
RE: smtpd_proxy_filter by size

  • Noel Jones
    Message 1 of 7 , Dec 2, 2007
      It's not possible to select a proxy based on some message property.

      Postfix must open the proxy *first*, before any message property is known.

      Perhaps you can configure your proxy to stop scanning (just pass transparently) after some byte limit.

      --
      Noel Jones

      -----Original Message-----
      From: "C. Vorwerk" <list-user@...>
      To: postfix-users@...
      Sent: 12/2/07 10:59 AM
      Subject: smtpd_proxy_filter by size

      Hello,

      I am just about to move from exim to postfix. Though I liked exim, I missed
      some capabilities needed for the cyrus back end.

      Now I have set up a test system with smtpd_proxy_filter clamsmtp for denying
      virus and phishing mails before completely accepting them. I know about the
      problem of getting too much load on the system caused by too many virus
      checks, but I don't like handling viruses for my users, making
      quarantines or the like.
      To limit this problem, I would like to limit the checking to mails with
      a size of about 500kb by the smtpd_proxy_filter and check mails above
      this to about 10mb again in a content_filter. I already set this up. But
      I didn't find a way for the limit to be handled by postfix. I know I can set
      up two instances of clamavd and set at least the upper limit. The
      problem of the lower is still there (and therefore an unneeded double
      check) and the usage of doubling the system resources by clamavd (two
      instances).

      Before writing my own pipe filters, checking the size (and I don't know
      how to do this for the proxy filter), I would like to know whether there
      is an option I might use or someone who already set something like this up.

      Thanks in advance!

      Here is my master.conf:

      127.0.0.1:10025 inet n - n - 16 smtpd
        -o content_filter=smtp-clamavfilter:[127.0.0.1]:10026
        -o smtpd_proxy_filter=
        -o receive_override_options=no_address_mappings
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_delay_reject=no
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

      smtp-clamavfilter unix - - n - 16 smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
        -o disable_dns_lookups=yes

      127.0.0.1:10027 inet n - n - 16 smtpd
        -o content_filter=
        -o smtpd_proxy_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_delay_reject=no
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    • C. Vorwerk
      Message 2 of 7 , Dec 3, 2007
        Noel Jones wrote:
        > It's not possible to select a proxy based on some message property.
        >
        > Postfix must open the proxy *first*, before any message property is known.
        >
        > Perhaps you can configure your proxy to stop scanning (just pass transparently) after some byte limit.
        >


        Well, I could start two instances of clamavd with different config
        files. There you can configure the max size of a file to scan. This
        would lead to more used resources which I don't want.

        I understand now why postfix can't help. Do you know another way for my
        problem?
      • Noel Jones
        Message 3 of 7 , Dec 3, 2007
          C. Vorwerk wrote:
          > Noel Jones wrote:
          >> It's not possible to select a proxy based on some message property.
          >> Postfix must open the proxy *first*, before any message property is
          >> known.
          >>
          >> Perhaps you can configure your proxy to stop scanning (just pass
          >> transparently) after some byte limit.
          >>
          >
          >
          > Well, I could start two instances of clamavd with different config
          > files. There you can configure the max size of a file to scan. This
          > would lead to more used resources which I don't want.
          >
          > I understand now why postfix can't help. Do you know another way for my
          > problem?

          I don't think there is a good solution to your goal of
          scanning mail up to some size pre-queue and scan the rest
          post-queue.

          Running two clamd daemons and routing mail to the second one
          as a post-queue content_filter is the only way I can think of.
          While resource usage probably wouldn't be terrible, it is
          rather complex and awkward. This also requires some bit of
          glue so postfix can select a FILTER based on the size of the
          message. The SA plugin is one way, another way is a policy
          service that either uses PREPEND to add a X-Size: header or
          just returns a FILTER command itself.

          more info here might help:
          http://www.postfix.org/SMTPD_POLICY_README.html
          http://www.postfix.org/addon.html#policy

          --
          Noel Jones
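
The policy-service option mentioned in the message above, as an added example that is not part of the original thread: a minimal Postfix policy delegate in Python that returns FILTER for messages between the two size limits. It assumes it is run under spawn(8) and queried through check_policy_service at the END-OF-MESSAGE stage; the thresholds are the poster's approximate figures and the filter destination is the one in the posted master.cf.

```python
import sys

# Assumptions: limits from the thread (about 500 kB and about 10 MB) and the
# content filter destination from the master.cf posted in the first message.
PREQUEUE_MAX = 500 * 1024
POSTQUEUE_MAX = 10 * 1024 * 1024
FILTER_DEST = "smtp-clamavfilter:[127.0.0.1]:10026"


def parse_request(lines):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None  # EOF before the terminating empty line


def decide(attrs):
    """Return the access(5) action for one request."""
    # Before END-OF-MESSAGE the size is only what the client declared (or 0),
    # so it is not used for routing.
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"
    try:
        size = int(attrs.get("size", ""))
    except ValueError:
        return "FILTER " + FILTER_DEST  # size unknown: scan rather than skip
    if PREQUEUE_MAX < size <= POSTQUEUE_MAX:
        return "FILTER " + FILTER_DEST
    return "DUNNO"  # small mail, or larger than the scan limit


def serve(stream_in, stream_out):
    """Answer requests until EOF; one connection carries many requests."""
    while True:
        attrs = parse_request(stream_in)
        if attrs is None:
            break
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```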
        • C. Vorwerk
          Message 4 of 7 , Dec 4, 2007
            Noel Jones wrote:

            > I don't think there is a good solution to your goal of scanning mail up
            > to some size pre-queue and scan the rest post-queue.
            >
            I don't know so much about good. There are probably many opinions about
            how to implement in a good way. I'd like to hear some.

            I talked to the clamsmtp mailing list. They said that I might implement
            this feature without many changes, just checking the size of the mail
            after it receives it.
            I will try that in the next weeks.

            > Running two clamd daemons and routing mail to the second one as a
            > post-queue content_filter is the only way I can think of. While
            > resource usage probably wouldn't be terrible, it is rather complex and
            > awkward. This also requires some bit of glue so postfix can select a
            > FILTER based on the size of the message. The SA plugin is one way,
            > another way is a policy service that either uses PREPEND to add a
            > X-Size: header or just returns a FILTER command itself.
            >
            > more info here might help:
            > http://www.postfix.org/SMTPD_POLICY_README.html
            > http://www.postfix.org/addon.html#policy
            >

            You are probably right about the resources on a large scale. As a
            hosting service provider I would not worry about it either, even with
            online scanning of 10 Mb mails. But when you are small and need to calculate
            sharply about the costs, every Mb of your RAM is worth a fortune even
            if it is cheap on the market.
            By the way, I don't like the idea of running services twice without any
            need. It complicates the configuration.

            I will try to patch clamsmtp with a max size and maybe a min size
            option. Alternatively it writes a special trustworthy header with a salt
            which can be identified by Postfix for further mappings.

            Maybe you might explain to me why I get the feeling that you don't like
            the idea of my configuration. I am open to other / better ideas.

            Greets
          • Noel Jones
            Message 5 of 7 , Dec 4, 2007
              C. Vorwerk wrote:
              > Noel Jones wrote:
              >
              >> I don't think there is a good solution to your goal of scanning mail
              >> up to some size pre-queue and scan the rest post-queue.
              >>
              > I don't know so much about good. There are probably many opinions about
              > how to implement in a good way. I'd like to hear some.
              >
              > I talked to the clamsmtp mailing list. They said that I might implement
              > this feature without many changes, just checking the size of the mail
              > after it receives it.
              > I will try that in the next weeks.

              Does clamsmtp save the incoming mail to a temp file and then
              scan it before passing it to the next hop? (surely it doesn't
              try to cache it in memory...)

              If so, you could have clamsmtp either pass the mail or just
              add some X-header that you use as a trigger for post-queue
              scanning.

              AFAIK, this is the only way this could work cleanly. And yet
              you would still risk timeout issues on large mails or messages
              that take a long time to scan for some reason.

              >
              >> Running two clamd daemons and routing mail to the second one as a
              >> post-queue content_filter is the only way I can think of. While
              >> resource usage probably wouldn't be terrible, it is rather complex and
              >> awkward. This also requires some bit of glue so postfix can select a
              >> FILTER based on the size of the message. The SA plugin is one way,
              >> another way is a policy service that either uses PREPEND to add a
              >> X-Size: header or just returns a FILTER command itself.
              >>
              >> more info here might help:
              >> http://www.postfix.org/SMTPD_POLICY_README.html
              >> http://www.postfix.org/addon.html#policy
              >>
              >
              > You are probably right about the resources on a large scale. As a
              > hosting service provider I would not worry about it either, even with
              > online scanning of 10 Mb mails. But when you are small and need to calculate
              > sharply about the costs, every Mb of your RAM is worth a fortune even
              > if it is cheap on the market.
              > By the way, I don't like the idea of running services twice without any
              > need. It complicates the configuration.
              >
              > I will try to patch clamsmtp with a max size and maybe a min size
              > option. Alternatively it writes a special trustworthy header with a salt
              > which can be identified by Postfix for further mappings.

              If you add a header that the file wasn't scanned and needs
              further processing, the trust factor is far less of an issue.

              >
              > Maybe you might explain to me why I get the feeling that you don't like
              > the idea of my configuration. I am open to other / better ideas.
              >

              The idea is fine. I just don't see any reasonable way to
              accomplish it with available tools.

              If I've left anything significant out, be assured that someone
              else will jump in here...

              Good luck.

              --
              Noel Jones