interface_policy and postfix

Patrick Ben Koetter p at sys4.de
Mon Dec 28 07:48:55 CET 2015


* Alex <mysqlstudent at gmail.com>:
> Hi,
> 
> I'm using amavisd-new-2.10.1 and postfix-3.0.3 on fc22. I have a bunch
> of IPs that I need to effectively whitelist to allow all mail to skip
> being processed by amavisd.
> 
> I'm trying to understand how to use the %interface_policy capability,
> and whether that's a better option than to just add the IPs to a
> $policy_bank.

Interface policies are triggered by the interface/port via which mail enters
the amavis framework. This requires logic on the sending side (here: Postfix)
and on the receiving side. The sending side must know via which interface
it should route messages to amavis. amavis on the receiving side must provide
interfaces and policies as required.

I suggest you use an approach that requires no logic on the Postfix side. Use
@client_ipaddr_policy in amavis to identify specific IPs/IP ranges and map
them to policies. 

Here's an example:

@client_ipaddr_policy = (
    [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
    [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
    [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER',
    [qw( 212.7.160.0/19 )] => 'SUBMISSION',
    \@mynetworks => 'MYNETS'
);


On the left side you can see a list of IP ranges and on the right side you see
names of policy banks.

This works although Postfix is the client and amavis sees only Postfix's IP
address submitting mail all the time, because Postfix and amavis support the
XFORWARD protocol. Using the XFORWARD protocol Postfix forwards information
from the client that submitted the mail to Postfix to amavis. This includes
the original client's IP address.

You can see that it works in the log. The following log line shows a mail I
sent to someone a few minutes ago. It entered Postfix via the submission
service. This triggered two policies in amavis: SUBMISSION and LOCAL:

Dec 28 07:25:02 echo amavis[21323]: (21323-06) Passed CLEAN {RelayedInternal}, SUBMISSION LOCAL [::1] [188.193.163.7] <p at sys4.de> -> <recipient at example.com>, Message-ID: <20151228062500.GA22018 at sys4.de>, mail_id: jJpQ6HMd9ZgC, Hits: -, size: 1186, 193 ms

We're using MILTER to connect Postfix and amavis. You are using content_filter
to hand mail over to amavis. Your log line may vary. The approach to use
@client_ipaddr_policy remains the same.

I believe this is a lot cleaner than interface policies. You only need to
configure one application. The logic is already in place. You simply need to
provide the configuration.

p at rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
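
A log check for the mapping described in the message above, as an added example that is not part of the original post: it parses amavis result lines in the format the post shows and reports every line where an audited policy bank was loaded although none of the logged addresses lies in the ranges configured for that bank. The sample lines are constructed, the bank table copies two entries from the post's example, and the check assumes those banks are loaded only through @client_ipaddr_policy.

```python
import ipaddress
import re

# Bank -> ranges, copied from two entries of the post's example table.
EXPECTED = {
    "PARTNER": ["192.0.2.0/25", "192.0.2.129/32", "192.0.2.130/32"],
    "SUBMISSION": ["212.7.160.0/19"],
}

# amavis[pid]: (id) Passed CLEAN {..}, BANK BANK [ip] [ip] <from> -> <to>, ...
LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?:Passed|Blocked) [^{]*\{[^}]*\}, "
    r"(?P<banks>(?:[A-Za-z0-9_-]+ )*)(?P<addrs>(?:\[[^\]]+\](?::\d+)? ?)+)"
)

def parse(line):
    """Return (bank_names, logged_addresses), or None for non-result lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addrs = []
    for text in re.findall(r"\[([^\]]+)\]", m.group("addrs")):
        try:
            addrs.append(ipaddress.ip_address(text))
        except ValueError:
            pass  # not a plain IP literal; ignore it
    return m.group("banks").split(), addrs

def audit(lines, expected=EXPECTED):
    """List (bank, addresses) where a bank was loaded for out-of-range addresses."""
    findings = []
    for line in lines:
        banks, addrs = parse(line) or ([], [])
        for bank in banks:
            # Banks missing from the table (e.g. LOCAL) are not audited.
            nets = [ipaddress.ip_network(n) for n in expected.get(bank, [])]
            if nets and not any(a in n for a in addrs for n in nets):
                findings.append((bank, [str(a) for a in addrs]))
    return findings

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "Dec 28 08:00:01 mx amavis[2101]: (02101-01) Passed CLEAN {RelayedInbound}, PARTNER [192.0.2.10] [192.0.2.10] <a@partner.example> -> <u@example.com>, Hits: -, size: 900, 150 ms",
    "Dec 28 08:00:05 mx amavis[2101]: (02101-02) Passed CLEAN {RelayedInbound}, PARTNER [127.0.0.1] [203.0.113.50] <b@other.example> -> <u@example.com>, Hits: -, size: 1200, 160 ms",
    "Dec 28 08:00:09 mx amavis[2102]: (02102-01) Passed CLEAN {RelayedInternal}, SUBMISSION LOCAL [212.7.161.3]:40122 [212.7.161.3] <u@example.com> -> <c@other.example>, Hits: -, size: 1186, 193 ms",
    "Dec 28 08:00:12 mx amavis[2102]: (02102-02) Blocked SPAM {DiscardedInbound}, [198.51.100.7] [198.51.100.7] <x@spam.example> -> <u@example.com>, Hits: 12.1, size: 4000, 900 ms",
]
```

A finding for a bank that relaxes checks means the relaxed policy was applied to a client outside the intended ranges, so the table in amavisd.conf and the XFORWARD setup are the first places to look.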
 

