Outgoing mail being scanned? Open relay warning.

Ian Evans dheianevans at gmail.com
Wed Aug 5 20:18:19 CEST 2020 

On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <p at sys4.de> wrote:

> Ian,
>
> * Ian Evans <dheianevans at gmail.com>:
> > On Tue, Aug 4, 2020 at 3:38 PM Matus UHLAR - fantomas <uhlar at fantomas.sk
> >
> > wrote:
> >
> > > >Open relay? Nonlocal recips but not originating: [person I'm emailing]
> > >
> > > this happens when 'originating' flag is not set and recipient is not
> local.
> > > maybe you don't have $mynetworks amavis variable set
> > >
> >
> > Okay bizarre. Just did a grep on my conf.d dir and 'originating' and
> > '$mynetworks' don't appear in any of these files:
> [snip]>
> > Again except for these outgoing notices in the logs, the server has
> worked
> > fine for years. Amavis, Postfix and Dovecot are all on the same server.
>
> for any domain/recipient that amavis should feel responsible for add its
> name
> to @local_domains_maps or let amavis read it from a file, e.g.
> /etc/postfix/relay_domains:
>
> @local_domains_maps = (
>     ".$mydomain",
>     read_hash('/etc/postfix/relay_domains')
> );
>
> This will tell amavis what it should classify as "incoming".
>
> For any IP address/network that is internal add it to @mynetworks. This
> will
> tell amavis which sources are internal:
>
> @mynetworks = qw(
>     127.0.0.0/8
> );
>
> In reverse conclusion all other senders not listed in @mynetworks are
> considered to be "outside".
>
> If your authenticated senders submit messages via Port 465 or 587 then
> route
> their messages into a dedicated port into amavis and assign that port to a
> policy bank, where you declare everything in that policy bank as
> originating:
>
> # Claim the port:
> @listen_sockets = (
>     # Release
>     '[::1]:9998',
>     # Post-Queue, Submission
>     '[::1]:10024',
>     # Pre-Queue, MTA zu MTA
>     "$MYHOME/amavisd.sock"
>     );
>
> # Assign the port to a $policy_bank:
> $interface_policy{'10024'}  = 'SUBMISSION';
>
> # Tag everything as $originating in that policy_bank:
> $policy_bank{'SUBMISSION'} = {
>     originating => 1,
>     bypass_spam_checks_maps => [1],
>     final_virus_destiny => D_BOUNCE,
>     final_banned_destiny=> D_PASS,
>     final_bad_header_destiny => D_PASS,
>     banned_filename_maps => ['MYNETS-DEFAULT'],
>     warnbadhsender => 0,
>     forward_method => 'smtp:127.0.0.1:10025',
>     notify_method => 'smtp:127.0.0.1:10025',
>     undecipherable_subject_tag => undef,
> };
>
>
> > Just so I don't upset the apple cart, what do I need to add and to which
> > file do I need to add it?
>
> I suggest you copy over 50-user to 60-mysystem and add your local config
> there. It will never be overwritten by an update.
>
>
 Patrick, thanks for the detailed notes. I wanted to respond when I had
time to look at my setup. A few questions:

I only handle email for my domain so I'm assuming this is okay?

  @local_domains_maps = (
    ".$mydomain"
);
@mynetworks = qw(
    127.0.0.0/8
);

My biggest question and config I don't want to foul up is the submission
section for the amavis config.

Here's what's in my master.cf in Postfix:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#OpenDKIM signing
  -o smtpd_milters=inet:localhost:12345

So the email is sent to port 587 and processed through OpenDKIM. Being
coffee and sleep-deprived I don't want to FUBAR anything in the amavis
config? Your example said to claim the port:

  # Claim the port:
@listen_sockets = (
    # Release
    '[::1]:9998',
    # Post-Queue, Submission
    '[::1]:10024',
    # Pre-Queue, MTA zu MTA
    "$MYHOME/amavisd.sock"
    );

So which one do I change? And will that interfere with the master.cf
submission interfacing with OpenDKIM.

Thanks again. If I was feeling better I'm sure this would be clearer to me.

Take care.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.amavis.org/pipermail/amavis-users/attachments/20200805/6014f62c/attachment.htm>

More information about the amavis-users mailing list