On Thu, Aug 6, 2020 at 5:45 AM Patrick Ben Koetter <[email protected]> wrote:
> Ian,
>
> * Ian Evans <[email protected]>:
> > On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter <[email protected]> wrote:
> > > for any domain/recipient that amavis should feel responsible for add its name
> > > to @local_domains_maps or let amavis read it from a file, e.g.
> > > /etc/postfix/relay_domains:
> > >
> > > @local_domains_maps = (
> > >   ".$mydomain",
> > >   read_hash('/etc/postfix/relay_domains')
> > > );
> > >
> > > This will tell amavis what it should classify as "incoming".
> > >
> > > For any IP address/network that is internal add it to @mynetworks. This will
> > > tell amavis which sources are internal:
> > >
> > > @mynetworks = qw(
> > >   127.0.0.0/8
> > > );
> > >
> > > In reverse conclusion all other senders not listed in @mynetworks are
> > > considered to be "outside".
> > >
> > > If your authenticated senders submit messages via Port 465 or 587 then route
> > > their messages into a dedicated port into amavis and assign that port to a
> > > policy bank, where you declare everything in that policy bank as
> > > originating:
> > >
> > > # Claim the port:
> > > @listen_sockets = (
> > >   # Release
> > >   '[::1]:9998',
> > >   # Post-Queue, Submission
> > >   '[::1]:10024',
> > >   # Pre-Queue, MTA to MTA
> > >   "$MYHOME/amavisd.sock"
> > > );
> > >
> > > # Assign the port to a $policy_bank:
> > > $interface_policy{'10024'} = 'SUBMISSION';
> > >
> > > # Tag everything as $originating in that policy_bank:
> > > $policy_bank{'SUBMISSION'} = {
> > >   originating => 1,
> > >   bypass_spam_checks_maps => [1],
> > >   final_virus_destiny => D_BOUNCE,
> > >   final_banned_destiny => D_PASS,
> > >   final_bad_header_destiny => D_PASS,
> > >   banned_filename_maps => ['MYNETS-DEFAULT'],
> > >   warnbadhsender => 0,
> > >   forward_method => 'smtp:127.0.0.1:10025',
> > >   notify_method => 'smtp:127.0.0.1:10025',
> > >   undecipherable_subject_tag => undef,
> > > };
> > >
> > > > Just so I don't upset the apple cart, what do I need to add and to which
> > > > file do I need to add it?
> > >
> > > I suggest you copy over 50-user to 60-mysystem and add your local config
> > > there. It will never be overwritten by an update.
> >
> > Patrick, thanks for the detailed notes. I wanted to respond when I had
> > time to look at my setup. A few questions:
> >
> > I only handle email for my domain so I'm assuming this is okay?
> >
> > @local_domains_maps = (
> >   ".$mydomain"
> > );
>
> Assuming that $mydomain resolves to what your own domain is, yes. IIRC on
> Debian/Ubuntu this is read from /etc/mailname.
>
> > @mynetworks = qw(
> >   127.0.0.0/8
> > );
> >
> > My biggest question and config I don't want to foul up is the submission
> > section for the amavis config.
> >
> > Here's what's in my master.cf in Postfix:
> >
> > submission inet n - - - - smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_reject_unlisted_recipient=no
> >   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >   -o milter_macro_daemon_name=ORIGINATING
> >   #OpenDKIM signing
> >   -o smtpd_milters=inet:localhost:12345
> >
> > So the email is sent to port 587 and processed through OpenDKIM. Being
> > coffee and sleep-deprived I don't want to FUBAR anything in the amavis
> > config? Your example said to claim the port:
> >
> > # Claim the port:
> > @listen_sockets = (
> >   # Release
> >   '[::1]:9998',
> >   # Post-Queue, Submission
> >   '[::1]:10024',
> >   # Pre-Queue, MTA to MTA
> >   "$MYHOME/amavisd.sock"
> > );
>
> I wouldn't use OpenDKIM on submission, because you can't mix MILTER with
> Postfix' content_filter(s) and on submission I'd always use
> content_filter, because that gives submitters the feeling their mail server is
> really fast (queue first, scan later), whereas MILTER do scan first, queue
> later and users will see their mail client hanging in there waiting for the
> server to come back and finally accept the message.
>
> This said I propose:
>
> - Setup amavis to DKIM sign/verify messages
> - Use Postfix content_filter to hand off messages to amavis e.g. on port 10026
> - Configure another listen_socket in amavis that listens on localhost:10026
> - Map this listener to your submission policy bank.
>
> p@rick

Patrick, I'm a few Ubuntus behind schedule (dealing with a family medical issue the last few years has left me behind in preparing my site's code for PHP 7). So I'm still using the old Amavis which, if I remember correctly, has problems signing DKIM. So I'll archive this thread and handle it as soon as I get to 20 LTS. I really appreciate the details of your answers. All the best to you and yours.
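Patrick's four proposed steps pulled together into one amavis config fragment, as an added example that is not from this thread or from the amavis/Postfix projects: the submission service hands mail to amavis over content_filter on port 10026, amavis maps that port to the SUBMISSION bank and DKIM-signs what arrives there. The domain, selector and key path are placeholders; a `smtp-amavis` transport and a Postfix re-injection listener on 127.0.0.1:10025 (Patrick's forward_method) are assumed to exist already.

```perl
# /etc/amavis/conf.d/60-mysystem  (file name as Patrick suggested; added example)
#
# Postfix side (master.cf), assumed: drop the two OpenDKIM milter options from
# the submission service and queue first, scan/sign later via content_filter:
#
#   submission inet n - - - - smtpd
#     -o syslog_name=postfix/submission
#     -o smtpd_tls_security_level=encrypt
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_reject_unlisted_recipient=no
#     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#     -o content_filter=smtp-amavis:[127.0.0.1]:10026
use strict;

# Claim the additional port for authenticated submission (Patrick's step 2/3).
@listen_sockets = (
  '[::1]:9998',            # Release
  '[::1]:10024',           # Post-queue listener already in place
  '127.0.0.1:10026',       # Submission, fed by the Postfix content_filter above
  "$MYHOME/amavisd.sock"   # Pre-queue, MTA to MTA
);

# Map the new listener to the submission policy bank (step 4).
$interface_policy{'10026'} = 'SUBMISSION';

# Let amavis take over the DKIM work OpenDKIM used to do (step 1).
$enable_dkim_verification = 1;
$enable_dkim_signing      = 1;
# Placeholders: your signing domain, selector and private key file.
dkim_key('example.com', 'sel2020', '/var/lib/amavis/dkim/example.com.sel2020.pem');

# Mail on 10026 came from an authenticated client, so it is originating.
# amavis only signs mail it classifies as originating, which is why the
# flag below matters for DKIM and not just for spam policy.
$policy_bank{'SUBMISSION'} = {
  originating             => 1,
  bypass_spam_checks_maps => [1],
  final_virus_destiny     => D_BOUNCE,
  final_banned_destiny    => D_PASS,
  final_bad_header_destiny => D_PASS,
  warnbadhsender          => 0,
  forward_method => 'smtp:127.0.0.1:10025',   # re-inject into Postfix
  notify_method  => 'smtp:127.0.0.1:10025',
};

1;  # amavis conf.d files must return true
```

Check the result with `amavisd-new showkeys` (prints the DNS TXT record for the selector) and `amavisd-new testkeys` once the record is published.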
