Last updated: 2018-11-16
Contents
- sasl authenticated users bypass amavisd
- Bypass checks for internally generated mail
- submission port (587) / smtps port (465) use a separate policy_bank
- Restrictions
- Reinjection port setting
- Bypass filter by IP
- Doc
sasl authenticated users bypass amavisd
# main.cf
# wrap permit_sasl_authenticated between two check_client_access lookups:
# authenticated clients pick up the FILTER from filter_auth.cf and stop at
# permit_sasl_authenticated; everyone else falls through to filter_default.cf
receive_override_options = no_address_mappings
smtpd_sender_restrictions =
    check_client_access pcre:/etc/postfix/filter_auth.cf,
    permit_sasl_authenticated,
    check_client_access pcre:/etc/postfix/filter_default.cf
# filter_auth.cf
# for logging
/./ FILTER scan:[127.0.0.1]:10026
# filter_default.cf
/./ FILTER scan:[127.0.0.1]:10024
Bypass checks for internally generated mail
master.cf
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=
submission port (587) / smtps port (465) use a separate policy_bank
Purpose: DKIM is applied in that policy_bank
master.cf
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
smtps      inet n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10027
amavisd.conf
$inet_socket_port = [10024,10026,10027]; # listen on multiple TCP ports
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
...........
originating => 1
...........
};
Restrictions
- smtpd_client_restrictions
- smtpd_helo_restrictions
- smtpd_sender_restrictions
- smtpd_relay_restrictions
- smtpd_recipient_restrictions
- smtpd_data_restrictions (default: empty): applies in the context of the SMTP DATA command.
- smtpd_end_of_data_restrictions (default: empty): applies in the context of the SMTP END-OF-DATA command.
Reinjection port setting
main.cf
receive_override_options = no_address_mappings
master.cf
127.0.0.1:10025 inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Bypass filter by IP
[2] skip amavisd-new entirely by sending the mail back to Postfix's reinjection port
bypass scanning by using check_client_access (IP)
main.cf
# Bypass Amavis by IP
# Default: "smtpd_client_restrictions ="
smtpd_client_restrictions = check_client_access hash:/etc/postfix/bypass_amavis
/etc/postfix/bypass_amavis
# 10025 <-- reinjection port
192.168.1.41 FILTER smtp:[127.0.0.1]:10025
# build the .db first, then reload so smtpd picks up the new main.cf setting
postmap hash:/etc/postfix/bypass_amavis
postfix reload
log
grep sender@domain /var/log/maillog
Nov 16 11:44:06 mx-server postfix/smtpd[7700]: NOQUEUE: filter: RCPT from PTR[s.s.s.s]: <PTR[s.s.s.s]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<sender@domain> to=<[email protected]> proto=ESMTP helo=<[192.168.88.150]>
Nov 16 11:44:07 mx-server postfix/qmgr[7675]: 4D4143A00C5: from=<sender@domain>, size=404, nrcpt=1 (queue active)
Nov 16 11:44:07 mx-server postfix/qmgr[7675]: 5416B3A00C9: from=<sender@domain>, size=576, nrcpt=1 (queue active)
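Every FILTER bypass to the reinjection port leaves a "Client host triggers FILTER" line in maillog, which makes the bypass list auditable: any client that skips amavisd but is not in the networks you meant to exempt is a misconfiguration worth catching. The script below is an added example, not part of the original page; the log lines, host names, IPs and addresses in it are constructed, and the allowed-network list stands in for the contents of /etc/postfix/bypass_amavis.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of maillog lines (hosts, IPs and addresses are placeholders).
SAMPLE_LOG = """\
Nov 16 11:44:06 mx-server postfix/smtpd[7700]: NOQUEUE: filter: RCPT from app1.internal[192.168.1.41]: <app1.internal[192.168.1.41]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<sender@example.com> to=<user@example.org> proto=ESMTP helo=<[192.168.88.150]>
Nov 16 11:44:07 mx-server postfix/qmgr[7675]: 4D4143A00C5: from=<sender@example.com>, size=404, nrcpt=1 (queue active)
Nov 16 11:45:10 mx-server postfix/smtpd[7701]: NOQUEUE: filter: RCPT from unknown[203.0.113.9]: <unknown[203.0.113.9]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<outside@example.net> to=<user@example.org> proto=ESMTP helo=<mail>
Nov 16 11:46:02 mx-server postfix/smtpd[7702]: NOQUEUE: filter: RCPT from relay.example[IPv6:2001:db8::10]: <relay.example[IPv6:2001:db8::10]>: Client host triggers FILTER scan:[127.0.0.1]:10026; from=<ops@example.com> to=<user@example.org> proto=ESMTP helo=<relay.example>
"""

# Matches the line smtpd logs when an access-map FILTER action fires.
FILTER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: filter: RCPT from (?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: .*?"
    r"Client host triggers FILTER (?P<transport>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_filter_events(log_text):
    """Extract every access-map FILTER event from raw maillog text."""
    events = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            ev = m.groupdict()
            # Postfix logs IPv6 clients as [IPv6:addr]; strip the prefix for parsing.
            if ev["ip"].startswith("IPv6:"):
                ev["ip"] = ev["ip"][5:]
            events.append(ev)
    return events


def audit_bypasses(log_text, allowed_networks, reinjection="smtp:[127.0.0.1]:10025"):
    """Split reinjection-port bypasses into expected (client inside an allowed
    network) and unexpected (anything else). Events routed to other transports
    are ignored because those messages still pass through a scanner."""
    nets = [ip_network(n, strict=False) for n in allowed_networks]
    expected, unexpected = [], []
    for ev in parse_filter_events(log_text):
        if ev["transport"] != reinjection:
            continue
        addr = ip_address(ev["ip"])
        (expected if any(addr in n for n in nets) else unexpected).append(ev)
    return expected, unexpected


if __name__ == "__main__":
    ok, bad = audit_bypasses(SAMPLE_LOG, ["192.168.1.41"])
    for ev in bad:
        print(f"{ev['ts']} unexpected bypass from {ev['client']}[{ev['ip']}] sender={ev['sender']}")
```

Run it against a real maillog by replacing SAMPLE_LOG with the file contents and the allowed list with the keys of your bypass map; the second entry in the sample (203.0.113.9) is the case the audit exists for, a bypass that the allowlist does not explain.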
Turn on content filtering on the fly
The check_client_access example above is one way of turning filtering on on the fly.
/etc/postfix/access:
whatever FILTER foo:bar
/etc/postfix/header_checks:
/whatever/ FILTER foo:bar
- FILTER actions from smtpd access maps and header/body_checks take precedence over filters specified with the main.cf content_filter parameter.
- If a message triggers more than one filter action, only the last one takes effect.
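The two precedence rules above, together with the way check_client_access looks up an address, decide which transport a message really ends up on. The model below is an added example (not Postfix code and not from the original page) that reproduces them: an IPv4 client is looked up as the full address and then its parent networks (192.168.1.41, 192.168.1, 192.168, 192), which is why a short key in a bypass map exempts a whole network; a FILTER from the access map or header_checks beats content_filter; and the last FILTER to fire wins. The access and header_checks tables are constructed; hostname and IPv6 parent lookups are left out.

```python
import re

# Constructed check_client_access table (what /etc/postfix/bypass_amavis might
# hold before postmap); values are examples, not the page's.
ACCESS_MAP = {
    "192.168.1.41": "FILTER smtp:[127.0.0.1]:10025",  # one host skips amavisd
    "10.20": "OK",  # a parent-network key: no FILTER, so content_filter still applies
}

# Constructed header_checks table: (pattern, action); first match per header wins.
HEADER_CHECKS = [
    (r"^X-Rescan: *yes$", "FILTER scan:[127.0.0.1]:10026"),
]


def client_access_lookup_keys(ip):
    """Keys Postfix tries for an IPv4 client: the full address, then the parent
    networks obtained by dropping the least significant octets (see access(5))."""
    octets = ip.split(".")
    if len(octets) != 4:
        return [ip]  # simplification: exact match only for anything that is not dotted IPv4
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup_client_access(ip, access_map):
    for key in client_access_lookup_keys(ip):
        if key in access_map:
            return access_map[key]
    return None


def filter_transport(action):
    """Return the transport named by a FILTER action, or None for any other action."""
    if action is None:
        return None
    verb, _, arg = action.strip().partition(" ")
    return arg.strip() if verb.upper() == "FILTER" and arg.strip() else None


def header_check_actions(headers, header_checks):
    """Actions from header_checks; regexp/pcre tables match case-insensitively by default."""
    actions = []
    for header in headers:
        for pattern, action in header_checks:
            if re.search(pattern, header, re.IGNORECASE):
                actions.append(action)
                break  # first matching pattern wins for this header line
    return actions


def effective_filter(client_ip, headers, content_filter,
                     access_map=ACCESS_MAP, header_checks=HEADER_CHECKS):
    """Resolve the transport a message is actually handed to: explicit FILTER
    actions beat main.cf content_filter, and the last one to fire wins."""
    fired = []
    t = filter_transport(lookup_client_access(client_ip, access_map))
    if t:
        fired.append(t)  # smtpd access map fires first, at RCPT time
    for action in header_check_actions(headers, header_checks):
        t = filter_transport(action)
        if t:
            fired.append(t)  # cleanup's header_checks fire later, so they override
    return fired[-1] if fired else content_filter


if __name__ == "__main__":
    cf = "scan:[127.0.0.1]:10024"
    print(client_access_lookup_keys("192.168.1.41"))
    print(effective_filter("192.168.1.41", ["Subject: hi"], cf))
    print(effective_filter("192.168.1.41", ["X-Rescan: yes"], cf))
```

The third call is the subtle case: the bypass map sends 192.168.1.41 to the reinjection port, but a later header_checks FILTER pulls the same message back into a scanner because it fired last.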
To turn off "advanced" content filtering
/etc/postfix/main.cf:
# comment out the following two lines
# content_filter = scan:localhost:10025
# receive_override_options = no_address_mappings
postfix reload
# postsuper -r queue_id
# "ALL" must be specified in upper case
# Requeue the message with the named queue ID from the named mail queue(s)
# (default: hold, incoming, active and deferred).
# Requeueing removes content filter request records from existing queue files
postsuper -r ALL
*_send_xforward_command
When using the "MYNETS" policy bank, you must set *_send_xforward_command in master.cf:
With "-o smtp_send_xforward_command=yes", the scan transport will try to forward the original client name and IP address through the content filter to the after-filter smtpd process,
so that filtered mail is logged with the real client name and IP address.
before-filter --> filter --> after-filter
Security
The XFORWARD command changes audit trails.
Use of this command must be restricted to authorized clients.
# Dialogue between client and server
C: EHLO client.example.com
...
S: 250 XFORWARD NAME ADDR PORT PROTO HELO SOURCE (1)
...
C: XFORWARD NAME=s.s.s ADDR=n.n.n.n PROTO=ESMTP (2)
S: 250 Ok (3)
C: XFORWARD HELO=s.s.s
S: 250 Ok
...
(1) When an SMTP server announces support for the XFORWARD command,
(2) an SMTP client may send information that overrides one or more client-related logging attributes.
    attribute-name = ( NAME | ADDR | PORT | PROTO | HELO | IDENT | SOURCE )
(3) Server replies:
    250 success
    421 unable to proceed, disconnecting
    501 bad command parameter syntax
    503 mail transaction in progress
    550 insufficient authorization
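Because XFORWARD rewrites what ends up in the audit trail, the server side of the exchange is where the control lives: the after-filter smtpd should only advertise and accept XFORWARD from hosts listed in smtpd_authorized_xforward_hosts, and must answer with the reply codes in the table above otherwise. The class below is an added example (a model for illustration, not Postfix source and not from the original page) that plays the after-filter smtpd for the dialogue shown: it advertises XFORWARD only to authorized peers, validates attribute names, refuses the command during a mail transaction, and reports which client identity would be logged. The authorized-host list, peer addresses and reply wording are constructed; clearing forwarded attributes on RSET is a simplifying assumption.

```python
from ipaddress import ip_address, ip_network

# Attribute names from the XFORWARD grammar quoted above.
XFORWARD_ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "IDENT", "SOURCE")


class AfterFilterSmtpd:
    """Model of the after-filter smtpd's handling of XFORWARD.
    authorized_hosts plays the role of smtpd_authorized_xforward_hosts."""

    def __init__(self, peer_ip, authorized_hosts, peer_name="unknown"):
        self.peer_ip, self.peer_name = peer_ip, peer_name
        addr = ip_address(peer_ip)
        self.xforward_allowed = any(addr in ip_network(n, strict=False) for n in authorized_hosts)
        self.forwarded = {}          # attributes accepted so far (None = [UNAVAILABLE])
        self.in_transaction = False  # set by MAIL FROM, cleared by RSET

    def ehlo(self, helo_name):
        """Capabilities announced in the EHLO reply; XFORWARD only to authorized clients."""
        caps = ["PIPELINING", "8BITMIME"]
        if self.xforward_allowed:
            caps.append("XFORWARD " + " ".join(XFORWARD_ATTRS))
        return caps

    def command(self, line):
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "XFORWARD":
            return self._xforward(rest)
        if verb == "MAIL":
            self.in_transaction = True
            return "250 2.1.0 Ok"
        if verb == "RSET":
            self.in_transaction = False
            self.forwarded.clear()   # assumption: forwarded identity is per transaction
            return "250 2.0.0 Ok"
        return "502 5.5.2 Error: command not recognized"

    def _xforward(self, rest):
        # Reply texts follow the code table on this page, not Postfix's exact strings.
        if not self.xforward_allowed:
            return "550 5.7.0 insufficient authorization"
        if self.in_transaction:
            return "503 5.5.1 mail transaction in progress"
        pending = {}
        for token in rest.split():
            name, eq, value = token.partition("=")
            name = name.upper()
            if not eq or name not in XFORWARD_ATTRS or not value:
                return "501 5.5.4 bad command parameter syntax"
            # "[UNAVAILABLE]" means the before-filter smtpd did not know the value
            pending[name] = None if value.upper() == "[UNAVAILABLE]" else value
        if not pending:
            return "501 5.5.4 bad command parameter syntax"
        self.forwarded.update(pending)
        return "250 2.0.0 Ok"

    def logged_client(self):
        """Identity written to the audit trail: forwarded values when the peer was
        allowed to supply them, otherwise the real peer."""
        name = (self.forwarded["NAME"] or "unknown") if "NAME" in self.forwarded else self.peer_name
        addr = (self.forwarded["ADDR"] or "unknown") if "ADDR" in self.forwarded else self.peer_ip
        return f"{name}[{addr}]"


if __name__ == "__main__":
    srv = AfterFilterSmtpd("127.0.0.1", ["127.0.0.0/8"], peer_name="localhost")
    print(srv.ehlo("filter.local"))
    print(srv.command("XFORWARD NAME=client.example ADDR=203.0.113.9 PROTO=ESMTP"))
    print(srv.logged_client())
```

The two sessions worth comparing are a peer inside 127.0.0.0/8, for which the forwarded NAME and ADDR replace the loopback identity in the log, and a peer outside it, which never sees XFORWARD in the EHLO reply and gets 550 if it sends the command anyway, so its own address stays in the audit trail.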
disable_mime_output_conversion (default: no)
Disable the conversion of 8BITMIME format to 7BIT format.
MIME output conversion is needed when the destination does not advertise 8BITMIME support.
Disabling the conversion prevents the breaking of DomainKeys and other digital signatures.
This is needed because some SMTP-based content filters don't announce 8BITMIME support,
even though they can handle 8-bit mail.
Doc
http://www.postfix.org/FILTER_README.html