bypass policy server in recipient_restrictions when subject contains string

Stefan Bauer-2
Hi,

Is there a way to bypass the policy server in smtp_recipient_restrictions in case the subject contains a special string?

smtpd_recipient_restrictions = check_policy_service unix:private/policy

header_checks:

/^Subject: .*string.*/ FILTER no-policy-service:

header_checks could reroute by subject but seems to kick in too late :/

Stefan

Re: bypass policy server in recipient_restrictions when subject contains string

Bill Cole-3
On 4 Jan 2019, at 9:36, Stefan Bauer wrote:

> is there a way to bypass policy server in smtp_recipient_restrictions,
> in case, subject contains special string?

No. As documented, smtp_recipient_restrictions is evaluated for each
RCPT command, all of which occur before the DATA command, which is when
the SMTP server can examine message data (including message headers.)

Re: bypass policy server in recipient_restrictions when subject contains string

Stefan Bauer-2
Would it be possible to have FILTER as an action in the policy server (in recipient_restrictions) and send it to an smtp process that uses header_checks to have mailroute based on subject?





Re: bypass policy server in recipient_restrictions when subject contains string

Bill Cole-3
On 4 Jan 2019, at 10:36, Stefan Bauer wrote:

> Would it be possible to have FILTER as action in policy server

Yes, but FILTER behaves as documented in the access(5) man page. The
first 5 words there describing what FILTER does are critical, but you
should read it all...

> (in recipient_restrictions) and send it to smtp process that uses
> header_checks to have mailroute based on subject?

There can be NO WAY to exempt a message from policy that would apply at
RCPT time with facts that cannot be known until end-of-DATA time.
Postfix cannot modify the basic constraints of non-quantum causality or
the arrow of time or tell SMTP clients to re-order the fixed command
sequence of SMTP.

If you want to make any decisions about a message based on a header, you
must do that with a tool (header_checks, milter, content_filter, or
post-delivery backend) that has access to the message data because it
operates at end-of-DATA or after queueing.

Re: bypass policy server in recipient_restrictions when subject contains string

Stefan Bauer-2
Understood. Would it be possible to have header_checks in main.cf that send mails with a special subject with FILTER to an smtp process that does not have the policy service as an option, and all other mails (/.*/) also with FILTER to an smtp process with the policy service?

This way I can bypass the policy service with a special subject.


Re: bypass policy server in recipient_restrictions when subject contains string

Stefan Bauer-2
Seems to have no effect for unknown reasons. policy service is not called. Tried:


tls_whitelist_check     unix    -       -       n       -       -       smtp
   -o header_checks=
   -o smtp_header_checks=
   -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
   -o sender_dependent_default_transport_maps=
   -o smtpd_relay_restrictions=

header_checks in main.cf:

/^Subject: .*/  FILTER tls_whitelist_check:

mail.log reports:

Jan  5 14:00:09 mx1 postfix/cleanup[31559]: 3FE0A8062A: filter: header Subject: test from mail1.remote.tld[1.2.3.4]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mail1.bla>: tls_whitelist_check:

Mail gets delivered, but policy service is not used/called.

What am I missing?


Re: bypass policy server in recipient_restrictions when subject contains string

Benny Pedersen-2
Stefan Bauer wrote on 2019-01-05 14:08:

> tls_whitelist_check     unix    -       -       n       -       -       smtp
>    -o header_checks=
>    -o smtp_header_checks=
>    -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
>    -o sender_dependent_default_transport_maps=
>    -o smtpd_relay_restrictions=

smtpd can't be overridden in smtp master.cf :=)

it can, but it has no effect, sorry, can't help more

Re: bypass policy server in recipient_restrictions when subject contains string

Stefan Bauer-2
Thank you. That explains it!


Re: bypass policy server in recipient_restrictions when subject contains string

Viktor Dukhovni

> On Jan 5, 2019, at 8:08 AM, Stefan Bauer <[hidden email]> wrote:
>
> tls_whitelist_check     unix    -       -       n       -       -       smtp
>    -o header_checks=
>    -o smtp_header_checks=
>    -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
>    -o sender_dependent_default_transport_maps=
>    -o smtpd_relay_restrictions=

Take a look at: http://www.postfix.org/OVERVIEW.html

Once you understand how mail flows through the system, you'll
see why the above is a non-starter.

--
        Viktor.
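
Added example, not part of the thread or of Postfix: a small lint for the failed attempt discussed above, flagging `-o smtpd_*` overrides placed on master.cf entries whose command is the smtp or lmtp delivery client, where they are never evaluated. The sample master.cf text is constructed from the entry quoted in the thread, and treating only `smtp` and `lmtp` as client commands is an assumption of this sketch.

```python
# Constructed sample: an ordinary smtpd listener plus the entry from the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
tls_whitelist_check     unix    -       -       n       -       -       smtp
   -o header_checks=
   -o smtp_header_checks=
   -o smtpd_recipient_restrictions=check_policy_service,unix:private/policy
   -o sender_dependent_default_transport_maps=
   -o smtpd_relay_restrictions=
"""

# Assumption of this sketch: these commands are delivery clients and never
# evaluate smtpd_* access restrictions.
CLIENT_COMMANDS = {"smtp", "lmtp"}


def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entry = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and entry:
            entry.append(raw.strip())
        else:
            if entry:
                yield " ".join(entry)
            entry = [raw.strip()]
    if entry:
        yield " ".join(entry)


def ineffective_overrides(text):
    """Return (service, parameter) pairs where smtpd_* is set on a client."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        service, command, args = fields[0], fields[7], fields[8:]
        if command not in CLIENT_COMMANDS:
            continue
        for flag, value in zip(args, args[1:]):
            name = value.split("=", 1)[0]
            if flag == "-o" and name.startswith("smtpd_"):
                findings.append((service, name))
    return findings
```

The listener named `smtp` is not flagged because its command field is `smtpd`; only the command column decides which parameters a service reads.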