Help: Question about Postfix configuration for routing / relay


Help: Question about Postfix configuration for routing / relay

Liebeskind Uri (luri)
Dear postfix experts,

For more than a week I have been trying to integrate an encryption appliance into the mail flow of our Postfix servers.


UP TO NOW THE MAIL-FLOW IS AS SUCH:

Exchange -> mx1:25
            -> to milter at 127.0.0.1:10025 (Sophos PureMessage)
            -> back from milter to 127.0.0.1:10026
            -> outbound MTA (e.g. Gmail)


CONFIGURATION FOR THIS IS:
main.cf:
content_filter = pmx:[127.0.0.1]:10025

master.cf:
:25      inet  n    -    n    -    300   smtpd
:10026   inet  n    -    n    -     -    smtpd
     -o content_filter=
     -o local_recipient_maps=
     -o relay_recipient_maps=
     -o myhostname=localhost
     -o smtpd_helo_restrictions=
     -o smtpd_client_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o allow_untrusted_routing=yes

PureMessage is configured to pass mail to 127.0.0.1:10026



WHAT I WANT TO ACHIEVE:
Mails matching certain header criteria have to be relayed to an appliance in our network, enc.zhaw.ch:25. The appliance then has to pass the mail back to mx1, and Postfix shall deliver it.

The scenario must be tested only on our non-production mx4, and only for a specific (source and target) mail address ([hidden email]). Only mx4 redirects mails to the encryption appliance.


CONFIGURATION TO RELAY MAILS FROM MX1 TO MX4 FOR [hidden email]
MX1:
main.cf:
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender

relay_by_sender:
[hidden email]     mx4.zhaw.ch


CONFIGURATION ON MX4 TO RELAY MAILS FROM MX4 TO enc.zhaw.ch FOR SPECIFIC HEADER CRITERIA
MX4:
main.cf:
content_filter = pmx:[127.0.0.1]:10025
header_checks = pcre:/etc/postfix/header_checks,pcre:/etc/postfix/header_checks-totemo

header_checks-totemo:
/Subject:\h*#secure/                        FILTER smtp:[enc.zhaw.ch]
/Content-Type: .*pkcs7-(signature|mime)/    FILTER smtp:[enc.zhaw.ch]

The encryption appliance removes the triggering text #secure from the subject, encrypts the message and then passes the message to mx1:20025.

CONFIGURATION ON MX1
main.cf: (as before)
content_filter = pmx:[127.0.0.1]:10025
header_checks = pcre:/etc/postfix/header_checks,pcre:/etc/postfix/header_checks-totemo


header_checks-totemo:
/Subject:\h*#secure/                        FILTER smtp:[enc.zhaw.ch]
/Content-Type: .*pkcs7-(signature|mime)/    FILTER smtp:[enc.zhaw.ch]


master.cf:
:25      inet  n    -    n    -    300   smtpd
:10026   inet  n    -    n    -     -    smtpd
     -o content_filter=
     -o local_recipient_maps=
     -o relay_recipient_maps=
     -o myhostname=localhost
     -o smtpd_helo_restrictions=
     -o smtpd_client_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o allow_untrusted_routing=yes

# RECEIVE MAILS FROM THE ENCRYPTION APPLIANCE ON 20025
:20025   inet  n    -    n    -     -    smtpd
     -o content_filter=
     -o sender_dependent_relayhost_maps=
     -o receive_override_options=no_header_body_checks
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8,160.85.104.245,160.85.104.246


WHAT HAPPENS:
This configuration loops, because the option "-o sender_dependent_relayhost_maps=" is ignored.
This causes the message to be relayed to MX4 again. On MX4, header_checks-totemo triggers on the Content-Type: criterion because the message is encrypted. This relays the message to the encryption appliance again, and so on.

I have been struggling with this for over a week now. It is really hard to understand which parameters are processed at what point in Postfix.

So I hope someone can give me a tip.

Another requirement is that in the final setup I want to send the messages through the pmx anti-spam milter before encryption and after decryption.

Kind regards,
Uri




--
------------------------------------
Zurich University of Applied Sciences
Information and Communication Technology

Uri Liebeskind
System Administrator
Gertrudstrasse 15
Postfach 805
CH-8401 Winterthur

Tel. +41 58 934 72 63
Fax. +41 58 935 72 63
http://www.zhaw.ch/en/
-------------------------------------


Reply: Help: Question about Postfix configuration for routing / relay

Stephan.Glatthaar
* Liebeskind Uri (luri) <[hidden email]>:

> WHAT I WANT TO ACHIEVE:
> Mails with certain header criteria have to be relayed to an
> appliance in our network enc.zhaw.ch:25. The appliance then has to
> pass the mail back to mx1 and postfix shall deliver the mail.
>
You could solve this with a PureMessage policy.siv snippet like this:

if allof(pmx_attachment_type :memberof ["encrypted-mailparts"],
         not pmx_relay :re ["enc.zhaw.ch"])
    {
        pmx_mark1 "encrypted outbound";
        pmx_route ["enc.zhaw.ch"];
        stop;
    }



Or with Postfix; first the way to totemo:

add in main.cf:
mime_header_checks = pcre:/etc/postfix/mime_header_checks

mime_header_checks:
# Filter if a mail was S/MIME or OpenPGP encrypted/signed

/^Content-Type:\s* (
        multipart\/signed|
        multipart\/encrypted|
        application\/pkcs7-mime|
        application\/x-pkcs7-mime
        )/x                             FILTER smtp:[enc.zhaw.ch]


And then the way back from totemo to Postfix port 10026:

add to master.cf:
10026   inet    n       -       n       -       20      smtpd
        -o content_filter=
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o allow_untrusted_routing=yes
        -o receive_override_options=no_header_body_checks


--

Cheers
Stephan