I'm trying to write a simple header_check rule and seeing inconsistent results between testing with "postmap -q" and postfix processing an incoming message. We need to match header lines with a specific SFV value and match the domain of the message recipient. Here are the relevant parts of the config from our test host:

main.cf (excerpt):
---------------------------------------------------------
header_checks = regexp:/etc/postfix/header_checks

header_checks:
---------------------------------------------------------
/^subject:/ WARN
/^X-Forefront-Antispam-Report:.*SFV:(SPM|SKS|SKB).*to=<.*@ms2019.mobility-lab.com>/ WARN It's working
/^X-Forefront-Antispam-Report:.*SFV:(SPM|SKS|SKB)/ WARN fall through rule match

/tmp/headerline.txt (sample header line)
---------------------------------------------------------
X-Forefront-Antispam-Report:??CIP:144.188.130.206;CTRY:US;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:relay2.mobility-lab.com;PTR:lab-144-188-130-206.reverse.mobility-lab.com;CAT:HSPM;SFS:(13230001)(218001); from mail-mw2nam12lp2049.outbound.protection.outlook.com[104.47.66.49]; from=<test...@ms2016.mobility-lab.com> to=<er...@ms2019.mobility-lab.com> proto=ESMTP helo=<NAM12-MW2-obe.outbound.protection.outlook.com>

With this config in place, when I use the postmap query option to test, I receive the expected result. The second header_checks line matches and returns the "It's working" warning:

[root@relay1 ~]# postmap -q - regexp:/etc/postfix/header_checks < /tmp/headerline.txt
X-Forefront-Antispam-Report:??CIP:144.188.130.206;CTRY:US;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:relay2.mobility-lab.com;PTR:lab-144-188-130-206.reverse.mobility-lab.com;CAT:HSPM;SFS:(13230001)(218001); from mail-mw2nam12lp2049.outbound.protection.outlook.com[104.47.66.49]; from=<test...@ms2016.mobility-lab.com> to=<er...@ms2019.mobility-lab.com> proto=ESMTP helo=<NAM12-MW2-obe.outbound.protection.outlook.com> WARN It's working
[root@relay1 ~]#

However, when I send a test message through the system and watch the logs, the third line, "fall through rule", matches, implying that the "It's working" rule does not match:

[root@relay1 ~]# tail -f /var/log/maillog | grep warning
Feb 10 15:48:21 relay1 postfix/cleanup[6626]: C680C628D87E: warning: header Subject: test Thu, 10 Feb 2022 14:39:35 -0600 from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]; from=<test...@ms2016.mobility-lab.com> to=<er...@ms2019.mobility-lab.com> proto=ESMTP helo=<NAM11-DM6-obe.outbound.protection.outlook.com>
Feb 10 15:48:21 relay1 postfix/cleanup[6626]: C680C628D87E: warning: header X-Forefront-Antispam-Report:??CIP:144.188.130.206;CTRY:US;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:relay2.mobility-lab.com;PTR:lab-144-188-130-206.reverse.mobility-lab.com;CAT:HSPM;SFS:(13230001)(218001); from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]; from=<test...@ms2016.mobility-lab.com> to=<er...@ms2019.mobility-lab.com> proto=ESMTP helo=<NAM11-DM6-obe.outbound.protection.outlook.com>: fall through rule match
^C
[root@relay1 ~]#

Can you please help explain why there is a discrepancy between the two operations?
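
An added example, not part of the original post: a Python re-creation of the first-match lookup over the three rules above, run once against a header followed by the "from host[ip]; from=<...> to=<...> proto=... helo=<...>" trailer and once against the header alone. It assumes that trailer is context Postfix cleanup appends when it logs a header_checks WARN (it also follows the Subject warning in the log above) rather than text of the header that header_checks examines; the header value, host, IP and addresses in the sample are constructed, and Python's re stands in for Postfix's POSIX regexp matching.

```python
import re

# The three header_checks rules from the post, in file order. Postfix regexp:
# tables match case-insensitively by default and the first matching rule wins.
RULES = [
    (r"^subject:", "WARN"),
    (r"^X-Forefront-Antispam-Report:.*SFV:(SPM|SKS|SKB)"
     r".*to=<.*@ms2019.mobility-lab.com>", "WARN It's working"),
    (r"^X-Forefront-Antispam-Report:.*SFV:(SPM|SKS|SKB)",
     "WARN fall through rule match"),
]

def lookup(line, rules=RULES):
    """Return the action of the first rule that matches line, or None."""
    for pattern, action in rules:
        if re.search(pattern, line, re.IGNORECASE):
            return action
    return None

def split_log_context(text):
    """Split logged warning text into (header, context) at ' from host[ip]; from=<'."""
    m = re.search(r" from \S+\[[^\]]+\]; from=<", text)
    if m is None:
        return text, ""
    return text[:m.start()], text[m.start() + 1:]

# Constructed sample: a shortened header in the shape of the one in the post,
# and a log-context trailer with placeholder host, IP and mailbox names.
HEADER = ("X-Forefront-Antispam-Report: CIP:144.188.130.206;CTRY:US;LANG:en;"
          "SCL:7;SRV:;IPV:NLI;SFV:SPM;H:relay2.mobility-lab.com;CAT:HSPM;")
CONTEXT = ("from mail.example.net[192.0.2.10]; "
           "from=<sender@ms2016.mobility-lab.com> "
           "to=<rcpt@ms2019.mobility-lab.com> proto=ESMTP helo=<mail.example.net>")

if __name__ == "__main__":
    logged = HEADER + " " + CONTEXT
    header_only, context = split_log_context(logged)
    # Input shaped like /tmp/headerline.txt: the trailer is part of the key.
    print("header + log context:", lookup(logged))
    # Input shaped like the header alone: no to=<...> for rule 2 to match.
    print("header only         :", lookup(header_only))
```

To test a rule against what header_checks receives, feed postmap -q the header line without the logging trailer.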