[Postfixbuch-users] Spamassassin scannt nicht alle Mails

Kai Fürstenberg postfix at fuersti-net.de
Mi Jun 7 11:08:47 CEST 2006 

Kai Fürstenberg wrote:
> Hallo,
> 
> niels_kalle wrote:
>> [..]
>>> Lass uns doch mal ein Update machen. Schick bitte nochmals deine 
>>> aktuelle master.cf, postconf -n, und die, sagen wir mal 20-30 ersten 
>>> Zeilen der amavisd.conf
>> OK, du hast es so gewollt... ;), hier kommt der Output von postconf -n:
>>
>> 2bounce_notice_recipient = postmaster
>> access_map_reject_code = 554
>> alias_maps = mysql:/etc/postfix/mysql-aliases.cf
>> allow_percent_hack = yes
>> append_at_myorigin = yes
>> append_dot_mydomain = yes
>> biff = no
>> body_checks = pcre:/etc/postfix/body_checks.pcre
>> bounce_notice_recipient = postmaster
>> bounce_size_limit = 65536
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/sbin
>> command_time_limit = 600s
>> config_directory = /etc/postfix
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> daemon_directory = /usr/lib/postfix
>> debug_peer_level = 2
>> debug_peer_list = mail.humbug.org, nikster.humbug.org, localhost
>> default_destination_concurrency_limit = 5
>> default_destination_recipient_limit = 1000
>> default_process_limit = 150
>> default_rbl_reply = $rbl_code Service unavailable; $rbl_class
>> [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} -
>> contact postmaster at humbug.org for details
>> delay_notice_recipient = postmaster
>> delay_warning_time = 1h
>> disable_dns_lookups = no
>> disable_vrfy_command = yes
>> double_bounce_sender = double-bounce
>> duplicate_filter_limit = 1000
>> empty_address_recipient = postmaster
>> error_notice_recipient = postmaster
>> header_checks = pcre:/etc/postfix/header_checks.pcre
>> header_size_limit = 204800
>> home_mailbox = .maildir/
>> hopcount_limit = 50
>> html_directory = /usr/share/doc/postfix-2.2.5/html
>> ignore_mx_lookup_error = yes
>> in_flow_delay = 1s
>> inet_interfaces = all
>> initial_destination_concurrency = 2
>> invalid_hostname_reject_code = 501
>> line_length_limit = 4096
>> local_destination_concurrency_limit = 10
>> local_destination_recipient_limit = 1000
>> local_transport = no local mail delivery
>> mail_name = humbug Mailservices
>> mail_owner = postfix
>> mailbox_command = /usr/bin/procmail
>> mailbox_size_limit = 0
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> maps_rbl_reject_code = 554
>> max_idle = 10s
>> max_use = 20
>> maximal_backoff_time = 3600s
>> maximal_queue_lifetime = 1d
>> message_size_limit = 10240000
>> minimal_backoff_time = 60s
>> mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain
>> mydomain = humbug.org
>> myhostname = mail.humbug.org
>> mynetworks = 127.0.0.0/8
>> newaliases_path = /usr/bin/newaliases
>> non_fqdn_reject_code = 504
>> notify_classes = resource, software
>> prepend_delivered_header = forward
>> qmgr_message_active_limit = 10000
>> qmgr_message_recipient_limit = 10000
>> queue_directory = /var/spool/postfix
>> queue_minfree = 603979776
>> queue_run_delay = 1h
>> readme_directory = /usr/share/doc/postfix-2.2.5/readme
>> reject_code = 554
>> relay_domains_reject_code = 554
>> relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
>> require_home_directory = no
>> sample_directory = /etc/postfix
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> smtp_tls_note_starttls_offer = yes
>> smtpd_banner = mail.humbug.org ESMTP $mail_name
>> smtpd_client_restrictions = permit_mynetworks        check_client_access
>> $default_database_type:/etc/postfix/rbl_checks_client_whitelist
>> check_sender_access
>> $default_database_type:/etc/postfix/rbl_checks_sender_whitelist
>> check_recipient_access
>> $default_database_type:/etc/postfix/rbl_checks_recipient_whitelist
>>   rbl_checks        permit
>> smtpd_data_restrictions = reject_unauth_pipelining        permit
>> smtpd_delay_reject = yes
>> smtpd_error_sleep_time = 1s
>> smtpd_etrn_restrictions = reject
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks
>> permit_sasl_authenticated        reject_invalid_hostname        permit
>> smtpd_recipient_limit = 10000
>> smtpd_recipient_restrictions = permit_mynetworks
>> reject_unknown_recipient_domain        reject_non_fqdn_recipient
>> permit_auth_destination        permit_sasl_authenticated
>> check_sender_access regexp:/etc/postfix/nice_reject        reject
>> smtpd_restriction_classes = rbl_checks
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain =
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sender_restrictions = permit_mynetworks
>> permit_sasl_authenticated        permit
>> smtpd_timeout = 300s
>> smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
>> smtpd_tls_cert_file = /etc/postfix/tls/newcert.pem
>> smtpd_tls_key_file = /etc/postfix/tls/newreq.pem
>> smtpd_tls_loglevel = 3
>> smtpd_tls_received_header = yes
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> soft_bounce = no
>> strict_rfc821_envelopes = yes
>> swap_bangpath = yes
>> tls_random_source = dev:/dev/urandom
>> transport_maps = mysql:/etc/postfix/mysql-transport.cf
>> transport_retry_time = 30s
>> undisclosed_recipients_header = To: undisclosed-recipients:;
>> unknown_address_reject_code = 550
>> unknown_client_reject_code = 550
>> unknown_hostname_reject_code = 550
>> unknown_local_recipient_reject_code = 550
>> unknown_relay_recipient_reject_code = 550
>> unknown_virtual_alias_reject_code = 550
>> unknown_virtual_mailbox_reject_code = 550
>> virtual_transport = virtual  virtual_minimum_uid = 1000
>> virtual_gid_maps = static:1000  virtual_mailbox_maps =
>> mysql:/etc/postfix/mysql-virtual-maps.cf  virtual_alias_maps =
>> mysql:/etc/postfix/mysql-virtual.cf  virtual_uid_maps = static:100
>> virtual_mailbox_base = /home/vmail
> 
> Soweit ok. Die ein oder andere Sache sollte vielleicht noch angepasst 
> werden. Mir ist aufgefallen, dass du in den smtpd_sender_restrictions 
> _alles_ erlaubst: permit_mynetworks, permit_sasl_authenticated, permit. 
> Vielleicht leer lassen :-)
> 
>> Das ist etwas viel, aber ich habe schon mehrere Mailserver mit Postfix
>> gebaut und da sind eine Menge nuetzlicher (und weniger nuetzlicher)
>> Optionen, bzw. evtl. auch Leichen zusammengekommen. :)
>>
>> Hier die ersten 30 (unkommentierten) Zeilen der amavisd.conf:
>>
>> $MYHOME = '/var/amavis';   # (default is '/var/amavis')
>> $mydomain = 'humbug.org';      # (no useful default)
>> $myhostname = 'nikster.humbug.org';  # fqdn of this host, default by
>> uname(3)
>> $daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)
>> $daemon_group = 'amavis';   # (no default;  customary: vscan or amavis
>> or sweep)
>> $TEMPBASE = "$MYHOME/tmp";      # prefer to keep home dir /var/amavis clean?
>> $db_home = "$MYHOME/db";        # DB databases directory, default
>> "$MYHOME/db"
>> $helpers_home = $MYHOME;        # (defaults to $MYHOME)
>> $ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
>> $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and
>> nanny)
>> $enable_global_cache = 1;    # enabl
>> $max_servers  =  4;   # number of pre-forked children          (default 2)
>> $max_requests = 20;   # retire a child after that many accepts (default 10)
>> $child_timeout=5*60;  # abort child if it does not complete each task in
>> @local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains
>> $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
> ^^^^
> Diese Zeile solltest du auskommentieren. Amavis weiss sonst nicht, ob er 
> auf einen Socket (oben) oder einen Port (s. nächste Zeile) lauschen 
> soll. Da sollte auch was entsprechendes in den Logfiles stehen.
> 
>> $inet_socket_port = 10024;        # accept SMTP on this local TCP port
>> @inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
>> $DO_SYSLOG = 1;                   # (defaults to 0)
>> $LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
>> $log_level = 0;           # (defaults to 0)
>> $log_recip_templ = undef;  # undef disables by-recipient level-0 log entries
>> $final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)
>> $final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
>> $final_spam_destiny       = D_DISCARD;  # (defaults to D_BOUNCE)
>> $final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE
>> suggested
>> $warnspamsender = 1;    # (defaults to false (undef))
> 
> Hier ist noch eine Sache, die aber jetzt nichts mit dem Problem zu tun hat:
> Möchtest du über den syslogd ($DO_SYSLOG = 1;) oder in ein Logfile 
> ($LOGFILE = "$MYHOME/amavis.log";) loggen? Beim Syslog solltest du einen 
> Level z.B. mit
>    $SYSLOG_LEVEL = 'mail.debug';
> definieren und $LOGFILE auskommentieren.
> 
> Hast du noch eben die master.cf zur Hand?
> Du hast gesagt, interne Mails werden gescannt, reinkommende jedoch 
> nicht. Hast du ein paar Log-Daten hierzu?

Wart mal eben.
Das ist nicht so ganz klar geworden. Wieso glaubst du, dass Amavis keine 
SA-Checks bei eingehenden Mails durchführt? Zum genauen Test: Setz 
$log_level mal auf 5, also hammermäßiges Logging ;-)
Im Log taucht dann unter hunderten von anderen Log eine bestimmte auf
Jun  7 10:13:46 root amavis[32433]: (32433-01) spam_scan: score=0.87 
tests=[..]
Das heisst, die Mail wurde gescannt. Nur werden nicht unbedingt 
entsprechende Header-Zeilen zu der Mail hinzugefügt. Die werden erstens 
nur für lokale Empfänger ergänzt ($mydomain in amavid.conf) und zudem 
nur, wenn die Score höher als $sa_tag_level_deflt ist.
Sollen immer Header-Zeilen ergänzt werden, einfach $sa_tag_level_deflt 
auf undef setzen. Außerdem darauf achten, dass *alle* Domains in 
$mydomain eingetragen sind.

Kai

Mehr Informationen über die Mailingliste Postfixbuch-users