interface_policy and postfix
Patrick Ben Koetter
p at sys4.de
Wed Dec 30 23:36:06 CET 2015
Hi Alex,
* Alex <mysqlstudent at gmail.com>:
> Hi,
>
> On Mon, Dec 28, 2015 at 1:48 AM, Patrick Ben Koetter <p at sys4.de> wrote:
> > * Alex <mysqlstudent at gmail.com>:
> >> Hi,
> >>
> >> I'm using amavisd-new-2.10.1 and postfix-3.0.3 on fc22. I have a bunch
> >> of IPs that I need to effectively whitelist to allow all mail to skip
> >> being processed by amavisd.
> >>
> >> I'm trying to understand how to use the %interface_policy capability,
> >> and whether that's a better option than to just add the IPs to a
> >> $policy_bank.
> >
> > Interface policies are triggered by the interface/port via which mail enters
> > the amavis framework. This requires logic on the sending side (here: Postfix)
> > and on the receiving side. The sending side must know to via which interface
> > it should route messages to amavis. amavis on the receiving side must provide
> > interfaces and policies as required.
> >
> > I suggest you use an approach that requires no logic on the Postfix side. Use
> > @client_ipaddr_policy in amavis to identify specific IPs/IP ranges and map
> > them to policies.
>
> That's what I thought, and overnight, I read a ton more docs about
> interface_policy, and just couldn't get it to work. I'm actually doing
> it using client_ipaddr_policy with postfix already, but wasn't sure it
> was the right way for what I was trying to do.
>
> When people spoke about bypassing amavisd, I was thinking they were
> bypassing amavisd altogether, when they were really talking about just
> the bypass_* options in the policy banks, which is what I was already
> doing.
You can do both and obviously it requires less resources if you bypass amavis
at all. But then - at least by my personal standards - I always scan for
viruses/malware. I may exempt senders or recipients from spam checks, phishing
etc. but not from malware detection.
> I realize you can actually bypass amavisd altogether, but it's messy
> and appears to require an additional IP.
You could also do something like:
192.168.2.1 PREPEND Content-Inspection: PASS
Then check for the header with header_checks and define an action that routes
the message to amavis if does NOT contain the "Content-Inspection: PASS" as
header:
!/^Content-Inspection: PASS$/ FILTER smtp-amavis:[127.0.0.1]:10024
But this feels clumsy and error prone.
> > We're using MILTER to connect Postfix and amavis. You are using content_filter
> > to hand mail over to amavis. You're log line may vary. The approach to use
> > @client_ipaddr_policy remains the same.
>
> Can you explain this further? You're not using something like
> "content_filter = smtp-amavis:[127.0.0.1]:10024" with postfix?
We are not using content_filter. We use MILTERs whenever possible.
First of all, because we run our servers in Germany and Germany requires us to
either reject a message before we queue it or deliver it to the recipient, we
do pre-queue filtering.
Within the domain of pre-queue filtering we could use smtpd_proxy_filter or
the MILTER API to connect a content filter (framework) such as amavis with
Postfix.
Why prefer MILTERs over smtpd_proxy_filter?
A few qualities come to mind:
Variety
There are many MILTERs out there to choose from when we build a mail
platform. The have been tested well.
Speed
Most milters are fast. By definition a MILTER runs in memory only.
Log
With content_... or ...-proxy_filter logging becomes ugly. One message
passing back and forth between several message processing applications may
generate many queue ID - each time it (re)enters the Postfix mail server.
With MILTER log entries keep in sequence. No new queue IDs. Reading log is
simple. Parsing log is simple. I love it. ;)
> I'm actually thinking of also implementing MIMEdefang, and believe you
> need to use a MILTER to do that, but wasn't sure how that would be
> done.
Sooner or later you probably also want to implement DMARC. Then you will have
to use OpenDKIM and OpenDMARC - both MILTERs.
How to implement:
Postfix uses smtpd_milters or non_smtpd_milters to intergrate MILTERS into the
Postfix message flow. Postfix connects to a MILTER either via a UNIX domain
socket or via a TCP socket. If the MILTER doesn't reside on the same machine
as Postfix use stunnel to protect the unencrypted MILTER TCP socket.
amavis does not implement a MILTER API. In order to use it via a MILTER you
need to use amavisd-milter as bridge. Towards Postfix it offes a MILTER API
and towards amavisd-new it uses the AM.PDP (amavis policy delegation
protocol).
A config sketch could be:
###
# main.cf
# Where should the smtpd server meet milters?
smtpd_milters =
# Opendkim
unix:milter/dkim
# Opendmarc
unix:milter/dmarc
# amavis via milter
inet:localhost:10024
###
# master.cf
# notification channel for amavis
127.0.0.1:10025 inet n - n - - smtpd
-o syslog_name=postfix-reentry
-o smtpd_banner=$smtpd_reentry_banner
-o content_filter=
-o smtpd_milters=unix:milter/dkim
-o milter_macro_daemon_name=DKIMSign
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_delay_reject=no
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_relay_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
### This is on Gentoo
# /etc/conf.d/amavisd-milter
# Unix domain socket locations
SOCKET="inet:10024 at 127.0.0.1"
AM_SOCKET="/var/amavis/amavisd.sock"
# Working directory
AM_TMP="/var/amavis/tmp"
# Pid file location
PIDFILE="/var/amavis/amavisd-milter.pid"
# Maximum connections
MAX_CON="20"
DOPTIONS="-s $SOCKET -p $PIDFILE -S $AM_SOCKET -w $AM_TMP -m $MAX_CON -B"
And finally in amavis:
#############################################################################
## SERVER
#
$max_servers = 16;
# Where to listen for incoming connections?
@listen_sockets = (
# Release
'[::1]:9998',
# Post-Queue, Submission
'[::1]:10026',
# Pre-Queue, MTA to MTA
"$MYHOME/amavisd.sock"
);
That's about it. Once you have tweaked it to fit your setup bringing in the
@client_ipaddr_policy should be fairly simple.
p at rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the amavis-users
mailing list