On Wed, 15 Jan 2020 at 18:00, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
>
> On Wed, 15 Jan 2020 at 16:50, Simon B <simon.buongio...@gmail.com> wrote:
>>
>> On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <r...@rafa.eu.org> wrote:
>> >
>> > On 15.01.2020 at 17:26:48, Simon B wrote:
>> > >
>> > > Amavis listens on 10024, and postfix listens on 10025
>> > >
>> > > That means mail comes in on 587, it goes to amavis on 10024 and comes
>> > > back on 10025 before going out.
>> > [...]
>> > > and mail is flowing.  I am not happy since the solution to the
>> > > original problem has been to make smtpd_helo_restrictions=permit and
>> > > even though it's internal we operate a zero-trust policy, and "permit"
>> > > is not that.
>> >
>> > Does Amavis actually connect to 127.0.0.1 when injecting mail back to
>> > Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
>> >
>> > It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
>> > IP on your server - then you need to put that IP in $mynetworks too, or
>> > reconfigure Amavis so that it connects to 127.0.0.1
>>
>> I don't know where else it could connect...  In master.cf it is defined
>>
>> #The amavis receiver
>> 127.0.0.1:10025 inet n - - - - smtpd
>>
>> > If it works with "permit", it should also work with "permit_mynetworks",
>> > provided that the value of $mynetworks includes the actual IP Amavis is
>> > connecting to.
>>
>> it should, but it isn't - hence the reason I have asked here for help.
>>
>> # postconf -n | grep -n mynetworks
>> 36:mynetworks = 127.0.0.0/8, [::1]/128
>> 37:mynetworks_style = host
>
>
> Try removing 'mynetworks' from definitions since it overwrites 
> 'mynetworks_style=host' which should already restrict the definition of 
> mynetworks to the local machine (and might do so in a more correct way?)
> Try adding 'reject' after 'permit_mynetworks' at the end of one of the 
> restriction lists (for smtpd-from-amavis) e.g. smtpd_client_restrictions - 
> this gives you the full protection

Thanks.  That works and meets our objectives.

Appreciate the fantastic support.

Simon
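
The change discussed in this thread, written out as a master.cf fragment. This is an added example, not configuration posted by anyone in the thread; putting the restrictions on the listener as `-o` overrides, and the `permit_mynetworks` value for the HELO list, are assumptions.

```conf
# master.cf: the re-injection listener that Amavis delivers back to.

# Before (workaround described in the thread): "permit" accepts the HELO of
# any client that can reach the port, so nothing is actually restricted.
#127.0.0.1:10025 inet n - - - - smtpd
#    -o smtpd_helo_restrictions=permit

# After: clients listed in $mynetworks are accepted and the trailing
# "reject" refuses everyone else, so the listener has no implicit permit.
# Continuation lines must start with whitespace; no spaces around "=" or ",".
127.0.0.1:10025 inet n - - - - smtpd
    -o smtpd_helo_restrictions=permit_mynetworks
    -o smtpd_client_restrictions=permit_mynetworks,reject

# Checks after "postfix reload":
#   postconf mynetworks
#       the networks permit_mynetworks matches against; must cover the
#       address Amavis connects from (127.0.0.1 in this thread)
#   postconf -P '127.0.0.1:10025/inet/smtpd_client_restrictions'
#       confirms the override is attached to this listener only
```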
