Bypass banned content check from localhost, and bypass incoming badh problem
weber at zackbummfertig.de
Fri Jan 25 17:54:33 CET 2013
Any idea, Patrick?
On 2013-01-24 15:26, weber at zackbummfertig.de wrote:
> (internet)---(server -> aviramailgate -> amavis -> postfix (clamav) -> dovecot
>
>
> (mails arrive on port 25 and go to amavis)
>
> /etc/postfix/master.cf =
>
> smtpd pass - - n - - smtpd
>   -o content_filter=avira-smtp:[127.0.0.1]:10027
> #  -o content_filter=lmtp-amavis:[127.0.0.1]:10024
>   -o cleanup_service_name=pre-cleanup
>
>
>
> 127.0.0.1:10025 inet n - - - - smtpd
>   -o cleanup_service_name=cleanup
>   -o content_filter=dspam-lmtp:unix:/var/run/dspam/dspam.sock
>   -o local_header_rewrite_clients=
>   -o local_recipient_maps=
>   -o mynetworks=127.0.0.0/8
>   -o mynetworks_style=host
>   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>   -o relay_recipient_maps=
>   -o smtp_send_xforward_command=yes
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>   -o smtpd_client_connection_count_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=reject_unauth_pipelining
>   -o smtpd_delay_reject=no
>   -o smtpd_end_of_data_restrictions=
>   -o smtpd_error_sleep_time=0
>   -o smtpd_hard_error_limit=1000
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_restriction_classes=
>   -o smtpd_sender_restrictions=
>   -o smtpd_soft_error_limit=1001
>   -o strict_rfc821_envelopes=yes
>
>
> 127.0.0.1:10026 inet n - n - - smtpd
>   -o content_filter=
>   -o local_header_rewrite_clients=
>   -o local_recipient_maps=
>   -o mynetworks=127.0.0.0/8
>   -o mynetworks_style=host
>   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
>   -o relay_recipient_maps=
>   -o smtp_send_xforward_command=yes
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>   -o smtpd_client_connection_count_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=reject_unauth_pipelining
>   -o smtpd_delay_reject=no
>   -o smtpd_end_of_data_restrictions=
>   -o smtpd_error_sleep_time=0
>   -o smtpd_hard_error_limit=1000
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_restriction_classes=
>   -o smtpd_sender_restrictions=
>   -o smtpd_soft_error_limit=1001
>   -o strict_rfc821_envelopes=yes
>
>
>
>
>
> -------------------------------------------------------------------
>
> /etc/amavisd.conf =
>
> $inet_socket_port = 10024;
>
>
> (I think I didn't touch this block:)
> $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
>   originating => 1, # is true in MYNETS by default, but let's make it explicit
>   os_fingerprint_method => undef, # don't query p0f for internal clients
>   bypass_banned_checks_maps => [1],
> };
>
>
> # it is up to MTA to re-route mail from authenticated roaming users or
> # from internal hosts to a dedicated TCP port (such as 10026) for filtering
> $interface_policy{'10026'} = 'ORIGINATING';
>
>
> $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
>   originating => 1, # declare that mail was submitted by our smtp client
>   allow_disclaimers => 1, # enables disclaimer insertion if available
>   # notify administrator of locally originating malware
>   virus_admin_maps => ["virusalert\@$mydomain"],
>   spam_admin_maps => ["virusalert\@$mydomain"],
>   warnbadhsender => 1,
>   # forward to a smtpd service providing DKIM signing service
>
>   #### weber change start
>   forward_method => 'smtp:[127.0.0.1]:10026',
>   ### weber change stop
>
>   # force MTA conversion to 7-bit (e.g. before DKIM signing)
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
>   bypass_banned_checks => [1], # allow sending any file names and types
>   final_bad_header_destiny => D_PASS,
>   terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
> };
>
>
> ### weber change start
> $notify_method = 'smtp:[127.0.0.1]:10026';
> $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
> ### weber change stop
>
>
>
>
>
> Do you need more from my config files?
>
>
> thanks
>
> marko
>
>
>
>
>
>
>
>
>
>
> On 2013-01-24 15:06, Patrick Ben Koetter wrote:
>> * weber at zackbummfertig.de <weber at zackbummfertig.de>:
>>> Patrick,
>>> Thanks for answering, but it doesn't work for me.
>>> I still get "Banned content messages" and mail is not sent out...
>>> Do I also have to set something in the master.cf to enable this
>>> policy_bank ORIGINATING?
>>
>>
>> Please post config that shows how you route messages from Postfix (?)
>> into amavis and the relevant parts in amavis that route those messages
>> to the policy bank including its settings.
>>
>> p at rick
>>
>>> marko, from hamburg
>>>
>>> (Sorry, I had only hit reply earlier.)
>>
>> No problem. I had figured as much.
>>
>>
>>>
>>> On 2013-01-24 13:11, Patrick Ben Koetter wrote:
>>> >* weber at zackbummfertig.de <weber at zackbummfertig.de>:
>>> >>I want my users to be able to send banned content files.
>>> >>
>>> >>My goal is to have a map in amavis where I can set which user is
>>> >>allowed to send banned content.
>>> >>
>>> >> ferdinand at domain.de is allowed to send,
>>> >> ulrike at domain.de is NOT allowed to send,
>>> >>
>>> >>banned content.
>>> >
>>> >
>>> >I recommend you let local users send over submission (587) port
>>> >and create a dedicated policy for those senders:
>>> >
>>> >$policy_bank{'ORIGINATING'} = {
>>> > originating => 1,
>>> > bypass_spam_checks_maps => [1],
>>> > bypass_banned_checks_maps => [1],
>>> > final_virus_destiny => D_REJECT,
>>> > final_bad_header_destiny => D_PASS,
>>> > terminate_dsn_on_notify_success => 0,
>>> >};
>>> >
>>> >p at rick
>>>
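
The thread turns on whether mail ever reaches the port that `$interface_policy` ties to the ORIGINATING bank. The following Python check is an added example (not part of the thread, and not amavis or Postfix code): it reads `master.cf` and `amavisd.conf` text and lists reasons a port-selected policy bank cannot be reached. The excerpts are constructed and trimmed from the configuration quoted above, and the function names are hypothetical.

```python
import re
# Constructed excerpts, trimmed from the configuration quoted in the thread.
MASTER_CF = """\
smtpd pass - - n - - smtpd
  -o content_filter=avira-smtp:[127.0.0.1]:10027
#  -o content_filter=lmtp-amavis:[127.0.0.1]:10024
127.0.0.1:10026 inet n - n - - smtpd
  -o content_filter=
"""
AMAVISD_CONF = """\
$inet_socket_port = 10024;
$interface_policy{'10026'} = 'ORIGINATING';
"""

def postfix_ports(master_cf):
    """Return (inet listener ports, content_filter target ports)."""
    listeners, targets = set(), set()
    for line in master_cf.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out filter routes nothing
        if m := re.match(r"(?:\S+:)?(\d+)\s+inet\s", line):
            listeners.add(int(m.group(1)))
        if m := re.search(r"content_filter=\S*:(\d+)\s*$", line):
            targets.add(int(m.group(1)))
    return listeners, targets

def amavis_ports(conf):
    """Return (ports amavisd listens on, {port: policy bank name})."""
    listening, banks = set(), {}
    for line in conf.splitlines():
        code = line.split("#", 1)[0]  # drop trailing Perl comments
        if m := re.search(r"\$inet_socket_port\s*=\s*([^;]+);", code):
            listening = {int(p) for p in re.findall(r"\d+", m.group(1))}
        if m := re.search(r"\$interface_policy\{'?(\d+)'?\}\s*=\s*'(\w+)'", code):
            banks[int(m.group(1))] = m.group(2)
    return listening, banks

def check_policy_routing(master_cf, conf):
    """List reasons a port-selected policy bank cannot be reached."""
    listeners, targets = postfix_ports(master_cf)
    listening, banks = amavis_ports(conf)
    findings = []
    for port, bank in sorted(banks.items()):
        if port not in listening:
            findings.append(f"{bank}: amavisd does not listen on {port}")
        if port in listeners:
            findings.append(f"{bank}: Postfix itself listens on {port}")
        if port not in targets:
            findings.append(f"{bank}: no Postfix content_filter targets {port}")
    return findings
```

An empty list means each bank's port is served by amavisd and targeted by a Postfix `content_filter`. Where a proxy such as the Avira gateway sits in between, the last finding has to be checked against that proxy's forwarding target instead.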