Help: Question about Postfix configuration for routing / relay
Liebeskind Uri (luri)
luri at zhaw.ch
Wed Jul 4 12:11:12 CEST 2018
Dear postfix experts,
For more than a week I have been trying to include an encryption appliance in the mail flow of our Postfix servers.
UP TO NOW THE MAIL-FLOW IS AS SUCH:
Exchange -> mx1:25
-> To milter at 127.0.0.1:10025 (Sophos PureMessage)
-> from milter 10026:127.0.0.1
-> Outbound mta (i.e. gmail)
CONFIGURATION FOR THIS IS:
main.cf:
content_filter = pmx:[127.0.0.1]:10025
master.cf:
:25 inet n - n - 300 smtpd
:10026 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o myhostname=localhost
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o allow_untrusted_routing=yes
PureMessage is configured to pass mail to 127.0.0.1:10026
WHAT I WANT TO ACHIEVE:
Mails with certain header criteria have to be relayed to an appliance in our network enc.zhaw.ch:25. The appliance then has to pass the mail back to mx1 and postfix shall deliver the mail.
The scenario must be tested only on our non-production mx4 and only for a specific (source and target) mail address (test at zhaw.ch). Only mx4 redirects mails to the encryption appliance.
CONFIGURATION TO RELAY MAILS FROM MX1 TO MX4 FOR test at zhaw.ch
MX1:
main.cf:
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender
relay_by_sender:
test at zhaw.ch mx4.zhaw.ch
CONFIGURATION ON MX4 TO RELAY MAILS FROM MX4 TO enc.zhaw.ch FOR SPECIFIC HEADER CRITERIA
MX4:
main.cf:
content_filter = pmx:[127.0.0.1]:10025
header_checks = pcre:/etc/postfix/header_checks,pcre:/etc/postfix/header_checks-totemo
header_checks-totemo:
/Subject:\h*#secure/ FILTER smtp:[enc.zhaw.ch]
/Content-Type: .*pkcs7-(signature|mime)/ FILTER smtp:[enc.zhaw.ch]
The encryption appliance removes the triggering text #secure from the subject, encrypts the message and then passes the message to mx1:20025.
CONFIGURATION ON MX1
main.cf: (as before)
content_filter = pmx:[127.0.0.1]:10025
header_checks = pcre:/etc/postfix/header_checks,pcre:/etc/postfix/header_checks-totemo
header_checks-totemo:
/Subject:\h*#secure/ FILTER smtp:[enc.zhaw.ch]
/Content-Type: .*pkcs7-(signature|mime)/ FILTER smtp:[enc.zhaw.ch]
master.cf:
:25 inet n - n - 300 smtpd
:10026 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o myhostname=localhost
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o allow_untrusted_routing=yes
# RECEIVE MAILS FROM ENCRYPTION APPLIANCES ON 20025
:20025 inet n - n - - smtpd
  -o content_filter=
  -o sender_dependent_relayhost_maps=
  -o receive_override_options=no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,160.85.104.245,160.85.104.246
WHAT HAPPENS:
This configuration behaves as a loop, because the option "-o sender_dependent_relayhost_maps=" is ignored.
This causes the message to be relayed again to MX4. On MX4, header_checks-totemo will trigger on the Content-Type: criterion because the message is encrypted. This will again relay the message to the encryption appliance, and so on.
I have been struggling with this for over a week now. It is really hard to understand which parameters are processed at what time in Postfix.
So I hope someone can give me a tip.
Another requirement is that in the final setup I want to send the messages through the pmx antispam milter before encryption and after decryption.
Kind regards,
Uri
--
------------------------------------
Zurich University of Applied Sciences
Information and Communication Technology
Uri Liebeskind
System Administrator
Gertrudstrasse 15
Postfach 805
CH-8401 Winterthur
Tel. +41 58 934 72 63
Fax. +41 58 935 72 63
http://www.zhaw.ch/en/
-------------------------------------
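
A `-o name=value` override in master.cf applies only to the daemon started by that entry, and sender_dependent_relayhost_maps is evaluated by trivial-rewrite(8) rather than smtpd(8), which matches the ignored override described under WHAT HAPPENS. The check below is an added example, not part of the original post; ROUTING_PARAMS is an assumed, partial list of trivial-rewrite parameters, and the sample master.cf is constructed from the listeners shown above.

```python
# Added example: flag master.cf "-o" overrides of routing parameters that the
# service's own daemon never reads.
# Assumption: ROUTING_PARAMS lists parameters evaluated by trivial-rewrite(8).
ROUTING_PARAMS = {"sender_dependent_relayhost_maps", "transport_maps",
                  "sender_dependent_default_transport_maps"}

# Constructed sample modelled on the :10026 and :20025 listeners in the post.
SAMPLE_MASTER_CF = """\
:10026 inet n - n - - smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
# RECEIVE MAILS FROM ENCRYPTION APPLIANCES ON 20025
:20025 inet n - n - - smtpd
  -o content_filter=
  -o sender_dependent_relayhost_maps=
  -o receive_override_options=no_header_body_checks
"""

def parse_services(text):
    """Return (service, daemon, {param: value}) per logical master.cf line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace = continuation
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = line.split()
        name, daemon, args = fields[0], fields[7], fields[8:]
        overrides = {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o":
                param, _, value = args[i + 1].partition("=")
                overrides[param] = value
        services.append((name, daemon, overrides))
    return services

def ineffective_overrides(text):
    """List (service, daemon, param) overrides that cannot change routing."""
    return [(name, daemon, p)
            for name, daemon, ov in parse_services(text)
            for p in sorted(ov) if p in ROUTING_PARAMS and daemon != "trivial-rewrite"]

if __name__ == "__main__":
    for name, daemon, param in ineffective_overrides(SAMPLE_MASTER_CF):
        print(f"{name} ({daemon}): -o {param}= has no effect on routing")
```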