Date: Sun, 15 Oct 2006 22:53:40 +0200 From: Erik Norgaard <norgaard@locolomo.org> To: freebsd-questions@freebsd.org Subject: Re: Non English Spam Message-ID: <45329FD4.4040101@locolomo.org> In-Reply-To: <20061015154213.35EC.GERARD@seibercom.net> References: <Pine.BSF.3.96.1061016013445.21409C-100000@gaia.nimnet.asn.au> <45328A41.9040904@locolomo.org> <20061015154213.35EC.GERARD@seibercom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Gerard Seibert wrote: > On Sunday October 15, 2006 at 03:21:37 (PM) Erik Norgaard wrote: > > >> Ian Smith wrote: > > [...] > >> Maybe I didn't make clear how the filtering in Postfix works? Each >> header line is unwrapped and then filtered independent of the others. >> There is no info as to if that is the first or last Received line. >> >> I can make a rule to reject the mail. And I can make a rule that accept >> a given header line, but the remaining header will still be filtered and >> possibly rejected. >> >> I can't make a header check for Received cause checks for content-type >> to be skipped. >> >> Nor can I make incoming mail from white listed servers skip the header >> checks. The two things are independent: The first applies when >> establishing the connection: HELO, MAIL FROM, RCPT TO etc. The header >> checks are invoked if the initial delivery request was accepted. >> >> Yes, that sucks, but that's how Postfix works. > > Are you sure about that? I use Postfix myself and that does not appear > to be correct, although it might be. Have you ever posted this question > on the postfix forum? <postfix-users@postfix.org> There are some pretty > sharp individuals there who might be able to give you some advice. I am certain that: 1) header/body checks are independent of the smtpd_restrictions - I can send a mail that is rejected even though I have authenticated and permit authenticated connections. 2) OK when a header line is matched does not affect the parsing of other header lines, and if you think about it you wouldn't want that: Then it would be possible to include a secret keyword or forged header line in the top of the header to get by the other rules. Basically, the only line that you can trust is the first Received which our server inserted - which as mentioned is waste to check. So, no header check in itself should allow an entire mail. There is a FILTER keyword which you can use to "tag" a mail for further content filtering. That action is taken after all the header checks have been done. Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45329FD4.4040101>