Outgoing mail being scanned? Open relay warning.

Patrick Ben Koetter p at sys4.de
Thu Aug 6 11:44:41 CEST 2020


Ian,

* Ian Evans <dheianevans at gmail.com>:
> On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <p at sys4.de> wrote:
> > for any domain/recipient that amavis should feel responsible for add its
> > name
> > to @local_domains_maps or let amavis read it from a file, e.g.
> > /etc/postfix/relay_domains:
> >
> > @local_domains_maps = (
> >     ".$mydomain",
> >     read_hash('/etc/postfix/relay_domains')
> > );
> >
> > This will tell amavis what it should classify as "incoming".
> >
> > For any IP address/network that is internal add it to @mynetworks. This
> > will
> > tell amavis which sources are internal:
> >
> > @mynetworks = qw(
> >     127.0.0.0/8
> > );
> >
> > In reverse conclusion all other senders not listed in @mynetworks are
> > considered to be "outside".
> >
> > If your authenticated senders submit messages via Port 465 or 587 then
> > route
> > their messages into a dedicated port into amavis and assign that port to a
> > policy bank, where you declare everything in that policy bank as
> > originating:
> >
> > # Claim the port:
> > @listen_sockets = (
> >     # Release
> >     '[::1]:9998',
> >     # Post-Queue, Submission
> >     '[::1]:10024',
> >     # Pre-Queue, MTA to MTA
> >     "$MYHOME/amavisd.sock"
> >     );
> >
> > # Assign the port to a $policy_bank:
> > $interface_policy{'10024'}  = 'SUBMISSION';
> >
> > # Tag everything as $originating in that policy_bank:
> > $policy_bank{'SUBMISSION'} = {
> >     originating => 1,
> >     bypass_spam_checks_maps => [1],
> >     final_virus_destiny => D_BOUNCE,
> >     final_banned_destiny=> D_PASS,
> >     final_bad_header_destiny => D_PASS,
> >     banned_filename_maps => ['MYNETS-DEFAULT'],
> >     warnbadhsender => 0,
> >     forward_method => 'smtp:127.0.0.1:10025',
> >     notify_method => 'smtp:127.0.0.1:10025',
> >     undecipherable_subject_tag => undef,
> > };
> >
> >
> > > Just so I don't upset the apple cart, what do I need to add and to which
> > > file do I need to add it?
> >
> > I suggest you copy over 50-user to 60-mysystem and add your local config
> > there. It will never be overwritten by an update.
> >
> >
>  Patrick, thanks for the detailed notes. I wanted to respond when I had
> time to look at my setup. A few questions:
> 
> I only handle email for my domain so I'm assuming this is okay?
> 
>   @local_domains_maps = (
>     ".$mydomain"
> );

Assuming that $mydomain resolves to what your own domain is, yes. IIRC on
Debian/Ubuntu this is read from /etc/mailname.


> @mynetworks = qw(
>     127.0.0.0/8
> );
> 
> My biggest question and config I don't want to foul up is the submission
> section for the amavis config.
> 
> Here's what's in my master.cf in Postfix:
> 
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #OpenDKIM signing
>   -o smtpd_milters=inet:localhost:12345
> 
> So the email is sent to port 587 and processed through OpenDKIM. Being
> coffee and sleep-deprived I don't want to FUBAR anything in the amavis
> config? Your example said to claim the port:
>
>   # Claim the port:
> @listen_sockets = (
>     # Release
>     '[::1]:9998',
>     # Post-Queue, Submission
>     '[::1]:10024',
>     # Pre-Queue, MTA to MTA
>     "$MYHOME/amavisd.sock"
>     );


I wouldn't use OpenDKIM on submission, because you can't mix MILTER with
Postfix' content_filter(s) and on submission I'd always use
content_filter, because that gives submitters the feeling their mail server is
really fast (queue first, scan later), whereas MILTERs scan first, queue
later and users will see their mail client hanging in there waiting for the
server to come back and finally accept the message.

That said, I propose:

- Setup amavis to DKIM sign/verify messages
- Use Postfix content_filter to hand off messages to amavis e.g. on port 10026
- Configure another listen_socket in amavis that listens on localhost:10026
- Map this listener to your submission policy bank.

p at rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
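The four steps proposed in the reply above, written out as an added example (this is not Patrick's or the amavis project's own configuration): an amavis conf.d fragment that enables DKIM signing/verification in amavis, claims an extra listener on 127.0.0.1:10026 for authenticated submission, maps it to an originating SUBMISSION policy bank, and shows in a comment the matching Postfix master.cf entries that hand submission mail to that port via content_filter instead of the OpenDKIM milter. The domain example.com, the selector, the key path, the file name 60-mysystem and the re-injection port 10025 are assumptions.

```perl
# /etc/amavis/conf.d/60-mysystem -- added example, not from the original mail.
# Assumptions: mail domain example.com, DKIM selector "sel2020", private key at
# /var/lib/amavis/dkim/example.com.sel2020.pem, amavis re-injects to 127.0.0.1:10025.
use strict;

# 1. Let amavis sign and verify DKIM itself, replacing the OpenDKIM milter on submission.
$enable_dkim_verification = 1;
$enable_dkim_signing      = 1;
dkim_key('example.com', 'sel2020', '/var/lib/amavis/dkim/example.com.sel2020.pem');

# 2./3. Claim an additional listener; Postfix content_filter hands submission mail off here.
@listen_sockets = (
    '[::1]:9998',        # release port
    '[::1]:10024',       # post-queue, MTA-to-MTA traffic
    '127.0.0.1:10026',   # post-queue, authenticated submission (added listener)
);

# 4. Map the new listener to the SUBMISSION policy bank.
$interface_policy{'10026'} = 'SUBMISSION';

# Everything on 10026 came from an authenticated client, hence "originating":
# amavis skips spam checks, DKIM-signs the message and passes lenient header issues.
$policy_bank{'SUBMISSION'} = {
    originating              => 1,
    bypass_spam_checks_maps  => [1],
    final_virus_destiny      => D_BOUNCE,
    final_banned_destiny     => D_PASS,
    final_bad_header_destiny => D_PASS,
    forward_method           => 'smtp:127.0.0.1:10025',
    notify_method            => 'smtp:127.0.0.1:10025',
};

# Matching Postfix master.cf (queue first, scan later; no milter on the submission service
# and none on the re-injection listener, so OpenDKIM is not run twice):
#
# submission inet n       -       -       -       -       smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_reject_unlisted_recipient=no
#   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#   -o smtpd_milters=
#   -o content_filter=smtp-amavis:[127.0.0.1]:10026
#
# smtp-amavis unix -      -       -       -       2       smtp
#   -o smtp_data_done_timeout=1200
#   -o smtp_send_xforward_command=yes
#   -o disable_dns_lookups=yes
#
# 127.0.0.1:10025 inet n  -       -       -       -       smtpd
#   -o content_filter=
#   -o smtpd_milters=
#   -o mynetworks=127.0.0.0/8
#   -o smtpd_recipient_restrictions=permit_mynetworks,reject

1;  # an amavis conf.d file must return a true value
```

Because 10026 is bound to the SUBMISSION bank, a message reaching it is treated as originating regardless of the client's IP, so @mynetworks can stay limited to loopback; mail from external MTAs keeps arriving on 10024 and is classified by @local_domains_maps and @mynetworks as before.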


