Submission clients bypass MYNETS policy
Alex
mysqlstudent at gmail.com
Mon Sep 19 23:04:45 CEST 2011
Hi,
I have set up an amavisd-new with postfix/spamassassin on fedora15.
I'm trying to set up a disclaimer footer using amavisd because I also
need always_bcc, and was having a problem with postfix duplicating the
messages as a result.
Webmail now properly attaches the disclaimer footer using my amavisd
config, but somehow submission clients are bypassing the MYNETS
policy, which is where "allow_disclaimers = 1" is set.
Here's a snapshot from the logs. "remotenet.net" is the remote host
and "mylocalnet.net" is the amavisd host.
Sep 19 16:42:42 mail postfix/smtpd[25223]: 298372202AC:
client=orion.remotenet.net[68.195.xxx.yy], sasl_method=PLAIN,
sasl_username=gdadmin
Sep 19 16:42:42 mail postfix/cleanup[23849]: 298372202AC:
message-id=<4E77A940.7050902 at mylocalnet.net>
Sep 19 16:42:42 mail postfix/qmgr[13505]: 298372202AC:
from=<gdadmin at mylocalnet.net>, size=778, nrcpt=1 (queue active )
Sep 19 16:42:42 mail amavis[25188]: (25188-01) ESMTP::10024
/var/spool/amavisd/tmp/amavis-20110919T164242-25188:
<gdadmin at mylocalnet.net> -> <gdadmin at remotenet.net> SIZE=778 Received:
from mail.mylocalnet.net ([127.0.0.1]) by localhost
(mail.mylocalnet.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
for <gdadmin at remotenet.net>; Mon, 19 Sep 2011 16:42:42 -0400 (EDT)
Sep 19 16:42:42 mail amavis[25188]: (25188-01) Checking: gVCO0A-ajTZ8
[68.195.xxx.yy] <gdadmin at mylocalnet.net> -> <gdadmin at remotenet.net>
Sep 19 16:42:42 mail amavis[25188]: (25188-01) Open relay? Nonlocal
recips but not originating: gdadmin at remotenet.net
Sep 19 16:42:42 mail amavis[25188]: (25188-01) p001 1 Content-Type:
text/plain, size: 10 B, name:
Sep 19 16:42:42 mail postfix/smtpd[25223]: disconnect from
orion.remotenet.net[68.195.xxx.yy]
Sep 19 16:42:43 mail amavis[25188]: (25188-01) mangling NO: 0 (orig:
disclaimer), discl_allowed=0, <gdadmin at mylocalnet.net> ->
<gdadmin at remotenet.net>
Sep 19 16:42:43 mail postfix/smtpd[23853]: connect from localhost[127.0.0.1]
Sep 19 16:42:43 mail postfix/smtpd[23853]: 0AB1C2202C4:
client=orion.remotenet.net[68.195.xxx.yy]
Sep 19 16:42:43 mail postfix/cleanup[23849]: 0AB1C2202C4:
message-id=<4E77A940.7050902 at mylocalnet.net>
Sep 19 16:42:43 mail postfix/qmgr[13505]: 0AB1C2202C4:
from=<gdadmin at mylocalnet.net>, size=1269, nrcpt=2 (queue active)
Sep 19 16:42:43 mail amavis[25188]: (25188-01) FWD via SMTP:
<gdadmin at mylocalnet.net> -> <gdadmin at remotenet.net>,BODY=7BIT 250
2.0.0 Ok, id=25188-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 0AB1C2202C4
Sep 19 16:42:43 mail amavis[25188]: (25188-01) Passed CLEAN,
[68.195.xxx.yy] [68.195.xxx.yy] <gdadmin at mylocalnet.net> ->
<gdadmin at remotenet.net>, Message-ID:
<4E77A940.7050902 at mylocalnet.net>, mail_id: gVCO0A-ajTZ8, Hits: -2.9,
size: 778, queued_as: 0AB1C2202C4, 744 ms
I also don't understand why it's complaining about "nonlocal recips"
when mylocalnet.net is in the local_domains_maps. Here is the relevant
amavisd.conf config:
@local_domains_maps = ( [".$mydomain", "mylocalnet.net"] ); # list of all local domains
$altermime = '/usr/bin/altermime';
@altermime_args_disclaimer = qw( --verbose \
--disclaimer=/etc/postfix/disclaimer.txt \
--disclaimer-html=/etc/postfix/disclaimer.txt);
$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
$defang_maps_by_ccat{+CC_UNCHECKED} = [ 'disclaimer' ];
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
os_fingerprint_method => undef, # don't query p0f for internal clients
allow_disclaimers => 1,
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};
Here is my postfix config:
smtp inet n - n - - smtpd
-o receive_override_options=no_address_mappings
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o receive_override_options=no_address_mappings
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - 2 smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o smtp_send_xforward_command=yes
-o local_header_rewrite_clients=
main.cf:
~~~~~~~~~~~~~~~
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
always_bcc = emailcomp at mylocalnet.net
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = no
mail_owner = postfix
mailbox_size_limit = 2000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 5d
message_size_limit = 15360000
mydestination = $myhostname, localhost.$mydomain, mylocaldomain.net
mydomain = mylocaldomain.net
myhostname = mail.mylocaldomain.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.115.xxx.yyy/32
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix-2.7.5/README_FILES
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = $mydestination, $transport_maps
relayhost =
sample_directory = /usr/share/doc/postfix-2.7.5/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_security_options = noplaintext, noanonymous
smtp_send_xforward_command = yes
smtp_tls_CAfile = /etc/pki/tls/cacert.pem
smtpd_authorized_xforward_hosts = $mynetworks
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks_special,
    check_sender_access hash:/etc/postfix/sender_checks_special,
    reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_helo_hostname,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps =
virtual_alias_maps = hash:/etc/postfix/virtual
Any suggestions greatly appreciated.
Thanks,
Alex
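As an added example, not part of Alex's post: amavisd loads the MYNETS bank only when the client address Postfix hands it over XFORWARD falls inside amavisd's own @mynetworks, so an authenticated submission client connecting from a remote address fails that test, originating stays 0, the "Open relay?" warning fires and discl_allowed=0. The script below models that check over a constructed log excerpt patterned on the post (masked octets filled in with made-up values) and assumes amavisd's @mynetworks mirrors the Postfix mynetworks list.

```python
import ipaddress
import re

# Postfix mynetworks from the post (masked /32 host replaced by a constructed value);
# amavisd compares the XFORWARDed client IP against its own @mynetworks, assumed identical.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24", "68.115.0.1/32"]

# Constructed log excerpt modelled on the post: masked client IP filled in as
# 68.195.0.7, plus one LAN sender (192.168.1.20) for contrast.
SAMPLE_LOG = """\
Sep 19 16:42:42 mail amavis[25188]: (25188-01) Checking: gVCO0A-ajTZ8 [68.195.0.7] <gdadmin@mylocalnet.net> -> <gdadmin@remotenet.net>
Sep 19 16:42:42 mail amavis[25188]: (25188-01) Open relay? Nonlocal recips but not originating: gdadmin@remotenet.net
Sep 19 16:42:43 mail amavis[25188]: (25188-01) mangling NO: 0 (orig: disclaimer), discl_allowed=0, <gdadmin@mylocalnet.net> -> <gdadmin@remotenet.net>
Sep 19 16:50:01 mail amavis[25188]: (25188-02) Checking: AbCdEf123456 [192.168.1.20] <user@mylocalnet.net> -> <someone@remotenet.net>
"""

CHECKING_RE = re.compile(r"\((\S+)\) Checking: (\S+) \[([\d.]+)\]")
TASK_RE = re.compile(r"\((\S+)\) ")

def in_mynetworks(ip, networks=MYNETWORKS):
    """True if ip is inside any listed network: the condition for loading MYNETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def audit(log_text, networks=MYNETWORKS):
    """Group amavis log lines by task id and record what the policy-bank choice implied."""
    results = {}
    for line in log_text.splitlines():
        m = CHECKING_RE.search(line)
        if m:
            task, mail_id, ip = m.groups()
            results[task] = {"mail_id": mail_id, "client_ip": ip,
                             "mynets_loaded": in_mynetworks(ip, networks),
                             "discl_allowed": None, "open_relay_warning": False}
            continue
        m = TASK_RE.search(line)
        if not m or m.group(1) not in results:
            continue
        entry = results[m.group(1)]
        if "Open relay? Nonlocal recips but not originating" in line:
            entry["open_relay_warning"] = True
        m = re.search(r"discl_allowed=(\d)", line)
        if m:
            entry["discl_allowed"] = int(m.group(1))
    return results

def bypassed_mynets(results):
    """Task ids whose client sat outside mynetworks, so MYNETS and its disclaimer never applied."""
    return sorted(t for t, r in results.items() if not r["mynets_loaded"])
```

Calling audit(SAMPLE_LOG) and then bypassed_mynets() on the result returns the remote submission task only, matching the discl_allowed=0 line in the post. Clients that show up here need a policy bank chosen by something other than their source IP, for example a dedicated submission-only feed port with its own $interface_policy entry, rather than MYNETS.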