How to block attachments on incoming mails only using Postfix


I have a mail server (CentOS 6.5) running Postfix and Dovecot

Postfix is listening on port 25 for inbound mail and 587 for outbound mail

The problem is that outbound mail with pdf attachments is being blocked, whereas I only want inbound mail with pdf attachments blocked.

I have this configuration line in main.cf

 mime_header_checks = regexp:/etc/postfix/blocked_attachments

The blocked_attachments file contains:

/name=[^>]*\.(pdf|zip)/ REJECT

So incoming mail with a pdf attachment correctly is blocked, but when I compose an email with a PDF that is also blocked when I try and send.

How can I tell postfix that I only want incoming attachments filtered? Or have I missed something?

Best Answer

I will rewrite your question as:

How can I use different *_header_checks for smtpd (port 25) and submission (port 587)?

This canonical problem can be divided into several conditions:

  1. I want to turn off header_checks for one of smtpd or submission.
  2. I want to run different header_checks for smtpd and submission.

1. I want to turn off header_checks for one of smtpd or submission.

For this example, I assume that you want to turn off the header_checks for submission (outgoing email).

Solution 1: receive_override_options method

You can use the Postfix parameter called receive_override_options. With this parameter you can override the global header_check switch, so the filter won't run.

#main.cf
header_checks = pcre:/path/to/header_checks

#master.cf
submission inet n       -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks

Caveats: this will turn off ALL *_header_checks and body_checks defined in man 5 header_checks. For complete control over which parameters are turned off, see Solution 2.

Solution 2: Multiple cleanup service method

We can use the multiple-cleanup-service technique for your problem, as *_header_checks is performed by the cleanup service. You can see an example of this setup in the amavisd-new tutorial.

The magic parameter for this configuration is cleanup_service_name. With this parameter, we can use a different cleanup service for each smtpd process. First we define one additional cleanup service (called no-headerchecks) in master.cf

no-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=

In this cleanup, we define an empty mime_header_checks to disable filtering. The last step is to tell the submission service to use our no-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=no-headerchecks 

2. I want to run different header_checks for smtpd and submission.

For this problem you can use the multiple cleanup service method as described above.

First we define one additional cleanup service (called second-headerchecks) in master.cf

second-headerchecks unix    n       -       n       -       0       cleanup
    -o mime_header_checks=pcre:/path/to/2ndheaderchecks

In this cleanup, we point the second mime_header_checks to another PCRE table. The last step is to tell the submission service to use our second-headerchecks

submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=second-headerchecks

Note:

  • Your case looks similar to this question. Unfortunately the answer from Laurentiu Roescu only works if you want to enable header_checks for outgoing mail that uses smtp as transport. The good news is that his first sentence about the cleanup daemon gives us some idea for the second solution.

  • The multiple cleanup service method can be applied if you want different header_checks, body_checks and other parameters defined in man 5 header_checks.
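
An added example, not part of the original answer: a small Python audit that reads a master.cf and reports which mime_header_checks table each smtpd listener ends up with under the two methods above, so you can confirm that port 25 still filters after you relax submission. The sample file is constructed, the function names are hypothetical, and it assumes the plain `-o name=value` override form.

```python
import shlex

# Constructed sample master.cf built from the entries in the answer above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
    -o cleanup_service_name=no-headerchecks
cleanup   unix  n       -       n       -       0       cleanup
no-headerchecks unix n  -       n       -       0       cleanup
    -o mime_header_checks=
"""

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {param: value}}}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        args, overrides = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                overrides.update([value.split("=", 1)])
        services[(fields[0], fields[1])] = {"command": fields[7], "overrides": overrides}
    return services

def mime_checks_status(services, main_cf_value):
    """Map each smtpd listener to the mime_header_checks table it effectively uses."""
    report = {}
    for (name, _type), svc in services.items():
        if svc["command"] != "smtpd":
            continue
        ov = svc["overrides"]
        if "no_header_body_checks" in ov.get("receive_override_options", ""):
            report[name] = "disabled (receive_override_options)"   # Solution 1
            continue
        # Solution 2: follow cleanup_service_name to the cleanup entry's own override.
        cleanup = services.get((ov.get("cleanup_service_name", "cleanup"), "unix"), {})
        table = cleanup.get("overrides", {}).get("mime_header_checks", main_cf_value)
        report[name] = table or "disabled (empty table)"
    return report

print(mime_checks_status(parse_master_cf(SAMPLE_MASTER_CF),
                         "regexp:/etc/postfix/blocked_attachments"))
```

A listener that unexpectedly reports "disabled" on port 25 means inbound attachments are no longer being filtered.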
