Outgoing mail being scanned? Open relay warning.

Ian Evans dheianevans at gmail.com
Fri Aug 7 14:46:22 CEST 2020


On Thu, Aug 6, 2020 at 5:45 AM Patrick Ben Koetter <p at sys4.de> wrote:

> Ian,
>
> * Ian Evans <dheianevans at gmail.com>:
> > On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <p at sys4.de> wrote:
> > > for any domain/recipient that amavis should feel responsible for add its
> > > name to @local_domains_maps or let amavis read it from a file, e.g.
> > > /etc/postfix/relay_domains:
> > >
> > > @local_domains_maps = (
> > >     ".$mydomain",
> > >     read_hash('/etc/postfix/relay_domains')
> > > );
> > >
> > > This will tell amavis what it should classify as "incoming".
> > >
> > > For any IP address/network that is internal add it to @mynetworks. This
> > > will tell amavis which sources are internal:
> > >
> > > @mynetworks = qw(
> > >     127.0.0.0/8
> > > );
> > >
> > > In reverse conclusion all other senders not listed in @mynetworks are
> > > considered to be "outside".
> > >
> > > If your authenticated senders submit messages via Port 465 or 587 then
> > > route their messages into a dedicated port into amavis and assign that
> > > port to a policy bank, where you declare everything in that policy bank
> > > as originating:
> > >
> > > # Claim the port:
> > > @listen_sockets = (
> > >     # Release
> > >     '[::1]:9998',
> > >     # Post-Queue, Submission
> > >     '[::1]:10024',
> > >     # Pre-Queue, MTA zu MTA
> > >     "$MYHOME/amavisd.sock"
> > >     );
> > >
> > > # Assign the port to a $policy_bank:
> > > $interface_policy{'10024'}  = 'SUBMISSION';
> > >
> > > # Tag everything as $originating in that policy_bank:
> > > $policy_bank{'SUBMISSION'} = {
> > >     originating => 1,
> > >     bypass_spam_checks_maps => [1],
> > >     final_virus_destiny => D_BOUNCE,
> > >     final_banned_destiny=> D_PASS,
> > >     final_bad_header_destiny => D_PASS,
> > >     banned_filename_maps => ['MYNETS-DEFAULT'],
> > >     warnbadhsender => 0,
> > >     forward_method => 'smtp:127.0.0.1:10025',
> > >     notify_method => 'smtp:127.0.0.1:10025',
> > >     undecipherable_subject_tag => undef,
> > > };
> > >
> > >
> > > > Just so I don't upset the apple cart, what do I need to add and to
> > > > which file do I need to add it?
> > >
> > > I suggest you copy over 50-user to 60-mysystem and add your local
> > > config there. It will never be overwritten by an update.
> > >
> > >
> > Patrick, thanks for the detailed notes. I wanted to respond when I had
> > time to look at my setup. A few questions:
> >
> > I only handle email for my domain so I'm assuming this is okay?
> >
> >   @local_domains_maps = (
> >     ".$mydomain"
> > );
>
> Assuming that $mydomain resolves to what your own domain is, yes. IIRC on
> Debian/Ubuntu this is read from /etc/mailname.
>
>
> > @mynetworks = qw(
> >     127.0.0.0/8
> > );
> >
> > My biggest question and config I don't want to foul up is the submission
> > section for the amavis config.
> >
> > Here's what's in my master.cf in Postfix:
> >
> > submission inet n       -       -       -       -       smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_reject_unlisted_recipient=no
> >   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >   -o milter_macro_daemon_name=ORIGINATING
> > #OpenDKIM signing
> >   -o smtpd_milters=inet:localhost:12345
> >
> > So the email is sent to port 587 and processed through OpenDKIM. Being
> > coffee and sleep-deprived I don't want to FUBAR anything in the amavis
> > config? Your example said to claim the port:
> >
> >   # Claim the port:
> > @listen_sockets = (
> >     # Release
> >     '[::1]:9998',
> >     # Post-Queue, Submission
> >     '[::1]:10024',
> >     # Pre-Queue, MTA zu MTA
> >     "$MYHOME/amavisd.sock"
> >     );
>
>
> I wouldn't use OpenDKIM on submission, because you can't mix MILTER with
> Postfix' content_filter(s), and on submission I'd always use
> content_filter, because that gives submitters the feeling their mail
> server is really fast (queue first, scan later), whereas MILTER does scan
> first, queue later, and users will see their mail client hanging in there
> waiting for the server to come back and finally accept the message.
>
> This said I propose:
>
> - Setup amavis to DKIM sign/verify messages
> - Use Postfix content_filter to hand off messages to amavis e.g. on port
>   10026
> - Configure another listen_socket in amavis that listens on localhost:10026
> - Map this listener to your submission policy bank.
>
> p at rick

Patrick,

I'm a few Ubuntus behind schedule (dealing with a family medical issue the
last few yrs has left me behind in preparing my site's code for PHP 7). So I'm
still using the old Amavis which, if I remember correctly, has problems
signing DKIM. So I'll archive this thread and handle it as soon as I get
onto 20 LTS.

I really appreciate the details of your answers. All the best to you and
yours.
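The wiring Patrick proposes above, written out as an added example (not code from the thread, from Patrick, or from the amavis project): the submission service hands off to a dedicated amavis listener via content_filter, and that listener maps to an originating policy bank that DKIM-signs. Ports 10025/10026, loopback IPv4 addresses, the 60-mysystem file name and the DKIM selector/key path are assumptions.

```perl
# Added example (not from the thread): the Postfix/amavis wiring Patrick
# proposes for Ian's submission service. Hosts, ports 10025/10026, the
# 60-mysystem file name and the DKIM selector/key path are assumptions.
# Postfix master.cf, replacing the OpenDKIM milter on submission with a
# content_filter hand-off (queue first, scan and sign later):
#
#   submission inet n       -       -       -       -       smtpd
#     -o syslog_name=postfix/submission
#     -o smtpd_tls_security_level=encrypt
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#     -o smtpd_milters=
#     -o content_filter=smtp-amavis:[127.0.0.1]:10026
#   smtp-amavis unix -       -       -       -       2       smtp
#     -o smtp_data_done_timeout=1200
#     -o disable_dns_lookups=yes
#   127.0.0.1:10025 inet n   -       -       -       -       smtpd
#     -o content_filter=
#     -o smtpd_milters=
#     -o mynetworks=127.0.0.0/8
#     -o smtpd_recipient_restrictions=permit_mynetworks,reject
#
# amavis side, /etc/amavis/conf.d/60-mysystem:
use strict;
@local_domains_maps = ( ".$mydomain" );        # mail for our domain is "incoming"
@mynetworks         = qw( 127.0.0.0/8 );        # only loopback is "internal"

# Second listener for submission traffic; 10024 keeps serving MTA-to-MTA mail
@listen_sockets = ( '127.0.0.1:10024', '127.0.0.1:10026' );

# Map the submission listener to its own policy bank
$interface_policy{'10026'} = 'SUBMISSION';

# Mail on 10026 was SASL-authenticated by Postfix: classify it as
# originating so amavis DKIM-signs it instead of spam-scoring it like
# inbound mail, and reinject into Postfix on 10025
$policy_bank{'SUBMISSION'} = {
    originating             => 1,
    bypass_spam_checks_maps => [1],
    forward_method          => 'smtp:127.0.0.1:10025',
    notify_method           => 'smtp:127.0.0.1:10025',
};

# Let amavis sign originating mail and verify signatures on incoming mail
$enable_dkim_signing      = 1;
$enable_dkim_verification = 1;
dkim_key($mydomain, 'SELECTOR_PLACEHOLDER', '/etc/amavis/dkim/KEY_PLACEHOLDER.pem');

1;  # amavis config files must return true
```

The 10025 reinjection listener is bound to loopback and only permits mynetworks, so the content_filter path does not reopen the relay the thread's subject warns about.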