On Thu, Feb 23, 2012 at 12:58:46PM -0800, rg86...@airpost.net wrote:
> On Thu, Feb 23, 2012, at 02:28 PM, /dev/rob0 wrote:
> > sendmail(1) writes mail to a file which is enqueued by the 
> > pickup(8) daemon. smtpd(8) is not used. smtpd-specific settings 
> > such as smtpd_sender_restrictions are irrelevant in this mode of 
> > submission.
> 
> Yes, it does that locally.  I am sending from one machine to 
> another.
> 
> @ my desktop,
> 
>       sendmail -i -t <<EOF
>       From: ro...@presence-group.com
>       To: ro...@mail.rogermail.lan,s...@mail.rogermail.lan
>       Subject: test
>       testing
>       EOF
> 
> This clearly invokes postfix on the desktop machine, and sends it 
> to the server,

Gotcha. This was not clear, or I was not paying attention. Anyway, I 
did explain what happened to it.

> @ my desktop's log,
> 
> tail -f /var/log/mail
> 
> Feb 23 11:51:52 desk postfix/pickup[19611]: 986C040083: uid=1000
> from=<roger>
> Feb 23 11:51:52 desk postfix/cleanup[20619]: 986C040083:
> message-id=<20120223195152.986c040...@desk.rogermail.lan>
> Feb 23 11:51:52 desk postfix/qmgr[5927]: 986C040083:
> from=<ro...@desk.rogermail.lan>, size=371, nrcpt=2 (queue
> active)
> Feb 23 11:51:52 desk postfix/smtp[20627]: connect to
> mail.rogermail.lan[192.168.1.10]:25: Connection refused
> Feb 23 11:51:52 desk postfix/smtp[20627]: 986C040083:
> to=<s...@mail.rogermail.lan>,
> relay=mail.rogermail.lan[192.168.1.10]:25, delay=0.3,
> delays=0.21/0/0.03/0.06, dsn=5.1.1, status=bounced (host
> mail.rogermail.lan[192.168.1.10] said: 550 5.1.1
> <s...@mail.rogermail.lan>: Recipient address rejected: User
> unknown in virtual mailbox table (in reply to RCPT TO command))

The invalid recipient is eliminated before the content filter. 
Therefore it cannot get to the reinjection smtpd.

snip
> > > With Postfix still configured at the reinjection listener
> >
> > Why do you have this on reinjection? It will be rejected as
> > an unknown user before reinjection can occur.
> 
> Because I was advised to.
> 
> I reference this specific example,
> 
>       Configuring the Postfix SMTP pass-through proxy feature
>       http://www.postfix.org/SMTPD_PROXY_README.html#config
> 
> Based on that, my current understanding of my config is that
> email is received by postscreen,

No, postscreen receives no mail. It receives a connection, identifies 
it as legitimate, and passes that connection on to smtpd. I've only 
ever done after-queue content filtering with postscreen, so I am not 
sure how they interact. Looks like it goes to smtpd, filter, smtpd, 
very much as after-queue content filtering works.

> passed to the before-queue filter, then 
> reinjected back to a local smtpd,

See "Principles of operation" in SMTPD_PROXY_README.html which says:

  * The before-filter Postfix SMTP server accepts connections from
    the Internet and does the usual relay access control, SASL
    authentication, TLS negotiation, RBL lookups, rejecting
    non-existent sender or recipient addresses, etc.

It's the very last item before "etc" that you are missing. You are 
not getting to the filter.

snip
> > Here's another thought, which I think someone else mentioned
> > upthread: you could PREPEND a special header, then handle that in
> > your content filter.
> >
> > s...@mail.rogermail.lan         PREPEND X-spamtrap-garbage: YES
> 
> Will such a header be added for ALL recipients?  or just for the 
> matched address?

A header is part of the message, the DATA part of SMTP. There is one 
DATA for all RCPT TO addresses. So, yes.

> Also, I assume that's still done with the check_recipient_access
> restriction?  If yes, then at which stage?

I presume that you could continue to reject the spamtrap as invalid, 
as long as you are doing the check_recipient_access PREPEND action 
before reject_unknown_recipient (or, anywhere, if you're only using 
the implicit smtpd_reject_unknown_recipient rejection.)
 
snip
> Naively, I'd assume 'this' is best done @postscreen time.  Iiuc, 
> though, that's not currently possible, and/or would require 
> 'additional development'.

Not going to happen; postscreen does what it does, and that is 
probably all it will ever do. Forget postscreen, irrelevant to this.

> I'm still hoping to get some specific advice, in layman's terms, 
> how to specifically get done what i've set out to do.
> 
> Two pending questions for me, atm,
> 
> (1) is the PREPEND header option an all-recipient solution, or just 
> for the matched recipient address?

answered above

> (2) at what stage should this restriction check be added?  i've got 
> both a 'yes' and a 'no' for @ the reinjection listener.

Since you want to see the header in the filter, it must be added 
before the filter.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
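
Added example, not part of the original message and not Postfix code: a simplified Python model of the before-filter stage discussed in this thread, showing that a PREPEND triggered by one RCPT TO lands on the single DATA copy that every accepted recipient shares, and that the filter only sees it if it was added before the filter. The addresses, function names and verdict strings are hypothetical, and the model assumes, as the reply above presumes, that a PREPEND stays in effect when the recipient that triggered it is then rejected as unknown.

```python
from email import message_from_string

# Constructed sample data; addresses are placeholders, not the thread's.
ACCESS = {"trap@example.test": "PREPEND X-spamtrap-garbage: YES"}
MAILBOXES = {"roger@example.test"}
SAMPLE = "From: sender@example.test\r\nSubject: test\r\n\r\ntesting\r\n"


def before_filter_smtpd(rcpts, data, access=ACCESS, mailboxes=MAILBOXES):
    """Model RCPT TO handling, then DATA, on the before-filter listener.

    Returns (accepted_recipients, replies, message_handed_to_filter).
    """
    prepend, accepted, replies = [], [], []
    for rcpt in rcpts:
        # Recipient access lookup runs first: PREPEND only queues a header.
        action = access.get(rcpt.lower(), "DUNNO")
        if action.startswith("PREPEND "):
            prepend.append(action[len("PREPEND "):])
        # Unknown-recipient rejection runs afterwards, per recipient.
        if rcpt.lower() in mailboxes:
            accepted.append(rcpt)
            replies.append((rcpt, "250 2.1.5 Ok"))
        else:
            replies.append((rcpt, "550 5.1.1 User unknown"))
    if not accepted:
        # No valid recipient means no DATA: nothing reaches the filter.
        return accepted, replies, None
    # One DATA per transaction: queued headers go on that single copy.
    message = "".join(h + "\r\n" for h in prepend) + data
    return accepted, replies, message


def filter_verdict(message):
    """Content-filter side: look for the marker header on the message."""
    msg = message_from_string(message)
    marker = (msg.get("X-spamtrap-garbage") or "").strip().upper()
    return "spamtrap-hit" if marker == "YES" else "clean"


if __name__ == "__main__":
    ok, replies, msg = before_filter_smtpd(
        ["roger@example.test", "trap@example.test"], SAMPLE)
    for rcpt, reply in replies:
        print(rcpt, "->", reply)
    print("filter verdict for", ok, "=", filter_verdict(msg))
```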
