<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 6, 2020 at 5:45 AM Patrick Ben Koetter <<a href="mailto:p@sys4.de">p@sys4.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Ian,<br>
<br>
* Ian Evans <<a href="mailto:dheianevans@gmail.com" target="_blank">dheianevans@gmail.com</a>>:<br>
> On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <<a href="mailto:p@sys4.de" target="_blank">p@sys4.de</a>> wrote:<br>
> > for any domain/recipient that amavis should feel responsible for add its<br>
> > name<br>
> > to @local_domains_maps or let amavis read it from a file, e.g.<br>
> > /etc/postfix/relay_domains:<br>
> ><br>
> > @local_domains_maps = (<br>
> > ".$mydomain",<br>
> > read_hash('/etc/postfix/relay_domains')<br>
> > );<br>
> ><br>
> > This will tell amavis what it should classify as "incoming".<br>
> ><br>
> > For any IP address/network that is internal add it to @mynetworks. This<br>
> > will<br>
> > tell amavis which sources are internal:<br>
> ><br>
> > @mynetworks = qw(<br>
> > <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a><br>
> > );<br>
> ><br>
> > In reverse conclusion all other senders not listed in @mynetworks are<br>
> > considered to be "outside".<br>
> ><br>
> > If your authenticated senders submit messages via Port 465 or 587 then<br>
> > route<br>
> > their messages into a dedicated port into amavis and assign that port to a<br>
> > policy bank, where you declare everything in that policy bank as<br>
> > originating:<br>
> ><br>
> > # Claim the port:<br>
> > @listen_sockets = (<br>
> > # Release<br>
> > '[::1]:9998',<br>
> > # Post-Queue, Submission<br>
> > '[::1]:10024',<br>
> > # Pre-Queue, MTA zu MTA<br>
> > "$MYHOME/amavisd.sock"<br>
> > );<br>
> ><br>
> > # Assign the port to a $policy_bank:<br>
> > $interface_policy{'10024'} = 'SUBMISSION';<br>
> ><br>
> > # Tag everything as $originating in that policy_bank:<br>
> > $policy_bank{'SUBMISSION'} = {<br>
> > originating => 1,<br>
> > bypass_spam_checks_maps => [1],<br>
> > final_virus_destiny => D_BOUNCE,<br>
> > final_banned_destiny=> D_PASS,<br>
> > final_bad_header_destiny => D_PASS,<br>
> > banned_filename_maps => ['MYNETS-DEFAULT'],<br>
> > warnbadhsender => 0,<br>
> > forward_method => 'smtp:<a href="http://127.0.0.1:10025" rel="noreferrer" target="_blank">127.0.0.1:10025</a>',<br>
> > notify_method => 'smtp:<a href="http://127.0.0.1:10025" rel="noreferrer" target="_blank">127.0.0.1:10025</a>',<br>
> > undecipherable_subject_tag => undef,<br>
> > };<br>
> ><br>
> ><br>
> > > Just so I don't upset the apple cart, what do I need to add and to which<br>
> > > file do I need to add it?<br>
> ><br>
> > I suggest you copy over 50-user to 60-mysystem and add your local config<br>
> > there. It will never be overwritten by an update.<br>
> ><br>
> ><br>
> Patrick, thanks for the detailed notes. I wanted to respond when I had<br>
> time to look at my setup. A few questions:<br>
> <br>
> I only handle email for my domain so I'm assuming this is okay?<br>
> <br>
> @local_domains_maps = (<br>
> ".$mydomain"<br>
> );<br>
<br>
Assuming that $mydomain resolves to what your own domain is, yes. IIRC on<br>
Debian/Ubuntu this is read from /etc/mailname.<br>
<br>
<br>
> @mynetworks = qw(<br>
> <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a><br>
> );<br>
> <br>
> My biggest question and config I don't want to foul up is the submission<br>
> section for the amavis config.<br>
> <br>
> Here's what's in my <a href="http://master.cf" rel="noreferrer" target="_blank">master.cf</a> in Postfix:<br>
> <br>
> submission inet n - - - - smtpd<br>
> -o syslog_name=postfix/submission<br>
> -o smtpd_tls_security_level=encrypt<br>
> -o smtpd_sasl_auth_enable=yes<br>
> -o smtpd_reject_unlisted_recipient=no<br>
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject<br>
> -o milter_macro_daemon_name=ORIGINATING<br>
> #OpenDKIM signing<br>
> -o smtpd_milters=inet:localhost:12345<br>
> <br>
> So the email is sent to port 587 and processed through OpenDKIM. Being<br>
> coffee and sleep-deprived I don't want to FUBAR anything in the amavis<br>
> config? Your example said to claim the port:<br>
><br>
> # Claim the port:<br>
> @listen_sockets = (<br>
> # Release<br>
> '[::1]:9998',<br>
> # Post-Queue, Submission<br>
> '[::1]:10024',<br>
> # Pre-Queue, MTA zu MTA<br>
> "$MYHOME/amavisd.sock"<br>
> );<br>
<br>
<br>
I wouldn't use OpenDKIM on submission, because you can't mix MILTER with<br>
with Postfix' content_filter(s) and on submission I'd always use<br>
content_filter, because that gives submitters the feeling their mail server is<br>
really fast (queue first, scan later), whereas MILTER do scan first, queue<br>
later and users will see their mail client hanging in there waiting for the<br>
server to come back and finally accept the message.<br>
<br>
This said I propose:<br>
<br>
- Setup amavis to DKIM sign/verify messages<br>
- Use Postfix content_filter to hand off messages to amavis e.g. on port 10026<br>
- Configure another listen_socket in amavis that listens on localhost:10026<br>
- Mapp this listener to your submission policy bank.<br>
<br>
p@rick<br>
<br></blockquote><div>Patrick,</div><div><br></div><div>I'm a few Ubuntu's behind schedule (dealing with a family medical issue the last few yrs has left behind in preparing my site's code for PHP 7.) So I'm still using the old Amavis which if I remember correctly has problems signing DKIM. So I'll archive this thread and handle it it as soon as I get in 20 LTS.</div><div><br></div><div>I really appreciate the details of your answers. All the best to you and yours.</div></div></div>