Using amavisd forward_method or forward_methods_by_ccast_maps to force TLS for certain domains
Mark Martinec via amavis-users
amavis-users at amavis.org
Thu Aug 29 20:47:04 CEST 2013
Tom,
Sorry for delay ... vacations, catching up with work, ...
> We've got a large number of domains for which we filter email. Some of
> them have specific destinations to which they want to enforce TLS, bouncing
> email destined to that domain if TLS is not available. (they need to
> require it - opportunistic TLS isn't enough for them for certain domains).
>
> We can't use the standard postfix maps, because while one user might want
> to force TLS to, say gmail.com, another might not.
>
> So we need to basically look up the recipient domain to see if it's in a
> list where the sender wants TLS to be forced and then send it to a
> postfix instance that enforces TLS. I'm looking for the best way to handle
> this, and am asking for any ideas or opinions.
>
> Obviously, we're going to do some sort of a lookup based on the sender and
> recipient domains to decide if an outbound message should go to a postfix
> instance that forces tls.
>
> I thought of doing this with a custom_hook (before_send, perhaps), that
> would set the forward_method for a particular recipient.
>
> I also noted the forward_method_maps_by_ccat option.....perhaps we would
> create a new ccat that means "deliver by tls"? And then use
> forward_method_maps_by_ccat to map that to a different forward instance.
> This seems cleaner, as far as delivery goes....but is there a way to add
> additional major contents_category constants in a well-supported way
> that doesn't involve modifying the amavisd-new source code?
>
> Or is there some great way to do this in postfix that isn't occurring to
> me?
The @forward_method_maps list is capable of splitting a multi-recipient
message into several deliveries, grouped automatically by their delivery
method.
If the list of special-need recipient domains is fairly static
and not many of them are different, you could use something like:
  $inet_socket_port = [10024, 10000, 10001];
  $interface_policy{'10000'} = 'NEED_TLS_SENDER1';
  $interface_policy{'10001'} = 'NEED_TLS_SENDER2';

  $policy_bank{'NEED_TLS_SENDER1'} = {
    forward_method_maps => [  # per-recipient map
      { '.sensitive1.com' => 'smtp:[127.0.0.1]:10098',
        '.sensitive2.com' => 'smtp:[127.0.0.1]:10099',
        '.'              => 'smtp:[127.0.0.1]:10025',  # all other recips
      },
    ],
  };

  $policy_bank{'NEED_TLS_SENDER2'} = {
    forward_method_maps => [  # per-recipient map
      { '.sensitiveX.com' => 'smtp:[127.0.0.1]:10077',
        '.sensitive2.com' => 'smtp:[127.0.0.1]:10099',
        '.'              => 'smtp:[127.0.0.1]:10025',  # all other recips
      },
    ],
  };
where a message arriving at amavisd port 10000 (or 10001)
would get a default forward_method overruled by a by-recipient
@forward_method_maps.
Postfix would need to be configured to use amavisd's port
10000 for filtering mail submitted by special-need clients.
If needs are more dynamic or with complicated rules,
a ->delivery_method for each recipient in @{$msginfo->per_recip_data}
could be replaced with whatever forward_method-compatible value
by a custom before_send hook, as you suggested correctly.
See code in amavisd around:
# a custom hook may change $r->delivery_method
for illustration.
Mark
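The dynamic variant Mark describes (a before_send hook rewriting each recipient's delivery_method), written out as an added example that is not part of the original message or of amavisd's own distribution. It assumes the Amavis::Custom hook interface (a package with `new` and `before_send`, as in the amavisd-custom.conf sample), the `$msginfo->sender`, `$r->recip_addr` and `$r->delivery_method` accessors, and `Amavis::Util::do_log`; every domain name and port number in the map is a constructed placeholder. The lookup mimics amavisd's own convention that a key beginning with '.' matches the domain and all of its subdomains, while a key without a leading dot matches exactly.

```perl
# Added example for amavisd.conf (hypothetical, not shipped with amavisd):
# a before_send hook that picks a per-recipient delivery_method from a
# sender-domain -> recipient-domain map, so only the listed destinations
# are handed to a TLS-enforcing Postfix instance.
package Amavis::Custom;
use strict;
use warnings;
BEGIN { import Amavis::Util qw(do_log); }   # assumed amavisd logging helper

# sender domain => { recipient domain => forward_method-compatible value }
# Constructed placeholder data: ports 10098/10099/10077 stand for Postfix
# listeners that are configured to require TLS on their outbound leg.
my %tls_required_by_sender = (
  'customer-a.example' => {
    '.sensitive1.example' => 'smtp:[127.0.0.1]:10098',
    '.sensitive2.example' => 'smtp:[127.0.0.1]:10099',
  },
  'customer-b.example' => {
    '.sensitiveX.example' => 'smtp:[127.0.0.1]:10077',
  },
);

sub new {
  my($class, $conn, $msginfo) = @_;
  my $self = bless {}, $class;
  return $self;
}

# Domain part of an address, lowercased; undef when there is no '@'
# (e.g. the null sender of a bounce), so such mail keeps its default route.
sub addr_domain {
  my($addr) = @_;
  return undef if !defined $addr || $addr !~ /\@([^@]+)\z/;
  return lc $1;
}

# Longest-suffix lookup following amavisd's '.domain' convention:
# 'a.b.sensitive1.example' matches the key '.sensitive1.example',
# while 'customer-a.example' (no leading dot) matches only exactly.
sub lookup_domain {
  my($map, $domain) = @_;
  return undef if !defined $domain;
  my @labels = split(/\./, $domain);
  for my $i (0 .. $#labels) {
    my $suffix = join('.', @labels[$i .. $#labels]);
    return $map->{$suffix}    if $i == 0 && exists $map->{$suffix};
    return $map->{".$suffix"} if exists $map->{".$suffix"};
  }
  return undef;
}

sub before_send {
  my($self, $conn, $msginfo) = @_;
  my $per_recip = lookup_domain(\%tls_required_by_sender,
                                addr_domain($msginfo->sender));
  return if !$per_recip;   # this sender has no TLS-only destinations
  for my $r (@{$msginfo->per_recip_data}) {
    my $method = lookup_domain($per_recip, addr_domain($r->recip_addr));
    next if !defined $method;   # leave the default delivery_method alone
    do_log(2, "before_send: routing %s via TLS-enforcing instance %s",
           $r->recip_addr, $method);
    $r->delivery_method($method);   # amavisd groups deliveries by this value
  }
}

1;
```

The hook only chooses the route; the enforcement itself lives in Postfix. Each smtpd listener that the map points at (10098, 10099, 10077 in this constructed example) must be a separate instance or master.cf entry whose outbound smtp client is configured with `smtp_tls_security_level = encrypt` (or `secure`/`dane` where the customer wants certificate verification as well), so that a destination without TLS is deferred and eventually bounced instead of being delivered in clear. Recipients that match no entry keep whatever `$forward_method` amavisd would have used, and because amavisd splits a multi-recipient message by delivery_method, a single message to one TLS-only and one ordinary recipient still produces two correctly routed deliveries.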