From: Mark M. <Mar...@ij...> - 2007-10-30 17:47:14
Jordi,

> ¿Is it possible to make a policy bank which permits the domain users to
> send .exe-like files but doesn't receive them?

It is possible to have a policy bank install its own set of banning rules,
which allows, for example, mail originating from inside to have less
strict banning rules than incoming mail. Search for %banned_rules and
banned_filename_maps in RELEASE_NOTES. See also:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks
and examples there.

Here is another example:

  %banned_rules = (
    'ALLOW_EXE' =>
      # pass executables except if name ends in .vbs .pif .scr .bat
      new_RE( qr'.\.(vbs|pif|scr|bat)$'i,
              [qr'^\.exe$' => 0] ),
    'NO-VIDEO' => new_RE(
      qr'^\.movie$',
      qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i,
    ),
    'NO-MOVIES' => new_RE(
      qr'^\.movie$',
      qr'.\.(mpg|avi|mov)$'i,
    ),
    'DEFAULT' => $banned_filename_re,
  );

  @mynetworks = qw( ... );  # list your internal networks here

  $policy_bank{'MYNETS'} = {  # mail originating from @mynetworks
    banned_filename_maps => ['ALLOW_EXE,DEFAULT'],
  };

> After all my last goal is make not permit the .exe-like file traffic in
> any direction (inbound/outbound) by default but permit the outbound in
> only few accounts. ¿Can I do it?

The MTA will need to map these privileged accounts to a content filter
port number, so that you could assign an appropriate policy bank to it.
The simplest would be to provide a separate smtpd postfix service for them
(with its own -o content_filter setting), accessible only to these
authorized accounts. Or perhaps a combination of check_sender_access
with a FILTER (combined with an access restriction based on client's
IP address or SASL authorization) could be used.

  Mark
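
The port-to-policy-bank mapping described in the last paragraph of the message, written out as an amavisd.conf fragment. This is an added example, not part of the original post: port 10026, the bank name EXE_SENDERS and the transport name smtp-amavis are assumptions, and ALLOW_EXE / DEFAULT are the %banned_rules entries from the message.

```perl
# amavisd.conf fragment (added example, not from the original message).
# Assumed names: port 10026, policy bank 'EXE_SENDERS'.
# 'ALLOW_EXE' and 'DEFAULT' are the %banned_rules entries shown in the
# message above and must be defined before this fragment.

# Listen on the normal filter port and on a second, dedicated port.
$inet_socket_port = [10024, 10026];

# Mail arriving on 10024 (inbound and ordinary outbound) keeps the
# default $banned_filename_re, so .exe-like files stay banned in both
# directions, as long as no other bank (such as MYNETS) installs a
# more permissive banned_filename_maps.

# Mail handed over on port 10026 loads the EXE_SENDERS policy bank.
$interface_policy{'10026'} = 'EXE_SENDERS';

$policy_bank{'EXE_SENDERS'} = {
  # Rule names are listed in the order they are consulted:
  # ALLOW_EXE first, then the site default.
  banned_filename_maps => ['ALLOW_EXE,DEFAULT'],
};

# MTA side (assumed, configured in Postfix, not here): the separate
# smtpd service that only the authorized accounts can reach sets
#   -o content_filter=smtp-amavis:[127.0.0.1]:10026
# where 'smtp-amavis' is an assumed master.cf transport name.
```

With this layout the relaxed rules depend entirely on which port the MTA delivers to, so the access restriction on that smtpd service is what actually limits who may send executables.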