MS+Postfix, Selective HOLD
Glenn Steen
glenn.steen at gmail.com
Sat Apr 12 16:01:33 IST 2008
On 12/04/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
> On 12/04/2008, Hugo van der Kooij <hvdkooij at vanderkooij.org> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Glenn Steen wrote:
> > | On 06/04/2008, Hugo van der Kooij <hvdkooij at vanderkooij.org> wrote:
> > |> -----BEGIN PGP SIGNED MESSAGE-----
> > |> Hash: SHA1
> > |>
> > |> Hi,
> > |>
> > |> I have been trying to get my head around this question before. I find
> > |> that I have a scalability problem that I could resolve if I can put
> > |> messages on HOLD for MS to pick up only if it is not for a certain
> > |> recipient.
> > |>
> > |> There is one recipient that goes straight into a procmail parser to
> > |> extract specific information. There is no need to fire up the whole MS
> > |> circus for each message. This is an automated system that will get 1
> > |> message per monitored SMTP server per minute.
> > |>
> > |> The normal config is:
> > |> # Do some header checks
> > |> # This includes setting almost anything on hold for MailScanner to pick up
> > |> header_checks = regexp:/etc/postfix/regexp/header-checks
> > |>
> > |> So I have tried a number of setups. Most of them failed miserably.
> > |>
> > |> This morning I woke up with what seems to be the answer so I gave it a
> > |> spin and here are my findings.
> > |>
> > |>
> > |> What does work is at the end of my smtpd checks add a table to list
> > |> explicit addresses to scan. In the main.cf it looks like:
> > |>
> > |> # Access rules
> > |> smtpd_client_restrictions =
> > |>   permit_mynetworks,
> > |>   permit_sasl_authenticated,
> > |> ....Long list removed.......
> > |>   reject_unauth_destination,
> > |>   check_recipient_access hash:/etc/postfix/hash/valid-recipients
> > |>
> > |> And the hash table explicitly lists everyone for whom MS should be
> > |> called upon. Like:
> > |>
> > |> hugo at vanderkooij.org HOLD
> > |> hvdkooij at vanderkooij.org HOLD
> > |>
> > |> (I know putting email in the clear scares some people. But if you ever
> > |> see a Megalist without these two then do not buy it. ;-)
> > |>
> > |> But the drawback is it only works for a simple setup at home with only a
> > |> moderate list of recipients. And where you actually know all the
> > |> recipients.
> > |>
> > | Actually... If you (as ) already use the relay_recipient_map thing,
> > | it'd be trivial to rewrite the script that generates the
> > | relay_recipient_map to also do an access_map...:).
> > | But then again...
> > |> But if you want to have just a few exceptions then you better use
> > |> regular expressions.
> > |>
> > |> So replace:
> > |> check_recipient_access hash:/etc/postfix/hash/valid-recipients
> > |>
> > |> with:
> > |> check_recipient_access regexp:/etc/postfix/regexp/MailScanner
> > |>
> > |> With /etc/postfix/regexp/MailScanner looking like:
> > |>
> > |> #
> > |> # header_checks - Postfix built-in header/body inspection
> > |> #
> > |> /exclusion@test\.example\.net/ OK
> > |>
> > |> # Everyone else will go through MailScanner!
> > |> /.*/ HOLD
> > |>
> > |> # EOF
> > |>
> > |>
> > |> This does the trick for me. It might work for others.
> > | This would be a better replacement for the header check thing, in
> > | cases where you'd like to be selective. Thanks for thinking it up, and
> > | sharing.
> >
> > Sharing is what makes OS so much stronger.
> >
> > But I have found an issue I am not able to pinpoint yet. Every email to
> > my postmaster seems to bypass MailScanner as well. I have grepped my
> > config files until my fingers grew tired. But I have no postmaster
> > exception in postfix anywhere. Nor do I have one in MailScanner.
> >
> > Is there a built-in option of postfix I am missing here?
>
> Nah, it likely is a regexp thing:-).
> Your pattern
> /.*/
> literally means "anything containing at least one character". So you
Correction. It _should_ mean anything containing 0 or more characters,
but seems to mean the above... Which will miss the empty string. Sigh.
> need to match the empty recipient as well with a separate
> /^$/ HOLD
> pattern in there, or else the empty sender (==MAILER-DAEMON,
> postmaster or ...:-) will simply "fall through".
> Try it and tell us how you fare!
>
>
> Cheers
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
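
Added example, not part of the original thread or of Postfix or MailScanner: a small Python model of the first-match lookup on the regexp access table quoted above, used to list which recipients would skip HOLD. It assumes Python's `re` as a stand-in for Postfix's regexp engine and writes the archive's " at " as "@"; the sample recipients and the anchored variant of the table are constructed for illustration and go one step beyond what the thread discusses.

```python
import re

# Constructed copy of the table quoted in the thread, "@" written out.
TABLE_FROM_THREAD = r"""
/exclusion@test\.example\.net/ OK
# Everyone else will go through MailScanner!
/.*/ HOLD
"""

# Hypothetical hardened variant: the exemption is anchored at both ends.
TABLE_ANCHORED = r"""
/^exclusion@test\.example\.net$/ OK
/.*/ HOLD
"""

def parse_table(text):
    """Return [(compiled pattern, action)] in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if m is None:
            raise ValueError(f"unparsed rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        # Assumption: Python's re stands in for Postfix's regexp engine.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, recipient):
    """First matching rule wins; None models 'no rule matched'."""
    for pattern, action in rules:
        if pattern.search(recipient):  # unanchored substring search
            return action
    return None

def unscanned(rules, recipients):
    """Recipients that do not get HOLD and so would skip MailScanner."""
    return [r for r in recipients if lookup(rules, r) != "HOLD"]

# Constructed sample recipients, not taken from the thread.
SAMPLE = ["exclusion@test.example.net", "hugo@example.org",
          "postmaster@example.org", "not-exclusion@test.example.net"]

if __name__ == "__main__":
    for name, table in (("thread", TABLE_FROM_THREAD), ("anchored", TABLE_ANCHORED)):
        print(name, "->", unscanned(parse_table(table), SAMPLE))
```

On a live system, `postmap -q <address> regexp:/etc/postfix/regexp/MailScanner` queries the real table the same way, one address at a time.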