
Wanting incoming and outgoing e-mail monitored for spam and viruses

Right, I am trying to get postfix with amavisd-ng to probe and stop virus and spam mail.

However it seems that localhost is going through without scrutiny and
some incoming e-mail is not being stopped.

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
cyrus_sasl_config_path = /usr/contrib/lib/sasl2/
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = nk.ca
disable_vrfy_command = yes
fast_flush_domains = $relay_domains, nk.ca, nl2k.ab.ca
hash_queue_names = " " defer deferred
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/docs/postfix
in_flow_delay = 1s
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 21000000
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, www.$mydomain, ns1.$mydomain, ftp.$mydomain, secure.$mydomain, localhost.nl2k.ab.ca , localhost.nk.ca , $mydomain, mail.nk.ca, www.nk.ca, nk.ca, valid.nk.ca, secure.nl2k.ab.ca, dspam.nk.ca, dspam.netknow.ca, dspam.nl2k.ca, dspam.nl2k.ab.ca, edmontonab.ca, internetedmonton.ca, edmontoninternetserviceprovider.ca, internetalberta.ca, albertainternet.ca, albertainternetserviceprovider.ca, netknow.ca, nl2k.ca, nl2k.ab.ca, valid.nl2k.ab.ca, secure.nl2k.ab.ca, mail.nl2k.ab.ca, home.nl2k.ab.ca
mydomain = nk.ca
myhostname = doctor.nl2k.ab.ca
mynetworks = 204.209.81.0/24, 208.118.93.0/24, 208.118.94.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $virtual_alias_domains
relay_recipient_maps = hash:/etc/postfix/access
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client combined.njabl.org, reject_rbl_client dev.null.dk, reject_rbl_client flowgoaway.com, reject_rbl_client relays.visi.com, reject_rbl_client bl.spamcop.net, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.nk.ca
smtpd_sasl_path = smtpd
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mail.nk.ca.2009.cert.pem
smtpd_tls_key_file = /etc/postfix/mail.nk.ca.2009.key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = <surpressed>
virtual_alias_maps = hash:/etc/postfix/virtual

And the master.cf is

#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10125
    -o content_filter=amavisfeed:[120.0.0.1]:10024
##  -o cleanup_service_name=pre-cleanup

127.0.0.1:25 inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10125
    -o content_filter=amavisfeed:[120.0.0.1]:10024
#   -o receive_override_options=no_address_mappings

204.209.81.1:25 inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10125
    -o content_filter=amavisfeed:[120.0.0.1]:10024
#   -o receive_override_options=no_address_mappings

amavisfeed unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

##pre-cleanup unix n - n - 0 cleanup
##  -o virtual_alias_maps=

##cleanup unix n - n - 0 cleanup
##  -o mime_header_checks= 1
##  -o nested_header_checks= 2
##  -o body_checks= 3
##  -o header_checks= 4

submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
##  -o cleanup_service_name=pre-cleanup

smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
#   -o smtpd_etrn_restrictions=reject
#   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
spamchk unix - n n - 10 pipe
    flags=Rq user=milter argv=/usr/contrib/bin/spamchk -f ${sender} -- ${recipient}
pickup fifo n - n 60 1 pickup
    -o content_filter=
##  -o cleanup_service_name=pre-cleanup

cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
##  -o fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
    -o smtpd_proxy_filter=127.0.0.1:10125

#amavisfeed unix - - n - 2 lmtp
#   -o lmtp_data_done_timeout=1200
#   -o lmtp_send_xforward_command=yes
#   -o disable_dns_lookups=yes
#   -o max_use=20

anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
spamassassin unix - n n - - pipe
    user=milter argv=/usr/contrib/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
    -o smtp_send_xforward_command=yes
    -o smtp_enforce_tls=no

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

# For injecting mail back into postfix from the filter
127.0.0.1:10126 inet n - n - 16 smtpd
    -o content_filter=spamchk:dummy
    -o smtpd_proxy_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.1
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#   -o smtpd_delay_reject=no
#   -o smtpd_client_restrictions=permit_mynetworks,reject
#   -o smtpd_helo_restrictions=
#   -o smtpd_sender_restrictions=
#   -o smtpd_recipient_restrictions=permit_mynetworks,reject
#   -o smtpd_data_restrictions=reject_unauth_pipelining
#   -o smtpd_end_of_data_restrictions=
#   -o smtpd_restriction_classes=
#   -o mynetworks=127.0.0.0/8, 204.209.81.0/24, 208.118.93.0/24,
#   -o smtpd_error_sleep_time=0
#   -o smtpd_soft_error_limit=1001
#   -o smtpd_hard_error_limit=1000
#   -o smtpd_client_connection_count_limit=0
#   -o smtpd_client_connection_rate_limit=0
#   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
#   -o local_header_rewrite_clients=

#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog

Am I missing something?

Comments

Re: Wanting incoming and outgoing e-mail monitored for spam and

By mouss at 04/18/2010 - 15:43

The Doctor wrote:

Use amavisd-new instead of amavis-ng.

What do you mean by "localhost is going through"?

If you talk about mail submitted via the sendmail command, then it's
because you have "-o content_filter=" under pickup (in master.cf). If
you meant something else, please explain.

Anyway, why would spam get out of localhost? Is it because of a web
application? If so, better make the application use SMTP instead of the
sendmail command.

It's just here. You are disabling the content filter for pickup.
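One way to check which Postfix entry points actually hand mail to the filter, as an added example that is not code from this thread or from Postfix itself: it parses a master.cf (continuation lines start with whitespace, "#" lines are comments) and reports, for every smtpd, pickup and qmqpd service, whether content_filter is inherited from main.cf, overridden to empty, or pointed at a different target. The embedded master.cf is a constructed excerpt modelled on the one posted above, the main.cf value is the amavisfeed target from the postconf -n output, and the "[120.0.0.1]" override on the smtp listener is reproduced exactly as posted so that the mismatch with main.cf shows up in the report.

```python
"""Audit which Postfix entry points bypass or redirect the content_filter.

Added example for this thread, not the poster's or Postfix's own code.
"""
import re

# Constructed sample modelled on the master.cf posted above (an excerpt, not the full file).
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10125
    -o content_filter=amavisfeed:[120.0.0.1]:10024
amavisfeed unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

# content_filter value from the postconf -n output in the original post
MAIN_CF_CONTENT_FILTER = "amavisfeed:[127.0.0.1]:10024"

# Commands through which new mail enters Postfix; these are the ones that
# must reach the filter (delivery agents like smtp/local never do).
ENTRY_COMMANDS = {"smtpd", "pickup", "qmqpd"}


def parse_master_cf(text):
    """Return a list of (service, type, command, {option: value}) tuples."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0] in " \t":
            # Continuation line: "-o name=value" overrides for the previous service.
            if not services:
                raise ValueError("continuation line before any service entry")
            opts = services[-1][3]
            for m in re.finditer(r"-o\s+([A-Za-z0-9_]+)=(\S*)", raw):
                opts[m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        # fields: service type private unpriv chroot wakeup maxproc command [args]
        services.append((fields[0], fields[1], fields[7], {}))
    return services


def audit_content_filter(master_text, main_cf_filter):
    """Return {service: (status, effective_target)} for entry-point services.

    status is 'filtered' (uses the main.cf filter), 'disabled' (overridden to
    empty, so mail bypasses the filter) or 'redirected' (overridden to a
    different target than main.cf).
    """
    report = {}
    for name, _stype, command, opts in parse_master_cf(master_text):
        if command not in ENTRY_COMMANDS:
            continue
        override = opts.get("content_filter")
        if override is None or override == main_cf_filter:
            report[name] = ("filtered", main_cf_filter)
        elif override == "":
            report[name] = ("disabled", "")
        else:
            report[name] = ("redirected", override)
    return report


def bypassing_services(report):
    """Names of entry points whose mail never reaches any content filter."""
    return sorted(n for n, (status, _) in report.items() if status == "disabled")


if __name__ == "__main__":
    rep = audit_content_filter(SAMPLE_MASTER_CF, MAIN_CF_CONTENT_FILTER)
    for name, (status, target) in rep.items():
        print("%-16s %-10s %s" % (name, status, target or "(none)"))
```

Run it against a live system with `parse_master_cf(open("/etc/postfix/master.cf").read())`. A "disabled" result on the 127.0.0.1:10025 listener is expected in the standard amavisd-new layout, since that is where the scanner hands mail back and filtering it again would loop; "disabled" on pickup is exactly the case mouss describes, where anything submitted through the sendmail command skips the scanner, and "redirected" on the smtp listener shows that the master.cf override does not point where main.cf does.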

Re: Wanting incoming and outgoing e-mail monitored for spam and

By Victor Duchovni at 04/18/2010 - 15:35

LOGS.

The phrase "going through without scrutiny" is vague and
lacks specificity with regard to the observed symptoms.

You must provide a clear explanation of which filtering you expected to
get, and what you got instead (LOGS).

And the configuration again with all of that, so that one does not have
to re-assemble the full problem description from fragments of multiple
messages.
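The logs Victor asks for are where the answer actually lives: each message that passes through the scanner leaves a relay line pointing at the filter's listener and a "queued as" reference to the re-injected copy, and a message that never did so has neither. As an added example (not from this thread), the script below groups mail.log lines by queue ID, records how each message entered Postfix (an smtpd "client=" line or a pickup line), follows "queued as" links to the re-injected copy, and lists the messages that entered from outside and never reached the filter. The log lines are constructed; the filter endpoint is the amavisfeed target from the postconf -n output, and the script assumes Postfix's default short (uppercase hex) queue IDs.

```python
"""Trace messages through a Postfix content_filter using mail.log lines.

Added example for this thread, not the poster's or Postfix's own code.
"""
import re

# relay= value Postfix logs when handing a message to the amavisfeed target
# from the postconf -n output above (assumption: default smtp transport logging)
FILTER_NEXTHOP = "127.0.0.1[127.0.0.1]:10024"

# Constructed log lines: one message from the Internet that is scanned and
# re-injected, and one submitted locally via sendmail/pickup that is not.
SAMPLE_LOG = """\
Apr 18 15:00:01 doctor postfix/smtpd[1234]: 3A1B2C3D4E: client=mail.example.org[192.0.2.10]
Apr 18 15:00:01 doctor postfix/qmgr[1200]: 3A1B2C3D4E: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)
Apr 18 15:00:02 doctor postfix/smtpd[1240]: 5F6A7B8C9D: client=localhost[127.0.0.1]
Apr 18 15:00:02 doctor postfix/qmgr[1200]: 5F6A7B8C9D: from=<alice@example.org>, size=1500, nrcpt=1 (queue active)
Apr 18 15:00:02 doctor postfix/smtp[1236]: 3A1B2C3D4E: to=<bob@nk.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.1/0.01/0.02/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F6A7B8C9D)
Apr 18 15:00:02 doctor postfix/local[1250]: 5F6A7B8C9D: to=<bob@nk.ca>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Apr 18 15:01:00 doctor postfix/pickup[1100]: 9E8D7C6B5A: uid=1001 from=<www@doctor.nl2k.ab.ca>
Apr 18 15:01:00 doctor postfix/qmgr[1200]: 9E8D7C6B5A: from=<www@doctor.nl2k.ab.ca>, size=800, nrcpt=1 (queue active)
Apr 18 15:01:01 doctor postfix/smtp[1236]: 9E8D7C6B5A: to=<someone@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# "postfix/<program>[pid]: <QUEUEID>: <rest>"; short queue IDs are uppercase hex
LINE_RE = re.compile(r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
RELAY_RE = re.compile(r"relay=(?P<relay>\S+?),")
REQUEUED_RE = re.compile(r"queued as (?P<qid>[0-9A-F]{6,})")


def parse_log(text):
    """Return {qid: {'entry': str|None, 'relays': [str], 'child': qid|None}}."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, prog, rest = m.group("qid"), m.group("prog"), m.group("rest")
        rec = msgs.setdefault(qid, {"entry": None, "relays": [], "child": None})
        if prog == "smtpd" and rest.startswith("client="):
            rec["entry"] = rest                   # arrived over SMTP
        elif prog == "pickup":
            rec["entry"] = "pickup " + rest       # arrived via the sendmail command
        r = RELAY_RE.search(rest)
        if r:
            rec["relays"].append(r.group("relay"))
        q = REQUEUED_RE.search(rest)
        if q:
            rec["child"] = q.group("qid")         # queue ID of the re-injected copy
    return msgs


def was_filtered(msgs, qid):
    """True if qid, or any copy it was re-queued as, was relayed to the filter."""
    seen = set()
    while qid and qid not in seen:
        seen.add(qid)
        rec = msgs.get(qid)
        if rec is None:
            return False
        if FILTER_NEXTHOP in rec["relays"]:
            return True
        qid = rec["child"]
    return False


def unfiltered_messages(msgs):
    """Queue IDs of new mail (not filter re-injections) that never reached the filter."""
    reinjected = {rec["child"] for rec in msgs.values() if rec["child"]}
    return sorted(qid for qid, rec in msgs.items()
                  if rec["entry"] is not None
                  and qid not in reinjected
                  and not was_filtered(msgs, qid))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for qid in unfiltered_messages(parsed):
        print("%s entered via %s and was never scanned" % (qid, parsed[qid]["entry"]))
```

Feed it a real log with `parse_log(open("/var/log/mail.log").read())`; re-injected copies are recognised by the "queued as" reference rather than by the client address, since a local submission over SMTP to port 25 also logs as client=localhost[127.0.0.1] and would otherwise be skipped.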