Thank you, I will definitively look into it.

On Sun, Feb 17, 2013 at 1:19 AM, Noel Jones <[email protected]> wrote:
> On 2/16/2013 12:40 PM, Gary V wrote:
> > On Fri, Feb 15, 2013 at 6:51 AM, milos.kaurin wrote:
> >> Hi all
> >>
> >>
> >> I have set up a restrictive amavis-new daemon which works great
> >>
> >>
> >> I would, however, like some users on my domain to be able to accept some of
> >> the extensions that are otherwise banned.
> >>
> >> I'm not sure what is the right way to go about doing this.
> >>
> >> Basically, I need to let, say, [email protected] and [email protected] be
> >> able to receive .avi and .pdf (which is currently restricted)
> >
> > If you use 2.3.0 or newer and your intent is to allow a particular
> > recipient (or recipients) to receive certain files that are blocked by
> > the current settings in banned_filename_re, you could first redefine
> > the %banned_rules hash and include a complete custom set of
> > $banned_filename_re settings there. In addition, this hash necessarily
> > includes the 'DEFAULT' banned_filename_re settings and needs to be
> > positioned after the existing $banned_filename_re new_RE( ... );
> > setting. Then set up a policy bank to trigger the recipient to use the
> > reconfigured rules.
> > For example:
> >
> > %banned_rules = (
> >   'ALLOW_PDF' => new_RE(
> >     [qr'.\.(avi|pdf)$'i => 0],  # pass .avi and .pdf files
> >     # block certain double extensions anywhere in the base name:
> >     qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
> >     qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i,  # Windows Class ID CLSID, strict
> >     qr'^application/x-msdownload$'i,  # block these MIME types
> >     qr'^application/x-msdos-program$'i,
> >     qr'^application/hta$'i,
> >     qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,  # banned extension - basic
> >     qr'^\.(exe-ms)$',  # banned file(1) types
> >   ),
> >   'DEFAULT'=>$banned_filename_re,
> > );
> >
> > $inet_socket_port = [10024,10026];
> > $interface_policy{'10026'} = 'ALLOWPDF';
> >
> > $policy_bank{'ALLOWPDF'} = {
> >   banned_filename_maps => ['ALLOW_PDF'],  # more permissive banning rules
> > };
> >
> > In main.cf add a check_recipient_access that serves to toggle the
> > FILTER to port 10026:
> >
> > smtpd_recipient_restrictions =
> >   permit_mynetworks,
> >   permit_sasl_authenticated,
> >   reject_unauth_destination,
> >   check_recipient_access hash:/etc/postfix/amavis_allow_pdf
> >
> > The contents of /etc/postfix/amavis_allow_pdf (don't forget to postmap
> > the file):
> > [email protected]  FILTER smtp-amavis:[127.0.0.1]:10026
> > [email protected]  FILTER smtp-amavis:[127.0.0.1]:10026
> >
>
> Caution: FILTER is a per-message action, not per-recipient.
> Multirecipient mail may not be routed as you expect.
>
> Controlling the next-hop per recipient reliably requires using a
> transport map and multiple postfix instances. See postfix-users
> archives for details.
>
> Or you may decide you can live with occasional misrouted mail, but
> then you're not going to be surprised when that happens.
>
>
>   -- Noel Jones
>
> >
> > Hopefully it's obvious my amavis is configured as an after queue
> > filter and my transport in master.cf is called smtp-amavis
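
Added example (not part of the thread, and not code from amavisd-new or Postfix): a small Python model of the per-message FILTER behaviour Noel Jones cautions about, useful for checking which recipients of a multi-recipient message would be scanned under a policy bank they were not assigned. The example.com addresses, the default content_filter on port 10024 and all function names are assumptions made for illustration.

```python
# Added illustration, not code from the thread. Addresses, the port-10024
# default content_filter and all function names are assumptions.
DEFAULT_FILTER = "smtp-amavis:[127.0.0.1]:10024"     # assumed main.cf content_filter
PERMISSIVE_FILTER = "smtp-amavis:[127.0.0.1]:10026"  # port mapped to the ALLOWPDF bank

# Constructed stand-in for /etc/postfix/amavis_allow_pdf.
ACCESS_TABLE = {
    "user1@example.com": "FILTER " + PERMISSIVE_FILTER,
    "user2@example.com": "FILTER " + PERMISSIVE_FILTER,
}


def table_filter(rcpt, access):
    """FILTER destination the table assigns to rcpt, or None if no FILTER fires."""
    action = access.get(rcpt.lower(), "")
    return action.split(None, 1)[1] if action.startswith("FILTER ") else None


def route_message(recipients, access=ACCESS_TABLE, default=DEFAULT_FILTER):
    """Filter actually used: one per message, the last FILTER that fires wins."""
    chosen = default
    for rcpt in recipients:  # check_recipient_access runs once per RCPT TO
        chosen = table_filter(rcpt, access) or chosen
    return chosen


def misrouted(recipients, access=ACCESS_TABLE, default=DEFAULT_FILTER):
    """Recipients whose copy is scanned under a policy they were not assigned."""
    used = route_message(recipients, access, default)
    return [r for r in recipients if (table_filter(r, access) or default) != used]


if __name__ == "__main__":
    # Constructed envelopes: one allowed recipient, one ordinary, one mixed.
    envelopes = (
        ["user1@example.com"],
        ["staff@example.com"],
        ["user1@example.com", "staff@example.com"],
    )
    for envelope in envelopes:
        print(envelope, "->", route_message(envelope),
              "misrouted:", misrouted(envelope))
```

In the mixed envelope the whole message goes to port 10026, so the recipient who is not in the access table also gets the relaxed banned-file rules.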
