrote:
> Why permit auth connections on port 25? Restrict them to 587 and/or
> 465 then you can specify subject rewriting for (all) mails arriving
> via port 25. (And you can use postscreen on port 25.)

Yeah, it would be a very clean solution. However, we have many SMTP
clients already configured to authenticate on port 25 and so I can not
blindly use the connection port to identify to-be-tagged messages.

> Presumably you are not concerned that rewriting subjects will break
> DKIM/DMARC?

No, it is not an issue at the moment. But thanks for the advice, it should be
considered a significant issue indeed. Let me only say I am *strongly*
against this subject rewrite and/or disclaimer adding policy, and I hope
management recognizes they are useless to avoid phishing...

> If you have the option, better to use pcre: than regex:.

Sure, regexp was only for a quick test.

Today I was able to get it working - hopefully correctly - in a test
environment. I edited my configuration files as follows:

# main.cf
# auth clients are immediately permitted, all other messages are FILTERed
smtpd_client_restrictions = permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/custom

# master.cf
# secondary smtpd and cleanup process
# disable milters to avoid double spam check
127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_client_restrictions=
    -o smtpd_milters=
    -o cleanup_service_name=mycleanup
mycleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/rewrite

# custom
# all unauth messages are FILTERed
/.*/ FILTER smtp:127.0.0.1:10025

# rewrite
# only add tag if it is not already present
# brackets are escaped so that [EXTERNAL] matches literally, not as a character class
# no "i" flag: matching is case-insensitive by default and "i" toggles that off
if !/^Subject: .*\[EXTERNAL\].*/
/^Subject: (.+)$/ REPLACE Subject: [EXTERNAL] $1
endif

Do you see some grossly wrong config?
Regards.
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.da...@assyoma.it - i...@assyoma.it
GPG public key ID: FF5F32A8
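
In a header_checks pattern, unescaped square brackets form a character class, so a guard meant to detect the literal tag [EXTERNAL] has to escape them. The following is an added example, not part of the original message: it models the if/endif rewrite with Python's re module (assumed to behave like Postfix regexp: tables for these patterns) over constructed sample headers; the function names are hypothetical.

```python
import re

# Guard with unescaped brackets: [EXTERNAL] is a character class that
# matches any ONE of the letters E, X, T, R, N, A, L.
GUARD_CHARCLASS = re.compile(r"^Subject: .*[EXTERNAL].*", re.I)
# Guard with escaped brackets: matches only the literal tag "[EXTERNAL]".
GUARD_LITERAL = re.compile(r"^Subject: .*\[EXTERNAL\].*", re.I)
# Rewrite rule: REPLACE Subject: [EXTERNAL] $1
REWRITE = re.compile(r"^Subject: (.+)$", re.I)

# Constructed sample headers (not taken from real mail).
SAMPLE_HEADERS = [
    "Subject: Invoice overdue",
    "Subject: Re: [EXTERNAL] Meeting",
    "Subject: 2021-11-05 #42",
    "Subject: Password reset",
    "Date: Fri, 5 Nov 2021 09:36:00 +0100",
]


def apply_rewrite(header, guard):
    """Model 'if !/guard/ ... REPLACE ... endif' for a single header line."""
    if guard.search(header):
        return header  # guard matched, so the negated if-block is skipped
    m = REWRITE.match(header)
    if m:
        return f"Subject: [EXTERNAL] {m.group(1)}"
    return header  # not a Subject header


def untagged(headers, guard):
    """Subject headers that pass through without the literal tag."""
    return [
        h for h in headers
        if REWRITE.match(h)
        and "[EXTERNAL]" not in apply_rewrite(h, guard).upper()
    ]


if __name__ == "__main__":
    for name, guard in (("char class", GUARD_CHARCLASS),
                        ("literal", GUARD_LITERAL)):
        print(name, "guard leaves untagged:", untagged(SAMPLE_HEADERS, guard))
```

On a live system, `postmap -q "Subject: test" regexp:/etc/postfix/rewrite` queries the table directly with Postfix's own regex engine.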