[Postfixbuch-users] Amavis as smtpd_proxy_filter: bounces for SASL-authenticated (own) users, rejects for everyone else
Torben Dannhauer
torben at dannhauer.info
Wed Apr 27 15:59:43 CEST 2011
Hello,
I have a problem configuring my Postfix correctly in combination with Amavis.
I use Amavis as a proxy_filter, which so far works without problems.
Now I have played around a bit with the GTUBE spam test. When an e-mail with this test spam arrives from outside, Amavis as proxy_filter blocks this mail with D_REJECT. -> That is how it should be.
When I try to send a GTUBE spam e-mail from my mail server to the outside, the submission by Outlook is blocked by amavis as well.
It is correct to block the spam e-mail, but Outlook apparently does not notice the REJECT in the SMTP protocol, so the sender does not notice that his e-mail did not go out.
-> Approach: SASL-authenticated users should not receive a reject, but a bounce from Amavis (D_BOUNCE instead of D_REJECT).
For this I wanted to use policy_banks. Conveniently there is even a policy_bank 'MYUSERS', but unfortunately this policy_bank does not take effect for me.
Of course I could use two different IPs, one for the MX and one for the internal users, but that is somehow ugly; 'MYUSERS' would be nicer.
Question a): What could be the reason that MYUSERS is not recognized in Amavis?
Question b): Are there other solutions to get bounces for our own users and to use REJECTs for all other SMTP submissions?
Many thanks for the help, I am a bit lost at the moment.
Torben Dannhauer
My data:
OS: Debian Squeeze
main.cf, master.cf, amavis conf (conf.d/50-user)
---------------------------- Amavis conf: --------------------------
cat /etc/amavis/conf.d/50-user
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$inet_socket_port = [10024, 10030];
$log_level = 4;
# Virus and SPAM check is disabled by default, therefore we have to enable it:
@bypass_virus_checks_maps = (
  \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
  \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
$final_virus_destiny      = D_REJECT; # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT; # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;   # False-positive prone (for spam)
$sa_spam_subject_tag = '****SPAM**** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
                             # (only relevant if D_BOUNCE is used)
# Do not save mails in quarantine
$virus_quarantine_to      = undef;
$spam_quarantine_to       = undef;
$banned_quarantine_to     = undef;
$bad_header_quarantine_to = undef;
# configure how many instances amavis should run at max (postfix-limit+1 [+1 for AM.DPD])
$max_servers = 7;
# SQL Settings
@lookup_sql_dsn = ([ 'DBI:Pg:database=amavis', 'dbuser', 'hiddenpass' ]);
# Bounce own users on bad behaviour
$policy_bank{'MYUSERS'} = {           # mail supposedly originating from our users
  originating          => 1,          # declare that mail was submitted by our smtp client
  final_virus_destiny  => D_BOUNCE,   # bounce only to authenticated local users
  final_banned_destiny => D_BOUNCE,
  final_spam_destiny   => D_BOUNCE,
};
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
---------------- master.cf---------------------------
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_proxy_filter=localhost:10024
  -o content_filter=
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=smtp-amavis:[localhost]:10024
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/maildrop -w 85 -d ${user}@${nexthop} ${recipient} ${user} ${nexthop} ${sender}
vacation  unix  -       n       n       -       -       pipe
  flags=Rq user=vacation:vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
# Transport method for postfix->amavis to limit the maximum used amavis instances.
smtp-amavis unix -      -       -       -       6       smtp
  -o smtp_data_done_timeout=1800
  -o disable_mime_output_conversion=yes
  -o smtp_generic_maps=
# This port is for the return delivery of scanned emails by amavis.
# This port has no anti spam protection to prevent an infinite loop of
# amavis calls.
localhost:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
# Open port 2333 as alternative SMTP port for ISPs with blocked port 25
smtp:2333 inet  n       -       -       -       -       smtpd
----------------- main.cf-----------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
soft_bounce = no
#
# General Setup
#
default_database_type = btree
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = myhost.domain.tld
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, my-IP
relayhost =
mailbox_size_limit = 0
message_size_limit = 52428800
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# Settings for virtual hosting
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
# Ensures that no mails are written to the filesystem outside this path
virtual_mailbox_base = /var/vmail
# Lookup maps
## global
transport_maps = pgsql:/etc/postfix/pgsql-transport.cf
relocated_maps = pgsql:/etc/postfix/pgsql-relocated.cf
## local
alias_maps = btree:/etc/aliases pgsql:/etc/postfix/pgsql-aliases.cf
alias_database = btree:/etc/aliases
## virtual
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias.cf
# SMTP AUTH (SASL)
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
unknown_local_recipient_reject_code = 550
# Maildrop
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
unknown_maildrop_mailbox_reject_code = 450
## SMTP-Restrictions
smtpd_recipient_restrictions =
    # Whitelist RFC-conform
    check_recipient_access btree:/etc/postfix/access_recipient-rfc,
    # Whitelisting and Blacklisting
    # Don't accept unclean mails
    # reject_non_fqdn_sender,    # Todo: check servers that send using only their name
    # reject_non_fqdn_recipient, # Todo: check what happens with local accounts like root, etc.
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    # Allow own users
    permit_sasl_authenticated,
    permit_mynetworks,
    # Check RBL
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    # Policyd-Weight
    check_policy_service inet:127.0.0.1:12525,
    # Greylisting
    check_policy_service inet:127.0.0.1:10023,
    # Check for known relay recipients
    reject_unverified_recipient,
    # Allow Backup-MX
    permit_mx_backup,
    # Stop all other relaying
    reject_unauth_destination,
    # Now everything is checked
    permit
# Send all email through Amavis:
# No need to call amavis here, the smtp service in master.cf is prepared
# to use amavis as smtpd_proxy_filter.
# TLS PART START
## SMTP Part
smtp_tls_CAfile = /usr/share/ca-certificates/cacert.org/cacert.org.crt
smtp_tls_cert_file = /etc/postfix/tls/jonathan.dannhauer.info.crt
smtp_tls_key_file = /etc/postfix/tls/jonathan.dannhauer.info.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_use_tls = yes
## SMTPD Part
smtpd_tls_CAfile = /usr/share/ca-certificates/cacert.org/cacert.org.crt
smtpd_tls_cert_file = /etc/postfix/tls/jonathan.dannhauer.info.crt
smtpd_tls_key_file = /etc/postfix/tls/jonathan.dannhauer.info.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
smtpd_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
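Added configuration example, not part of the original post: amavisd-new loads a policy bank per listening port via `$interface_policy` (only `MYNETS` is loaded automatically, for clients in `@mynetworks`), so a bank called `MYUSERS` needs an explicit port mapping plus a Postfix service that sends only authenticated submissions to that port. It assumes a `submission` service on port 587 and reuses port 10030, which the posted `$inet_socket_port` already opens.

```perl
# /etc/amavis/conf.d/50-user (fragment, Perl syntax as used by amavisd-new).
# Assumed split: port 10024 keeps serving the MX traffic that the existing
# smtpd_proxy_filter=localhost:10024 sends there; port 10030 is reserved for
# SASL-authenticated submission only.
use strict;

$inet_socket_port = [10024, 10030];

# Bind the listening port to the policy bank. Without this line a bank named
# MYUSERS is never consulted, whatever it contains.
$interface_policy{'10030'} = 'MYUSERS';

$policy_bank{'MYUSERS'} = {
  originating          => 1,         # mail submitted by our own users
  final_virus_destiny  => D_BOUNCE,  # a DSN only makes sense here because
  final_banned_destiny => D_BOUNCE,  # port 10030 is reachable solely through
  final_spam_destiny   => D_BOUNCE,  # the authenticated submission service
};

# Matching Postfix master.cf service (leading whitespace before "-o" is
# required). Clients such as Outlook must submit on 587, not 25, so that
# only authenticated mail reaches the MYUSERS bank:
#
#   submission inet n       -       -       -       -       smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#     -o smtpd_proxy_filter=localhost:10030
#     -o content_filter=

1;  # ensure a defined return
```

Bouncing instead of rejecting turns the filter into a DSN sender, so keeping this bank off the MX port avoids backscatter to forged envelope senders, and the posted `$sa_dsn_cutoff_level = 10` still suppresses DSNs for the highest-scoring messages.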