Open relay? Nonlocal recips but not originating: ...

Mark Martinec Mark.Martinec+amavis at ijs.si
Sat Mar 12 03:45:54 CET 2011


Jim,

> I recently upgraded to Zimbra 6.0.10 which now includes amavisd-new 2.6.4
> (This has already been posted to the Zimbra forums as well.)
> 
> Following the upgrade, I noticed lots of these errors being logged:
> 
> Mar 11 11:48:39 mymail amavis[16435]: (16435-17) Open relay? Nonlocal
> recips but not originating: user at somewhere.net

Previous versions did not report the warning.
Other than that, there were no changes in this area.

> I get one for each outbound message from clients within our network.
> Most of the Zimbra configuration works out of the box using defaults.
> 
> But one difference I found in the new version is this feature:
> 
> $policy_bank{'MYNETS'} = {
>   originating                 => 1,
>   allow_disclaimers           => 0,
>   log_level                   => 1,
> };
> 
> I am not sure what I need to do to eliminate these warnings.

If this is about messages coming from inside, you need to tell
amavisd that they are truly coming from inside. For simple cases
(all users coming from internal networks, no authenticated roaming
users), all you need to do is to properly configure the @mynetworks
list, and make sure that Postfix is passing the client's IP address
to amavisd using its XFORWARD protocol extension.

> I have tested our server with the Open Relay test sites, and we are OK.
> This traffic is legitimate outbound email from trusted clients.
> Postfix is configured for mynetworks = ...
> But I need to tell amavis that somehow.

amavisd.conf:

@mynetworks = qw(
  0.0.0.0/8 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
  169.254.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
...
);

master.cf:

amavisfeed unix -  -       n       -       50      smtp
 ...
  -o smtp_send_xforward_command=yes

(change both 'smtp' to 'lmtp' if you prefer the LMTP protocol)


For more complex setups where your users submit mail from foreign
networks, you need to set up a dedicated policy bank with
originating=>1, attach it to a dedicated TCP port, then configure
Postfix to pass authenticated mail from the MSA to that port.

  Mark
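
The dedicated-port setup described in the last paragraph of the message above, as an added example that is not part of the original post and is not taken from Zimbra's shipped configuration. Port 10026, the bank name ORIGINATING and the submission service options are assumptions chosen for illustration; 'amavisfeed' is the transport name from the master.cf entry in the message.

```perl
# amavisd.conf (Perl syntax).
# Assumptions: port 10026 and the bank name 'ORIGINATING' are example
# choices; any free port and any bank name can be used.

# Listen on the regular filtering port and on a second, dedicated port.
$inet_socket_port = [10024, 10026];

# Accept connections on loopback only. Everything that reaches port 10026
# is treated as originating, so it must not be reachable from other hosts.
$inet_socket_bind = '127.0.0.1';
@inet_acl = qw( 127.0.0.1 [::1] );

# Mail arriving on the dedicated port is always handled by this policy bank,
# regardless of the client IP address and of @mynetworks.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,   # mail was submitted by one of our own users
};

# Clients on internal networks are still covered by @mynetworks and the
# MYNETS bank when their mail goes through port 10024 with XFORWARD.

# Postfix master.cf (shown as comments, this part is not Perl).
# Only the authenticated submission service (the MSA) is pointed at 10026;
# the public port 25 service keeps sending mail to port 10024.
#
#   submission inet n  -  n  -  -  smtpd
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#     -o content_filter=amavisfeed:[127.0.0.1]:10026

1;  # amavisd.conf must end with a true value
```

With this in place the warning should remain only for mail that reaches port 10024 with nonlocal recipients from a client outside @mynetworks, which is the case it is meant to flag.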

