Does this filter actually work for you? Not by my testing, nor my
understanding of filters. Filter-dkimsign works during the
filter-dataline phase, so you'd have to circumvent that one, which is
not supported.

Personally I'd sign the domain anyway, since it gives the receiver
some additional information where a message might have been altered if
it happens somewhere down an MTA chain, but if you really don't want to
sign the message you could try setting the phase to data, since that's
where filter-dkimsign's magic happens. I haven't tested this though,
so it might be just the data-command and not the actual data.
If that doesn't work, your best bet at this point is two different
listen statements for the two domains.

martijn@

On Tue, 2020-08-25 at 04:30 +0000, Lucas wrote:
> Hello tech@,
> 
> I keep getting a syntax error with the following seemingly correct
> line:
> 
>       filter "dkimsign-override" phase commit \
>           match mail-from <ext_relay_from> bypass
> 
> The problem (`/etc/mail/smtpd.conf:20: syntax error`) arises from
> smtpd.conf's grammar only allowing `filter_action_builtin_nojunk` for
> `commit` phase. It turns out that the current definition of
> `filter_action_builtin_nojunk` means no junk and no bypass. Address
> that by moving the bypass action to nojunk.
> 
> My use case for it is to avoid DKIM-signing emails that are externally
> relayed with `opensmtpd-filters-dkimsign`: if I also own
> lucas@domain.invalid, I don't want smtpd to sign lucas@domain.invalid's
> emails, just lu...@sexy.is'. This seems possible with `filter-chain`,
> and technically could be decided in `mail-from` phase, but sadly
> `bypass` doesn't short-circuit. Second best option is to `bypass`
> during `commit` phase, which is when `filter-dkimsign` does its magic.
> 
> Comments?
> 
> -Lucas
> 
> 
> Index: parse.y
> ===================================================================
> RCS file: /home/cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.278
> diff -u -p -r1.278 parse.y
> --- parse.y   1 Jun 2020 05:21:30 -0000       1.278
> +++ parse.y   25 Aug 2020 04:05:27 -0000
> @@ -1527,9 +1527,6 @@ filter_action_builtin_nojunk
>  | JUNK {
>       filter_config->junk = 1;
>  }
> -| BYPASS {
> -     filter_config->bypass = 1;
> -}
>  ;
>  
>  filter_action_builtin_nojunk:
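Review bot: The scope of this change is wider than the `commit` phase named in the message: with `BYPASS` dropped from the rule that carries `JUNK` and moved under `filter_action_builtin_nojunk`, every phase whose grammar takes `filter_action_builtin_nojunk` starts accepting `bypass`. Please list those phases in the commit message and confirm `bypass` is meaningful in each, or add a separate non-terminal that only `commit` uses.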
> @@ -1544,6 +1541,9 @@ REJECT STRING {
>  }
>  | REPORT STRING {
>       filter_config->report = $2;
> +}
> +| BYPASS {
> +     filter_config->bypass = 1;
>  }
>  ;
>  
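Review bot: The new `| BYPASS` alternative under `filter_action_builtin_nojunk` comes with no documentation change, since the diff touches only parse.y; if smtpd.conf(5) states which actions each phase accepts, it needs the matching update. The message gives skipping filter-dkimsign as the goal, and a `phase commit ... bypass` line that parses only shows the grammar accepts it, so please also show that a bypassed message is actually left unsigned.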
> 
