Postfix's SMTP outbound mail filtering of header content

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Postfix's SMTP outbound mail filtering of header content

Charles Account
Hi Gurus,

Can Postfix's SMTP process (outbound delivery) perform header_checks and
relay the message to a specified MTA?

Based on what I've read in the man pages for header_checks this implemented
by cleanup process and doesn't seem to solve my problem.

My scenario,  I have an RFC822 X-header that is add by a milter.
If the RFC822 X-header is set, and it is queued to the SMTP process
(not deposited locally), I would like message to be sent to a secondary
MTA for further processing.

Can I do this by adding a filter/header_check to master.cf's smtp configuration?

Charles


Get 5 GB of storage with Windows Live Hotmail. Sign up today.
Reply | Threaded
Open this post in threaded view
|

Re: Postfix's SMTP outbound mail filtering of header content

Wietse Venema
As documented, smtp_header_checks etc. cannot change the destination.

Destination changes would not make sense, because the checks happen
while mail is being delivered.

        Wietse
Reply | Threaded
Open this post in threaded view
|

RE: Postfix's SMTP outbound mail filtering of header content

Charles Account


> Subject: Re: Postfix's SMTP outbound mail filtering of header content
> To: [hidden email]
> Date: Mon, 17 Nov 2008 16:13:19 -0500
> CC: [hidden email]
> From: [hidden email]
>
> As documented, smtp_header_checks etc. cannot change the destination.
>
> Destination changes would not make sense, because the checks happen
> while mail is being delivered.
>
> Wietse

If I create a second relay-smtp queue that is configured to be a relay to deliver
mail to my MTA, can I use smtp_header_checks in conjunction with cleanup
to determine recipient's destination is not local, if so, deliver to relay-smtp
queue?

Charles


Color coding for safety: Windows Live Hotmail alerts you to suspicious email. Sign up today.
Reply | Threaded
Open this post in threaded view
|

Re: Postfix's SMTP outbound mail filtering of header content

Wietse Venema
Wietse:
> As documented, smtp_header_checks etc. cannot change the destination.
>
> Destination changes would not make sense, because the checks happen
> while mail is being delivered.

Charles Account:
> If I create a second relay-smtp queue that is configured to be a
> relay to deliver mail to my MTA, can I use smtp_header_checks in
> conjunction with cleanup to determine recipient's destination is
> not local, if so, deliver to relay-smtp queue?

As documented, smtp_header_checks are implemented by the SMTP client
while Postfix delivers mail. As documented, this cannot change the
destination. It can change the message by prepending, replacing or
ignoring a message header.

As documented, header_checks are implemented by the cleanup daemon
while Postfix receives mail. As documented, this can change the
destination.

        Wietse
Reply | Threaded
Open this post in threaded view
|

RE: Postfix's SMTP outbound mail filtering of header content

Charles Account


> Subject: Re: Postfix's SMTP outbound mail filtering of header content
> To: [hidden email]
> Date: Mon, 17 Nov 2008 17:35:20 -0500
> From: [hidden email]
>
> Wietse:
>> As documented, smtp_header_checks etc. cannot change the destination.
>>
>> Destination changes would not make sense, because the checks happen
>> while mail is being delivered.
>
> Charles Account:
>> If I create a second relay-smtp queue that is configured to be a
>> relay to deliver mail to my MTA, can I use smtp_header_checks in
>> conjunction with cleanup to determine recipient's destination is
>> not local, if so, deliver to relay-smtp queue?
>
> As documented, smtp_header_checks are implemented by the SMTP client
> while Postfix delivers mail. As documented, this cannot change the
> destination. It can change the message by prepending, replacing or
> ignoring a message header.
>
> As documented, header_checks are implemented by the cleanup daemon
> while Postfix receives mail. As documented, this can change the
> destination.
>
> Wietse

Wietse,

Thanks for the information. I was originally looking at header_checks but as I
understand the feature, it may not support (please correct me if I'm wrong)
the function I am looking to implement.

I am running Postfix with zimbra, our milter checks for specific content, etc.
If it exists, it is allowed to be delivered to the local lmtp queues, however,
as for company policy, it must be run through a black box service before
being sent outside the company. The milter will put an RFC822 X-header
in the message to indicate additional checks are required. The problem is
we don't want all mail sent outside to be run through the black box
because of the load (a different department and that's what the folks
are telling me).

As I understand header_checks is it affects the all recipients and we
are not required to check internal mail by the black box.Ā 

The only solution I can devise, is to have all outbound smtp traffic sent
to an intermediate sendmail server, which I can configure to forward
mail traffic containing the RFC822 X-header to the black box and
all other mail delivered. I personally don't want to stand up another
server because of costs but since I'm still understanding all of postfix's
many features, I haven't found anything.

Do you see an alternative within postfix?

Thanks in advance for helping out a postfix novice.

Charles






Get more done, have more fun, and stay more connected with Windows MobileĀ®. See how.
Reply | Threaded
Open this post in threaded view
|

Re: Postfix's SMTP outbound mail filtering of header content

Victor Duchovni
On Tue, Nov 18, 2008 at 02:24:38PM +0000, Charles Account wrote:

> I am running Postfix with zimbra, our milter checks for specific
> content, etc.If it exists, it is allowed to be delivered to the local
> lmtp queues, however,as for company policy, it must be run through a
> black box service beforebeing sent outside the company. The milter will
> put an RFC822 X-headerin the message to indicate additional checks are
> required.

This calls for a 2.5 stage Postfix:


        input -------> output ----> destination
                          |
                          |
                          v
                       scrutiny --> destination

The X-Header is added between the input and output stages (via a milter in
the input stage, or a content_filter between the input and output stages).
The output stage Looks for the X-Header and if present, shunts mail into
the scrutiny stage, otherwise delivers to the real destination.

I would use three separate Postfix instances for this, but it can be
done with multiple services in a single instance.

In most of my systems that are similar, the "scrutiny" stage is actually
a quarantine, and mail does not leave directly from there, but the idea
is the same...

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.