Amavis reports OpenRelayed although Originating is set?

Moritz Hofmann mail at moritz-hofmann.com
Mon Sep 25 10:03:23 CEST 2017


Good morning list,

I use Postfix and Amavisd on a CentOS 7 server as an e-mail relay, and I
have noticed some inconsistencies in the logs:

(145710-19) Checking: 0ol2VMESohfo ORIGINATING [10.200.0.138]
<123 at example.com> -> <456 at extern.com> 

(145710-19) Open relay? Nonlocal recips but not originating:
456 at extern.com 

Passed CLEAN {RELAYEDOPENRELAY}, ORIGINATING [10.200.0.138]:62251
<123 at example.com> -> <456 at extern.com>, Queue-ID: E4809180131B,
Message-ID: <000001d335cd$f2ef1940$d8cd4bc0$@inprosim.de>, mail_id:
T0U1QgrmEOV0, Hits: -0.997, size: 2868, queued_as: 16FB7180131F, 1037 ms


When I send from internal to external via port 587, Amavis reports
"RelayedOpenRelay" although originating is set.
What could be the cause?

milter_macro_daemon_name is set in master.cf.

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_milters=
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=inet:imap.proit-services.de:1587
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_recipient_restrictions=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[::1]:10024
  -o milter_macro_daemon_name=ORIGINATING 

smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps= 

And in amavisd I have also set the policy bank on port 10024.

$interface_policy{'10024'} = 'ORIGINATING'; 

$policy_bank{'ORIGINATING'} = {
    inet_acl => [qw( 127.0.0.1 [::1] )],
    originating => 1,
    allow_disclaimers => 1,
    virus_admin_maps => ["virusalert\@$mydomain"],
    spam_admin_maps  => ["virusalert\@$mydomain"],
    warnbadhsender   => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    bypass_spam_checks_maps => [0],
    bypass_banned_checks_maps => [1],
    terminate_dsn_on_notify_success => 0,
    notify_method  => 'smtp:[::1]:10025',
    forward_method => 'smtp:[::1]:10025',
    final_virus_destiny => 'D_BOUNCE',
}; 

Local domains are set as well.

postconf -n 

address_verify_map = memcache:/etc/postfix/verify_cache
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_transport_maps =
btree:/etc/postfix/transport_verify,$transport_maps
alias_maps = hash:/etc/aliases
amavisd_milter = inet:[::1]:8893
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list =
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo
cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
>$config_directory/$process_name.$process_id.log & sleep 5
default_database_type = btree
default_privs = nobody
delay_warning_time = 30m
disable_dns_lookups = no
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 52428800
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 3d
message_size_limit = 52428800
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::1]/128 10.200.0.0/24 10.200.1.0/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = ${amavisd_milter}
opendkim_milter = inet:[::1]:8891
opendmarc_milter = inet:[::1]:8899
permit_mx_backup_networks =
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_whitelist,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_whitelist_interfaces = static:all
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache,
proxy:btree:/var/lib/postfix/verify_cache
queue_directory = /var/spool/postfix
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.11.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_destination_rate_delay = 0s
smtp_fallback_relay =
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_cert_file = /etc/ssl/certs/proitcrt.pem
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5,
PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/ssl/certs/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_policy_maps = btree:/etc/postfix/tls_outgoing_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 50
smtpd_client_restrictions =
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_invalid_hostname,
permit_mynetworks, check_client_access btree:/etc/postfix/client_checks,
check_sender_access btree:/etc/postfix/sender_checks,
reject_unknown_client_hostname, reject_unauth_destination,
reject_unverified_recipient, permit
smtpd_reject_footer = \c. Contact your postmaster/admin for technical
assistance. He can achieve our postmaster via email:
postmaster at proit-services.de. In any case, please provide the following
information in your problem report: This error message, time
($localtime), client ($client_address) and server ($server_name).
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtpd_tls_cert_file = /etc/ssl/certs/crt.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5,
PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/certs/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
spf_milter = inet:[::1]:8890
tls_preempt_cipherlist = yes
transport_maps = btree:/etc/postfix/transport
unverified_recipient_reject_code = 577
unverified_recipient_reject_reason = Recipient address lookup failed
unverified_sender_reject_reason = Sender address lookup failed
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf 

mail_version = 2.10.1 

Amavisd-new 2.11.0-1.el7 

I don't quite understand what Amavisd is doing there. Can someone please
explain it to me?

Many thanks in advance

-- 
Kind regards

Moritz Hofmann
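
Added example (not part of the original post, and not code from the Postfix or amavisd projects): a Python script that groups amavisd log entries by task ID and lists the messages for which the ORIGINATING policy bank was loaded but an open-relay warning or tag was logged anyway, which is the inconsistency described in the post. The sample lines are constructed from the excerpts above; the second task, its mail_id and the "/" separator between bank names are assumptions.

```python
import re

# Constructed sample: the three entries from the post (unwrapped, real "@",
# shortened), plus one made-up outbound message that is classified normally.
SAMPLE_LOG = """\
(145710-19) Checking: 0ol2VMESohfo ORIGINATING [10.200.0.138] <123@example.com> -> <456@extern.com>
(145710-19) Open relay? Nonlocal recips but not originating: 456@extern.com
(145710-19) Passed CLEAN {RELAYEDOPENRELAY}, ORIGINATING [10.200.0.138]:62251 <123@example.com> -> <456@extern.com>, Queue-ID: E4809180131B
(145710-20) Checking: CONSTRUCTED01 ORIGINATING [10.200.0.138] <123@example.com> -> <789@extern.com>
(145710-20) Passed CLEAN {RelayedOutbound}, ORIGINATING [10.200.0.138]:62252 <123@example.com> -> <789@extern.com>
"""

TASK = re.compile(r"\((\d+-\d+)\) (.*)")             # amavisd task id + message
CHECKING = re.compile(r"Checking: (\S+) (.*?)\s*\[([^\]]+)\]")
VERDICT = re.compile(r"(?:Passed|Blocked) \S+ \{([^}]*)\}")

def find_originating_conflicts(log_text):
    """Return tasks that loaded ORIGINATING yet were logged as open relay."""
    tasks = {}
    for line in log_text.splitlines():
        m = TASK.search(line)   # search(): tolerate a syslog prefix
        if not m:
            continue
        task_id, msg = m.groups()
        t = tasks.setdefault(task_id, {"task": task_id, "mail_id": None,
            "client": None, "banks": [], "warned": False, "tags": []})
        checking = CHECKING.match(msg)
        verdict = VERDICT.match(msg)
        if checking:
            t["mail_id"], banks, t["client"] = checking.groups()
            # Assumption: several bank names may be joined by "/" or spaces.
            t["banks"] = [b for b in re.split(r"[/\s]+", banks) if b]
        elif msg.startswith("Open relay?"):
            t["warned"] = True
        elif verdict:
            t["tags"] = [tag.strip() for tag in verdict.group(1).split(",")]
    return [t for t in tasks.values()
            if "ORIGINATING" in t["banks"]
            and (t["warned"] or any("openrelay" in x.lower() for x in t["tags"]))]

if __name__ == "__main__":
    for t in find_originating_conflicts(SAMPLE_LOG):
        print(t["task"], t["mail_id"], t["client"], t["tags"])
```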