milter messages marked as ALL_TRUSTED

Henrik K hege at hege.li
Wed Apr 22 13:41:08 CEST 2020


On Wed, Apr 22, 2020 at 02:30:47PM +0300, Henrik K wrote:
> On Wed, Apr 22, 2020 at 02:21:25PM +0300, Henrik K wrote:
> > On Wed, Apr 22, 2020 at 01:40:32PM +0300, Henrik K wrote:
> > >
> > > Actually I found the problem, looking at my locally patched amavisd..
> > > 
> > > The patch is missing one call.
> > > 
> > > Look for string
> > > 
> > > # load policy banks from the 'client_ipaddr_policy' lookup
> > > 
> > > ... there's two of those
> > > 
> > > But this first one was missing the $msginfo->originating call...  this is
> > > inside the check_ampdp_policy function which I think is used with amavisd-milter
> > > 
> > >     # load policy banks from the 'client_ipaddr_policy' lookup
> > >     Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
> > >     $msginfo->originating(c('originating'));
> > >     # additional banks from the request
> > >     Amavis::load_policy_bank(untaint($_),$msginfo) for @$bank_names_ref;
> > > 
> > > I'll investigate a bit more how to do this the cleanest way, but adding
> > > that $msginfo->originating(c('originating')); will make it work..
> > 
> > Bug filed:
> > 
> > https://gitlab.com/amavis/amavis/-/issues/61
> 
> This can also be worked around by always forcing a policy load.
> 
> There's a good example in the amavisd documentation:
> 
> $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
> 
> # Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
> # (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
> $policy_bank{'AM.PDP-SOCK'} = {
>   protocol => 'AM.PDP',
>   auth_required_release => 0,  # do not require secret_id for amavisd-release
> };
> 
> This forces Amavis::load_policy_bank to be called and the load_policy_bank
> function itself will run the $msginfo->originating(c('originating')); call..
> 
> I suspect I'm not the only one who simply has these lines in amavisd.conf root and
> not a policy bank.
> 
> $protocol = 'AM.PDP';
> $auth_required_release = 0;

Duh sorry for the noise, I was testing hastily..  that doesn't work even
trying originating=>0 in AM.PDP-SOCK policy.  Seems that it requires the
code patch.  The codebase is a nightmare to read through..


