
smtpd_data_restrictions vs header_checks (sequence of execution)

  • Eddy Beliveau
    Message 1 of 5 , May 1, 2008
      Hi! Networkers,
       
      I'm using with success Postfix 2.5.1 (+amavisd-new) on my academic server.
       
      This server is reserved to authenticated sender only.
       
      I need to add some custom header to every email received.
      This custom header will be read later by some smtpproxy process.
       
      So, on main.cf, I added:
       
      smtpd_data_restrictions =
              check_sender_access   ldap:ldap_add_header
       
      ldap_add_header_query_filter = (mail=%s)
      ...cut...
      ldap_add_header_result_attribute = privileges
      ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
       
       
      But, I also want to be sure to remove any forged similar header
       
      so, I added this rule to my header_checks file:
      /^X-Sender-Privileges:/                        IGNORE
       
      This works too well.
      It also removes the custom header that I just added.
       
      It seems that "smtpd_data_restrictions" is executed before header_checks step.
       
      Any advice will be appreciated.
       
      Thanks and have a nice day
      Eddy

    • Noel Jones
      Message 2 of 5 , May 1, 2008
        Eddy Beliveau wrote:
        > Hi! Networkers,
        >
        > I'm using with success Postfix 2.5.1 (+amavisd-new) on my academic server.
        >
        > This server is reserved to authenticated sender only.
        >
        > I need to add some custom header to every email received.
        > This custom header will be read later by some smtpproxy process.
        >
        > So, on main.cf, I added:
        >
        > smtpd_data_restrictions =
        > check_sender_access ldap:ldap_add_header
        >
        > ldap_add_header_query_filter = (mail=%s)
        > ...cut...
        > ldap_add_header_result_attribute = privileges
        > ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
        >
        >
        > But, I also want to be sure to remove any forged similar header
        >
        > so, I added this rule to my header_checks file:
        > /^X-Sender-Privileges:/ IGNORE
        >
        > This works too well.
        > It also removes the custom header that I just added.
        >
        > It seems that "smtpd_data_restrictions" is executed before header_checks
        > step.
        >
        > Any advice will be appreciated.
        >
        > Thanks and have a nice day
        > Eddy
        >

        Right, smtpd_*_restrictions happen before header/body checks
        (with the exception of smtpd_end_of_data_restrictions which
        can't add headers).

        Some alternate choices, there may be others:
        - have your smtp proxy use some default (restricted?) behavior
        in the presence of multiple privilege headers.
        - have postfix remove forged headers and convince amavisd-new
        to add what you need.
        - have the pre-amavis postfix remove forged headers, and the
        post-amavis postfix add your headers. This would require
        either multiple postfix instances, or defining multiple
        cleanup services in master.cf.

        --
        Noel Jones
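
The first alternative above (a consumer that falls back to restricted behavior when it sees multiple privilege headers), sketched as an added example that is not part of the original thread. The privilege names, the fallback level and the `make_message` helper are assumptions made for illustration.

```python
from email import message_from_bytes
from email.policy import default

HEADER = "X-Sender-Privileges"
RESTRICTED = "restricted"                        # hypothetical fallback level
KNOWN_LEVELS = {"restricted", "staff", "admin"}  # hypothetical LDAP values


def effective_privilege(raw: bytes) -> str:
    """Trust the header only when exactly one copy with a known value is present."""
    msg = message_from_bytes(raw, policy=default)
    values = msg.get_all(HEADER, [])             # header names match case-insensitively
    if len(values) != 1:
        return RESTRICTED                        # missing or duplicated: fail closed
    level = str(values[0]).strip().lower()
    return level if level in KNOWN_LEVELS else RESTRICTED


def make_message(*privilege_headers: str) -> bytes:
    """Build a constructed test message carrying the given header values."""
    lines = [f"{HEADER}: {value}" for value in privilege_headers]
    lines += ["From: user@example.org", "Subject: test", "", "body"]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    for sample in (("staff",), ("staff", "admin"), (), ("root",)):
        print(sample, "->", effective_privilege(make_message(*sample)))
```
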
      • Eddy Beliveau
        Message 3 of 5 , May 2, 2008
          >> Eddy Beliveau wrote:
          >> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
          >> execution)
          ...cut...
          >> smtpd_data_restrictions =
          >> check_sender_access ldap:ldap_add_header
          >> ldap_add_header_query_filter = (mail=%s)
          >> ...cut...
          >> ldap_add_header_result_attribute = privileges
          >> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
          >> But, I also want to be sure to remove any forged similar header
          >> so, I added this rule to my header_checks file:
          >> /^X-Sender-Privileges:/ IGNORE
          ...cut...
          >> It seems that "smtpd_data_restrictions" is executed before header_checks
          >> step.

          "Noel Jones" <njones@...> replies:
          > Right, smtpd_*_restrictions happen before header/body checks (with the
          > exception of smtpd_end_of_data_restrictions which can't add headers).
          > ...cut...
          > - have the pre-amavis postfix remove forged headers, and the post-amavis
          > postfix add your headers. This would require either multiple postfix
          > instances, or defining multiple cleanup services in master.cf.


          Hi! Noel,

          Many thanks for your reply.

          Currently, emails received by postfix (port 25) are passed to smtp-amavis (127.0.0.1:10024),
          which passes them back to postfix (127.0.0.1:10025) for final delivery with lmtp/smtp.

          Here is a part of my current master.cf:
          smtp inet n - n - - smtpd
            -o receive_override_options=no_address_mappings

          cleanup unix n - n - 0 cleanup
          lmtp unix - - n - - lmtp
          smtp unix - - n - - smtp

          smtp-amavis unix - - n - 10 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookup=yes
            -o max_use=20

          127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_data_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o mynetworks_style=host
            -o strict_rfc821_envelopes=yes
            -o in_flow_delay=0
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

          My current header_checks file contains:
          /^X-Sender-Privileges:/ IGNORE


          I like your multiple cleanup solution.
          Do you mean the following:

          smtp inet n - n - - smtpd
            -o receive_override_options=no_address_mappings
            -o cleanup_service_name=pre-cleanup
            -o smtpd_data_restrictions=

          pre-cleanup unix n - n - 0 cleanup

          cleanup unix n - n - 0 cleanup
            -o header_checks=

          127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
          ## -o smtpd_data_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o mynetworks_style=host
            -o strict_rfc821_envelopes=yes
            -o in_flow_delay=0
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

          Thanks again,
          Eddy
        • Noel Jones
          Message 4 of 5 , May 2, 2008
            Eddy Beliveau wrote:
            >>> Eddy Beliveau wrote:
            >>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
            >>> execution)
            > ...cut...
            >>> smtpd_data_restrictions =
            >>> check_sender_access ldap:ldap_add_header
            >>> ldap_add_header_query_filter = (mail=%s)
            >>> ...cut...
            >>> ldap_add_header_result_attribute = privileges
            >>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
            >>> But, I also want to be sure to remove any forged similar header
            >>> so, I added this rule to my header_checks file:
            >>> /^X-Sender-Privileges:/ IGNORE
            > ...cut...
            >>> It seems that "smtpd_data_restrictions" is executed before
            >>> header_checks step.
            >
            > "Noel Jones" <njones@...> replies:
            >> Right, smtpd_*_restrictions happen before header/body checks (with the
            >> exception of smtpd_end_of_data_restrictions which can't add headers).
            >> ...cut...
            >> - have the pre-amavis postfix remove forged headers, and the
            >> post-amavis postfix add your headers. This would require either
            >> multiple postfix instances, or defining multiple cleanup services in
            >> master.cf.
            >
            >
            > Hi! Noel,
            >
            > Many thanks for your reply.
            >
            > Currently, emails received by postfix (port 25) are passed to
            > smtp-amavis (127.0.0.1:10024),
            > which passes them back to postfix (127.0.0.1:10025) for final delivery
            > with lmtp/smtp.
            >
            ...
            > My current header_checks file contains:
            > /^X-Sender-Privileges:/ IGNORE
            >
            >
            > I like your multiple cleanup solution.
            > Do you mean the following:

            Now that I think about it a little more, since you're using
            no_header_body_checks on the post-amavisd postfix
            127.0.0.1:10025 all you need to do is tell
            smtpd_data_restrictions on the post-amavisd postfix to add
            your header. The IGNORE header check won't be run a second time.

            This means you don't need to mess with the
            cleanup_service_name overrides or multiple cleanup services,
            making it just a little simpler.

            127.0.0.1:10025 inet n - n - - smtpd
              -o content_filter=
              -o local_recipient_maps=
              -o relay_recipient_maps=
              -o smtpd_restriction_classes=
              -o smtpd_client_restrictions=
              -o smtpd_helo_restrictions=
              -o smtpd_sender_restrictions=
              -o smtpd_recipient_restrictions=permit_mynetworks,reject
              -o mynetworks=127.0.0.0/8
              -o mynetworks_style=host
              -o strict_rfc821_envelopes=yes
              -o in_flow_delay=0
              -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
              -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

            --
            Noel Jones
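
A small lint for the layout described in this reply, as an added example that is not part of the original thread: it checks that the public listener still runs header_checks and that the re-injection listener both skips them and carries the check_sender_access lookup. It reads only plain `-o name=value` overrides in master.cf (settings in main.cf are not seen); the function names and the trimmed sample are assumptions.

```python
def parse_master_cf(text):
    """Map (service, type) -> {override: value}, joining whitespace-led continuation lines."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                               # blank and comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()      # continuation of the previous entry
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        tokens = entry.split()
        if len(tokens) < 2:
            continue
        opts = {}
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                key, _, value = arg.partition("=")
                opts[key] = value
        services[(tokens[0], tokens[1])] = opts
    return services


def audit(text, public=("smtp", "inet"), reinject=("127.0.0.1:10025", "inet")):
    """Return a list of findings; an empty list means the layout matches the reply above."""
    svc = parse_master_cf(text)
    pub, post = svc.get(public, {}), svc.get(reinject, {})
    findings = []
    if "no_header_body_checks" in pub.get("receive_override_options", "").split(","):
        findings.append("public listener skips header_checks; forged header is not stripped")
    if "no_header_body_checks" not in post.get("receive_override_options", "").split(","):
        findings.append("re-injection listener runs header_checks; IGNORE strips the PREPEND")
    if "check_sender_access" not in post.get("smtpd_data_restrictions", ""):
        findings.append("re-injection listener has no check_sender_access to PREPEND the header")
    return findings


# Constructed sample, trimmed from the listener definition posted above.
SAMPLE = """\
smtp inet n - n - - smtpd
  -o receive_override_options=no_address_mappings
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf
"""
```
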
          • Eddy Beliveau
            Message 5 of 5 , May 2, 2008
              Many thanks for your reply.

              I will try it next Tuesday and give a follow-up.

              Thanks
              Eddy
              ----- Original Message -----
              From: "Noel Jones" <njones@...>
              To: <postfix-users@...>
              Sent: May 2, 2008 16:30
              Subject: Re: smtpd_data_restrictions vs header_checks (sequence of execution)


              > Eddy Beliveau wrote:
              >>>> Eddy Beliveau wrote:
              >>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
              >>>> execution)
              >> ...cut...
              >>>> smtpd_data_restrictions =
              >>>> check_sender_access ldap:ldap_add_header
              >>>> ldap_add_header_query_filter = (mail=%s)
              >>>> ...cut...
              >>>> ldap_add_header_result_attribute = privileges
              >>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
              >>>> But, I also want to be sure to remove any forged similar header
              >>>> so, I added this rule to my header_checks file:
              >>>> /^X-Sender-Privileges:/ IGNORE
              >> ...cut...
              >>>> It seems that "smtpd_data_restrictions" is executed before header_checks
              >>>> step.
              >>
              >> "Noel Jones" <njones@...> replies:
              >>> Right, smtpd_*_restrictions happen before header/body checks (with the
              >>> exception of smtpd_end_of_data_restrictions which can't add headers).
              >>> ...cut...
              >>> - have the pre-amavis postfix remove forged headers, and the post-amavis
              >>> postfix add your headers. This would require either multiple postfix
              >>> instances, or defining multiple cleanup services in master.cf.
              >>
              >>
              >> Hi! Noel,
              >>
              >> Many thanks for your reply.
              >>
              >> Currently, emails received by postfix (port 25) are passed to smtp-amavis
              >> (127.0.0.1:10024),
              >> which passes them back to postfix (127.0.0.1:10025) for final delivery
              >> with lmtp/smtp.
              >>
              > ...
              >> My current header_checks file contains:
              >> /^X-Sender-Privileges:/ IGNORE
              >>
              >>
              >> I like your multiple cleanup solution.
              >> Do you mean the following:
              >
              > Now that I think about it a little more, since you're using
              > no_header_body_checks on the post-amavisd postfix 127.0.0.1:10025 all you
              > need to do is tell smtpd_data_restrictions on the post-amavisd postfix to
              > add your header. The IGNORE header check won't be run a second time.
              >
              > This means you don't need to mess with the cleanup_service_name overrides
              > or multiple cleanup services, making it just a little simpler.
              >
              > 127.0.0.1:10025 inet n - n - - smtpd
              >   -o content_filter=
              >   -o local_recipient_maps=
              >   -o relay_recipient_maps=
              >   -o smtpd_restriction_classes=
              >   -o smtpd_client_restrictions=
              >   -o smtpd_helo_restrictions=
              >   -o smtpd_sender_restrictions=
              >   -o smtpd_recipient_restrictions=permit_mynetworks,reject
              >   -o mynetworks=127.0.0.0/8
              >   -o mynetworks_style=host
              >   -o strict_rfc821_envelopes=yes
              >   -o in_flow_delay=0
              >   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
              >   -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf
              >
              > --
              > Noel Jones