Bypass banned content check from localhost, and bypass incoming badh problem

Patrick Ben Koetter p at sys4.de
Fri Jan 25 21:56:27 CET 2013


* weber at zackbummfertig.de <weber at zackbummfertig.de>:
> any idea patrick ?

Sorry for the delayed answer. Today was a busy day... :/


> On 2013-01-24 15:26, weber at zackbummfertig.de wrote:
> >(internet)---(server -> aviramailgate -> amavis -> postfix (clamav)
> >-> dovecot
> >
> >(mails arrive on port 25 and go amavis)
> >
> >/etc/postfix/master.cf =
> >
> >smtpd     pass  -       -       n       -       -       smtpd
> >        -o content_filter=avira-smtp:[127.0.0.1]:10027
> >        -o cleanup_service_name=pre-cleanup
> >
> >127.0.0.1:10025 inet    n   -   -   -   - smtpd
> >        -o cleanup_service_name=cleanup
> >        -o content_filter=dspam-lmtp:unix:/var/run/dspam/dspam.sock
> >        -o local_header_rewrite_clients=
> >        -o local_recipient_maps=
> >        -o mynetworks=127.0.0.0/8
> >        -o mynetworks_style=host
> >        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
> >        -o relay_recipient_maps=
> >        -o smtp_send_xforward_command=yes
> >        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> >        -o smtpd_client_connection_count_limit=0
> >        -o smtpd_client_connection_rate_limit=0
> >        -o smtpd_client_restrictions=permit_mynetworks,reject
> >        -o smtpd_data_restrictions=reject_unauth_pipelining
> >        -o smtpd_delay_reject=no
> >        -o smtpd_end_of_data_restrictions=
> >        -o smtpd_error_sleep_time=0
> >        -o smtpd_hard_error_limit=1000
> >        -o smtpd_helo_restrictions=
> >        -o smtpd_recipient_restrictions=permit_mynetworks,reject
> >        -o smtpd_restriction_classes=
> >        -o smtpd_sender_restrictions=
> >        -o smtpd_soft_error_limit=1001
> >        -o strict_rfc821_envelopes=yes
> >
> >
> >127.0.0.1:10026 inet n  -       n       -       -       smtpd
> >        -o content_filter=
> >        -o local_header_rewrite_clients=
> >        -o local_recipient_maps=
> >        -o mynetworks=127.0.0.0/8
> >        -o mynetworks_style=host
> >        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
> >        -o relay_recipient_maps=
> >        -o smtp_send_xforward_command=yes
> >        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> >        -o smtpd_client_connection_count_limit=0
> >        -o smtpd_client_connection_rate_limit=0
> >        -o smtpd_client_restrictions=permit_mynetworks,reject
> >        -o smtpd_data_restrictions=reject_unauth_pipelining
> >        -o smtpd_delay_reject=no
> >        -o smtpd_end_of_data_restrictions=
> >        -o smtpd_error_sleep_time=0
> >        -o smtpd_hard_error_limit=1000
> >        -o smtpd_helo_restrictions=
> >        -o smtpd_recipient_restrictions=permit_mynetworks,reject
> >        -o smtpd_restriction_classes=
> >        -o smtpd_sender_restrictions=
> >        -o smtpd_soft_error_limit=1001
> >        -o strict_rfc821_envelopes=yes
> >
> >
> >
> >
> >
> >-------------------------------------------------------------------
> >
> >/etc/amavisd.conf =
> >
> >$inet_socket_port = 10024;
> >
> >
> >(I think I didn't touch this block:)
> >$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
> >  originating => 1,  # is true in MYNETS by default, but let's make it explicit
> >  os_fingerprint_method => undef,  # don't query p0f for internal clients
> >  bypass_banned_checks_maps => [1],
> >};
> >
> >
> ># it is up to MTA to re-route mail from authenticated roaming users or
> ># from internal hosts to a dedicated TCP port (such as 10026) for filtering
> >$interface_policy{'10026'} = 'ORIGINATING';


You have a Postfix smtpd server listening on 10026 AND you tell amavis to
listen on 10026 too? I doubt this will work. Did you tell amavis to bind to
port 10026?

> >$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
> >  originating => 1,  # declare that mail was submitted by our smtp client
> >  allow_disclaimers => 1,  # enables disclaimer insertion if available
> >  # notify administrator of locally originating malware
> >  virus_admin_maps => ["virusalert\@$mydomain"],
> >  spam_admin_maps  => ["virusalert\@$mydomain"],
> >  warnbadhsender   => 1,
> >  # forward to a smtpd service providing DKIM signing service
> >
> >  #### weber change start
> >  forward_method => 'smtp:[127.0.0.1]:10026',
> >  ### weber change stop
> >
> >  # force MTA conversion to 7-bit (e.g. before DKIM signing)
> >  smtpd_discard_ehlo_keywords => ['8BITMIME'],
> >  bypass_banned_checks => [1],  # allow sending any file names and types
> >  final_bad_header_destiny => D_PASS,
> >  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
> >};
> >
> >
> >### weber change start
> >$notify_method  = 'smtp:[127.0.0.1]:10026';
> >$forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
> >### weber change stop
> >
> >Do you need more from my config files?

Not at the moment. We need to fix the routing first, before we can test and
eventually fix the filters on the route.

Make sure mail really enters on your policy_bank port. When in doubt log
verbose in amavis to see on which port _exactly_ amavis receives a message.

p at rick

> >On 2013-01-24 15:06, Patrick Ben Koetter wrote:
> >>* weber at zackbummfertig.de <weber at zackbummfertig.de>:
> >>>Patrick,
> >>>thanks for answering, but it doesn't work for me.
> >>>I still get "Banned content messages" and mail is not sent out...
> >>>Do I also have to set something in the master.cf to enable this
> >>>policy_bank ORIGINATING ?
> >>
> >>
> >>Please post config that shows how you route messages from
> >>Postfix (?) into
> >>amavis and the relevant parts in amavis that route those
> >>messages to the
> >>policy bank including its settings.
> >>
> >>p at rick
> >>
> >>>marko, from hamburg
> >>>
> >>>(sorry, I had only hit reply earlier)
> >>
> >>No problem. I figured as much.
> >>
> >>
> >>>
> >>>On 2013-01-24 13:11, Patrick Ben Koetter wrote:
> >>>>* weber at zackbummfertig.de <weber at zackbummfertig.de>:
> >>>>>I want my users to be able to send banned content files.
> >>>>>
> >>>>>My goal is to have a map in amavis where I can set which user is
> >>>>>allowed to send banned content.
> >>>>>
> >>>>> ferdinand at domain.de is allowed to send,
> >>>>> ulrike at domain.de is NOT allowed to send,
> >>>>>
> >>>>>banned content.
> >>>>
> >>>>
> >>>>I recommend you let local users send over submission (587) port
> >>>>and create a
> >>>>dedicated policy for those senders:
> >>>>
> >>>>$policy_bank{'ORIGINATING'} = {
> >>>>    originating => 1,
> >>>>    bypass_spam_checks_maps   => [1],
> >>>>    bypass_banned_checks_maps => [1],
> >>>>    final_virus_destiny => D_REJECT,
> >>>>    final_bad_header_destiny => D_PASS,
> >>>>    terminate_dsn_on_notify_success => 0,
> >>>>};
> >>>>
> >>>>p at rick
> >>>
> 
> 

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
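
The routing mismatch raised in the reply above (a Postfix smtpd listener on 10026, an amavis policy bank mapped to 10026, and amavis listening only on 10024) can be checked mechanically. The following Python sketch is an added example, not part of the original message or of amavis/Postfix; its function names and the embedded config excerpts are constructed for illustration.

```python
import re

# Constructed excerpts mirroring the settings quoted in the thread.
MASTER_CF = """\
smtpd     pass  -       -       n       -       -       smtpd
        -o content_filter=avira-smtp:[127.0.0.1]:10027
127.0.0.1:10025 inet    n   -   -   -   - smtpd
        -o content_filter=dspam-lmtp:unix:/var/run/dspam/dspam.sock
127.0.0.1:10026 inet n  -       n       -       -       smtpd
"""
AMAVISD_CONF = """\
$inet_socket_port = 10024;
$interface_policy{'10026'} = 'ORIGINATING';
"""

def postfix_listen_ports(master_cf):
    """Ports of inet services in master.cf (numeric service names only)."""
    ports = set()
    for line in master_cf.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue  # skip blank lines, "-o" continuations and comments
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "inet":
            port = fields[0].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def amavis_ports(conf):
    """Return (listen ports, {port: policy bank}) from amavisd.conf text."""
    listen = set()
    m = re.search(r"^\s*\$inet_socket_port\s*=\s*([^;]+);", conf, re.M)
    if m:
        listen = {int(p) for p in re.findall(r"\d+", m.group(1))}
    banks = {int(p): b for p, b in re.findall(
        r"^\s*\$interface_policy\{'?(\d+)'?\}\s*=\s*'(\w+)'", conf, re.M)}
    return listen, banks

def routing_problems(master_cf, conf):
    """List policy-bank ports amavis cannot receive on or Postfix occupies."""
    postfix = postfix_listen_ports(master_cf)
    listen, banks = amavis_ports(conf)
    problems = []
    for port, bank in sorted(banks.items()):
        if port not in listen:
            problems.append(f"policy bank {bank} is bound to port {port}, "
                            "but amavis does not listen there")
        if port in postfix:
            problems.append(f"port {port} is already a Postfix smtpd listener")
    return problems
```

An empty list from `routing_problems()` only means the port mapping is consistent; the verbose amavis log is still what confirms on which port a given message actually arrived.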
 

