postfix-users October 2010 archive

Re: SV: Catch S/mime header and change destination

From: Wietse Venema <wietse_at_nospam>
Date: Thu Oct 07 2010 - 14:31:16 GMT
To: Postfix users <postfix-users@postfix.org>

Peter Sørensen:
> Good point! You're right.
>
> The problem I am about to solve is that we have to accept encrypted
> mail to a specific mailbox and this has to be decrypted before we
> scan for VIRUS/SPAM.
>
> A server will be dedicated for the decrypting/encrypting purpose.
> This is outside our MTA so my downstream postfix will receive the
> mail. If signed this should be sent to the decrypting server and
> when decrypted it will be sent back to the postfix MTA and then
> scanned for VIRUS/SPAM.

In that case, use a header_checks pattern.

/etc/postfix/main.cf:
    header_checks = pcre:/etc/postfix/header_checks

/etc/postfix/header_checks:
    /smimeheader-pattern/ FILTER smtp:host-for-encrypted-mail

That leaves two problems.

The first is that this will also decrypt mail that is destined
to remote users. I am not going to solve that in this reply
without further input from you.

The second problem is how to avoid an infinite loop where mail
goes back and forth between Postfix and your mail decryptor. For
this, the host-for-encrypted-mail should send the mail back into
Postfix in the same way that SMTP-based content filters do.

This involves sending to a specially-configured Postfix SMTP server
on a different IP address or on a different TCP port. An example
of the latter, inspired by the FILTER_README document:

/etc/postfix/master.cf:
    # ===================================================================
    # service type private unpriv chroot wakeup maxproc command
    # (yes) (yes) (yes) (never) (100)
    # ===================================================================
    10026 inet n - n - 10 smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

As an additional safety measure it would be a good idea to firewall
port 10026 to block remote access.

        Wietse
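The two pieces of the setup above, the header_checks FILTER and the re-injection listener on port 10026, fit together only if the listener really disables header checks and the content filter. The following is an added example, not code from the thread or from Postfix: it parses a constructed master.cf fragment modelled on the one above, checks the loop-prevention options, and simulates the FILTER decision on each listener. It assumes `Content-Type: application/pkcs7-mime` stands in for the `smimeheader-pattern` placeholder.

```python
import re

# Constructed master.cf fragment modelled on the re-injection listener in the
# message above (sample data, not taken from a live system).
MASTER_CF = """\
10026 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

# Assumed stand-in for the "smimeheader-pattern" placeholder (S/MIME MIME type).
SMIME_PATTERN = re.compile(r'^Content-Type:\s*application/(x-)?pkcs7-mime', re.I)

def parse_master_cf(text):
    """Return {service_name: {'fields': [...], 'opts': {param: value}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':  # continuation line: "-o name=value"
            m = re.match(r'\s*-o\s+([A-Za-z0-9_]+)=(.*)$', line)
            if m and current is not None:
                services[current]['opts'][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) >= 8:  # service type private unpriv chroot wakeup maxproc command
            current = fields[0]
            services[current] = {'fields': fields, 'opts': {}}
    return services

def reinjection_problems(service):
    """List the loop-prevention and exposure checks a re-injection listener fails."""
    opts, problems = service['opts'], []
    if opts.get('content_filter') != '':
        problems.append('content_filter must be explicitly set to empty')
    overrides = set(opts.get('receive_override_options', '').split(','))
    if 'no_header_body_checks' not in overrides:
        problems.append('receive_override_options lacks no_header_body_checks (FILTER would re-fire)')
    if opts.get('smtpd_recipient_restrictions') != 'permit_mynetworks,reject':
        problems.append('smtpd_recipient_restrictions should be permit_mynetworks,reject')
    return problems

def header_checks_action(headers, service):
    """Simulate the header_checks FILTER rule on one listener; '' means no rerouting."""
    overrides = service['opts'].get('receive_override_options', '').split(',')
    if 'no_header_body_checks' in overrides:
        return ''  # re-injection listener: header_checks are skipped, so no loop
    if any(SMIME_PATTERN.match(h) for h in headers):
        return 'FILTER smtp:host-for-encrypted-mail'
    return ''
```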