Re: smtpd_data_restrictions vs header_checks (sequence of execution)

From: Eddy Beliveau (no email)
Date: Fri May 02 2008 - 16:57:40 EDT


    Many thanks for your reply.

    I will try it next Tuesday and give a follow-up

    Thanks
    Eddy
    ----- Original Message -----
    From: "Noel Jones" <>
    To: <>
    Sent: May 2, 2008 16:30
    Subject: Re: smtpd_data_restrictions vs header_checks (sequence of execution)

    > Eddy Beliveau wrote:
    >>>> Eddy Beliveau wrote:
    >>>> Subject: Re: smtpd_data_restrictions vs header_checks (sequence of
    >>>> execution)
    >> ...cut...
    >>>> smtpd_data_restrictions =
    >>>>   check_sender_access ldap:ldap_add_header
    >>>> ldap_add_header_query_filter = (mail=%s)
    >>>> ...cut...
    >>>> ldap_add_header_result_attribute = privileges
    >>>> ldap_add_header_result_format = PREPEND X-Sender-Privileges: %s
    >>>> But, I also want to be sure to remove any forged similar header
    >>>> so, I added this rule to my header_checks file:
    >>>> /^X-Sender-Privileges:/ IGNORE
    >> ...cut...
    >>>> It seems that "smtpd_data_restrictions" is executed before the
    >>>> header_checks step.
    >>
    >> "Noel Jones" <> replies:
    >>> Right, smtpd_*_restrictions happen before header/body checks (with the
    >>> exception of smtpd_end_of_data_restrictions which can't add headers).
    >>> ...cut...
    >>> - have the pre-amavis postfix remove forged headers, and the post-amavis
    >>> postfix add your headers. This would require either multiple postfix
    >>> instances, or defining multiple cleanup services in master.cf.
    >>
    >>
    >> Hi! Noel,
    >>
    >> Many thanks for your reply.
    >>
    >> Currently, emails received by postfix (port 25) are passed to smtp-amavis
    >> (127.0.0.1:10024)
    >> which passes them back to postfix (127.0.0.1:10025) for final delivery
    >> with lmtp/smtp
    >>
    > ...
    >> My current header_checks file contains:
    >> /^X-Sender-Privileges:/ IGNORE
    >>
    >>
    >> I like your multiple cleanup solution.
    >> Do you mean the following:
    >
    > Now that I think about it a little more, since you're using
    > no_header_body_checks on the post-amavisd postfix 127.0.0.1:10025 all you
    > need to do is tell smtpd_data_restrictions on the post-amavisd postfix to
    > add your header. The IGNORE header check won't be run a second time.
    >
    > This means you don't need to mess with the cleanup_service_name overrides
    > or multiple cleanup services, making it just a little simpler.
    >
    > 127.0.0.1:10025 inet n - n - - smtpd
    >   -o content_filter=
    >   -o local_recipient_maps=
    >   -o relay_recipient_maps=
    >   -o smtpd_restriction_classes=
    >   -o smtpd_client_restrictions=
    >   -o smtpd_helo_restrictions=
    >   -o smtpd_sender_restrictions=
    >   -o smtpd_recipient_restrictions=permit_mynetworks,reject
    >   -o mynetworks=127.0.0.0/8
    >   -o mynetworks_style=host
    >   -o strict_rfc821_envelopes=yes
    >   -o in_flow_delay=0
    >   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    >   -o smtpd_data_restrictions=check_sender_access,ldap:/etc/postfix/add_my_header.cf
    >
    > --
    > Noel Jones
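
The ordering discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a small Python model of the two stages, showing why PREPEND plus IGNORE on one instance drops the trusted header, while IGNORE before amavis and PREPEND on 127.0.0.1:10025 keeps only the trusted one. The function names, the PRIVILEGES table (standing in for the LDAP lookup) and the sample message are constructed assumptions.

```python
import re

# Constructed model of the mail flow in this thread; all names are hypothetical.
HEADER_CHECKS = [(re.compile(r"^X-Sender-Privileges:", re.I), "IGNORE")]
PRIVILEGES = {"alice@example.com": "staff"}  # stands in for the LDAP result

def smtpd_stage(sender, headers, prepend):
    """smtpd_data_restrictions: PREPEND happens before content is received."""
    if prepend and sender in PRIVILEGES:
        return ["X-Sender-Privileges: " + PRIVILEGES[sender]] + list(headers)
    return list(headers)

def cleanup_stage(headers, checks):
    """cleanup: header_checks see every header, prepended ones included."""
    # An empty 'checks' list models receive_override_options=no_header_body_checks.
    return [h for h in headers
            if not any(rx.search(h) and action == "IGNORE"
                       for rx, action in checks)]

def single_pass(sender, headers):
    """Original setup: PREPEND and IGNORE both on the port-25 instance."""
    return cleanup_stage(smtpd_stage(sender, headers, True), HEADER_CHECKS)

def two_pass(sender, headers):
    """Layout from the reply: IGNORE before amavis, PREPEND after it."""
    pre = cleanup_stage(smtpd_stage(sender, headers, False), HEADER_CHECKS)
    # amavis (127.0.0.1:10024) would scan the message here and re-inject it.
    return cleanup_stage(smtpd_stage(sender, pre, True), [])

def privileges(headers):
    """Values of every X-Sender-Privileges header left on the message."""
    return [h.split(":", 1)[1].strip() for h in headers
            if h.lower().startswith("x-sender-privileges:")]

# Constructed sample: a message arriving with a forged privilege header.
FORGED = ["X-Sender-Privileges: admin", "Subject: hello"]

if __name__ == "__main__":
    print("single pass:", privileges(single_pass("alice@example.com", FORGED)))
    print("two pass:   ", privileges(two_pass("alice@example.com", FORGED)))
```

A useful acceptance test for the real configuration is the same one the model encodes: a message submitted with a forged X-Sender-Privileges header must be delivered with exactly one such header, carrying the directory's value, or with none for senders that have no entry.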

