Per-socket interface policies
Disassembler
disassembler at dasm.cz
Mon Apr 6 08:51:17 CEST 2015
Hello,
I'm trying to configure multiple mail paths as described on
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-amavisd-path
except instead of TCP, I want to use unix sockets.
I'm using Ubuntu 14.04, originally with maintainer-provided amavisd-new
2.7.1-2ubuntu3, but I'm getting the same result also with vanilla 2.10.1.
From this part of code in allow_deny_hook (line numbers as in 2.10.1) I
assume it's possible to define policies per-socket in a similar way as
per-port:
12974   my($prop, $sock, $is_ux, @bank_names);
12975   $prop = $self->{server}; $sock = $prop->{client};
12976   $is_ux = $sock && $sock->UNIVERSAL::can('NS_proto') &&
12977            $sock->NS_proto eq 'UNIX';
12978   if ($is_ux) {
12979     push(@bank_names, $interface_policy{"SOCK"});
12980     my $path = Net::Server->VERSION >= 2 ? $sock->NS_port
12981                                          : $sock->NS_unix_path;
12982     push(@bank_names, $interface_policy{$path}) if defined $path;
I have the following part of configuration in amavisd.conf:
$inet_socket_port = undef;
$unix_socketname = ['/var/spool/postfix/amavis/amavis-incoming',
                    '/var/spool/postfix/amavis/amavis-outgoing'];
$unix_socket_mode = 0660;
$forward_method = 'smtp:/var/spool/postfix/amavis/amavis-forward';
$notify_method = 'smtp:/var/spool/postfix/amavis/amavis-forward';
$interface_policy{'/var/spool/postfix/amavis/amavis-incoming'} = 'incoming';
$interface_policy{'/var/spool/postfix/amavis/amavis-outgoing'} = 'outgoing';
$policy_bank{'incoming'} = { # Used for spam and AV checks
  protocol => 'LMTP',
  auth_required_release => 0,
};
$policy_bank{'outgoing'} = { # Used for spam and AV checks and for DKIM signing
  protocol => 'LMTP',
  auth_required_release => 0,
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  spam_admin_maps => ['postmaster'],
  virus_admin_maps => ['postmaster'],
};
And the following in main.cf/master.cf of postfix:
smtp inet n - - - - smtpd
  -o content_filter=amavis-feed:unix:/var/spool/postfix/amavis/amavis-incoming
submission inet n - - - - smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis-feed:unix:/var/spool/postfix/amavis/amavis-outgoing
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis-feed:unix:/var/spool/postfix/amavis/amavis-outgoing
amavis-feed unix - - - - 4 lmtp
  -o disable_dns_lookups=yes
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o lmtp_tls_note_starttls_offer=no
The configuration happily runs, sockets are created, but whenever I connect
to a socket, I get the following lines in syslog:
Apr 6 08:09:30 devbuntu2 amavis[99217]: Net::Server: 2015/04/06-08:09:30 CONNECT UNIX Socket: ""
Apr 6 08:09:30 devbuntu2 amavis[99217]: loaded base policy bank
Apr 6 08:09:30 devbuntu2 amavis[99217]: loaded policy bank "AM.PDP-SOCK"
which effectively means that the connection to the socket was registered,
but amavis cannot determine _which_ socket it was.
A dump of the socket object shows only
$VAR1 = bless( \\*Symbol::GEN35, 'Net::Server::Proto::UNIX' );\n
or
$VAR1 = 'Ref = "Net::Server::Proto::UNIX" (*||UNIX|*)\n';\n
depending on how I ask. Nevertheless, it's visible that the object is
empty, thus it's not possible to get the correct socket path on line 12980
of the code above.
If I switch everything to TCP, the configuration works as intended:
Apr 6 07:32:03 devbuntu2 amavis[98333]: Net::Server: 2015/04/06-07:32:03 CONNECT TCP Peer: "[127.0.0.1]:43264" Local: "[127.0.0.1]:10026"
Apr 6 07:32:03 devbuntu2 amavis[98333]: () loaded base policy bank
Apr 6 07:32:03 devbuntu2 amavis[98333]: () loaded policy bank "outgoing"
Am I missing something obvious or is it really a bug? If the inability to
select the policy based on socket name were intentional (and bypassed by
the hardcoded 'SOCK' string), why is there even that part of code seemingly
allowing it?
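
A log check for the symptom described in this post, as an added example that is not part of the original message or of amavisd-new: it pairs each CONNECT line with the policy banks the same amavis process loaded afterwards and flags connections that received only "AM.PDP-SOCK" instead of a configured per-socket bank. The function name, the status labels and the assumption that bank lines follow their CONNECT line under the same PID are hypothetical; the sample lines are the ones quoted in the post, rejoined onto single lines.

```python
import re

# Patterns follow the syslog lines quoted in the post.
CONNECT = re.compile(r'amavis\[(\d+)\]: Net::Server: \S+ CONNECT (UNIX|TCP) (.*)$')
BANK = re.compile(r'amavis\[(\d+)\]: (?:\(\S*\) )?loaded policy bank "([^"]+)"')
FALLBACK_BANKS = {"AM.PDP-SOCK"}  # what the post saw instead of a per-socket bank

# The six log lines from the post, rejoined onto single lines.
SAMPLE_LOG = [
    'Apr 6 08:09:30 devbuntu2 amavis[99217]: Net::Server: 2015/04/06-08:09:30 CONNECT UNIX Socket: ""',
    'Apr 6 08:09:30 devbuntu2 amavis[99217]: loaded base policy bank',
    'Apr 6 08:09:30 devbuntu2 amavis[99217]: loaded policy bank "AM.PDP-SOCK"',
    'Apr 6 07:32:03 devbuntu2 amavis[98333]: Net::Server: 2015/04/06-07:32:03 CONNECT TCP Peer: "[127.0.0.1]:43264" Local: "[127.0.0.1]:10026"',
    'Apr 6 07:32:03 devbuntu2 amavis[98333]: () loaded base policy bank',
    'Apr 6 07:32:03 devbuntu2 amavis[98333]: () loaded policy bank "outgoing"',
]


def audit_policy_banks(lines, expected_banks):
    """Pair each CONNECT with the banks the same PID loaded afterwards."""
    current, records = {}, []
    for line in lines:
        m = CONNECT.search(line)
        if m:
            pid, proto, endpoint = m.groups()
            current[pid] = {"pid": pid, "proto": proto,
                            "endpoint": endpoint, "banks": []}
            records.append(current[pid])
            continue
        m = BANK.search(line)
        if m and m.group(1) in current:
            current[m.group(1)]["banks"].append(m.group(2))
    for rec in records:
        banks = set(rec["banks"])
        if banks & set(expected_banks):
            rec["status"] = "expected"
        elif banks and banks <= FALLBACK_BANKS:
            rec["status"] = "fallback-only"  # socket path was not matched
        else:
            rec["status"] = "no-bank"
    return records


if __name__ == "__main__":
    for rec in audit_policy_banks(SAMPLE_LOG, {"incoming", "outgoing"}):
        print(rec["status"], rec["proto"], rec["endpoint"], rec["banks"])
```

A "fallback-only" record on a socket meant for the 'outgoing' bank means that bank's settings, including the `originating => 1` flag from the configuration above, were not applied to that connection.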