[Postfixbuch-users] Amavis as smtpd_proxy_filter: bounces for SASL-authenticated (own) users, rejects for everyone else

Torben Dannhauer torben at dannhauer.info
Wed Apr 27 15:59:43 CEST 2011


Hello,

I have a problem configuring my Postfix correctly in combination with Amavis.

I use Amavis as proxy_filter, which so far works without problems.

Now I have been playing around a bit with the GTUBE spam test. When an email with this test spam arrives from outside, Amavis as proxy_filter blocks this mail with D_REJECT. -> That is how it should be.

When I try to send a GTUBE spam email from my mail server to the outside, the submission via Outlook is also blocked by amavis.

Blocking the spam email is correct, but Outlook apparently does not notice the REJECT in the SMTP protocol, so the sender does not notice that his email did not go out.

-> Proposed solution: SASL-authenticated users should not get a reject, but a bounce from Amavis (D_BOUNCE instead of D_REJECT).

For this I wanted to use policy_banks. Conveniently there is even a policy_bank 'MYUSERS', but unfortunately this policy_bank does not take effect for me. Of course I could use two different IPs, one for MX and one for the internal users, but that is somehow ugly; 'MYUSERS' would be nicer.

Question a): What could be the reason that MYUSERS is not recognized in Amavis?

Question b): Are there other solutions to get bounces for my own users and to use REJECTs for all other SMTP submissions?

Many thanks for the help, I am a bit disoriented at the moment.

Torben Dannhauer

My data:

OS: Debian Squeeze

main.cf, master.cf, amavis conf (conf.d/50-user)


---------------------------- Amavis conf:  --------------------------

cat /etc/amavis/conf.d/50-user

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

$inet_socket_port = [10024, 10030];
$log_level = 4;

# Virus and SPAM check is disabled by default, therefore we have to enable it:
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$final_virus_destiny      = D_REJECT;   # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

$sa_spam_subject_tag = '****SPAM**** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
                             # (only relevant if D_BOUNCE is used)

# Do not save mails in quarantine
$virus_quarantine_to = undef;
$spam_quarantine_to = undef;
$banned_quarantine_to = undef;
$bad_header_quarantine_to = undef;

# configure how many instances amavis should run at max (postfix-limit+1 [+1 for AM.DPD])
$max_servers = 7;

# SQL Settings
@lookup_sql_dsn = ([ 'DBI:Pg:database=amavis', 'dbuser', 'hiddenpass' ]);

# Bounce own users on bad behaviour
$policy_bank{'MYUSERS'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  final_virus_destiny => D_BOUNCE, # bounce only to authenticated local users
  final_banned_destiny=> D_BOUNCE,
  final_spam_destiny  => D_BOUNCE,
};

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return

 

 

 

---------------- master.cf---------------------------

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
        -o smtpd_proxy_filter=localhost:10024
        -o content_filter=
pickup    fifo  n       -       -       60      1       pickup
        -o content_filter=smtp-amavis:[localhost]:10024
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/maildrop -w 85 -d ${user}@${nexthop} ${recipient} ${user} ${nexthop} ${sender}
vacation    unix  -       n       n       -       -       pipe
  flags=Rq user=vacation:vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}

# Transport method for postfix->amavis to limit the maximum used amavis instances.
smtp-amavis     unix    -       -       -       -       6       smtp
        -o smtp_data_done_timeout=1800
        -o disable_mime_output_conversion=yes
        -o smtp_generic_maps=

# This port is for the return delivery of scanned emails by amavis.
# This port has no anti spam protection to prevent an infinite loop of amavis calls.
localhost:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_proxy_filter=
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks

# Open port 2333 as alternative SMTP port for ISPs with blocked port 25
smtp:2333      inet  n       -       -       -       -       smtpd

 

 

 

----------------- main.cf-----------------------------

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

soft_bounce = no

#
# General Setup
#
default_database_type = btree

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = myhost.domain.tld
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, my-IP
relayhost =
mailbox_size_limit = 0
message_size_limit = 52428800
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# Settings for virtual hosting
virtual_uid_maps      = static:1001
virtual_gid_maps      = static:1001
# Ensures that no mails are written to the filesystem outside this path
virtual_mailbox_base  = /var/vmail

# Lookup maps
## global
transport_maps = pgsql:/etc/postfix/pgsql-transport.cf
relocated_maps = pgsql:/etc/postfix/pgsql-relocated.cf
## local
alias_maps = btree:/etc/aliases pgsql:/etc/postfix/pgsql-aliases.cf
alias_database = btree:/etc/aliases
## virtual
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-domains.cf
virtual_mailbox_maps    = pgsql:/etc/postfix/pgsql-virtual-mailbox.cf
virtual_alias_maps      = pgsql:/etc/postfix/pgsql-virtual-alias.cf

# SMTP AUTH (SASL)
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients    = yes
unknown_local_recipient_reject_code = 550

# Maildrop
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit   = 1
unknown_maildrop_mailbox_reject_code = 450

## SMTP-Restrictions
smtpd_recipient_restrictions =
# Whitelist RFC-conform
        check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# Whitelisting and Blacklisting
# Don't accept unclean mails
#       reject_non_fqdn_sender, # Todo: check servers that send only via their name
#       reject_non_fqdn_recipient, # Todo: check what happens with local accounts such as root, etc.
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
# Allow own users
        permit_sasl_authenticated,
        permit_mynetworks,
# Check RBL
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.njabl.org,
# Policyd-Weight
        check_policy_service inet:127.0.0.1:12525,
# Greylisting
        check_policy_service inet:127.0.0.1:10023,
# Check for known relay recipients
        reject_unverified_recipient,
# Allow Backup-MX
        permit_mx_backup,
# Stop all other relaying
        reject_unauth_destination,
# Now everything is checked,
        permit

# Send all email through Amavis:
# No need to call amavis there, the smtp method in master.cf is prepared
# to use amavis as smtpd_proxy_filter.

# TLS PART START
## SMTP Part
smtp_tls_CAfile = /usr/share/ca-certificates/cacert.org/cacert.org.crt
smtp_tls_cert_file = /etc/postfix/tls/jonathan.dannhauer.info.crt
smtp_tls_key_file = /etc/postfix/tls/jonathan.dannhauer.info.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_use_tls = yes

## SMTPD Part
smtpd_tls_CAfile = /usr/share/ca-certificates/cacert.org/cacert.org.crt
smtpd_tls_cert_file = /etc/postfix/tls/jonathan.dannhauer.info.crt
smtpd_tls_key_file = /etc/postfix/tls/jonathan.dannhauer.info.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
smtpd_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
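An added illustration (not part of the original post) of the per-port policy-bank route that question b) asks about: amavisd-new's $interface_policy ties a policy bank to one of the listener ports already opened in $inet_socket_port, so the bank is chosen by which Postfix service proxies to it rather than by client detection. It assumes a separate master.cf submission service for SASL users that sets "-o smtpd_proxy_filter=localhost:10030"; the bank name SUBMISSION and the port split are assumptions here.

```perl
# Added example, not the poster's configuration. Assumption: only the
# SASL-authenticated submission service in master.cf is pointed at port
# 10030; the MX service keeps proxying to port 10024.
use strict;

# Both listeners; 10024 remains the untrusted MX path.
$inet_socket_port = [10024, 10030];

# Global defaults apply to the MX port: reject during the SMTP session,
# so an external sender sees the 5xx and no DSN has to be generated.
$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny   = D_REJECT;
$sa_dsn_cutoff_level  = 10;   # no DSN above this score, also inside banks

# Bind a policy bank to the listener port: every connection arriving on
# 10030 is evaluated with this bank's settings on top of the globals.
$interface_policy{'10030'} = 'SUBMISSION';   # bank name is an assumption

$policy_bank{'SUBMISSION'} = {
  originating          => 1,         # mail submitted by our own users
  # A DSN is acceptable here only because the sender is a local,
  # authenticated user; for unauthenticated mail it would be backscatter.
  final_virus_destiny  => D_BOUNCE,
  final_banned_destiny => D_BOUNCE,
  final_spam_destiny   => D_BOUNCE,
};

1;  # ensure a defined return
```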
