----- Message from an...@isac.gov.in ---------
   Date: Tue, 28 Aug 2012 09:32:12 +0530
   From: an...@isac.gov.in
Subject: Re: exceptions for smtpd_end_of_data_restrictions
     To: postfix-users@postfix.org


----- Message from Noel Jones <njo...@megan.vbhcs.org> ---------
    Date: Mon, 27 Aug 2012 08:57:11 -0500
    From: Noel Jones <njo...@megan.vbhcs.org>
Reply-To: postfix users <postfix-users@postfix.org>
 Subject: Re: exceptions for smtpd_end_of_data_restrictions
      To: postfix-users@postfix.org


On 8/27/2012 7:56 AM, an...@isac.gov.in wrote:

----- Message from an...@isac.gov.in ---------
  Date: Sat, 25 Aug 2012 15:50:33 +0530
  From: an...@isac.gov.in
Subject: Re: exceptions for smtpd_end_of_data_restrictions
    To: postfix-users@postfix.org


----- Message from Noel Jones <njo...@megan.vbhcs.org> ---------
   Date: Fri, 24 Aug 2012 23:49:25 -0500
   From: Noel Jones <njo...@megan.vbhcs.org>
Reply-To: postfix users <postfix-users@postfix.org>
Subject: Re: exceptions for smtpd_end_of_data_restrictions
     To: postfix-users@postfix.org


On 8/24/2012 11:10 PM, an...@isac.gov.in wrote:

----- Message from Noel Jones <njo...@megan.vbhcs.org> ---------
  Date: Wed, 22 Aug 2012 06:31:10 -0500
  From: Noel Jones <njo...@megan.vbhcs.org>
Reply-To: postfix users <postfix-users@postfix.org>
Subject: Re: exceptions for smtpd_end_of_data_restrictions
    To: postfix-users@postfix.org


On 8/22/2012 2:14 AM, an...@isac.gov.in wrote:
Dear List,

I have this in my main.cf

smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:9998


This basically checks for mail size and allows/not allows a mail
based on contents of a file.

Is there a way to say, not to use this policy service, based on some
headers of a mail?



You can skip the policy based on envelope information by using a
check_*_access map before the policy check.  You could also likely
do this inside the policy server itself.

You cannot skip it based on headers.



-- Noel Jones



Thanks for your inputs.  You are all experts, please share some
ideas with me to solve my problem.  I have described the requirement
in detail as below.

Let me explain my current setup and my real requirement.

I have a front end for accessing and sending mail (say server A).
All mails sent from this (server A) are directed to another server
(say server B) for virus/spam check using Amavisd.  If the mails are
addressed to any internet domain other than ours, mails get
forwarded to Server C, else mails are delivered locally.

A (Front End Mail) -> B (Virus/Spam scanner) -> C (for delivering to
Internet).

At server B (for local delivery of mails) we have a size limit of 30
MB.

At Server C (for delivery to Internet) we have a size limit of 30
MB, but using policyd feature of Postfix (at
smtpd_end_of_data_restrictions), by default we are restricting to 2
MB and based on the contents of a data file (which is manually
edited as and when required) which contains Sender address and
allowed size, mails get delivered to outside domains having
higher size.

Now, I have been asked to develop another front end at same level as
Server A (say server D), to enable users to send mails of large size
to Internet users, such that, once a mail is composed and submitted
for approval, based on the content, I can approve or disapprove.
Once approved, it should go through Server B and finally server C to
get delivered to outside domains.

My problem lies at Server C where I am running a policy for sending
outside mails.  How can that mail be allowed without even looking
at policy (exception for policy)?

Please provide guidance or any other alternative strategy to achieve
the requirement.  But, it is a must that mail should go through the
virus scan.

Regards,
Anant.



Have D submit mail to a dedicated amavisd port on B, which can then
submit to a separate port on C with no policy.

See amavisd docs about listening on multiple ports, policy banks,
etc.

For the postfix changes on C, the lazy solution is set up another
smtpd listener in master.cf with empty
smtpd_end_of_data_restrictions; the better full-featured solution is
a separate postfix instance giving full control with separate queue,
logging, and stats.



-- Noel Jones


Thanks.  I think, this is the only option.  I need to work on
this. Thanks.

Regards,
Anant.



Dear Noel Jones,

I was just browsing through the net and found the following link

http://marcelog.github.com/articles/configure_postfix_forward_email_regex_subject_transport_relay.html


In my setup, I have different queue setup already for incoming and
outgoing in Server C.  My policy runs on outgoing queue.

If I set up another queue on server C, say 'highersizequeue'.  And
in outgoing main.cf, I add header check for some specific header and
based on that header, I relay that mail to newly created queue
(highersizequeue).

That could work.


Is this solution advisable? If you say No, I would stick to your
earlier suggested option.

As a general rule, routing decisions shouldn't be based on headers.
You'll need to insure that you do not unintentionally match the
wrong header.  Even experts fat-finger regexp; it's harder than it
looks.

I think the separate ports discussed earlier is a better and safer
solution.  There is much less possibility of unintended routing that
way.



 -- Noel Jones


THANK YOU.


What I tried to implement did not work. On my server C, in the existing outgoing queue, I set message size limit as 2 MB, removed smtpd_end_of_data_restrictions policy. Added a header_check for a custom header to filter to smtp:xxx:yyy.

But, when I send a mail higher than 2 MB, header_check does not happen. Mail bounces back. I thought header_check would apply and it would get redirected to another instance of postfix as defined in header_checks.

Whereas, if the size of the mail is less than 2 MB, it goes through the new instance of postfix to which I have filtered and gets delivered.

Does header_check work only after completely queuing the mail? I am using 2.6.13 version of postfix.

Regards,
Anant.




----- End message from Noel Jones <njo...@megan.vbhcs.org> -----


------------------------------------------------------------------------------
Confidentiality Notice: This e-mail message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
------------------------------------------------------------------------------


----- End message from an...@isac.gov.in -----
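The thread describes a policy service at smtpd_end_of_data_restrictions that applies a 2 MB default and per-sender overrides from a data file, and Noel notes that an exception based on envelope information could be made inside the policy server itself. The sketch below is an added example, not code from any poster in this thread: it parses a Postfix policy delegation request and returns the action. The data file layout ("sender max_bytes"), the function names and the example.org addresses are assumptions.

```python
# Added example, not from the thread: per-sender size policy for
# Postfix policy delegation, decided at the END-OF-MESSAGE stage.
DEFAULT_LIMIT = 2 * 1024 * 1024  # 2 MB default described in the thread

# Constructed sample of the manually edited data file (assumed layout).
SAMPLE_LIMITS = """\
# sender            max bytes
alice@example.org   10485760
bob@example.org     31457280
"""

def load_limits(text):
    """Parse 'sender size' lines, ignoring blanks and # comments."""
    limits = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        sender, size = line.split()
        limits[sender.lower()] = int(size)
    return limits

def parse_request(raw):
    """Parse one request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, limits, default=DEFAULT_LIMIT):
    """Return the access(5) action for this request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"  # the size attribute is only final at end of data
    try:
        size = int(attrs["size"])
    except (KeyError, ValueError):
        # Fail closed with a temporary error rather than waving mail through.
        return "DEFER_IF_PERMIT Size policy could not read message size"
    allowed = limits.get(attrs.get("sender", "").lower(), default)
    if size > allowed:
        return "REJECT Message size %d exceeds sender limit %d" % (size, allowed)
    return "DUNNO"

def respond(raw, limits):
    """Build the full reply that is written back to Postfix."""
    return "action=%s\n\n" % decide(parse_request(raw), limits)
```

The decision uses only the envelope sender and the measured size, so no message header can influence it.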

