per sender/email exclusion for smtpd_milter_maps, or equiv?


per sender/email exclusion for smtpd_milter_maps, or equiv?

PGNet Dev
I've a postfix instance accepting mail submission from internal clients.

The configuration includes a DKIM signer

        [int.mx.example.com]:465 inet n - n - - smtpd
        ...
        -o smtpd_milters=unix:/run/dkimpy-milter/dkimpy-milter.sock
        -o milter_macro_daemon_name=DKIM_ORIGINATING
        ...

It signs outbound as expected.

I'd like to all dkim interaction/processing for a single internal sender ([hidden email]); ideally excluding it from pass to outbound milter at all.

In docs

        smtpd_milter_maps (default: empty)

                Lookup tables with Milter settings per remote SMTP client IP address. The lookup result overrides the smtpd_milters setting, and has the same syntax.

                Note: lookup tables cannot return empty responses. Specify a lookup result of DISABLE (case does not matter) to indicate that Milter support should be disabled.

                Example to disable Milters for local clients:

                /etc/postfix/main.cf:
                        smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
                        smtpd_milters = inet:host:port, { inet:host:port, ... }, ...

                /etc/postfix/smtpd_milter_map:
                        # Disable Milters for local clients.
                        127.0.0.0/8    DISABLE
                        192.168.0.0/16 DISABLE
                        ::/64          DISABLE
                        2001:db8::/32  DISABLE

                This feature is available in Postfix 3.2 and later.

provides an exclusion mechanism -- but, iiuc, ONLY (?) for "lookup tables ... per remote SMTP client IP address".

I _can_ set up the sender to use a new/different smtpd listener in postfix config.
Or, I can modify the DKIM signer (dunno yet if that's in code, or in config).

Certainly doable, tho a bit kludgy.


Is there a postfix exclusion map mechanism that'll safely work with a sender/email lookup?


Re: per sender/email exclusion for smtpd_milter_maps, or equiv?

Wietse Venema
PGNet Dev:
> I'd like to all dkim interaction/processing for a single internal sender ([hidden email]); ideally excluding it from pass to outbound milter at all.

It is not possible to switch Milter options in the middle of an
SMTP session. That is why smtpd_milter_maps is indexed by the SMTP
client IP address, and not by information that is received during
an SMTP session. In theory software can be made to do arbitrary
things, but in practice one has to limit the code complexity to
guarantee some level of bug-free-ness.

Maybe you can configure an exception for the sender's domain in
the dkim milter configuration.

        Wietse

Re: per sender/email exclusion for smtpd_milter_maps, or equiv?

PGNet Dev
> It is not possible to switch Milter options in the middle of an SMTP session.

ah, understood.

> Maybe you can configure an exception for the sender's domain in
> the dkim milter configuration.

not immediately obvious how with current milter dkimpy-milter, but there are other options.
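
Added example, not part of the thread and not Postfix code: a small Python check that evaluates a smtpd_milter_maps-style cidr table the way the quoted documentation describes (keyed by client IP, first match wins, DISABLE turns milters off) and lists which clients would bypass the DKIM signer. The sample table, the address 192.0.2.25 and all function names are constructed for illustration; the parser is simplified and handles only plain "pattern result" lines and comments.

```python
import ipaddress

# Constructed sample table in the style of the documentation example quoted
# in the thread; 192.0.2.25 is a made-up address for a host that skips the signer.
SAMPLE_MAP = """\
# Disable Milters for local clients.
127.0.0.0/8    DISABLE
192.0.2.25     DISABLE
2001:db8::/32  DISABLE
"""

# smtpd_milters value from the listener shown in the first message.
DEFAULT_MILTERS = "unix:/run/dkimpy-milter/dkimpy-milter.sock"


def parse_milter_map(text):
    """Return ordered (network, result) rules; malformed patterns raise ValueError."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), result.strip()))
    return rules


def milters_for_client(rules, client_ip, default=DEFAULT_MILTERS):
    """First matching rule wins; DISABLE (any case) means no milters (None)."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr in network:
            return None if result.upper() == "DISABLE" else result
    return default


def exempt_clients(rules, client_ips):
    """Clients whose mail would bypass the milters, i.e. leave unsigned."""
    return [ip for ip in client_ips if milters_for_client(rules, ip) is None]


if __name__ == "__main__":
    rules = parse_milter_map(SAMPLE_MAP)
    for ip in ("192.0.2.25", "192.0.2.26", "127.0.0.1", "2001:db8::1"):
        print(ip, "->", milters_for_client(rules, ip) or "no milters")
```

The only lookup key is the client address, so an exclusion of this kind covers one sender only when that sender submits from its own IP address.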