Outgoing mail being scanned? Open relay warning.

[Patrick Ben Koetter]

Ian,

* Ian Evans <dheianevans at gmail.com>:
> On Tue, Aug 4, 2020 at 3:38 PM Matus UHLAR - fantomas <uhlar at fantomas.sk>
> wrote:
> 
> > >Open relay? Nonlocal recips but not originating: [person I'm emailing]
> >
> > this happens when 'originating' flag is not set and recipient is not local.
> > maybe you don't have $mynetworks amavis variable set
> >
> 
> Okay bizarre. Just did a grep on my conf.d dir and 'originating' and
> '$mynetworks' don't appear in any of these files:
> 
> 01-debian
> 05-domain_id
> 05-node_id
> 15-av_scanners
> 15-content_filter_mode
> 20-debian_defaults
> 21-ubuntu_defaults
> 25-amavis_helpers
> 30-template_localization
> 40-policy_banks
> 50-user
> 
> Again except for these outgoing notices in the logs, the server has worked
> fine for years. Amavis, Postfix and Dovecot are all on the same server.

for any domain/recipient that amavis should feel responsible for add its name
to @local_domains_maps or let amavis read it from a file, e.g.
/etc/postfix/relay_domains:

@local_domains_maps = (
    ".$mydomain",
    read_hash('/etc/postfix/relay_domains')
);

This will tell amavis what it should classify as "incoming".

For any IP address/network that is internal add it to @mynetworks. This will
tell amavis which sources are internal:

@mynetworks = qw(
    127.0.0.0/8
);

In reverse conclusion all other senders not listed in @mynetworks are
considered to be "outside".

If your authenticated senders submit messages via Port 465 or 587 then route
their messages into a dedicated port into amavis and assign that port to a
policy bank, where you declare everything in that policy bank as originating:

# Claim the port:
@listen_sockets = (
    # Release
    '[::1]:9998',
    # Post-Queue, Submission
    '[::1]:10024',
    # Pre-Queue, MTA zu MTA
    "$MYHOME/amavisd.sock"
    );

# Assign the port to a $policy_bank:
$interface_policy{'10024'}  = 'SUBMISSION';

# Tag everything as $originating in that policy_bank:
$policy_bank{'SUBMISSION'} = {
    originating => 1,
    bypass_spam_checks_maps => [1],
    final_virus_destiny => D_BOUNCE,
    final_banned_destiny=> D_PASS,
    final_bad_header_destiny => D_PASS,
    banned_filename_maps => ['MYNETS-DEFAULT'],
    warnbadhsender => 0,
    forward_method => 'smtp:127.0.0.1:10025',
    notify_method => 'smtp:127.0.0.1:10025',
    undecipherable_subject_tag => undef,
};


> Just so I don't upset the apple cart, what do I need to add and to which
> file do I need to add it?

I suggest you copy over 50-user to 60-mysystem and add your local config
there. It will never be overwritten by an update.

p at rick


-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4436 bytes
Desc: not available
URL: <https://lists.amavis.org/pipermail/amavis-users/attachments/20200805/f379209f/attachment.bin>