Turning Off Body and Header Checks for Internal Users
Since Postfix body and header checks do not have a way to whitelist known good
clients or IP addresses, administrators generally configure a separate content
filter to handle anything more complicated than simple checks that they can
confidently apply to all messages. In many situations, however, you might find
it helpful to disable body and header checks for internal users. Email from the
outside is subject to the checks, but internal messages do not use up
processing and memory resources, and you do not risk generating false positives
on messages from your own users. This How-To describes one way to bypass
header and body checks for internal senders using the receive_override_options
feature that was introduced in version 2.1 (and earlier snapshots) of Postfix.
If you are using a version prior to 2.1, the technique described here will not
work. This method also requires an additional IP address for your Postfix
system.
The idea is simple enough. Set up an additional smtpd instance for
your internal users and disable body and header checks for that instance only.
We will also disable body and header checks in the pickup daemon
so that messages submitted locally (on the same machine) will bypass content
checking as well. The second smtpd instance listens on a separate
IP address. You should obtain an IP address from your network administrator. If
your system has multiple network interfaces, then you may already have a second
IP address to use. If one interface is for an internal subnet, use its IP
address as the second one. If you don't have two or more network cards,
configure the second IP address as an alias on your single network interface.
Adding an IP Address
If you have two interfaces, and you've identified the IP address of the one you
will use for internal users, you're all set. Skip ahead to “Configuring
Postfix” below. Otherwise, the task of creating IP address aliases differs
across various Unix platforms. Check your system documentation to see how it is
done on your operating system. Most Unix platforms use the ifconfig command.
You will probably find the information you need in the ifconfig man page. For
example, Linux and HP-UX use an index number along with the name of the
interface. Configuring the second IP address 192.168.100.12 on Linux looks
like the following:
# ifconfig eth0:0 192.168.100.12 netmask 255.255.255.0
Other platforms, like FreeBSD and IRIX, use an alias command along with
ifconfig, for example:
# ifconfig ef0 alias 192.168.100.12 netmask 255.255.255.255
You will want to configure your system so that the second IP address is automatically set when your system boots up. See your system documentation for the best way to do that. Also, if this second interface is accessible from the Internet, make sure that you configure your firewall so that external systems cannot reach it. It's meant to be accessed by your internal users only.
Configuring Postfix
Now that you have a second IP address, you need to configure Postfix to start a
second instance of smtpd to handle requests over that address.
Before getting to that, however, you need to make sure that your primary
smtpd does not gobble up all of the IP addresses before your
second instance gets a chance at one. You can do that by editing the
inet_interfaces parameter in your main.cf file. The parameter inet_interfaces
specifies which of your interfaces Postfix should listen on, and by default,
it's set to ‘all’. You want to set it so that Postfix listens on all IP
addresses except the one we're configuring for bypassing content checks.
(We'll get Postfix listening on that one next.)
Edit main.cf and find or add the inet_interfaces parameter. Set it to your
main IP address (plus any additional IP addresses you may have excluding the
new one). In this example, the main IP address is 192.168.100.11, and it is
the only IP address the original smtpd daemon should respond on.
#
# main.cf
#
inet_interfaces = 192.168.100.11
Next we'll create a new entry in master.cf to add the additional
instance of smtpd. This entry is identified by the new IP address
plus the smtp port, which it should listen on. The entry includes
a configuration option to turn off body and header checks through the
receive_override_options parameter:
#
# master.cf
#
192.168.100.12:smtp inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
Note that the second line must start with whitespace to indicate that it is a
continuation of the previous line. There cannot be any spaces between
receive_override_options, the equals sign, and no_header_body_checks. If you
want to make other configuration changes to this instance, you can add them in
the same way. Otherwise, this instance will use the same configuration from
main.cf other than any of the parameters you override here.
Also create a similar entry for the loopback address and add the same
no_header_body_checks feature to the pickup daemon so
that all mail submitted locally will also bypass the checks. The entries in the
master.cf file (including the original smtpd entry)
should look like the following:
smtp                inet  n       -       n       -       -       smtpd
192.168.100.12:smtp inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
pickup              fifo  n       -       n       60      1       pickup
  -o receive_override_options=no_header_body_checks
You will have to stop and start Postfix after making these changes. A reload is not enough when adding or changing interfaces:
# postfix stop
postfix/postfix-script: stopping the Postfix mail system
# postfix start
postfix/postfix-script: starting the Postfix mail system
Be sure to check your log file to make sure there are no errors.
Tell your users to set their email clients to use 192.168.100.12
(or its hostname) as their SMTP server. Then all mail from your
local network or from the machine itself will skip body and
header checks configured in main.cf.
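The rules above (continuation lines start with whitespace, no spaces around the equals sign, the bypass listener bound only to the internal and loopback addresses and kept out of inet_interfaces) can be checked mechanically. The following is an added example, not part of the original how-to or of Postfix: the function names, the constructed sample, and the extra "submission" entry (a deliberate mistake that puts the bypass on a listener with no address) are assumptions made for illustration.

```python
import re

# Constructed sample: the master.cf entries from this how-to plus one
# deliberately mistaken entry. All names here are illustrative, not Postfix APIs.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
192.168.100.12:smtp inet n      -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
127.0.0.1:smtp inet n   -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
pickup    fifo  n       -       n       60      1       pickup
  -o receive_override_options=no_header_body_checks
submission inet n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the entry above."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_bypass(master_cf, inet_interfaces, allowed):
    """Return (service, problem) for entries that skip header/body checks."""
    findings = []
    for line in logical_lines(master_cf):
        fields = line.split()
        service, stype, args = fields[0], fields[1], " ".join(fields[7:])
        if "receive_override_options" not in args:
            continue
        if not re.search(r"-o receive_override_options=\S*no_header_body_checks", args):
            findings.append((service, "malformed override (spaces around '='?)"))
            continue
        if stype != "inet":
            continue  # pickup: local submission only, no network listener
        host = service.rsplit(":", 1)[0] if ":" in service else None
        if host is None:
            findings.append((service, "bypass on listener with no address"))
        elif host not in allowed:
            findings.append((service, "bypass on non-internal address"))
        elif host in inet_interfaces:
            findings.append((service, "address also listed in inet_interfaces"))
    return findings
```

Calling audit_bypass(SAMPLE_MASTER_CF, {"192.168.100.11"}, {"192.168.100.12", "127.0.0.1"}) reports only the constructed "submission" entry; the three entries from this how-to pass.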
Summary
Here's a quick summary of the steps to bypass header and body checks for internal users:
1. Obtain or identify an IP address to use for internal email relaying. Using
   either a second interface or IP aliasing, configure your system with the
   second IP address. Make sure that the new address comes up when the system
   initializes.
2. Set the parameter inet_interfaces in main.cf so that your original smtpd
   does not use your new internal IP address.
3. Add entries to master.cf for the new IP address and for the loopback IP.
   Include the configuration option
   -o receive_override_options=no_header_body_checks to skip body and header
   checks. Also, add the same configuration override to the pickup daemon to
   skip the checks.
4. Stop and restart Postfix. Check your log file for any problems.