smtpd_data_restrictions vs header_checks (sequence of execution)

 

This works too well

It also remove the custom header that I just added.

 

It seems that "smtpd_data_restrictions" is execute before header_checks step.

 

Any advise will be appreciated

 

Thanks and have a nice day

Eddy

Eddy Beliveau wrote:
Right, smtpd_*_restrictions happen before header/body checks
(with the exception of smtpd_end_of_data_restrictions which
can't add headers).

Some alternate choices, there may be others:
- have your smtp proxy use some default (restricted?) behavior
in the presence of multiple privilege headers.
- have postfix remove forged headers and convince amavisd-new
to add what you need.
- have the pre-amavis postfix remove forged headers, and the
post-amavis postfix add your headers.  This would require
either multiple postfix instances, or defining multiple
cleanup services in master.cf.

--
Noel Jones

>> Eddy Beliveau wrote:
>>Objet : Re: smtpd_data_restrictions vs header_checks (sequence of
>>execution)
...cut...
>> smtpd_data_restrictions =
>>         check_sender_access   ldap:ldap_add_header
>>  ldap_add_header_query_filter = (mail=%s)
>> ...cut...
>> ldap_add_header_result_attribute = privileges
>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
>>  But, I also want to be sure to remove any forged similar header
>>  so, I added this rule to my header_checks file:
>> /^X-Sender-Privileges:/                        IGNORE
...cut...
>> It seems that "smtpd_data_restrictions" is execute before header_checks
>> step.

"Noel Jones" <[hidden email]> replies:
> Right, smtpd_*_restrictions happen before header/body checks (with the
> exception of smtpd_end_of_data_restrictions which can't add headers).
>  ...cut...
> - have the pre-amavis postfix remove forged headers, and the post-amavis
> postfix add your headers.  This would require either multiple postfix
> instances, or defining multiple cleanup services in master.cf.


Hi! Noel,

Many thanks for your reply.

Currently, emails received by postfix (port 25) are passed to smtp-amavis
(127.0.0.1:10024)
which passed them back to postfix (127.0.0.1:10025) for final delivery with
lmtp/smtp

Here is a part of my current master.cf said:
smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings

cleanup   unix  n       -       n       -       0       cleanup
lmtp      unix  -       -       n       -       -       lmtp
smtp      unix  -       -       n       -       -       smtp

smtp-amavis unix -   -      n         -  10 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookup=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o
receive_override_options=no_unknown_recipient_checks,no_header_body_checks

My current header_checks file contains:
/^X-Sender-Privileges:/                        IGNORE


I like your multiple cleanup solution.
Do you mean the following:

smtp      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings
        -o cleanup_service_name=pre-cleanup
        -o smtpd_data_restrictions=

pre-cleanup  unix n     -       n       -       0       cleanup

cleanup   unix  n       -       n       -       0       cleanup
       -o header_checks=

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
##    -o smtpd_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o
receive_override_options=no_unknown_recipient_checks,no_header_body_checks

Thanks again,
Eddy

Eddy Beliveau wrote: ...
> My current header_checks file contains:
> /^X-Sender-Privileges:/                        IGNORE
>
>
> I like your multiple cleanup solution.
> Do you mean the following:

Now that I think about it a little more, since you're using
no_header_body_checks on the post-amavisd postfix
127.0.0.1:10025 all you need to do is tell
smtpd_data_restrictions on the post-amavisd postfix to add
your header.  The IGNORE header check won't be run a second time.

This means you don't need to mess with the
cleanup_service_name overrides or multiple cleanup services,
making it just a little simpler.

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o in_flow_delay=0
    -o
receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o
smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

--
Noel Jones

Many thanks for your reply.

I will try it next tuesday and give a follow-up

Thanks
Eddy
----- Message d'origine -----
De : "Noel Jones" <[hidden email]>
À : <[hidden email]>
Envoyé : 2 mai 2008 16:30
Objet : Re: smtpd_data_restrictions vs header_checks (sequence of execution)