Hello,
I run a Postfix server with Amavis/Clamav, Spamassassin and run header and body checks for mails. However, this should only apply to external mails, as it happened that mails sent by a cronjob with a pflogsumm report did not go through because they contained a word that was blocked by the body checks.

For this purpose, I created an IP alias (127.0.1.2) in the /etc/hosts file and then, following the instructions at https://www.postfix.org/BUILTIN_FILTER_README.html#remote_only, added the last 6 lines to /etc/postfix/master.cf. Now it works that no header/body checks are performed for the pflogsumm report. However, I get a warning message every minute:

postfix/master[182681]: warning: master_wakeup_timer_event: service pickup(public/pickup): Connection refused

Despite research, I have not been able to find out how to get rid of this warning message. Does anyone here have an answer? Which connection is refused?

Kind regards

Andreas

This is my main.cf configuration:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
authorized_submit_users = root,www-data,vmail
biff = no
body_checks = pcre:/etc/postfix/body_checks
compatibility_level = 3.6
content_filter = smtp-amavis:[127.0.0.1]:10024
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 52428800
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mailsystem.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access.cidr
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites =
    xxxxxxxxxxxxxxxxxxxxxxxxx.zen.dq.spamhaus.net=127.0.0.[2..255]
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = >=0x0303
smtp_tls_protocols = >=0x0303
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
smtpd_milters = local:opendkim/opendkim.sock, local:opendmarc/opendmarc.sock,
    local:spamass/spamass.sock
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_policy_service unix:private/policyd-spf reject_unauth_destination,
    reject_rhsbl_sender
    xxxxxxxxxxxxxxxxxxxxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_helo
    xxxxxxxxxxxxxxxxxxxxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_reverse_client
    xxxxxxxxxxxxxxxxxxxxxxxxx.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_sender
    xxxxxxxxxxxxxxxxxxxxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_helo
    xxxxxxxxxxxxxxxxxxxxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_reverse_client
    xxxxxxxxxxxxxxxxxxxxxxxxx.zrd.dq.spamhaus.net=127.0.2.[2..24],
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
    permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mailsystem.mydomain.com/fullchain.pem
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_key_file = /etc/letsencrypt/live/mailsystem.mydomain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_protocols = >=0x0303
smtpd_tls_protocols = >=0x0303
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = no
tls_server_sni_maps = hash:/etc/postfix/sni_maps
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000

And this is my master.cf configuration:

submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_wrappermode=no
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
smtp       inet  n       -       y       -       1       postscreen
smtpd      pass  -       -       y       -       -       smtpd
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
policyd-spf unix -       n       n       -       0       spawn user=policyd-spf
    argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       4       smtp
    -o syslog_name=postfix/amavis
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o syslog_name=postfix/10025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
127.0.1.2:smtp inet n    -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks
127.0.0.1:smtp inet n    -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks
pickup     fifo  n       -       n       60      1       pickup
    -o receive_override_options=no_header_body_checks

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
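
Added example (not part of the original post): a small Python check over master.cf that reports any endpoint defined more than once and lists the entries that switch off header/body checks, noting whether an inet listener is bound to a loopback address. The posted file has two entries named pickup (one unix, one fifo), both mapping to the public/pickup endpoint named in the warning; the sample below is a constructed excerpt and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the posted master.cf (not the full file).
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       1       postscreen
pickup     unix  n       -       y       60      1       pickup
127.0.1.2:smtp inet n    -       n       -       -       smtpd
    -o receive_override_options=no_header_body_checks
pickup     fifo  n       -       n       60      1       pickup
    -o receive_override_options=no_header_body_checks
"""

def parse_master_cf(text):
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0].isspace() and logical:  # continuation of the previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return [{"name": f[0], "type": f[1], "private": f[2], "args": f[8:]}
            for f in map(str.split, logical) if len(f) >= 8]

def endpoint(e):
    if e["type"] == "inet":
        return "inet:" + e["name"]
    # unix/fifo/pass names are paths under the queue directory; "-" means private
    return ("public/" if e["private"] == "n" else "private/") + e["name"]

def duplicate_endpoints(entries):
    seen = defaultdict(list)
    for e in entries:
        seen[endpoint(e)].append(e["type"])
    return {ep: types for ep, types in seen.items() if len(types) > 1}

def is_loopback(e):
    if e["type"] != "inet":
        return None  # not a network listener
    host = e["name"].rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # no address (all interfaces) or a hostname: not provably loopback

def unfiltered_listeners(entries):
    return [(e["name"], is_loopback(e)) for e in entries
            if any("no_header_body_checks" in a for a in e["args"])]
```

Run the functions over the output of `postconf -M` or the contents of /etc/postfix/master.cf; any inet entry reported with `False` accepts mail without header/body checks on a non-loopback address.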
