Luis Hernán Otegui writes,
> The trick (at least for me, and I'm running Postfix), is to tell your
> SASL authenticated users to use a different port, like 465 or 587. In
> fact, port 25 was nominated to be a server-to-server mail exchange
> service. Clients should use Submission or smtps port.

Indeed.

> smtps     inet  n       -       n       -       -       smtpd
>         -o content_filter=amavis:[127.0.0.1]:10026

> $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
> $interface_policy{'10026'} = 'SASLBYPASS';
> $policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
>    bypass_spam_checks_maps   => [1],  # don't spam-check this mail
>    bypass_banned_checks_maps => [0],  # still banned-check this mail
>    bypass_header_checks_maps => [1],  # don't header-check this mail
> };

Right. In addition to the above (which is the cleanest solution),
one may use postfix FILTER restrictions rhs to reroute mail
to a dedicated amavisd port when the user has been authenticated,
even if mail was submitted on port 25. See example at:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

| But how would amavisd know that mail is originating, that is, that it comes
| from a sasl authenticated user? What about the case when amavisd is separated
| from the machine that authenticated the user and received the message, to pass
| it to external amavisd machines?

By using different Postfix content_filter options for different
services and at different points in 'restrictions' list, as
shown in these examples.

The dedicated submission port as shown by Luis (or a dedicated
submission IP address, preferably both) is the cleanest solution,
but it is possible (although a bit clumsy) to achieve the same
with submissions on port 25.

Having a dedicated mail submission IP address is desirable for
another reason: SpamAssassin now has a config option msa_networks.
Specifying your submission IP address in msa_networks is a
reliable way to tell SpamAssassin that mail came in from an
internal or authenticated roaming user, so it can apply the
correct set of DUL RBL lists and SPF check for such submission.

The dedicated IP address could just be an additional alias IP
address on the same interface of the same host, and the same
Postfix instance can take care of it - it just requires one
additional entry in master.cf.

  Mark
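
An added example (not part of the original message and not amavisd-new or Postfix code): a small Python check that follows the chain described above, from each SASL-enabled smtpd service in master.cf through its content_filter port to the amavisd policy bank it lands in. The sample master.cf, the 192.0.2.25 address and the function names are constructed; it assumes the plain `-o name=value` form and sees only master.cf overrides, not main.cf settings.

```python
import re

# Constructed sample master.cf; 192.0.2.25 is a documentation address.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp      inet  n  -  n  -  -  smtpd
192.0.2.25:submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=amavis:[127.0.0.1]:10026
smtps     inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# Mirrors $interface_policy from the amavisd.conf quoted in the thread.
INTERFACE_POLICY = {10026: "SASLBYPASS"}


def parse_master_cf(text):
    """Return {service: {option: value}} for smtpd services."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            # Leading whitespace continues the previous logical line.
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        pairs = [o for o in re.findall(r"-o\s+(\S+)", entry) if "=" in o]
        services[fields[0]] = dict(p.split("=", 1) for p in pairs)
    return services


def audit(text, policy=INTERFACE_POLICY):
    """Map each SASL-enabled smtpd service to the policy bank it reaches."""
    report = {}
    for name, opts in parse_master_cf(text).items():
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            continue
        m = re.search(r":(\d+)$", opts.get("content_filter", ""))
        port = int(m.group(1)) if m else None
        report[name] = policy.get(port, "NO DEDICATED POLICY BANK")
    return report
```

In the sample, the smtps entry is flagged because it enables SASL but has no content_filter override, so authenticated mail arriving there would not be handed to the dedicated amavisd port.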
