@lbutlr wrote on 16.06.2019 at 23:41:
> Seems like the -I fall should be taking care of this for me, at present. But
> how do I tell spamass-milter not to check for PBL and other similar tests on
> mails from local users to local users?
With postfix, best practice for locally submitted mail is to

1. submit authenticated mail to a different port than 25. Standard port for submission is 587.
2. On submission port, configure the smtpd daemon to not spamassassin-scan submitted mail

Since you seem to use spamass-milter, I can give my server as an example of how you might do this. With milter, you implement before-queue spam filtering according to http://www.postfix.org/MILTER_README.html. If you need after-queue inspecting, consult http://www.postfix.org/FILTER_README.html and http://www.postfix.org/SMTPD_PROXY_README.html. I also include clamav virus scanning and dkim-signing and verification with opendkim as milter.

You need to configure main.cf and some local smtpd options in master.cf. If you want to quickly get to the point of all this, scroll to the last paragraph of this mail.

Configure smtpd restrictions in /etc/postfix/main.cf:
This implements best practice according to http://www.postfix.org/SMTPD_ACCESS_README.html. It became rather long, but posting only an excerpt of the *_restrictions checklist makes it all pointless. The checklist makes use of the current postfix features for access control, junk mail control and relay control. It's a strict but not paranoid restrictions collection suited for at least a tiny or small mail server. It may be that bigger mail servers need to make it more forgiving, but on the other hand this might be achieved by writing offenders to the several local black- and whitelists that are accessed.


# order of restriction list evaluation: client, helo, sender, relay, recipient, data or end-of-data

# all client commands
smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_access

# HELO/EHLO
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  check_helo_access hash:/etc/postfix/helo_checks

# MAIL FROM
smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/sender_checks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain

# RCPT TO
# relay policy
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination

# RCPT TO
# spam blocking policy
smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_recipient_access hash:/etc/postfix/recipient_access,
  check_client_access hash:/etc/postfix/rbl_whitelist,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client b.barracudacentral.org,
  check_policy_service unix:private/policyd-spf

# DATA
smtpd_data_restrictions =
  reject_unauth_pipelining

mua_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_sasl_authenticated,
  reject


Configure smtpd milter-related options in /etc/postfix/main.cf:

# milter setup
milter_connect_macros = j {daemon_name} v _
milter_default_action = accept

# milters for the public port 25 smtpd daemon (dkim sign, dmarc check, virus scan, spam detection)
smtpd_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/var/run/opendmarc-postfix/sock,
  unix:/var/run/clamav-milter/clamav-milter.socket,
  unix:/run/spamass-milter/postfix/sock

# milters for mail submissions from local applications (dkim sign)
non_smtpd_milters =
  unix:/var/run/opendkim-postfix/sock

# milters for the submission smtpd daemon (dkim sign, virus scan)
mua_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/var/run/clamav-milter/clamav-milter.socket


Finally, configure the submission smtpd daemon in /etc/postfix/master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=$mua_milters

With these local options in master.cf you exclude spamass-milter processing from mails submitted on the submission port ($mua_milters) but instead do dkim-signing. The changed smtpd_recipient_restrictions allows authenticated submissions only and doesn't reject mail from blocklists, so anyone from a dial-up network range, such as you and everybody from his home, is allowed to submit without penalty.

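Whether the submission service really bypasses spamass-milter depends on how the `-o smtpd_milters=$mua_milters` override in master.cf resolves against main.cf. The sketch below is an added example, not part of the original mail or of postfix: it resolves the effective milter list per service from constructed excerpts of the configuration above and flags any SASL-enabled service still wired to spamass-milter. The port-25 `smtp` entry and all function names are assumptions.

```python
import re
# Constructed sample: excerpts of the mail's config; the "smtp" entry is an assumed default.
MAIN_CF = """\
smtpd_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/run/spamass-milter/postfix/sock
mua_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/var/run/clamav-milter/clamav-milter.socket
"""
MASTER_CF = """\
smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=$mua_milters
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the line they extend."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def parse_main(text):
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in logical_lines(text))}
def parse_master(text):
    """Map service name -> its '-o name=value' overrides (spaces around '=' unsupported)."""
    return {l.split()[0]: dict(re.findall(r"-o\s+([\w.]+)=(\S+)", l)) for l in logical_lines(text)}

def effective_milters(svc, main, master):
    """smtpd_milters a service really uses: its -o override, else main.cf; $name expanded."""
    value = master[svc].get("smtpd_milters", main.get("smtpd_milters", ""))
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: main.get(m.group(1), ""), value)
    return [m for m in re.split(r"[,\s]+", value) if m]

def audit(main, master):
    """Flag SASL-enabled services that still route mail through spamass-milter."""
    return [svc for svc, opts in master.items()
            if opts.get("smtpd_sasl_auth_enable") == "yes"
            and any("spamass" in m for m in effective_milters(svc, main, master))]

if __name__ == "__main__":
    print(audit(parse_main(MAIN_CF), parse_master(MASTER_CF)) or "no authenticated service uses spamass-milter")
```

On a live server, `postconf -n` and `postconf -M` print the real main.cf and master.cf settings to compare against.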