
multiple actions, SPF to skip greylist


multiple actions, SPF to skip greylist

Andreas Schamanek

Hi there,

I am open to suggestions but for now I am running Postfix 2.11.3
(Debian Stable), Postgrey 1.35 and postfix-policyd-spf-python 2.0.1,
joined together with

  smtpd_recipient_restrictions = (...)
    reject_unauth_destination
    check_policy_service unix:private/policyd-spf
    # postgrey
    check_policy_service inet:127.0.0.1:60000

I am not yet very familiar with the many details of Postfix but if I am
not mistaken a policy service can only return 1 action (AFAIK this is
still the case in 3.x, too!? cf. [1]).

So, policyd-spf is bound to either PREPEND a header _or_ send an OK.
Is there a way to configure this so that policyd-spf in case of
SPF-Pass causes Postfix to prepend a header _and_ skip the
greylisting?

I haven't tried it but I assume that I could call policyd-spf twice
with 2 different configs, the 1st to send PREPEND, the 2nd to send OK.
However, if possible I wanted to avoid this waste of resources.

I found a thread from 2014 by Wietse re. [Idea: multiple actions in
access/header_checks/policy results][1]. It seems this is what I am
looking for, but it hasn't been hacked into Postfix, or have I just
missed the respective documentation?

  [1]: http://postfix.1071664.n5.nabble.com/Idea-multiple-actions-in-access-header-checks-policy-results-td71906.html

--
-- Andreas

    :-)


Re: multiple actions, SPF to skip greylist

Wietse Venema
Andreas Schamanek:
> I found a thread from 2014 by Wietse re. [Idea: multiple actions in
> access/header_checks/policy results][1]. It seems this is what I am
> looking for, but it hasn't been hacked into Postfix, or have I just
> missed the respective documentation?
>
>   [1]: http://postfix.1071664.n5.nabble.com/Idea-multiple-actions-in-access-header-checks-policy-results-td71906.html
>

That design uses '{' or '}' to specify the boundaries of a command,
for example,

    { prepend X-Foo: foo }, permit

Such text is safe in Postfix configuration files which can be edited
only by a trusted user, but not when the text is produced on-the-fly
by a policy server, regexp table, or pcre table, based on untrusted
inputs from the Internet.

To make such text safe, Postfix policy/access lookups would have
to forbid inputs that contain '{' or '}', or use a format that does
not rely on delimiter characters, such as netstring which is not
compatible with current Postfix table formats.

        Wietse
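
Added example, not part of the original thread and not Postfix code: it shows how the brace-delimited form quoted above changes meaning when a policy server pastes untrusted text between the braces, and the two remedies the post names. The parser, the function names and the sample input are assumptions made for illustration.

```python
import re

def compose_braced(value):
    """Naive reply builder: untrusted text is pasted between the braces."""
    return "{ prepend X-Foo: %s }, permit" % value

def parse_braced(reply):
    """Hypothetical parser: '{ ... }' groups or bare words, comma-separated."""
    found = re.findall(r"\{([^{}]*)\}|([^,{}]+)", reply)
    return [(a or b).strip() for a, b in found if (a or b).strip()]

def compose_braced_checked(value):
    """First option from the post: forbid inputs that contain '{' or '}'."""
    if "{" in value or "}" in value:
        raise ValueError("brace in untrusted input")
    return compose_braced(value)

def compose_netstrings(actions):
    """Second option: length-prefixed netstrings, no delimiter to collide with."""
    return b"".join(b"%d:%s," % (len(a), a) for a in (s.encode() for s in actions))

def parse_netstrings(buf):
    actions = []
    while buf:
        length, _, rest = buf.partition(b":")
        n = int(length)                      # ValueError on a non-numeric length
        if rest[n:n + 1] != b",":
            raise ValueError("malformed netstring")
        actions.append(rest[:n].decode())
        buf = rest[n + 1:]
    return actions

# Constructed sample: text that arrived from the network and contains braces.
UNTRUSTED = "foo }, defer, { prepend X-Bar: bar"

if __name__ == "__main__":
    print(parse_braced(compose_braced("foo")))        # two actions, as intended
    print(parse_braced(compose_braced(UNTRUSTED)))    # four actions: boundaries moved
    wire = compose_netstrings(["prepend X-Foo: " + UNTRUSTED, "permit"])
    print(parse_netstrings(wire))                     # two actions, braces are data
```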

Re: multiple actions, SPF to skip greylist

Scott Kitterman-4
In reply to this post by Andreas Schamanek
On Monday, May 08, 2017 08:09:45 PM Andreas Schamanek wrote:

> Hi there,
>
> I am open to suggestions but for now I am running Postfix 2.11.3
> (Debian Stable), Postgrey 1.35 and postfix-policyd-spf-python 2.0.1,
> joined together with
>
>   smtpd_recipient_restrictions = (...)
>     reject_unauth_destination
>     check_policy_service unix:private/policyd-spf
>     # postgrey
>     check_policy_service inet:127.0.0.1:60000
>
> I am not yet very familiar with the many details of Postfix but if I am
> not mistaken a policy service can only return 1 action (AFAIK this is
> still the case in 3.x, too!? cf. [1]).
>
> So, policyd-spf is bound to either PREPEND a header _or_ send an OK.
> Is there a way to configure this so that policyd-spf in case of
> SPF-Pass causes Postfix to prepend a header _and_ skip the
> greylisting?
>
> I haven't tried it but I assume that I could call policyd-spf twice
> with 2 different configs, the 1st to send PREPEND, the 2nd to send OK.
> However, if possible I wanted to avoid this waste of resources.
>
> I found a thread from 2014 by Wietse re. [Idea: multiple actions in
> access/header_checks/policy results][1]. It seems this is what I am
> looking for, but it hasn't been hacked into Postfix, or have I just
> missed the respective documentation?
>
>   [1]: http://postfix.1071664.n5.nabble.com/Idea-multiple-actions-in-access-header-checks-policy-results-td71906.html

If you look at README.per_user_whitelisting that's included with the policy
server it shows methods to take different actions based on the SPF result.  
You do have to run it twice to also prepend the header field, but (assuming a
local DNS cache - which you really should have anyway) the resource
implications are not large.  Virtually all of the overhead associated with SPF
checks is due to waiting on DNS lookups.  As long as it's in the local cache
for the second instance, that should be pretty minimal.

That text could use some work, so if you have suggestions, please file bugs in
the project bug tracker [1].

Scott K

[1] https://bugs.launchpad.net/pypolicyd-spf/