From: Paul Gardiner (no email)
Date: Wed Dec 01 2004 - 11:57:44 EST
> From: "Ean Kingston" <>
> > -----Original Message-----
> > From: Paul Gardiner [mailto:]
> > Sent: Wednesday, December 01, 2004 10:56 AM
> > To: Ean Kingston
> > Subject: Re: Finer control of header_checks
> >
> > > From: "Ean Kingston" <>
> > > > From: Paul Gardiner [mailto:]
> > > > Sent: Wednesday, December 01, 2004 8:51 AM
> > > > To: Postfix users
> > > > Subject: Re: Finer control of header_checks
> > > >
> > > [cut]
> > > > Is it possible to have the detection of one header force
> > > > acceptance of others that you would normally reject?
> > >
> > > Yes, the first 'OK' (as opposed to 'DUNNO', 'REJECT', ...) will be
> > > obeyed and no further checks (in that section) are done. If you have
> > > more than one of the smtpd_*_restrictions in your main.cf I think you
> > > need to include the override at the top of each.
> >
> > That would be great, but I worry it's not true, since I found this
> > in the docs:
> >
> > "For backwards compatibility reasons, Postfix also
> > accepts OK but it is (and always has been) treated
> > as DUNNO."
> >
> > Have you ever tried using OK in that way?
>
> You're right. I don't have any filters that work that way but I did make
> a quick test and it looks like the OK didn't work the way I thought it
> did.
That's a shame.
> I have found that you can do some short-circuiting of filtering, though.
> For instance, I've got:
>
> My_networks = 192.168....
>
> Smtp_*_restrictions = permit_mynetworks, ..., \
> check_sender_access dbm:sender_access
>
> and I found that if I send from within my network I can send from any
> address including those prevented in sender_access.
>
> This isn't what you wanted but there is some limited ability to bypass
> restrictions.
That's close, but I think the header_checks are done by cleanup, so I'm not
sure I can shortcut them in this way.
> Out of curiosity, what exactly are you trying to use to bypass on?
I'm intending to introduce a "before queue" spam filter (probably using spampd).
I want to reject the spam using the header_checks facility (assuming that the reject
will work its way back through postfix, without turning into a bounce, which it
looks as though it will). But I have some email coming in via fetchmail, and I
don't want to reject that, because it will just mount up on my ISP's POP server.
I'm happy to have that come in and keep it in separate mail boxes.
> Since
> all headers can be faked by a sender, there isn't much left in the
> headers to trust.
That worries me a bit, but I think I'm ok. If someone fakes a positive Spam
header, then they deserve to have the email rejected. And faking of the header
generated by fetchmail is unlikely.
Thanks for your interest. I need all the help I can get.
Cheers,
Paul.
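
Added example, not part of the original thread and not Postfix code: a small Python model of the behaviour discussed above, where header_checks looks up each header line on its own and OK is treated as DUNNO, so a match on the fetchmail header cannot exempt a later spam header from REJECT. The rule patterns, sample headers and function names are constructed for illustration.

```python
import re

# Constructed header_checks-style table: for each header line, the first
# matching pattern decides the action for that line only.
RULES = [
    (re.compile(r"^Received:.*\bfetchmail\b", re.I), "OK"),   # attempted whitelist
    (re.compile(r"^X-Spam-Flag:\s*YES", re.I), "REJECT"),     # spam filter verdict
]


def check_line(line, rules=RULES):
    """Return the effective action for one logical header line."""
    for pattern, action in rules:
        if pattern.search(line):
            # Per the documentation quoted in the thread, OK is accepted
            # but treated as DUNNO (as if nothing had matched).
            return "DUNNO" if action == "OK" else action
    return "DUNNO"  # no pattern matched this line


def check_message(headers, rules=RULES):
    """Look up every header line independently; a DUNNO on one line does
    not stop the lookup for the next line, and one REJECT rejects the mail."""
    for line in headers:
        if check_line(line, rules) == "REJECT":
            return "REJECT"
    return "ACCEPT"


# Constructed sample: spam-tagged mail that arrived via fetchmail.
FETCHED_SPAM = [
    "Received: from pop.isp.example by localhost with POP3 (fetchmail-6.2.5)",
    "X-Spam-Flag: YES",
    "Subject: constructed sample",
]

# Constructed sample: untagged mail that arrived via fetchmail.
FETCHED_HAM = [
    "Received: from pop.isp.example by localhost with POP3 (fetchmail-6.2.5)",
    "Subject: constructed sample",
]

if __name__ == "__main__":
    print(check_message(FETCHED_SPAM))  # the OK on the Received line changes nothing
    print(check_message(FETCHED_HAM))
```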