Amavisd-new policy banks and sasl_username in the returning smtpd instance

Egoitz Aurrekoetxea egoitz at sarenet.es
Thu May 20 10:39:25 CEST 2021


Good morning,

Could it perhaps be that Amavis is not storing the XCLIENT variable LOGIN
(http://www.postfix.org/XCLIENT_README.html) in mail_via_smtp(), where it
should handle the LOGIN XCLIENT attribute?

      my(@params) = map
        { my($n,$v) = @$_;
          # Postfix since version 20060610 uses xtext-encoded (RFC 3461)
          # strings in XCLIENT and XFORWARD attribute values, previous
          # versions expected plain text with neutered special characters;
          # see README_FILES/XFORWARD_README
          if (defined $v && $v ne '') {
            $v =~ s/[^\041-\176]/?/gs;  # isprint
            $v =~ s/[<>()\\";\@]/?/gs;  # other chars that are special in hdrs
                     # postfix/src/smtpd/smtpd.c NEUTER_CHARACTERS
            $v = xtext_encode($v);
            substr($v,255) = ''  if length($v) > 255;  # chop xtext, not nice
          }
          !defined $v || $v eq '' || !$xfwd_supp_opt{$n} ? () : ("$n=$v") }
        ( ['ADDR',$cl_ip],               ['NAME',$msginfo->client_name],
          ['PORT',$msginfo->client_port], ['PROTO',$msginfo->client_proto],
          ['HELO',$msginfo->client_helo], ['SOURCE',$msginfo->client_source],
          ['IDENT',$msginfo->queue_id] );

Perhaps it needs a:

['LOGIN',$msginfo->auth_user]

and then, through XCLIENT or XFORWARD, Amavis would send the LOGIN parameter
back to the receiving Postfix smtpd instance, so that it (the original
sasl_username) is received in the Postfix smtpd receiving instance through
XCLIENT?

What do you think? Perhaps it has not been considered for some reason?


Cheers, 

---

EGOITZ AURREKOETXEA
Systems Department
944 209 470
Parque Tecnológico. Edificio 103
48170 Zamudio (Bizkaia)
egoitz at sarenet.es
www.sarenet.es [1]
Before printing this e-mail, consider whether it is necessary.

On 2021-05-20 09:38, Egoitz Aurrekoetxea wrote:

> 
> Good morning, 
> 
> I was trying to implement different policy banks in a testing env, in order to get:
> 
> + Policy bank (FROM-THE-REST-OF-THE-INTERNET) -> Incoming external mail (from the Internet in general), to be always tagged with a modified version of Anomy Sanitizer and scanned to clean virus and spam.
> 
> + Policy bank (COMING-FROM-CUSTOMER-1 or COMING-FROM-CUSTOMER-2) -> Incoming mail coming from well-known IPs, to be tagged with Anomy Sanitizer just in case the email goes to a domain that is not one of the domains that go out through those well-known IPs. For instance, if it comes from the IPs of customer1.net and goes to the customer2.net domain, then tag with Anomy Sanitizer just for that "non customer1.net domain".
> 
> + Policy bank (OUTGOING-SIGN) -> Outgoing mail generated by an MUA that will previously have been authenticated, to be signed with DKIM and to have a disclaimer set with AlterMIME. I have created a dedicated port for this policy bank.
> 
> I'm sending mail traffic to Amavis using the XCLIENT extension (http://www.postfix.org/XCLIENT_README.html), and it seems that Amavis is identifying properly (based on the source IP that connected to Postfix and was transferred to Amavis with XCLIENT) which policy bank should apply to each mail. It's still not working completely (the maps, the Sanitizer part and so on in each policy bank...), because I assume I have entered some config variable incorrectly, perhaps in the hash of the policy bank config, but that is not worrying me at present.
> 
> BUT, I have a big problem that I am not able to get solved, just for outgoing mail (the third case above). In the Postfix smtpd instance that receives the mail handled by Amavisd, I need to get the original SASL user passed with XCLIENT. The reason is that, depending on the SASL-authenticated user (in Postfix, prior to Amavis, an authenticated MUA), I need to apply its corresponding FILTER action in Postfix (yes, even though it has returned from Amavis and we are in the smtpd where we receive the traffic returned to Postfix by Amavis), in the smtpd instance where Amavis is returning the scanned/tagged/signed traffic. I'm not able to receive that sasl_username with XCLIENT back from Amavis in the returning smtpd instance. Is it possible to do that? I receive other XCLIENT params, like (in this case) the Postfix IP that fed Amavisd, but I need the sasl_username the MUA used.
> 
> I know I could tell Postfix to add a header to the message with the authenticated user once a user authenticates, but I prefer not to do it because it could be faked.
> 
> I have seen that Amavis has or had the possibility of authenticating to the returning smtpd instance (that could be OK too... in case Amavisd's XCLIENT does not pass sasl_username to the returning smtpd instance), but I have seen it commented out in the Amavisd code in the mail_via_smtp function. Concretely:
> 
>       $auth_capable = 1;
> #     my $sasl = Authen::SASL->new(
> #       'callback' => { 'user' => $auth_user, 'authname' => $auth_user,
> #                       'pass' => $msginfo->auth_pass });
> #     $smtp_handle->auth($sasl) or die "sending AUTH, user=$auth_user\n";#flush
>       do_log(0,"Sorry, AUTH not supported in this version of amavisd!");
>       section_time($which_section);
> 
> So, is it possible, in some manner, to receive in the Postfix smtpd instance where you receive the traffic returned from Amavisd the sasl_username with which Postfix authenticated the user to allow sending that email, now coming tagged/signed/whatever from Amavis?
> 
> I paste the commented config I created below in case it could help.
> 
> Very thankful for your time :)
> 
> Best regards, 
> 
> ============================================================================================================================================ 
> 
> $interface_policy{'10025'} = 'OUTGOING-SIGN';
> 
> @client_ipaddr_policy = (
>   [qw(192.168.14.10)] => 'COMING-FROM-CUSTOMER-1',
>   [qw(192.168.14.11)] => 'COMING-FROM-CUSTOMER-2',
>   [qw(192.168.14.12)] => 'COMING-FROM-CUSTOMER-3',
>   [qw(0.0.0.0)]       => 'FROM-THE-REST-OF-THE-INTERNET'
> );
> 
> $policy_bank{'FROM-THE-REST-OF-THE-INTERNET'} = {
>   forward_method => 'smtp:*:10026',
>   enable_anomy_sanitizer => 1,
>   anomy_sanitizer_args => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam => 1,
>   defang_maps_by_ccat => [ { 'CC_CLEAN'  => { '@.' => 'anomy' },
>                              'CC_SPAM'   => { '@.' => 'anomy' },
>                              'CC_BANNED' => { '@.' => 'anomy' },
>                              'CC_VIRUS'  => { '@.' => 'anomy' } } ],
> };
> 
> $policy_bank{'COMING-FROM-CUSTOMER-1'} = {
>   forward_method => 'smtp:*:10026',
>   bypass_spam_checks_maps   => [ { '@.' } ],
>   bypass_banned_checks_maps => [ { '@.' } ],
>   enable_anomy_sanitizer => 1,
>   anomy_sanitizer_args => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam => 1,
>   defang_maps_by_ccat => [ { 'CC_CLEAN'  => { '@.' => 'anomy', '@ramattack.net' => '' },
>                              'CC_SPAM'   => { '@.' => 'anomy', '@ramattack.net' => '' },
>                              'CC_BANNED' => { '@.' => 'anomy', '@ramattack.net' => '' },
>                              'CC_VIRUS'  => { '@.' => 'anomy', '@ramattack.net' => '' } } ],
>   dkim_signature_options_bysender_maps => [ { } ],
> };
> 
> $policy_bank{'COMING-FROM-CUSTOMER-2'} = {
>   forward_method => 'smtp:*:10026',
>   bypass_spam_checks_maps   => [ { '@.' } ],
>   bypass_banned_checks_maps => [ { '@.' } ],
>   enable_anomy_sanitizer => 1,
>   anomy_sanitizer_args => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam => 1,
>   defang_maps_by_ccat => [ { 'CC_CLEAN'  => { '@.' => 'anomy', '@sarenet.es' => '' },
>                              'CC_SPAM'   => { '@.' => 'anomy', '@sarenet.es' => '' },
>                              # '@' prefix added here; the other three keys already had it
>                              'CC_BANNED' => { '@.' => 'anomy', '@sarenet.es' => '' },
>                              'CC_VIRUS'  => { '@.' => 'anomy', '@sarenet.es' => '' } } ],
>   dkim_signature_options_bysender_maps => [ { } ],
> };
> 
> $policy_bank{'OUTGOING-SIGN'} = {
>   # hash pair; the original read "$forward_method = 'smtp:*:10027'," which
>   # is an assignment, not a key => value entry of this policy bank
>   forward_method => 'smtp:*:10027',
>   bypass_spam_checks_maps   => [ { '@.' } ],
>   bypass_banned_checks_maps => [ { '@.' } ],
>   enable_anomy_sanitizer => 0,
>   altermime => '/usr/bin/altermime',
>   altermime_args_disclaimer => [ [qw(--verbose --disclaimer=/etc/firmas_corporativas/disclaimer-_OPTION_.txt --disclaimer-html=/etc/firmas_corporativas/disclaimer-_OPTION_.html)] ],
>   defang_maps_by_ccat => [ { 'CC_CATCHALL' => { '@.' => 'disclaimer' } } ],
>   disclaimer_options_bysender_maps => [ { 'sarenet.es' => 'sarenet.es', 'ramattack.net' => 'ramattack.net' } ],
>   allow_disclaimers => 1,
>   dkim_signature_options_bysender_maps => [ { 'sarenet.es'    => { ttl => 21*24*3600, c => 'simple/simple' },
>                                               'ramattack.net' => { ttl => 21*24*3600, c => 'simple/simple' } } ],
> };
> 
> ============================================================================================================================================ 
> 

Links:
------
[1] http://www.sarenet.es
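Since the question turns on which command can carry the original login name back to the re-injecting smtpd, here is an added example (Python, written for this thread; it is not amavisd's or Postfix's code) that assembles the XFORWARD and XCLIENT lines a content filter sends and decodes them on the receiving side, using RFC 3461 xtext encoding for the values. It assumes only the attribute sets documented in Postfix's XFORWARD_README (NAME, ADDR, PORT, PROTO, HELO, IDENT, SOURCE) and XCLIENT_README (NAME, ADDR, PORT, PROTO, HELO, LOGIN); the 255-character limit mirrors the amavisd snippet quoted above, and the session values are constructed.

```python
"""Build and parse the XFORWARD / XCLIENT lines a content filter sends when it
re-injects mail into Postfix.  Added example, not amavisd's own code; attribute
names follow the Postfix XCLIENT_README / XFORWARD_README, the 255-char limit
mirrors the amavisd snippet quoted in the thread, sample values are constructed.
"""

# Attributes Postfix defines for each command.  LOGIN exists only in XCLIENT.
XFORWARD_ATTRS = frozenset({"NAME", "ADDR", "PORT", "PROTO", "HELO", "IDENT", "SOURCE"})
XCLIENT_ATTRS = frozenset({"NAME", "ADDR", "PORT", "PROTO", "HELO", "LOGIN"})
SUPPORTED = {"XFORWARD": XFORWARD_ATTRS, "XCLIENT": XCLIENT_ATTRS}
MAX_VALUE_LEN = 255  # same cut-off as the quoted amavisd code


def xtext_encode(value: str) -> str:
    """RFC 3461 xtext: ASCII 33..126 except '+' and '=' is copied as-is,
    every other byte becomes '+' followed by two uppercase hex digits."""
    out = []
    for byte in value.encode("utf-8"):
        if 33 <= byte <= 126 and byte not in (0x2B, 0x3D):   # not '+' or '='
            out.append(chr(byte))
        else:
            out.append("+%02X" % byte)
    return "".join(out)


def xtext_decode(value: str) -> str:
    """Inverse of xtext_encode; rejects characters outside xtext and bad escapes."""
    raw = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "+":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or any(c not in "0123456789ABCDEF" for c in hexpart):
                raise ValueError("malformed xtext escape at offset %d" % i)
            raw.append(int(hexpart, 16))
            i += 3
        elif 33 <= ord(ch) <= 126:
            raw.append(ord(ch))
            i += 1
        else:
            raise ValueError("non-xtext character %r at offset %d" % (ch, i))
    return raw.decode("utf-8")


def chop_xtext(encoded: str, limit: int) -> str:
    """Truncate to `limit` without splitting a '+XX' escape (the quoted amavisd
    code chops blindly, which can leave a dangling half-escape)."""
    if len(encoded) <= limit:
        return encoded
    cut = limit
    plus = encoded.rfind("+", 0, cut)
    if plus != -1 and plus + 3 > cut:      # an escape straddles the cut point
        cut = plus
    return encoded[:cut]


def build_command(command: str, attrs: dict) -> str:
    """Assemble 'XFORWARD ...' or 'XCLIENT ...' from a name -> value mapping.
    Attributes the command does not define are dropped (this is what makes a
    LOGIN value vanish over XFORWARD); empty values are skipped."""
    parts = [command]
    for name, value in attrs.items():
        if name not in SUPPORTED[command] or value is None or value == "":
            continue
        parts.append("%s=%s" % (name, chop_xtext(xtext_encode(str(value)), MAX_VALUE_LEN)))
    return " ".join(parts)


def parse_command(line: str) -> dict:
    """Receiving side: split a command line back into decoded attribute values,
    the way smtpd derives e.g. sasl_username from XCLIENT LOGIN."""
    command, *pairs = line.split(" ")
    result = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep or name not in SUPPORTED[command]:
            raise ValueError("unexpected attribute %r for %s" % (name, command))
        result[name] = xtext_decode(value)
    return result


# Constructed sample of what the filter knows about the original MUA session.
SAMPLE_ATTRS = {
    "ADDR": "192.0.2.10",
    "NAME": "mua.example.test",
    "PORT": "51000",
    "PROTO": "ESMTP",
    "HELO": "mua.example.test",
    "SOURCE": "REMOTE",
    "IDENT": "4FBC3A9E12",               # constructed queue id
    "LOGIN": "user+tag=1@example.test",  # constructed SASL username
}

if __name__ == "__main__":
    print(build_command("XFORWARD", SAMPLE_ATTRS))   # no LOGIN= here
    print(build_command("XCLIENT", SAMPLE_ATTRS))    # LOGIN=user+2Btag+3D1@example.test
    print(parse_command(build_command("XCLIENT", SAMPLE_ATTRS))["LOGIN"])
```

Running it shows the LOGIN attribute surviving only in the XCLIENT line; the same dictionary sent as XFORWARD loses it because XFORWARD has no such attribute, while IDENT and SOURCE go the other way. On the receiving smtpd, Postfix honours XCLIENT only from hosts listed in smtpd_authorized_xclient_hosts (and XFORWARD only from smtpd_authorized_xforward_hosts), so a filter that relays LOGIN should be the only host in that list: any other host allowed to send XCLIENT could assert an arbitrary sasl_username, which is the same trust problem the thread raises about carrying the user in a header.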