Amavisd-new policy banks and sasl_username in the returning smtpd instance

Egoitz Aurrekoetxea egoitz at sarenet.es
Thu May 20 09:38:01 CEST 2021


Good morning, 

I was trying to implement different policy banks in a testing env, in
order to get:

+ Policy bank (FROM-THE-REST-OF-THE-INTERNET) -> Incoming external mail
(from the Internet in general) to be always tagged with a modified
version of Anomy Sanitizer and scanned for cleaning virus and spam.

+ Policy bank (COMING-FROM-CUSTOMER-1 OR COMING-FROM-CUSTOMER-2) ->
Incoming mail coming from well known ips, to be tagged with Anomy
Sanitizer just in case the email goes for a domain that is not one of
the domains that go out through those well known ips. For instance, it comes
from the ips of customer1.net and goes for the customer2.net domain, then
tag with Anomy Sanitizer just for that "non customer1.net domain".

+ Policy bank (OUTGOING-SIGN) -> Outgoing mail generated by a MUA that
will have previously been authenticated, to be signed with DKIM and to
have a disclaimer set with Altermime. I have created a dedicated port for
this policy bank.

I'm sending mail traffic to Amavis using the XCLIENT extension
(http://www.postfix.org/XCLIENT_README.html) and it seems that Amavis is
identifying properly (based on the source ip connected to Postfix and
transferred to Amavis with XCLIENT) which policy bank should apply to
each mail. It's still not working totally (the maps, the Sanitizer part
and so on in each policy bank...), because I assume I have entered some
config variable incorrectly, perhaps in the hash of the config of the
policy bank, but that is not worrying me at present.

BUT, I have a big problem that I am not able to get solved for just
outgoing mail (third commented case). In the Postfix smtpd instance
which receives the mail returned by Amavisd, I needed to get the
original SASL user passed with XCLIENT. The reason for this is that,
depending on the SASL authenticated user (in Postfix, prior to Amavis,
an authenticated MUA), I need to apply its corresponding FILTER action
in Postfix (yes, even though it has returned from Amavis and we are in the smtpd
where we receive the returning traffic to Postfix from Amavis), in the
smtpd instance where Amavis is returning scanned/tagged/signed traffic.
I'm not able to receive that sasl_username with XCLIENT back from
Amavis in the smtpd returning instance. Is it possible to do that? I
receive other XCLIENT params, like (in this case) the Postfix ip that
fed Amavisd, but I need the sasl_username the MUA used.

I know I could tell Postfix to insert a header in the message with the
authenticated user once a user authenticates, but I prefer not to do it
because it could become faked.

I have seen that Amavis has or had the possibility of authenticating to
the returning smtpd instance (that could be OK too... in case Amavisd
XCLIENT does not pass sasl_username to the returning smtpd instance),
but I have seen it commented out in the Amavisd code in the mail_via_smtp
function. Concretely:

      $auth_capable = 1;
#     my $sasl = Authen::SASL->new(
#       'callback' => { 'user' => $auth_user, 'authname' => $auth_user,
#                       'pass' => $msginfo->auth_pass });
#     $smtp_handle->auth($sasl) or die "sending AUTH, user=$auth_user\n";#flush
      do_log(0,"Sorry, AUTH not supported in this version of amavisd!");
      section_time($which_section);

So, is it possible, in some manner, to receive in the Postfix smtpd
instance where you receive the traffic returning from Amavisd the
sasl_username with which Postfix authenticated the user to allow it to
send that email, now coming tagged/signed/whatever from Amavis?

I paste the commented config I created below in case it could help.

Very thankful for your time :)

Best regards, 

============================================================================================================================================


$interface_policy{'10025'} = 'OUTGOING-SIGN';

# first matching entry wins, so the catch-all entry goes last
@client_ipaddr_policy = (
  [qw(192.168.14.10)] => 'COMING-FROM-CUSTOMER-1',
  [qw(192.168.14.11)] => 'COMING-FROM-CUSTOMER-2',
  [qw(192.168.14.12)] => 'COMING-FROM-CUSTOMER-3',
  [qw(0.0.0.0)]       => 'FROM-THE-REST-OF-THE-INTERNET',
);

$policy_bank{'FROM-THE-REST-OF-THE-INTERNET'} = {
  forward_method         => 'smtp:*:10026',
  enable_anomy_sanitizer => 1,
  anomy_sanitizer_args   => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
  defang_spam            => 1,
  # run the sanitizer on every recipient domain, whatever the content category
  defang_maps_by_ccat => [ {
    'CC_CLEAN'  => { '@.' => 'anomy' },
    'CC_SPAM'   => { '@.' => 'anomy' },
    'CC_BANNED' => { '@.' => 'anomy' },
    'CC_VIRUS'  => { '@.' => 'anomy' },
  } ],
};

$policy_bank{'COMING-FROM-CUSTOMER-1'} = {
  forward_method            => 'smtp:*:10026',
  bypass_spam_checks_maps   => [ { '@.' } ],
  bypass_banned_checks_maps => [ { '@.' } ],
  enable_anomy_sanitizer    => 1,
  anomy_sanitizer_args      => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
  defang_spam               => 1,
  # sanitize everything except mail for this customer's own domain
  defang_maps_by_ccat => [ {
    'CC_CLEAN'  => { '@.' => 'anomy', '@ramattack.net' => '' },
    'CC_SPAM'   => { '@.' => 'anomy', '@ramattack.net' => '' },
    'CC_BANNED' => { '@.' => 'anomy', '@ramattack.net' => '' },
    'CC_VIRUS'  => { '@.' => 'anomy', '@ramattack.net' => '' },
  } ],
  dkim_signature_options_bysender_maps => [ { } ],
};

$policy_bank{'COMING-FROM-CUSTOMER-2'} = {
  forward_method            => 'smtp:*:10026',
  bypass_spam_checks_maps   => [ { '@.' } ],
  bypass_banned_checks_maps => [ { '@.' } ],
  enable_anomy_sanitizer    => 1,
  anomy_sanitizer_args      => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
  defang_spam               => 1,
  # sanitize everything except mail for this customer's own domain
  # (the CC_BANNED key was missing its leading '@', fixed here)
  defang_maps_by_ccat => [ {
    'CC_CLEAN'  => { '@.' => 'anomy', '@sarenet.es' => '' },
    'CC_SPAM'   => { '@.' => 'anomy', '@sarenet.es' => '' },
    'CC_BANNED' => { '@.' => 'anomy', '@sarenet.es' => '' },
    'CC_VIRUS'  => { '@.' => 'anomy', '@sarenet.es' => '' },
  } ],
  dkim_signature_options_bysender_maps => [ { } ],
};

$policy_bank{'OUTGOING-SIGN'} = {
  # was written as "$forward_method = ...", which assigns a global instead
  # of setting the policy bank key; it must be a hash key like the others
  forward_method            => 'smtp:*:10027',
  bypass_spam_checks_maps   => [ { '@.' } ],
  bypass_banned_checks_maps => [ { '@.' } ],
  enable_anomy_sanitizer    => 0,
  altermime                 => '/usr/bin/altermime',
  altermime_args_disclaimer => [ [qw(--verbose
    --disclaimer=/etc/firmas_corporativas/disclaimer-_OPTION_.txt
    --disclaimer-html=/etc/firmas_corporativas/disclaimer-_OPTION_.html)] ],
  defang_maps_by_ccat => [ { 'CC_CATCHALL' => { '@.' => 'disclaimer' } } ],
  disclaimer_options_bysender_maps => [ {
    'sarenet.es'    => 'sarenet.es',
    'ramattack.net' => 'ramattack.net',
  } ],
  allow_disclaimers => 1,
  dkim_signature_options_bysender_maps => [ {
    'sarenet.es'    => { ttl => 21*24*3600, c => 'simple/simple' },
    'ramattack.net' => { ttl => 21*24*3600, c => 'simple/simple' },
  } ],
};

============================================================================================================================================


--

EGOITZ AURREKOETXEA
Systems Department
944 209 470
Parque Tecnológico. Edificio 103
48170 Zamudio (Bizkaia)
egoitz at sarenet.es
www.sarenet.es
Before printing this e-mail, think about whether it is necessary.
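As an added illustration (not code from the post or from amavisd itself), this Python model replays the bank selection the post relies on: a fixed bank per listening port, then the first ACL match on the client IP that Postfix hands over with XCLIENT. It assumes CIDR matching, that the port bank is applied before the client-IP bank, and writes the catch-all entry as 0.0.0.0/0.

```python
import ipaddress

# Listening port -> policy bank, as $interface_policy in the post.
INTERFACE_POLICY = {10025: "OUTGOING-SIGN"}

# Ordered (ACL, bank) pairs, as @client_ipaddr_policy in the post. The
# catch-all is written as 0.0.0.0/0 here (assumption: CIDR semantics, so a
# bare 0.0.0.0 would match only that single host).
CLIENT_IPADDR_POLICY = [
    (["192.168.14.10"], "COMING-FROM-CUSTOMER-1"),
    (["192.168.14.11"], "COMING-FROM-CUSTOMER-2"),
    (["192.168.14.12"], "COMING-FROM-CUSTOMER-3"),
    (["0.0.0.0/0"], "FROM-THE-REST-OF-THE-INTERNET"),
]


def ip_in_acl(acl, client_ip):
    """True if client_ip falls inside any address or CIDR block of the ACL."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def select_banks(port, client_ip, ip_policy=CLIENT_IPADDR_POLICY):
    """Return the policy banks loaded for one SMTP session, in load order.

    Modelled order: the interface (port) bank first, then the first matching
    client-IP entry. Later entries are not consulted once one matches, which
    is why the catch-all must be listed last.
    """
    banks = []
    if port in INTERFACE_POLICY:
        banks.append(INTERFACE_POLICY[port])
    for acl, bank in ip_policy:
        if ip_in_acl(acl, client_ip):
            banks.append(bank)
            break
    return banks


if __name__ == "__main__":
    # Constructed sessions: the client IP is what Postfix passes via XCLIENT.
    for port, ip in [(10024, "192.168.14.11"), (10024, "203.0.113.5"),
                     (10025, "192.168.14.10")]:
        print(port, ip, "->", select_banks(port, ip))
```

Reordering the table so the catch-all comes first, or writing it as a bare host address, changes the result for the customer and Internet cases respectively, which is the kind of mistake worth checking when a bank's maps "do not seem to apply".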