Re: smtpd_data_restrictions vs header_checks (sequence of execution)

From: Noel Jones (no email)
Date: Fri May 02 2008 - 16:30:18 EDT


    Eddy Beliveau wrote:
    >>> Eddy Beliveau wrote:
    >>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
    >>> execution)
    > ...cut...
    >>> smtpd_data_restrictions =
    >>> check_sender_access ldap:ldap_add_header
    >>> ldap_add_header_query_filter = (mail=%s)
    >>> ...cut...
    >>> ldap_add_header_result_attribute = privileges
    >>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
    >>> But, I also want to be sure to remove any forged similar header
    >>> so, I added this rule to my header_checks file:
    >>> /^X-Sender-Privileges:/ IGNORE
    > ...cut...
    >>> It seems that "smtpd_data_restrictions" is executed before
    >>> header_checks step.
    >
    > "Noel Jones" <> replies:
    >> Right, smtpd_*_restrictions happen before header/body checks (with the
    >> exception of smtpd_end_of_data_restrictions which can't add headers).
    >> ...cut...
    >> - have the pre-amavis postfix remove forged headers, and the
    >> post-amavis postfix add your headers. This would require either
    >> multiple postfix instances, or defining multiple cleanup services in
    >> master.cf.
    >
    >
    > Hi! Noel,
    >
    > Many thanks for your reply.
    >
    > Currently, emails received by postfix (port 25) are passed to
    > smtp-amavis (127.0.0.1:10024)
    > which passes them back to postfix (127.0.0.1:10025) for final delivery
    > with lmtp/smtp
    >
    ...
    > My current header_checks file contains:
    > /^X-Sender-Privileges:/ IGNORE
    >
    >
    > I like your multiple cleanup solution.
    > Do you mean the following:

    Now that I think about it a little more, since you're using
    no_header_body_checks on the post-amavisd postfix
    127.0.0.1:10025 all you need to do is tell
    smtpd_data_restrictions on the post-amavisd postfix to add
    your header. The IGNORE header check won't be run a second time.

    This means you don't need to mess with the
    cleanup_service_name overrides or multiple cleanup services,
    making it just a little simpler.

    127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o mynetworks_style=host
        -o strict_rfc821_envelopes=yes
        -o in_flow_delay=0
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf

    -- 
    Noel Jones
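
The ordering discussed in this thread, as an added Python model (not part of the original message and not Postfix code): the smtpd PREPEND runs before cleanup's header_checks, so on a single pass the IGNORE rule also removes the added header, while stripping on port 25 and prepending on 127.0.0.1:10025 with no_header_body_checks leaves only the trusted one. The function names, sample headers and the "staff"/"admin" values are constructed for illustration.

```python
import re

# Model of the header_checks rule quoted in the thread (matching is case-insensitive).
HEADER_CHECKS = [(re.compile(r"^X-Sender-Privileges:", re.I), "IGNORE")]

def smtpd(headers, prepend=None):
    """smtpd stage: a PREPEND access-table result is added before cleanup runs."""
    return ([prepend] if prepend else []) + list(headers)

def cleanup(headers, no_header_body_checks=False):
    """cleanup stage: apply header_checks unless receive_override_options disables them."""
    if no_header_body_checks:
        return list(headers)
    return [h for h in headers
            if not any(rx.search(h) and action == "IGNORE"
                       for rx, action in HEADER_CHECKS)]

def single_instance(headers, trusted):
    # PREPEND and IGNORE on the same pass: the rule removes the added header too.
    return cleanup(smtpd(headers, prepend=trusted))

def two_pass(headers, trusted):
    # Port 25: no PREPEND, header_checks strips whatever the client supplied.
    pre = cleanup(smtpd(headers))
    # The content filter hands the message back unchanged in this model.
    # 127.0.0.1:10025: PREPEND runs, header checks are disabled.
    return cleanup(smtpd(pre, prepend=trusted), no_header_body_checks=True)

def privilege_headers(headers):
    """Return every X-Sender-Privileges header left in the message."""
    return [h for h in headers if h.lower().startswith("x-sender-privileges:")]

# Constructed sample headers, including one forged by the sending client.
SAMPLE = [
    "From: alice@example.com",
    "X-Sender-Privileges: admin",
    "Subject: test",
]
TRUSTED = "X-Sender-Privileges: staff"  # constructed stand-in for the LDAP result

if __name__ == "__main__":
    print("single instance:", privilege_headers(single_instance(SAMPLE, TRUSTED)))
    print("two pass:       ", privilege_headers(two_pass(SAMPLE, TRUSTED)))
```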
    
