
How do I reliably enforce a policy that a certain header is present in all messages in Postfix?

For example, To: header.

I've read about header_checks and used them previously to filter messages based on present headers, but apparently they're not made for what I want.

sanmai

1 Answer

-2

Unfortunately this is not possible in Postfix by default. As you already stated, it's possible to check for headers but not for missing ones.

There's another question on SF that had a similar requirement (see here)

You may achieve an integration with more complex rules by creating a policy server or by wrapping a Perl script around a service. An example for this can be found here.

Important: There's no explicit information in the Postfix documentation that states whether headers from concurrent incoming mail may be mixed OR whether headers on such a service are only queried mail after mail. If the processing is mail by mail, you may detect a new message on specific header fields and reset the internal state of your filter script.

It's not the best solution and it has to be implemented carefully, but it may solve your requirement. For testing you may just log warnings instead of rejecting the mail and see how good your success rates are.

Daniel Nachtrub
  • If so, how can I do that? `tcp_tables` do not solve my problem because with them I also cannot check for missing headers. – sanmai Apr 04 '16 at 03:33
  • You can, in some way. You just have to implement additional logic that detects the first and last headers of an e-mail, and in between there may be an analysis of which appeared and which have been missing. So you can adjust the response of the last table lookup for a given mail regarding the last few lookups for this mail. But, to repeat: this only works if only one mail is processed at the same time. – Daniel Nachtrub Apr 04 '16 at 06:34
  • In what way exactly? Where do I implement that logic? See, that was my original question... – sanmai Apr 05 '16 at 01:26
  • You can write this filter yourself. This can be a hosted script within Postfix (to bridge onto a port) or another host with, for example, a C# application. It only has to listen on a TCP port. – Daniel Nachtrub Apr 05 '16 at 05:23
  • If you don't know how I can solve my problem, what is the purpose of your answer then? – sanmai Apr 05 '16 at 05:25
  • There is a whole bunch of options. I would do it with C# as I'm familiar with it. But how should I know whether you're aware of C# development? – Daniel Nachtrub Apr 05 '16 at 05:26
  • Why does it matter whether I care about C# or whatnot if my question is answered? – sanmai Apr 05 '16 at 05:28
  • Ok, it seems that you don't understand the answer: this can NOT be done with Postfix configuration. YOU have to extend Postfix, by providing an external service that listens on a TCP port where Postfix can send the headers, and YOUR service replies to Postfix on each header with good or not. The trick is the internal design of your service. – Daniel Nachtrub Apr 05 '16 at 05:30
  • Excuse me but where did I say that this has to be done with configuration only? I intentionally did not specify a method of execution. – sanmai Apr 05 '16 at 14:41
  • Then where's the issue: write a custom TCP server that receives the headers and try to find a way to (reliably) detect the first and last header of a mail. On each received header, you know that this header has been received. On the last header you're queried about by Postfix, you can reply with a deny, as you know that some headers that haven't been submitted yet won't come. Constraints about parallelism etc. are noted in my initial answer. – Daniel Nachtrub Apr 05 '16 at 16:40
  • How does one hook up such a server to Postfix? Please clarify in your answer, because that's what it's for. – sanmai Apr 06 '16 at 02:16
  • Did you follow the second link in my answer? There's a complete example of how to do header checks on a TCP table. – Daniel Nachtrub Apr 06 '16 at 07:53
  • I did follow that link, but like I said `header_checks` doesn't let one check for *missing* headers (not present in the message). – sanmai Apr 06 '16 at 08:43
  • That's correct. But your program can reply with a deny if a header hasn't been received. That's the whole trick when writing a custom tool. – Daniel Nachtrub Apr 06 '16 at 11:57
  • How can a program know if a header is not received for a specific message if it only sees headers one by one? – sanmai Apr 07 '16 at 01:16
  • You can see for yourself that [specific message ID is nowhere mentioned in the example you linked to](http://people.freebsd.org/~sahil/scripts/checkdbl.pl.txt). – sanmai Apr 07 '16 at 01:52
  • That's exactly the trick. You can detect this with a high probability if there is no concurrency, as specific headers are at the beginning and some at the end; it's not completely random. But you'll have to ask on the Postfix newsgroup whether there's concurrency or not. – Daniel Nachtrub Apr 07 '16 at 05:07
  • How can I detect it? Please update your answer with details. – sanmai Apr 07 '16 at 12:34
  • That's already described. Sorry, but I cannot write down the whole state machine in the response. – Daniel Nachtrub Apr 07 '16 at 22:43
  • Okay, I get it: you can find when a new message starts. How can I know when I am looking at the very last header of the message? – sanmai Apr 08 '16 at 01:00
  • I would check for a header like Content-Type, which is mostly placed at the end. – Daniel Nachtrub Apr 08 '16 at 05:48
  • What if I check on that header and there's none, and then I block next message from someone very important? – sanmai Apr 08 '16 at 08:46
  • That's part of the state machine. Finding a reliable detection of a new message is the tricky and risky part. – Daniel Nachtrub Apr 08 '16 at 19:51
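An added example (not from the thread or any of its participants) of the state machine the answer and comments describe, written as a Postfix tcp_table(5) lookup server that header_checks can query with `header_checks = tcp:127.0.0.1:10040`. The start marker (the Received: line Postfix itself adds at the top), the end marker (Content-Type, as suggested in the comments), the port and the required header set are assumptions.

```python
import socketserver
from urllib.parse import unquote

# Assumptions (not from the thread): the first header cleanup presents is the Received:
# line Postfix just added, Content-Type marks the end of the header block, and one
# connection carries one message at a time. Postfix sends "get <url-encoded header line>"
# per header; we answer "200 <action>" (%XX-encoded) or "500 <text>" for "no match".
REQUIRED = ("to", "from")
START_HEADER, END_HEADER = "received", "content-type"

def tcp_encode(text):
    """tcp_table(5) encoding: '%', whitespace and non-printing characters become %XX."""
    return "".join(f"%{ord(c):02X}" if c == "%" or c.isspace() or not c.isprintable() else c
                   for c in text)

class HeaderState:
    """Tracks which header names have been seen since the last message start."""
    def __init__(self):
        self.seen = set()

    def lookup(self, header_line):
        """Return the header_checks action for one decoded header line, or None for no match."""
        name = header_line.split(":", 1)[0].strip().lower()
        if name == START_HEADER:          # new message starts: drop state of the previous one
            self.seen = set()
        self.seen.add(name)
        if name != END_HEADER:
            return None                   # not the last header yet: no verdict
        missing = [h for h in REQUIRED if h not in self.seen]
        self.seen = set()                 # this message's header block is complete
        if missing:
            return "REJECT missing required header(s): " + ", ".join(missing)
        return "DUNNO"

def handle_request(state, request):
    """Turn one raw tcp_table request line into the reply line (without newline)."""
    if not request.startswith("get "):
        return "400 unsupported request"
    action = state.lookup(unquote(request[4:]))
    return "500 no match" if action is None else "200 " + tcp_encode(action)

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        state = HeaderState()             # state is per connection, i.e. per cleanup(8) client
        for raw in self.rfile:
            reply = handle_request(state, raw.decode("ascii", "replace").rstrip("\r\n"))
            self.wfile.write((reply + "\n").encode("ascii"))

if __name__ == "__main__":
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), Handler).serve_forever()
```

A message with no Content-Type header is never checked, which is exactly the gap raised in the comments, and because state lives per connection the verdict is only sound if Postfix submits one message at a time on each connection.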