On 05/11/2021 10:20, Gionatan Danti wrote:
On 2021-11-05 09:36, Dominic Raferd wrote:
Why permit auth connections on port 25? Restrict them to 587 and/or
465 then you can specify subject rewriting for (all) mails arriving
via port 25. (And you can use postscreen on port 25.)
Yeah, it would be a very clean solution. However, we have many SMTP
clients already configured to authenticate on port 25, so I cannot
blindly use the connection port to identify to-be-tagged messages.
Presumably you are not concerned that rewriting subjects will break
DKIM/DMARC?
No, it is not an issue at the moment. But thanks for the advice; it should
be considered a significant issue indeed. Let me only say I am *strongly*
against this subject rewrite and/or disclaimer adding policy, and I hope
management recognizes they are useless to avoid phishing...
If you have the option, better to use pcre: than regex:.
Sure, regexp was only for a quick test.
Today I was able to get it working - hopefully correctly - in a test
environment. I edited my configuration files as follows:
# main.cf
# auth clients are immediately permitted, all other messages are FILTERed
smtpd_client_restrictions = permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/custom
# master.cf
# secondary smtpd and cleanup process
# disable milters to avoid double spam check
127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_client_restrictions=
    -o smtpd_milters=
    -o cleanup_service_name=mycleanup
mycleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/rewrite
# custom
# all unauth messages are FILTERed
/.*/ FILTER smtp:127.0.0.1:10025
# rewrite
# only add tag if it is not already present
if !/^Subject: .*[EXTERNAL].*/i
/^Subject: (.+)$/i REPLACE Subject: [EXTERNAL] $1
endif
Do you see some grossly wrong config?
Regards.
I think you need to ensure that the rule runs only for Subject: headers,
escape square brackets in the if clause, and cover the possibility of no
space after 'Subject:' (note: all untested):
if /^Subject:/i
if !/^Subject: \[EXTERNAL\]/i
/^Subject: ?(.+)/i REPLACE Subject: [EXTERNAL] $1
endif
endif
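As an added example (not part of either poster's message), the Python sketch below runs the two rewrite tables from this thread over constructed Subject lines to show which headers each one actually tags. It assumes single-line headers, uses Python's `re` as a stand-in for Postfix's POSIX matcher, and follows regexp_table(5) in treating a trailing `i` as a toggle of the default case-insensitive matching; `pf`, `posted_rules`, `suggested_rules` and `compare` are hypothetical names.

```python
import re

def pf(pattern, flags=""):
    # Postfix regexp: entries are case-insensitive by default and each
    # trailing "i" toggles that (regexp_table(5)), so "/.../i" is case-sensitive.
    icase = flags.count("i") % 2 == 0
    return re.compile(pattern, re.IGNORECASE if icase else 0)

TAG = "Subject: [EXTERNAL] "

def posted_rules(line):
    # Table as first posted: [EXTERNAL] is unescaped, so it is a character
    # class matching any single one of the letters E, X, T, R, N, A, L.
    if not pf(r"^Subject: .*[EXTERNAL].*", "i").search(line):
        m = pf(r"^Subject: (.+)$", "i").search(line)
        if m:
            return TAG + m.group(1)
    return line

def suggested_rules(line):
    # Nested if/endif version from the reply: brackets escaped, optional space.
    if pf(r"^Subject:", "i").search(line):
        if not pf(r"^Subject: \[EXTERNAL\]", "i").search(line):
            m = pf(r"^Subject: ?(.+)", "i").search(line)
            if m:
                return TAG + m.group(1)
    return line

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Subject: Re: quarterly report",    # contains "R": posted table skips it
    "Subject: invoice overdue",         # no class letter: both tables tag it
    "Subject:no space here",            # only the suggested table handles this
    "Subject: [EXTERNAL] hello",        # already tagged: both leave it alone
    "Subject: Re: [EXTERNAL] hello",    # tag not at start: suggested re-tags
    "subject: lowercase header name",   # "i" toggle makes both case-sensitive
]

def compare():
    return [(h, posted_rules(h), suggested_rules(h)) for h in SAMPLES]

if __name__ == "__main__":
    for header, posted, suggested in compare():
        print(f"{header!r}\n  posted:    {posted!r}\n  suggested: {suggested!r}")
```

On a Postfix host the same inputs can be checked against the real table with `postmap -q "Subject: Re: quarterly report" regexp:/etc/postfix/rewrite`.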