
Postfix and sending incoming emails to script instead of sending

I want to use Postfix to accept incoming emails and have it send them to an external Python script which parses them and adds them to a database.

I read that this could be done via a Policy file.

My first question is what should the policy file return to have Postfix delete the email from the queue with a success message to the sender.

My second question is can I use the Policy file to validate the SMTP authentication that was sent by the client? If not, is there any way of having it use an external script to validate the login?

Thanks!

  • Christian


If you need SMTP authentication anyway and just want a script to act as MDA, I think you can do it simply by setting mailbox_command = /path/to/my/script in /etc/postfix/main.cf and configuring an authentication scheme. If you have dovecot running, too, I can recommend having postfix authenticate via dovecot, which is very configurable when it comes to SASL authentication.

Update

Since you will be having plaintext passwords going over the wire (assuming this service is reachable from the network), I recommend permitting authentication only over an encrypted line. The configuration I'm going to show will still accept mails for which the server is the destination without authentication. As far as I know, that behaviour is mandated by an RFC for SMTP servers which are reachable from the internet.

Announce SASL authentication only over encrypted connections

smtpd_tls_auth_only=yes

Don't require everyone to talk to you over an encrypted channel

smtpd_tls_security_level=may

SASL boilerplate

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain

For whom to accept mail. This is worked left to right, until a permitting or denying rule is encountered. Fallback behaviour would be to permit.

smtpd_recipient_restrictions = permit_auth_destination, reject_plaintext_session, permit_sasl_authenticated, reject
  • permit_auth_destination as first rule would make sure that clients may deliver mail to users for which I feel responsible unauthenticated. The clients may choose whether to use TLS or not.
  • reject_plaintext_session as second rule makes sure that all other rules further down the line can assume an encrypted channel.
  • permit_sasl_authenticated is self-explanatory
  • reject as last rule basically changes the default policy to "deny".

If you don't want to accept mails without SMTP authentication, you may want to drop the first rule of smtpd_recipient_restrictions.

Not shown is the configuration of the SSL certificate and how to tell postfix about it (the latter of which is easy).

0
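As an added example (not part of the original answer or of Postfix itself), here is a script that could sit behind mailbox_command: it reads the message Postfix pipes to it, files it into SQLite with bound parameters, and uses the exit status to tell Postfix whether to drop the message from the queue or retry. The database path, the MAIL_DB variable, the table layout and the function names are assumptions.

```python
#!/usr/bin/env python3
import email
import email.policy
import os
import sqlite3
import sys

EX_OK = 0         # delivered: Postfix removes the message from its queue
EX_TEMPFAIL = 75  # sysexits.h: Postfix defers the message and retries later
DB_PATH = os.environ.get("MAIL_DB", "/var/lib/mailstore/mail.db")  # assumed path


def store_message(raw, env_from, env_to, db_path):
    """Insert one message; return its row id. Parsing failures never lose the raw mail."""
    hdr_from = subject = body = ""
    try:
        msg = email.message_from_bytes(raw, policy=email.policy.default)
        hdr_from, subject = str(msg["From"] or ""), str(msg["Subject"] or "")
        part = msg.get_body(preferencelist=("plain", "html"))
        body = part.get_content() if part is not None else ""
    except Exception:
        pass  # malformed input from the network: keep the raw bytes, leave parsed fields empty
    # Undecodable bytes can surface as lone surrogates, which SQLite text cannot hold.
    fields = [s.encode("utf-8", "replace").decode("utf-8")
              for s in (env_from, env_to, hdr_from, subject, body)]
    db = sqlite3.connect(db_path)
    with db:  # one transaction: commit on success, roll back on error
        db.execute(
            "CREATE TABLE IF NOT EXISTS mail (id INTEGER PRIMARY KEY, env_from TEXT,"
            " env_to TEXT, hdr_from TEXT, subject TEXT, body TEXT, raw BLOB)")
        # Every value is sender-controlled, so bind parameters; never build SQL from them.
        cur = db.execute(
            "INSERT INTO mail (env_from, env_to, hdr_from, subject, body, raw)"
            " VALUES (?, ?, ?, ?, ?, ?)", (*fields, raw))
    return cur.lastrowid


def main():
    raw = sys.stdin.buffer.read()  # Postfix pipes the message to the command's stdin
    try:
        # local(8) exports the envelope addresses as SENDER and RECIPIENT.
        store_message(raw, os.environ.get("SENDER", ""), os.environ.get("RECIPIENT", ""), DB_PATH)
    except sqlite3.Error as exc:
        print(f"mail store unavailable: {exc}", file=sys.stderr)
        return EX_TEMPFAIL
    return EX_OK


if __name__ == "__main__":
    sys.exit(main())
```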
