On Wed, October 23, 2013 1:48 pm, Gilles Chehade wrote:
> On Wed, Oct 23, 2013 at 01:40:40PM -0000, Michiel van Es wrote:
>> On Wed, October 23, 2013 1:12 pm, Gilles Chehade wrote:
>> > On Wed, Oct 23, 2013 at 01:03:32PM -0000, Michiel van Es wrote:
>> >>
>> >> I have it working.
>> >> For people who want to use this:
>> >>
>> >> 1) install clamsmtp - it is a clam smtp proxy which accepts incoming and
>> >> then outgoing connections (putting a message back in the queue)
>> >>
>> >> 2) use something similar as setup - adjust to your own needs:
>> >>
>> >> table vdomains "/usr/local/etc/vdomains"
>> >> table vusers "/usr/local/etc/users"
>> >> listen on lo port 10025 tag CLAM
>> >> accept tagged CLAM from any for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
>> >> accept tagged CLAM for any relay
>> >> accept from any for any relay via smtp://127.0.0.1:10026
>> >>
>> >
>> > The above is working but as an open-relay, you will want to adjust the
>> > ruleset, something along the lines of:
>> >
>> > listen on lo port 10025 tag CLAM_IN
>> > listen on lo port 10027 tag CLAM_OUT
>> >
>> > accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
>> > accept tagged CLAM_OUT for any relay
>> > accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
>> > accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
>> >
>> > There may be better/other ways, that's just from the top of my head
>>
>> Hmm I see the open relay problem with my setup as default everything
>> matches the relay option which is not a vuser/vdomain.
>> But I don't get the route any more :(
>> OpenSMTPD listens on 10025 and 10027
>> clamsmtpd listens on 10026
>>
>
> In the example above you'd have clamsmtpd listen on two different
> ports, one for scanning incoming mails and one for scanning
> outgoing mails.
>
> ie:
>
> internet -> smtpd -> clamsmtpd:10026 -> smtpd:10025 (CLAM_IN)
> internal -> smtpd -> clamsmtpd:10028 -> smtpd:10027 (CLAM_OUT)
>
> and so the relay rule would only match for internal connections
> whereas the mails coming from internet only match the accept
> rules for your local domains
So my config would look like this? =>

listen on lo
listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl

expire 7d

table vdomains "/usr/local/etc/vdomains"
table vusers "/usr/local/etc/users"

listen on lo port 10025 tag CLAM_IN
listen on lo port 10027 tag CLAM_OUT

accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
accept tagged CLAM_OUT for any relay
accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT

It still is an open relay.

>
>>
>> but I don't understand what it will do if it does not match the above rules?
>> it will go to CLAM OUT ? and opensmtpd rejects it? (I have to change 10028
>> to 10027 then).
>>
>
> When no rule is matched, envelope is rejected.
> The best way to understand is to run with -T rules as it will display the
> rule that matched an envelope, this way you can test with local mails and
> mails from the public interface

I will test it with the -t rules option

>
>
>> Sorry for all the questions and thanks for all the help! :)
>>
>
> NP, also I suspect you're not the only one willing to use ClamAV given
> how many times I received private mails on that topic ;-)
>
>

Hehe..well I hope I can contribute something (not an open relay :( ;) )

>
> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
>
> --
> You received this mail because you are subscribed to [email protected]
> To unsubscribe, send a mail to: [email protected]
>
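An added example, written by the editor and not posted by either participant: one way to close the open relay in the ruleset above. A catch-all `accept from any for any relay via ...` line relays for the whole internet, so the reinjection rule for untrusted senders is restricted to the local domains and the catch-all through CLAM_OUT is limited to local senders. It keeps Michiel's listeners, tables and ports, and assumes (as with OpenSMTPD of that era) that rules are applied first-match and that authenticated sessions count as local.

```conf
# Added example (editor's, not from the thread): closing the open relay.
# Listeners for eth0/587 and the tables are as in the config above; only the
# accept rules differ. Assumes OpenSMTPD applies the first matching rule,
# so rules go from most specific (tagged reinjections) to least specific.

table vdomains "/usr/local/etc/vdomains"
table vusers "/usr/local/etc/users"

listen on lo port 10025 tag CLAM_IN    # clamsmtpd (inbound scan) reinjects here
listen on lo port 10027 tag CLAM_OUT   # clamsmtpd (outbound scan) reinjects here

# Scanned inbound mail: deliver only to our own virtual domains and users.
accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"

# Scanned outbound mail: relay. Only processes on loopback can reach 10027.
accept tagged CLAM_OUT for any relay

# Untrusted senders (the internet) may only hand us mail FOR our domains,
# and that mail goes through the inbound scanner before delivery.
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10026

# Local senders (and, assuming authenticated sessions count as local in this
# OpenSMTPD version, SMTP AUTH clients on 587) may send anywhere, through the
# outbound scanner. There is no "from any for any relay" rule, so everything
# else matches nothing and is rejected at the envelope.
accept from local for any relay via smtp://127.0.0.1:10028
```

With this ruleset an envelope arriving on the public interface for a domain not in `<vdomains>` matches no rule and is rejected, which is the result to look for when checking with `-T rules`.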
