silent drop from sender *unless* to...

Jonathan Engbrecht
Can I make a header_check rule (or equivalent) somehow that does the following:

AND NOT To: (bar|baz|quux)@mydomain.com
DISCARD

Re: silent drop from sender *unless* to...

Noel Jones-2
On 12/3/2019 3:31 PM, Jonathan Engbrecht wrote:
> Can I make a header_check rule (or equivalent) somehow that does the
> following:
>
> If From: [hidden email]
> AND NOT To: (bar|baz|quux)@mydomain.com
> DISCARD


header_checks operates on each single header, you can't compare info
from different headers.  So no.

You can use restriction classes or a policy service such as postfwd
to compare both the sender and recipient, but keep in mind those
features use the envelope sender and recipient and not what's listed
in the From: and To: headers.
http://www.postfix.org/RESTRICTION_CLASS_README.html
http://postfwd.org/

You could do this in a milter or a content_filter.



   -- Noel Jones

Re: silent drop from sender *unless* to...

Ralph Seichter-2
In reply to this post by Jonathan Engbrecht
* Jonathan Engbrecht:

> If From: [hidden email]
> AND NOT To: (bar|baz|quux)@mydomain.com
> DISCARD

Milter-regex (https://www.benzedrine.ch/milter-regex.html) can do this,
and more. The actual syntax for your example would be something like
this (untested because I am typing from memory):

  discard
  header /^From$/ /foo@example\.com/ and not \
  header /^To$/ /(bar|baz|quux)@mydomain\.com/

You can also use variables in milter-regex to easily re-use complex
expressions. I can heartily recommend it.

-Ralph

Re: silent drop from sender *unless* to...

Jonathan Engbrecht
Thanks all.  Looks like I can mostly do this with restriction classes, though the drop ends up being a 5xx reject rather than a silent drop, which is a bit too bad.

tester = check_recipient_access hash:/etc/postfix/maps/privileged_recipients, reject

Being able to use "discard" here would be great, but doesn't appear to be possible.


Re: silent drop from sender *unless* to...

Noel Jones-2
On 12/4/2019 1:55 PM, Jonathan Engbrecht wrote:

> thanks all.  Looks like I can mostly do this with restriction
> classes, though the drop ends up being a 5xx reject rather than a
> silent drop, which is a bit too bad.
>
> tester = check_recipient_access
> hash:/etc/postfix/maps/privileged_recipients, reject
>
> being able to use "discard" here would be great, but doesn't appear
> to be possible

You can use static:discard there.

Caution: discard is a permanent action that loses data; use
sparingly.  Reject is almost always more appropriate.



   -- Noel Jones
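
Added example, not part of the thread and not the posters' own configuration: the restriction class from the message above with `static:discard` in place of `reject`, wired to a sender lookup. The class name `tester` and the `privileged_recipients` map come from the thread; the `test_senders` file name, the map contents, and the assumption of Postfix 2.10 or later (relay control in `smtpd_relay_restrictions`) are illustrative.

```cfg
# /etc/postfix/main.cf
# Assumes Postfix 2.10+, where relay control is handled separately by
# smtpd_relay_restrictions and is left at its default here.
smtpd_restriction_classes = tester

# Class applied only to the restricted sender: privileged recipients are
# permitted; any other recipient is accepted at SMTP time and then
# silently discarded instead of receiving a 5xx reject.
tester =
    check_recipient_access hash:/etc/postfix/maps/privileged_recipients,
    check_recipient_access static:discard

# Map the envelope sender to the class. Senders not listed in the map
# fall through and are handled as usual.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/maps/test_senders

# /etc/postfix/maps/test_senders  (hypothetical file name)
# envelope sender -> restriction class
foo@example.com     tester

# /etc/postfix/maps/privileged_recipients
# envelope recipients that still receive mail from the sender above
bar@mydomain.com    OK
baz@mydomain.com    OK
quux@mydomain.com   OK

# After editing either map, rebuild its index:
#   postmap /etc/postfix/maps/test_senders
#   postmap /etc/postfix/maps/privileged_recipients
```

Per access(5), a DISCARD result affects all recipients of the message, so one non-privileged recipient on a multi-recipient message causes the whole message to be dropped, including the copies for privileged recipients. The discarded message is reported to the sender as delivered, so check the Postfix log for the discard entries when verifying the rule.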

Re: silent drop from sender *unless* to...

Jonathan Engbrecht
static:discard is exactly what I needed.  Thanks.

This isn't a production system and we're just using this for testing a new application where we don't want users that aren't part of the test receiving email until we're ready to go live.


Re: silent drop from sender *unless* to...

Noel Jones-2
On 12/5/2019 9:31 AM, Jonathan Engbrecht wrote:
> static:discard is exactly what I needed.  Thanks.
>
> This isn't a production system and we're just using this for testing
> a new application where we don't want users that aren't part of the
> test receiving email until we're ready to go live.
>


For a closed test environment, you can tell postfix to discard any
mail that doesn't have a predefined delivery path.

# main.cf
default_transport = discard


http://www.postfix.org/ADDRESS_CLASS_README.html



   -- Noel Jones

