Thomas,
> > Actually, there may be a better way. You probably already have
> > separate MTA for inbound mail (MX) and a different IP address for
> > mail submission (port 587 and 25, SASL/TLS). Such separation is
> > beneficial for DKIM signing decisions too.
>
> Not exactly, but I can implement it very easily. Because we already use
> different domains for MX, this can be changed to point to an IP alias
> on the mail systems.
Yes, an IP alias suffices to distinguish MSA from MX;
it needn't be a separate box. It can even be the same Postfix.
> > So probably from the mail route you already know if a message is
> > on its way out or in. This double path can lead through amavisd in a
> > form of two separate TCP port numbers, each loading its policy bank.
>
> Is this done by a policy daemon in Postfix? Or how can Postfix decide
> which of the two content filters (TCP ports) has to be used for amavisd?
It needn't be a policy daemon; it suffices to tack a content_filter
option onto the smtpd service, overriding the global setting for that
particular smtpd. Or use client or sender restriction maps with
a FILTER on the right-hand side, again overriding the global setting
for content_filter.
For example (in master.cf; each "-o" override must sit on its own
line, starting with whitespace, right below the service it belongs to;
the stock "smtp" transport is used here to reach amavisd's SMTP
listeners, which matches the inet_socket_port setup below):
# regular MX
192.168.0.66:25 inet n - n - 200 smtpd
  -o content_filter=smtp:[127.0.0.1]:10024
# dedicated mail submission IP address, port 25
10.1.2.3:25 inet n - n - 200 smtpd
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
# mail submission, any address, port 587
submission inet n - n - - smtpd
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
and then in amavisd.conf:
$inet_socket_port = [10024,10026];   # one SMTP listener per policy bank
$interface_policy{'10024'} = 'INBOUND';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'INBOUND'} = {
  # declare all recipients are local; *_maps settings take a
  # reference to a list of lookup tables, a constant 1 matches anything
  local_domains_maps => [1],
};
$policy_bank{'ORIGINATING'} = {   # mail originating from our users
  originating => 1,
  allow_disclaimers => 1,   # enables disclaimer insertion if available
  # force MTA conversion to 7-bit before DKIM signing
  # to avoid later conversions, destroying signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
> Maybe a stupid question, but what are the risks of using a '.' in
> @local_domains_maps for everything?
The main reason why I allow X-Virus-Scanned to be inserted into
any mail, but X-Spam-* only into inbound mail, is respect
towards our own internal users: it would look bad if outbound
mail were labeled as spam by our own filter and sent to a
customer. Same goes for mail defanging (sanitation) and
adding address extensions (plus addressing).
The risk of declaring any recipient to be local is:
outbound mail would be tested for penpals even though it
shouldn't be, recipient notifications could be sent to
external users, X-Amavis-OS-Fingerprint could be inserted
into outbound mail revealing internal information,
foreign recipients could get an address extension added
(e.g. '+spam'), adding disclaimers won't work, statistics
counters would be wrong (amavisd-agent). Details may change
in the future and have changed in the past.
Mark
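[Added example, not part of Mark's message or of the amavisd or Postfix
projects.] The split above only protects outbound mail if every
submission listener really hands off to the ORIGINATING bank and the
MX listener really hands off to INBOUND; a mismatch silently produces
exactly the leakage Mark lists (X-Spam-* on customer mail, notifications
to outsiders). The script below parses a master.cf fragment and an
amavisd.conf fragment and cross-checks them. The config text embedded in
it is a constructed sample mirroring the thread; the `audit()`,
`parse_master_cf()` and `parse_amavisd_conf()` names are this example's
own. It recognises a listener as MSA when it is the `submission` service
or its recipient restrictions contain `permit_sasl_authenticated`.

```python
"""Cross-check a Postfix master.cf MX/MSA split against amavisd policy banks.

Constructed sample configuration (not from a live system); the parsing is
deliberately narrow: smtpd services with '-o key=value' override lines,
and the $inet_socket_port / $interface_policy / $policy_bank statements.
"""
import re

MASTER_CF = """\
# regular MX
192.168.0.66:25 inet n - n - 200 smtpd
  -o content_filter=smtp:[127.0.0.1]:10024
# dedicated mail submission IP address, port 25
10.1.2.3:25 inet n - n - 200 smtpd
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
# mail submission, any address, port 587
submission inet n - n - - smtpd
  -o content_filter=smtp:[127.0.0.1]:10026
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

AMAVISD_CONF = """\
$inet_socket_port = [10024,10026];
$interface_policy{'10024'} = 'INBOUND';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'INBOUND'} = {
  local_domains_maps => [1],
};
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  allow_disclaimers => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
"""


def parse_master_cf(text):
    """Return {service: {option: value}} for every smtpd service.

    A master.cf service line has 8 fields; lines starting with whitespace
    are '-o key=value' overrides belonging to the preceding service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            m = re.match(r'\s*-o\s+([^=\s]+)=(\S+)', line)
            if current is not None and m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[7] == 'smtpd':
            current = fields[0]
            services[current] = {}
        else:
            current = None          # not an smtpd service, skip its overrides
    return services


def parse_amavisd_conf(text):
    """Return (listening ports, {port: bank}, {bank: {option: value}})."""
    listen, iface, banks = set(), {}, {}
    m = re.search(r'\$inet_socket_port\s*=\s*\[([^\]]*)\]', text)
    if m:
        listen = {int(p) for p in re.findall(r'\d+', m.group(1))}
    for port, bank in re.findall(r"\$interface_policy\{'(\d+)'\}\s*=\s*'(\w+)'", text):
        iface[int(port)] = bank
    for name, body in re.findall(r"\$policy_bank\{'(\w+)'\}\s*=\s*\{(.*?)\n\};", text, re.S):
        banks[name] = {k: v.strip() for k, v in
                       re.findall(r'^\s*(\w+)\s*=>\s*([^,#]+),', body, re.M)}
    return listen, iface, banks


def filter_port(opts):
    """Port from a content_filter value such as smtp:[127.0.0.1]:10024."""
    m = re.search(r':(\d+)$', opts.get('content_filter', ''))
    return int(m.group(1)) if m else None


def is_submission(name, opts):
    """MSA listener: the submission service, or one that admits SASL users."""
    return (name == 'submission' or
            'permit_sasl_authenticated' in opts.get('smtpd_recipient_restrictions', ''))


def audit(master_cf, amavisd_conf):
    """Return a list of findings; an empty list means the split is consistent."""
    findings = []
    listen, iface, banks = parse_amavisd_conf(amavisd_conf)
    for name, opts in parse_master_cf(master_cf).items():
        port = filter_port(opts)
        if port is None:
            findings.append(f"{name}: no content_filter, mail bypasses amavisd")
            continue
        if port not in listen:
            findings.append(f"{name}: amavisd does not listen on port {port}")
        bank = iface.get(port)
        if bank is None:
            findings.append(f"{name}: port {port} has no interface_policy, falls to default bank")
            continue
        originating = banks.get(bank, {}).get('originating') == '1'
        if is_submission(name, opts) and not originating:
            findings.append(f"{name}: submission traffic lands in bank {bank} without originating=>1")
        if not is_submission(name, opts) and originating:
            findings.append(f"{name}: MX traffic lands in originating bank {bank}")
    return findings


if __name__ == '__main__':
    for finding in audit(MASTER_CF, AMAVISD_CONF) or ['OK: MX and MSA paths map to the intended banks']:
        print(finding)
```

Run it against your own files by reading them into `MASTER_CF` and
`AMAVISD_CONF`; a wrong port on a single "-o content_filter" line, or a
bank that lost its "originating => 1", shows up as a finding rather than
as a customer-visible X-Spam-* header.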
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/