Postfix : Conditional Header Checks

postfix smtp

After comment from @masegaloeh I've found a solution. The idea is to have a second postfix SMTP server listening on 10025 with a policy server in order to send mails to the normal server (if whitelisted) or to the quarantine server.

The idea was starting as your header_checks solution, in main.cf:

header_checks = regexp:/etc/postfix/header_checks

In header_checks:

/^(S|s)ubject: .*!!(SPAM|BULK|SUSPECT)!!.*/ FILTER  smtp:127.0.0.1:10025

Then in master.cf (edited with @masegaloeh comments):

10025      inet  n       -       n       -       -       smtpd
        -o receive_override_options=no_header_body_checks
        -o smtpd_recipient_restrictions=${my_switcher_restrictions}
policy  unix    -       n       n       -       0       spawn   user=nobody argv=/etc/postfix/policy-server-switcher

This makes the second instance of postfix override the use of header_checks.

And in main.cf

my_switcher_restrictions = check_policy_service unix:private/policy

And the contents of policy-server-switcher

!/bin/bash

sender=""
recipient=""

while read line
    do
    key=$(echo $line | cut -f1 -d=)
    value=$(echo $line|cut -f2 -d=)
    if [ "$key" == "sender" ] 
        then
        sender=${value}
        logger -p mail.info -t PolicyServer "Sender is: ${value}"
        fi
    if [ "$key" == "recipient" ] 
        then
        recipient=${value}
        logger -p mail.info -t PolicyServer "Recipient is: ${value}"
        fi
    if [  "x${recipient}" != "x" ] && [  "x${sender}" != "x" ]
        then
        if [ "$sender" == "[email protected]" ] && [ "$recipient" == "[email protected]" ]
            then
            echo "action=FILTER smtp:192.168.1.150"
            echo
            exit 0
            fi
        if [ "$sender" == "[email protected]" ] && [ "$recipient" == "[email protected]" ]
            then
            echo "action=FILTER smtp:192.168.1.150"
            echo
            exit 0
            fi
        echo "action=FILTER smtp:192.168.1.151"
        echo
        exit 0
        fi
    done

Of course you will need to program your policy server to load the whitelist from database or LDAP, here is just an example to get the idea.

But this still have some caveats, suppose I send a mail with this

From: [email protected]

To: [email protected]

To: [email protected]

This will go to the normal server for alphamikevictor and for thomas, as far as the last test against the policy server returns FILTER to the normal, but if you place alphamikevictor on second position then it will send mail for both recipients to quarantine.

Related

In Apache, is there a way to limit the number of new connections per second/hour/day?
Syslinux: How to correctly configure for UEFI PXE boot?
ipTables: How to improve the current set-up?
Article after 'added' or 'implemented' in software changelogs [closed]
A respectful alternative to the word "you" or "your" [duplicate]
Do you walk up or climb stairs
Is there a sense of "caravanserai" which includes an elaborate transportation - such as of a circus?
Enter is to entrant as exit is to * [closed]
One word for "set as pending" [closed]
"translation of" or "translation for"
Is it "moved into" or "moved in to"?
Is a single adjective proper grammar? [duplicate]