
Setting amavis content_filter in main.cf


Setting amavis content_filter in main.cf

Robert Moskowitz
I am reading the amavis-new readme for postfix.

It almost reads like main.cf should have:

content_filter=amavisfeed:[127.0.0.1]:10024

rather than how I see it all over in master.cf.  Its presence as an
option in master.cf is very inconsistent.

Are there services in master.cf that should not have a content_filter to
amavisfeed?

thank you


Re: Setting amavis content_filter in main.cf

Robert Moskowitz
As I dig into this more, I can see why not to make content_filter
global.  Unless there is some way not to have it work with localhost
connections.

On 03/08/2017 03:03 PM, Robert Moskowitz wrote:

> I am reading the amavis-new readme for postfix.
>
> It almost reads like main.cf should have:
>
> content_filter=amavisfeed:[127.0.0.1]:10024
>
> rather than how I see it all over in master.cf.  Its presence as an
> option in master.cf is very inconsistent.
>
> Are there services in master.cf that should not have a content_filter
> to amavisfeed?
>
> thank you
>
>


Re: Setting amavis content_filter in main.cf

chaouche yacine
Hello Robert,

Here's my setup :


in main.cf :

content_filter = amavis:[127.0.0.1]:10024

This tells postfix to use the amavis "service" (defined later in master.cf) to send all incoming mails to localhost port 10024





in master.cf :
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes



this defines the amavis "service" as a unix socket named amavis. It is delivering e-mail with the SMTP command to amavis, the mail filtering software.


Once amavis is done scanning the e-mail, it will reinject them to the postfix queue, usually on port 10025. So one must also instruct postfix to listen on that port for incoming e-mail (from amavis). This is also done in master.cf :


127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        #-o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks


This defines a new Internet socket for the smtpd daemon listening for requests on 127.0.0.1 port 10025.

Notice that this service doesn't use a content_filter because :

1. The e-mail is coming already filtered from amavis so there's no need to filter it again.
2. If the -o content_filter is omitted, the content_filter defined in main.cf will apply, which means postfix will reinject mail to amavis, which will filter again and send to postfix, which will send to amavis... (loop) see http://i.imgur.com/aUAsuR1.png for a diagram.


On Wednesday, March 8, 2017 10:07 PM, Robert Moskowitz <[hidden email]> wrote:



As I dig into this more, I can see why not to make content_filter
global.  Unless there is some way not to have it work with localhost
connections.


On 03/08/2017 03:03 PM, Robert Moskowitz wrote:

> I am reading the amavis-new readme for postfix.
>
> It almost reads like main.cf should have:
>
> content_filter=amavisfeed:[127.0.0.1]:10024
>
> rather than how I see it all over in master.cf.  Its presence as an
> option in master.cf is very inconsistent.
>
> Are there services in master.cf that should not have a content_filter
> to amavisfeed?
>
> thank you
>
>

Re: Setting amavis content_filter in main.cf

Robert Moskowitz
Thank you for this.  I will review it.

One comment I got over on the amavis list was that not to filter from
localhost.  Like mail sent from logwatch.  How does this handle
localhost sent mail?



On 03/09/2017 06:01 AM, chaouche yacine wrote:

> Hello Robert,
>
> Here's my setup :
>
>
> in main.cf :
>
> content_filter = amavis:[127.0.0.1]:10024
>
> This tells postfix to use the amavis "service" (defined later in master.cf) to send all incoming mails to localhost port 10024
>
>
>
>
>
> in master.cf :
> amavis unix - - - - 2 smtp
>          -o smtp_data_done_timeout=1200
>          -o smtp_send_xforward_command=yes
>
>
>
> this defines the amavis "service" as a unix socket named amavis. It is delivering e-mail with the SMTP command to amavis, the mail filtering software.
>
>
> Once amavis is done scanning the e-mail, it will reinject them to the postfix queue, usually on port 10025. So one must also instruct postfix to listen on that port for incoming e-mail (from amavis). This is also done in master.cf :
>
>
> 127.0.0.1:10025 inet n - - - - smtpd
> -o content_filter=
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> #-o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8
> -o strict_rfc821_envelopes=yes
> -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>
>
> This defines a new Internet socket for the smtpd daemon listening for requests on 127.0.0.1 port 10025.
>
> Notice that this service doesn't use a content_filter because :
>
> 1. The e-mail is coming already filtered from amavis so there's no need to filter it again.
> 2. If the -o content_filter is omitted, the content_filter defined in main.cf will apply, which means postfix will reinject mail to amavis, which will filter again and send to postfix, which will send to amavis... (loop) see http://i.imgur.com/aUAsuR1.png for a diagram.
>
>
> On Wednesday, March 8, 2017 10:07 PM, Robert Moskowitz <[hidden email]> wrote:
>
>
>
> As I dig into this more, I can see why not to make content_filter
> global.  Unless there is some way not to have it work with localhost
> connections.
>
>
> On 03/08/2017 03:03 PM, Robert Moskowitz wrote:
>> I am reading the amavis-new readme for postfix.
>>
>> It almost reads like main.cf should have:
>>
>> content_filter=amavisfeed:[127.0.0.1]:10024
>>
>> rather than how I see it all over in master.cf.  Its presence as an
>> option in master.cf is very inconsistent.
>>
>> Are there services in master.cf that should not have a content_filter
>> to amavisfeed?
>>
>> thank you
>>
>>


Re: Setting amavis content_filter in main.cf

chaouche yacine
Interesting question. In my master.cf, I have two smtp services : one is listening on the internet SMTP port (25) and the other is listening locally on a unix socket


root@messagerie-secours[CHROOT][10.10.10.19] /home/serveur # grep ^smtp /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
smtp      unix  -       -       -       -       -       smtp
root@messagerie-secours[CHROOT][10.10.10.19] /home/serveur #


If mail coming from localhost is delivered via the unix socket, then you can try and edit that line to add a blank content_filter option, like so :



smtp unix - - - - - smtp -o content_filter=

See if that works for you (didn't try it myself).

  -- Yassine.

Re: Setting amavis content_filter in main.cf

Peter Ajamian
> One comment I got over on the amavis list was that not to filter from
> localhost.  Like mail sent from logwatch.  How does this handle
> localhost sent mail?

Those submit through the pickup service, simply donk the content_filter
on the pickup service similar to how you do it on port 10025.

On 10/03/17 03:47, chaouche yacine wrote:
> Interesting question. In my master.cf, I have two smtp services : one
> is listening on the internet SMTP port (25) and the other is
> listening locally on a unix socket

Please do not muck with things you do not understand and please
definitely do not tell other people to muck with them.

> smtp      unix  -       -       -       -       -       smtp

This is the smtp(8) client service, used for making smtp connections to
other machines.  It is not for injecting mail into postfix and will not
do what you think it does.

> If mail coming from localhost is delivered via the unix socket, then
> you can try and edit that line to add a blank content_filter option,
> like so :
>
> smtp unix - - - - - smtp -o content_filter=

Wrong wrong wrong!  You're lucky that this simply won't do anything
because smtp(8) does not recognize the content_filter setting.  If it
did it could cause mail looping issues but fortunately it simply won't
do anything.

> See if that works for you (didn't try it myself).

Of course you didn't, otherwise you'd know it doesn't work.  But feel
free to make guinea pigs of other people to test your lack of knowledge.


Peter
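
Added example, not code from any poster in this thread: a small checker that computes which content_filter is actually in effect for each mail-receiving service in master.cf, given the global value from main.cf, and flags the re-injection loop described above. Assumptions: the function names are hypothetical, the sample master.cf is constructed, only the "-o name=value" override form is handled, and smtpd, pickup and qmqpd are taken as the daemons that honor content_filter.

```python
# Daemons that accept mail into the queue and so honor content_filter.
# The smtp(8) client is deliberately absent: it ignores the setting.
RECEIVERS = {"smtpd", "pickup", "qmqpd"}

# Constructed sample master.cf (not taken from any poster's system).
SAMPLE_MASTER = """
smtp      inet  n  -  n  -  -  smtpd
pickup    unix  n  -  n  60 1  pickup
    -o content_filter=
smtp      unix  -  -  -  -  -  smtp
amavis    unix  -  -  -  -  2  smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    #-o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
"""

def parse_master(text):
    """Join continuation lines (leading whitespace) into logical entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments never end a logical line
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return [e.split() for e in entries]

def effective_filters(master_text, global_filter):
    """Map (service, type) -> content_filter in effect, receivers only."""
    result = {}
    for f in parse_master(master_text):
        if len(f) < 8 or f[7] not in RECEIVERS:
            continue  # f[7] is the command field
        value, args = global_filter, f[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and args[i + 1].startswith("content_filter="):
                value = args[i + 1].split("=", 1)[1]  # last override wins
        result[(f[0], f[1])] = value
    return result

def reinjection_loops(master_text, global_filter, listener="127.0.0.1:10025"):
    """True if mail returning from the filter would be filtered again."""
    return bool(effective_filters(master_text, global_filter).get((listener, "inet")))
```

On a live system the two inputs would be the contents of /etc/postfix/master.cf and the output of "postconf -h content_filter".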