policy banks question

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Apr 15 01:45:36 CEST 2011


> I'm reading over:
> <http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim>
> and I'm confused somewhat about the originating vs foreign regular
> expression bits for Postfix.  It seems to me that both of these regular
> expression files are identical other than the port, so how is one email
> considered originating and another foreign?  Is that something postfix
> "knows" based on the domain name?
> Basically, what I'm working on is setting domain disclaimers for
> "originating" emails (and eventually to do DKIM signing on originating
> emails as well).  I don't need postfix to do any milter work, so I don't
> need the 10027 port.  Right now I have ports 10024 and ports 10026 open via
> amavis, and 10026 is the originating policy bank.  However, I am just
> missing how postfix "knows" an email is originating vs foreign based on
> those regular expressions.

We are talking about the following:

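smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

/etc/postfix/tag_as_originating.re:
  /^/  FILTER amavisfeed:[]:10026

/etc/postfix/tag_as_foreign.re:
  /^/  FILTER amavisfeed:[]:10024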

The magic is not in a regex (which matches everything which
reaches it), but in the order of rules in smtpd_sender_restrictions.
Remember that a FILTER in a matching access map just makes its
argument overlay the content_filter setting. The last FILTER
triggering has the final say (i.e. wins).

So the tag_as_originating.re places amavisfeed:[]:10026
into a content_filter for everybody first.

Then smtpd_sender_restrictions proceeds to permit_mynetworks,
permit_sasl_authenticated and permit_tls_clientcerts. If any
of these three rules match, the search stops here and the
amavisfeed:[]:10026 remains in content_filter.

If, however, none of the three rules identifying local nets
or authenticated roaming users match, then the search reaches
the 'check_sender_access regexp:/etc/postfix/tag_as_foreign.re',
which overlays its cargo into a content_filter, which ends up
being amavisfeed:[]:10024. This happens for any
inbound or nonauthenticated client - which is exactly what we
need (assuming amavisd has a policy bank with originating=>1
hanging on a TCP port 10026).
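
The evaluation order described in the message above, as an added example that is not part of the original message or of the amavisd-new documentation. It is a simplified model, not Postfix code: the function names and the client classes are assumptions, and it only captures "a later FILTER overlays an earlier one" and "a matching permit stops the search". It also checks two misordered lists to show which clients would land in the wrong policy bank.

```python
# Simplified model of walking smtpd_sender_restrictions (constructed example).
ORIGINATING = "amavisfeed:[]:10026"   # as written in the message above
FOREIGN = "amavisfeed:[]:10024"

# Order described in the message: tag everybody as originating, let the three
# permit rules stop the search, then overlay the foreign filter for the rest.
RESTRICTIONS = [
    ("filter", ORIGINATING),          # check_sender_access tag_as_originating.re
    ("permit", "mynetworks"),
    ("permit", "sasl_authenticated"),
    ("permit", "tls_clientcerts"),
    ("filter", FOREIGN),              # check_sender_access tag_as_foreign.re
]

def content_filter_for(client_props, restrictions=RESTRICTIONS):
    """Return the content_filter value a session ends up with.

    client_props: set of permit conditions that hold for this client.
    """
    chosen = None
    for kind, arg in restrictions:
        if kind == "filter":
            chosen = arg              # /^/ matches every sender; last FILTER wins
        elif kind == "permit" and arg in client_props:
            break                     # a matching permit ends the search
    return chosen

# Constructed client classes: (conditions that hold, should be originating?)
CASES = {
    "mynetworks": ({"mynetworks"}, True),
    "sasl": ({"sasl_authenticated"}, True),
    "tls_cert": ({"tls_clientcerts"}, True),
    "internet": (set(), False),
}

def misrouted(restrictions):
    """Names of client classes that reach the wrong amavisd port."""
    bad = []
    for name, (props, local) in CASES.items():
        if (content_filter_for(props, restrictions) == ORIGINATING) != local:
            bad.append(name)
    return bad

# Two misorderings: both maps first, and the two maps swapped.
BOTH_FIRST = [RESTRICTIONS[0], RESTRICTIONS[4]] + RESTRICTIONS[1:4]
SWAPPED = [RESTRICTIONS[4]] + RESTRICTIONS[1:4] + [RESTRICTIONS[0]]

if __name__ == "__main__":
    for label, rules in (("documented", RESTRICTIONS),
                         ("both maps first", BOTH_FIRST), ("swapped", SWAPPED)):
        print(f"{label}: misrouted = {misrouted(rules)}")
```

With the maps swapped, unauthenticated Internet clients reach port 10026 and would be handled by the originating policy bank, which is the case to rule out before enabling DKIM signing there.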

