On Wed, 5 Aug 2020 at 19:19, Ian Evans <[email protected]> wrote:
>
> On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <[email protected]> wrote:
>>
>> Ian,
>>
>> * Ian Evans <[email protected]>:
>> > On Tue, Aug 4, 2020 at 3:38 PM Matus UHLAR - fantomas <[email protected]>
>> > wrote:
>> >
>> > > >Open relay? Nonlocal recips but not originating: [person I'm emailing]
>> > >
>> > > this happens when 'originating' flag is not set and recipient is not
>> > > local.
>> > > maybe you don't have $mynetworks amavis variable set
>> > >
>> >
>> > Okay bizarre. Just did a grep on my conf.d dir and 'originating' and
>> > '$mynetworks' don't appear in any of these files:
>> [snip]
>>
>> > Again except for these outgoing notices in the logs, the server has worked
>> > fine for years. Amavis, Postfix and Dovecot are all on the same server.
>>
>> For any domain/recipient that amavis should feel responsible for, add its name
>> to @local_domains_maps or let amavis read it from a file, e.g.
>> /etc/postfix/relay_domains:
>>
>> @local_domains_maps = (
>>   ".$mydomain",
>>   read_hash('/etc/postfix/relay_domains')
>> );
>>
>> This will tell amavis what it should classify as "incoming".
>>
>> For any IP address/network that is internal, add it to @mynetworks. This will
>> tell amavis which sources are internal:
>>
>> @mynetworks = qw(
>>   127.0.0.0/8
>> );
>>
>> In reverse conclusion, all other senders not listed in @mynetworks are
>> considered to be "outside".
>>
>> If your authenticated senders submit messages via port 465 or 587, then route
>> their messages into a dedicated port into amavis and assign that port to a
>> policy bank, where you declare everything in that policy bank as originating:
>>
>> # Claim the port:
>> @listen_sockets = (
>>   # Release
>>   '[::1]:9998',
>>   # Post-Queue, Submission
>>   '[::1]:10024',
>>   # Pre-Queue, MTA to MTA
>>   "$MYHOME/amavisd.sock"
>> );
>>
>> # Assign the port to a $policy_bank:
>> $interface_policy{'10024'} = 'SUBMISSION';
>>
>> # Tag everything as $originating in that policy_bank:
>> $policy_bank{'SUBMISSION'} = {
>>   originating => 1,
>>   bypass_spam_checks_maps => [1],
>>   final_virus_destiny => D_BOUNCE,
>>   final_banned_destiny => D_PASS,
>>   final_bad_header_destiny => D_PASS,
>>   banned_filename_maps => ['MYNETS-DEFAULT'],
>>   warnbadhsender => 0,
>>   forward_method => 'smtp:127.0.0.1:10025',
>>   notify_method => 'smtp:127.0.0.1:10025',
>>   undecipherable_subject_tag => undef,
>> };
>>
>>
>> > Just so I don't upset the apple cart, what do I need to add and to which
>> > file do I need to add it?
>>
>> I suggest you copy over 50-user to 60-mysystem and add your local config
>> there. It will never be overwritten by an update.
>>
>
> Patrick, thanks for the detailed notes. I wanted to respond when I had time
> to look at my setup. A few questions:
>
> I only handle email for my domain, so I'm assuming this is okay?
>
> @local_domains_maps = (
>   ".$mydomain"
> );
> @mynetworks = qw(
>   127.0.0.0/8
> );
>
> My biggest question, and the config I don't want to foul up, is the submission
> section for the amavis config.
>
> Here's what's in my master.cf in Postfix:
>
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>   #OpenDKIM signing
>   -o smtpd_milters=inet:localhost:12345
>
> So the email is sent to port 587 and processed through OpenDKIM. Being coffee-
> and sleep-deprived, I don't want to FUBAR anything in the amavis config. Your
> example said to claim the port:
>
> # Claim the port:
> @listen_sockets = (
>   # Release
>   '[::1]:9998',
>   # Post-Queue, Submission
>   '[::1]:10024',
>   # Pre-Queue, MTA to MTA
>   "$MYHOME/amavisd.sock"
> );
>
> So which one do I change? And will that interfere with the master.cf
> submission interfacing with OpenDKIM?
>
> Thanks again. If I was feeling better I'm sure this would be clearer to me.
>
> Take care.
Do you need to change anything? I see OpenRelay reported by amavis all the time and I just ignore it (I know I am not running an open relay). And I think it is wise to have amavis check outgoing emails.
