3

My users send email with SMTP AUTH via SASL authentication. Unfortunately, their mails are marked as NoBounceOpenRelay by Amavis.

So I set this in the Postfix main.cf:

smtpd_sasl_authenticated_header = yes

Is it possible to tell Amavis to check this email header, so I can use a policy_bank to bounce or reject mails which contain spam?

masegaloeh
MarcJ

1 Answer

3

Looks like your case is similar to this example case in the Amavisd documentation:

If for some reason SASL users connect to port 25, as an alternate method you could have all clients in Postfix' $mynetworks and SASL auth senders bypass checks and let everything else fall through to a catchall that sets the content_filter.

#main.cf
content_filter = smtp-amavis:[127.0.0.1]:10026

smtpd_data_restrictions =
    reject_unauth_pipelining
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access regexp:/etc/postfix/filter-catchall.regexp

# /etc/postfix/filter-catchall.regexp:
/^/ FILTER smtp-amavis:[127.0.0.1]:10024

In this mode,

  • SASL users will be permitted through permit_sasl_authenticated, so they'll fall through to the content_filter parameter, i.e. content_filter = smtp-amavis:[127.0.0.1]:10026.
  • Other email will fall into the catchall check_client_access regexp:/etc/postfix/filter-catchall.regexp, so it will go through smtp-amavis:[127.0.0.1]:10024.

The last part is configuring separate policy banks on ports 10024 and 10026.


The above setup can be extended to allow whitelisting based on other factors, for example SASL username and sender domain.

  • For SASL username, you can use check_sasl_access before permit_sasl_authenticated. Note: this feature is available in Postfix 2.11 and later.

    # main.cf
    ...
    check_sasl_access hash:/etc/postfix/amavis-bypass-sasl
    permit_sasl_authenticated
    ...
    
    
    #/etc/postfix/amavis-bypass-sasl
    
    # Use this when smtpd_sasl_local_domain is empty.
    username   FILTER smtp-amavis:[127.0.0.1]:10026
    # Use this when smtpd_sasl_local_domain=example.com.
    username@example.com FILTER smtp-amavis:[127.0.0.1]:10026
    
  • For sender domain, you can use check_sender_access

    # main.cf
    ...
    check_sender_access hash:/etc/postfix/amavis-bypass-sender
    permit_sasl_authenticated
    ...
    
    
    #/etc/postfix/amavis-bypass-sender
    
    # Sender domains whose mail is filtered through port 10026.
    internal.example.com   FILTER smtp-amavis:[127.0.0.1]:10026
    whitelist.example.org FILTER smtp-amavis:[127.0.0.1]:10026
    
masegaloeh
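
The answer leaves the last step, the separate policy banks on ports 10024 and 10026, unwritten. The amavisd.conf fragment below is an added example of that step, not part of the original answer or of the Amavisd documentation it quotes. It assumes the port layout from the main.cf above; the bank name ORIGINATING and the address postmaster@example.com are placeholders chosen here.

```perl
# amavisd.conf fragment (added example, Perl syntax)

# Listen on both ports that Postfix hands mail to.
$inet_socket_port = [10024, 10026];

# Port 10024 receives everything routed by the catch-all FILTER action
# and keeps the default policy, i.e. mail from the outside.
# Port 10026 receives mail from $mynetworks clients and SASL-authenticated
# senders (the default content_filter) and loads the bank defined below.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  # Declare that this mail was submitted by our own users, so it is
  # no longer treated as mail from an unknown outside sender.
  originating => 1,

  # What to do with spam submitted by our own users; D_REJECT is the
  # alternative if the submitting client should see an SMTP rejection.
  final_spam_destiny => D_BOUNCE,

  # Placeholder address (assumption): notify an administrator about
  # spam or malware that originates from local accounts.
  spam_admin_maps  => ['postmaster@example.com'],
  virus_admin_maps => ['postmaster@example.com'],
};
```

With the sender-domain variant above, the envelope sender alone decides which port a message reaches, so the bank on 10026 should still scan for spam and viruses rather than bypass checks.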