On Thu, Feb 23, 2012 at 12:58:46PM -0800, rg86...@airpost.net wrote:
> On Thu, Feb 23, 2012, at 02:28 PM, /dev/rob0 wrote:
> > sendmail(1) writes mail to a file which is enqueued by the
> > pickup(8) daemon. smtpd(8) is not used. smtpd-specific settings
> > such as smtpd_sender_restrictions are irrelevant in this mode of
> > submission.
>
> Yes, it does that locally. I am sending from one machine to
> another.
>
> @ my desktop,
>
> sendmail -i -t <<EOF
> From: ro...@presence-group.com
> To: ro...@mail.rogermail.lan,s...@mail.rogermail.lan
> Subject: test
> testing
> EOF
>
> This clearly invokes postfix on the desktop machine, and sends it
> to the server,

Gotcha. This was not clear, or I was not paying attention. Anyway, I
did explain what happened to it.

> @ my desktop's log,
>
> tail -f /var/log/mail
>
> Feb 23 11:51:52 desk postfix/pickup[19611]: 986C040083: uid=1000
> from=<roger>
> Feb 23 11:51:52 desk postfix/cleanup[20619]: 986C040083:
> message-id=<20120223195152.986c040...@desk.rogermail.lan>
> Feb 23 11:51:52 desk postfix/qmgr[5927]: 986C040083:
> from=<ro...@desk.rogermail.lan>, size=371, nrcpt=2 (queue
> active)
> Feb 23 11:51:52 desk postfix/smtp[20627]: connect to
> mail.rogermail.lan[192.168.1.10]:25: Connection refused
> Feb 23 11:51:52 desk postfix/smtp[20627]: 986C040083:
> to=<s...@mail.rogermail.lan>,
> relay=mail.rogermail.lan[192.168.1.10]:25, delay=0.3,
> delays=0.21/0/0.03/0.06, dsn=5.1.1, status=bounced (host
> mail.rogermail.lan[192.168.1.10] said: 550 5.1.1
> <s...@mail.rogermail.lan>: Recipient address rejected: User
> unknown in virtual mailbox table (in reply to RCPT TO command))

The invalid recipient is eliminated before the content filter.
Therefore it cannot get to the reinjection smtpd.

snip

> > > With Postfix still configured at the reinjection listener
> >
> > Why do you have this on reinjection? It will be rejected as
> > an unknown user before reinjection can occur.
>
> Because I was advised to.
>
> I reference this specific example,
>
> Configuring the Postfix SMTP pass-through proxy feature
> http://www.postfix.org/SMTPD_PROXY_README.html#config
>
> Based on that, my current understanding of my config is that
> email is received by postscreen,

No, postscreen receives no mail. It receives a connection, identifies
it as legitimate, and passes that connection on to smtpd.

I've only ever done after-queue content filtering with postscreen, so
I am not sure how they interact. Looks like it goes to smtpd, filter,
smtpd, very much as after-queue content filtering works.

> passed to the before-queue filter, then
> reinjected back to a local smtpd,

See "Principles of operation" in SMTPD_PROXY_README.html which says:

  * The before-filter Postfix SMTP server accepts connections from
    the Internet and does the usual relay access control, SASL
    authentication, TLS negotiation, RBL lookups, rejecting
    non-existent sender or recipient addresses, etc.

It's the very last item before "etc" that you are missing. You are
not getting to the filter.

snip

> > Here's another thought, which I think someone else mentioned
> > upthread: you could PREPEND a special header, then handle that in
> > your content filter.
> >
> > s...@mail.rogermail.lan PREPEND X-spamtrap-garbage: YES
>
> Will such a header be added for ALL recipients? or just for the
> matched address?

A header is part of the message, the DATA part of SMTP. There is one
DATA for all RCPT TO addresses. So, yes.

> Also, I assume that's still done with the check_recipient_access
> restriction? If yes, then at which stage?

I presume that you could continue to reject the spamtrap as invalid,
as long as you are doing the check_recipient_access PREPEND action
before reject_unknown_recipient (or, anywhere, if you're only using
the implicit smtpd_reject_unknown_recipient rejection.)

snip

> Naively, I'd assume 'this' is best done @postscreen time. Iiuc,
> though, that's not currently possible, and/or would require
> 'additional development'.

Not going to happen; postscreen does what it does, and that is
probably all it will ever do. Forget postscreen, irrelevant to this.

> I'm still hoping to get some specific advice, in layman's terms,
> how to specifically get done what i've set out to do.
>
> Two pending questions for me, atm,
>
> (1) is the PREPEND header option an all-recipient solution, or just
> for the matched recipient address?

answered above

> (2) at what stage should this restriction check be added? i've got
> both a 'yes' and a 'no' for @ the reinjection listener.

Since you want to see the header in the filter, it must be added
before the filter.

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
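
Added example, not part of the original message and not Postfix code: a
simplified Python model of the ordering point in the reply above (PREPEND
before the unknown-recipient rejection, one DATA shared by all RCPT TO
addresses). The function names, addresses and map contents are hypothetical
stand-ins; the model assumes a PREPEND is recorded for the whole transaction
and that evaluation for a recipient stops at the first REJECT.

```python
# Simplified model (not Postfix code) of per-RCPT restriction evaluation.
# Addresses, the mailbox set and the map contents are constructed samples.
VALID = {"roger@example.test"}   # stand-in for the virtual mailbox table
ACCESS = {"spamtrap@example.test": "PREPEND X-spamtrap-garbage: YES"}

def check_recipient_access(rcpt, txn):
    """Access-map lookup; PREPEND records a header for the transaction."""
    action = ACCESS.get(rcpt.lower(), "DUNNO")
    if action.startswith("PREPEND "):
        txn["prepend"].append(action[len("PREPEND "):])
        return "DUNNO"           # PREPEND decides nothing; evaluation goes on
    return action

def reject_unknown_recipient(rcpt, txn):
    """Stand-in for the unknown-recipient rejection named in the reply."""
    return "DUNNO" if rcpt.lower() in VALID else "REJECT"

def rcpt_to(rcpt, restrictions, txn):
    """Evaluate restrictions in order; the first REJECT ends evaluation."""
    for restriction in restrictions:
        if restriction(rcpt, txn) == "REJECT":
            return "550 5.1.1 <%s>: Recipient address rejected" % rcpt
    txn["rcpts"].append(rcpt)
    return "250 2.1.5 Ok"

def run_transaction(restrictions, recipients, body):
    """One mail transaction: several RCPT TO commands, then a single DATA."""
    txn = {"rcpts": [], "prepend": []}
    replies = [rcpt_to(r, restrictions, txn) for r in recipients]
    if not txn["rcpts"]:
        return replies, None     # no accepted recipient, so no DATA at all
    # One message is handed to the filter for every accepted recipient.
    message = "".join(h + "\r\n" for h in txn["prepend"]) + body
    return replies, {"rcpts": txn["rcpts"], "message": message}

def filter_sees_trap(handoff):
    """The content filter's check: is the trap header in the header block?"""
    headers = handoff["message"].split("\r\n\r\n", 1)[0].split("\r\n")
    return any(h.lower().startswith("x-spamtrap-garbage:") for h in headers)

BODY = "Subject: test\r\n\r\ntesting\r\n"
RCPTS = ["roger@example.test", "spamtrap@example.test"]
PREPEND_FIRST = [check_recipient_access, reject_unknown_recipient]
REJECT_FIRST = [reject_unknown_recipient, check_recipient_access]

if __name__ == "__main__":
    for name, order in (("PREPEND first", PREPEND_FIRST), ("reject first", REJECT_FIRST)):
        replies, handoff = run_transaction(order, RCPTS, BODY)
        print(name, replies, "trap header seen:", filter_sees_trap(handoff))
```

With the access lookup first, the trap address is still refused with a 550
but the message handed on for the valid recipient carries the header; with
the rejection first, the PREPEND never executes.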