Open Relay testing based on recipient domain? Disable?

Mark Martinec Mark.Martinec+amavis at ijs.si
Tue Aug 2 15:00:17 CEST 2011


emailbuilder88,

> I'm seeing this in my logs when mail is being delivered to a recipient in a
> virtual domain (but not when delivering to the main domain of the
> machine):
> 
> Open relay? Nonlocal recips but not originating: test at example.com
> (email address obscured)
> 
> I understand that this can be caused by the originating flag not being set
> in a policy bank, but I *do* have it set.

Apparently you don't have it set, otherwise you would not get the
'Nonlocal recips but not originating' warning.

> In this case, amavis seems to
> be trying to compare the contents of @local_domains_maps to the recipient
> domain.  If I add my virtual domains to @local_domains_maps, the error
> goes away.

Right. This warning appears only when the originating flag is off
(i.e. mail arriving from outside) AND a recipient does not match
the @local_domains_maps.

> However, I don't care to maintain all my domains in the amavis
> configuration file.
> 
> I am using amavis only to have a way to pass mails through an anti-virus
> scanner.  I have a rich set of policies and a good configuration that is
> most certainly not an open relay in Postfix.  I frankly don't need amavis
> to try to make guesses like this - it's redundant logic that I just don't
> need.
> 
> How can I stop amavis from doing this without having to add all my virtual
> domains to @local_domains_maps?

You can declare that any domain is local:

  @local_domains_maps = ( 1 );

This way amavis will consider all mail to be either incoming (originating off)
or internal-to-internal (originating on). No outbound mail.

Depends on whether you care or not, but this will disable bounce killer
and penpals scoring, will add X-Spam-* AND Authentication-Results
to outbound mail too, and will affect logging and statistics (SNMP) counters.

> However, I don't care to maintain all my domains in the amavis
> configuration file.

You have the list of your domains already maintained somewhere
for the sake of an MTA. You may be able to access the same data,
perhaps through SQL or LDAP or an occasional fetch/update script.

  Mark
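
The "occasional fetch/update script" suggested above, as an added example that is not part of the original message and is not amavis code. It turns a Postfix-style domain table into a one-domain-per-line file that amavis's read_hash() can load into @local_domains_maps. The sample table, the function names and the simplified warning check are assumptions made for illustration.

```python
import os
import re
import tempfile

# Conservative hostname check so a malformed line cannot widen the "local" set.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample of an MTA domain table: "domain  value", '#' comments.
SAMPLE_MTA_TABLE = """\
# virtual domains (constructed sample)
Example.ORG       OK
shop.example.net  OK
example.org       OK
bad_domain!       OK
"""

def parse_domains(text):
    """Return sorted, de-duplicated, lower-cased domains from the table text."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key = line.split()[0].lower().rstrip(".")
        if DOMAIN_RE.match(key):
            domains.add(key)
    return sorted(domains)

def write_domain_file(domains, path):
    """Write one domain per line, replacing the old file atomically."""
    if not domains:
        # An empty file would make every recipient nonlocal; keep the old one.
        raise ValueError("refusing to write an empty domain list")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(d + "\n" for d in domains))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

def open_relay_warning(originating, recipient, domains):
    """Condition from the reply: originating off AND recipient not local.
    Simplified to an exact domain match; real amavis lookups are richer."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return (not originating) and domain not in domains
```

The generated file can then be referenced from amavisd.conf with `@local_domains_maps = ( read_hash('/path/to/local_domains') );` (path is a placeholder), followed by a reload of amavisd so the new list is read.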