milter messages marked as ALL_TRUSTED

Henrik K hege at hege.li
Wed Apr 22 12:40:32 CEST 2020 

On Wed, Apr 22, 2020 at 12:55:26PM +0300, Henrik K wrote:
> On Wed, Apr 22, 2020 at 12:46:12PM +0300, Henrik K wrote:
> > On Wed, Apr 22, 2020 at 11:29:08AM +0200, Matus UHLAR - fantomas wrote:
> > > >>>>Can you advise me easy way to log e.g. Received: headers from amavisd-new
> > > >>>>or a hint, what more to log?
> > > 
> > > >>On 20.04.20 23:22, Damian wrote:
> > > >>>Run amavis with debug-sa parameter and egrep for "tag RELAY|trusted". Do
> > > >>>you see obvious differences between the two systems?
> > > 
> > > >On Tue, Apr 21, 2020 at 05:32:01PM +0200, Matus UHLAR - fantomas wrote:
> > > >>no differences for now, but you helped me at least a bit.
> > > >>Because of reason unknown to me yet, mail is tagged as originating:
> > > 
> > > On 21.04.20 21:48, Henrik K wrote:
> > > >And you really have atleast amavisd-new 2.11.0-6.1 package version
> > > 
> > > yes.
> > > 
> > > >which has the well know originating bug fixed?
> > > 
> > > I have noticed originatuing bug
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882324
> > > 
> > > but:
> > > 
> > > 1. the bug was about amavisd NOT honoring the "originating" flag
> > >
> > > 2. my problem is that amavis does set "orgiginating" flag for mails that are
> > > not originating
> > 
> > The patch also fixes this case.  Don't read too much into the bug
> > description, you need to understand what the code actually does.  It also
> > sets originating=0, which didn't happen with the missing code.
> 
> Anyways, it's hard to help further without complete picture of your
> configuration, I guess there's many ways policy banks and stuff could mess
> it up.

Actually I found the problem, looking at my locally patched amavisd..

The patch is missing one call.

Look for string

# load policy banks from the 'client_ipaddr_policy' lookup

... there's two of those

But this first one was missing the $msginfo->originating call...  this is
inside the check_ampdp_policy function which I think is used with amavisd-milter

    # load policy banks from the 'client_ipaddr_policy' lookup
    Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
    $msginfo->originating(c('originating'));
    # additional banks from the request
    Amavis::load_policy_bank(untaint($_),$msginfo) for @$bank_names_ref;

I'll investigate a bit more how to do this the most clean way, but adding
that $msginfo->originating(c('originating')); will make it work..

More information about the amavis-users mailing list