From: Manuel Mely on 6 Aug 2010 11:00

Hi,

I've programmed one script for checking the allowed message size for every user on my network. I started programming this script based on the greylist Perl example script that is in the Postfix documentation[1] (very nice starting point).

The script is working well but I'm having one problem: there are some messages that are bypassing my filter because the incoming server is using an SMTP session and not ESMTP; the script is expecting the latter for checking.

Is there a way of configuring Postfix so that, if it knows that the incoming mail server protocol is going to be ESMTP, it will use the script in smtpd_recipient_restrictions, and if it is SMTP it will send it directly to the check in smtpd_end_of_data_restrictions?

What I want is to avoid checking twice, because with SMTP I have to receive the whole message and then check the size. Is there a way to do this?

Greetings.

1- http://www.postfix.org/SMTPD_POLICY_README.html

From: Wietse Venema on 6 Aug 2010 12:50

Manuel Mely:
> Hi,
>
> I've programmed one script for checking the allowed message size for
> every user on my network. I started programming this script based on
> the greylist perl example script that it's in the postfix
> documentation[1] (very nice start point).
> The script is working well but i'm having one problem, there are some
> messages that are bypassing my filter because the incoming server is
> using a SMTP session and not ESMTP, the script is expecting the latter
> for checking.

There are a few things to consider.

1) The client does not have to send the SIZE command. There is
   nothing in the RFCs that says it must use this feature.

2) The client can send the wrong size information. If you base
   your access policy on the SIZE information from the client,
   malicious clients can use this to work around your policy.

You can get the true message size from Postfix after the client
has sent the complete email message.

    smtpd_end_of_data_restrictions = ....your policy server here...

Wietse

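The two points above, as an added example that is not part of the thread or of the Postfix distribution: one policy handler listed in both smtpd_recipient_restrictions and smtpd_end_of_data_restrictions, which treats the RCPT-stage `size` attribute as an unverified hint and enforces the limit on the real size at END-OF-MESSAGE. Attribute names follow SMTPD_POLICY_README; the per-user limits, the in-memory `_recipients` table (which assumes a single policy process) and all function names are assumptions made for illustration.

```python
# Added example, not code from the thread. Attribute names follow
# SMTPD_POLICY_README; LIMITS and DEFAULT_LIMIT are constructed values.
LIMITS = {"alice@example.com": 1_000_000, "bob@example.com": 5_000_000}
DEFAULT_LIMIT = 2_000_000
_recipients = {}  # instance id -> recipients accepted at RCPT stage


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def limit_for(rcpt):
    """Per-recipient limit in bytes, falling back to the default."""
    return LIMITS.get(rcpt.lower(), DEFAULT_LIMIT)


def decide(attrs):
    """Return the access(5)-style action for one request."""
    state = attrs.get("protocol_state", "")
    instance = attrs.get("instance", "")
    size = int(attrs.get("size") or 0)
    if state == "RCPT":
        rcpt = attrs.get("recipient", "")
        # Here size is the client's SIZE declaration: 0 when absent
        # (plain SMTP, or ESMTP without SIZE) and possibly understated.
        if size > limit_for(rcpt):
            return "552 5.3.4 Message too large for this recipient"
        _recipients.setdefault(instance, set()).add(rcpt)
        return "DUNNO"
    if state == "END-OF-MESSAGE":
        # Here size is the byte count Postfix actually received.
        rcpts = _recipients.pop(instance, set())
        if any(size > limit_for(r) for r in rcpts):
            return "552 5.3.4 Message exceeds recipient size limit"
    return "DUNNO"


def respond(text):
    """Build the reply Postfix expects: action line plus empty line."""
    return "action=" + decide(parse_request(text)) + "\n\n"
```

A declared size over the limit is refused before any message data is transferred; a missing or understated declaration passes the RCPT stage and is caught only once the true size is known, at which point the rejection applies to the whole message.
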
From: Manuel Mely on 8 Aug 2010 15:57

Hi Wietse,

My server is acting as a relay for my network, so my internal clients are MTAs that use ESMTP. The problem is when other servers on the Internet are delivering messages to my server; some of them are SMTP. If I place my policy server in smtpd_end_of_data_restrictions I must wait for the entire message and then check, and my Internet bandwidth is really poor. That's why I'm checking in another place rather than end_of_data.

Thanks in advance!

On 8/6/10, Wietse Venema <wietse(a)porcupine.org> wrote:
> Manuel Mely:
>> Hi,
>>
>> I've programmed one script for checking the allowed message size for
>> every user on my network. I started programming this script based on
>> the greylist perl example script that it's in the postfix
>> documentation[1] (very nice start point).
>> The script is working well but i'm having one problem, there are some
>> messages that are bypassing my filter because the incoming server is
>> using a SMTP session and not ESMTP, the script is expecting the latter
>> for checking.
>
> There are a few things to consider.
>
> 1) The client does not have to send the SIZE command. There is
>    nothing in the RFCs that says it must use this feature.
>
> 2) The client can send the wrong size information. If you base
>    your access policy on the SIZE information from the client,
>    malicious clients can use this to work around your policy.
>
> You can get the true message size from Postfix after the client
> has sent the complete email message.
>
>     smtpd_end_of_data_restrictions = ....your policy server here...
>
> Wietse
>

From: Manuel Mely on 8 Aug 2010 16:00

Sorry for the top posting!

From: Wietse Venema on 8 Aug 2010 16:04

Manuel Mely:
> Hi Wietse,
>
> My server is acting as relay for my network, so my internal clients
> are MTAs that uses ESMTP. The problem is when other servers in
> internet are delivering messages to my server, some of them are SMTP.
> If i place my policy server in smtpd_end_of_data_restrictions i must
> wait for the entire message and then check, and my internet bandwidth
> is really poor. That's why I'm checking in other place rather than
> end_of_data.

Here is a revolutionary idea: configure Postfix to announce the
right message size limit.

You can use different master.cf configurations for smtpd, if local
and remote clients have different limits (use a different server
IP address).

Wietse

> On 8/6/10, Wietse Venema <wietse(a)porcupine.org> wrote:
> > Manuel Mely:
> >> Hi,
> >>
> >> I've programmed one script for checking the allowed message size for
> >> every user on my network. I started programming this script based on
> >> the greylist perl example script that it's in the postfix
> >> documentation[1] (very nice start point).
> >> The script is working well but i'm having one problem, there are some
> >> messages that are bypassing my filter because the incoming server is
> >> using a SMTP session and not ESMTP, the script is expecting the latter
> >> for checking.
> >
> > There are a few things to consider.
> >
> > 1) The client does not have to send the SIZE command. There is
> >    nothing in the RFCs that says it must use this feature.
> >
> > 2) The client can send the wrong size information. If you base
> >    your access policy on the SIZE information from the client,
> >    malicious clients can use this to work around your policy.
> >
> > You can get the true message size from Postfix after the client
> > has sent the complete email message.
> >
> >     smtpd_end_of_data_restrictions = ....your policy server here...
> >
> > Wietse
> >
>