Bypass banned content check from localhost , and bypass incoming badh problem
weber at zackbummfertig.de
Sat Jan 26 09:41:56 CET 2013
-------- Original Message --------
Subject: Re: Bypass banned content check from localhost, and bypass incoming badh problem
Date: 2013-01-26 09:41
From: weber at zackbummfertig.de
To: Patrick Ben Koetter <p at sys4.de>
On 2013-01-25 21:56, Patrick Ben Koetter wrote:
> * weber at zackbummfertig.de <weber at zackbummfertig.de>:
>> any idea patrick ?
>
> Sorry for the delayed answer. Today was a busy day... :/
It's okay, was busy here too ... ;-)
>
>
>> On 2013-01-24 15:26, weber at zackbummfertig.de wrote:
>> >(internet)---(server -> aviramailgate -> amavis -> postfix (clamav) -> dovecot
>> >
>> >(mails arrive on port 25 and go amavis)
>> >
>> >/etc/postfix/master.cf =
>> >
>> >smtpd pass - - n - - smtpd
>> > -o content_filter=avira-smtp:[127.0.0.1]:10027
>> > -o cleanup_service_name=pre-cleanup
>> >
>> >127.0.0.1:10025 inet n - - - - smtpd
>> > -o cleanup_service_name=cleanup
>> > -o content_filter=dspam-lmtp:unix:/var/run/dspam/dspam.sock
>> > -o local_header_rewrite_clients=
>> > -o local_recipient_maps=
>> > -o mynetworks=127.0.0.0/8
>> > -o mynetworks_style=host
>> > -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>> > -o relay_recipient_maps=
>> > -o smtp_send_xforward_command=yes
>> > -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>> > -o smtpd_client_connection_count_limit=0
>> > -o smtpd_client_connection_rate_limit=0
>> > -o smtpd_client_restrictions=permit_mynetworks,reject
>> > -o smtpd_data_restrictions=reject_unauth_pipelining
>> > -o smtpd_delay_reject=no
>> > -o smtpd_end_of_data_restrictions=
>> > -o smtpd_error_sleep_time=0
>> > -o smtpd_hard_error_limit=1000
>> > -o smtpd_helo_restrictions=
>> > -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> > -o smtpd_restriction_classes=
>> > -o smtpd_sender_restrictions=
>> > -o smtpd_soft_error_limit=1001
>> > -o strict_rfc821_envelopes=yes
>> >
>> >
>> >127.0.0.1:10026 inet n - n - - smtpd
>> > -o content_filter=
>> > -o local_header_rewrite_clients=
>> > -o local_recipient_maps=
>> > -o mynetworks=127.0.0.0/8
>> > -o mynetworks_style=host
>> > -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
>> > -o relay_recipient_maps=
>> > -o smtp_send_xforward_command=yes
>> > -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>> > -o smtpd_client_connection_count_limit=0
>> > -o smtpd_client_connection_rate_limit=0
>> > -o smtpd_client_restrictions=permit_mynetworks,reject
>> > -o smtpd_data_restrictions=reject_unauth_pipelining
>> > -o smtpd_delay_reject=no
>> > -o smtpd_end_of_data_restrictions=
>> > -o smtpd_error_sleep_time=0
>> > -o smtpd_hard_error_limit=1000
>> > -o smtpd_helo_restrictions=
>> > -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> > -o smtpd_restriction_classes=
>> > -o smtpd_sender_restrictions=
>> > -o smtpd_soft_error_limit=1001
>> > -o strict_rfc821_envelopes=yes
>> >
>> >
>> >
>> >
>> >
>> >-------------------------------------------------------------------
>> >
>> >/etc/amavisd.conf =
>> >
>> >$inet_socket_port = 10024;
>> >
>> >
>> >(I think I didn't touch this block:)
>> >$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
>> > originating => 1, # is true in MYNETS by default, but let's make it explicit
>> > os_fingerprint_method => undef, # don't query p0f for internal clients
>> > bypass_banned_checks_maps => [1],
>> >};
>> >
>> >
>> ># it is up to MTA to re-route mail from authenticated roaming users or
>> ># from internal hosts to a dedicated TCP port (such as 10026) for filtering
>> >$interface_policy{'10026'} = 'ORIGINATING';
>
>
> You have a Postfix smtpd server listening on 10026 AND you tell amavis to
> listen on 10026 too? I doubt this will work. Did you tell amavis to bind to
> port 10026?
No, not at all. I have:
/etc/amavisd.conf =
$inet_socket_port = 10024;
and then tell amavis to notify and forward on different ports:
$notify_method = 'smtp:[127.0.0.1]:10026';
$forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
amavis listens on 10024:
# telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
>
>> >$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
>> > originating => 1, # declare that mail was submitted by our smtp client
>> > allow_disclaimers => 1, # enables disclaimer insertion if available
>> > # notify administrator of locally originating malware
>> > virus_admin_maps => ["virusalert\@$mydomain"],
>> > spam_admin_maps => ["virusalert\@$mydomain"],
>> > warnbadhsender => 1,
>> > # forward to a smtpd service providing DKIM signing service
>> >
>> > #### weber change start
>> > forward_method => 'smtp:[127.0.0.1]:10026',
>> > ### weber change stop
>> >
>> > # force MTA conversion to 7-bit (e.g. before DKIM signing)
>> > smtpd_discard_ehlo_keywords => ['8BITMIME'],
>> > bypass_banned_checks => [1], # allow sending any file names and types
>> > final_bad_header_destiny => D_PASS,
>> > terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
>> >};
>> >
>> >
>> >### weber change start
>> >$notify_method = 'smtp:[127.0.0.1]:10026';
>> >$forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
>> >### weber change stop
>> >
>> >Do you need more from my config files?
>
> Not at the moment. We need to fix the routing first, before we can test and
> eventually fix the filters on the route.
>
> Make sure mail really enters on your policy_bank port. When in doubt log
> verbose in amavis to see on which port _exactly_ amavis receives a message.
>
> p at rick
>
>> >On 2013-01-24 15:06, Patrick Ben Koetter wrote:
>> >>* weber at zackbummfertig.de <weber at zackbummfertig.de>:
>> >>>Patrick,
>> >>>thanks for answering, but it doesn't work for me.
>> >>>I still get "Banned content messages" and mail is not sent out...
>> >>>Do I also have to set something in master.cf to enable this
>> >>>policy_bank ORIGINATING?
>> >>
>> >>
>> >>Please post config that shows how you route messages from Postfix (?) into
>> >>amavis and the relevant parts in amavis that route those messages to the
>> >>policy bank including its settings.
>> >>
>> >>p at rick
>> >>
>> >>>marko, from hamburg
>> >>>
>> >>>(sorry, I just hit reply earlier)
>> >>
>> >>No problem. I figured as much.
>> >>
>> >>
>> >>>
>> >>>On 2013-01-24 13:11, Patrick Ben Koetter wrote:
>> >>>>* weber at zackbummfertig.de <weber at zackbummfertig.de>:
>> >>>>>I want my users to be able to send banned content files.
>> >>>>>
>> >>>>>My goal is to have a map in amavis where I can set which user is
>> >>>>>allowed to send banned content.
>> >>>>>
>> >>>>> ferdinand at domain.de is allowed to send,
>> >>>>> ulrike at domain.de is NOT allowed to send,
>> >>>>>
>> >>>>>banned content.
>> >>>>
>> >>>>
>> >>>>I recommend you let local users send over submission (587) port and
>> >>>>create a dedicated policy for those senders:
>> >>>>
>> >>>>$policy_bank{'ORIGINATING'} = {
>> >>>> originating => 1,
>> >>>> bypass_spam_checks_maps => [1],
>> >>>> bypass_banned_checks_maps => [1],
>> >>>> final_virus_destiny => D_REJECT,
>> >>>> final_bad_header_destiny => D_PASS,
>> >>>> terminate_dsn_on_notify_success => 0,
>> >>>>};
>> >>>>
>> >>>>p at rick
>> >>>
>>
>>
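An added example (not from the thread or the amavisd project) of the amavisd.conf routing the replies above are asking for: amavisd actually listens on a second port, that port selects the ORIGINATING bank, and the banned-content bypass is granted per author instead of to the whole bank. Port 10028, the transport name smtp-amavis, the bank name ORIGINATING_ALLOW_BANNED and the use of @author_to_policy_bank_maps (assumed available in the amavisd-new version in use) are assumptions.

```perl
# amavisd.conf fragment (added example, not the poster's configuration).

# Bind amavisd to two ports: 10024 for the inbound stream and 10028 for mail
# submitted by local users.  10028 is an assumed, otherwise unused port; the
# poster's 10026 is already a Postfix re-injection smtpd and cannot be shared.
$inet_socket_port = [10024, 10028];

# Mail arriving on 10028 is loaded into the ORIGINATING bank.  Postfix has to
# send submission (587) traffic there, e.g. in master.cf (assumed transport):
#   submission inet n - n - - smtpd
#     -o content_filter=smtp-amavis:[127.0.0.1]:10028
$interface_policy{'10028'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  # banned-content checks stay on for everybody in this bank
  final_virus_destiny             => D_REJECT,
  final_bad_header_destiny        => D_PASS,
  terminate_dsn_on_notify_success => 0,
  # hand clean mail back to the post-filter Postfix instance
  forward_method => 'smtp:[127.0.0.1]:10025',
};

# Loaded on top of ORIGINATING only for the authors listed below.  The key
# name mirrors the global @bypass_banned_checks_maps, _maps suffix included.
$policy_bank{'ORIGINATING_ALLOW_BANNED'} = {
  bypass_banned_checks_maps => [1],
};

# Per-author bank selection (assumed available in this amavisd-new version;
# consulted for originating mail).  ferdinand may send banned content;
# ulrike is not listed and keeps the normal checks.
@author_to_policy_bank_maps = (
  { 'ferdinand@domain.de' => 'ORIGINATING_ALLOW_BANNED' },
);
```

With amavisd log level raised, the log line for a submitted message should name port 10028 and the loaded banks; if it still shows 10024, the Postfix content_filter is not pointing at the new port.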