From: Michael Tokarev (no email)
Date: Sat Jun 01 2002 - 19:15:28 EDT
Rocco Rutte wrote:
>
> Hi,
>
> I've looked through documentation and still have a question.
> What I need is a mixture of header_checks and access(5).
>
> Read: I'd like to only accept a mail for a local recipient
> (which is an alias in /etc/aliases, if that matters) if the
> mail was sent by one specific host and contains one specific
> header.

Any and all content checks in Postfix (header and body checks)
cannot be turned on or off selectively (only by using tricky methods
with several cleanup daemons and a different MX on a per-domain basis).
There is no *logical* way to do that: the big question is what
to do with multi-recipient mails.

> The problem (at least for me) is that the allowed
> client IP and the allowed value of the header differ from
> recipient to recipient -- for some there're also no
> restrictions.
>
> I thought of something like:
>
> /etc/postfix/access:
> user1@ hash:/etc/postfix/user1-access
> regexp:/etc/postfix/user1-regexp
> user2@ hash:/etc/postfix/user2-access
> regexp:/etc/postfix/user2-regexp
>
> /etc/postfix/user1-access:
> ip OK
> REJECT
>
> /etc/postfix/user1-regexp:
> /.../ OK
> REJECT
>
> Is that possible? If not, how to define individual access
> restrictions per local recipient?

Concerning headers, no, it is not possible. As for allowing
IPs etc. (envelope information), yes, it is possible, but
if you have many users, it will be difficult (the per-user UCE
restrictions patch may help here; read the Postfix addons
page for it). The idea is as follows:

main.cf:
  smtpd_restriction_classes = user1, user2, ...
  smtpd_recipient_restrictions = ...,
     reject_unauth_destination,
     ...,
     check_recipient_access hash:recipients
  user1 = check_client_access hash:user1_clients, reject
  user2 = check_client_access hash:user2_clients, reject
  ...

recipients:
  user1
  user2
  ...

user1_clients:
  10.0.0.1 OK
  10.0.1.1 OK

user2_clients:
  10.0.0.2 OK
  10.0.1.2 OK
  ...

For that (maybe huge) amount of maps, you'd better use
either a pcre/regex map (which will not require more file descriptors),
or my fnmatch map, with which the above can be written in a
shorter form:

main.cf:
  smtpd_restriction_classes = user1, user2, ...
  smtpd_recipient_restrictions = ...,
     reject_unauth_destination,
     ...,
     check_recipient_access hash:recipients
  user1 = check_client_access fnmatch:10.0.0.1|10.0.1.1:OK, reject
  user2 = check_client_access fnmatch:10.0.0.2|10.0.1.2:OK, reject
  ...

recipients:
  user1
  user2
  ...

> What I'd like to know,
> too, is if there's a way to forward the rejected mails to
> another account for approval.

No. For this, you'd use content_filter (where you, in fact,
may do ALL those checks including headers).

/mjt
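
Added example, not part of the original message and not Postfix code: a simplified Python model of the restriction-class configuration in the reply, showing that the decision is made once per RCPT TO, so a single transaction can have some recipients accepted and others rejected. The example.com/example.org addresses and all function names are assumptions; the model starts after reject_unauth_destination has already passed.

```python
# Simplified model of the restriction-class setup above; not Postfix code.
# Constructed sample data: the example.com/example.org addresses are assumptions.
RECIPIENTS = {                      # check_recipient_access hash:recipients
    "user1@example.com": "user1",   # right-hand side names a restriction class
    "user2@": "user2",              # access(5) "user@" form: any domain
}
CLIENT_MAPS = {                     # hash:user1_clients, hash:user2_clients
    "user1": {"10.0.0.1": "OK", "10.0.1.1": "OK"},
    "user2": {"10.0.0.2": "OK", "10.0.1.2": "OK"},
}


def lookup_recipient(rcpt):
    """Try the full address, then the 'localpart@' key (domain keys omitted)."""
    rcpt = rcpt.lower()
    local = rcpt.split("@", 1)[0]
    return RECIPIENTS.get(rcpt) or RECIPIENTS.get(local + "@")


def rcpt_decision(client_ip, rcpt):
    """Decision for ONE RCPT TO command (exact client IP match only)."""
    cls = lookup_recipient(rcpt)
    if cls is None:
        return "permit"             # no map entry: end of list, default permit
    # Class body: "check_client_access <map>, reject"
    if CLIENT_MAPS[cls].get(client_ip) == "OK":
        return "permit"
    return "reject"                 # the trailing "reject" in the class


def smtp_session(client_ip, recipients):
    """Each recipient gets its own verdict, before any DATA is sent."""
    return {r: rcpt_decision(client_ip, r) for r in recipients}


if __name__ == "__main__":
    # Constructed session: one client, three recipients in one transaction.
    verdicts = smtp_session("10.0.0.1", ["user1@example.com",
                                         "user2@example.org",
                                         "other@example.com"])
    for rcpt, verdict in verdicts.items():
        print(f"{rcpt:22} {verdict}")
```

Header checks have no equivalent of this per-recipient verdict: they see the message once, after all recipients have been accepted, which is the multi-recipient problem the reply describes.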