Postfix : Open New Instance With Filters

It's quite often our client is asking to add another server IP in trusted network list (a.k.a mynetworks) for sending email without any authentication, but sometime in the future it can be chaos since the application server possibly infected by malware that sending spam email outside. so then to prevent that we can instruct postfix to add instance that will be listen in port other than usually (port 25) and we enforce the rule to make sure it's originally email comes from legitimate sender, we can combine all filters together base on criteria such as by sender, headers, etc.

  •  I'm using zimbra's postfix for these steps, you can adjust in your own local postfix's configuration.
  •  For the filter we will enforcing sender is, with subject that begin or must include with word Notifikasi.
  • The allowed sender will be listed in a file, also we do the same for the header filters (Subject). 
  • The port will be listen on port 4545.
Create the reference file for sender filtering, we are using regex pattern for flexibility
vim /opt/zimbra/common/conf/allowed_app_senders

/ OK

Then we create filter rule by email headers.
vim /opt/zimbra/common/conf/allowed_app_headers

/^Subject:(.*Notifikasi.*)$/    OK  
/^Subject:(.*)$/        REJECT rejected for subject: ${1} 

Edit postfix main configuration, Add following line in the most bottom, file allowed_app_senders is what we prepared before.
vim /opt/zimbra/common/conf/

filter4545=check_sender_access regexp:/opt/zimbra/common/conf/allowed_app_senders,reject
Add following configuration in posftix daemon configuration, add following lines in the bottom.
vim /opt/zimbra/common/conf/

msa_cleanup unix    n   -   n   -   0   cleanup
    -o header_checks=regexp:/opt/zimbra/common/conf/allowed_app_headers

4545 inet n  -       n       -       -  smtpd
    -o cleanup_service_name=msa_cleanup
    -o smtpd_sender_restrictions=$filter4545
    -o mynetworks=
    -o syslog_name=postfix/port4545

Restart the postfix service to apply the configurations.
su - zimbra

zmmtact restart

try to send message by telnet to make sure it running as expected
telnet 4545


Popular posts from this blog

Disable sending telemetry data in DotNet

Running debug SMTP server with python