6

How can I apply different header_checks for incoming and outgoing mail using postfix?

By default, all header_checks are applied to both incoming and outgoing.

sysadmin1138
Zulakis
  • 1
    For anyone coming from search, this answer might give a clue on how to implement this: https://serverfault.com/a/998993/153238 – PF4Public Aug 05 '21 at 12:45

3 Answers

6

header_checks is done by cleanup so I don't think you can apply it only for incoming or outgoing.

smtp_header_checks is applied only for outgoing mail (smtp client)

Laurentiu Roescu
  • 1
    Hm, thanks. That's a little bit better than only having `header_checks`. However, this still leaves me with problems: 1) `smtp_header_checks` is only used when mail leaves your server, so mail between users won't get filtered. 2) `header_checks` is still executed for both incoming and outgoing; it is not possible to have checks only for incoming – Zulakis May 25 '13 at 20:01
  • header_checks is applied for incoming mail. But for postfix everything is incoming, local or internet. If you need to do it only for locally delivered emails, maybe you can do it at another level, for example in the MDA (procmail, for example). – Laurentiu Roescu May 25 '13 at 20:28
  • Okay, I think I am going to do it like this: mail 'sent' by a local user is going to either get filtered by `smtp_header_checks` OR by an MDA if it is being sent to another local user. All checks of mails received from other domains are also going to be done by the MDA. Do you think it's going to work like that or are there any problems I did not see? – Zulakis May 25 '13 at 20:59
2

If there is a mail header which you can use to identify which is incoming and which is outgoing mail, with postfix 3.2 or newer you can short-circuit the header_checks, like:

```
/^Received: .*detect_outgoing_mails/ PASS
/^X-Something: this rule will only match on incoming mails/ HOLD
```

(but it still gives you only the option to match ALL (as before), or to match only incoming or only outgoing mail, and it requires a relatively new postfix version)

As a better alternative, if you can always receive "outgoing" mail (mail from clients for whom you act as mail relay server) on one port (submission: tcp/587) and incoming mail on tcp/25, you should be able to use master.cf to override header_checks for each one, like this:

```
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o header_checks=pcre:/etc/postfix/header_checks.relay

smtp      inet  n       -       -       -       200     smtpd
  -o strict_rfc821_envelopes=yes
  -o header_checks=pcre:/etc/postfix/header_checks.mx
```

but that won't work if the clients for whom you relay also use tcp/25 like the rest of the world. If they do, you could set up an alternative port for them and it would work, but the feasibility of that depends on your ability to persuade all your users to change their settings.

If you have an extra IP to spare, you could also make it mostly transparent for users: let's say you had smtp.example.org as both the relay server for users and as your MX with IP a.a.a.a; you could change the domain's MX to IP b.b.b.b, and then use one smtpd server at a.a.a.a with one set of header checks, and another smtpd server at b.b.b.b with another set of header checks. This is even easier if you relay only for users from, say, 192.168.x.x/24, when you could even keep the same DNS name and use DNS views to present the internal IP for internal clients, and the external IP for the rest of the world.

And a third way is to use the postfix FILTER capability instead of header_checks: instead of simple regexp matching, it will forward the whole message to your custom script for processing, which can then easily distinguish between incoming and outgoing mail by inspecting headers, and then do any postprocessing as wanted.

Matija Nalis
  • also see http://serverfault.com/questions/658106/how-to-block-attachments-on-incoming-mails-only-using-postfix – Matija Nalis Jan 16 '17 at 21:15
  • 1
    Please note you can't use header_checks in smtpd in master.cf, as it's implemented by cleanup, not smtpd – Waleed Hamra Jan 24 '19 at 15:44
  • Yep, so need to use `smtpd` option called `cleanup_service_name` and define such an alternate in `master.cf`. – lkraav Jan 02 '22 at 12:45
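
The per-port split from the answer above, wired the way the two comments describe: each `smtpd` listener selects its own cleanup instance through `cleanup_service_name`, and the `header_checks` override sits on that cleanup instance. This is an added example, not configuration posted by anyone in the thread; the service names `cleanup_relay` and `cleanup_mx` are hypothetical, and the map paths are the ones used in the answer.

```conf
# master.cf (added example; cleanup_relay / cleanup_mx are hypothetical names)

# Submission port: authenticated clients relaying outbound mail.
# smtpd passes each message to the cleanup service named here.
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=cleanup_relay

# Port 25: mail arriving from the rest of the world.
smtp       inet  n       -       n       -       -       smtpd
  -o cleanup_service_name=cleanup_mx

# Alternate cleanup instances. header_checks is a cleanup(8) parameter,
# so the override must be set here; on an smtpd line it has no effect.
# Copy the chroot column (5th field) from your existing "cleanup" line.
cleanup_relay unix n     -       n       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/header_checks.relay

cleanup_mx    unix n     -       n       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/header_checks.mx

# Leave the stock "cleanup" entry in place: pickup (local sendmail
# submission) and bounce still use it, together with whatever
# header_checks is set in main.cf.
```

Run `postfix check` and `postfix reload` after editing; `postconf -P` lists the `-o` overrides per service, which confirms that each listener points at the intended cleanup instance.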
0

If I understand your question correctly, you should be able to do this through the /etc/postfix/header_checks file, something like this for the outgoing mail:

```
/^From: "spammer/ REJECT
/^To: bob@here.com/ REDIRECT bob@there.com
```

I did this a long time ago, so I don't remember all the details, but you can get more info from here: DOC

This would allow you to define an action depending on whether mail is incoming or outgoing. I hope this answers your question.

APZ
  • Sorry, but this is not what I am looking for. I want to apply different `header_checks` to incoming/outgoing mail. I do not want to do a certain action depending on incoming/outgoing. – Zulakis May 25 '13 at 17:11
  • 1
    The reason for this is that I need to modify some headers depending on where the mail is coming from. As header_checks is line-based, I cannot achieve this using a single header_checks file. – Zulakis May 25 '13 at 17:13