Both methods worked fine.

I would like to thank all of you for pointing me in the right direction.

I'm repeating here what I did with your suggestions just in case it
might be useful to someone else.
Feel free to correct me if I'm stating something wrong.

Here is the background info.

To use a post-queue content filter, Postfix has the global content_filter option.
To override this global option, the access table FILTER action can be used.
Unfortunately it can only trigger another filter action, but not
disable the global filter.

What I was looking for:

I needed a way to disable the content filter for the null sender
(mailer-daemon) of a misbehaving smtpd server.

Here are the 2 ways that have been promptly suggested in this list.

- 1 - The first (and cleanest) way

For all mail coming from the broken smtpd IP, if the sender is empty,
don't use the filter (actually this is done using the return transport
that the filter uses to send mail back to Postfix, as if it were a filter
itself).

main.cf:

smtpd_restriction_classes = avoid_filter

avoid_filter = check_sender_access hash:/etc/postfix/hash/accept_mailer_daemon_from_broken_smtpd

smtpd_sender_restrictions = check_client_access hash:/etc/postfix/hash/ip_broken_smtpd

where ip_broken_smtpd:
# ip smtpd
172.16.1.1     avoid_filter

and accept_mailer_daemon_from_broken_smtpd:
# <> is the empty sender
# relay:[127.0.0.1]:10026 is the return transport from the filter back
# to postfix
<> FILTER relay:[127.0.0.1]:10026

That is, for the empty sender, email goes straight back to postfix
without using the global content filter.

Then, in master.cf, where the return transport from the filter is
defined, smtpd_sender_restrictions must be disabled to avoid loops:
# content filter loop back smtpd
localhost:10026 inet n - n - 20 smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_proxy_filter=
        -o content_filter=
        -o local_recipient_maps=
        -o smtpd_client_restrictions=
        # the next override is the one that avoids the loop
        -o smtpd_sender_restrictions=
        -o smtpd_enforce_tls=no

- 2 - The second way

The global content_filter option is disabled, and enabled in an access
table for everyone except for the empty sender of the smtpd IP.

in main.cf:
# disable global content filter
content_filter =

smtpd_restriction_classes = skip_mailer_daemon

skip_mailer_daemon = check_sender_access hash:/etc/postfix/hash/dunno_mailer_daemon

smtpd_sender_restrictions =
      check_client_access  pcre:/etc/postfix/pcre/antivirus

dunno_mailer_daemon:
<> DUNNO

filter:
/172\.16\.1\.1$/       skip_mailer_daemon
/./                     FILTER filtername:localhost:10025

That is, if mail is coming from the broken smtpd IP and the sender is
empty, do nothing; otherwise use the filter.

To avoid loops the usual line must be added to the return transport of
the filter:
-o smtpd_sender_restrictions=

One last note.
When an access table FILTER is triggered, the filter name is logged,
so there is an extra line in the logs for each mail that triggers an
access table filter. So logs are more verbose in the second case.

Regards,
Diego.
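
An added example, not part of the original post: with the first method, each message that skips the content filter leaves a FILTER log line naming the return transport, so the mail log can be audited to confirm that only null-sender mail from 172.16.1.1 bypasses scanning. The log-line shape matched by the regex and the sample lines are constructed assumptions; the function and variable names are hypothetical.

```python
import re

# Values taken from the post: the broken smtpd's IP and the filter's return transport.
BROKEN_SMTPD_IP = "172.16.1.1"
REINJECT = "relay:[127.0.0.1]:10026"

# Assumed shape of smtpd's "triggers FILTER" log line; adapt it to your own logs.
FILTER_RE = re.compile(
    r"filter: \w+ from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: .*?"
    r"triggers FILTER (?P<dest>[^;]+); from=<(?P<sender>[^>]*)>"
)

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2101]: connect from unknown[172.16.1.1]
Jan 10 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: filter: RCPT from unknown[172.16.1.1]: <>: Sender address triggers FILTER relay:[127.0.0.1]:10026; from=<> to=<user@example.com> proto=ESMTP helo=<broken.example.net>
Jan 10 10:05:12 mx postfix/smtpd[2102]: NOQUEUE: filter: RCPT from unknown[172.16.1.1]: <>: Sender address triggers FILTER relay:[127.0.0.1]:10026; from=<> to=<admin@example.com> proto=ESMTP helo=<broken.example.net>
Jan 10 10:07:40 mx postfix/smtpd[2103]: NOQUEUE: filter: RCPT from mail.example.org[192.0.2.55]: <>: Sender address triggers FILTER relay:[127.0.0.1]:10026; from=<> to=<user@example.com> proto=ESMTP helo=<mail.example.org>
Jan 10 10:09:03 mx postfix/smtpd[2104]: NOQUEUE: filter: RCPT from unknown[172.16.1.1]: <alice@example.net>: Sender address triggers FILTER relay:[127.0.0.1]:10026; from=<alice@example.net> to=<user@example.com> proto=ESMTP helo=<broken.example.net>
Jan 10 10:11:30 mx postfix/smtpd[2105]: NOQUEUE: filter: RCPT from mail.example.org[192.0.2.9]: <mail.example.org[192.0.2.9]>: Client host triggers FILTER filtername:localhost:10025; from=<bob@example.org> to=<user@example.com> proto=ESMTP helo=<mail.example.org>
"""


def audit_bypasses(log_text):
    """Split filter bypasses into (expected, unexpected) lists of (ip, sender)."""
    expected, unexpected = [], []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        # Only FILTER actions that point at the return transport skip scanning.
        if not m or m["dest"].strip() != REINJECT:
            continue
        hit = (m["ip"], m["sender"])
        if hit == (BROKEN_SMTPD_IP, ""):
            expected.append(hit)
        else:
            unexpected.append(hit)
    return expected, unexpected


if __name__ == "__main__":
    ok, bad = audit_bypasses(SAMPLE_LOG)
    print(f"expected bypasses: {len(ok)}")
    for ip, sender in bad:
        print(f"UNEXPECTED bypass: client={ip} sender=<{sender}>")
```

Any entry in the unexpected list means mail other than the intended mailer-daemon traffic reached the queue unscanned, which usually points at an access table entry that is broader than intended.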