How to block attachments on incoming mails only using Postfix?

I will rewrite your question become:

How can I use different _header_checks for smtpd (port 25) and submission (port 587)?

This canonical problem can be divided with several conditions

1. I want turn off header_checks for one of smtpd or submission.
2. I want to run different header_checks for smtpd and submission.

1. I want turn off header_checks for one of smtpd or submission.

For the example I assume that you want to turn off the header_checks for submission (outgoing email).

Solution 1: receive_override_options method

You can use postfix parameter called receive_override_options. With the parameter you can override global header_check switch, so the filter won't run. #main.cf header_checks = pcre:/path/to/header_checks

#master.cf
submission inet n       -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks

Caveats: this will turn off ALL _header_checks and body_checks defined in man 5 header_checks. For the completed control which parameter that will be turned off, see Solution 2.

Solution 2: Multiple cleanup service method

We can multiple-cleanup-service technique for your problem as *_header_checks was performed by cleanup service. You can see the example of this setup in amavisd-new tutorial.

The magic parameter for this configuration is cleanup_service_name. With this parameter, we can use different cleanup service for each smtpd process. First we define one additional cleanup service (called no-headerchecks) in master.cf

no-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=

In this cleanup, we define empty mime_header_checks to disable filtering. The last step is tell submission service to use our no-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=no-headerchecks 

2. I want to run different header_checks for smtpd and submission.

For this problem you can use multiple cleanup service method as described above.

First we define one additional cleanup service (called second-headerchecks) in master.cf

second-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=pcre:/path/to/2ndheaderchecks

In this cleanup, we define second mime_header_checks to other PCRE table. The last step is tell submission service to use our second-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=second-headerchecks

Note:

• Your case looks similar with this question. Unfortunately the answer from Laurentiu Roescu only works if you want enable header_checks for outgoing mail that use smtp as transport. The good news is his first sentence about cleanup daemon gives us some idea for second solution.

• Multiple cleanup service method can be applied if you want different header_checks, body_checks and other parameters defined in man 5 header_checks.

in /etc/postfix/master.cf, not /etc/postfix/main.cf, add (nb must be tabbed spaces):

second-headerchecks unix    n   -   n   -   0   cleanup
    -o mime_header_checks=pcre:/etc/postfix/2ndheaderchecks
submission inet n   -   n   -   -   smtpd
    -o cleanup_service_name=second-headerchecks
#
first-headerchecks unix n   -   n   -   0   cleanup
    -o mime_header_checks=pcre:/etc/postfix/1stheaderchecks
smtp inet n -   n   -   -   smtpd
    -o cleanup_service_name=first-headerchecks
#

create /etc/postfix/1stheaderchecks, which in this case is to block incoming zip files, then create the .db file:

/name=[^>]*\.zip/ REJECT security issue - please contact....by phone

then create /etc/postfix/2ndtheaderchecks, to allow outgoing attachments (and create the .db file):

# this file being 2ndheaderchecks allows for the sending of zip etc files which otherwise might be blocked
# ie all files can be sent aside from .128 files...I didn't want to leave it blank as was not sure if that would work
/name=[^>]*\.128/ REJECT