On 9/20/2023 2:51 PM, Bryan K. Walton via Postfix-users wrote:
We have a Postfix server that works with Amavisd-new to do spam and
virus scanning. In my main.cf, I have the following:

content_filter = amavisfeed:[127.0.0.1]:10024

Then, I have master.cf configured as such:

# AMAVISD-NEW
amavisfeed unix -       -       n       -       2       smtp
         -o smtp_data_done_timeout=1200
         -o smtp_send_xforward_command=yes
         -o disable_dns_lookups=yes
         -o max_use=20

127.0.0.1:10025 inet    n       -       n       -       -       smtpd
         -o content_filter=
         -o smtpd_delay_reject=no
         -o smtpd_client_restrictions=permit_mynetworks,reject
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=reject_unauth_pipelining
         -o smtpd_end_of_data_restrictions=
         -o smtpd_restriction_classes=
         -o mynetworks=127.0.0.0/8
         -o smtpd_error_sleep_time=0
         -o smtpd_soft_error_limit=1001
         -o smtpd_hard_error_limit=1000
         -o smtpd_client_connection_count_limit=0
         -o smtpd_client_connection_rate_limit=0
         -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
         -o local_header_rewrite_clients=

This works for amavis scanning.  However, there is one outgoing mail
domain (we will call it example.com) that we want to exempt from
Amavis scanning.  To do that, I've added to our
smtpd_sender_restrictions in main.cf:

check_sender_access hash:/etc/postfix/specific_sender_rules

The /etc/postfix/specific_sender_rules file contains:
example.com          FILTER smtp:[127.0.0.1]:10025

I've found that this doesn't work. Mail that hits the server from this
sending domain still gets handed off to Amavis on port 10024.

Am I doing this incorrectly?  It was my understanding that the
check_sender_access hash should cause mail from that domain to get
immediately handed off to postfix on port 10025 for next hop delivery.

The general idea is correct.

If the mail is submitted via the local sendmail command, smtpd access settings are not applied. The check_sender_access must be BEFORE any permit_mynetworks or permit_sasl_authenticated. If the mail is submitted via submission port, it usually has settings overrides in master.cf and must have the check_sender_access somewhere in that path.





  -- Noel Jones
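
Added example (not part of the thread, and not Postfix's own tooling): a small Python audit of the ordering rule in the reply above. For each smtpd service in master.cf it reports whether `check_sender_access` with the poster's table is reached before a `permit` entry, honouring `-o` overrides. The sample configs, the `$mua_sender_restrictions` parameter name and the function names are constructed for illustration; `{ ... }`-style override values are not handled.

```python
import re

PERMITS = {"permit", "permit_mynetworks", "permit_sasl_authenticated"}
LISTS = tuple(f"smtpd_{s}_restrictions" for s in ("client", "helo", "sender", "recipient"))
TABLE = "hash:/etc/postfix/specific_sender_rules"  # table name from the post
# Constructed sample configs (not the poster's real files).
MAIN_CF = """\
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/specific_sender_rules
mua_sender_restrictions = permit_sasl_authenticated, reject
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_sender_restrictions=$mua_sender_restrictions
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_sender_restrictions=
"""

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def list_status(value, table):
    """ok: lookup comes first; shadowed: a permit precedes it; missing: absent."""
    toks = [t for t in re.split(r"[\s,]+", value) if t]
    for i, tok in enumerate(toks[:-1]):
        if tok == "check_sender_access" and toks[i + 1] == table:
            return "shadowed" if PERMITS & set(toks[:i]) else "ok"
    return "missing"

def audit(main_cf, master_cf, table=TABLE):
    """Best status per smtpd service, honouring -o overrides and $name values."""
    main = dict(re.split(r"\s*=\s*", l, maxsplit=1) for l in logical_lines(main_cf) if "=" in l)
    expand = lambda v: re.sub(r"\$\{?(\w+)\}?", lambda m: main.get(m.group(1), ""), v)
    report = {}
    for f in map(str.split, logical_lines(master_cf)):
        if len(f) >= 8 and f[7] == "smtpd":
            over = dict(a.split("=", 1) for a in f[8:] if "=" in a)
            found = {list_status(expand(over.get(n, main.get(n, ""))), table) for n in LISTS}
            report[f[0]] = min(found, key=("ok", "shadowed", "missing").index)
    return report
```

`check_sender_access` matches the envelope sender that the client supplies, so keep the exemption on services where that sender is authenticated or limited to trusted clients.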