Re: smtpd_data_restrictions vs header_checks (sequence of execution)

  • Noel Jones
    Message 1 of 5 , May 1, 2008
      Eddy Beliveau wrote:
      > Hi! Networkers,
      >
      > I'm using with success Postfix 2.5.1 (+amavisd-new) on my academic server.
      >
      > This server is reserved to authenticated senders only.
      >
      > I need to add some custom header to every email received.
      > This custom header will be read later by some smtpproxy process.
      >
      > So, on main.cf, I added:
      >
      > smtpd_data_restrictions =
      > check_sender_access ldap:ldap_add_header
      >
      > ldap_add_header_query_filter = (mail=%s)
      > ...cut...
      > ldap_add_header_result_attribute = privileges
      > ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
      >
      >
      > But, I also want to be sure to remove any forged similar header
      >
      > so, I added this rule to my header_checks file:
      > /^X-Sender-Privileges:/ IGNORE
      >
      > This works too well
      > It also removes the custom header that I just added.
      >
      > It seems that "smtpd_data_restrictions" is executed before header_checks
      > step.
      >
      > Any advice will be appreciated
      >
      > Thanks and have a nice day
      > Eddy
      >

      Right, smtpd_*_restrictions happen before header/body checks
      (with the exception of smtpd_end_of_data_restrictions which
      can't add headers).

      Some alternate choices, there may be others:
      - have your smtp proxy use some default (restricted?) behavior
      in the presence of multiple privilege headers.
      - have postfix remove forged headers and convince amavisd-new
      to add what you need.
      - have the pre-amavis postfix remove forged headers, and the
      post-amavis postfix add your headers. This would require
      either multiple postfix instances, or defining multiple
      cleanup services in master.cf.

      --
      Noel Jones
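
Added example, not part of the original thread: a sketch of the first alternative listed above, in which whatever consumes X-Sender-Privileges falls back to a restricted default unless exactly one recognised header is present. The names DEFAULT and KNOWN, the privilege values and the sample messages are assumptions made for illustration.

```python
from email import message_from_string

HEADER = "X-Sender-Privileges"
DEFAULT = "restricted"          # assumed fallback level, not from the thread
KNOWN = {"staff", "student"}    # assumed values of the LDAP "privileges" attribute


def sender_privileges(raw_message):
    """Return the sender's privilege level, failing closed when ambiguous."""
    msg = message_from_string(raw_message)
    # get_all() matches the header name case-insensitively and returns every
    # occurrence, so a forged copy next to the real one is always visible.
    values = msg.get_all(HEADER, [])
    if len(values) != 1:
        return DEFAULT          # missing header, or more than one: do not guess
    # Collapse folding whitespace before comparing against the allow-list.
    value = " ".join(str(values[0]).split()).lower()
    return value if value in KNOWN else DEFAULT


# Constructed sample messages (not taken from the thread).
SINGLE = "X-Sender-Privileges: staff\nFrom: a@example.edu\n\nbody\n"
FORGED = ("X-Sender-Privileges: staff\nFrom: a@example.edu\n"
          "x-sender-privileges: admin\n\nbody\n")
MISSING = "From: a@example.edu\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("single", SINGLE), ("forged", FORGED), ("missing", MISSING)):
        print(name, "->", sender_privileges(raw))
```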
    • Eddy Beliveau
      Message 2 of 5 , May 2, 2008
        >> Eddy Beliveau wrote:
        >> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
        >> execution)
        ...cut...
        >> smtpd_data_restrictions =
        >> check_sender_access ldap:ldap_add_header
        >> ldap_add_header_query_filter = (mail=%s)
        >> ...cut...
        >> ldap_add_header_result_attribute = privileges
        >> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
        >> But, I also want to be sure to remove any forged similar header
        >> so, I added this rule to my header_checks file:
        >> /^X-Sender-Privileges:/ IGNORE
        ...cut...
        >> It seems that "smtpd_data_restrictions" is executed before header_checks
        >> step.

        "Noel Jones" <njones@...> replies:
        > Right, smtpd_*_restrictions happen before header/body checks (with the
        > exception of smtpd_end_of_data_restrictions which can't add headers).
        > ...cut...
        > - have the pre-amavis postfix remove forged headers, and the post-amavis
        > postfix add your headers. This would require either multiple postfix
        > instances, or defining multiple cleanup services in master.cf.


        Hi! Noel,

        Many thanks for your reply.

        Currently, emails received by postfix (port 25) are passed to smtp-amavis
        (127.0.0.1:10024)
        which passes them back to postfix (127.0.0.1:10025) for final delivery with
        lmtp/smtp

        Here is part of my current master.cf:
        smtp inet n - n - - smtpd
          -o receive_override_options=no_address_mappings

        cleanup unix n - n - 0 cleanup
        lmtp unix - - n - - lmtp
        smtp unix - - n - - smtp

        smtp-amavis unix - - n - 10 smtp
          -o smtp_data_done_timeout=1200
          -o smtp_send_xforward_command=yes
          -o disable_dns_lookup=yes
          -o max_use=20

        127.0.0.1:10025 inet n - n - - smtpd
          -o content_filter=
          -o local_recipient_maps=
          -o relay_recipient_maps=
          -o smtpd_restriction_classes=
          -o smtpd_client_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_sender_restrictions=
          -o smtpd_data_restrictions=
          -o smtpd_recipient_restrictions=permit_mynetworks,reject
          -o mynetworks=127.0.0.0/8
          -o mynetworks_style=host
          -o strict_rfc821_envelopes=yes
          -o in_flow_delay=0
          -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

        My current header_checks file contains:
        /^X-Sender-Privileges:/ IGNORE


        I like your multiple cleanup solution.
        Do you mean the following:

        smtp inet n - n - - smtpd
          -o receive_override_options=no_address_mappings
          -o cleanup_service_name=pre-cleanup
          -o smtpd_data_restrictions=

        pre-cleanup unix n - n - 0 cleanup

        cleanup unix n - n - 0 cleanup
          -o header_checks=

        127.0.0.1:10025 inet n - n - - smtpd
          -o content_filter=
          -o local_recipient_maps=
          -o relay_recipient_maps=
          -o smtpd_restriction_classes=
          -o smtpd_client_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_sender_restrictions=
          ## -o smtpd_data_restrictions=
          -o smtpd_recipient_restrictions=permit_mynetworks,reject
          -o mynetworks=127.0.0.0/8
          -o mynetworks_style=host
          -o strict_rfc821_envelopes=yes
          -o in_flow_delay=0
          -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

        Thanks again,
        Eddy
      • Noel Jones
        Message 3 of 5 , May 2, 2008
          Eddy Beliveau wrote:
          >>> Eddy Beliveau wrote:
          >>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
          >>> execution)
          > ...cut...
          >>> smtpd_data_restrictions =
          >>> check_sender_access ldap:ldap_add_header
          >>> ldap_add_header_query_filter = (mail=%s)
          >>> ...cut...
          >>> ldap_add_header_result_attribute = privileges
          >>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
          >>> But, I also want to be sure to remove any forged similar header
          >>> so, I added this rule to my header_checks file:
          >>> /^X-Sender-Privileges:/ IGNORE
          > ...cut...
          >>> It seems that "smtpd_data_restrictions" is executed before
          >>> header_checks step.
          >
          > "Noel Jones" <njones@...> replies:
          >> Right, smtpd_*_restrictions happen before header/body checks (with the
          >> exception of smtpd_end_of_data_restrictions which can't add headers).
          >> ...cut...
          >> - have the pre-amavis postfix remove forged headers, and the
          >> post-amavis postfix add your headers. This would require either
          >> multiple postfix instances, or defining multiple cleanup services in
          >> master.cf.
          >
          >
          > Hi! Noel,
          >
          > Many thanks for your reply.
          >
          > Currently, emails received by postfix (port 25) are passed to
          > smtp-amavis (127.0.0.1:10024)
          > which passes them back to postfix (127.0.0.1:10025) for final delivery
          > with lmtp/smtp
          >
          ...
          > My current header_checks file contains:
          > /^X-Sender-Privileges:/ IGNORE
          >
          >
          > I like your multiple cleanup solution.
          > Do you mean the following:

          Now that I think about it a little more, since you're using
          no_header_body_checks on the post-amavisd postfix
          127.0.0.1:10025 all you need to do is tell
          smtpd_data_restrictions on the post-amavisd postfix to add
          your header. The IGNORE header check won't be run a second time.

          This means you don't need to mess with the
          cleanup_service_name overrides or multiple cleanup services,
          making it just a little simpler.

          127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o mynetworks_style=host
            -o strict_rfc821_envelopes=yes
            -o in_flow_delay=0
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

          --
          Noel Jones
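
Added example, not part of the original thread: a simplified Python model of the ordering discussed above, showing why the original setup loses the PREPENDed header and why adding it on the post-amavisd smtpd keeps it while a client-supplied copy is still stripped. It models only the PREPEND action, the IGNORE header check and no_header_body_checks; amavisd-new is treated as a pass-through, and the LDAP value "staff" and the sample headers are constructed.

```python
import re

# header_checks from the thread: drop any X-Sender-Privileges header.
# Postfix regexp tables match case-insensitively by default.
HEADER_CHECKS = [(re.compile(r"^X-Sender-Privileges:", re.I), "IGNORE")]
TRUSTED = "X-Sender-Privileges: staff"   # constructed LDAP lookup result


def smtpd(headers, prepend=None):
    """smtpd restriction stage: a PREPEND action puts a header on top."""
    return ([prepend] if prepend else []) + list(headers)


def cleanup(headers, checks, override_options=()):
    """cleanup stage: runs after smtpd, applies header_checks unless disabled."""
    if "no_header_body_checks" in override_options:
        return list(headers)
    return [h for h in headers
            if not any(rx.search(h) and act == "IGNORE" for rx, act in checks)]


def original_setup(headers):
    # Port 25: smtpd PREPENDs, then cleanup runs header_checks on everything.
    first = cleanup(smtpd(headers, prepend=TRUSTED), HEADER_CHECKS)
    # amavisd-new sits here (pass-through); 127.0.0.1:10025 adds nothing.
    return cleanup(smtpd(first), HEADER_CHECKS, ("no_header_body_checks",))


def revised_setup(headers):
    # Port 25: no PREPEND; header_checks strips what the client supplied.
    first = cleanup(smtpd(headers), HEADER_CHECKS)
    # 127.0.0.1:10025: PREPEND here; header checks are off on this pass.
    return cleanup(smtpd(first, prepend=TRUSTED), HEADER_CHECKS,
                   ("no_header_body_checks",))


# Constructed sample headers, including a client-supplied privilege header.
SAMPLE = ["From: student@example.edu",
          "X-Sender-Privileges: admin",
          "Subject: test"]

if __name__ == "__main__":
    print("original:", original_setup(SAMPLE))
    print("revised: ", revised_setup(SAMPLE))
```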
        • Eddy Beliveau
          Message 4 of 5 , May 2, 2008
            Many thanks for your reply.

            I will try it next Tuesday and give a follow-up.

            Thanks
            Eddy
            ----- Original Message -----
            From: "Noel Jones" <njones@...>
            To: <postfix-users@...>
            Sent: May 2, 2008 16:30
            Subject: Re: smtpd_data_restrictions vs header_checks (sequence of execution)


            > Eddy Beliveau wrote:
            >>>> Eddy Beliveau wrote:
            >>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
            >>>> execution)
            >> ...cut...
            >>>> smtpd_data_restrictions =
            >>>> check_sender_access ldap:ldap_add_header
            >>>> ldap_add_header_query_filter = (mail=%s)
            >>>> ...cut...
            >>>> ldap_add_header_result_attribute = privileges
            >>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
            >>>> But, I also want to be sure to remove any forged similar header
            >>>> so, I added this rule to my header_checks file:
            >>>> /^X-Sender-Privileges:/ IGNORE
            >> ...cut...
            >>>> It seems that "smtpd_data_restrictions" is executed before header_checks
            >>>> step.
            >>
            >> "Noel Jones" <njones@...> replies:
            >>> Right, smtpd_*_restrictions happen before header/body checks (with the
            >>> exception of smtpd_end_of_data_restrictions which can't add headers).
            >>> ...cut...
            >>> - have the pre-amavis postfix remove forged headers, and the post-amavis
            >>> postfix add your headers. This would require either multiple postfix
            >>> instances, or defining multiple cleanup services in master.cf.
            >>
            >>
            >> Hi! Noel,
            >>
            >> Many thanks for your reply.
            >>
            >> Currently, emails received by postfix (port 25) are passed to smtp-amavis
            >> (127.0.0.1:10024)
            >> which passes them back to postfix (127.0.0.1:10025) for final delivery
            >> with lmtp/smtp
            >>
            > ...
            >> My current header_checks file contains:
            >> /^X-Sender-Privileges:/ IGNORE
            >>
            >>
            >> I like your multiple cleanup solution.
            >> Do you mean the following:
            >
            > Now that I think about it a little more, since you're using
            > no_header_body_checks on the post-amavisd postfix 127.0.0.1:10025 all you
            > need to do is tell smtpd_data_restrictions on the post-amavisd postfix to
            > add your header. The IGNORE header check won't be run a second time.
            >
            > This means you don't need to mess with the cleanup_service_name overrides
            > or multiple cleanup services, making it just a little simpler.
            >
            > 127.0.0.1:10025 inet n - n - - smtpd
            >   -o content_filter=
            >   -o local_recipient_maps=
            >   -o relay_recipient_maps=
            >   -o smtpd_restriction_classes=
            >   -o smtpd_client_restrictions=
            >   -o smtpd_helo_restrictions=
            >   -o smtpd_sender_restrictions=
            >   -o smtpd_recipient_restrictions=permit_mynetworks,reject
            >   -o mynetworks=127.0.0.0/8
            >   -o mynetworks_style=host
            >   -o strict_rfc821_envelopes=yes
            >   -o in_flow_delay=0
            >   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            >   -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf
            >
            > --
            > Noel Jones