postfix-users April 2011 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Nulls not being stripped from incoming mail

Re: Nulls not being stripped from incoming mail

From: Jeroen Geilman <jeroen_at_nospam>
Date: Wed Apr 13 2011 - 01:29:07 GMT
To: postfix-users@postfix.org

On 04/12/2011 08:59 PM, Rich Wales wrote:
> Wietse wrote:
>
>
>> However, message_strip_characters has no effect when mail is received with
>>
>> receive_override_options = no_header_body_checks ...
>>
>> This is set either in master.cf or main.cf.
>>
> And indeed, I have no_header_body_checks specified in my master.cf file --
> for "smtp", and also for port 10025 (reinjection of mail after scanning by
> AMaViS).
>
> I understand (from the postconf.5 page) that no_header_body_checks is
> "typically specified AFTER an external content filter" -- so I'm guessing
> it does need to stay in the configuration for port 10025.
>

Typically, yes, otherwise header_checks would be performed twice: once
on reception and once after the content_filter.
This wouldn't serve any meaningful purpose for IGNOREs, and would
probably muck things up for PREPEND.
Additionally, if you're using header_checks to FILTER to a
content_filter, not disabling header_checks on re-injection would loop.

Here's the fine print:
http://www.postfix.org/BUILTIN_FILTER_README.html#what

> I'm not really sure at this point why I have no_header_body_checks as part
> of my "smtp" configuration in master.cf. Is this appropriate?
It's not a default configuration, and makes very little sense there.

> Or should I remove it?

Yes.

> Aside from this null-stripping issue, what (if any) changes
> in behaviour should I expect to see if I do remove no_header_body_checks
> from "smtp"?
>

If you're not /using/ header_checks, none.
If you ARE, then header_checks has not worked up to now, and removing
the above will suddenly, magically, make header_checks start to work on
smtpd(8) mail.

> I'm including a copy (see below) of the "smtp" configuration stanza from
> my master.cf file.
>
> Rich Wales
> richw@richw.org
>
> ==========================================================================
>
> smtp inet n - n - - smtpd
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o
> smtpd_recipient_restrictions=check_client_access,hash:/etc/postfix/smtp_access,check_client_access,cidr:/etc/postfix/block_spam_ipaddrs,permit_mynetworks,sleep,1,reject_unauth_pipelining,reject_invalid_helo_hostname,reject_unauth_destination,reject_unlisted_recipient,reject_rbl_client,zen.spamhaus.org
> -o smtpd_delay_reject=yes
> -o receive_override_options=no_header_body_checks
>
> ==========================================================================
>

I wonder where this configuration came from.

Try to override as few main.cf parameters as possible, as this makes the
configuration harder to understand and maintain (overrides don't show up
in postconf -n either)

Specifically, smtpd_mumble_restrictions are set in main.cf and become
the default values for all smtpd(8) processes - unless overridden.

The main smtpd(8) listener is the primary process for which these
options exist; just move them to main.cf.

It's the re-injection listener you want to put certain overrides on,
such as, indeed, receive_override_options=no_header_body_checks.
You probably also want to disable repeated alias expansion by adding
"no_address_mappings" to the above.

There is no need to duplicate defaults such as delay_reject=yes and
empty client and helo restrictions - just get rid of them, or move them
to main.cf, as appropriate.

In fact, the ONLY thing that is neither a default nor misplaced is

     receive_override_options=no_header_body_checks

- and that's the one that makes the least sense to use here.

If you *have* header_checks, not doing them at smtpd(8) time means they
won't get done.

-- J.