header check question

Conz
I have a stand-alone mail server with postfix 2.10.1 (CentOS7) that also
has an anti spam setup.

For privacy reasons I added a header check to submission to change the
header on incoming mails from authenticated users so the anti spam won't
freak out about SPF etc. Because of roaming mobile clients I can't white
list senders like I would do normally in an enterprise setup where the
server would be a gateway. This header check is defined as its own
cleanup service in master.cf.

My header check consists of:

/^\s*(Received: from)[^\n]*(.*for <.*@(?!domain).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2

But I also need it to go to the HOLD directory. This is done with the
same received check normally but you can't have 2 filters for the same
thing.

Does anyone have any advice on how to accomplish this ?
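
An added example, not part of the original post: the posted pattern run against constructed Received headers, using Python's re module as a stand-in for Postfix's PCRE table with the i and s flags that pcre_table(5) turns on by default. The host names, client address and queue ID are constructed sample data, and "domain" is kept as the poster's placeholder.

```python
import re

# Pattern and REPLACE text as posted; "domain" is the poster's placeholder.
PATTERN = r"^\s*(Received: from)[^\n]*(.*for <.*@(?!domain).*)"
REPLACEMENT = r"\1 [127.0.0.1] (localhost [127.0.0.1])\2"  # $1/$2 written as \1/\2

# pcre_table(5) defaults: case-insensitive and dot-matches-newline are both on,
# and header_checks sees a folded header as one multi-line string.
HEADER_CHECK = re.compile(PATTERN, re.IGNORECASE | re.DOTALL)


def apply_header_check(header: str) -> str:
    """Return the header after the REPLACE action, or unchanged on no match."""
    match = HEADER_CHECK.match(header)
    return match.expand(REPLACEMENT) if match else header


def make_received(for_clause: str) -> str:
    """Build a constructed submission-style Received header (sample data)."""
    return (
        "Received: from phone.example.net (unknown [203.0.113.7])\n"
        "\tby mail.domain.example (Postfix) with ESMTPSA id 4F2A1C0D9E"
        + for_clause
        + "; Thu, 26 Oct 2017 10:32:29 +0200 (CEST)"
    )


SAMPLES = {
    "outbound": make_received("\n\tfor <friend@elsewhere.example>"),
    "local": make_received("\n\tfor <user@domain.example>"),
    # The lookahead is an unanchored prefix test, so this is skipped too.
    "lookalike": make_received("\n\tfor <friend@domainhosting.example>"),
    # No "for" clause (e.g. several recipients): nothing to match on.
    "no_for": make_received(""),
}


def leaks_client_ip(header: str) -> bool:
    """True if the client address is still present after the check."""
    return "203.0.113.7" in apply_header_check(header)


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:10} client IP kept: {leaks_client_ip(header)}")
        print(apply_header_check(header), end="\n\n")
```

Only the "outbound" sample is rewritten; the other three keep the client address, which is worth checking against real headers from the server before relying on the rule for privacy.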


Re: header check question

Benny Pedersen-2
On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:

> Does anyone have any advice on how to accomplish this ?

no logs, no problem

why enable spf test on anything not port 25, post postconf -n with logs that
shows error

Re: header check question

Conz
On 10/26/2017 11:20 AM, Benny Pedersen wrote:
> On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:
>
>> Does anyone have any advice on how to accomplish this ?
>
> no logs, no problem
>
> why enable spf test on anything not port 25, post postconf -n with logs
> that shows error
It's spamassassin amongst things that does the SPF checking for me, not
Postfix.
So there are no errors, just positive spam scoring.

The issue is that I need to both replace the Received header -and- still
dump the mail in the HOLD queue.
My bad for not being clear on that.

Re: header check question

Wietse Venema
Conz:

> On 10/26/2017 11:20 AM, Benny Pedersen wrote:
> > On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:
> >
> >> Does anyone have any advice on how to accomplish this ?
> >
> > no logs, no problem
> >
> > why enable spf test on anything not port 25, post postconf -n with logs
> > that shows error
> It's spamassassin amongst things that does the SPF checking for me, not
> Postfix.
> So there are no errors, just positive spam scoring.
>
> The issue is that I need to both replace the Received header -and- still
> dump the mail in the HOLD queue.
> My bad for not being clear on that.

Make the clients submit mail through the submission service, then set

submission inet n       -       n       -       -       smtpd
    ...
    -o smtpd_end_of_data_restrictions=static:hold

        Wietse

Re: header check question

Conz
On 10/26/2017 01:02 PM, Wietse Venema wrote:

> Conz:
>> On 10/26/2017 11:20 AM, Benny Pedersen wrote:
>>> On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:
>>>
>>>> Does anyone have any advice on how to accomplish this ?
>>> no logs, no problem
>>>
>>> why enable spf test on anything not port 25, post postconf -n with logs
>>> that shows error
>> It's spamassassin amongst things that does the SPF checking for me, not
>> Postfix.
>> So there are no errors, just positive spam scoring.
>>
>> The issue is that I need to both replace the Received header -and- still
>> dump the mail in the HOLD queue.
>> My bad for not being clear on that.
> Make the clients submit mail through the submission service, then set
>
> submission inet n       -       n       -       -       smtpd
>      ...
>      -o smtpd_end_of_data_restrictions=static:hold
>
> Wietse

When I add that it returns a 4.3.5 configuration error right after the
DATA command during sending:
postfix/submission/smtpd[17688]: warning: specify one of
(check_client_access, check_reverse_client_hostname_access,
check_helo_access, check_sender_access, check_recipient_access,
check_etrn_access) before End-of-data restriction "static:hold"

Pasting my submission part below, those options are indeed not enabled.
All the restrictions are done with 'smtpd_recipient_restrictions' so I
never looked at the ones in master.cf. Also not entirely sure what the
$mua variables are supposed to be.

submission inet n       -       n       -       -       smtpd
         -o syslog_name=postfix/submission
         -o smtpd_tls_security_level=encrypt
         -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
         -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
         -o cleanup_service_name=auth-cleanup
#      -o smtpd_end_of_data_restrictions=static:hold


Re: header check question

Wietse Venema
Conz:

> On 10/26/2017 01:02 PM, Wietse Venema wrote:
> > Conz:
> >> On 10/26/2017 11:20 AM, Benny Pedersen wrote:
> >>> On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:
> >>>
> >>>> Does anyone have any advice on how to accomplish this ?
> >>> no logs, no problem
> >>>
> >>> why enable spf test on anything not port 25, post postconf -n with logs
> >>> that shows error
> >> It's spamassassin amongst things that does the SPF checking for me, not
> >> Postfix.
> >> So there are no errors, just positive spam scoring.
> >>
> >> The issue is that I need to both replace the Received header -and- still
> >> dump the mail in the HOLD queue.
> >> My bad for not being clear on that.
> > Make the clients submit mail through the submission service, then set
> >
> > submission inet n       -       n       -       -       smtpd
> >      ...
> >      -o smtpd_end_of_data_restrictions=static:hold

My suggestion assumes that you have an already working submission
service. For an explanation of the mua_mumble parameters in master.cf,
see "man 5 master".

        Wietse

Re: header check question

Conz


On 10/26/2017 08:03 PM, Wietse Venema wrote:

> Conz:
>> On 10/26/2017 01:02 PM, Wietse Venema wrote:
>>> Conz:
>>>> On 10/26/2017 11:20 AM, Benny Pedersen wrote:
>>>>> On 26. okt. 2017 10.32.29 Conz <[hidden email]> wrote:
>>>>>
>>>>>> Does anyone have any advice on how to accomplish this ?
>>>>> no logs, no problem
>>>>>
>>>>> why enable spf test on anything not port 25, post postconf -n with logs
>>>>> that shows error
>>>> It's spamassassin amongst things that does the SPF checking for me, not
>>>> Postfix.
>>>> So there are no errors, just positive spam scoring.
>>>>
>>>> The issue is that I need to both replace the Received header -and- still
>>>> dump the mail in the HOLD queue.
>>>> My bad for not being clear on that.
>>> Make the clients submit mail through the submission service, then set
>>>
>>> submission inet n       -       n       -       -       smtpd
>>>       ...
>>>       -o smtpd_end_of_data_restrictions=static:hold
> My suggestion assumes that you have an already working submission
> service. For an explanation of the mua_mumble parameters in master.cf,
> see "man 5 master".
>
> Wietse

Submission works fine without the end_of_data_restrictions which is why
I'm confused by the error.
I'm assuming submission also looks at the smtpd_recipient_restrictions
setting in main.cf which also adds to my confusion ..
As soon as I enable the new setting it just gives me the error. Even if
I comment out all the other options for submission in master.cf which
seems to be how most people have it configured.
Another hint would be really appreciated.


Re: header check question

Noel Jones-2
On 10/27/2017 4:48 AM, Conz wrote:
> Another hint would be really appreciated.
>



# main.cf
mua_eod_restrictions = check_client_access static:hold

# master.cf
submission ...
  ...
  -o smtpd_end_of_data_restrictions=$mua_eod_restrictions