From: mouss (no email)
Date: Wed Jun 01 2005 - 15:49:39 EDT
db wrote:
> Hi list
>
> I'm using postfix-2.2.3 with amavisd-new 2.3.1 on FreeBSD 5.4.
> I've read some tutorials, but I'm still a little unsure how this works.
>
> Current setup:
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> debug_peer_level = 2
> html_directory = no
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> mydestination =
> newaliases_path = /usr/local/bin/newaliases
> proxy_interfaces = my_ip
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains = proxy:pgsql:/usr/local/etc/postfix/relaydomainmap
> relay_recipient_maps = proxy:pgsql:/usr/local/etc/postfix/relayaliasmap
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_client_restrictions = reject_rbl_client bl.spamcop.net,
> reject_rbl_client list.dsbl.org, permit
> transport_maps = proxy:pgsql:/usr/local/etc/postfix/mxmap
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/aliasmap
> virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/domainmap
> virtual_transport = maildrop
>
> As shown, all mails are in the relay table or virtual table and mail is
> delivered with maildrop (mail to local users in /etc/alias is being
> forwarded to some mail address, since all users are virtual users).
>
> I want postfix to send mail to amavisd-new after the address lookup, so that
> only mails with a valid recipient are scanned, so in main.cf I added:
> content_filter = scan:10.0.0.5:10024
>
> And in master.cf:
> scan unix - - n - 10 smtp
> -o smtp_data_done_timeout=1200 #?
since you're sending mail to amavis, use a larger timeout (default is
600 if my memory is good). this is because amavis will take some time to
scan the message.
> -o smtp_send_xforward_command=yes
>
> localhost:10025 inet n - n - 10 smtpd
use 127.0.0.1 instead of localhost
> -o content_filter= # Or else it would loop
> -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
> -o smtpd_recipient_restrictions=
replace this with
-o mynetworks=127.0.0.0/8
-o smtpd_recipient_restrictions=permit_mynetworks,reject
so that it only accepts connections from localhost.
> -o smtpd_client_restrictions= # Don't do those lookups again
you can also add
-o smtpd_helo_restrictions=
the purpose of these is to avoid applying those restrictions (in case
you have them in your main.cf).
> -o smtpd_authorized_xforward_hosts=10.0.0.5
> -o strict_rfc821_envelopes=yes #?
at this point, email has passed through postfix, and so email addresses
should be well formed. default is to support broken clients that use
rfc822 style addresses. you can set this in your main.cf if you want
(but make sure your clients do generate valid addresses).
> -o smtpd_error_sleep_time=0 #?
in case of misbehaving clients, postfix sleeps before continuing. this
would be bad when the mail is from amavisd.
> -o smtpd_soft_error_limit=1001 #?
> -o smtpd_hard_error_limit=1000 #?
at this point, email is sent by amavisd, so be more tolerant. allow that
many errors before "getting too angry".
>
> So now only mails with valid addresses are scanned?
if you correctly implement rcpt validation (which you seem to do), only
valid rcpt email passes the first listener, whatever you do next.
The thing is to avoid a second validation, which you do with the
no_unknown_***. so that seems ok.
>
> Are local mail scanned? I have seen some set
> local_recipient_maps=
> in localhost:10025, so wondered if local mail was not scanned? Which would in
> fact be the desired behavior, since the mail will be scanned again after the
> forward from /etc/alias.
if your setup is all virtual, why care about /etc/aliases? this will
only be used for system generated mail which goes through postfix by way
of pickup and not smtpd. just set myorigin to your virtual domain. (you
can even use virtual aliases instead of /etc/aliases).
>
> Are relay mail scanned? If not, how can I make it so? (no plans of doing that
> right now, but it would be nice to know).
all mail received by smtpd will be scanned.
>
> I of course want to disable checks on 10025 that have already been done on 25,
> but in order to determine if the mail is "virtual" and thereby for maildrop
> it has to look up the mail address again or how does that work?
relay_domains and virtual_[alias|mailbox]_domains tell whether an email
is to be delivered through relay or virtual. depending on your setup,
you may or may not need a lookup to determine where the mailbox is and
which uid/gid to use.
> Are receive_override_options or smtpd_recipient_restrictions used for
> disabling these checks?
>
> Lines with #? at the end are added because they were there in the tutorials,
> but I don't know why?
is the above enough?
>
> Any others options I should add?
>
suggestions given above.
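
An added example, not part of the original message or of Postfix itself: a small Python check that audits a master.cf re-injection listener against the points raised in the reply (loopback bind, cleared content_filter, recipient restrictions that end in reject). The two sample entries are constructed, and the checks assume `mynetworks` as the name of the per-listener network override.

```python
import re

# Constructed master.cf entries modelled on the listener discussed in the thread.
SAMPLE_OPEN = """\
localhost:10025 inet n - n - 10 smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=
"""
SAMPLE_HARDENED = """\
127.0.0.1:10025 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def parse_service(text):
    """Return (service_field, {param: value}) for one master.cf entry."""
    tokens = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            tokens.extend(line.split())
    service, opts = tokens[0], {}
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-o" and "=" in arg:
            name, value = arg.split("=", 1)
            opts[name] = value
    return service, opts

def audit_reinjection(text):
    """List the ways the after-filter smtpd listener is left open."""
    service, opts = parse_service(text)
    findings = []
    host = service.rsplit(":", 1)[0] if ":" in service else ""
    if host != "127.0.0.1":
        findings.append("listener not bound to 127.0.0.1")
    if opts.get("content_filter") != "":
        findings.append("content_filter not cleared: mail loops to the filter")
    rules = [r for r in re.split(r"[,\s]+",
             opts.get("smtpd_recipient_restrictions", "")) if r]
    if "permit_mynetworks" not in rules or rules[-1:] != ["reject"]:
        findings.append("recipient restrictions do not permit_mynetworks then reject")
    if "mynetworks" not in opts:
        findings.append("mynetworks not overridden for this listener")
    return findings

if __name__ == "__main__":
    for name, entry in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_reinjection(entry))
```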