On 27.12.2011 15:10, fakessh @ wrote:
[...]
this master.cf
http://pastebin.com/x0PsRikk


I just started to look at your master.cf. I have to confess that I am confused.

Just starting with the first service entry I see this here:
smtp    inet    n       -       n       -       -       smtpd
        -o receive_override_options=no_address_mappings
        -o content_filter=amavisfeed:[127.0.0.1]:10024
        -o smtpd_data_restrictions=check_sender_access,pcre:/etc/postfix/add_my_header
        #-o smtpd_proxy_filter=127.0.0.1:10041
        #-o smtpd_client_connection_count_limit=10
        # Postfix 2.7 and later performance feature.
        #-o smtpd_proxy_options=speed_adjust
        -o smtpd_sasl_auth_enable=yes
        -o stress=yes


Okay. You run smtpd on the default port on all interfaces. Fine. But why, then, this later on:
smtp      inet  n       -       n       -       1       postscreen


On the same port you also run postscreen? Shouldn't that be (all together):
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
   -o receive_override_options=no_address_mappings
   -o content_filter=amavisfeed:[127.0.0.1]:10024
   -o smtpd_data_restrictions=check_sender_access,pcre:/etc/postfix/add_my_header
   #-o smtpd_proxy_filter=127.0.0.1:10041
   #-o smtpd_client_connection_count_limit=10
   # Postfix 2.7 and later performance feature.
   #-o smtpd_proxy_options=speed_adjust
   -o smtpd_sasl_auth_enable=yes
   -o stress=yes

dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy


Might I ask why you permit your own network on the submission service? Is that really something you want? And you have a mix-up of old and new parameters here. smtpd_tls_security_level is new and overrides the old, now obsolete parameter smtpd_enforce_tls:

submission inet n       -       n       -       -       smtpd
     -o smtpd_tls_security_level=encrypt
     -o milter_macro_daemon_name=ORIGINATING
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_sasl_authenticated_header=yes
     -o receive_override_options=no_address_mappings
     -o smtpd_enforce_tls=yes
     -o content_filter=amavisfeed:[127.0.0.1]:10024
     -o smtpd_etrn_restrictions=reject
     -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
     -o smtpd_data_restrictions=check_sender_access,pcre:/etc/postfix/add_my_header
     -o stress=yes


I see that you have set up on 127.0.0.1:10030 another smtpd that you use to inject mail from dkimproxy back into Postfix:
# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10030 inet  n  -      n       -       10      smtpd
#    -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
     -o content_filter=
     -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
     -o smtpd_helo_restrictions=
     -o smtpd_client_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8


Here I ask myself why you have not disabled milters. You should add the value 'no_milters' to 'receive_override_options', or else you are going to run all your milters against the message again. IMHO this explains why you have certain checks done 2 to 3 times per message.

Not only is that a problem, but reading your main.cf I see this here:
content_filter = dkimproxy:[127.0.0.1]:10029

Why? Why a content filter inside main.cf when you do all the stuff from within master.cf?


Okay. And now my confusion. I don't see how your mail flow is working. If I try to go top-down when looking at master.cf, then this is how the mail flow (just with normal SMTP) works on your system:

1) Mail from the internet
2) Postfix on your system on port 25
2.1) Postscreen
2.2) Postfix is sending the message to the content filter (Amavisd-New)
3) Amavisd-New on 127.0.0.1:10024 in LMTP mode is reading the message
3.1) Amavisd-New is forwarding the message to 127.0.0.1:10025 using SMTP (You have configured your Amavisd-New with different routing paths depending on macros. But you don't set that macro value on normal messages. So the default for $forward_method and $notify_method is used and that is 127.0.0.1:10025).
4) Message is re-injected into Postfix on your system on port 10025 using SMTP by Amavisd-New
4.1) Postfix is sending the message to the content filter (dkimproxy)
5) dkimproxy on 127.0.0.1:10029 is reading the message
6) (I guess... don't know the config of dkimproxy) Message is re-injected into Postfix on your system on port 10030 using SMTP by dkimproxy
7) Delivery


On submission you do +/- the same, except that you switch policy banks in Amavisd-New and you forward the message to 127.0.0.1:10026 (dkimproxy doing signing?).


Is this possible? Is this how you have your setup in mind?


--
Kind Regards from Switzerland,

Stevan Bajić
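The points raised above (two listeners on the smtp port, obsolete smtpd_enforce_tls next to smtpd_tls_security_level, permit_mynetworks on submission, a re-injection smtpd without no_milters, and the content_filter chain that defines the mail flow) can all be checked mechanically from master.cf. The script below is an added example, not code from the original mail or from Postfix: it parses master.cf's service/continuation-line syntax, lints for those issues, and follows the content_filter hops to print the flow. The sample config is constructed to mirror the quoted fragments; the REINJECT table (where Amavisd-New and dkimproxy hand mail back to Postfix) is an assumption, since that lives in the filters' own configuration and not in master.cf.

```python
"""Lint a Postfix master.cf for the issues discussed above and trace the content_filter chain.
Added example, not part of the original mail; sample data below is constructed."""
from collections import Counter

# Constructed sample modelled on the quoted fragments.  The 127.0.0.1:10025 listener is assumed
# to exist, since Amavisd-New re-injects there.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_address_mappings
  -o content_filter=amavisfeed:[127.0.0.1]:10024
smtp      inet  n       -       n       -       1       postscreen
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=dkimproxy:[127.0.0.1]:10029
# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10030 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
amavisfeed unix -       -       n       -       2       lmtp
dkimproxy  unix -       -       n       -       -       smtp
"""

# Assumption: where each external filter hands the message back to Postfix (filter endpoint ->
# re-injection listener).  This is configured in the filter, not in master.cf.
REINJECT = {"127.0.0.1:10024": "127.0.0.1:10025", "127.0.0.1:10029": "127.0.0.1:10030"}

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


def parse_master_cf(text):
    """A line starting in column 1 opens a new service (8 whitespace-separated columns); a line
    starting with whitespace continues the previous entry and may carry '-o name=value'
    overrides; '#' starts a comment.  Returns a list of dicts with an 'options' sub-dict."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError("continuation line before any service: %r" % raw)
            tokens = raw.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-o":
                    name, _, value = tokens[i + 1].partition("=")
                    entries[-1]["options"][name] = value
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError("service line needs 8 columns: %r" % raw)
        entry = dict(zip(COLUMNS, cols[:8]))
        entry["options"] = {}
        entries.append(entry)
    return entries


def lint(entries):
    """Return one finding string per issue of the kinds discussed in the thread."""
    findings = []
    listeners = Counter(e["service"] for e in entries if e["type"] == "inet")
    for name, n in listeners.items():
        if n > 1:
            findings.append("listener %s defined %d times; postscreen should own the port and "
                            "smtpd should become a 'pass' service" % (name, n))
    for e in entries:
        o = e["options"]
        if "smtpd_enforce_tls" in o and "smtpd_tls_security_level" in o:
            findings.append("%s: obsolete smtpd_enforce_tls set next to smtpd_tls_security_level"
                            % e["service"])
        if e["service"] == "submission" and \
                "permit_mynetworks" in o.get("smtpd_client_restrictions", "").split(","):
            findings.append("submission: permit_mynetworks lets clients in mynetworks skip "
                            "SASL authentication")
        # A loopback smtpd with an emptied content_filter is a re-injection point; without
        # no_milters every milter runs again on the message coming back from the filter.
        if e["type"] == "inet" and e["command"] == "smtpd" and \
                e["service"].startswith("127.0.0.1:") and o.get("content_filter") == "":
            if "no_milters" not in o.get("receive_override_options", "").split(","):
                findings.append("%s: re-injection smtpd lacks no_milters in "
                                "receive_override_options" % e["service"])
    return findings


def trace_flow(entries, start="smtp"):
    """Follow content_filter hops from the smtpd listener named `start`, crossing the external
    filters via REINJECT; returns the ordered list of endpoints the message visits."""
    smtpds = {e["service"]: e for e in entries if e["type"] == "inet" and e["command"] == "smtpd"}
    path, cur = [start], smtpds.get(start)
    while cur is not None:
        cf = cur["options"].get("content_filter", "")
        if not cf:                      # empty content_filter: the message goes to delivery
            path.append("delivery")
            break
        transport, _, target = cf.partition(":")
        target = target.replace("[", "").replace("]", "")      # "[127.0.0.1]:10024" -> host:port
        path.append("%s->%s" % (transport, target))
        nxt = REINJECT.get(target)
        if nxt is None or nxt in path:  # unknown filter or a loop: stop tracing
            break
        path.append(nxt)
        cur = smtpds.get(nxt)
    return path


if __name__ == "__main__":
    parsed = parse_master_cf(SAMPLE_MASTER_CF)
    for finding in lint(parsed):
        print("FINDING:", finding)
    print("FLOW:", " => ".join(trace_flow(parsed)))
```

Run against the constructed sample it reports the four findings discussed in the mail and prints the chain smtp => amavisfeed (10024) => 10025 => dkimproxy (10029) => 10030 => delivery, which is the numbered flow above; point it at a real master.cf by replacing SAMPLE_MASTER_CF with the file contents and adjusting REINJECT to match the filters' configuration.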

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user