smtpd_data_restrictions vs header_checks (sequence of execution)


smtpd_data_restrictions vs header_checks (sequence of execution)

Eddy Beliveau
Hi! Networkers,
 
I'm using Postfix 2.5.1 (+amavisd-new) successfully on my academic server.
 
This server is reserved for authenticated senders only.
 
I need to add a custom header to every email received.
This custom header will be read later by some smtpproxy process.
 
So, in main.cf, I added:
 
smtpd_data_restrictions =
        check_sender_access   ldap:ldap_add_header
 
ldap_add_header_query_filter = (mail=%s)
...cut...
ldap_add_header_result_attribute = privileges
ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
 
 
But I also want to be sure to remove any forged similar header,
 
so I added this rule to my header_checks file:
/^X-Sender-Privileges:/                        IGNORE
 
This works too well:
It also removes the custom header that I just added.
 
It seems that "smtpd_data_restrictions" is executed before the header_checks step.
 
Any advice will be appreciated.
 
Thanks and have a nice day
Eddy


Re: smtpd_data_restrictions vs header_checks (sequence of execution)

Noel Jones-2
Eddy Beliveau wrote:

> Hi! Networkers,
>  
> I'm using Postfix 2.5.1 (+amavisd-new) successfully on my academic server.
>  
> This server is reserved for authenticated senders only.
>  
> I need to add a custom header to every email received.
> This custom header will be read later by some smtpproxy process.
>  
> So, in main.cf, I added:
>  
> smtpd_data_restrictions =
>         check_sender_access   ldap:ldap_add_header
>  
> ldap_add_header_query_filter = (mail=%s)
> ...cut...
> ldap_add_header_result_attribute = privileges
> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>  
>  
> But I also want to be sure to remove any forged similar header,
>  
> so I added this rule to my header_checks file:
> /^X-Sender-Privileges:/                        IGNORE
>  
> This works too well:
> It also removes the custom header that I just added.
>  
> It seems that "smtpd_data_restrictions" is executed before the header_checks
> step.
>  
> Any advice will be appreciated.
>  
> Thanks and have a nice day
> Eddy
>

Right, smtpd_*_restrictions happen before header/body checks
(with the exception of smtpd_end_of_data_restrictions which
can't add headers).

Some alternate choices, there may be others:
- have your smtp proxy use some default (restricted?) behavior
in the presence of multiple privilege headers.
- have postfix remove forged headers and convince amavisd-new
to add what you need.
- have the pre-amavis postfix remove forged headers, and the
post-amavis postfix add your headers.  This would require
either multiple postfix instances, or defining multiple
cleanup services in master.cf.

--
Noel Jones

Re: smtpd_data_restrictions vs header_checks (sequence of execution)

Eddy Beliveau
>> Eddy Beliveau wrote:
>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of execution)
...cut...
>> smtpd_data_restrictions =
>>         check_sender_access   ldap:ldap_add_header
>>  ldap_add_header_query_filter = (mail=%s)
>> ...cut...
>> ldap_add_header_result_attribute = privileges
>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>>  But, I also want to be sure to remove any forged similar header
>>  so, I added this rule to my header_checks file:
>> /^X-Sender-Privileges:/                        IGNORE
...cut...
>> It seems that "smtpd_data_restrictions" is executed before the header_checks
>> step.

"Noel Jones" <[hidden email]> replies:
> Right, smtpd_*_restrictions happen before header/body checks (with the
> exception of smtpd_end_of_data_restrictions which can't add headers).
>  ...cut...
> - have the pre-amavis postfix remove forged headers, and the post-amavis
> postfix add your headers.  This would require either multiple postfix
> instances, or defining multiple cleanup services in master.cf.


Hi! Noel,

Many thanks for your reply.

Currently, emails received by postfix (port 25) are passed to smtp-amavis
(127.0.0.1:10024), which passes them back to postfix (127.0.0.1:10025) for
final delivery with lmtp/smtp.

Here is a part of my current master.cf:
smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings

cleanup   unix  n       -       n       -       0       cleanup
lmtp      unix  -       -       n       -       -       lmtp
smtp      unix  -       -       n       -       -       smtp

smtp-amavis unix -   -      n         -  10 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookup=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

My current header_checks file contains:
/^X-Sender-Privileges:/                        IGNORE


I like your multiple cleanup solution.
Do you mean the following:

smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings
        -o cleanup_service_name=pre-cleanup
        -o smtpd_data_restrictions=

pre-cleanup  unix n     -       n       -       0       cleanup

cleanup   unix  n       -       n       -       0       cleanup
       -o header_checks=

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
##    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

Thanks again,
Eddy


Re: smtpd_data_restrictions vs header_checks (sequence of execution)

Noel Jones-2
Eddy Beliveau wrote:

>>> Eddy Beliveau wrote:
>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
>>> execution)
> ...cut...
>>> smtpd_data_restrictions =
>>>         check_sender_access   ldap:ldap_add_header
>>>  ldap_add_header_query_filter = (mail=%s)
>>> ...cut...
>>> ldap_add_header_result_attribute = privileges
>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>>>  But, I also want to be sure to remove any forged similar header
>>>  so, I added this rule to my header_checks file:
>>> /^X-Sender-Privileges:/                        IGNORE
> ...cut...
>>> It seems that "smtpd_data_restrictions" is executed before the
>>> header_checks step.
>
> "Noel Jones" <[hidden email]> replies:
>> Right, smtpd_*_restrictions happen before header/body checks (with the
>> exception of smtpd_end_of_data_restrictions which can't add headers).
>>  ...cut...
>> - have the pre-amavis postfix remove forged headers, and the
>> post-amavis postfix add your headers.  This would require either
>> multiple postfix instances, or defining multiple cleanup services in
>> master.cf.
>
>
> Hi! Noel,
>
> Many thanks for your reply.
>
> Currently, emails received by postfix (port 25) are passed to
> smtp-amavis (127.0.0.1:10024)
> which passed them back to postfix (127.0.0.1:10025) for final delivery
> with lmtp/smtp
>
...
> My current header_checks file contains:
> /^X-Sender-Privileges:/                        IGNORE
>
>
> I like your multiple cleanup solution.
> Do you mean the following:

Now that I think about it a little more, since you're using
no_header_body_checks on the post-amavisd postfix
127.0.0.1:10025 all you need to do is tell
smtpd_data_restrictions on the post-amavisd postfix to add
your header.  The IGNORE header check won't be run a second time.

This means you don't need to mess with the
cleanup_service_name overrides or multiple cleanup services,
making it just a little simpler.

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

--
Noel Jones
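The ordering Noel describes, modelled as an added example that is not code from this thread or from Postfix itself: smtpd_data_restrictions PREPENDs before cleanup(8) runs header_checks, so a single instance strips its own header, while the content_filter layout (IGNORE on port 25, PREPEND on the 10025 smtpd that runs with no_header_body_checks) keeps exactly one trusted header. The sender addresses and the LDAP privilege value are constructed stand-ins for the ldap_add_header lookup.

```python
import re

# Constructed sample: a client-submitted message carrying a forged privilege
# header. Headers are modelled as (name, value) pairs; the body is ignored.
CLIENT_HEADERS = [
    ("From", "alice@example.edu"),
    ("X-Sender-Privileges", "admin"),   # forged by the client
    ("Subject", "hello"),
]
# The header_checks rule from the thread: drop any X-Sender-Privileges header.
# Postfix regexp tables match case-insensitively by default, hence re.I.
HEADER_CHECKS = [(re.compile(r"^X-Sender-Privileges:", re.I), "IGNORE")]
# Assumed result of the check_sender_access LDAP lookup (the map itself is
# not modelled); an unknown sender gets no header at all.
LDAP_PRIVILEGES = {"alice@example.edu": "student"}


def smtpd_data_prepend(headers, sender):
    """smtpd_data_restrictions PREPEND: the new header goes on top of the
    message before cleanup(8) ever sees it."""
    priv = LDAP_PRIVILEGES.get(sender)
    if priv is None:
        return list(headers)
    return [("X-Sender-Privileges", priv)] + list(headers)


def cleanup_header_checks(headers, rules):
    """cleanup(8) header_checks: every header line, including one PREPENDed
    by smtpd(8), is matched; an IGNORE match silently removes the line."""
    kept = []
    for name, value in headers:
        line = f"{name}: {value}"
        if any(pat.match(line) and act == "IGNORE" for pat, act in rules):
            continue
        kept.append((name, value))
    return kept


def single_instance(headers, sender):
    """Eddy's first setup: PREPEND on port 25, then header_checks."""
    return cleanup_header_checks(smtpd_data_prepend(headers, sender), HEADER_CHECKS)


def filtered_pipeline(headers, sender):
    """Noel's final setup: port 25 runs header_checks only; the post-amavis
    smtpd on 127.0.0.1:10025 PREPENDs with no_header_body_checks in effect
    (amavisd-new is assumed to hand the message back unchanged)."""
    after_port_25 = cleanup_header_checks(headers, HEADER_CHECKS)
    return smtpd_data_prepend(after_port_25, sender)


def privilege_headers(headers):
    """Values of all X-Sender-Privileges headers left in the message."""
    return [v for n, v in headers if n.lower() == "x-sender-privileges"]
```

The second layout only holds because the 10025 smtpd does not re-run header_checks; drop no_header_body_checks from its receive_override_options and the trusted header is stripped again.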

Re: smtpd_data_restrictions vs header_checks (sequence of execution)

Eddy Beliveau
Many thanks for your reply.

I will try it next Tuesday and give a follow-up.

Thanks
Eddy
----- Original Message -----
From: "Noel Jones" <[hidden email]>
To: <[hidden email]>
Sent: 2 May 2008 16:30
Subject: Re: smtpd_data_restrictions vs header_checks (sequence of execution)


> Eddy Beliveau wrote:
>>>> Eddy Beliveau wrote:
>>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
>>>> execution)
>> ...cut...
>>>> smtpd_data_restrictions =
>>>>         check_sender_access   ldap:ldap_add_header
>>>>  ldap_add_header_query_filter = (mail=%s)
>>>> ...cut...
>>>> ldap_add_header_result_attribute = privileges
>>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>>>>  But, I also want to be sure to remove any forged similar header
>>>>  so, I added this rule to my header_checks file:
>>>> /^X-Sender-Privileges:/                        IGNORE
>> ...cut...
>>>> It seems that "smtpd_data_restrictions" is executed before the header_checks
>>>> step.
>>
>> "Noel Jones" <[hidden email]> replies:
>>> Right, smtpd_*_restrictions happen before header/body checks (with the
>>> exception of smtpd_end_of_data_restrictions which can't add headers).
>>>  ...cut...
>>> - have the pre-amavis postfix remove forged headers, and the post-amavis
>>> postfix add your headers.  This would require either multiple postfix
>>> instances, or defining multiple cleanup services in master.cf.
>>
>>
>> Hi! Noel,
>>
>> Many thanks for your reply.
>>
>> Currently, emails received by postfix (port 25) are passed to smtp-amavis
>> (127.0.0.1:10024)
>> which passed them back to postfix (127.0.0.1:10025) for final delivery
>> with lmtp/smtp
>>
> ...
>> My current header_checks file contains:
>> /^X-Sender-Privileges:/                        IGNORE
>>
>>
>> I like your multiple cleanup solution.
>> Do you mean the following:
>
> Now that I think about it a little more, since you're using
> no_header_body_checks on the post-amavisd postfix 127.0.0.1:10025 all you
> need to do is tell smtpd_data_restrictions on the post-amavisd postfix to
> add your header.  The IGNORE header check won't be run a second time.
>
> This means you don't need to mess with the cleanup_service_name overrides
> or multiple cleanup services, making it just a little simpler.
>
> 127.0.0.1:10025 inet n  -       n       -       -  smtpd
>    -o content_filter=
>    -o local_recipient_maps=
>    -o relay_recipient_maps=
>    -o smtpd_restriction_classes=
>    -o smtpd_client_restrictions=
>    -o smtpd_helo_restrictions=
>    -o smtpd_sender_restrictions=
>    -o smtpd_recipient_restrictions=permit_mynetworks,reject
>    -o mynetworks=127.0.0.0/8
>    -o mynetworks_style=host
>    -o strict_rfc821_envelopes=yes
>    -o in_flow_delay=0
>    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>    -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf
>
> --
> Noel Jones