combine a milter and a before-queue content filter

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

combine a milter and a before-queue content filter

Rob Maidment-2

Is it possible to use milters in combination with a before-queue content filter? 

What does the content filter see if the milter indicates a message should be rejected?

 

thank you.

 


Rob Maidment

Chief Architect

Telephone +44 118 903 8657

Twitter@clearswift

<img border="0" width="134" height="44" id="clearswiftLogo" src="https://www.clearswift.com/sites/all/themes/clearswift2/img/sigfiles/clearswift-ruag- cyber-security-logo-email.png" alt="Clearswift">

1310 Waterside | Arlington Business Park | Theale | Berkshire | RG7 4SA | United Kingdom

Adaptive Security & Data Loss Prevention solutions for email, web, cloud apps and endpoint. On-premise, Hosted and Managed Service options available.

Clearswift Endpoint DLP is now available! Data Discovery - Content Transfer & Encryption - Device Control. Learn more here.


___________________________________________________________
Clearswift processes personal data in accordance with our privacy policy.

This e-mail and any files transmitted with it are strictly confidential, may be privileged and are intended only for use by the addressee unless otherwise indicated.  If you are not the intended recipient any use, dissemination, printing or copying is strictly prohibited and may be unlawful.  If you have received this e-mail in error, please delete it immediately and contact the sender as soon as possible.  Clearswift cannot be held liable for delays in receipt of an email or any errors in its content. Clearswift accepts no responsibility once an e-mail and any attachments leave us. Unless expressly stated, opinions in this message are those of the individual sender and not of Clearswift.


This email message has been inspected by Clearswift for inappropriate content and security threats. 


To find out more about Clearswift’s solutions please visit www.clearswift.com

Reply | Threaded
Open this post in threaded view
|

Re: combine a milter and a before-queue content filter

Matus UHLAR - fantomas
On 30.07.19 11:26, Rob Maidment wrote:
>Is it possible to use milters in combination with a before-queue content filter?

milter does work as before-queue content filter: it does run and is able to
reject messages at SMTP time.

>What does the content filter see if the milter indicates a message should be rejected?

if you are asking about smtp proxy, better don't use that.  Milter often
won't indicate that since it won't see most of the message.

you can use two milters instead.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
Reply | Threaded
Open this post in threaded view
|

RE: combine a milter and a before-queue content filter

Rob Maidment-2
I already have a before-queue content filter (proxy) that I must use:  http://www.postfix.org/SMTPD_PROXY_README.html 
I would like to make use of a milter as well:  http://www.postfix.org/MILTER_README.html 
 I'd like to know if combining both could cause problems.  What does the content filter see, for example, if the milter indicates the message should be rejected at the RCPT TO stage?

Thank you.


-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Matus UHLAR - fantomas
Sent: 30 July 2019 12:46
To: [hidden email]
Subject: Re: combine a milter and a before-queue content filter

** This message has come from an external source. If you do not recognise the sender, THINK carefully before you CLICK or OPEN any links or attachments.
**

On 30.07.19 11:26, Rob Maidment wrote:
>Is it possible to use milters in combination with a before-queue
>content filter?

milter does work as before-queue content filter: it does run and is able to reject messages at SMTP time.

>What does the content filter see if the milter indicates a message
>should be rejected?

if you are asking about smtp proxy, better don't use that.  Milter often won't indicate that since it won't see most of the message.

you can use two milters instead.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.

This e-mail and any files transmitted with it are strictly confidential, may be privileged and are intended only for use by the addressee unless otherwise indicated.  If you are not the intended recipient any use, dissemination, printing or copying is strictly prohibited and may be unlawful.  If you have received this e-mail in error, please delete it immediately and contact the sender as soon as possible.  Clearswift cannot be held liable for delays in receipt of an email or any errors in its content. Clearswift accepts no responsibility once an e-mail and any attachments leave us. Unless expressly stated, opinions in this message are those of the individual sender and not of Clearswift.

This email message has been inspected by Clearswift for inappropriate content and security threats.

To find out more about Clearswift’s solutions please visit www.clearswift.com
Reply | Threaded
Open this post in threaded view
|

Re: combine a milter and a before-queue content filter

Matus UHLAR - fantomas
On 30.07.19 12:52, Rob Maidment wrote:
>I already have a before-queue content filter (proxy) that I must use:  http://www.postfix.org/SMTPD_PROXY_README.html

must?  Are you sure you can't replace it by milter?  Note that milter has
better functions than smtp proxy.

>I would like to make use of a milter as well:  http://www.postfix.org/MILTER_README.html
> I'd like to know if combining both could cause problems.  What does the content filter see, for example, if the milter indicates the message should be rejected at the RCPT TO stage?

as you can read in http://www.postfix.org/MILTER_README.html:

When you use the before-queue content filter for incoming SMTP mail (see
SMTPD_PROXY_README), Milter applications have access only to the SMTP
command information; they have no access to the message header or body, and
cannot make modifications to the message or to the envelope.

I believe you can reject at RCPT to stage, if milter says so.


>-----Original Message-----
>From: [hidden email] <[hidden email]> On Behalf Of Matus UHLAR - fantomas
>Sent: 30 July 2019 12:46
>To: [hidden email]
>Subject: Re: combine a milter and a before-queue content filter
>
>** This message has come from an external source. If you do not recognise the sender, THINK carefully before you CLICK or OPEN any links or attachments.
>**
>
>On 30.07.19 11:26, Rob Maidment wrote:
>>Is it possible to use milters in combination with a before-queue
>>content filter?
>
>milter does work as before-queue content filter: it does run and is able to reject messages at SMTP time.
>
>>What does the content filter see if the milter indicates a message
>>should be rejected?
>
>if you are asking about smtp proxy, better don't use that.  Milter often won't indicate that since it won't see most of the message.
>
>you can use two milters instead.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
Reply | Threaded
Open this post in threaded view
|

Re: combine a milter and a before-queue content filter

Viktor Dukhovni
In reply to this post by Rob Maidment-2
> On Jul 30, 2019, at 8:52 AM, Rob Maidment <[hidden email]> wrote:
>
> I already have a before-queue content filter (proxy) that I must use:  http://www.postfix.org/SMTPD_PROXY_README.html 
> I would like to make use of a milter as well:  http://www.postfix.org/MILTER_README.html 
> I'd like to know if combining both could cause problems.  What does the content filter see, for example, if the milter indicates the message should be rejected at the RCPT TO stage?

When the message envelope is rejected, the proxy filter never runs.

I would not recommend mixing milters and proxy filters.  The milter
can never see the message body because, when using a proxy, smtpd(8)
has no cleanup(8) to which it can pass the milter connection for body
inspection. The milter will only see the message envelope, and it is
not clear that the milter will behave correctly at "DOT" when it never
saw the message body.  I could be mistaken.  Wietse would know better.

I've not yet used the Postfix milter interface in practice.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: combine a milter and a before-queue content filter

Wietse Venema
Viktor Dukhovni:

> > On Jul 30, 2019, at 8:52 AM, Rob Maidment <[hidden email]> wrote:
> >
> > I already have a before-queue content filter (proxy) that I must use:  http://www.postfix.org/SMTPD_PROXY_README.html 
> > I would like to make use of a milter as well:  http://www.postfix.org/MILTER_README.html 
> > I'd like to know if combining both could cause problems.  What does the content filter see, for example, if the milter indicates the message should be rejected at the RCPT TO stage?
>
> When the message envelope is rejected, the proxy filter never runs.
>
> I would not recommend mixing milters and proxy filters.  The milter
> can never see the message body because, when using a proxy, smtpd(8)
> has no cleanup(8) to which it can pass the milter connection for body
> inspection. The milter will only see the message envelope, and it is
> not clear that the milter will behave correctly at "DOT" when it never
> saw the message body.  I could be mistaken.  Wietse would know better.
>
> I've not yet used the Postfix milter interface in practice.

As Viktor says, the Milter will not see any header/body/end-of-body
protocol events, and therefore it will reject any attempt to modify
the message or envelope.

        Wietse