Per-socket interface policies

Disassembler disassembler at
Mon Apr 6 08:51:17 CEST 2015

I'm trying to configure multiple mail paths as described on
except instead of TCP, I want to use unix sockets.
I'm using Ubuntu 14.04, originally with maintainer-provided amavisd-new
2.7.1-2ubuntu3, but I'm getting the same result also with vanilla 2.10.1

From this part of code in allow_deny_hook (line numbers as in 2.10.1) I
assume it's possible to define policies per-socket in a similar way as
  12974  my($prop, $sock, $is_ux, @bank_names);
  12975  $prop = $self->{server}; $sock = $prop->{client};
  12976  $is_ux = $sock && $sock->UNIVERSAL::can('NS_proto') &&
  12977           $sock->NS_proto eq 'UNIX';
  12978  if ($is_ux) {
  12979    push(@bank_names, $interface_policy{"SOCK"});
  12980    my $path = Net::Server->VERSION >= 2 ? $sock->NS_port
  12981                                         : $sock->NS_unix_path;
  12982    push(@bank_names, $interface_policy{$path})  if defined $path;

I have the following part of the configuration in amavisd.conf:
  $inet_socket_port = undef;
  $unix_socketname = ['/var/spool/postfix/amavis/amavis-incoming',
  $unix_socket_mode = 0660;
  $forward_method = 'smtp:/var/spool/postfix/amavis/amavis-forward';
  $notify_method = 'smtp:/var/spool/postfix/amavis/amavis-forward';
  $interface_policy{'/var/spool/postfix/amavis/amavis-incoming'} =
  $interface_policy{'/var/spool/postfix/amavis/amavis-outgoing'} =
  $policy_bank{'incoming'} = { # Used for spam and AV checks
      protocol => 'LMTP',
      auth_required_release => 0,
  $policy_bank{'outgoing'} = { # Used for spam and AV checks and for DKIM
      protocol => 'LMTP',
      auth_required_release => 0,
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
      spam_admin_maps  => ['postmaster'],
      virus_admin_maps => ['postmaster'],

And following in of postfix
  smtp      inet  n       -       -       -       -       smtpd
  submission inet n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  smtps     inet  n       -       -       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  amavis-feed unix -      -       -       -       4       lmtp
    -o disable_dns_lookups=yes
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o lmtp_tls_note_starttls_offer=no

The configuration happily runs, sockets are created, but whenever I connect
to a socket, I get the following lines in syslog:
  Apr  6 08:09:30 devbuntu2 amavis[99217]: Net::Server: 2015/04/06-08:09:30
  Apr  6 08:09:30 devbuntu2 amavis[99217]: loaded base policy bank
  Apr  6 08:09:30 devbuntu2 amavis[99217]: loaded policy bank "AM.PDP-SOCK"
which effectively means that the connection to the socket was registered,
but amavis cannot determine _which_ socket it was.
Dump of the socket object shows only
  $VAR1 = bless( \\*Symbol::GEN35, 'Net::Server::Proto::UNIX' );\n
  $VAR1 = 'Ref = "Net::Server::Proto::UNIX" (*||UNIX|*)\n';\n
depending on how I ask. Nevertheless, it's visible that the object is
empty, thus it's not possible to get the correct socket path on line 12980
of the code above.

If I switch everything to TCP, the configuration works as intended:
  Apr  6 07:32:03 devbuntu2 amavis[98333]: Net::Server: 2015/04/06-07:32:03 CONNECT TCP Peer: "[]:43264" Local: "[]:10026"
  Apr  6 07:32:03 devbuntu2 amavis[98333]: () loaded base policy bank
  Apr  6 07:32:03 devbuntu2 amavis[98333]: () loaded policy bank "outgoing"

Am I missing something obvious or is it really a bug? If the inability to
select the policy based on socket name would be intentional (and bypassed by
hardcoded 'SOCK' string), why is there even that part of code seemingly
allowing it?
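
An added example, not part of the original post or of amavisd-new: a log check that reports every amavis connection which loaded none of the policy banks meant for a mail path, which is how the fallback to "AM.PDP-SOCK" shows up above. The function names `connections` and `misrouted` are hypothetical, and the sample input is the log lines quoted in the post with the wrapped TCP line rejoined.

```python
import re

# Log lines quoted in the post (wrapped TCP CONNECT line rejoined).
SAMPLE_LOG = '''\
Apr  6 08:09:30 devbuntu2 amavis[99217]: Net::Server: 2015/04/06-08:09:30
Apr  6 08:09:30 devbuntu2 amavis[99217]: loaded base policy bank
Apr  6 08:09:30 devbuntu2 amavis[99217]: loaded policy bank "AM.PDP-SOCK"
Apr  6 07:32:03 devbuntu2 amavis[98333]: Net::Server: 2015/04/06-07:32:03 CONNECT TCP Peer: "[]:43264" Local: "[]:10026"
Apr  6 07:32:03 devbuntu2 amavis[98333]: () loaded base policy bank
Apr  6 07:32:03 devbuntu2 amavis[98333]: () loaded policy bank "outgoing"
'''

# "amavis[PID]: ", an optional "(...)" tag, then the message text.
LINE = re.compile(r'amavis\[(?P<pid>\d+)\]: (?:\([^)]*\) )?(?P<msg>.*)')
BANK = re.compile(r'loaded policy bank "(?P<name>[^"]+)"')

def connections(log_text):
    """Return one record per connection: pid, endpoint text, banks loaded."""
    last_connect = {}   # pid -> text of the most recent Net::Server line
    current = {}        # pid -> record of the connection being handled
    records = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg'].strip()
        if msg.startswith('Net::Server:'):
            last_connect[pid] = msg[len('Net::Server:'):].strip()
        elif msg == 'loaded base policy bank':
            # The base bank is loaded first, so it marks a new connection.
            current[pid] = {'pid': pid, 'banks': [],
                            'endpoint': last_connect.get(pid, '')}
            records.append(current[pid])
        elif pid in current and (b := BANK.search(msg)):
            current[pid]['banks'].append(b['name'])
    return records

def misrouted(log_text, expected):
    """Connections that loaded none of the expected per-path policy banks."""
    return [c for c in connections(log_text)
            if not set(c['banks']) & set(expected)]

if __name__ == '__main__':
    for c in misrouted(SAMPLE_LOG, {'incoming', 'outgoing'}):
        print(f"pid {c['pid']}: banks {c['banks']} endpoint {c['endpoint']!r}")
```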
