In the following example, the before-filter Postfix SMTP server
gives mail to a content filter that listens on localhost port 10025.
The after-filter Postfix SMTP server receives mail from the content
filter via localhost port 10026. From then on mail is processed as
usual.
The content filter itself is not described here. You can use
any filter that is SMTP enabled. For non-SMTP capable content
filtering software, Bennett Todd's SMTP proxy implements a nice
PERL/SMTP content filtering framework. See:
https://bent.latency.net/smtpprox/.
This is configured by editing the master.cf file:
/etc/postfix/master.cf:
    # =============================================================
    # service type  private unpriv  chroot  wakeup  maxproc command
    #               (yes)   (yes)   (yes)   (never) (100)
    # =============================================================
    #
    # Before-filter SMTP server. Receive mail from the network and
    # pass it to the content filter on localhost port 10025.
    #
    smtp      inet  n       -       n       -       20      smtpd
        -o smtpd_proxy_filter=127.0.0.1:10025
        -o smtpd_client_connection_count_limit=10
    #
    # After-filter SMTP server. Receive mail from the content filter
    # on localhost port 10026.
    #
    127.0.0.1:10026 inet n  -       n       -       -       smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks
Note: do not specify spaces around the "=" or "," characters.
The before-filter SMTP server entry is a modified version of the
default Postfix SMTP server entry that is normally configured at
the top of the master.cf file:
- The number of SMTP sessions is reduced from the default
  100 to only 20. This prevents a burst of mail from running your
  system into the ground with too many content filter processes.
- The "-o smtpd_client_connection_count_limit=10" prevents
  one SMTP client from using up all 20 SMTP server processes.
  This limit is not necessary if you receive all mail from a
  trusted relay host.
  Note: this setting is ignored by the stable Postfix 2.1
  release. The feature will be available only in the experimental
  release until Postfix 2.2.
- The "-o smtpd_proxy_filter=127.0.0.1:10025" tells the
  before filter SMTP server that it should give incoming mail to
  the content filter that listens on localhost TCP port 10025.
- Postfix 2.3 supports both TCP and UNIX-domain filters.
  The above filter could be specified as "inet:127.0.0.1:10025".
  To specify a UNIX-domain filter, specify "unix:pathname".
  A relative pathname is interpreted relative to the Postfix queue
  directory.
The after-filter SMTP server is a new master.cf entry:
- The "127.0.0.1:10026" makes the after-filter SMTP
  server listen on the localhost address only, without exposing
  it to the network. NEVER expose the after-filter SMTP server to
  the Internet :-)
- The "-o smtpd_authorized_xforward_hosts=127.0.0.0/8"
  allows the after-filter SMTP server to receive remote SMTP
  client information from the before filter SMTP server, so that
  the after-filter Postfix daemons log the remote SMTP client
  information instead of logging localhost[127.0.0.1].
- The other after-filter SMTP server settings avoid
  duplication of work that is already done in the "before filter"
  SMTP server.
By default, the filter has 100 seconds to do its work. If it
takes longer, Postfix gives up and reports an error to the
remote SMTP client. You can increase this time limit (see the
configuration parameter section below), but doing so is pointless
because you can't control when the remote SMTP client times out.