Open relay? Nonlocal recips but not originating ... for roaming, authenticated users?

Patrick Ben Koetter p at state-of-mind.de
Sun Apr 29 21:02:02 CEST 2012


* a7476765 at your-mail.com <a7476765 at your-mail.com>:
> 
> I'm setting up Amavis with Postfix.
> 
> It's mostly all working, but when I send mail from an authenticated
> roaming user -- specifically from my mobile phone authenticating to and
> sending via my server -- I get
> 
> 	Apr 28 11:31:50 test postfix/qmgr[26625]: 9689560119:
> 	from=<a7 at test.stratfivXX.net>, size=3984, nrcpt=1 (queue active)
> 	Apr 28 11:31:50 test amavis[26375]: (26375-01) Checking:
> 	Yf23MOH6kTEC [184.208.230.208] <a7 at test.stratfivXX.net> ->
> 	<a7test97454321 at gmail.com>
> 	Apr 28 11:31:50 test amavis[26375]: (26375-01) Open relay?
> 	Nonlocal recips but not originating: a7test97454321 at gmail.com
> 	Apr 28 11:31:50 test postfix/smtpd[31605]: disconnect from
> 	184-208-230-208.pools.spcsdns.net[184.208.230.208]
> 	Apr 28 11:31:57 test postfix/qmgr[26625]: D07C96021B:
> 	from=<a7 at test.stratfivXX.net>, size=4505, nrcpt=1 (queue active)
> 
> I tracked down this thread,
> 
> 	"Open relay? Nonlocal recips but not originating: ..."
> 	 http://lists.amavis.org/pipermail/amavis-users/2011-March/000063.html

amavis has an internal model of transport directions (all variations of
internal and external). If you don't tell it, any sender is believed to be
external. If that sender sends to a "non local" domain, the transport
direction is considered to be "external -> external" aka "open relay".

For anything that is directed internal add all your domains to
@local_domains_maps.

For any local sender with static IP either use @mynetworks or, if you need
something more sophisticated, use @client_ipaddr_policy and map certain IP
spaces to different policy_banks (where you can run different content filter
setups for local senders).

For any local sender with dynamic IP let their clients use Port 587
(submission) in Postfix and send their messages to a dedicated
content_filter/smtpd_proxy_filter e.g. on port 10026 in amavis.

Create a dedicated $policy_bank for that port and (!) set "origination => 1"
in that policy bank. This way amavis will know the sender's message originates
i.e. is local.

As soon as you do that, amavis will stop complaining, because it can tell where
messages (external/internal) come from and where they are going to
(external/internal).

p at rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
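
The setup described in the reply above, written out as an amavisd.conf
fragment. This is an added example, not configuration from the thread or from
the amavis project: the domain, network, bank name SUBMISSION and the Postfix
transport name smtp-amavis are placeholders, and the policy bank key is written
`originating`, the spelling amavisd.conf uses.

```perl
# amavisd.conf fragment (constructed example; example.net, 192.0.2.0/24,
# the bank name SUBMISSION and port 10026 are placeholders/assumptions)
use strict;

# 1. Mail directed inward: every domain this server receives mail for.
#    Recipients outside this list count as "nonlocal recips".
@local_domains_maps = ( [ '.example.net' ] );

# 2. Local senders with static IPs: clients in @mynetworks load the
#    MYNETS bank through @client_ipaddr_policy (written out here to make
#    the mapping visible).
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );
@client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps;
$policy_bank{'MYNETS'} = {
    originating => 1,    # mail from these networks is locally originated
};

# 3. Local senders with dynamic IPs (roaming, authenticated users):
#    a second listener that only Postfix's submission service feeds.
$inet_socket_port = [ 10024, 10026 ];      # 10024 = MX mail, 10026 = submission
$interface_policy{'10026'} = 'SUBMISSION'; # bank selected by listening port
$policy_bank{'SUBMISSION'} = {
    originating => 1,    # stops "Open relay? Nonlocal recips but not originating"
};

# Postfix side (master.cf), shown as a comment because it is not Perl.
# The transport name smtp-amavis is an assumption; use the name of the
# amavis transport already defined in your master.cf.
#
#   submission inet n       -       n       -       -       smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o content_filter=smtp-amavis:[127.0.0.1]:10026
#
# Port 25 keeps pointing at 10024, so unauthenticated inbound mail never
# reaches the bank that marks messages as originating.

1;  # amavisd.conf must end with a true value
```

Port 10026 should accept connections from the local Postfix only; any client that can reach it is treated as a local sender.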

