Per (local) recipient check exceptions

Gary V mr88talent at gmail.com
Sat Feb 16 19:40:43 CET 2013


On Fri, Feb 15, 2013 at 6:51 AM, milos.kaurin wrote:
> Hi all
>
>
> I have set up a restrictive amavis-new daemon which works great
>
>
> I would, however, like some users on my domain to be able to accept some of
> the extensions that are otherwise banned.
>
> I'm not sure what is the right way to go about doing this.
>
> Basically, I need to let, say, tom@example.com and sally@example.com to be
> able to receive .avi and .pdf (which is currently restricted)

If you use 2.3.0 or newer and your intent is to allow a particular
recipient (or recipients) to receive certain files that are blocked by
the current settings in banned_filename_re, you could first redefine
the %banned_rules hash and include a complete custom set of
$banned_filename_re settings there. In addition, this hash necessarily
includes the 'DEFAULT' banned_filename_re settings and needs to be
positioned after the existing $banned_filename_re new_RE( ... );
setting. Then set up a policy bank to trigger the recipient to use the
reconfigured rules. For example:

%banned_rules = (
  'ALLOW_PDF' => new_RE(
      [qr'.\.(avi|pdf)$'i => 0],  # pass .avi and .pdf files
      # block certain double extensions anywhere in the base name:
      qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
      qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
      qr'^application/x-msdownload$'i,                  # block these MIME types
      qr'^application/x-msdos-program$'i,
      qr'^application/hta$'i,
      qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
      qr'^\.(exe-ms)$',                       # banned file(1) types
      ),
  'DEFAULT'=>$banned_filename_re,
);

$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'ALLOWPDF';

$policy_bank{'ALLOWPDF'} = {
 banned_filename_maps => ['ALLOW_PDF'], # more permissive banning rules
};

In main.cf add a check_recipient_access that serves to toggle the
FILTER to port 10026:

smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/amavis_allow_pdf

The contents of /etc/postfix/amavis_allow_pdf (don't forget to postmap
the file):
tom@example.com FILTER smtp-amavis:[127.0.0.1]:10026
sally@example.com FILTER smtp-amavis:[127.0.0.1]:10026

Hopefully it's obvious my amavis is configured as an after queue
filter and my transport in master.cf is called smtp-amavis

-- 
Gary V
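
Added example (not part of the original post and not amavisd-new's own code): a small Perl harness showing why the [qr'...' => 0] entry is listed first in 'ALLOW_PDF'. It assumes a simplified model in which the rules are tried in order against a single name and the first match decides; the @restrictive list and the attachment names are constructed stand-ins.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model (assumption): rules are tried in order against one name
# and the first match decides. A bare qr// bans; [ qr// => 0 ] passes.
sub verdict {
    my ($rules, $name) = @_;
    for my $rule (@$rules) {
        my ($re, $banned) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
        return $banned ? 'BANNED' : 'pass' if $name =~ $re;
    }
    return 'pass';    # no rule matched
}

# Patterns copied from the post's 'ALLOW_PDF' entry (name rules only).
my $double_ext = qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i;
my $basic_ext  = qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i;
my $avi_pdf    = qr'.\.(avi|pdf)$'i;

# Constructed stand-in for a site default that bans .avi and .pdf.
my @restrictive = ($double_ext, $basic_ext, $avi_pdf);
# Same order as the post: the pass rule comes before the ban rules.
my @allow_pdf   = ([ $avi_pdf => 0 ], $double_ext, $basic_ext);

# Constructed attachment names.
my @names = qw(holiday.avi report.pdf invoice.pdf.exe setup.exe notes.txt);

printf "%-18s %-10s %s\n", 'name', 'DEFAULT', 'ALLOW_PDF';
for my $name (@names) {
    printf "%-18s %-10s %s\n", $name,
        verdict(\@restrictive, $name), verdict(\@allow_pdf, $name);
}
```

invoice.pdf.exe stays banned under both lists because the pass rule is anchored with $ and only matches names that end in .avi or .pdf.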

