Postfix Header_Check Regex ‘Does Not Match’ issue

postfixregex

I am trying to configure Postfix to NOT accept outbound messages with FROM addresses other than my own domains.

The following regex successfully rejects only 3 domains:

/etc/postfix/header_checks:
/(^From:.*domain\.com|^From:.*domain\.net|^From:.*domain\.co\.il)/ REJECT SEND FROM THE RIGHT DOMAINS FFS!

I'd like to basically reverse it and block EVERYTHING BUT those 3.

So according to the manual:

!/pattern/flags result
When pattern does not match the input string, use the corre-
sponding result value.

However, this just blocks everything:

/etc/postfix/header_checks:
!/(^From:.*domain\.com|^From:.*domain\.net|^From:.*domain\.co\.il)/ REJECT SEND FROM THE RIGHT DOMAINS FFS!

Best Answer

The problem is postfix use header_checks for every header line. So if there is header line like

Subject: I love you :p

and postfix will apply that regex into this line. The result is postfix will reject this email.

The solution is adding if endif in your regex pattern

if /^From:/
!/(^From:.*domain\.com|^From:.*domain\.net|^From:.*domain\.co\.il)/ REJECT SEND FROM THE RIGHT DOMAINS FFS!
endif

Basically you tell postfix to apply the pattern into From header only. This will prevent postfix to evaluate the regex into another header line and causes rejected email.

See postfix manual to further information

Related Solutions

Php – RegEx Match URL Pattern

What language are you using?

In general it sounds like you want something that matches the basic aspects of a domain, ruling out the possibility of a period other than the one that delinates the .tld.

#http://[^.]+\.(com|net|org)#i

If you don't want to match the protocal, maybe something like this.

#[^. ]+\.(com|net|org)#i

Your desire to handle multi-part TLD's will really screw this up, you will need to maintain a manual list of all the ones you want to match. The only alternative is to do DNS lookups to determine the listing type. There really isn't another way to extract subdomain data from the domain with a regular expression because by rights domains are actually just subdomains of some TLD (top level domain).

Edit: To match TLD's assuming they woudl have less than four characters, you can play around with something like this. You're going to have to work out what constitutes the start and end of a match. Are you requireing the presense of a protocal? Is this in a paragraph where somebody could type.a period out of context? If you give more details on the parameters we might be able to provide a more precise solution.

[^.]+((\.[^.]{0,3})+)

Postfix recipient address verification: does it work without maintaing a list of relay domains on the forwarder

If your talking about postfix probing the relay_host via smtp, that cannot be done natively and it would be a burden on postfix. If it cannot determine immediately via local file/db/ldap or dns(domain mx) that it is allowed, it'll reject it. Otherwise DOS attacks will quite quickly tie up your resources and take out your relay_host as well.

If the relay_host does have a database or ldap list of users, you can use relay_recipient_maps and virtual_mailbox_domains to query the relay_host and know what it has available. The only downside is if it is down at any point your postfix box will most likely error with a 4XX temporary failure instead of accepting the mail and hold it until the relay_host is available to accept it, this is the upside of a local cached copy. I use a wget from my central server to my local 3 postfix relay hosts which periodically download the list of users and domains.

Without detailed information on your relay host has to offer, can't really give much configuration suggestions.

Best Answer

Related Solutions

Php – RegEx Match URL Pattern

Postfix recipient address verification: does it work without maintaing a list of relay domains on the forwarder

Related Topic