Re: header_checks for IP & email destination?
If it is supposed to be source IP and destination address, do you really need to do anything with the headers? What I mean is, if you know the IP, make a restriction that if a mail is being received from a specific IP, then push it onto another restriction class, which then checks the recipient, and if it is the correct recipient, allow it through, else reject it (or redirect it). I realize this would add tons of restriction classes, but it would work for what you are wanting to do, would it not? Or do you mean the first hop, not the last hop prior to your server, is what you need to base it on?

On Fri, Dec 22, 2017 at 6:34 AM, Viktor Dukhovni wrote:

> > On Dec 21, 2017, at 7:54 PM, li...@mypenguin.net.au wrote:
> >
> > I've a very unique need to configure Postfix to deliver email based on
> > source IP and destination email address.
> >
> > Example:
> > ---
> > If:
> >    Received: by mx0.example2.com AND Delivered-To:
> > li...@mypenguin.net.au
> >
> >    Action: Deliver
> > else:
> >    Discard or Redirect (depending on user)
> > fi
> > ---
> >
> > Can Postfix header_checks do this?
>
> No. Nor can any other MTA, because mail routing MUST be based on
> the message envelope recipients, not header recipients.
>
> > Looks like it'll only accept regex based on a line by line query?
>
> Correct, but headers would be the wrong criterion anyway.
>
> Policy services can return DISCARD verdicts for the message as
> a whole, based on the envelope and message original. Milters
> or content filters should be able to delete specific recipients.
>
> --
> Viktor.
>

--
- Markus
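The envelope-based approach the replies point to (decide on the connecting client's IP plus the envelope recipient at RCPT time, rather than on Received:/Delivered-To: headers), written out as an added example that is not code from the thread: a minimal Postfix SMTPD policy service in Python. Postfix sends the policy server name=value lines terminated by an empty line and expects an "action=" line back; the policy table, addresses, networks and the listener port 10040 are constructed for illustration. Two caveats a practitioner would want: client_address is the host that connected to your server (the last hop, which answers Markus's first-hop/last-hop question), and DISCARD or REDIRECT verdicts act on the whole message, which is why Viktor says removing a single recipient needs a milter or content filter instead.

```python
"""
Added example (not code from the thread): a minimal Postfix SMTPD policy
service that decides on envelope data (client_address + recipient).
Postfix hands the server name=value lines terminated by an empty line
and expects "action=..." back (see SMTPD_POLICY_README).  Networks,
addresses and the port below are constructed for illustration.
"""
import ipaddress
import socketserver

# Constructed policy table: client network -> {envelope recipient: verdict}.
# Verdicts are access(5) actions.  DISCARD and REDIRECT act on the whole
# message, not only on the one recipient being checked.
POLICY = {
    ipaddress.ip_network("192.0.2.0/24"): {              # RFC 5737 doc range
        "alice@example.net": "DUNNO",                      # deliver as usual
        "bob@example.net": "REDIRECT quarantine@example.net",
        "*": "DISCARD",                                    # any other recipient
    },
}
DEFAULT_ACTION = "DUNNO"   # let the remaining smtpd restrictions decide


def parse_policy_request(raw: str) -> dict:
    """Parse one request: name=value lines up to the first empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the access(5) verdict for a parsed policy request.

    client_address is the SMTP client that connected to us (the last
    hop), not any earlier hop named in Received: headers.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return DEFAULT_ACTION
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return DEFAULT_ACTION          # unparseable address: do not guess
    recipient = attrs.get("recipient", "").lower()
    for network, table in POLICY.items():
        if client in network:
            return table.get(recipient, table.get("*", DEFAULT_ACTION))
    return DEFAULT_ACTION


def format_reply(action: str) -> str:
    """Reply format Postfix expects: an action line followed by a blank line."""
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve repeated requests on one connection until Postfix closes it."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:              # client hung up
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(format_reply(decide(attrs)).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Assumed listener; Postfix would reach it via
    #   check_policy_service inet:127.0.0.1:10040
    # placed in smtpd_recipient_restrictions.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

With the assumed listener, `check_policy_service inet:127.0.0.1:10040` in smtpd_recipient_restrictions asks this server for every RCPT; anything the table does not cover returns DUNNO so the rest of the restriction list still applies.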
Re: Requesting certificates
On Fri, 22 Dec 2017 09:52:13 + Dominic Raferd wrote:

> On 22 December 2017 at 09:38, li...@lazygranch.com wrote:
>
> > ...
> > From main.cf (sanitized):
> >
> > # TLS
> > smtpd_use_tls = yes
> >
> > smtpd_tls_security_level = may
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
> > smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > #next line experimental
> >
> > smtpd_tls_ask_ccert = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
>
> BTW, smtpd_use_tls = yes is deprecated for Postfix 2.3+:
> smtpd_tls_security_level = may achieves the same thing.

Thanks. I just commented out the line and everything works the same. I have compatibility_level = 2 in the main.cf.
Re: Requesting certificates
On 22 December 2017 at 09:38, li...@lazygranch.com wrote:

> ...
> From main.cf (sanitized):
>
> # TLS
> smtpd_use_tls = yes
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
> smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> #next line experimental
>
> smtpd_tls_ask_ccert = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom

BTW, smtpd_use_tls = yes is deprecated for Postfix 2.3+: smtpd_tls_security_level = may achieves the same thing.
Requesting certificates
I'm not at the point where I want to verify certs and reject mail, because the mail must go through! However, I would like at least for Postfix to request the cert. (Forgive my terminology here if I am not phrasing this properly.) Basically I would just eyeball the header and look at the cert request on a case by case basis.

Here is a part of an email header from an email that I sent myself (sanitized to stay off google):

Received: from mydomain.com (unknown [myipaddress])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by www.example.com (Postfix) with ESMTPSA id 1604469A2A
	for ; Fri, 22 Dec 2017 09:01:13 + (UTC)
---

From master.cf, with the emphasis on the last line:

--
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_ask_ccert=yes
---

From main.cf (sanitized):

# TLS
smtpd_use_tls = yes

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
#next line experimental

smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
--

My reasoning here being since I have a real (enough) cert from a CA rather than a self-signed one, I should be able to let the recipient's MTA sniff my cert. I suppose if this is dumb I'm going to find out. ;-)
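The "eyeball the header" check the post describes, done consistently, as an added example that is not code from the thread: a Python parser for the TLS comments Postfix writes into its own Received: line when smtpd_tls_received_header = yes. The sample headers are constructed (the first mirrors the one in the post with a documentation IP and recipient filled in); the "Client CN ..., Issuer ... (verified OK|not verified)" form is what Postfix emits when a client certificate was presented and is assumed from Postfix's other output, since the post only shows the "did not present a certificate" case. Only the Received: line your own server added is trustworthy for this purpose; earlier hops' Received: lines are written by the sending side and can say anything.

```python
"""
Added example (not code from the thread): parse the TLS comments that
Postfix adds to Received: headers when smtpd_tls_received_header = yes.
Sample headers are constructed.  The "Client CN ... (verified OK)" form
is assumed from Postfix's output for presented client certificates; the
page itself only shows the "did not present a certificate" variant.
"""
import re

SAMPLE_HEADERS = [
    # TLS 1.2, no client certificate (the case shown in the post)
    "Received: from mydomain.com (unknown [192.0.2.10])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n"
    "\t(Client did not present a certificate)\n"
    "\tby www.example.com (Postfix) with ESMTPSA id 1604469A2A\n"
    "\tfor <alice@example.com>; Fri, 22 Dec 2017 09:01:13 +0000 (UTC)",
    # Cleartext session: Postfix adds no TLS comment at all
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby www.example.com (Postfix) with ESMTP id 0123456789\n"
    "\tfor <alice@example.com>; Fri, 22 Dec 2017 09:05:00 +0000 (UTC)",
    # Legacy protocol, client certificate presented but not verified
    "Received: from old.example.org (old.example.org [203.0.113.5])\n"
    "\t(using TLSv1 with cipher AES128-SHA (128/128 bits))\n"
    '\t(Client CN "old.example.org", Issuer "Example CA" (not verified))\n'
    "\tby www.example.com (Postfix) with ESMTPS id ABCDEF0123\n"
    "\tfor <alice@example.com>; Fri, 22 Dec 2017 09:07:42 +0000 (UTC)",
]

TLS_RE = re.compile(
    r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<alg_bits>\d+) bits\)\)"
)
CERT_RE = re.compile(
    r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
    r"\((?P<status>verified OK|not verified)\)\)"
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def unfold(header: str) -> str:
    """Join RFC 5322 continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received_tls(header: str) -> dict:
    """Extract protocol, cipher, key bits and client-certificate status."""
    flat = unfold(header)
    info = {"tls": False, "protocol": None, "cipher": None, "bits": None,
            "client_cert": "n/a", "client_cn": None, "issuer": None}
    m = TLS_RE.search(flat)
    if not m:
        return info                      # no TLS comment: cleartext session
    info.update(tls=True, protocol=m["proto"], cipher=m["cipher"],
                bits=int(m["bits"]), client_cert="unknown")
    if "(No client certificate requested)" in flat:
        info["client_cert"] = "not_requested"
    elif "(Client did not present a certificate)" in flat:
        info["client_cert"] = "not_presented"
    else:
        c = CERT_RE.search(flat)
        if c:
            info.update(
                client_cert="verified" if c["status"] == "verified OK" else "unverified",
                client_cn=c["cn"], issuer=c["issuer"])
    return info


def findings(info: dict) -> list:
    """Turn the parsed fields into the points a reviewer would note."""
    out = []
    if not info["tls"]:
        return ["no TLS: session was cleartext"]
    if info["protocol"] in LEGACY_PROTOCOLS:
        out.append(f"legacy protocol {info['protocol']}")
    out.append(f"client certificate: {info['client_cert']}")
    return out


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        parsed = parse_received_tls(hdr)
        print(parsed, findings(parsed))
```

Run against the post's own header this reports TLSv1.2 with the listed cipher and a client that presented no certificate; the cleartext sample shows up as having no TLS comment at all, which is the case worth noticing when reviewing headers by hand.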