Per (local) recipient check exceptions
milos.kaurin at gmail.com
Sun Feb 17 17:28:55 CET 2013
Thank you, I will definitely look into it.
On Sun, Feb 17, 2013 at 1:19 AM, Noel Jones <njones at megan.vbhcs.org> wrote:
> On 2/16/2013 12:40 PM, Gary V wrote:
> > On Fri, Feb 15, 2013 at 6:51 AM, milos.kaurin wrote:
> >> Hi all
> >>
> >>
> >> I have set up a restrictive amavis-new daemon which works great
> >>
> >>
> >> I would, however, like some users on my domain to be able to accept some of
> >> the extensions that are otherwise banned.
> >>
> >> I'm not sure what is the right way to go about doing this.
> >>
> >> Basically, I need to let, say, tom at example.com and sally at example.com to be
> >> able to receive .avi and .pdf (which is currently restricted)
> >
> > If you use 2.3.0 or newer and your intent is to allow a particular
> > recipient (or recipients) to receive certain files that are blocked by
> > the current settings in banned_filename_re, you could first redefine
> > the %banned_rules hash and include a complete custom set of
> > $banned_filename_re settings there. In addition, this hash necessarily
> > includes the 'DEFAULT' banned_filename_re settings and needs to be
> > positioned after the existing $banned_filename_re new_RE( ... );
> > setting. Then set up a policy bank to trigger the recipient to use the
> > reconfigured rules. For example:
> >
> > %banned_rules = (
> >   'ALLOW_PDF' => new_RE(
> >     [qr'.\.(avi|pdf)$'i => 0],  # pass .avi and .pdf files
> >     # block certain double extensions anywhere in the base name:
> >     qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
> >     qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i,  # Windows Class ID CLSID, strict
> >     qr'^application/x-msdownload$'i,  # block these MIME types
> >     qr'^application/x-msdos-program$'i,
> >     qr'^application/hta$'i,
> >     qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,  # banned extension - basic
> >     qr'^\.(exe-ms)$',  # banned file(1) types
> >   ),
> >   'DEFAULT' => $banned_filename_re,
> > );
> >
> > $inet_socket_port = [10024,10026];
> > $interface_policy{'10026'} = 'ALLOWPDF';
> >
> > $policy_bank{'ALLOWPDF'} = {
> >   banned_filename_maps => ['ALLOW_PDF'],  # more permissive banning rules
> > };
> >
> > In main.cf add a check_recipient_access that serves to toggle the
> > FILTER to port 10026:
> >
> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     reject_unauth_destination,
> >     check_recipient_access hash:/etc/postfix/amavis_allow_pdf
> >
> > The contents of /etc/postfix/amavis_allow_pdf (don't forget to postmap
> > the file):
> > tom at example.com FILTER smtp-amavis:[127.0.0.1]:10026
> > sally at example.com FILTER smtp-amavis:[127.0.0.1]:10026
>
>
> Caution: FILTER is a per-message action, not per-recipient.
> Multirecipient mail may not be routed as you expect.
>
> Controlling the next-hop per recipient reliably requires using a
> transport map and multiple postfix instances. See postfix-users
> archives for details.
>
> Or you may decide you can live with occasional misrouted mail, but
> then you're not going to be surprised when that happens.
>
>
> -- Noel Jones
>
>
>
> >
> > Hopefully it's obvious my amavis is configured as an after queue
> > filter and my transport in master.cf is called smtp-amavis
> >
>
>
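
Added example (not part of the original thread, and not Postfix or amavis code): a small Python model of the caution quoted above, that FILTER is a per-message action and the last FILTER to fire applies to every recipient. It assumes the default content_filter points at port 10024; bob@example.com is a constructed recipient who is not in the access map.

```python
# Added illustration: a model of the documented FILTER behaviour, not Postfix code.
DEFAULT_FILTER = "smtp-amavis:[127.0.0.1]:10024"     # assumed main.cf content_filter
PERMISSIVE_FILTER = "smtp-amavis:[127.0.0.1]:10026"  # port bound to the ALLOWPDF bank

# Mirrors /etc/postfix/amavis_allow_pdf from the thread.
ACCESS_MAP = {
    "tom@example.com": PERMISSIVE_FILTER,
    "sally@example.com": PERMISSIVE_FILTER,
}


def route_message(recipients):
    """Return the one content filter applied to the whole message.

    check_recipient_access is evaluated for every RCPT TO, but a FILTER
    result is stored per message; when several fire, the last one wins.
    """
    chosen = DEFAULT_FILTER
    for rcpt in recipients:
        action = ACCESS_MAP.get(rcpt.lower())
        if action is not None:
            chosen = action
    return chosen


def unintended_exemptions(recipients):
    """List recipients who get the relaxed banned rules without being listed."""
    if route_message(recipients) != PERMISSIVE_FILTER:
        return []
    return [r for r in recipients if r.lower() not in ACCESS_MAP]


if __name__ == "__main__":
    # Constructed envelopes; bob@example.com is a hypothetical unlisted user.
    envelopes = [
        ["bob@example.com"],
        ["tom@example.com"],
        ["bob@example.com", "tom@example.com"],
        ["tom@example.com", "sally@example.com"],
    ]
    for rcpts in envelopes:
        print(rcpts, "->", route_message(rcpts),
              "| unintended:", unintended_exemptions(rcpts))
```

Any non-empty result marks a message where the .avi/.pdf ban was lifted for someone outside the access map, which is the misrouting the caution describes.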