How to block attachments on incoming mails only using Postfix?
I will rewrite your question as:
How can I use different *_header_checks for smtpd (port 25) and submission (port 587)?
This canonical problem can be divided into several cases:
- I want to turn off header_checks for one of smtpd or submission.
- I want to run different header_checks for smtpd and submission.
1. I want to turn off header_checks for one of smtpd or submission.
For this example, I assume that you want to turn off header_checks for submission (outgoing email).
Solution 1: receive_override_options method
You can use the Postfix parameter called receive_override_options. With this parameter you can override the global header_checks switch, so the filter won't run.
```
# main.cf
header_checks = pcre:/path/to/header_checks

# master.cf
submission inet n - n - - smtpd
  -o receive_override_options=no_header_body_checks
```
Caveat: this will turn off ALL *_header_checks and body_checks defined in man 5 header_checks. For complete control over which parameters are turned off, see Solution 2.
Solution 2: Multiple cleanup service method
We can use the multiple-cleanup-service technique for your problem, as *_header_checks are performed by the cleanup service. You can see an example of this setup in the amavisd-new tutorial.
The magic parameter for this configuration is cleanup_service_name. With this parameter, we can use a different cleanup service for each smtpd process. First we define one additional cleanup service (called no-headerchecks) in master.cf:
```
no-headerchecks unix n - n - 0 cleanup
  -o mime_header_checks=
```
In this cleanup service, we define an empty mime_header_checks to disable filtering. The last step is to tell the submission service to use our no-headerchecks:
```
submission inet n - n - - smtpd
  -o cleanup_service_name=no-headerchecks
```
2. I want to run different header_checks for smtpd and submission.
For this problem you can use the multiple cleanup service method as described above.
First we define one additional cleanup service (called second-headerchecks) in master.cf:
```
second-headerchecks unix n - n - 0 cleanup
  -o mime_header_checks=pcre:/path/to/2ndheaderchecks
```
In this cleanup service, we point the second mime_header_checks to another PCRE table. The last step is to tell the submission service to use our second-headerchecks:
```
submission inet n - n - - smtpd
  -o cleanup_service_name=second-headerchecks
```
Note:
Your case looks similar to this question. Unfortunately, the answer from Laurentiu Roescu only works if you want to enable header_checks for outgoing mail that uses smtp as transport. The good news is that his first sentence about the cleanup daemon gives us some idea for the second solution. The multiple cleanup service method can be applied if you want different header_checks, body_checks and other parameters defined in man 5 header_checks.
In /etc/postfix/master.cf, not /etc/postfix/main.cf, add (nb must be tabbed spaces):
```
second-headerchecks unix n - n - 0 cleanup
	-o mime_header_checks=pcre:/etc/postfix/2ndheaderchecks
submission inet n - n - - smtpd
	-o cleanup_service_name=second-headerchecks
#
first-headerchecks unix n - n - 0 cleanup
	-o mime_header_checks=pcre:/etc/postfix/1stheaderchecks
smtp inet n - n - - smtpd
	-o cleanup_service_name=first-headerchecks
#
```
Create /etc/postfix/1stheaderchecks, which in this case is to block incoming zip files, then create the .db file:
```
/name=[^>]*\.zip/ REJECT security issue - please contact....by phone
```
Then create /etc/postfix/2ndheaderchecks, to allow outgoing attachments (and create the .db file):
```
# this file being 2ndheaderchecks allows for the sending of zip etc files which otherwise might be blocked
# ie all files can be sent aside from .128 files...I didn't want to leave it blank as was not sure if that would work
/name=[^>]*\.128/ REJECT
```
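
An added example, not part of either answer above: a small Python audit that reads master.cf text the way the answers rely on it (an indented `-o` line continues the previous service entry) and reports which cleanup service and mime_header_checks table each smtpd listener ends up with. The function names and the sample text are constructed for illustration; the sample reuses the service names and paths from the second answer.

```python
# Constructed sample: the master.cf entries from the answers above. The "-o"
# lines begin with whitespace, which makes them continuation lines.
SAMPLE_MASTER_CF = """\
smtp inet n - n - - smtpd
  -o cleanup_service_name=first-headerchecks
submission inet n - n - - smtpd
  -o cleanup_service_name=second-headerchecks
first-headerchecks unix n - n - 0 cleanup
  -o mime_header_checks=pcre:/etc/postfix/1stheaderchecks
second-headerchecks unix n - n - 0 cleanup
  -o mime_header_checks=pcre:/etc/postfix/2ndheaderchecks
"""

def parse_master_cf(text):
    """Return {(service, type): (command, {parameter: value})}."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += line.split()   # continuation of the previous entry
        else:
            entries.append(line.split())  # start of a new logical line
    services = {}
    for fields in entries:
        if len(fields) < 8:               # e.g. an "-o" line that lost its indent
            raise ValueError("not a service entry: " + " ".join(fields))
        args = fields[8:]
        overrides = dict(args[i + 1].split("=", 1)
                         for i in range(len(args) - 1) if args[i] == "-o")
        services[(fields[0], fields[1])] = (fields[7], overrides)
    return services

def header_check_routing(text):
    """Map each smtpd listener to (cleanup service, its mime_header_checks)."""
    services = parse_master_cf(text)
    routing = {}
    for (name, stype), (command, overrides) in services.items():
        if stype == "inet" and command == "smtpd":
            cleanup = overrides.get("cleanup_service_name", "cleanup")
            target = services.get((cleanup, "unix"), ("", {}))
            table = (target[1].get("mime_header_checks", "(main.cf value)")
                     if target[0] == "cleanup" else "MISSING cleanup service")
            routing[name] = (cleanup, table)
    return routing

if __name__ == "__main__":
    for listener, (cleanup, table) in header_check_routing(SAMPLE_MASTER_CF).items():
        print(f"{listener:11} -> {cleanup:20} mime_header_checks={table}")
```

On a live host, `postconf -P` prints the `-o` overrides as Postfix itself parsed them, which is the authoritative check.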