Hello,
I've been using postfix with great success and delight for many years now, but
my config has become quite messy over time, with additions like dkim/spf/dmarc
and various filtering options.
I'm currently having a problem with some locally generated emails (e.g. from the
sendmail command). I would like to filter them with amavisd-new, but my current
setup does not allow that, as I'm filtering only incoming emails.
I'm also running fetchmail for some user on the server, and I don't want this
mail flow to be filtered.
I really feel like my setup needs some cleanup and I'm not sure where to start.
Some of you have suggested to me, in the past, that I could move to
amavisd-milter instead of smtpd_proxy_filter for antispam/antivirus filtering.
It might be the way but I don't know if it can help me with my new need.
I've tried to force locally generated email filtering with an after-queue
Amavisd setup using something really ugly (I guess):
______________
# NOTE(review): experimental variant quoted by the poster; it is NOT in the
# master.cf further down. Putting content_filter on pickup sends locally
# submitted mail (sendmail(1) etc.) through amavis on 10024, which then
# re-injects it on the after-filter listener 127.0.0.1:10025 -- the path the
# post says produced the OpenDMARC failures. In a real master.cf the "-o"
# lines must be indented (continuation lines); the paste lost that.
pickup fifo n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
______________
It worked but emails reentering the after-filter SMTP server 127.0.0.1:10025
triggered OpenDMARC failures, sending reports to me and adding a failed
authentication header to email messages.
It looks like an unhealthy hack :/
Here is my setup:
______________
master.cf
______________
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# NOTE(review): the "-o" option lines below are shown unindented; in the
# actual file they must start with whitespace, otherwise master(8) reads
# each one as a new service entry. Presumably a mail-client wrap artifact.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
# This "pass" service is what postscreen (below) hands accepted connections
# to. Only the greylist milter runs here; the message itself goes to the
# before-queue proxy filter on 10024. non_smtpd_milters is cleared so the
# main.cf value (inet:127.0.0.1:8891) is not also applied on this path.
smtpd pass - - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o smtpd_client_connection_count_limit=10
-o smtpd_proxy_ehlo=amavis-filtering
-o disable_mime_output_conversion=yes
-o smtpd_milters=unix:/var/milter-greylist/milter-greylist.sock
-o non_smtpd_milters=
# Public listener: postscreen triages inbound connections (DNSBL, greet
# test, see postscreen_* in main.cf) before an smtpd process is spent on them.
IP.AD.DR.ESS:smtp inet n - n - 1 postscreen
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
# Spawned policy daemon, referenced from main.cf as
# "check_policy_service unix:private/policyd-spf".
policyd-spf unix - n n - 0 spawn
user=nobody argv=/usr/local/bin/policyd-spf
# inside smtp without before-queue (because of milter)
#
# Loopback SMTP listener: no proxy filter, only the milter on 8891, applied
# to both smtpd and non-smtpd (local) submissions on this service.
127.0.0.1:smtp inet n - n - 5 smtpd
-o smtpd_client_connection_count_limit=10
-o disable_mime_output_conversion=yes
-o smtpd_milters=inet:127.0.0.1:8891
-o non_smtpd_milters=inet:127.0.0.1:8891
#
# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10025.
#
# All restrictions are disabled here except permit_mynetworks (127.0.0.0/8)
# then reject, so only the local filter can re-inject. Every message that
# re-enters through this port also passes the milter on 8893; if that is the
# OpenDMARC milter (not visible here -- confirm), it explains why mail
# re-injected via the pickup content_filter experiment got DMARC failure
# headers and reports: the re-injected copy has no authentication context.
127.0.0.1:10025 inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks
-o smtpd_milters=inet:localhost:8893
-o non_smtpd_milters=inet:localhost:8893
# Authenticated submission: TLS is mandatory (encrypt) and AUTH is only
# offered over TLS; unauthenticated clients are rejected at connect time
# and at RCPT. smtpd_client_restrictions is set twice below with the same
# value (harmless, last one wins) -- one copy can be dropped during cleanup.
# The lone "-o" followed by smtpd_tls_cert_file=... on the next line looks
# like a wrapped single option line, not two entries.
submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_auth_only=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_path=inet:127.0.0.1:12345
-o smtpd_sasl_tls_security_options=noanonymous
-o smtpd_client_auth_rate_limit=2
-o
smtpd_tls_cert_file=/usr/local/etc/letsencrypt/live/host.name/fullchain.pem
-o smtpd_tls_key_file=/usr/local/etc/letsencrypt/live/host.name/privkey.pem
-o smtpd_milters=inet:127.0.0.1:8891
-o non_smtpd_milters=inet:127.0.0.1:8891
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o syslog_name=postfix/submission
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
# pickup feeds locally submitted mail (sendmail/postdrop) into cleanup. In
# this version there is no content_filter on it, so local mail is not
# scanned by amavis -- the gap the poster is asking about.
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ../..
proxywrite unix - - n - 1 proxymap
#smtp inet n - n - 1 postscreen
postlog unix-dgram n - n - 1 postlogd
______________
______________
main.cf (postconf -nf output)
______________
# NOTE(review): "postconf -nf" output pasted into mail. Continuation lines
# (e.g. after debugger_command, mydestination, restrictive_recip) have lost
# their leading whitespace here; in main.cf they must be indented or they
# are parsed as separate parameters.
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases, hash:/usr/local/mailman/data/aliases
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 4
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
# VRFY disabled: prevents recipient-address probing by remote clients.
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_command_maps
mailbox_transport_maps = hash:/usr/local/etc/postfix/mailbox_transport_maps
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 20971520
# Fail-open: if a milter (8891/8893) is unreachable, mail is accepted
# without it. "tempfail" is the fail-closed alternative.
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost,
mail.$mydomain, www.$mydomain, listes.$mydomain
myhostname = my.host.name
# Only this host's own addresses are in $mynetworks, so every
# "permit_mynetworks" in this file means "the local machine only".
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
# Global milter for non-smtpd (sendmail/pickup) submissions. Services in
# master.cf that set -o non_smtpd_milters= override this.
non_smtpd_milters = inet:127.0.0.1:8891
owner_request_special = no
# Restriction class selected per recipient/client from the access maps in
# smtpd_recipient_restrictions (presumably -- the map contents are not shown).
permissive_recip = reject_non_fqdn_sender, reject_unknown_sender_domain,
reject_unknown_client_hostname, check_policy_service
unix:private/policyd-spf
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_blacklist_action = ignore
postscreen_dnsbl_action = enforce
postscreen_dnsbl_max_ttl = 2h
postscreen_dnsbl_min_ttl = 1h
postscreen_dnsbl_sites = zen.spamhaus.org, fresh10.spameatingmonkey.net,
bl.spamcop.net, b.barracudacentral.org
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_whitelist_threshold = 0
postscreen_forbidden_commands = $smtpd_forbidden_commands AUTH
postscreen_greet_action = enforce
postscreen_greet_banner = Do not say anything yet
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_action = ignore
postscreen_pipelining_enable = no
postscreen_reject_footer = \c. $client_address got bounced at $localtime because
it does not meet requirements for distribution on $server_name.
queue_directory = /var/spool/postfix
rbl_reply_maps = texthash:/usr/local/etc/postfix/rbl_reply_map
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_delimiter = +
# Second restriction class; the "APIKEY." zone prefixes are redacted
# credentials for the abusix lists. Restriction lists accept comma and/or
# whitespace separators, so the missing comma before the last
# reject_rbl_client is still parsed as intended.
restrictive_recip = check_sender_access
hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
reject_unknown_client_hostname, reject_non_fqdn_sender, check_policy_service
unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org,
reject_rbl_client
APIKEY.combined.mail.abusix.zone,
reject_rhsbl_client
APIKEY.dblack.mail.abusix.zone, reject_rhsbl_helo
APIKEY.dblack.mail.abusix.zone,
reject_rhsbl_sender fresh.spameatingmonkey.net, reject_rhsbl_sender
APIKEY.dblack.mail.abusix.zone,
reject_rhsbl_client fresh.spameatingmonkey.net, reject_rhsbl_reverse_client
fresh.spameatingmonkey.net reject_rbl_client b.barracudacentral.org
sample_directory = /usr/local/etc/postfix
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:127.0.0.1:10001
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
# Outbound TLS: "dane" (smtp_tls_security_level below) only takes effect
# with smtp_dns_support_level = dnssec and a DNSSEC-validating resolver;
# otherwise it degrades to opportunistic TLS.
smtp_dns_support_level = dnssec
smtp_send_xforward_command = yes
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_cert_file = /usr/local/etc/letsencrypt/live/host.name/fullchain.pem
smtp_tls_ciphers = medium
smtp_tls_key_file = /usr/local/etc/letsencrypt/live/host.name/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
# Exclusion lists only drop SSLv2/SSLv3; TLS 1.0 and 1.1 remain enabled
# (same for the smtpd_tls_*protocols settings further down).
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
# XFORWARD is trusted only from loopback, i.e. from the content filter
# re-injecting on 10025 (which also sets this per-service in master.cf).
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP Communigate PRO
smtpd_hard_error_limit = 3
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
check_client_access cidr:/usr/local/etc/postfix/client_access_cidr,
check_client_access hash:/usr/local/etc/postfix/client_access,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
# Declares the two classes above so access maps may return their names.
smtpd_restriction_classes = restrictive_recip, permissive_recip
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = $smtp_tls_CAfile
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/host.name/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/host.name/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
transport_maps = hash:/usr/local/etc/postfix/transport
# Postfix defaults for these codes are 450 (temporary). 550 turns a
# transient DNS failure for the sender address or client name into a
# permanent bounce on the remote side; unknown_hostname_reject_code is
# kept at the temporary 450 for HELO lookups.
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual,
hash:/usr/local/mailman/data/virtual-mailman,
regexp:/usr/local/etc/postfix/virtual-regexp
virtual_transport = virtual
______________
Help appreciated!
thanks,
pat pro