I'm pretty well versed in using header_checks/mime_header_checks to refuse SMTP mail in Postfix, but now I think I've gone off the path of righteousness; I'm trying to suss out a way that I can refuse a message if it doesn't contain one of the following headers:

  • application/pkcs7-signature
  • application/x-pkcs7-signature
  • application/pkcs7-mime
  • application/x-pkcs7-mime

If it's not obvious, the intention is that the MTA should only accept mail that's either encrypted or signed using S/MIME. I know that I can process and then discard it after accepting it (this is the "standard" way of handling errors, according to the Direct Project), but if there's a way I can 5xx reject it before it gets that far, that's at least one possible case that doesn't have to disappear into the black hole.

My google-fu has failed me on this - I get many, many results on rejecting, but nothing on requiring, certain headers. So either it can't be done and I'm whistling into the wind, or my search terms just aren't matching up with what they need to be.

GeminiDomino
AFAIK Postfix can't act on the non-existence of headers with header_checks. You probably have to use a milter/pre-queue filter for this. – Gryphius Jan 30 '14 at 18:40

1 Answer

NO, you can't

Reference:

  1. postfix mailing list

Postfix header_checks work on one header at a time, so there's no way to have a rule that works on all the headers. And in particular, there's no way to specify a rule that says if "$header doesn't exist".

  2. postfix author comment

As documented, header_checks makes a decision one header at a time, and does not remember decisions from one header to the next.

I suggest that you fix the problem in the program that creates the message.

If you must repair this in Postfix, then you need to use an external content filter (http://www.postfix.org/FILTER_README.html) or a Milter application (http://www.postfix.org/MILTER_README.html).

masegaloeh
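The decision that header_checks cannot make, and that a milter or pre-queue content filter would make once it has the whole message, sketched as an added example (not code from the question, the answer or Postfix). It uses only the Python standard library; the function names, the reply text and the sample messages are assumptions constructed here, and it checks MIME structure only, not the validity of any signature.

```python
"""Accept/reject decision for an S/MIME-only MTA (added example, stdlib only)."""
from email import message_from_bytes
from email.policy import default

# The content types listed in the question.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
REJECT = "550 5.7.1 Message must be S/MIME signed or encrypted"  # constructed text


def is_smime(raw: bytes) -> bool:
    """True if the top-level MIME entity is S/MIME enveloped or signed."""
    msg = message_from_bytes(raw, policy=default)
    ctype = msg.get_content_type()  # lowercased; text/plain when header is absent
    if ctype in PKCS7_MIME:
        return True  # encrypted or opaque-signed: the body is one PKCS#7 object
    if ctype == "multipart/signed":
        # Clear-signed: the protocol parameter must name a PKCS#7 signature
        # and a signature part of that kind must actually be present.
        protocol = str(msg.get_param("protocol", "")).lower()
        has_sig = any(p.get_content_type() in PKCS7_SIG for p in msg.iter_parts())
        return protocol in PKCS7_SIG and has_sig
    return False


def verdict(raw: bytes) -> str:
    """Reply a milter or pre-queue filter would give at end of DATA."""
    return "250 2.0.0 Ok" if is_smime(raw) else REJECT


# Constructed sample messages (not real mail).
SIGNED = (b'Content-Type: multipart/signed; micalg=sha-256; boundary="b1";\r\n'
          b' protocol="application/pkcs7-signature"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
          b"--b1\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nMIIB\r\n--b1--\r\n")
ENCRYPTED = (b"Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data\r\n"
             b"Content-Transfer-Encoding: base64\r\n\r\nMIIB\r\n")
# Plain mail that only mentions the type in an unrelated header.
PLAIN = b"Subject: hi\r\nX-Note: application/pkcs7-mime\r\n\r\nhello\r\n"

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(f"{name:10} {verdict(raw)}")
```

The PLAIN sample shows why matching the type string against individual header lines is not enough: only the parsed top-level Content-Type counts.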