Turning Off Body & Header Checks for Internal Users

Since Postfix body and header checks do not have a way to whitelist known good clients or IP addresses, administrators generally configure a separate content filter to handle anything more complicated than simple checks that they can confidently apply to all messages. In many situations, however, you might find it helpful to disable body and header checks for internal users. Email from the outside is still subject to the checks, but internal messages do not use up processing and memory resources, and you do not risk generating false positives on messages from your own users. This How-To describes one way to bypass header and body checks for internal senders using the receive_override_options feature that was introduced in version 2.1 (and earlier snapshots) of Postfix. If you are using a version prior to 2.1, the technique described here will not work. This method also requires an additional IP address for your Postfix system.

The idea is simple enough. Set up an additional smtpd instance for your internal users and disable body and header checks for that instance only. We will also disable body and header checks in the pickup daemon so that messages submitted locally (on the same machine) will bypass content checking as well. The second smtpd instance listens on a separate IP address. You should obtain an IP address from your network administrator. If your system has multiple network interfaces, then you may already have a second IP address to use. If one interface is for an internal subnet, use its IP address as the second one. If you don't have two or more network cards, configure the second IP address as an alias on your single network interface.

Adding an IP Address

If you have two interfaces, and you've identified the IP address of the one you will use for internal users, you're all set. Skip ahead to "Configuring Postfix" below. Otherwise, the task of creating IP address aliases differs across various Unix platforms. Check your system documentation to see how it is done on your operating system. Most Unix platforms use the ifconfig command. You will probably find the information you need in the ifconfig man page. For example, Linux and HP-UX use an index number along with the name of the interface. Configuring the second IP address 192.168.100.12 on Linux looks like the following:

# ifconfig eth0:0 192.168.100.12 netmask 255.255.255.0

Other platforms, like FreeBSD and IRIX, use an alias command along with ifconfig, for example:

# ifconfig ef0 alias 192.168.100.12 netmask 255.255.255.255

You will want to configure your system so that the second IP address is automatically set when your system boots up. See your system documentation for the best way to do that. Also, if this second interface is accessible from the Internet, make sure that you configure your firewall so that external systems cannot reach it. It's meant to be accessed by your internal users only.

Configuring Postfix

Now that you have a second IP address, you need to configure Postfix to start a second instance of smtpd to handle requests over that address. Before getting to that, however, you need to make sure that your primary smtpd does not gobble up all of the IP addresses before your second instance gets a chance at one. You can do that by editing the inet_interfaces parameter in your main.cf file. The parameter inet_interfaces specifies which of your interfaces Postfix should listen on, and by default, it's set to "all." You want to set it so that Postfix listens on all IP addresses except the one we're configuring for bypassing content checks. (We'll get Postfix listening on that one next.)

Edit main.cf and find or add the inet_interfaces parameter. Set it to your main IP address (plus any additional IP addresses you may have excluding the new one). In this example, the main IP address is 192.168.100.11, and it is the only IP address the original smtpd daemon should respond on.

#
# main.cf
#
inet_interfaces = 192.168.100.11

Next we'll create a new entry in master.cf to add the additional instance of smtpd. This entry is identified by the new IP address plus the smtp port, which it should listen on. The entry includes a configuration option to turn off body and header checks through the receive_override_options parameter:

#
# master.cf
#
192.168.100.12:smtp inet  n     -     n     -    - smtpd
   -o receive_override_options=no_header_body_checks

Note that the second line must start with whitespace to indicate that it is a continuation of the previous line. There cannot be any spaces between receive_override_options, the equals sign, and no_header_body_checks. If you want to make other configuration changes to this instance, you can add them in the same way. Apart from the parameters you override here, this instance uses the same configuration from main.cf.

Also create a similar entry for the loopback address and add the same no_header_body_checks feature to the pickup daemon so that all mail submitted locally will also bypass the checks. The entries in the master.cf file (including the original smtpd entry) should look like the following:

smtp                inet  n     -     n     -     -   smtpd
192.168.100.12:smtp inet  n     -     n     -     -   smtpd
   -o receive_override_options=no_header_body_checks
127.0.0.1:smtp      inet  n     -     n     -     -   smtpd
   -o receive_override_options=no_header_body_checks
pickup              fifo  n     -     n    60     1   pickup
   -o receive_override_options=no_header_body_checks

You will have to stop and start Postfix after making these changes. A reload is not enough when adding or changing interfaces:

# postfix stop
postfix/postfix-script: stopping the Postfix mail system
# postfix start
postfix/postfix-script: starting the Postfix mail system

Be sure to check your log file to make sure there are no errors.

Tell your users to set their email clients to use 192.168.100.12 (or its hostname) as their SMTP server. Then all mail from your local network or from the machine itself will skip body and header checks configured in main.cf.
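
A check you can run over master.cf before restarting, added here as an example (it is not part of the original article or of Postfix). It joins continuation lines the way described above, flags -o options broken by spaces around the equals sign, and reports any inet listener that skips the checks on an address outside the internal list; the function names and the internal address list are assumptions, and it assumes plain name=value overrides as shown on this page.

```python
# Constructed sample: the master.cf entries shown in this article.
SAMPLE = """\
smtp                inet  n     -     n     -     -   smtpd
192.168.100.12:smtp inet  n     -     n     -     -   smtpd
   -o receive_override_options=no_header_body_checks
127.0.0.1:smtp      inet  n     -     n     -     -   smtpd
   -o receive_override_options=no_header_body_checks
pickup              fifo  n     -     n    60     1   pickup
   -o receive_override_options=no_header_body_checks
"""

def parse_master_cf(text):
    """Join continuation lines, then return one dict per service entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()         # leading whitespace: continuation
        else:
            logical.append(line.strip())
    entries = []
    for fields in (entry.split() for entry in logical):
        if len(fields) < 8:
            continue                                  # not a complete service entry
        args, overrides, malformed = fields[8:], {}, []
        for i, tok in enumerate(args[:-1]):
            if tok == "-o":
                name, eq, value = args[i + 1].partition("=")
                if name and eq and value:
                    overrides[name] = value
                else:
                    malformed.append(args[i + 1])     # e.g. spaces around "="
        entries.append({"service": fields[0], "type": fields[1],
                        "overrides": overrides, "malformed": malformed})
    return entries

def audit(entries, internal=("192.168.100.12", "127.0.0.1")):
    """Report listeners that skip the checks but are not on the internal list."""
    findings = []
    for e in entries:
        findings += [f"{e['service']}: malformed -o option {m!r}" for m in e["malformed"]]
        flags = e["overrides"].get("receive_override_options", "").split(",")
        host = e["service"].rpartition(":")[0]        # "" means all inet_interfaces
        if "no_header_body_checks" in flags and e["type"] == "inet" and host not in internal:
            findings.append(f"{e['service']}: checks disabled on non-internal listener")
    return findings

if __name__ == "__main__":
    print(audit(parse_master_cf(SAMPLE)) or "no findings")
```

An empty result means the override appears only on the internal address, the loopback address and pickup, which is the layout this article sets up.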

Summary

Here's a quick summary of the steps to bypass header and body checks for internal users:

  1. Obtain or identify an IP address to use for internal email relaying. Using either a second interface or IP aliasing, configure your system with the second IP address. Make sure that the new address comes up when the system initializes.
  2. Set the parameter inet_interfaces in main.cf so that your original smtpd does not use your new internal IP address.
  3. Add entries to master.cf for the new IP address and for the loopback IP. Include the configuration option -o receive_override_options=no_header_body_checks to skip body and header checks. Also, add the same configuration override to the pickup daemon to skip the checks.
  4. Stop and restart Postfix. Check your log file for any problems.