Using amavisd forward_method or forward_methods_by_ccast_maps to force TLS for certain domains

Mark Martinec via amavis-users amavis-users at amavis.org
Thu Aug 29 20:47:04 CEST 2013


Tom,

Sorry for delay ... vacations, catching up with work, ...

> We've got a large number of domains for which we filter email.  Some of
> them have specific destinations to which they want to enforce TLS, bouncing
> email destined to that domain if TLS is not available.  (they need to
> require it - opportunistic TLS isn't enough for them for certain domains).
> 
> We can't use the standard postfix maps, because while one user might want
> to force TLS to, say gmail.com, another might not.
> 
> So we need to basically look up the recipient domain to see if it's in a
> list that where the sender wants TLS to be forced and then send it to a
> postfix instance that enforces TLS.  I'm looking for the best way to handle
> this, and am asking for any ideas or opinions.
> 
> Obviously, we're going to do some sort of a lookup based on the sender and
> recipient domains to decide if an outbound message should go to a postfix
> instance that forces tls.
> 
> I thought of doing this with a custom_hook (before_send, perhaps), that
> would  the forward_method for a particular recipient.
> 
> I also noted the forward_method_maps_by_ccat option.....perhaps we would
> create a new ccat that means "deliver by tls"?  And then use
> forward_method_maps_by_ccat to map that to a different forward instance.
>  This seems cleaner, as far as delivery goes....but is there a way to add
> an additional major contents_category constants in a well-supported way
> that doesn't involve modifying the amavisd-new source code?
> 
> Or is there some great way to do this in postfix that isn't occurring to
> me?

The @forward_method_maps list is capable of splitting a multi-recipient
message into several deliveries, grouped automatically by their delivery
method.

If the list of special-need recipient domains is fairly static
and not many of them are different, you could use something like:

  $inet_socket_port = [10024, 10000, 10001];

  $interface_policy{'10000'} = 'NEED_TLS_SENDER1';
  $interface_policy{'10001'} = 'NEED_TLS_SENDER2';

  $policy_bank{'NEED_TLS_SENDER1'} = {
    forward_method_maps => [  # per-recipient map
      { '.sensitive1.com' => 'smtp:[127.0.0.1]:10098',
        '.sensitive2.com' => 'smtp:[127.0.0.1]:10099',
        '.'               => 'smtp:[127.0.0.1]:10025',  # all other recips
      },
    ],
  };

  $policy_bank{'NEED_TLS_SENDER2'} = {
    forward_method_maps => [  # per-recipient map
      { '.sensitiveX.com' => 'smtp:[127.0.0.1]:10077',
        '.sensitive2.com' => 'smtp:[127.0.0.1]:10099',
        '.'               => 'smtp:[127.0.0.1]:10025',  # all other recips
      },
    ],
  };


where a message arriving at amavisd port 10000 (or 10001)
would get a default forward_method overruled by a by-recipient
@forward_method_maps.

Postfix would need to be configured to use amavisd's port
10000 for filtering mail submitted by special-need clients.


If needs are more dynamic or with complicated rules,
a ->delivery_method for each recipient in @{$msginfo->per_recip_data}
could be replaced with whatever forward_method-compatible value
by a custom before_send hook, as you suggested correctly.

See code in amavisd around:
  # a custom hook may change $r->delivery_method
for illustration.


  Mark
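The before_send approach Mark describes, worked out as an added example (this is not code from Mark's post or from the amavisd distribution). It assumes the amavisd custom-hook conventions as I recall them from amavisd-custom.conf: a package Amavis::Custom with new() and before_send() methods, $msginfo->sender and $msginfo->per_recip_data accessors, $r->recip_addr and $r->delivery_method on each per-recipient object, and a printf-style do_log(); check these against your amavisd version. The rule table and the domain names in it are constructed placeholders. It goes slightly beyond the post in that a rule for a domain also matches its subdomains, mirroring the leading-dot keys in Mark's @forward_method_maps example:

```perl
# Added example, not from the amavisd distribution or the original post.
# A before_send hook that re-routes individual recipients to a
# TLS-enforcing Postfix instance based on the (sender domain, recipient
# domain) pair.  Accessor and hook names are assumptions taken from
# amavisd-custom.conf; verify them against your amavisd version.
package Amavis::Custom;
use strict;
use warnings;
BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Util qw(do_log);
}

# Constructed sample rule table (hypothetical domains):
#   sender domain -> { recipient domain -> forward_method-compatible value }
# Each target port is assumed to be a Postfix instance that enforces TLS
# (smtp_tls_security_level = encrypt).  A real deployment would load
# this from a database or hash file rather than hard-coding it.
my %force_tls = (
  'sender1.example' => {
    'sensitive1.example' => 'smtp:[127.0.0.1]:10098',
    'sensitive2.example' => 'smtp:[127.0.0.1]:10099',
  },
  'sender2.example' => {
    'sensitivex.example' => 'smtp:[127.0.0.1]:10077',
  },
);

# Domain part of an envelope address, lower-cased, angle brackets
# stripped; undef for a null sender or a malformed address.
sub addr_domain {
  my($addr) = @_;
  return undef if !defined($addr) || $addr eq '';
  $addr =~ s/^<(.*)>\z/$1/s;
  return undef if $addr !~ /\@([^@]+)\z/;
  return lc($1);
}

# Most specific rule wins: exact recipient domain first, then each
# parent domain, so a rule for 'sensitive1.example' also covers
# 'mail.sensitive1.example'.  Returns undef when no rule applies.
sub lookup_route {
  my($sender_dom, $recip_dom) = @_;
  return undef if !defined($sender_dom) || !defined($recip_dom);
  my $rules = $force_tls{$sender_dom} or return undef;
  my @labels = split(/\./, $recip_dom);
  while (@labels) {
    my $cand = join('.', @labels);
    return $rules->{$cand} if exists $rules->{$cand};
    shift @labels;
  }
  return undef;
}

sub new {
  my($class, $conn, $msginfo) = @_;
  my $self = bless {}, $class;
  $self;
}

sub before_send {
  my($self, $conn, $msginfo) = @_;
  my $sender_dom = addr_domain($msginfo->sender);
  for my $r (@{$msginfo->per_recip_data}) {
    my $route = lookup_route($sender_dom, addr_domain($r->recip_addr));
    next if !defined $route;   # no rule: keep the default forward_method
    # log the override so the forced route is auditable per recipient
    do_log(2, "before_send: forcing TLS route %s for %s (sender domain %s)",
           $route, $r->recip_addr, $sender_dom);
    $r->delivery_method($route);
  }
}

1;
```

Recipients that get a different delivery_method are split off into their own delivery by amavisd, exactly as with @forward_method_maps, so a mixed recipient list still works. The file is assumed to be pulled in from amavisd.conf with include_config_files('/etc/amavisd-custom.conf'); the hook only changes where a recipient is handed off, and the actual TLS enforcement (and the bounce when TLS is unavailable) remains the job of the Postfix instance listening on the chosen port.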

