On Thu, Sep 15, 2016 at 10:36:43AM -0500, postadmin wrote:
> Remote Server/Client with public IP is configured with the following
> transport:
>
> "domainofserver.org smtp:domainofserver.org:587"
You're providing submission service to suitably authorized clients.
Presumably via SASL, client certs or a list of IP addresses in
mynetworks.
> Mail from Remote Server/Client is accepted by domainofserver.org & bypasses
> the postfix spamassassin.
That's a choice you make. Should authorized submission mail be
spam-filtered or not?
> The mail server accepting the mail is configured with a the following
> master.cf filter.
>
> "smtp inet n - n - - smtpd -o
> content_filter=spamassassin"
That's port 25 non-submission traffic, it get spam-filtered.
> At this point it appears that all mail from "Remote Server/Client" is passed
> directly without being filtered by the spamassassin.
Of course, because the content_filter is defined just for the port
25 inbound MX service via master.cf. You can, if you wish, set
content_filter in main.cf to apply to all email, including submission.
> However mail from the internet that is sent via smtp without transport
> mapping is filtered as anticipated.
That is, non-submission mail for your domain from remote domains
is filtered, while (at least potentially) outbound mail from
authorized submission clients is not. If your trusted users don't
send spam, you're fine.
> Hoping to clarify if possible how to reject the Remote Server/Client
> "transport" mail and if so how what configuration etc are needed.
The default Postfix master.cf file has no port 587 submission
service. If you do not wish to offer that service, feel free
to remove it from master.cf, or
# Use *verbatim* service name/type from master.cf
#
master_service_disable = submission/inet
or just change access controls to limit it's use:
master.cf:
submission .. smtpd
...
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
main.cf:
mua_relay_restrictions = permit_mynetworks, reject
mua_recipient_restrictions = permit_mynetworks, reject
> The question specfic to "master_service_disable" was an attempt to determine
> if the mail is being passed is due to it not being considered "inet" and
> perhaps due to the transport being
> considered a postdrop queue.
You're back to meaningless jargon. Seems most likely you don't
really understand what you're saying here.
> Perhaps an smtpd_command_filter is an option however it is unknown what smtp
> commands are allowing the mail to be accepted as a "postrdrop queue"
> localhost.localdomain
> email instead of an smtp inet mail that is normally processed by
> spamassassin.
If your unfiltered mail is really coming in via "postdrop" (thus
the pickup service), then it is sent locally via the sendmail(1)
CLI, and not coming in from the network at all. Perhaps you have
a compromised PHP web service on your machine.
In which case, submission/587 has nothing to do with it. You're
still not describing your real problem. Good luck.
--
Viktor.
