Outgoing mail being scanned? Open relay warning.

Dominic Raferd dominic at timedicer.co.uk
Thu Aug 6 05:49:40 CEST 2020


On Wed, 5 Aug 2020 at 19:19, Ian Evans <dheianevans at gmail.com> wrote:
>
> On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <p at sys4.de> wrote:
>>
>> Ian,
>>
>> * Ian Evans <dheianevans at gmail.com>:
>> > On Tue, Aug 4, 2020 at 3:38 PM Matus UHLAR - fantomas <uhlar at fantomas.sk>
>> > wrote:
>> >
>> > > >Open relay? Nonlocal recips but not originating: [person I'm emailing]
>> > >
>> > > this happens when 'originating' flag is not set and recipient is not local.
>> > > maybe you don't have $mynetworks amavis variable set
>> > >
>> >
>> > Okay bizarre. Just did a grep on my conf.d dir and 'originating' and
>> > '$mynetworks' don't appear in any of these files:
>> [snip]
>> >
>> > Again except for these outgoing notices in the logs, the server has worked
>> > fine for years. Amavis, Postfix and Dovecot are all on the same server.
>>
>> for any domain/recipient that amavis should feel responsible for add its name
>> to @local_domains_maps or let amavis read it from a file, e.g.
>> /etc/postfix/relay_domains:
>>
>> @local_domains_maps = (
>>     ".$mydomain",
>>     read_hash('/etc/postfix/relay_domains')
>> );
>>
>> This will tell amavis what it should classify as "incoming".
>>
>> For any IP address/network that is internal add it to @mynetworks. This will
>> tell amavis which sources are internal:
>>
>> @mynetworks = qw(
>>     127.0.0.0/8
>> );
>>
>> In reverse conclusion all other senders not listed in @mynetworks are
>> considered to be "outside".
>>
>> If your authenticated senders submit messages via Port 465 or 587 then route
>> their messages into a dedicated port into amavis and assign that port to a
>> policy bank, where you declare everything in that policy bank as originating:
>>
>> # Claim the port:
>> @listen_sockets = (
>>     # Release
>>     '[::1]:9998',
>>     # Post-Queue, Submission
>>     '[::1]:10024',
>>     # Pre-Queue, MTA to MTA
>>     "$MYHOME/amavisd.sock"
>>     );
>>
>> # Assign the port to a $policy_bank:
>> $interface_policy{'10024'}  = 'SUBMISSION';
>>
>> # Tag everything as $originating in that policy_bank:
>> $policy_bank{'SUBMISSION'} = {
>>     originating => 1,
>>     bypass_spam_checks_maps => [1],
>>     final_virus_destiny => D_BOUNCE,
>>     final_banned_destiny => D_PASS,
>>     final_bad_header_destiny => D_PASS,
>>     banned_filename_maps => ['MYNETS-DEFAULT'],
>>     warnbadhsender => 0,
>>     forward_method => 'smtp:127.0.0.1:10025',
>>     notify_method => 'smtp:127.0.0.1:10025',
>>     undecipherable_subject_tag => undef,
>> };
>>
>>
>> > Just so I don't upset the apple cart, what do I need to add and to which
>> > file do I need to add it?
>>
>> I suggest you copy over 50-user to 60-mysystem and add your local config
>> there. It will never be overwritten by an update.
>>
>
> Patrick, thanks for the detailed notes. I wanted to respond when I had time to look at my setup. A few questions:
>
> I only handle email for my domain so I'm assuming this is okay?
>
> @local_domains_maps = (
>     ".$mydomain"
> );
> @mynetworks = qw(
>     127.0.0.0/8
> );
>
> My biggest question and config I don't want to foul up is the submission section for the amavis config.
>
> Here's what's in my master.cf in Postfix:
>
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #OpenDKIM signing
>   -o smtpd_milters=inet:localhost:12345
>
> So the email is sent to port 587 and processed through OpenDKIM. Being coffee and sleep-deprived I don't want to FUBAR anything in the amavis config. Your example said to claim the port:
>
> # Claim the port:
> @listen_sockets = (
>     # Release
>     '[::1]:9998',
>     # Post-Queue, Submission
>     '[::1]:10024',
>     # Pre-Queue, MTA to MTA
>     "$MYHOME/amavisd.sock"
>     );
>
> So which one do I change? And will that interfere with the master.cf submission interfacing with OpenDKIM?
>
> Thanks again. If I was feeling better I'm sure this would be clearer to me.
>
> Take care.

Do you need to change anything? I see OpenRelay reported by amavis all
the time and I just ignore it (I know I am not running an open relay).
And I think it is wise to have amavis check outgoing emails.
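
Added example (not part of the thread and not amavis code): a simplified Python model of the decision described above, showing when the "Open relay? Nonlocal recips but not originating" notice would be logged. It assumes amavis sees the original client IP, treats a leading-dot domain entry as matching the domain and its subdomains, and uses example.com and port 10026 as constructed placeholders.

```python
import ipaddress

# Constructed settings mirroring the snippets quoted in the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]    # internal sources
LOCAL_DOMAINS = [".example.com"]                      # placeholder for ".$mydomain"
INTERFACE_POLICY = {10024: "SUBMISSION"}              # listening port -> policy bank
POLICY_BANK = {"SUBMISSION": {"originating": True}}


def is_local(recipient):
    """True when the recipient's domain matches an entry in LOCAL_DOMAINS."""
    domain = recipient.rsplit("@", 1)[-1].lower().rstrip(".")
    for entry in LOCAL_DOMAINS:
        base = entry.lstrip(".").lower()
        if domain == base:
            return True
        # Assumption: a leading dot also covers subdomains.
        if entry.startswith(".") and domain.endswith("." + base):
            return True
    return False


def is_originating(client_ip, port):
    """Originating if the port's policy bank says so or the client is internal."""
    bank = POLICY_BANK.get(INTERFACE_POLICY.get(port, ""), {})
    if bank.get("originating"):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def open_relay_warning(client_ip, port, recipients):
    """Return the nonlocal recipients that would trigger the notice, else []."""
    if is_originating(client_ip, port):
        return []
    return [r for r in recipients if not is_local(r)]


if __name__ == "__main__":
    # Constructed cases: (client IP, amavis port, recipients).
    cases = [
        ("203.0.113.7", 10026, ["friend@example.org"]),   # remote client, no policy bank
        ("203.0.113.7", 10024, ["friend@example.org"]),   # same mail via SUBMISSION port
        ("127.0.0.1", 10026, ["friend@example.org"]),     # internal source
        ("203.0.113.7", 10026, ["me@example.com"]),       # inbound to a local domain
    ]
    for ip, port, rcpts in cases:
        flagged = open_relay_warning(ip, port, rcpts)
        print(ip, port, rcpts, "->", "WARN " + ", ".join(flagged) if flagged else "ok")
```

Only the first case is flagged: the sender is outside the internal networks, the port has no originating policy bank, and the recipient is not in a local domain.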

