Open relay? Nonlocal recips but not originating: in my maillog
Karol Augustin
karol at augustin.pl
Sat Feb 10 02:04:42 CET 2018
On 2018-02-10 0:44, Dino Edwards wrote:
> This has been a well publicized issue. As far as I can tell there is no fix, it seems to be a perl issue. Are you using Fedora?
I couldn't find anything about it. I am using Debian. Can you point me
to any info about it?
It seems weird to be a Perl issue. There are some changes between these
versions around handling policy banks. Do you know what is the exact cause
of this? For me it looks like a bug.
This is the diff between the versions relating to handling policy banks.
Haven't got a chance to dive into that yet...
@@ -12629,14 +13000,20 @@ sub after_chroot_init() {
# $policy_bank{$policy_bank_name}, or load the default policy bank
(empty name)
#
sub load_policy_bank($;$) {
- my($policy_bank_name,$msginfo) = @_;
- if (!exists $policy_bank{$policy_bank_name}) {
- do_log(-1,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
- } elsif ($policy_bank_name eq '') {
+ my($policy_bank_name, $msginfo) = @_;
+ if (!defined $policy_bank_name) {
+ # silently ignore
+ } elsif (!exists $policy_bank{$policy_bank_name}) {
+ do_log(5,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
+ } elsif ($policy_bank_name eq '') { # special case
%current_policy_bank = %{$policy_bank{$policy_bank_name}}; # copy
base
update_current_log_level();
do_log(4,'loaded base policy bank');
+ } elsif ($policy_bank_name eq c('policy_bank_name')) {
+ do_log(5,'policy bank "%s" just loaded, ignored',
$policy_bank_name);
} else {
+ # compatibility: policy bank MYNETS implicitly pre-sets
'originating' flag
+ $current_policy_bank{'originating'} = 1 if $policy_bank_name eq
'MYNETS';
my $cpbp = c('policy_bank_path'); # currently loaded bank
my $new_bank_ref = $policy_bank{$policy_bank_name};
my $do_log5 = ll(5);
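Review bot: Lowering the "does not exist, ignored" message from level -1 to 5 in the !exists $policy_bank{$policy_bank_name} branch hides a misspelled bank name from anyone running below log level 5, and the new !defined branch drops the request with no log line at all. A bank that is skipped here leaves its settings, including originating, unapplied, so I would keep the missing-bank message at a warning level and log the undefined case at 5. The MYNETS compatibility line also sets $current_policy_bank{'originating'} = 1 ahead of the lines that read $new_bank_ref; a comment saying whether a MYNETS bank that sets originating itself is meant to override that preset would help.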
@@ -12683,10 +13060,59 @@ sub load_policy_bank($;$) {
}
$current_policy_bank{'policy_bank_path'} =
($cpbp eq '' ? '' : $cpbp.'/') . $policy_bank_name;
- update_current_log_level();
ll(3) && do_log(3,'loaded policy bank "%s"%s', $policy_bank_name,
$cpbp eq '' ? '' : " over \"$cpbp\"");
+ # update global settings which may have changed
+ update_current_log_level();
+ $msginfo->originating(c('originating')) if $msginfo;
+ }
+}
+
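Review bot: The new $msginfo->originating(c('originating')) call at the end of load_policy_bank overwrites the message's flag with whatever c('originating') returns after the load, so a bank that sets originating to a false value now clears a flag that an earlier bank had set, and nothing is logged when that happens. The call is skipped whenever the caller passes no $msginfo, and from the visible closing braces it appears to sit inside the final else branch, so the "just loaded, ignored" path never reaches it. I would log the old and new value at level 5 next to the "loaded policy bank" message, and state in the sub's header comment that callers loading banks before a message object exists must copy c('originating') themselves.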
>
> -------------------------
>
> FROM: Karol Augustin <karol at augustin.pl>
> SENT: Friday, February 9, 2018 7:32 PM
> TO: amavis-users at amavis.org
> SUBJECT: Re: Open relay? Nonlocal recips but not originating: in my maillog
>
> Hi,
>
> I have the same problem when I upgraded to 2.11. It looks like
> originating -> 1 is not respected and Amavis decides that all e-mail is
> sent from non-local addresses.
>
> As soon as I update to 2.11 I get this problem:
>
> amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK
> LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> ->
> <local_address>
> amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
> [127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>
> amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING
> [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> ->
> <local_address>
>
> With 2.10 (same config):
>
> amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK
> [2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP
> <external_address> -> <local_address>,
> amavis[25244]: (25244-01) Passed CLEAN {RelayedOutbound}, ORIGINATING
> LOCAL [127.0.0.1]:43684 ESMTP/ESMTP <local_address> ->
> <external_address>
> amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING
> LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>
>
> I have the following relevant config:
>
> $inet_socket_port = [10026,10027];
> $interface_policy{'10026'} = 'ORIGINATING';
> $interface_policy{'10027'} = 'PICKUP';
>
> $policy_bank{'AM.PDP-SOCK'} = {
> protocol => 'AM.PDP',
> originating => [1],
> };
>
> $policy_bank{'PICKUP'} = { # mail originating from @mynetworks
> originating => [1],
> enable_dkim_verification => 1,
> enable_dkim_signing => 0,
> bypass_spam_checks_maps => 1, # don't spam-check internal mail
> bypass_banned_checks_maps => 1, # don't banned-check internal mail
> # spam_kill_level_maps => 4,
> bypass_decode_parts => 1,
> bypass_header_checks_maps => 1,
> bypass_virus_checks_maps => 1,
> bypass_banned_checks_maps => 1,
> # remove_existing_x_scanned_headers => 1.
> };
>
> $policy_bank{'ORIGINATING'} = { # mail originating from our users
> originating => 0,
> enable_dkim_verification => 1,
> final_virus_destiny => D_BOUNCE,
> final_banned_destiny => D_BOUNCE,
> final_spam_destiny => D_BOUNCE,
>
> };
>
> $sql_select_policy = 'SELECT name, 3.5 as spam_tag2_level, 9 as
> spam_kill_level FROM virtual_domains WHERE CONCAT("@",name) IN (%k)';
>
> Thanks,
> Karol
>
--
Karol Augustin
karol at augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
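
A check for the symptom shown in the quoted log lines, as an added example that is not part of the original message or of amavis: it parses amavis result lines and reports messages whose originating classification looks inconsistent after an upgrade. It assumes the LOCAL token is how the log template marks a message with the originating flag set; the function names, the bank list, the trusted networks and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the log format quoted in the thread; addresses
# are documentation ranges and placeholders, not values from the post.
SAMPLE_LOG = """\
amavis[100]: (100-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING [127.0.0.1]:43008 ESMTP/ESMTP <u@local.example> -> <p@remote.example>
amavis[101]: (101-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:43684 ESMTP/ESMTP <u@local.example> -> <p@remote.example>
amavis[102]: (102-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK LOCAL [203.0.113.9] [203.0.113.9] /AM.PDP <p@remote.example> -> <u@local.example>
amavis[103]: (103-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [2001:db8::234] [2001:db8::234] /AM.PDP <p@remote.example> -> <u@local.example>
"""

# "{category}, <policy bank path> [LOCAL] [client-ip]"; LOCAL is assumed to
# be how the log template marks a message whose originating flag is set.
LINE_RE = re.compile(
    r"\((?P<id>[\d-]+)\) (?:Passed|Blocked) .+? \{(?P<category>[^}]*)\},\s*"
    r"(?P<tokens>[^\[]*)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def parse(line):
    """Return id, category, bank names, LOCAL flag and client IP, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("tokens").split()
    # A stacked bank path is joined with '/', as in the diff above.
    banks = [b for t in tokens if t != "LOCAL" for b in t.split("/")]
    return {"id": m.group("id"), "category": m.group("category"),
            "banks": banks, "local": "LOCAL" in tokens,
            "ip": ipaddress.ip_address(m.group("ip"))}

def audit(log_text, originating_banks=("ORIGINATING",),
          trusted=("127.0.0.0/8", "::1/128")):
    """List (id, finding) pairs where the originating classification looks off."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        inside = any(rec["ip"].version == n.version and rec["ip"] in n for n in nets)
        if "OpenRelay" in rec["category"]:
            findings.append((rec["id"], "open-relay category"))
        if not rec["local"] and set(rec["banks"]) & set(originating_banks):
            findings.append((rec["id"], "originating bank without LOCAL"))
        if rec["local"] and not inside:
            findings.append((rec["id"], "LOCAL set for untrusted client"))
    return findings
```

Set originating_banks and trusted to match the local configuration before running it over a real maillog; submission from authenticated remote users will otherwise show up under the third finding.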