postfix-users November 2011 archive

Postfix and MIMEdefang; per-recipient treatment of messages in a milter environment

From: Rolf E. Sonneveld <R.E.Sonneveld_at_nospam>
Date: Tue Nov 22 2011 - 21:46:59 GMT
To: postfix-users <postfix-users@postfix.org>

Hi, all,

running Postfix 2.8.6 in combination with MIMEdefang (MD) 2.72.

What I want to achieve is the following: the combination Postfix + MD
should provide per-user anti-spam functionality. In itself this is not a
big problem, but the real problem here is: how to do this for messages
which have multiple recipients? (with that I mean: a single SMTP session
with multiple RCPT TO addresses). For example: one recipient would like
to quarantine a particular message, while another recipient of the same
message would like to get it delivered.

To achieve this I'm experimenting with the MD stream_by_recipient()
function. This means: the MD milter during the first run splits up a
multi-recipient message into separate single-recipient messages and
reinjects them via the sendmail command as a local SMTP submission,
which triggers the MD milter again, but the second time it's applied per
single-recipient message. This doesn't solve all problems, but it is
known to work well, with a regular Sendmail installation.

Question: if there's a more elegant/better way to achieve the same,
please let me know.

As I want to do the same with Postfix, I tried to emulate this behaviour
using:

smtpd_milters = inet:localhost:25000
non_smtpd_milters = inet:localhost:25000

where the smtpd_milters is 'invoked' during initial SMTP enqueue, and
the non_smtpd_milters take care of the 2nd MD 'run'. This seems to work
OK, but there might be a caveat: the author of MD wrote to me:

> It looks like it's working. However, there's one caveat: With real Sendmail,
> MIMEDefang redelivers the streamed messages using deferred mode. That means
> they just get queued up. A short time later, the queue is run and the
> remailed messages appear.
>
> This means that if a message has 100 recipients, they get queued up and
> then redelivered in a nicely serialized way with limited parallelism. If
> Postfix actually redelivers the messages immediately, an N-recipient message
> might try to tie up N scanning processes all at about the same time.
>
> I'm not sure if this will be a problem in practice, but it's something to
> watch for. You don't want to allow an attacker to DoS your machine by sending
> messages to large numbers of recipients and relying on amplification.

It seems MD invokes sendmail using a -odd option (in mimedefang.pl):

> Sendmail is invoked with the "-odd" option. If you look for -odd in
> mimedefang.pl, you'll find the places where Sendmail is invoked.

What I would like to know is:

 1. what is the effect of this option, when used with the
    Postfix-provided sendmail image?
 2. if the behavior of the Postfix-provided sendmail image is different
    from the original Sendmail, is there a way I can still achieve the
    same effect (i.e. prevent DoS-like problems for messages with a big
    number of recipients)?

For all types of transports this seems to be taken care of with the
parameter destination_recipient_limit, but this does not apply to
milters, as milters are typically invoked during the (SMTP) session. Any
other suggestion to split up a multi-recipient message and apply a
milter like MD to the resulting single-recipient message copies?

Regards,
/rolf

-- 
output of postconf -n:

$ /usr/local/postfix-2.8.6/sbin/postconf -n
command_directory = /usr/local/postfix-2.8.6/sbin
config_directory = /usr/local/postfix-2.8.6
daemon_directory = /usr/local/postfix-2.8.6/libexec
data_directory = /usr/local/postfix-2.8.6/lib
debug_peer_level = 2
html_directory = /usr/local/postfix-2.8.6/html
inet_interfaces = all
local_recipient_maps = hash:/usr/local/postfix-2.8.6/etc/aliases
mail_owner = postfix
mailq_path = /usr/local/postfix-2.8.6/bin/mailq
manpage_directory = /usr/local/postfix-2.8.6/man
mydestination = $myhostname
mydomain = mydomain.org
myhostname = lynx.mydomain.org
mynetworks = my.ip.add.ress/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/local/postfix-2.8.6/bin/newaliases
non_smtpd_milters = inet:localhost:25000
queue_directory = /usr/local/postfix-2.8.6/spool
readme_directory = /usr/local/postfix-2.8.6/readme
sample_directory = /usr/local/postfix-2.8.6
sendmail_path = /usr/local/postfix-2.8.6/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname Pleased to meet you
smtpd_milters = inet:localhost:25000
unknown_local_recipient_reject_code = 550
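The two-pass scheme the post describes (first pass splits a multi-recipient message into single-recipient copies and re-injects them, second pass applies the per-user decision to each copy) in working code, as an added illustration that is not part of the original post and not MIMEdefang's own stream_by_recipient() implementation. The sample message, the X-Example-Streamed-Recipient marker header, the USER_POLICY table and the batches() helper are all constructed here for the example; how MIMEdefang actually marks a second-pass copy is not shown on this page. The batches() helper only models the "limited parallelism" the quoted mail attributes to Sendmail's deferred mode; it does not reproduce what the Postfix sendmail command does with -odd.

```python
from email import message_from_bytes, policy

# Constructed sample input (not from the original post): one SMTP
# transaction carrying three envelope recipients.
SAMPLE_SENDER = "sender@example.org"
SAMPLE_RECIPIENTS = ["alice@mydomain.org", "bob@mydomain.org", "carol@mydomain.org"]
SAMPLE_MESSAGE = b"""From: sender@example.org
To: alice@mydomain.org, bob@mydomain.org
Cc: carol@mydomain.org
Subject: weekly report
Message-ID: <1234.constructed@example.org>

body text
"""

# Hypothetical marker header for this example; MIMEdefang's real
# bookkeeping for streamed copies is not described on the page.
STREAM_HEADER = "X-Example-Streamed-Recipient"

# Hypothetical per-user policy table: recipient -> action for spam.
USER_POLICY = {"alice@mydomain.org": "quarantine", "bob@mydomain.org": "deliver"}
DEFAULT_ACTION = "deliver"


def split_by_recipient(raw, recipients):
    """First pass: produce one single-recipient copy per envelope recipient.

    Headers and body stay untouched except for the marker header, which lets
    the second milter pass recognise an already-split copy. The envelope
    recipient to re-inject the copy for is returned alongside it, because
    the envelope, not To:/Cc:, decides who gets the copy."""
    copies = []
    for rcpt in recipients:
        msg = message_from_bytes(raw, policy=policy.default)
        if msg[STREAM_HEADER] is not None:
            # Never split a copy twice: that would loop through the milter.
            raise ValueError("refusing to split an already-streamed copy")
        msg[STREAM_HEADER] = rcpt
        copies.append((rcpt, msg.as_bytes()))
    return copies


def streamed_recipient(raw):
    """Second pass: return the single recipient a copy was streamed for,
    or None when this is an unsplit first-pass message."""
    msg = message_from_bytes(raw, policy=policy.default)
    value = msg[STREAM_HEADER]
    return None if value is None else str(value).strip()


def decide(raw, is_spam):
    """Per-recipient decision for a streamed copy: 'deliver', 'quarantine',
    or 'split' when the message has not been split yet (first pass)."""
    rcpt = streamed_recipient(raw)
    if rcpt is None:
        return "split"
    if not is_spam:
        return "deliver"
    return USER_POLICY.get(rcpt, DEFAULT_ACTION)


def batches(copies, limit):
    """Hand copies back in groups of at most `limit`, modelling serialized
    re-delivery so an N-recipient message does not start N scans at once."""
    return [copies[i:i + limit] for i in range(0, len(copies), limit)]


if __name__ == "__main__":
    print("first pass ->", decide(SAMPLE_MESSAGE, is_spam=True))
    copies = split_by_recipient(SAMPLE_MESSAGE, SAMPLE_RECIPIENTS)
    for group in batches(copies, 2):
        for rcpt, copy in group:
            print(rcpt, "->", decide(copy, is_spam=True))
```

With the sample input the first pass reports "split", and the three re-injected copies resolve to quarantine for alice and deliver for bob and carol, which is exactly the per-recipient outcome the post asks for; the loop guard in split_by_recipient() is the check to keep, since the second pass runs through the same milter as the first.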