On Wed, October 23, 2013 2:13 pm, Michiel van Es wrote:
> On Wed, October 23, 2013 1:48 pm, Gilles Chehade wrote:
>> On Wed, Oct 23, 2013 at 01:40:40PM -0000, Michiel van Es wrote:
>>> On Wed, October 23, 2013 1:12 pm, Gilles Chehade wrote:
>>>> On Wed, Oct 23, 2013 at 01:03:32PM -0000, Michiel van Es wrote:
>>>>>
>>>>> I have it working.
>>>>> For people who want to use this:
>>>>>
>>>>> 1) install clamsmtp - it is a clam smtp proxy which accepts incoming and
>>>>> then outgoing connections (putting a message back in the queue)
>>>>>
>>>>> 2) use something similar as setup - adjust to your own needs:
>>>>>
>>>>> table vdomains "/usr/local/etc/vdomains"
>>>>> table vusers "/usr/local/etc/users"
>>>>> listen on lo port 10025 tag CLAM
>>>>> accept tagged CLAM from any for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
>>>>> accept tagged CLAM for any relay
>>>>> accept from any for any relay via smtp://127.0.0.1:10026
>>>>>
>>>>
>>>> The above is working but as an open-relay, you will want to adjust the
>>>> ruleset, something along the lines of:
>>>>
>>>> listen on lo port 10025 tag CLAM_IN
>>>> listen on lo port 10027 tag CLAM_OUT
>>>>
>>>> accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
>>>> accept tagged CLAM_OUT for any relay
>>>> accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
>>>> accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
>>>>
>>>> There may be better/other ways, that's just from the top of my head
>>>
>>> Hmm I see the open relay problem with my setup as default everything
>>> matches the relay option which is not a vuser/vdomain.
>>> But I don't get the route any more :(
>>> OpenSMTPD listens on 10025 and 10027
>>> clamsmtpd listens on 10026
>>>
>>
>> In the example above you'd have clamsmtpd listen on two different
>> ports, one for scanning incoming mails and one for scanning
>> outgoing mails.
>>
>> ie:
>>
>> internet -> smtpd -> clamsmtpd:10026 -> smtpd:10025 (CLAM_IN)
>> internal -> smtpd -> clamsmtpd:10028 -> smtpd:10027 (CLAM_OUT)
>>
>> and so the relay rule would only match for internal connections
>> whereas the mails coming from internet only match the accept
>> rules for your local domains
>
> So my config would look like this? =>
>
> listen on lo
> listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
> listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
> expire 7d
> table vdomains "/usr/local/etc/vdomains"
> table vusers "/usr/local/etc/users"
> listen on lo port 10025 tag CLAM_IN
> listen on lo port 10027 tag CLAM_OUT
> accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
> accept tagged CLAM_OUT for any relay
> accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
> accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
>
> It still is an open relay.

The rules config showed with the above setup:

debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0x16c8ea0
[warn] event_del: event has no event_base set.
smtp-in: New session 000000000e4816f7 from host mxtb-pws3.mxtoolbox.com [64.20.227.133]
expand: 0x16ce828: expand_insert() called for address:[email protected]
expand: 0x16ce828: inserting node
expand: lka_expand: address: [email protected] [depth=0]
lookup: check "64.20.227.133" as NETADDR in table static:<localhost> -> 0
lookup: check "64.20.227.133" as NETADDR in table static:<anyhost> -> found
rule matched: accept from <anyhost> for any relay via smtp://127.0.0.1:10028
expand: 0x16ce828: clearing expand tree
smtp-in: Closing session 000000000e4816f7
debug: smtp: 0x1753ef0: deleting session: done

I think something is wrong with:

accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT

As it matches 'the rest' and will insert it back in clamsmtpd and back in an acceptable queue.

>>>
>>> but I don't understand what it will do if it does not match the above
>>> rules? it will go to CLAM OUT? and opensmtpd rejects it? (I have to change
>>> 10028 to 10027 then).
>>>
>>
>> When no rule is matched, envelope is rejected.
>> The best way to understand is to run with -T rules as it will display the
>> rule that matched an envelope, this way you can test with local mails and
>> mails from the public interface
>
> I will test it with the -t rules option
>
>>> Sorry for all the questions and thanks for all the help! :)
>>>
>>
>> NP, also I suspect you're not the only one willing to use ClamAV given
>> how many times I received private mails on that topic ;-)
>>
>
> Hehe..well I hope I can contribute something (not an open relay :( ;) )
>
>> --
>> Gilles Chehade
>>
>> https://www.poolp.org @poolpOrg
>>
>> --
>> You received this mail because you are subscribed to [email protected]
>> To unsubscribe, send a mail to: [email protected]
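The open relay that the -T rules trace above exposes can be reproduced offline with this small rule-matching simulator, an added example that is neither code from the thread nor OpenSMTPD's own. It models the old-style accept rules quoted in the thread with first-match semantics (an assumption), assumes clamsmtpd hands scanned mail back under the CLAM_IN / CLAM_OUT tags exactly as the ruleset comments say, uses a constructed vdomains table, and contrasts the thread's ruleset with a hardened variant of my own in which only mail for the listed domains may enter the inbound scan path.

```python
import re
from collections import namedtuple
# Minimal model of the old-style "accept" rules quoted in the thread; assumes first match wins.
RULE_RE = re.compile(r"accept(?: tagged (?P<tag>\S+))?(?: from (?P<src>any|local))?"
                     r" for (?:any|domain <(?P<dst_tbl>\w+)>)(?: virtual <\w+>)?"
                     r" (?P<action>deliver to mda .*|relay(?: via (?P<via>\S+))?)")
# Listener tag clamsmtpd hands a scanned message back under (taken from the ruleset comments).
REINJECT = {"smtp://127.0.0.1:10026": "CLAM_IN", "smtp://127.0.0.1:10028": "CLAM_OUT"}
TABLES = {"vdomains": {"example.com"}}  # constructed stand-in for /usr/local/etc/vdomains
# tag: listener tag (None = public listener); local: client connected from localhost
Envelope = namedtuple("Envelope", "tag local rcpt_domain")

def parse_rules(conf):
    found = (RULE_RE.fullmatch(ln.split("#")[0].strip()) for ln in conf.splitlines())
    return [m.groupdict() for m in found if m]

def match(rules, env):
    """First matching rule, or None: OpenSMTPD rejects an envelope no rule accepts."""
    for r in rules:
        tag_ok = not r["tag"] or r["tag"] == env.tag
        src_ok = r["src"] != "local" or env.local
        dst_ok = not r["dst_tbl"] or env.rcpt_domain in TABLES[r["dst_tbl"]]
        if tag_ok and src_ok and dst_ok:
            return r
    return None

def final_action(rules, env):
    """Follow an envelope through clamsmtpd reinjection until it is delivered, relayed or rejected."""
    for _ in range(4):  # bound the walk; a misrouted ruleset could cycle forever
        r = match(rules, env)
        if r is None or r["action"].startswith("deliver"):
            return "reject" if r is None else "deliver"
        if r["via"] not in REINJECT:
            return "relay"  # left the box towards the internet
        env = Envelope(REINJECT[r["via"]], True, env.rcpt_domain)  # clamsmtpd connects back from localhost
    return "loop"

THREAD_RULES = parse_rules("""
accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
accept tagged CLAM_OUT for any relay
accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
""")
# Hardened variant (my assumption, not from the thread): only our own domains take the inbound scan path.
HARDENED_RULES = parse_rules("""
accept tagged CLAM_IN for domain <vdomains> virtual <vusers> deliver to mda "procmail -f -"
accept tagged CLAM_OUT for any relay
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10026
accept from local for any relay via smtp://127.0.0.1:10028
""")
```

An untagged envelope from the internet for a domain you do not host ends in "relay" under the thread's ruleset and in "reject" under the hardened one; the authoritative check remains running the real daemon with -T rules as Gilles suggests.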
