Can someone help me to get amavisd working with my cbpolicyd?
Versions:
Amavis: amavisd-new-2.9.1-2.el6.noarch.rpm CentOS / EPEL repository
CBPolicyD: cluebringer-v2.1.x-201310261831.noarch.rpm
Postfix: postfix-2.6.6-6.el6_5.x86_64.rpm
Amavis bin patched with amavisd-2.8.1_policyd_201308131703.patch
This is the debug log while starting the cbpolicyd, which shows that the
amavis module is active and enabled:
################################################################################################
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer - v2.1.x-201310261831
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: Initializing system modules.
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: System modules initialized.
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: Module load started...
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => AccessControl: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => Amavis: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => Accounting: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => CheckHelo: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => CheckSPF: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => Greylisting: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => Quotas: enabled
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: => Protocol(Postfix): enabled
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: Module load done.
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] NOTICE: Session tracking is ENABLED.
[2014/11/14-11:26:02 - 13472] [CBPOLICYD] DEBUG: Opening syslog, destination = 'native', facility = 'mail'.
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: 2014/11/14-11:26:02 cbp (type Net::Server::PreFork) starting! pid(13472)
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: Using default listen value of 128
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: Binding to TCP port 10031 on host *
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: Setting gid to "506 506"
[2014/11/14-11:26:02 - 13472] [CORE] NOTICE: Setting uid to "505"
[2014/11/14-11:26:02 - 13472] [CORE] INFO: Setting up serialization via flock
[2014/11/14-11:26:02 - 13472] [CORE] INFO: Beginning prefork (4 processes)
[2014/11/14-11:26:02 - 13472] [CORE] INFO: Starting "4" children
[2014/11/14-11:26:02 - 13474] [CORE] DEBUG: Child Preforked (13474)
[2014/11/14-11:26:02 - 13474] [CBPOLICYD] DEBUG: Starting up caching engine
[2014/11/14-11:26:02 - 13472] [CORE] DEBUG: Parent ready for children.
[2014/11/14-11:26:02 - 13476] [CORE] DEBUG: Child Preforked (13476)
[2014/11/14-11:26:02 - 13476] [CBPOLICYD] DEBUG: Starting up caching engine
[2014/11/14-11:26:02 - 13477] [CORE] DEBUG: Child Preforked (13477)
[2014/11/14-11:26:02 - 13477] [CBPOLICYD] DEBUG: Starting up caching engine
[2014/11/14-11:26:02 - 13475] [CORE] DEBUG: Child Preforked (13475)
[2014/11/14-11:26:02 - 13475] [CBPOLICYD] DEBUG: Starting up caching engine
##############################################################################################
And this is the debug log while processing emails:
##############################################################################################
[2014/11/13-13:56:52 - 18992] [PROTOCOLS/Postfix] DEBUG: Possible Postfix protocol
[2014/11/13-13:56:52 - 18992] [PROTOCOLS/Postfix] INFO: Identified Postfix protocol
[2014/11/13-13:56:52 - 18992] [TRACKING] DEBUG: No session tracking data exists for request: $VAR1 = {
'ccert_fingerprint' => '',
'sasl_method' => '',
'sasl_sender' => '',
'size' => 3375,
'_timestamp' => 1415883412,
'helo_name' => 'duda',
'reverse_client_name' => 'unknown',
'queue_id' => '399CA208A3',
'encryption_cipher' => '',
'encryption_protocol' => '',
'etrn_domain' => '',
'ccert_subject' => '',
'request' => 'smtpd_access_policy',
'protocol_state' => 'END-OF-MESSAGE',
'stress' => '',
'_peer_address' => '127.0.0.1',
'recipient' => '[email protected]',
'sasl_username' => '',
'instance' => '1bb7.5464aa91.39579.0',
'protocol_name' => 'ESMTP',
'encryption_keysize' => '0',
'recipient_count' => '1',
'ccert_issuer' => '',
'sender' => '[email protected]',
'client_name' => 'unknown',
'client_address' => '10.32.2.152',
'_protocol_transport' => 'Postfix'
};
[2014/11/13-13:56:52 - 18992] [TRACKING] DEBUG: Protocol state is 'END-OF-MESSAGE', decoding policy...
[2014/11/13-13:56:52 - 18992] [TRACKING] DEBUG: Decoded into: $VAR1 = undef;
[2014/11/13-13:56:52 - 18992] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {
'SASLUsername' => '',
'QueueID' => '399CA208A3',
'RecipientData' => '',
'Instance' => '1bb7.5464aa91.39579.0',
'EncryptionCipher' => '',
'Size' => '4',
'EncryptionKeySize' => '0',
'UnixTimestamp' => 1415883412,
'ProtocolTransport' => 'Postfix',
'EncryptionProtocol' => '',
'Helo' => 'duda',
'ClientAddress' => '10.32.2.152',
'ClientName' => 'unknown',
'Sender' => '[email protected]',
'SASLSender' => '',
'_ClientAddress' => bless( {
'raw_ip' => '10.32.2.152',
'ip' => '10.32.2.152',
'ip_version' => 4,
'cidr' => 32
}, 'awitpt::netip' ),
'ProtocolState' => 'END-OF-MESSAGE',
'Protocol' => 'ESMTP',
'ClientReverseName' => 'unknown',
'SASLMethod' => ''
};
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] INFO: Got request #11 (pipelined)
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: Access Control Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'Access Control Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: HELO/EHLO Check Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'HELO/EHLO Check Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: SPF Check Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'SPF Check Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: Greylisting Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'Greylisting Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'Quotas Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Running module: Accounting Plugin
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Module 'Accounting Plugin' returned CBP_SKIP
[2014/11/13-13:56:52 - 18992] [CBPOLICYD] DEBUG: Done with modules
[2014/11/13-13:58:34 - 18992] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:49353, Local: 127.0.0.1:10031
[2014/11/13-13:58:34 - 18699] [CORE] INFO: Killing "1" children
[2014/11/13-13:58:34 - 7099] [CBPOLICYD] DEBUG: Caching engine: hits = 0, misses = 0
[2014/11/13-13:58:34 - 7099] [CBPOLICYD] DEBUG: Shutting down caching engine (7099)
###############################################################################################
This is my configuration:
###############################################################################################
#
# Server configuration
#
[server]
protocols=<<EOT
Postfix
EOT
# Modules to load
modules=<<EOT
Core
AccessControl
Amavis
Accounting
CheckHelo
CheckSPF
Greylisting
Quotas
EOT
# User to run this daemon as
user=cbpolicyd
group=cbpolicyd
# Filename to store pid of parent process
#pid_file=/var/run/cbpolicyd/cbpolicyd.pid
# Cache file
cache_file=/var/run/cbpolicyd/cache
# Uncommenting the below option will prevent cbpolicyd going into the background
#background=no
# Preforking configuration
#
# min_server - Minimum servers to keep around
# min_spare_servers - Minimum spare servers to keep around ready to
# handle requests
# max_spare_servers - Maximum spare servers to have around doing nothing
# max_servers - Maximum servers alltogether
# max_requests - Maximum number of requests each child will serve
#
# One may want to use the following as a rough guideline...
# Small mailserver: 2, 2, 4, 10, 1000
# Medium mailserver: 4, 4, 12, 25, 1000
# Large mailserver: 8, 8, 16, 64, 1000
# 2014-10-23 SF added configuration suggest by wiki.policyd.org/cluebringer.conf for medium mailservers
min_servers=4
min_spare_servers=4
max_spare_servers=12
max_servers=25
max_requests=1000
# Log level:
# 0 - Errors only
# 1 - Warnings and errors
# 2 - Notices, warnings, errors
# 3 - Info, notices, warnings, errors
# 4 - Debugging
#log_level=2
log_level=4
# File to log to instead of stdout
log_file=/var/log/cbpolicyd/cbpolicyd.log
# Log destination for mail logs...
# main - Default. Log to policyd's main log mechanism, accepts NO args
# syslog - log mail via syslog
# format: log_mail=facility@method,args
#
# Valid methods for syslog:
# native - Let Sys::Syslog decide
# unix - Unix socket
# udp - UDP socket
# stream - Stream (for Solaris)
#
# Example: unix native
#log_mail=mail@syslog:native
#
# Example: unix socket
#log_mail=mail@syslog:unix
#
# Example: udp
#log_mail=mail@syslog:udp,127.0.0.1
#
# Example: Solaris
#log_mail=local0@syslog:stream,/dev/log
log_mail=mail@syslog:native
# Things to log in extreme detail
# modules - Log detailed module running information
# tracking - Log detailed tracking information
# policies - Log policy resolution
# protocols - Log general protocol info, but detailed
# bizanga - Log the bizanga protocol
# cache - Log cache usage on client shutdown
#
# There is no default for this configuration option. Options can be
# separated by commas. ie. protocols,modules
#
#log_detail=
log_detail=modules,tracking,policies,protocols,cache
# Protocol to use "tcp" or "unix", defaults to "tcp"
#proto=tcp
# IP to listen on, * for all. Blank for unix sockets
#host=*
# Port to run on, in the case of a unix socket it would be the path
# eg. 10031
# eg. /var/run/cbpolicyd/policyd.sock
#port=10031
# Timeout in communication with clients
# Idle timeout in postfix defaults to 1015s (active connection)
#timeout_idle=1015
# Busy sockets in postfix defaults to 100s
#timeout_busy=115
# cidr_allow/cidr_deny
# Comma, whitespace or semi-colon separated. Contains a CIDR block to
# compare the clients IP to. If cidr_allow or cidr_deny options are
# given, the incoming client must match a cidr_allow and not match a
# cidr_deny or the client connection will be closed.
#cidr_allow=0.0.0.0/0
#cidr_deny=
[database]
#DSN=DBI:SQLite:dbname=policyd.sqlite
DSN=DBI:mysql:database=policyd;host=localhost
Username=cbpolicyd
Password=Ied$xaib8got
#
# What do we do when we have a database connection problem
# tempfail - Return temporary failure
# pass - Return success
bypass_mode=tempfail
# How many seconds before we retry a DB connection
bypass_timeout=30
# Table prefix to use, be sure to generate the schema with the table
# prefix aswell!
#table_prefix=
# Access Control module
# enable=0 # Disabled by default
[AccessControl]
enable=1
# Amavis module
[Amavis]
enable=1
# Accounting module
[Accounting]
enable=1
# CheckHelo module
[CheckHelo]
enable=1
# CheckSPF module
[CheckSPF]
enable=1
# Greylisting module
[Greylisting]
enable=1
#training_mode=1
#defer_message=Greylisting in effect, please come back later
#blacklist_message=Greylisting in effect, sending server blacklisted
# Quotas module
[Quotas]
enable=1
###############################################################################################
Location amavisd-policyd.pm: /usr/local/lib/perl/amavisd-policyd.pm
Changes in amavisd-policyd.pm:
###############################################################################################
package Amavis::Custom;
use strict;
# 2014-10-23 SF changed path to cbpolicyd
#use lib('/usr/local/lib/policyd-2.0','/usr/lib/policyd-2.0');
use lib('/usr/lib64/cbpolicyd-2.1');
my $DB_dsn = "DBI:mysql:database=policyd;host=localhost";
my $DB_user = "<usercbpolicyd>";
my $DB_pass = "<password>";
my $DB_prefix = "";
###############################################################################################
Changes in amavisd.conf
###############################################################################################
use strict;
# a minimalistic configuration file for amavisd-new with all necessary settings
#
# see amavisd.conf-default for a list of all variables with their defaults;
# for more details see documentation in INSTALL, README_FILES/*
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
# 2014-10-23 SF added for cbpolicyd support
include_config_files('/usr/local/lib/perl/amavisd-policyd.pm');
# COMMONLY ADJUSTED SETTINGS:
# @bypass_virus_checks_maps = (1); # controls running of anti-virus code
# @bypass_spam_checks_maps = (1); # controls running of anti-spam code
# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
$max_servers = 2; # num of pre-forked children (2..30 is common), -m
$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
$mydomain = 'domain.de'; # a convenient default for other settings
###############################################################################################
Postfix Configuration:
###############################################################################################
# main.cf original settings
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
inet_interfaces = all
myhostname = smtp.domain.de
mynetworks = 127.0.0.0/8 10.32.2.0/24 91.239.20.0/24 10.32.249.0/24
header_checks = pcre:/etc/postfix/header_checks
unverified_recipient_reject_code = 577
# 2014-09-30 SF enabled amavisd
content_filter=amavisfeed:[127.0.0.1]:10024
# 2014-09-30 SF add check_policy_service inet:127.0.0.1:10031 for cbpolicyd usage
smtpd_recipient_restrictions =
#   check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    check_client_access hash:/etc/postfix/check_client_access
    check_sender_access hash:/etc/postfix/check_sender_access
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/check_recipient_whitelist
    check_client_access cidr:/etc/postfix/dnswl-header
    check_client_access cidr:/etc/postfix/dnswl-permit
    reject_rbl_client pbl.spamhaus.org
    check_sender_access hash:/etc/postfix/domain_spoofing
    check_policy_service inet:127.0.0.1:10031
    check_recipient_access hash:/etc/postfix/check_recipient_access
    check_recipient_access hash:/etc/postfix/check_reject_unknown
    defer
#   reject_unverified_recipient
# 2014-09-30 SF add smtpd_end_of_data_restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:10031
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/pki/tls/private/smtp.domain.de.key
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp.domain.de.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_auth_only = no
smtp_tls_key_file = /etc/pki/tls/private/smtp.domain.de.key
smtp_tls_cert_file = /etc/pki/tls/certs/smtp.domain.de.crt
smtp_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtp_tls_loglevel = 3
smtp_tls_session_cache_timeout = 3600s
###############################################################################################
At first I thought content_filter wasn't needed for amavis to be
processed in combination with policyd, but I found a sample configuration
which has the content_filter option set in postfix/main.cf, so I guess
it's obligatory.
If I configure content_filter I get this error in my maillog from amavis:
###############################################################################################
Nov 7 15:43:14 smtp02-v amavis[5050]: (05050-01) (!)policyd/process_policy: Failed to parse in queue id from received line 'Received: by smtp.domain.de (Postfix, from userid 99)\n\tid D081D20836; Fri, 7 Nov 2014 15:43:14 +0100 (CET)\n'
###############################################################################################
I found something like this error in the mailing archive but could not
find a working solution in that thread.
Can someone help me with that stuff?
Thank you in advance.
Best regards
Sebastian
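
The Received line in the error above is Postfix's local-submission form (`from userid 99`), which puts the queue ID after a bare `id` rather than after `with ESMTP id`. The following is an added diagnostic example, not part of the original post and not code from the amavisd policyd patch: it extracts the queue ID from both forms so headers from a test message can be checked. The two patterns are assumptions based on Postfix's default Received formats, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Postfix queue ID: short IDs are upper-case hex (D081D20836); the class
# also admits the longer alphanumeric IDs (assumed 6-20 characters).
QID = r"[0-9A-Za-z]{6,20}"
FORMS = (
    # network delivery: "by HOST (Postfix) with ESMTP id QID"
    ("smtpd", re.compile(r"\bby \S+ \(Postfix\) with \S+ id (" + QID + r")\b")),
    # local submission: "by HOST (Postfix, from userid N) id QID;"
    ("pickup", re.compile(r"\bby \S+ \(Postfix, from userid \d+\) id (" + QID + r");")),
)

def queue_id(received):
    """Return (form, queue_id) for one Received value, else (None, None)."""
    flat = " ".join(received.split())  # unfold "\n\t" continuation lines
    for form, rx in FORMS:
        m = rx.search(flat)
        if m:
            return form, m.group(1)
    return None, None

def postfix_hops(raw_message):
    """List (form, queue_id) for every Received header, newest first."""
    msg = message_from_string(raw_message)
    return [queue_id(v) for v in msg.get_all("Received", [])]

# Received value taken from the amavis error line quoted in the post.
PICKUP_LINE = ("by smtp.domain.de (Postfix, from userid 99)\n"
               "\tid D081D20836; Fri, 7 Nov 2014 15:43:14 +0100 (CET)")
# Constructed sample: smtpd-form header built from the HELO, client address
# and queue ID in the post's debug log; the recipient is a placeholder.
SMTPD_LINE = ("from duda (unknown [10.32.2.152])\n"
              "\tby smtp.domain.de (Postfix) with ESMTP id 399CA208A3\n"
              "\tfor <user@example.org>; Thu, 13 Nov 2014 13:56:52 +0100 (CET)")
# Constructed message: one pickup hop plus a header with no queue ID.
SAMPLE_MSG = ("Received: " + PICKUP_LINE + "\n"
              "Received: from localhost by smtp.domain.de; no queue id here\n"
              "Subject: constructed test message\n\nbody\n")

if __name__ == "__main__":
    for line in (PICKUP_LINE, SMTPD_LINE):
        print(queue_id(line))
    print(postfix_hops(SAMPLE_MSG))
```
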