Using postfix 2.9 on debian I have configured before-queue proxy filter for scanning of spam and viruses (smtpd_proxy_filter=127.0.0.1:27). I am using proxy filter and not content filter, so that I can directly reject the email (with after-queue content filter, I can only discard the email and optionally send backscatter to forged sender address).
I also want to use policy service to limit the number of sent emails per SASL username. This is configured in smtpd_recipient_restrictions just before permit_sasl_authenticated. The policy daemon works OK, but postfix complains that it cannot HOLD the email with this message:
warning: access table inet:127.0.0.1:10031: with smtpd_proxy_filter specified, action HOLD is unavailable
As per this thread, this is not directly possible:
To HOLD mail with smtpd_proxy_filter, specify the HOLD action with the smtpd process AFTER the filter.
I have tried that, however when I put the policy service on the smtpd daemon after the proxy filter (smtpd on port 26 in my case), it doesn't get any SASL information (confirmed with tcpdump).
smtpd :25 ---> before-queue proxy localhost:27 ---> smtpd localhost:26
So how can I combine these two checks?
EDIT: Maybe nested before-queue filters would work? Then I would need to use different program for the SASL checks, or make some filter/policy protocol rewriting...
Finally I have been able to come up with a solution which works fine, although it is a two-step approach.
First, I have modified the policy daemon (postfix cluebringer v2) configuration to return the PREPEND directive instead of HOLD. I am adding a special header, which will be evaluated later:
PREPEND X-cust-policy: Hold
This works even in combination with before-queue proxy filter.
Second, I used the directive header_checks = pcre:/etc/postfix/header_hold in the main.cf to check for my added header later. This check is evaluated by the cleanup(8) daemon before the mail enters the queue. So after the email is passed via all checks including policy daemon, it is passed through the before-queue filter and then it is processed by the cleanup(8) daemon. Normally it should put the message into the incoming queue, but when it finds this header, the mail is put directly into the hold queue.
Here is the contents of PCRE table file /etc/postfix/header_hold:
The only caveat is that the header-based check will also trigger on returned undeliverable mail (but it doesn't happen often that email released from hold queue will be bounced back).
Also I had to update cluebringer webui to support the PREPEND action for Quotas module, although the daemon itself supports it already (the version in Debian wheezy).
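The two-step approach described above, as an added example that is not part of the original post and is not cluebringer's code: a minimal decision function for the Postfix policy delegation protocol that answers PREPEND instead of HOLD once a SASL user exceeds a quota, plus a simulation of the later header check. The quota value, the simple counter without a time window, the sample request and the regular expression are assumptions; only the header name and the PREPEND action come from the post.

```python
import re
from collections import defaultdict

LIMIT = 3  # assumed quota per SASL user (constructed value, no time window)
HOLD_HEADER = "X-cust-policy: Hold"  # header taken from the post
# Assumed stand-in for the header_checks rule; the post's own table is not shown.
HOLD_RE = re.compile(r"^X-cust-policy:\s*Hold\s*$", re.IGNORECASE)


def parse_request(raw):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class QuotaPolicy:
    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.sent = defaultdict(int)  # recipients seen per sasl_username

    def decide(self, raw):
        attrs = parse_request(raw)
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            return "action=DUNNO\n\n"  # not authenticated: no opinion
        self.sent[user] += 1
        if self.sent[user] > self.limit:
            # HOLD is unavailable with smtpd_proxy_filter, so tag the mail.
            return f"action=PREPEND {HOLD_HEADER}\n\n"
        return "action=DUNNO\n\n"


def cleanup_queue(headers):
    """Simulate the header check: tagged mail goes to hold, the rest to incoming."""
    return "hold" if any(HOLD_RE.match(h) for h in headers) else "incoming"


def sample_request(user):
    # Constructed request with the attributes this example reads.
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"sasl_username={user}\nrecipient=rcpt@example.org\n\n")
```
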