On 12/02/2018 10:42, Giovanni wrote:
Karol Augustin <ka...@augustin.pl> wrote:
Hi,

I am explicitly copying the original authors of the threads I am referring to in
this email, as I don't know if they are still monitoring the list for
a solution to the problem.
I would like to thank Giovanni for supplying the patch, which has now
spread across the internet.

There is evidence of a critical bug in quite a few threads on this list
that manifests itself in various ways. Some users have problems with
DKIM signatures of outgoing mail, others with mail marked as
RelayedOpenRelay in the logs.

The issue is caused by Amavis not honoring the originating flag, which
causes all sender addresses to be treated as "foreign", which obviously
has a huge potential of breaking mail flow, especially in environments
where there are multiple e-mail paths and policy banks configured.


I hit the same problem when I upgraded to 2.11.0 a few days ago and asked
a similar question in a reply to an existing thread.
https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html

The same issue was described earlier in the following thread:
https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html

The original mention of this problem was made by Giovanni, who kindly
provided a one-line fix to the problem:
https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html

For the record, the patch I submitted 2 years ago fixes the bug with postfix;
there are some corner cases (spotted by an Opensmtpd instance, maybe by some
other mta as well) that need an additional one-line fix.
Full patch follows.
  Giovanni

--- amavisd.orig        Tue Apr 26 21:24:33 2016
+++ amavisd     Fri Aug  5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
          }
          # load policy banks from the 'client_ipaddr_policy' lookup
          Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+        $msginfo->originating(c('originating'));
$msginfo->client_addr($cl_ip); # ADDR
          $msginfo->client_port($cl_port);    # PORT
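Review bot: the new `$msginfo->originating(c('originating'));` after the `@bank_names_cl` load has no comment explaining why the flag must be re-read once the policy banks are loaded, and the identical line is repeated in `collect_some_dkim_info`. Add a one-line comment here, and consider copying the flag inside `Amavis::load_policy_bank` itself, which already receives `$msginfo`, so that neither call site can miss it.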
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
      $sig_ind++;
    }
    Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
    $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
  # if (ll(5) && $sig_ind > 0) {
  #   # show which header fields are covered by which signature
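Review bot: the header `@@ -34338,6 +34330,7 @@` gives a new-file start of 34330, eight lines below the old start, although the only earlier hunk adds a single line, so the expected start is 34339. The two hunks look as if they came from different diffs or were edited by hand; regenerate the patch against one base so it applies without relying on patch's offset search. The added `$msginfo->originating(c('originating'));` also lacks a comment saying why it follows the `@bank_names` load.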


I just wanted to add feedback to this one. I've had this issue for some time, but haven't had time to track it down until now. I started digging and ended with the same conclusions as the two above contributors.

I have had debug turned on, and I am positive that the following holds:
- my client IP is in @mynetworks.
- the recipient is not local.
- the sending domain is in @local_domains_maps.
- Postfix uses xforward and amavis sees the proper client IP.
- the log from amavisd shows the policy bank has originating set.

And yet my log from amavis says RelayedOpenRelay.

My setup is simple; all the possible clients are on private IPs, the world is on public.

Adding the posted one-line patch to 2.11.0 seems to make it all work well for me; my logs now show RelayedOutbound for email going out via the correct policy bank.

mvh,
A
--
Alexander Hoogerhuis | http://no.linkedin.com/in/alexh
Boxed Solutions AS   | +47 908 21 485 - al...@boxed.no
"Given enough eyeballs, all bugs are shallow." -Eric S. Raymond
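
A log check for the symptom described in the message above (client inside the internal networks, yet logged as RelayedOpenRelay), as an added example that is not part of the thread or of amavisd. The log line layout, the network ranges standing in for @mynetworks and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: private ranges stand in for @mynetworks (clients on private IPs).
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the category appears in braces, followed by the client
# address in square brackets later on the same line.
LINE_RE = re.compile(r"\{(?P<cat>Relayed\w+)\}.*?\[(?P<ip>[0-9A-Fa-f:.]+)\]")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """
Feb 12 10:01:02 mx amavis[2101]: (02101-01) Passed CLEAN {RelayedOpenRelay}, [192.168.10.5]:51122 [192.168.10.5] <alice@example.com> -> <bob@example.net>
Feb 12 10:02:10 mx amavis[2101]: (02101-02) Passed CLEAN {RelayedInbound}, [203.0.113.7]:40211 [203.0.113.7] <carol@example.org> -> <alice@example.com>
Feb 12 10:03:44 mx amavis[2101]: (02101-03) Passed CLEAN {RelayedOutbound}, MYNETS [10.1.2.3]:50110 [10.1.2.3] <alice@example.com> -> <dave@example.net>
Feb 12 10:04:00 mx amavis[2101]: (02101-04) Passed CLEAN {RelayedOpenRelay}, [198.51.100.9]:33100 [198.51.100.9] <x@example.org> -> <y@example.net>
"""


def in_mynetworks(ip_text):
    """True if ip_text parses as an address inside one of MYNETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in MYNETWORKS)


def find_misclassified(log_text):
    """Return (line_number, client_ip) for internal clients logged as
    RelayedOpenRelay, i.e. mail whose originating flag was not honored."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue
        # A public client logged as RelayedOpenRelay is genuinely foreign;
        # only an internal client with that category points at the bug.
        if m.group("cat") == "RelayedOpenRelay" and in_mynetworks(m.group("ip")):
            hits.append((lineno, m.group("ip")))
    return hits


if __name__ == "__main__":
    for lineno, ip in find_misclassified(SAMPLE_LOG):
        print(f"line {lineno}: internal client {ip} logged as RelayedOpenRelay")
```
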
