Re: Question about ordering of checks

  • mouss
    Message 1 of 2, Apr 29 7:18 AM
      Kurt Lieber wrote:
      > Currently, we every message that comes in to postfix through
      > amavisd-new using:
      >
      > content_filter=smtp-amavis:[127.0.0.1]:10024
      >
      > I'd like to reduce the amount of amavisd traffic for load reasons, so
      > I'd like to move to something similar to the suggestion found in
      > http://www.ijs.si/software/amavisd/amavisd-new-magdeburg-20050519.pdf,
      > which is to bypass filtering for some subnets.
      >
      > My question:
      >
      > Currently, smtpd_recipient_restrictions looks like:
      >
      > smtpd_recipient_restrictions =
      >     permit_sasl_authenticated
      >     permit_mynetworks
      >     reject_invalid_hostname
      >     reject_non_fqdn_hostname
      >     reject_non_fqdn_recipient
      >     reject_non_fqdn_sender
      >     reject_unknown_sender_domain
      >     reject_unknown_recipient_domain
      >     reject_unauth_destination
      >     check_sender_mx_access cidr:/etc/postfix/bogus_mx_records
      >     check_helo_access pcre:/etc/postfix/helo_checks
      >     reject_unverified_sender
      >     permit
      >
      >
      > I want to place a lookup (check_client_access
      > cidr:/etc/postfix/filter.cidr) in that list. The contents of the file
      > will be similar to:
      >
      > 123.123.123.123 DUNNO
      > 321.321.321.321 DUNNO
      >
      > 0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10024
      > ::/0 FILTER smtp-amavis:[127.0.0.1]:10024
      >
      > If I put that lookup before the reject_invalid_hostname, does that
      > mean that all mail (including that which would have otherwise been
      > caught by the subsequent reject lookup) will still go through amavisd?

      No. FILTER does not skip other checks. It just sets the filter to use. So

          check_client_access cidr:$dir/per_client_filter
          reject

      will reject all mail. In short, you can put the filter selection check
      at the top of your restrictions, provided that you never use OK as a
      result, as OK accepts the mail and further checks won't be performed.
      This also means that if FILTER is found twice for a single message
      (multiple FILTER statements in access maps, or additional FILTER statements
      in header/body checks), then the last FILTER statement prevails. This also
      explains why per-recipient FILTER doesn't work as intended in the case
      of multi-recipient mail.

      Here is a _slightly_ modified version of your checks:

      smtpd_recipient_restrictions =
          ## set the filter for authenticated users
          check_client_access pcre:/etc/postfix/maps/pcre/sasl_filter
          ## allow authenticated users
          permit_sasl_authenticated
          ## set the filter for mynetworks
          check_client_access pcre:/etc/postfix/maps/pcre/mynetworks_filter
          ## allow mynetworks
          permit_mynetworks
          ## reject relay
          reject_unauth_destination
          ## set per client filter
          check_client_access cidr:/etc/postfix/maps/cidr/per_client_filter
          ## require valid addresses
          reject_non_fqdn_recipient
          reject_non_fqdn_sender
          ## require valid helo
          reject_invalid_hostname
          ## WARNING: the following will block legitimate mail from
          ## misconfigured clients
          reject_non_fqdn_hostname
          ## reject senders with a bogus MX
          check_sender_mx_access cidr:/etc/postfix/bogus_mx_records
          ## reject senders with a domain that does not resolve
          reject_unknown_sender_domain
          ## custom helo checks
          check_helo_access pcre:/etc/postfix/helo_checks
          ## DNSBL checks
          #reject_rbl_client sbl-xbl.spamhaus.org
          ## WARNING: address verification is too "strong".
          ## This may get you blocked for "gratuitous" probes.
          ## It is better to do it on a per sender domain basis, via a
          ## check_sender_access map
          reject_unverified_sender

      where sasl_filter contains something like:

          /./ FILTER clamsmtp:[127.0.0.1]:10586

      mynetworks_filter contains a similar thing:

          /./ FILTER clamsmtp:[127.0.0.1]:10586

      You can use a different filter for authenticated users and for
      mynetworks, but this is rarely used. If you don't need this, just remove
      the line with mynetworks_filter in smtpd_recipient_restrictions.

      You can then run clamsmtp on port 10586 to filter for viruses but not for
      spam, and configure it to forward mail to 10587 or 10025, where you have
      an smtpd listening.
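The evaluation rules the reply relies on (FILTER records a content filter and keeps going, DUNNO keeps going, OK accepts and stops, REJECT stops, and the last FILTER seen wins) can be checked with a small model of a restriction list. The following is an added toy simulation, not Postfix code and not anything posted in this thread: the restriction functions, the `decide` helper and the cidr tables are hypothetical stand-ins, and the addresses are constructed documentation ranges. It shows that a filter selection placed before a reject check still lets the reject happen, that an OK in the table short-circuits later checks, and that a later FILTER overrides an earlier one.

```python
import ipaddress

# Constructed cidr table in the spirit of the question's filter.cidr
# (documentation address ranges, not real hosts). First match wins,
# as in Postfix cidr: tables.
FILTER_CIDR = [
    ("192.0.2.10/32", "DUNNO"),      # exempt host: no filter, keep checking
    ("198.51.100.0/24", "DUNNO"),    # exempt subnet
    ("0.0.0.0/0", "FILTER smtp-amavis:[127.0.0.1]:10024"),  # everyone else
]

# Constructed table that uses OK instead of DUNNO, to show why the reply
# warns against it: OK accepts the mail and stops evaluation.
OK_CIDR = [
    ("198.51.100.0/24", "OK"),
    ("0.0.0.0/0", "FILTER smtp-amavis:[127.0.0.1]:10024"),
]


def cidr_lookup(table, client_ip):
    """Return the action of the first network that contains client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in table:
        if ip in ipaddress.ip_network(net, strict=False):
            return action
    return None


def evaluate(restrictions, session):
    """Walk the restriction list in order; return (verdict, selected_filter).

    Rules modelled from the reply: DUNNO and 'no opinion' (None) continue,
    FILTER records the filter and continues (a later FILTER overrides an
    earlier one), OK accepts and stops, REJECT stops. Reaching the end of
    the list accepts, as the trailing 'permit' in the question does.
    """
    selected = None
    for restriction in restrictions:
        action = restriction(session)
        if action is None or action == "DUNNO":
            continue
        if action.startswith("FILTER "):
            selected = action.split(" ", 1)[1]
            continue
        if action == "OK":
            return "accept", selected
        if action.startswith("REJECT"):
            return action, selected
        raise ValueError(f"unsupported action: {action!r}")
    return "accept", selected


# Hypothetical stand-ins for the real restrictions named in the thread.
def check_client_access(table):
    return lambda s: cidr_lookup(table, s["client_ip"])


def reject_invalid_hostname(s):
    """Crude HELO syntax check: rejects empty names, spaces, leading dots."""
    helo = s["helo"]
    if not helo or " " in helo or helo.startswith("."):
        return "REJECT invalid HELO hostname"
    return None


def permit(s):
    return "OK"


def decide(client_ip, helo, table=FILTER_CIDR):
    """Filter selection first, then a reject check, then the final permit."""
    restrictions = [check_client_access(table), reject_invalid_hostname, permit]
    return evaluate(restrictions, {"client_ip": client_ip, "helo": helo})


if __name__ == "__main__":
    for ip, helo in [("203.0.113.5", "bad helo"),
                     ("203.0.113.5", "mx.example.org"),
                     ("192.0.2.10", "mx.example.org")]:
        print(ip, helo, "->", decide(ip, helo))
```

With the FILTER table, a client with a bad HELO is still rejected even though the filter was already selected, an exempt client is accepted with no filter, and everyone else is accepted with amavisd selected; with the OK table, the exempt subnet is accepted before the HELO check ever runs, which is the trap the reply describes.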