mouss wrote:
> Roman Medina-Heigl Hernandez wrote:
>> The (real) problem is the following: my Amavis/SpamAssassin setup analyzes
>> mail and adds X-Spam-* headers accordingly but it does NOT block/drop any
>> mail. Filtering is done at the MDA level via sieve, which analyzes headers
>> and decides what to do with certain mails based on those headers (the
>> advantage is that the user has the last choice, so he/she can decide
>> what the spam threshold should be, etc).
>>
>
> that's how I do it. all mail is delivered except:
> - if rejected at postfix level
> - if blocked because of a virus check (even this I used to deliver to a
> specific folder. but I stopped it...).
>
> dest folder depends on rules implemented in dovecot sieve. default for
> spam is the "Junk" folder.
>
>> Now, I need my MTA to perform additional functionality: to act as relay for
>> CERTAIN domains (keeping, of course, the *other* domains which my server
>> owns mailboxes for). I do NOT control the final delivery for these "relayed
>> domains" (I do NOT own the final MTA with mailboxes), so I'd like to do some
>> blocking based on headers but ONLY for my relayed domains.
>>
>> Postfix supports filtering based on headers but all mail (relayed and not
>> relayed) would be filtered in this case (which is not what I want), I don't
>> know how I could add the "conditional" behaviour: "if mail destination is
>> one of my relayed domains, check headers and drop spam mail; if not, don't
>> check headers". I think Postfix supports the concept of "classes", but I
>> never used them and I don't know if what I need could be done with that
>> feature.
>>
>
> you need to pass relayed mail via a specific smtp which has its own
> cleanup, in which case you can associate specific header_checks.
>
> The difficulty in your case is that transport_maps are common to all
> smtpd listeners. so you can't do it with just "ok, move'em first to this
> smtp, then relay after that".
>
> you could use FILTER as an access check result, but you'll have a
> problem for multi-recipient mail (only one filter is used whatever the
> number of recipients).
>
> now, things may be easier if you tell us more about your setup. which
> content filter do you use? do you use amavisd-new? (with amavisd-new,

I'm using Amavisd-new v.2.6.1 and chaining by using the content-filter trick:
- main smtpd with content_filter=amavisfeed:[127.0.0.1]:10024
- secondary smtpd with "-o content_filter=", for receiving the reinjected mail
  from amavisd-new.

My "postconf -n" config:

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
delay_warning_time = 4
disable_vrfy_command = yes
mail_name = mxhs
mailbox_command = procmail -a "$EXTENSION"
message_reject_characters = \0
message_size_limit = 35651584
mydestination = $myhostname localhost localhost.$mydomain
myhostname = mx.hosting-seguridad.com
mynetworks = 127.0.0.2, 127.0.0.3
myorigin = $myhostname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup
relay_recipient_maps = hash:/etc/postfix/relay_recipients hash:/var/lib/mailman/data/virtual-mailman
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtp_bind_address = XXX
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_authenticated_sender_login_mismatch,permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient,
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.hosting-seguridad.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.hosting-seguridad.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
transport_maps = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup_migracion
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/valias.mysql, proxy:mysql:/etc/postfix/vdomainalias_alias.mysql proxy:mysql:/etc/postfix/vdomainalias_user.mysql
virtual_mailbox_domains = proxy:mysql:/etc/postfix/vdomain.mysql
virtual_mailbox_maps = proxy:mysql:/etc/postfix/vuser.mysql
virtual_transport = lmtp:unix:/private/cyrus

> you have more flexibility). also, what exactly do you want to do with
> header_checks. maybe it's ok to apply them to all inbound mail?

I'd like to drop email if *any* of the following conditions are met:
1/ "X-Amavis-Alert" *contains* "INFECTED" or "BANNED"
2/ "X-Spam-Flag" *contains* "YES"

Regarding your 2nd question, perhaps it's not that easy. I'm currently sharing
MX + SMTP functionality (not a good idea, I think, but it's how I set this up
years ago). I mean, the same port 25 is used for "receiving" mail for a domain
(mx) and for "sending" (smtp, with sasl auth, of course). This means that I'm
currently analyzing (amavisd-new) both "mx" *and* "smtp/saslauth" traffic (yes,
this is suboptimal). So "outgoing" mail (from my server's perspective) could be
"mx" mail (being relayed to the final mta), or "smtp/saslauth" mail. I don't
want both kinds of traffic to be header-filtered, but only the first one
(relayed). So I guess the only way is checking for the destination domain.

>> Hope it is clear now, and sorry for the long email. You're doing great
>> work here in this list, mouss. Thank you in advance.
>
> thanks for the compliment. but most of all, thanks to the great guys
> here with whom I learned...

This is a chain, of course :) If Wietse hadn't started it, we wouldn't be here
in this list! :)

Cheers,
-Roman
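As an added example (not code from the thread or from Postfix), the decision Roman describes written out as a per-recipient policy: the two header rules are applied only when the recipient's domain appears in a relay_domains table, and a verdict is produced per recipient so that the multi-recipient case mouss raises is handled. The function names, the table contents and the sample message are constructed for illustration.

```python
# Added example, not from the thread: per-recipient policy for Roman's two header
# rules, applied only to relayed domains. Names and sample data are constructed.
import email

# header name -> substrings that mark the mail as droppable (matched case-insensitively)
RELAY_DROP_RULES = {"X-Amavis-Alert": ("INFECTED", "BANNED"), "X-Spam-Flag": ("YES",)}


def load_domain_table(text):
    """Parse a Postfix hash: table source ('domain [value]' per line; '#' comments
    and blank lines ignored) into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domains.add(line.split()[0].lower())
    return domains


def header_hits(msg):
    """Return (header, marker) pairs for every rule the message's headers match."""
    hits = []
    for name, markers in RELAY_DROP_RULES.items():
        for value in msg.get_all(name, []):
            hits.extend((name, m) for m in markers if m in value.upper())
    return hits


def decide(raw_message, recipients, relayed_domains):
    """One verdict per recipient (so multi-recipient mail, mouss's FILTER caveat,
    is handled): 'drop' only for a relayed domain with a flagged header."""
    msg = email.message_from_string(raw_message)
    flagged = bool(header_hits(msg))
    verdicts = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        verdicts[rcpt] = "drop" if flagged and domain in relayed_domains else "deliver"
    return verdicts


# Constructed sample: amavisd-new has already tagged the message, as in Roman's setup.
SAMPLE_MESSAGE = """\
To: user@relayed.example, user@local.example
Subject: constructed sample
X-Spam-Flag: YES
X-Amavis-Alert: INFECTED - constructed sample

body
"""

if __name__ == "__main__":
    relayed = load_domain_table("relayed.example  OK\n# backup MX\nother.example\n")
    print(decide(SAMPLE_MESSAGE, ["user@relayed.example", "user@local.example"], relayed))
```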