On Fri, 15 Jan 2016, Curtis Villamizar wrote:

> In message <pine.neb.4.64.1601151625480.18...@pokey.whooppee.com>
> Paul Goyette writes:
>
> > I'm having a little bit of a problem with my configuration... :)
> >
> > I have followed all of the how-to docs on getting things set up, and
> > everything works fine when an Email client connects to my primary mail
> > server. The postfix rules get triggered and the dspam filter gets
> > invoked.
> >
> > The problem occurs when a "foreign" client uses my backup MX relay
> > machine. The backup-MX machine is part of my own network, so it gets
> > included in the primary server's $mynetworks (via 'mynetworks_style =
> > subnet'). Unfortunately this seems to cause my
> >
> >     smtpd_client_restrictions = permit_mynetworks,
> >         check_client_access ...dspam...
> >
> > to permit the message without triggering the dspam filter.
>
> Hi Paul,
>
> I'm not the expert that some on this list are ... but here goes.
>
> Take a look at http://www.postfix.org/SMTPD_ACCESS_README.html#danger
> and see if it seems familiar. If so the answer might be in the use of
> smtpd_relay_restrictions rather than smtpd_recipient_restrictions as
> long as you are running postfix >= 2.10.
>
> If not, then you might be able to move reject_unauth_destination up in
> the list.
>
> > Is there a more appropriate way to trigger the dspam filter, so that
> > messages that are relayed by the backup MX server get filtered, BUT
> > messages that _originate_on_ the backup MX server are not filtered?
>
> How about http://www.postfix.org/SMTPD_PROXY_README.html ?
>
> > Stated another way, there are 3 classes of messages involved:
> >
> > 1. Messages that originate on either of the MX servers.
> > 2. Messages that originate externally, and are initially sent to the
> >    backup-MX machine; the backup-MX does the usual store-&-forward
> >    to get messages to the primary-MX machine.
> > 3. Messages that originate externally and are sent directly to the
> >    primary-MX machine.
> >
> > Class 1 should _not_ be processed by dspam, and is currently behaving
> > as desired.
> > Class 2 _should_ be processed, but currently is not being processed.
> > Class 3 _should_ be processed, and is currently behaving as desired.
> >
> > Config details are available - just ask for them!
>
> If that didn't help and no one else responds, then maybe go for it.
Hmmm, I don't think that either of these references is relevant. (But
I am definitely not an expert, so I could easily be wrong!)
I _think_ my basic problem is that the backup-MX is a "trusted client"
for the primary-MX. There doesn't seem to be any way for the primary-MX
to differentiate between messages that _originate_ on the backup-MX and
messages that are coming from "outside" and just being relayed.
So when messages arrive at the primary-MX from the backup-MX, they
_ALL_ get accepted by the permit_mynetworks entry, and they don't get
processed by the dspam filter.
In case it wasn't obvious from the earlier message, I would like to run
dspam - or any other filter - only on the primary-MX machine, which is
where all mail is delivered and read. (Users on the backup-MX machine
can originate Email with internal or external destinations.)
Here's what I think is the relevant configuration data on the primary
MX server machine. (FWIW, it's a NetBSD system on amd64 hardware, and
running postfix 2.10.)
[main.cf]
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
    mail.$mydomain, www.$mydomain, ftp.$mydomain
mynetworks_style = subnet
...
transport_maps = hash:/etc/postfix/transport
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $transport_maps
...
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes
smtpd_client_restrictions = permit_mynetworks,
    check_client_access regexp:/etc/postfix/dspam_filter_access
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit
smtpd_sender_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_recipient_restrictions = permit_mynetworks,
    permit
smtpd_data_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_multi_recipient_bounce,
    reject_rbl_client relays.nether.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    permit
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination
[master.cf]
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
#  -o content_filter=lmtp:unix:/tmp/dspam.sock
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# dspam
#
dspam     unix  -       n       n       -       10      pipe
  flags=Ru user=dspam
  argv=/usr/pkg/bin/dspam --deliver=innocent --user $user -i -f $sender -- $recipient
dspam-retrain unix - n  n       -       10      pipe
  flags=Ru user=dspam
  argv=/usr/pkg/bin/dspam-retrain $nexthop $sender $recipient
[transport.db]
s...@whooppee.com dspam-retrain:spam
h...@whooppee.com dspam-retrain:innocent
+------------------+--------------------------+------------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+
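The mechanism behind Paul's observation, as an added illustration that is not part of the original thread and not Postfix code: a small Python model of how smtpd walks a restriction list. permit_mynetworks is decisive, so with the posted ordering the dspam access map is never consulted for a client inside $mynetworks; a FILTER action, by contrast, only records a content filter and lets the walk continue. The networks, the client addresses (RFC 5737 documentation ranges) and the catch-all "FILTER dspam:dspam" row standing in for /etc/postfix/dspam_filter_access are constructed assumptions, not the poster's real configuration.

```python
"""
Toy model of how Postfix smtpd walks a restriction list: the first decisive
result wins.  Added example; it is neither code from the thread nor from
Postfix itself.  It models only what the posted smtpd_client_restrictions
uses: permit_mynetworks, check_client_access with a FILTER action, plus the
implicit "no decision" at the end of the list.  All addresses are
constructed from RFC 5737 documentation ranges, not the poster's network.
"""
import ipaddress
import re

# Constructed stand-in for mynetworks_style = subnet on the primary MX.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
BACKUP_MX = "192.0.2.25"   # constructed: the backup MX, inside the subnet
OUTSIDE = "203.0.113.7"    # constructed: an external SMTP client

# Stand-in for regexp:/etc/postfix/dspam_filter_access.  The row is an
# assumption: a catch-all that hands every client's mail to the "dspam"
# pipe transport named in the poster's master.cf.
DSPAM_FILTER_ACCESS = [(re.compile(r"."), "FILTER dspam:dspam")]

# The ordering the poster runs, and the same two entries swapped.
POSTED_ORDER = ["permit_mynetworks",
                "check_client_access regexp:dspam_filter_access"]
SWAPPED_ORDER = ["check_client_access regexp:dspam_filter_access",
                 "permit_mynetworks"]


def lookup_access(table, client_ip):
    """First matching row wins, like a Postfix regexp: map lookup."""
    for pattern, action in table:
        if pattern.search(client_ip):
            return action
    return None


def evaluate(restrictions, client_ip):
    """Return (decision, content_filter) for one connecting client.

    permit_mynetworks and OK/REJECT results end the walk.  FILTER only
    records a content filter and the walk continues ("DUNNO").  Falling
    off the end is also "no decision": the client is not rejected here.
    """
    ip = ipaddress.ip_address(client_ip)
    content_filter = None
    for restriction in restrictions:
        name = restriction.split()[0]
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "OK", content_filter        # decisive: stop here
        elif name == "check_client_access":
            action = lookup_access(DSPAM_FILTER_ACCESS, client_ip)
            if action is None:
                continue                           # no matching row: DUNNO
            verb, _, arg = action.partition(" ")
            if verb == "FILTER":
                content_filter = arg               # side effect, keep walking
            elif verb == "OK":
                return "OK", content_filter
            elif verb == "REJECT":
                return "REJECT", content_filter
        elif name == "permit":
            return "OK", content_filter
        elif name == "reject":
            return "REJECT", content_filter
        else:
            raise ValueError("restriction not modelled: " + name)
    return "DUNNO", content_filter


def filter_reached(restrictions, client_ip):
    """True when the walk recorded a content filter for this client."""
    return evaluate(restrictions, client_ip)[1] is not None


if __name__ == "__main__":
    for label, order in (("posted", POSTED_ORDER), ("swapped", SWAPPED_ORDER)):
        for who, ip in (("backup MX", BACKUP_MX), ("outside", OUTSIDE)):
            print(f"{label:7} {who:9} {ip:13} -> {evaluate(order, ip)}")
```

Running it shows the two halves of the problem as stated in the thread: with the posted order the backup MX is permitted before the access map is ever looked at, so no filter is recorded, while an outside client falls through to the map and gets one. Swapping the two entries makes the filter fire for the backup MX as well, but because the decision is a function of the client address alone, every message from that address is treated the same way; the model cannot tell class 1 mail from class 2 mail any more than the real client restrictions can.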