Policy server setup

Policy server setup

Omar Eljumaily
Hi, I'm trying to set up a simple policy server described here:

http://www.postfix.org/SMTPD_POLICY_README.html#client_config

I've written a simple server in c++, and have also tried numerous
examples written in Perl, and still can't get it to work.  My logs
suggest that the server is never being called.

Here's my setup in main.cf.  The server I'm testing is the one with
inet:127.0.0.1:3001.  The greylist server works already, but I want to
add another one.

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
#   reject_rbl_client xbl.spamhaus.org,
   check_policy_service inet:127.0.0.1:3001,
    check_recipient_access hash:/etc/postfix/greylist_optin
#  check_policy_service unix:private/policy <--- Also tried private Spawn configuration which didn't work

#policy_time_limit = 3600

smtpd_restriction_classes = greylist

My c++ code is roughly this.  What I want to do is simply add a header
to all email messages, "Mypol: test123";

void Server1::doListen()
{
     _serverSocket.setListener(this);
     _serverSocket._address = "localhost";
     _serverSocket._port = 3001;
     _serverSocket.doListen1();
}

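// Split one "name=value" attribute line and store it in the map.
void Server1::addValue(StringMap &a, const std::string &line)
{
     // find() returns std::string::npos, not a negative int, when '=' is absent.
     std::string::size_type i = line.find('=');
     if (i == std::string::npos)
         return;
     std::string key = line.substr(0, i);
     a[key] = line.substr(i + 1);
}

// Handle one policy request: read attributes up to the empty line, then reply.
void Server1::acceptSocket(SocketHelper *sock)
{
     StringMap a;

     try
     {
         std::string line = sock->readLine();

         // The request ends with an empty line.
         while (line != "")
         {
             addValue(a, line);
             line = sock->readLine();
         }

         // The reply is one action line followed by an empty line.
         sock->write("action=PREPEND Mypol: test123\n\n");
     }
     catch (const OMException &)
     {
         // Errors from readLine()/write() are swallowed here.
     }
}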

Thanks,

Omar



Re: Policy server setup

Wietse Venema
Omar Eljumaily:

> Hi, I'm trying to set up a simple policy server described here:
>
> http://www.postfix.org/SMTPD_POLICY_README.html#client_config
>
> I've written a simple server in c++, and have also tried numerous
> examples written in Perl, and still can't get it to work.  My logs
> suggest that the server is never being called.
>
> Here's my setup in main.cf.  The server I'm testing is the one with
> inet:127.0.0.1:3001.  The greylist server works already, but I want to
> add another one.
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_rbl_client zen.spamhaus.org,
> #   reject_rbl_client xbl.spamhaus.org,
>    check_policy_service inet:127.0.0.1:3001,
...stuff omitted...

With the above, the policy service is NEVER called if the client
IP address matches mynetworks, or if the client has authenticated
with SASL.

To test if the service is called, run netcat instead of your server:

    $ nc -l 3001

This should show a bunch of Postfix attributes, assuming that the
client IP address does not match mynetworks, and that the client
has not authenticated with SASL. The Postfix SMTP server will be waiting
for a policy response.

        Wietse
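
Added example, not part of the original thread and not Postfix code: a simplified C++ model of the first-match evaluation described in the reply above, using the restriction names from the posted main.cf (the RBL and greylist entries are left out). The `Client` fields, `evaluate()` and the two list names are hypothetical; the policy service is assumed to answer PREPEND, which makes no accept/reject decision.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed description of one SMTP client, not real Postfix data.
struct Client {
    bool in_mynetworks;
    bool sasl_authenticated;
    bool rcpt_authorized;  // destination passes reject_unauth_destination
};

struct Result {
    std::string decision;  // "permit", "reject" or "dunno" (list exhausted)
    bool policy_called;    // did evaluation reach check_policy_service?
};

// Simplified model: restrictions run in order, the first permit or reject
// ends the list. The policy service replies PREPEND, which decides nothing.
Result evaluate(const std::vector<std::string>& list, const Client& c) {
    bool called = false;
    for (const std::string& r : list) {
        if (r == "permit_mynetworks" && c.in_mynetworks) return {"permit", called};
        if (r == "permit_sasl_authenticated" && c.sasl_authenticated) return {"permit", called};
        if (r == "reject_unauth_destination" && !c.rcpt_authorized) return {"reject", called};
        if (r == "check_policy_service") called = true;
    }
    return {"dunno", called};
}

// Order from the question, and the order with the policy check moved first.
const std::vector<std::string> kPosted = {"permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination", "check_policy_service"};
const std::vector<std::string> kPolicyFirst = {"check_policy_service",
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"};

int main() {
    const Client local{true, false, true}, outside_relay{false, false, false};
    std::cout << evaluate(kPosted, local).policy_called << "\n";            // 0
    std::cout << evaluate(kPolicyFirst, local).policy_called << "\n";       // 1
    std::cout << evaluate(kPolicyFirst, outside_relay).decision << "\n";    // reject
}
```

With the policy check first, a relay attempt from an outside client still ends in reject, because the PREPEND reply lets evaluation continue to reject_unauth_destination.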

Re: Policy server setup

Omar Eljumaily
Thanks Wietse.  Adding the rule on the 1st line makes it work.

Just to make sure, I'm assuming that returning only a header addition neither accepts nor rejects, so I'm not creating an open relay.

Thanks,

Omar


On 3/27/2016 10:27 AM, Wietse Venema wrote:

> Omar Eljumaily:
>> Hi, I'm trying to set up a simple policy server described here:
>>
>> http://www.postfix.org/SMTPD_POLICY_README.html#client_config
>>
>> I've written a simple server in c++, and have also tried numerous
>> examples written in Perl, and still can't get it to work.  My logs
>> suggest that the server is never being called.
>>
>> Here's my setup in main.cf.  The server I'm testing is the one with
>> inet:127.0.0.1:3001.  The greylist server works already, but I want to
>> add another one.
>>
>> smtpd_recipient_restrictions =
>>      permit_mynetworks,
>>      permit_sasl_authenticated,
>>      reject_unauth_destination,
>>      reject_rbl_client zen.spamhaus.org,
>> #   reject_rbl_client xbl.spamhaus.org,
>>     check_policy_service inet:127.0.0.1:3001,
> ...stuff omitted...
>
> With the above, the policy service is NEVER called if the client
> IP address matches mynetworks, or if the client has authenticated
> with SASL.
>
> To test if the service is called, run netcat instead of your server:
>
>      $ nc -l 3001
>
> This should show a bunch of Postfix attributes, assuming that the
> client IP address does not match mynetworks, and that the client
> has not authenticated with SASL. The Postfix SMTP server will be waiting
> for a policy response.
>
> Wietse


Re: Policy server setup

Wietse Venema
Omar Eljumaily:
> Thanks Wietse.  Adding the rule on the 1st line makes it work.
>
> Just to make sure, I'm assuming that returning only a header
> addition neither accepts nor rejects, so I'm not creating an open
> relay.

The prepend action makes no "accept/reject" decision.

If you always want to prepend a fixed text, Postfix 3.0 or later
can do that with built-in features:

/etc/postfix/main.cf:
     smtpd_mumble_restrictions =
        check_mumble_access static:{prepend Header-Name: header-value}
        ...

(for any known value of "mumble").

If the header value depends on sender, recipient, etc.,  you
can use a PCRE table instead (see "man 5 pcre_table").

        Wietse
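
Added example, not part of the original thread: a socket-free C++ version of the request/reply handling that the server in the first post performs, so the parsing and the reply can be tested on their own. `parse_request()` and `build_reply()` are hypothetical names, the sample request is constructed, and answering PREPEND only in the RCPT state (where the posted main.cf calls the service) is this example's assumption.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

using Attrs = std::map<std::string, std::string>;

// Parse "name=value" lines up to the empty line that ends a request.
// Splits on the first '=' only, tolerates a trailing '\r', skips bad lines.
Attrs parse_request(const std::string& text) {
    Attrs attrs;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty()) break;                       // end of request
        const std::string::size_type eq = line.find('=');
        if (eq == std::string::npos || eq == 0) continue;
        attrs[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return attrs;
}

// Build the reply. It is PREPEND or DUNNO, never OK/REJECT, so the service
// leaves the accept/reject decision to the other restrictions.
std::string build_reply(const Attrs& a) {
    const auto req = a.find("request");
    const auto state = a.find("protocol_state");
    if (req == a.end() || req->second != "smtpd_access_policy" ||
        state == a.end() || state->second != "RCPT")
        return "action=DUNNO\n\n";
    return "action=PREPEND Mypol: test123\n\n";
}

int main() {
    // Constructed sample request; attribute names follow SMTPD_POLICY_README.
    const std::string sample =
        "request=smtpd_access_policy\nprotocol_state=RCPT\n"
        "client_address=192.0.2.10\nsender=a=b@example.org\n"
        "recipient=user@example.com\n\n";
    std::cout << build_reply(parse_request(sample));
}
```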