Internal IP range bypass filters

Internal IP range bypass filters

Simon Wilson-7
I have a bunch of servers that send internal network only emails and  
reports, e.g. logwatch data, etc. All servers are configured to use a  
simple local postfix instance that delivers mail to my primary postfix  
server, specified thus:

relayhost = [192.168.1.235]

That works fine, email hits that server on port 25 and is accepted  
because the addresses are in mynetworks of postfix listening on  
192.168.1.235:25. But at the moment it is then processed through ->  
amavisd lmtp / spamassassin -> Postfix on port 10025 -> delivered. And  
sometimes they get spam trapped (particularly the ones from logwatch  
on postfix with spamassassin info in them).

I'd like the server to not run these internal only emails through  
amavisd-new, but to just send them to the internal destination.

What's the best way?

I have a (currently empty) client_checks test that I could run  
"192.168.1 FILTER [127.0.0.1]:10025" in, but if I try that at the  
moment I get:

warning: connect to transport private/smtp[127.0.0.1]: No such file or  
directory
warning: connect to transport private/retry: Connection refused

which I think is because my postfix on port 10025 is only configured  
to listen to localhost (127.0.0.1:10025 inet;  
smtpd_client_restrictions=permit_mynetworks,reject; and  
mynetworks=127.0.0.0/8)... which makes sense, that service is pretty  
much straight in.

So that got me thinking, is that the best way anyway?

I thought about submitting them to port 587 and disabling scanning on  
MYNETS in amavisd - but then if one of my users gets compromised  
outgoing email is not being spam scanned, so that's not my preference.

What recommendations for running internal source / internal  
destination only emails through with minimal overhead - straight  
through postfix to delivery?

Ideally I want something along the lines of
IF((source IP = 192.168.1.0/24) AND (destination =  
(root,[hidden email],whatever_other_internal)) THEN: send  
through aliases and to delivery transport.

Simon.

--
Simon Wilson
M: 0400 12 11 16

Re: Internal IP range bypass filters

Wietse Venema
Simon Wilson:
> I have a (currently empty) client_checks test that I could run  
> "192.168.1 FILTER [127.0.0.1]:10025" in, but if I try that at the  

That is not valid syntax. You must specify a delivery method
before the destination:

        FILTER transport:destination

Example:

        FILTER smtp:[127.0.0.1]:10025

(destination is [127.0.0.1]:10025).

> warning: connect to transport private/retry: Connection refused

SELinux mis-configuration?

        Wietse
Re: Internal IP range bypass filters

Simon Wilson-7
----- Message from [hidden email] ---------
     Date: Tue, 18 Jul 2017 11:55:52 -0400 (EDT)
     From: [hidden email]
Reply-To: Postfix users <[hidden email]>
  Subject: Re: Internal IP range bypass filters
       To: Postfix users <[hidden email]>


> Simon Wilson:
>> I have a (currently empty) client_checks test that I could run
>> "192.168.1 FILTER [127.0.0.1]:10025" in, but if I try that at the
>
> That is not valid syntax. You must specify a delivery method
> before the destination:
>
> FILTER transport:destination
>
> Example:
>
> FILTER smtp:[127.0.0.1]:10025

Yep that fixed it. Thanks Wietse. I did actually have 'smtp' in there  
but had missed the first colon - all works now.

I needed to make sure that check_client_access was before  
permit_mynetworks for obvious reasons. This FILTER assignment is the  
only thing in there.

Thanks

>
> (destination is [127.0.0.1]:10025).
>
>> warning: connect to transport private/retry: Connection refused
>
> SELinux mis-configuration?
>
> Wietse


----- End message from [hidden email] -----



--
Simon Wilson
M: 0400 12 11 16
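
The configuration the thread converges on, assembled and checked as an added example (this is not code from the thread, nor from Postfix itself). It writes the three fragments involved, validates each FILTER action against the access(5) form Wietse gives (`FILTER transport:destination`), and checks the ordering point Simon makes in his last message (check_client_access before permit_mynetworks, since permit_mynetworks ends the evaluation for hosts in mynetworks and the map would never be consulted). Assumed, because the thread does not show them: the map path hash:/etc/postfix/client_checks, the exact restriction list, and the `-o content_filter=` line on the 10025 listener (without it, mail handed to 10025 would be sent through amavisd again). The first post's warning `connect to transport private/smtp[127.0.0.1]` is what Postfix logs when the colon is missing: it then takes `smtp[127.0.0.1]` as the transport name, and the check below flags exactly that. Caveat a practitioner should keep in mind: a client access map only sees the client address, so this FILTER applies to all mail from 192.168.1.x regardless of recipient; the destination half of the condition Simon sketches is not expressed here, and mail from those hosts to external recipients also skips amavisd. The `postmap` step runs only when Postfix is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the Postfix pieces the
# thread ends with and checks them for the two mistakes discussed:
#   1. a FILTER action without the "transport:" prefix, and
#   2. check_client_access listed after permit_mynetworks.
# Assumed (hypothetical) values: filter listener 127.0.0.1:10025, map at
# hash:/etc/postfix/client_checks, internal range 192.168.1.0/24.

# Validate one access(5) action of the form "FILTER transport:destination".
# Prints "ok" and returns 0, otherwise prints the problem and returns 1.
check_filter_action() {
    action=$1
    case $action in
        "FILTER "*) ;;
        *) echo "not a FILTER action: '$action'"; return 1 ;;
    esac
    rest=${action#FILTER }
    case $rest in
        *:*) ;;
        *) echo "missing transport: prefix in '$action'"; return 1 ;;
    esac
    transport=${rest%%:*}
    dest=${rest#*:}
    # A transport is a master.cf service name: letters, digits, _ and -.
    # "[127.0.0.1]" or "smtp[127.0.0.1]" here means the colon was left out.
    case $transport in
        ""|*[!a-z0-9_-]*) echo "bad transport name '$transport' (missing colon?)"; return 1 ;;
    esac
    case $dest in
        "") echo "empty destination in '$action'"; return 1 ;;
        "["*"]"|"["*"]:"[0-9]*) echo ok ;;      # [host] or [host]:port, no MX lookup
        *) echo "ok (no [] around '$dest': Postfix will do an MX lookup on it)" ;;
    esac
}

# Return 0 when every check_client_access in a restriction list precedes
# permit_mynetworks; otherwise the map (and its FILTER) is never reached for
# clients inside mynetworks.
restriction_order_ok() {
    seen_permit=0
    for word in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $word in
            permit_mynetworks)   seen_permit=1 ;;
            check_client_access) [ "$seen_permit" -eq 0 ] || return 1 ;;
        esac
    done
    return 0
}

# Write the fragments into directory $1 and check them; returns 0 when clean.
write_and_check() {
    dir=$1
    mkdir -p "$dir"

    # Access map keyed by client address. For a hash: map the key "192.168.1"
    # matches every 192.168.1.x client (smtpd also tries the parent networks).
    cat >"$dir/client_checks" <<'EOF'
# internal hosts: skip amavisd, hand straight to the post-filter listener
192.168.1    FILTER smtp:[127.0.0.1]:10025
EOF

    # main.cf: the map must be consulted before permit_mynetworks (assumed list).
    cat >"$dir/main.cf.fragment" <<'EOF'
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    reject
EOF

    # master.cf: loopback-only listener on 10025 with content_filter cleared
    # (assumed line) so mail handed to it is not sent back through amavisd.
    cat >"$dir/master.cf.fragment" <<'EOF'
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
EOF

    status=0
    while read -r key action; do
        case $key in ""|\#*) continue ;; esac
        verdict=$(check_filter_action "$action") || status=1
        printf '%-12s %s\n' "$key" "$verdict"
    done <"$dir/client_checks"

    restrictions=$(sed 's/^smtpd_client_restrictions *=//' "$dir/main.cf.fragment")
    if restriction_order_ok "$restrictions"; then
        echo "restriction order ok"
    else
        echo "check_client_access must come before permit_mynetworks"; status=1
    fi

    # Build and query the map only when Postfix is installed (exact-key lookup;
    # the parent-network stripping is done by smtpd, not by postmap -q).
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dir/client_checks" && postmap -q 192.168.1 "hash:$dir/client_checks"
    fi
    return $status
}

workdir=$(mktemp -d "${TMPDIR:-/tmp}/postfix-bypass.XXXXXX")
write_and_check "$workdir"
echo "fragments written to $workdir"
```

Run it as-is to see the verdict for each map entry; feed `check_filter_action` the first post's `FILTER [127.0.0.1]:10025` or the colon-less `FILTER smtp[127.0.0.1]:10025` and it reports a bad transport name, which is the shape of the mistake both Simon's log line and Wietse's reply point at.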
