content filtering & restriction_classes


Chad M Stewart-2

I can't figure out how to set up an additional content filter based on a restriction class.  I need a clue stick applied, gently I hope.  :-)

High level of my setup

reload -- version 2.9.1, configuration /usr/local/etc/postfix

Internet -> postscreen -> smtpd ---LMTP--> content filter on localhost:37726 --SMTP--> postfix:10025.  That all works no problem.  What I want to accomplish is on postfix:10025 have an additional content filter, but not for all addresses, only those that are in a particular restriction class.


Relevant parts of config

master.cf
####
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
        -o content_filter=lmtp:localhost:37726
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
#
#
###################
localhost:10025 inet  n -       n       -       -        smtpd
  -o smtpd_milters=
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,192.168.7.30
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8


What I've tried in main.cf is the following

smtpd_restriction_classes = ultra_rc, high_rc, med_rc, low_rc, discard_filter_rc

discard_filter_rc =
        sleep 2
        reject_invalid_hostname
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        reject_unverified_recipient
        reject_multi_recipient_bounce
        reject_unauth_pipelining
        check_policy_service unix:private/spf-policy
        content_filter = smtp:localhost:10027

I tried replacing "smtp:localhost:10027" with "inet:localhost:10027" but either results in something like the text below in the logs.  I've read the FILTER_README and something is not sinking into my brain, because in my head I should be able to use the same syntax in master.cf or main.cf, but that is not working for me.

May 17 01:41:33 mta01 postfix/smtpd[94021]: error: unsupported dictionary type: smtp



Thank you,
Chad




Re: content filtering & restriction_classes

Noel Jones-2
On 5/16/2012 8:59 PM, Chad M Stewart wrote:

>
> I can't figure out how to set up an additional content filter based on a restriction class.  I need a clue stick applied, gently I hope.  :-)
>
> High level of my setup
>
> reload -- version 2.9.1, configuration /usr/local/etc/postfix
>
> Internet -> postscreen -> smtpd ---LMTP--> content filter on localhost:37726 --SMTP--> postfix:10025.  That all works no problem.  What I want to accomplish is on postfix:10025 have an additional content filter, but not for all addresses, only those that are in a particular restriction class.
>
>
> Relevant parts of config
>
> master.cf
> ####
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       y       -       -       smtpd
>         -o content_filter=lmtp:localhost:37726
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> #
> #
> ###################
> localhost:10025 inet  n -       n       -       -        smtpd
>   -o smtpd_milters=
>   -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks=127.0.0.0/8,192.168.7.30
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> What I've tried in main.cf is the following
>
> smtpd_restriction_classes = ultra_rc, high_rc, med_rc, low_rc, discard_filter_rc
>
> discard_filter_rc =
>         sleep 2
>         reject_invalid_hostname
>         reject_unknown_reverse_client_hostname
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_unknown_sender_domain
>         reject_unknown_recipient_domain
>         reject_unverified_recipient
>         reject_multi_recipient_bounce
>         reject_unauth_pipelining
>         check_policy_service unix:private/spf-policy
>         content_filter = smtp:localhost:10027

content_filter is not a valid argument in this context.  You could
replace it with an access table that returns "FILTER
smtp:[127.0.0.1]:10027" when the input matches.

Also note that content_filter and FILTER directives are not additive
-- the last one applied is the one used.  If you want to apply
multiple filters, you will need to chain them in master.cf or use
multiple postfix versions, basically add the access table that
triggers the restriction class to one of the "-o
smtpd_*_restrictions" of the 10025 listener, and then add another
listener to receive the input from 10027.  So the full path for mail
with the extra filtering would be something like

Internet -> postscreen -> smtpd ---LMTP--> content filter on
localhost:37726 --SMTP--> postfix:10025--> filter:10027-->
postfix:10029--> final delivery



  -- Noel Jones
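
An added configuration sketch of the chain described in the reply above; it is not part of Noel's post or of the original poster's setup. The names extra_filter_rc and reinject_10025_restrictions, both table paths and the sample recipient are hypothetical, and the filter on port 10027 is assumed to speak SMTP and re-inject to port 10029.

```conf
# ---- main.cf (names extra_filter_rc, reinject_10025_restrictions and both
# table paths are hypothetical) ----
smtpd_restriction_classes = ultra_rc, high_rc, med_rc, low_rc, discard_filter_rc, extra_filter_rc

# Class for the 10025 listener: its only job is to return a FILTER action.
extra_filter_rc =
        check_recipient_access regexp:/usr/local/etc/postfix/extra_filter.regexp

# Restriction list for the 10025 listener. The class lookup comes before
# permit_mynetworks, which would otherwise end evaluation first.
reinject_10025_restrictions =
        check_recipient_access hash:/usr/local/etc/postfix/extra_filter_rcpts
        permit_mynetworks
        reject

# ---- extra_filter_rcpts (run postmap on it after editing) ----
# Constructed sample recipient; the right-hand side names the class.
user@example.com        extra_filter_rc

# ---- extra_filter.regexp ----
/./     FILTER smtp:[127.0.0.1]:10027

# ---- master.cf ----
localhost:10025 inet  n -       n       -       -        smtpd
  -o smtpd_milters=
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=$reinject_10025_restrictions
  -o mynetworks=127.0.0.0/8,192.168.7.30
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# Second re-injection listener: takes mail back from the filter on 10027.
# mynetworks is limited to loopback on the assumption that the filter is local.
localhost:10029 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o smtpd_milters=
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

A FILTER action applies to the whole message, so a message with several recipients is routed through port 10027 if any one of them matches the table.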

Re: content filtering & restriction_classes

Chad M Stewart-2

Thank you Noel for the clarification.  I think I've figured out how I want this all set up.  :)


-Chad