Open relay? Nonlocal recips but not originating: in my maillog

Karol Augustin karol at augustin.pl
Sat Feb 10 02:04:42 CET 2018


On 2018-02-10 0:44, Dino Edwards wrote:

> This has been a well publicized issue. As far as I can tell there is no fix, it seems to be a perl issue. Are you using Fedora? 

I couldn't find anything about it. I am using Debian. Can you point me
to any info about it?

It seems weird for this to be a Perl issue. There are some changes between
these versions around handling policy banks. Do you know what the exact
cause of this is? To me it looks like a bug.

This is the diff between the versions relating to the handling of policy
banks. Haven't had a chance to dive into that yet...


@@ -12629,14 +13000,20 @@ sub after_chroot_init() {
 # $policy_bank{$policy_bank_name}, or load the default policy bank
(empty name)
 #
 sub load_policy_bank($;$) {
-  my($policy_bank_name,$msginfo) = @_;
-  if (!exists $policy_bank{$policy_bank_name}) {
-    do_log(-1,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
-  } elsif ($policy_bank_name eq '') {
+  my($policy_bank_name, $msginfo) = @_;
+  if (!defined $policy_bank_name) {
+    # silently ignore
+  } elsif (!exists $policy_bank{$policy_bank_name}) {
+    do_log(5,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
+  } elsif ($policy_bank_name eq '') {  # special case
     %current_policy_bank = %{$policy_bank{$policy_bank_name}};  # copy
base
     update_current_log_level();
     do_log(4,'loaded base policy bank');
+  } elsif ($policy_bank_name eq c('policy_bank_name')) {
+    do_log(5,'policy bank "%s" just loaded, ignored',
$policy_bank_name);
   } else {
+    # compatibility: policy bank MYNETS implicitly pre-sets
'originating' flag
+    $current_policy_bank{'originating'} = 1  if $policy_bank_name eq
'MYNETS';
     my $cpbp = c('policy_bank_path');  # currently loaded bank
     my $new_bank_ref = $policy_bank{$policy_bank_name};
     my $do_log5 = ll(5);
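
Review bot: in the `!exists $policy_bank{$policy_bank_name}` branch the log level drops from -1 to 5, so a bank name that is referenced but never defined is now skipped with no message at ordinary log levels. Skipping a bank also skips whatever `originating` setting it carries, so this should stay at a warning level, or warn once per unknown name. The MYNETS compatibility line sets `$current_policy_bank{'originating'} = 1` before the new bank is applied; a comment saying whether an explicit `originating` key in that bank is meant to override it would help.
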
@@ -12683,10 +13060,59 @@ sub load_policy_bank($;$) {
     }
     $current_policy_bank{'policy_bank_path'} =
       ($cpbp eq '' ? '' : $cpbp.'/') . $policy_bank_name;
-    update_current_log_level();
     ll(3) && do_log(3,'loaded policy bank "%s"%s', $policy_bank_name,
                       $cpbp eq '' ? '' : " over \"$cpbp\"");
+    # update global settings which may have changed
+    update_current_log_level();
+    $msginfo->originating(c('originating')) if $msginfo;
+  }
+}
+
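
Review bot: `$msginfo->originating(c('originating')) if $msginfo;` sits in the final `else` branch and depends on the optional second argument (the prototype is `($;$)`), so a caller that loads a bank without passing `$msginfo`, or a call that ends in the base-bank or "just loaded, ignored" branch, leaves the per-message flag at its earlier value. Document in the sub's header comment that message-processing callers must pass `$msginfo`, or do the sync once after the if/elsif chain. Moving `update_current_log_level()` below the `do_log(3,...)` call also means that line is now emitted under the previous log level; note it if intended.
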



> 
> -------------------------
> 
> FROM: Karol Augustin <karol at augustin.pl>
> SENT: Friday, February 9, 2018 7:32 PM
> TO: amavis-users at amavis.org
> SUBJECT: Re: Open relay? Nonlocal recips but not originating: in my maillog
> 
> Hi, 
> 
> I have the same problem when I upgraded to 2.11. It looks like
> originating -> 1 is not respected and Amavis decides that all e-mail is
> sent from non-local addresses. 
> 
> As soon as I update to 2.11 I get this problem:
> 
> amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK
> LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> ->
> <local_address>
> amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
> [127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>
> amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING
> [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> ->
> <local_address>
> 
> With 2.10 (same config):
> 
> amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK
> [2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP
> <external_address> -> <local_address>,
> amavis[25244]: (25244-01) Passed CLEAN {RelayedOutbound}, ORIGINATING
> LOCAL [127.0.0.1]:43684 ESMTP/ESMTP <local_address> ->
> <external_address>
> amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING
> LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>
> 
> I have the following relevant config:
> 
> $inet_socket_port = [10026,10027];
> $interface_policy{'10026'} = 'ORIGINATING';
> $interface_policy{'10027'} = 'PICKUP';
> 
> $policy_bank{'AM.PDP-SOCK'} = {
> protocol => 'AM.PDP',
> originating => [1],
> };
> 
> $policy_bank{'PICKUP'} = {  # mail originating from @mynetworks
> originating => [1],
> enable_dkim_verification => 1,
> enable_dkim_signing => 0,
> bypass_spam_checks_maps   => 1,  # don't spam-check internal mail
> bypass_banned_checks_maps => 1,  # don't banned-check internal mail
> #  spam_kill_level_maps => 4,
> bypass_decode_parts => 1,
> bypass_header_checks_maps => 1,
> bypass_virus_checks_maps  => 1,
> bypass_banned_checks_maps => 1,
> #  remove_existing_x_scanned_headers => 1.
> };
> 
> $policy_bank{'ORIGINATING'} = {  # mail originating from our users
> originating => 0,
> enable_dkim_verification => 1,
> final_virus_destiny      => D_BOUNCE,
> final_banned_destiny     => D_BOUNCE,
> final_spam_destiny       => D_BOUNCE,
> 
> };
> 
> $sql_select_policy = 'SELECT name, 3.5 as spam_tag2_level, 9 as
> spam_kill_level FROM virtual_domains WHERE CONCAT("@",name) IN (%k)';
> 
> Thanks,
> Karol
> 


-- 
Karol Augustin
karol at augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
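
An added example, not part of the original message or of amavis: a small log check for the symptom described in this thread, flagging entries whose category contains `OpenRelay` or whose policy bank list names `ORIGINATING` without the `LOCAL` token. Treating `LOCAL` as the marker of the originating flag is an assumption drawn from the two log samples quoted above; the sample lines are constructed, with documentation addresses.

```python
import re

# Constructed sample in the shape of the log lines quoted in the thread,
# wrapped the way the mail client wrapped them.
SAMPLE = """\
amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
[127.0.0.1]:43008 ESMTP/ESMTP <user@example.org> -> <rcpt@example.net>
amavis[25244]: (25244-01) Passed CLEAN {RelayedOutbound}, ORIGINATING
LOCAL [127.0.0.1]:43684 ESMTP/ESMTP <user@example.org> ->
<rcpt@example.net>
amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK
LOCAL [192.0.2.10] [192.0.2.10] /AM.PDP <ext@example.net> -> <user@example.org>
"""

START = re.compile(r"amavis\[\d+\]: ")
ENTRY = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) (?P<action>\w+) (?P<verdict>.*?) "
    r"\{(?P<category>\w+)\}, (?P<banks>[^\[]*)\[")

def unwrap(text):
    """Rejoin wrapped continuation lines into one record per amavis entry."""
    records = []
    for line in text.splitlines():
        if START.search(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Extract id, category, policy bank names and the LOCAL marker."""
    entries = []
    for rec in unwrap(text):
        m = ENTRY.search(rec)
        if m:
            tokens = m.group("banks").split()
            entries.append({"id": m.group("id"), "category": m.group("category"),
                            "banks": [t for t in tokens if t != "LOCAL"],
                            "local": "LOCAL" in tokens})
    return entries

def findings(text):
    """Return (id, category, reasons) for entries that match the symptom."""
    hits = []
    for e in parse(text):
        reasons = []
        if "OpenRelay" in e["category"]:
            reasons.append("open-relay category")
        if "ORIGINATING" in e["banks"] and not e["local"]:
            reasons.append("ORIGINATING bank without LOCAL")
        if reasons:
            hits.append((e["id"], e["category"], reasons))
    return hits
```

Running `findings()` over the log before and after an upgrade shows whether the classification of submission traffic changed with the same configuration.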

