Per (local) recipient check exceptions

milos.kaurin at gmail.com milos.kaurin at gmail.com
Sun Feb 17 00:22:50 CET 2013


Thank you so much for your reply!

I have seen what you just described in several other guides online, and
read up on Amavis/Postfix docs.

Now I'm certain this is the definitive way to go about my problem.

Cheers!

On Sat, Feb 16, 2013 at 7:40 PM, Gary V <mr88talent at gmail.com> wrote:

> On Fri, Feb 15, 2013 at 6:51 AM, milos.kaurin wrote:
> > Hi all
> >
> >
> > I have set up a restrictive amavis-new daemon which works great
> >
> >
> > I would, however, like some users on my domain to be able to accept some
> of
> > the extensions that are otherwise banned.
> >
> > I'm not sure what is the right way to go about doing this.
> >
> > Basically, I need to let, say, tom at example.com and sally at example.com to
> be
> > able to recieve .avi and .pdf (which is currently restricted)
>
> If you use 2.3.0 or newer and your intent is to allow a particular
> recipient (or recipients) to receive certain files that are blocked by
> the current settings in banned_filename_re, you could first redefine
> the %banned_rules hash and include a complete custom set of
> $banned_filename_re settings there. In addition, this hash necessarily
> includes the 'DEFAULT' banned_filename_re settings and needs to be
> positioned after the existing $banned_filename_re new_RE( ... );
> setting. Then set up a policy bank to trigger the recipient to use the
> reconfigured rules. For example:
>
> %banned_rules = (
>   'ALLOW_PDF' => new_RE(
>       [qr'.\.(avi|pdf)$'i => 0],  # pass .avi and .pdf files
>       # block certain double extensions anywhere in the base name:
>       qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>       qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows
> Class ID CLSID, strict
>       qr'^application/x-msdownload$'i,                  # block these MIME
> types
>       qr'^application/x-msdos-program$'i,
>       qr'^application/hta$'i,
>       qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension -
> basic
>       qr'^\.(exe-ms)$',                       # banned file(1) types
>       ),
>   'DEFAULT'=>$banned_filename_re,
> );
>
> $inet_socket_port = [10024,10026];
> $interface_policy{'10026'} = 'ALLOWPDF';
>
> $policy_bank{'ALLOWPDF'} = {
>  banned_filename_maps => ['ALLOW_PDF'], # more permissive banning rules
> };
>
> In main.cf add a check_recipient_access that serves to toggle the
> FILTER to port 10026:
>
> smtpd_recipient_restrictions =
>  permit_mynetworks,
>  permit_sasl_authenticated,
>  reject_unauth_destination,
>  check_recipient_access hash:/etc/postfix/amavis_allow_pdf
>
> The contents of /etc/postfix/amavis_allow_pdf (don't forget to postmap
> the file):
> tom at example.com FILTER smtp-amavis:[127.0.0.1]:10026
> sally at example.com FILTER smtp-amavis:[127.0.0.1]:10026
>
> Hopefully it's obvious my amavis is configured as an after queue
> filter and my transport in master.cf is called smtp-amavis
>
> --
> Gary V
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20130217/1907099e/attachment.html>


More information about the amavis-users mailing list