~ubuntu-branches/ubuntu/natty/amavisd-new/natty

Viewing changes to README_FILES/README.postfix

Committer: Bazaar Package Importer
Author(s): Christian Perrier
Date: 2007-02-24 19:27:53 UTC
mfrom: (3.1.7 feisty)
Revision ID: james.westby@ubuntu.com-20070224192753-fvvima53q1jrp34x

Tags: 1:2.4.2-6.1

http://bugs.debian.org/405243

http://bugs.debian.org/408734

http://bugs.debian.org/409831

* Non-maintainer upload to fix pending l10n issues.
* Debconf translations
  - Remove extra debian/po/de.po~
  - Convert all translation files to UTF-8
  - Russian. Closes: #405243
  - Spanish. Closes: #408734
  - Italian. Closes: #409831
* Add very simple LSB headers to init scripts

files added:
JpegTester.pm

Macintosh.tar.gz

README_FILES/README.banned

README_FILES/README.courier-old

README_FILES/README.ldap

README_FILES/README.sendmail-dual.old

README_FILES/README.sql

README_FILES/TODO-SNMP-AGENT

README_FILES/amavisd-new-docs.html

TODO

amavisd-agent

amavisd-nanny

amavisd-new-courier-old.patch

amavisd-new.spec

amavisd-release

amavisd.conf-default

amavisd.conf-sample

debian/amavisd-new-cronjob

debian/amavisd-new-cronjob.8

debian/amavisd-new.examples

debian/amavisd-new.lintian

debian/amavisd-new.templates

debian/conf

debian/conf/10-debian_scripts

debian/conf/20-package

debian/disabled.old-headerfolding-patch.diff

debian/etc/conf.d

debian/etc/conf.d/01-debian

debian/etc/conf.d/05-domain_id

debian/etc/conf.d/05-node_id

debian/etc/conf.d/15-av_scanners

debian/etc/conf.d/15-content_filter_mode

debian/etc/conf.d/20-debian_defaults

debian/etc/conf.d/25-amavis_helpers

debian/etc/conf.d/30-template_localization

debian/etc/conf.d/50-user

debian/extract-upstream-en_US-templates.pl

debian/po

debian/po/POTFILES.in

debian/po/cs.po

debian/po/de.po

debian/po/es.po

debian/po/fr.po

debian/po/it.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/ru.po

debian/po/templates.pot

helper-progs/amavis.pl

p0f-analyzer.pl

test-messages/sample.tar.gz.compl

files removed:
debian/etc/amavisd.conf

debian/etc/de_DE

debian/etc/de_DE/charset

debian/etc/de_DE/template-dsn.txt

debian/etc/de_DE/template-spam-admin.txt

debian/etc/de_DE/template-spam-sender.txt

debian/etc/de_DE/template-virus-admin.txt

debian/etc/de_DE/template-virus-recipient.txt

debian/etc/de_DE/template-virus-sender.txt

debian/etc/it_IT

debian/etc/it_IT/charset

debian/etc/it_IT/template-dsn.txt

debian/etc/it_IT/template-spam-admin.txt

debian/etc/it_IT/template-spam-sender.txt

debian/etc/it_IT/template-virus-admin.txt

debian/etc/it_IT/template-virus-recipient.txt

debian/etc/it_IT/template-virus-sender.txt

debian/etc/pt_BR

debian/etc/pt_BR/charset

debian/etc/pt_BR/template-dsn.txt

debian/etc/pt_BR/template-spam-admin.txt

debian/etc/pt_BR/template-spam-sender.txt

debian/etc/pt_BR/template-virus-admin.txt

debian/etc/pt_BR/template-virus-recipient.txt

debian/etc/pt_BR/template-virus-sender.txt

helper-progs/amavis-milter-based-on-1.1.2.3.2.36.c

helper-progs/amavis-milter-based-on-1.1.2.3.2.40-v2.c

helper-progs/amavis-milter-based-on-1.1.2.3.2.40.c

helper-progs/configure.old

test-messages/sample-42-mail-bomb.txt

test-messages/sample-executable.txt

test-messages/sample-nonspam.txt

test-messages/sample-spam-GTUBE-junk.txt

test-messages/sample-spam-GTUBE-nojunk.txt

test-messages/sample-spam.txt

test-messages/sample-virus-executable.txt

test-messages/sample-virus-nested.txt

test-messages/sample-virus-simple.txt

files modified:
AAAREADME.first

INSTALL

LDAP.schema

MANIFEST

README_FILES/README.chroot

README_FILES/README.contributed

README_FILES/README.courier

README_FILES/README.customize

README_FILES/README.exim_v3

README_FILES/README.exim_v3_app

README_FILES/README.exim_v4

README_FILES/README.exim_v4_app

README_FILES/README.exim_v4_app2

README_FILES/README.lookups

README_FILES/README.milter

README_FILES/README.old.scanners

README_FILES/README.performance

README_FILES/README.policy-on-notifications

README_FILES/README.postfix

README_FILES/README.protocol

README_FILES/README.sendmail

README_FILES/README.sendmail-dual

RELEASE_NOTES

amavisd

amavisd-new-courier.patch

amavisd-new-qmqpqq.patch

amavisd.conf

debian/README.Debian

debian/TODO

debian/amavisd-new-milter.init

debian/amavisd-new-milter.postinst

debian/amavisd-new.8

debian/amavisd-new.NEWS

debian/amavisd-new.cron.d

debian/amavisd-new.cron.daily

debian/amavisd-new.dirs

debian/amavisd-new.files

debian/amavisd-new.init

debian/amavisd-new.manpages

debian/amavisd-new.postinst

debian/amavisd-new.postrm

debian/changelog

debian/control

debian/copyright

debian/etc/README.l10n

debian/etc/en_US/template-dsn.txt

debian/etc/en_US/template-spam-admin.txt

debian/etc/en_US/template-spam-sender.txt

debian/etc/en_US/template-virus-admin.txt

debian/etc/en_US/template-virus-recipient.txt

debian/etc/en_US/template-virus-sender.txt

debian/logcheck.ignore

debian/rules

helper-progs/Makefile.in

helper-progs/README

helper-progs/amavis-milter.c

helper-progs/amavis.c

helper-progs/config.h.in

helper-progs/configure

test-messages/README

Show diffs side-by-side

added added

removed removed

README_FILES/README.postfix

which can be found at http://www.ijs.si/software/amavisd/

Author: Mark Martinec <Mark.Martinec@ijs.si>

Last updated: 2004-04-13

Last updated: 2006-02-13

How to use amavisd-new with Postfix

***********************************

A quick recipe for the impatient first.

The sections labeled 'COMMENT' may be skipped on first reading.

Sections labeled 'COMMENT' may be skipped on first reading.

Your Postfix must not be ancient, it must support parameter 'content_filter'.

Check for the purpose of this parameter in ./README_FILES/FILTER_README

of the Postfix distribution. This file was revised in postfix-1.1.9-20020512,

and again in postfix 20030120, you may want to read the latest version.

In the most recent Postfix documentation the setup described here is known

In the more recent Postfix documentation the setup described here is known

as 'Postfix After-Queue Content Filter', section 'Advanced content filter'.

For compatibility with previous versions of amavisd the choice of default

instead of 'scan' as in the Postfix documentation.

We are assuming that Postfix is already installed, configured and is

working as expected. As a safety net during experimenting you might feel

working as expected. As a safety net during experimenting one might feel

better by setting 'soft_bounce=yes' in /etc/postfix/main.cf, and doing

a 'postfix reload'. It will turn hard errors experienced by Postfix into

temporary failures, causing failed mail operations to be retried later.

Don't forget to remove it when things appear to be running well.

Don't forget to remove it later when things appear to be running well.

1. Install and start amavisd (as explained in INSTALL - just the daemon,

no helper programs amavis(.c) or amavisd-milter(.c) are needed)

For the first time it is best to start it interactively and keep it

attached to the terminal:

For the first time it is best to start amavisd daemon interactively

and keep it attached to the terminal:

$ /usr/local/sbin/amavisd debug

$ /etc/init.d/amavis debug

From another window check that it is listening on a

local SMTP port 10024 (default):

local SMTP port 10024 (the default port):

--> $ telnet 127.0.0.1 10024

Trying 127.0.0.1...

Connection closed by foreign host.

2. With a text editor add to the Postfix master.cf file

the following two entries, e.g. near the end of the file:

smtp-amavis unix - - y/n - 2 smtp

-o smtp_data_done_timeout=1200

-o smtp_send_xforward_command=yes

-o disable_dns_lookups=yes

-o max_use=20

127.0.0.1:10025 inet n - y/n - - smtpd

-o content_filter=

-o local_recipient_maps=

-o relay_recipient_maps=

-o smtpd_restriction_classes=

-o smtpd_client_restrictions=

-o smtpd_delay_reject=no

-o smtpd_client_restrictions=permit_mynetworks,reject

-o smtpd_helo_restrictions=

-o smtpd_sender_restrictions=

-o smtpd_recipient_restrictions=permit_mynetworks,reject

-o smtpd_data_restrictions=reject_unauth_pipelining

-o smtpd_end_of_data_restrictions=

-o mynetworks=127.0.0.0/8

-o strict_rfc821_envelopes=yes

-o smtpd_error_sleep_time=0

-o smtpd_soft_error_limit=1001

-o smtpd_hard_error_limit=1000

COMMENT:

the '-o disable_dns_lookups=yes' in the smtp-amavis smtp service is

no longer needed since Postfix 2.0. The '-o smtp_send_xforward_command=yes'

(or '-o lmtp_send_xforward_command=yes') are optional and will be used

by future versions of amavisd-new, primarily for logging purposes.

It does not hurt if specified, even if not yet needed or not yet

supported by the currently running Postfix or amavisd-new.

Of all the options specified above in the second entry, the one

that is essential is the '-o content_filter=' .

-o smtpd_client_connection_count_limit=0

-o smtpd_client_connection_rate_limit=0

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Change the 'y/n' to either 'y' or 'n', depending on how you prefer

the smtp and smtpd postfix services to run - either chroot-ed, or not.

See your other (normal) smtp and smtpd postfix services in this file

See your other (normal) smtp and smtpd postfix services in master.cf

and use the same setting here.

COMMENT:

If you have an entry like 'vscan unix - n n - 2 pipe user=vscan ...'

100

from an ancient amavisd installation, you don't need it anymore and

101

it may be removed. Keeping it does no harm.

COMMENTS:

- Of all the options specified above in the second entry,

the one that is essential is the '-o content_filter=' .

- The '-o smtp_send_xforward_command=yes'

(or '-o lmtp_send_xforward_command=yes' if using LMTP)

is optional, but recommended - amavisd-new benefits from it since V2.0.

It does not hurt if specified even if not yet supported by the currently

running Postfix or amavisd-new.

- the '-o max_use=20' is optional, it overrides the default value of 100,

100

and is primarily useful with lmtp, as the Postfix lmtp client is more

101

aggressive in keeping the connection open than the smtp client;

102

- If there is an entry like 'vscan unix - n n - 2 pipe user=vscan ...'

103

from an ancient amavisd installation, it is not needed any longer

104

and may be removed. Keeping it does no harm.

105

- for IPv6 enabled MTA, consider: -o mynetworks=127.0.0.0/8,[::1]/128

102

106

103

107

104

108

3. Do a 'postfix reload', check its log file for any complaints,

116

120

117

121

4. If you want, simulate a mail sent to amavisd and see if it gets delivered

118

122

via Postfix to its recipient. Try first with a simple and clean message,

119

then with an EICAR test virus pattern which should be recognized by all

120

virus scanners (unless you have them disabled or not installed):

123

then a message with an EICAR test virus pattern which should be recognized

124

by all virus scanners (unless all scanners are disabled or not installed):

121

125

122

126

--> $ telnet 127.0.0.1 10024

123

127

Trying 127.0.0.1...

149

153

--> .

150

154

151

155

you should get one of the following replies (or similar), depending on

152

your $final_virus_destiny and *virus_lovers* settings in amavisd.conf:

156

the $final_virus_destiny and *virus_lovers* settings in amavisd.conf:

153

157

*** 550 5.7.1 Message content rejected, id=16968-01 - VIRUS: EICAR-AV-Test

154

158

*** 250 2.5.0 Ok, but 1 BOUNCE

155

159

*** 250 2.7.1 Ok, discarded, id=16984-01 - VIRUS: EICAR-AV-Test

160

164

Connection closed by foreign host.

161

165

162

166

You may need/want to use different sender and recipient addresses.

163

The test pattern must be entered exactly, starting at the beginning

164

of the line (without indentation).

167

The test pattern must be entered exactly to be recognized, starting

168

at the beginning of a line (without indentation).

165

169

166

170

Depending on the settings in amavisd.conf, the sender (test@example.com)

167

171

and the virus administrator may have been sent a (non-)delivery status

176

180

177

181

To the Postfix main.cf file add a line:

178

182

179

content_filter=smtp-amavis:[127.0.0.1]:10024

183

content_filter=smtp-amavis:[127.0.0.1]:10024

180

184

181

185

either with a text editor, or preferably using a shell command:

182

186

# postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024'

183

187

184

188

COMMENT:

185

This global setting in main.cf affects any Postfix input service (i.e.

186

smtpd and pickup). If you require a more selective approach, the option

189

The global setting of 'content_filter' in main.cf affects any Postfix

190

input service (i.e. smtpd and pickup). If a more selective approach

191

is required, the option

187

192

-o content_filter=smtp-amavis:[127.0.0.1]:10024

188

193

may be given in master.cf to selected services only, or the option:

189

194

-o content_filter=

190

on selected services may override (clear) the global setting.

195

may override (i.e. clear) the global setting on selected services.

191

196

192

197

193

198

6. Do a 'postfix reload' and watch the logs - both the Postfix logs,

194

199

and the amavisd log file (on the screen or wherever you have it directed).

195

200

196

If you get in trouble, you only need to undo the step 5 and 'postfix reload'.

197

New mail will no longer be tagged with content filter routing.

201

If you get in trouble, you only need to undo the step 5 and do a

202

'postfix reload'. New mail will no longer be tagged with content filter

203

routing.

198

204

199

205

COMMENT:

200

206

The messages that have been received while 'content_filter' was set,

201

207

will still try to get delivered to your old setting of content_filter,

202

and will wait in the queue until successful or deleted - or until you do:

203

postsuper -r ALL; postfix reload

208

and will wait in the queue until successful or deleted or expired - or

209

until you do: postsuper -r ALL; postfix reload

204

210

205

211

If all is fine, you may abort (^C) the process running 'amavisd debug',

206

212

and start amavisd without a 'debug' option, making it detach and daemonize.

208

214

209

215

This completes the integration of amavisd and Postfix.

210

216

It uses the SMTP (or LMTP) protocol for Postfix->amavisd,

211

and SMTP protocol for amavisd->Postfix communication.

217

and uses SMTP protocol for amavisd->Postfix communication.

212

218

This is the fastest and recommended method, and simplest to set up.

213

219

214

220

215

ALTERNATIVE:

216

217

If you have a recent Postfix version such as 2.0, and amavisd-new-20021116

218

or younger, Postfix can be told to feed mail to amavisd via LMTP protocol

219

instead of SMTP. This brings multi-session mail transaction capability and

220

per-recipient status responses. Just replace the service name (last item)

221

TUNING:

222

223

The most important tuning knob is the number of concurrent content filtering

224

processes allowed. Too low a value does not fully utilize the host resources,

225

a somewhat high value wastes memory and gains no benefit to the aggregate

226

mail throughput, while a too high value causes system thrashing and the

227

total system mail throughput starts to drop. A useful starting value is 2,

228

a commonly useful range is perhaps up to 10 (or perhaps 20 on hosts with

229

1 GB of RAM or more, and SA with network tests such as Razor enabled),

230

but the exact value largely depends on host capabilities and the anti-virus

231

and anti-spam options in use.

232

233

It is imperative that both the Postfix and the amavisd-new use the same value.

234

Actually the amavisd setting may be higher that the Postfix, but this serves

235

no useful purpose and just wastes resources. The amavisd.conf parameter is

236

the $max_servers, the Postfix parameter is the maxproc field in the

237

'smtp-amavis' entry (file master.cf).

238

239

Instead of adjusting the maxproc field of the 'smtp-amavis' service,

240

one may prefer to leave it a the default '-', and use a main.cf option

241

for the same purpose:

242

smtp-amavis_destination_concurrency_limit = 2

243

244

For other tuning hints, see README.performance and:

245

http://www.ijs.si/software/amavisd/amavisd-new-magdeburg-20050519.pdf

246

247

248

TO DO 'VIRTUAL ALIAS' MAPPING AND OTHER POSTFIX CLEANUP PROCESSING

249

BEFORE OR AFTER CONTENT FILTERING?

250

251

In a post-queue content filtering setup (a normal amavisd-new setup with

252

Postfix), a mail message passes through smtpd and cleanup Postfix services

253

twice, once before the content filter, and the second time when approved

254

message is passed from the content filter back to MTA. Any transformations

255

and checks done by a cleanup service are thus performed twice. In simpler

256

setups this does not matter much, but in more demanding situations one

257

needs to consider which cleanup instance should perform which task.

258

See cleanup(8) man page.

259

260

In particular, the following should be considered:

261

262

- masquerading

263

264

- canonical address transformations

265

placed before the content filter:

266

content filter will see canonicalized envelope addresses

267

(e.g. external addresses)

268

placed after the content filter:

269

content filter will see largely unmodified envelope addresses

270

271

- virtual alias transformations of envelope recipient addresses

272

placed before the content filter:

273

content filter will see modified (e.g. internalized) envelope addresses

274

placed after the content filter:

275

content filter will see largely unmodified envelope addresses

276

277

- built-in content checks like the header_checks, body_checks, mime processing

278

placed before the content filter:

279

the usual placement, checks should be performed as early as convenient

280

placed after the content filter:

281

most built-in content checks should not be performed again to save time

282

and prevent late bounces. An exception may be the 'placing on hold'

283

of a mail message that the content filter considered a potential threat

284

and inserted a header field 'X-Amavis-Hold: reason', which needs to be

285

done after content filtering.

286

287

- automatic BCC recipient controls

288

should only be done once to prevent mail duplication. The same

289

applies when virtual mapping is used a "poor man's" mailing lists.

290

Adding recipients is normally placed after content filtering;

291

292

- resource and rate controls

293

should be done before the content filtering, and should be disabled

294

or be more liberal in the cleanup service after the content filter;

295

296

To exercise full control over which cleanup service will perform which

297

e-mail address mapping (virtual alias, canonical, masquerading), and

298

which (if any) header/body checks, one needs to use two cleanup services:

299

300

- add a new service 'pre-cleanup';

301

- (optionally) add options to existing service 'cleanup';

302

- add option 'cleanup_service_name=pre-cleanup' to existing services

303

'smtp' and 'pickup';

304

305

as described further down.

306

307

If the full flexibility of having two cleanup services is not needed

308

and Postfix is snapshot 2.0.13-20030706 or later, there is a new parameter

309

'receive_override_options' which eliminates the need for two cleanup

310

services in some more straightforward cases (not all features of having

311

two cleanup services are available). The idea is to use:

312

-o receive_override_options=no_address_mappings

313

for main incoming services (like smtpd and pickup), and the:

314

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

315

for the post-content-filter smtpd service on port 10025.

316

See smtpd(8) man page and the FILTER_README and ADDRESS_REWRITING_README

317

files in the Postfix documentation directory README_FILES.

318

The receive_override_options=no_address_mappings also avoids the need

319

for moving always_bcc option from main.cf to master.cf in common cases.

320

321

322

ALTERNATIVE FOR POSTFIX OLDER THAN 2.2

323

324

Postfix can be told to feed mail to amavisd via LMTP protocol instead

325

of SMTP. This is possible since Postfix 2.0 and since amavisd-new-20021116.

326

327

LMTP brings per-recipient status responses and multi-transaction session

328

capability, the later of which the Postfix service smtp before cca. 2004-08

329

lacked. For newer versions of Postfix with "connection cache" capability

330

(previously known as "session caching"), i.e. the Postfix 2.2 and the

331

snapshots since cca. 2004-08, the per-recipient status responses remains

332

the only (small) advantage of LMTP.

333

334

A LMTP advantage with its per-recipient status responses is most useful when

335

the second MTA instance (on port 10025) returns a 5xx or 4xx SMTP response

336

for some but not all recipients for some reason, or if amavisd-new is

337

(inappropriately) configured to D_REJECT malware instead of D_BOUNCE it.

338

Neither of the two is encountered regularly on well configured systems.

339

340

As it is advisable to perform most of the MTA mail checks (like mail address

341

validation, header and body checks) as soon as mail enters the mailer, the

342

second MTA instance should under normal circumstances hardly ever generate

343

a 5xx or 4xx response. Regarding the second argument, rejecting malware

344

(D_REJECT) in an after-queue setup leads to backscatter generated by MTA

345

and is not a recommended setting in a Postfix after-queue and other

346

dual-MTA settings.

347

348

To use LMTP instead of SMTP just replace the service name (last item)

221

349

'smtp' with 'lmtp' in the master.cf entry: vvvv

222

350

223

351

smtp-amavis unix - - y/n - 2 lmtp

224

352

-o lmtp_data_done_timeout=1200

225

353

-o lmtp_send_xforward_command=yes

226

354

227

(and change parameter names accordingly).

228

229

It works with earlier version of Postfix as well, but there are one or two

230

minor bugs in the Postfix lmtp client code (parsing a LMTP port number,

231

and unnecessarily lowercasing the addresses), so it is easiest to stick

232

to the fresh Postfix version.

233

234

Option 'max_use=10' should be added to main.cf to limit the session reuse.

235

355

(and change option names accordingly).

236

356

237

357

238

358

OPTIONAL:

239

359

240

I also like to set up an e-mail addresses with Postfix to receive

241

all quarantined viruses, so that a mailer will deal with storing

242

(or forwarding) them, and you don't even have to set up a quarantine

243

directory directly and locally accessible to amavisd. Here is one way

244

of doing it, but see 'local(8)' Postfix man page for more options.

245

246

This method of quarantining may be the only method available if amavisd

247

is running chrooted and quarantine should be located outside of chroot jail.

248

249

To the aliases file add an entry for an e-mail address, e.g. 'infected',

250

either to forward its mail to some place, or do a local delivery

251

to a file or directory, e.g.:

360

It is probably a good idea to set strict_rfc821_envelopes=yes in main.cf

361

to reject non-replyable sender addresses such as <@yahoo.com> straight away,

362

otherwise we end up processing such mail with inability to bounce it when

363

needed, effectively losing such mail.

364

365

366

One can set up an e-mail addresses (a mailbox) with Postfix to receive all

367

quarantined viruses so that a mailer will deal with storing or forwarding

368

them, and a local quarantine directory directly can be avoided. Here is

369

one way of doing it, but see 'local(8)' Postfix man page for more options.

370

371

This method of quarantining might be the only method available if amavisd

372

is running chrooted and quarantine is to be located outside of chroot jail.

373

374

To the Postfix aliases file (or database) add an entry for an e-mail address,

375

e.g. 'infected', either to forward its mail to some place, or do a local

376

delivery to a file or directory, e.g.:

252

377

253

378

infected: /var/spool/mail/infected

254

379

258

383

In your amavisd.conf file specify (note the trailing '@') :

259

384

$virus_quarantine_to = 'infected@'; # forward to MTA for delivery

260

385

261

Reload amavisd (amavisd reload) if it is already running, to make it

386

Reload amavisd (amavisd reload) if it is already running to make it

262

387

re-read its config file, and check the log file. All set! Send some

263

388

infected mail and watch it appear at the specified mailbox.

264

389

268

393

to the Postfix master.cf file instead of the item (2.) above,

269

394

in case you need finer control or better understanding.

270

395

It describes a Postfix setup with two cleanup services, as recommended

271

by the new Postfix 2.0.3 ./README_FILES/FILTER_README .

396

by the new Postfix 2.0.3 README_FILES/FILTER_README .

272

397

273

398

Here is an overall picture (adapted from FILTER_README to match

274

399

port numbers and service name as traditionally used by amavisd-new):

286

411

...........................|...........

287

412

^ |

288

413

| v

289

............|..............................

290

: | $inet_socket_port=10024 :

291

: | :

292

: $forward_method='smtp:127.0.0.1:10025' :

293

: $notify_method ='smtp:127.0.0.1:10025' :

294

: :

295

: amavisd-new :

296

...........................................

297

298

299

To be able to get largely unmodified e-mail addresses to content filter

300

(avoiding virtual_alias_maps before the content filter), one needs to

301

use two cleanup services:

302

303

- add new service 'pre-cleanup';

304

- (optionally) add options to existing service 'cleanup';

305

- add option 'cleanup_service_name=pre-cleanup' to existing services

306

'smtp' and 'pickup';

307

308

as described below.

414

............|...............................

415

: | $inet_socket_port=10024 :

416

: | :

417

: $forward_method='smtp:[127.0.0.1]:10025' :

418

: $notify_method ='smtp:[127.0.0.1]:10025' :

419

: :

420

: amavisd-new :

421

............................................

422

309

423

310

424

311

425

# Append this to the master.cf Postfix file and edit to will.

315

429

# ===============================================================

316

430

317

431

# By default amavisd will listen to both protocols (SMTP/LMTP over TCP,

318

# as well as amavis helper protocol on a Unix socket). The older method

432

# as well as to amavis helper protocol on a Unix socket). The older method

319

433

# using the helper program amavis.c still works, but is not recommended, and

320

434

# is not described here. To disable amavisd-new unnecessarily listening on a

321

435

# Unix socket, comment out the assignment to $unix_socketname in amavisd.conf.

322

436

323

437

# NOTE1: match number of sending Postfix processes (the '2' below) with

324

# $max_servers in amavisd.conf. Two or three per CPU should be enough.

438

# $max_servers in amavisd.conf. Two to ten per CPU should be enough.

325

439

# Going beyond 20 just wastes memory and does not help with throughput.

326

440

# NOTE2: point the 'content_filter' hostname part to where amavisd is running,

327

441

# and match the port number with $inet_socket_port in amavisd.conf, e.g:

336

450

# The value in '-o smtp_data_done_timeout=1200' must always be larger

337

451

# (with some margin) than the value of $child_timeout in amavisd.conf

338

452

# NOTE6: the option '-o disable_dns_lookups=yes' is recommended for reducing

339

# latency with Postfix versions older than 2.0, but specify the IP

340

# address and not the DNS name in the content_filter specification

453

# latency with Postfix versions older than 2.0, but specify preferably

454

# an IP address and not a DNS name in the content_filter specification

341

455

# (thanks to Victor Duchovni for the suggestion).

342

456

343

457

# The "smtp-amavis" transport is a dedicated instance of the "smtp"

352

466

-o smtp_send_xforward_command=yes

353

467

#some more ideas:

354

468

# -o disable_dns_lookups=yes

469

# -o max_use=20

470

# -o smtp_bind_address=127.0.0.1

471

# -o strict_rfc821_envelopes=yes

355

472

# -o smtp_line_length_limit=0

356

473

# -o notify_classes=protocol,resource,software

357

474

# -o fallback_relay=backup-filter.example.com:10024

374

491

375

492

# variant 1A: via SMTP, same host (or see 1B for multihost setup)

376

493

# In amavisd.conf choose the host running Postfix and its port number, e.g.:

377

# $notify_method = 'smtp:127.0.0.1:10025';

378

# $forward_method = 'smtp:127.0.0.1:10025';

379

# $relayhost_is_client = 0;

494

# $notify_method = 'smtp:[127.0.0.1]:10025';

495

# $forward_method = 'smtp:[127.0.0.1]:10025';

380

496

381

497

382

498

# The following is the SMTP listener that receives filtered messages from the

386

502

# for bounces and for internally forwarded mail.

387

503

388

504

# Disable all access control other than insisting on connections from one

389

# of the IP addresses of the host. This is typically overkill, but can reduce

390

# resource usage if the default restrictions do lots of checks.

505

# of the IP addresses of the host. This can reduce resource usage if the

506

# default restrictions do lots of checks.

391

507

392

508

# NOTE: set the chroot field the same (y/n) as for your regular smtpd service

393

509

396

512

-o local_recipient_maps=

397

513

-o relay_recipient_maps=

398

514

-o smtpd_restriction_classes=

399

-o smtpd_client_restrictions=

515

-o smtpd_delay_reject=no

516

-o smtpd_client_restrictions=permit_mynetworks,reject

400

517

-o smtpd_helo_restrictions=

401

518

-o smtpd_sender_restrictions=

402

519

-o smtpd_recipient_restrictions=permit_mynetworks,reject

520

-o smtpd_data_restrictions=reject_unauth_pipelining

521

-o smtpd_end_of_data_restrictions=

403

522

-o mynetworks=127.0.0.0/8

404

-o mynetworks_style=host

405

-o strict_rfc821_envelopes=yes

406

#some more ideas:

407

# -o smtpd_data_restrictions=

408

# -o always_bcc=user@example.com

523

-o smtpd_error_sleep_time=0

524

-o smtpd_soft_error_limit=1001

525

-o smtpd_hard_error_limit=1000

526

-o smtpd_client_connection_count_limit=0

527

-o smtpd_client_connection_rate_limit=0

528

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

409

529

410

530

411

531

# The following is the cleanup daemon that handles messages in front of

412

# the content filter. It does header_checks and body_checks (if any),

413

# but does no virtual alias or canonical address mapping,

414

# so that mail comes out of your content filter with the original

415

# recipient addresses still intact.

532

# the content filter. It does header_checks and body_checks (if any), but

533

# does no virtual alias or canonical address mapping, so that mail comes

534

# to a content filter with original recipient addresses still intact.

416

535

417

536

# Virtual alias or canonical address mapping happens in the second

418

537

# cleanup phase after the content filter. This gives the content_filter

419

# access to *largely* unmodified addresses for maximum flexibility.

538

# access to largely unmodified addresses for maximum flexibility.

420

539

421

# Note that some sites may specifically want to perform canonical or

422

# virtual address mapping in front of the content_filter. However,

423

# in that case you still have to enable address rewriting in the

424

# after-filter cleanup instance, in order to correctly process

425

# forwarded mail or bounced mail.

540

# Note that some sites may specifically want to perform canonical and/or

541

# virtual address mapping in front of the content_filter. However, in that

542

# case you still have to enable address rewriting in the after-filter cleanup

543

# instance in order to correctly process forwarded mail or bounced mail.

426

544

427

545

# handle both the canonicalization and virtual_alias_maps later

428

546

# (this will provide content filter with largely unmodified addresses)

457

575

-o header_checks=

458

576

# or use second-stage header checks, to be able to place mail bombs on HOLD

459

577

# -o header_checks=pcre:/etc/postfix/header_checks2

578

# consider also:

579

# -o always_bcc=snooping@example.com

460

580

461

581

# Place the following line (without the leading # and space) into file

462

582

# /etc/postfix/header_checks2, and use the -o header_checks=pcre:... above,

482

602

# - re-injection (forwarding) if $forward_method is smtp:...

483

603

# - notification messages if $notify_method is smtp:...

484

604

# - quarantine if $virus_quarantine_to contains '@'

485

# In amavisd.conf set port number where Postfix (one or more) is

486

# listening for re-injected mail and notifications, and optionally set

487

# $relayhost_is_client to 1, if you want to have host field in the

488

# $forward_method and $notify_method specification dynamically replaced

489

# (re-injection port number is automatically set to one higher than the

490

# port number on which message came in to amavisd, making possible for

491

# several MTA pairs on the same host to independently use amavisd, e.g.

492

# separately for incoming and outgoing mail). To prevent unauthorized use

493

# of the service you SHOULD restrict the set of IP addresses from which

494

# amavisd is willing to accept mail by specifying authorized Postfix host(s)

495

# with the access list @inet_acl in the amavisd.conf file. Bind must not be

496

# restricted to the loopback interface, so set $inet_socket_bind to undef.

605

# In amavisd.conf set port number where Postfix (one or more) is listening

606

# for re-injected mail and notifications, and optionally use an asterisk in

607

# $forward_method and $notify_method specification if host or port field

608

# is to be dynamically replaced (re-injection port number is automatically

609

# set to one higher than the port number on which message came in to amavisd,

610

# making possible for several MTA pairs on the same host to independently

611

# use amavisd, e.g. separately for incoming and outgoing mail). To prevent

612

# unauthorized use of the service you should restrict the set of IP addresses

613

# from which amavisd is willing to accept mail by specifying authorized Postfix

614

# host(s) with the access list @inet_acl in the amavisd.conf file. Bind must

615

# not be restricted to loopback interface, so set $inet_socket_bind to undef.

497

616

498

617

# NOTE1: you SHOULD also restrict Postfix to only accept connections

499

618

# on port 10025 from the amavisd host by '-o mynetworks = ...'

504

623

# -o local_recipient_maps=

505

624

# -o relay_recipient_maps=

506

625

# -o smtpd_restriction_classes=

507

# -o smtpd_client_restrictions=

626

# -o smtpd_delay_reject=no

627

# -o smtpd_client_restrictions=permit_mynetworks,reject

508

628

# -o smtpd_helo_restrictions=

509

629

# -o smtpd_sender_restrictions=

510

630

# -o smtpd_recipient_restrictions=permit_mynetworks,reject

631

# -o smtpd_data_restrictions=reject_unauth_pipelining

632

# -o smtpd_end_of_data_restrictions=

511

633

# -o mynetworks=127.0.0.0/8,10.0.0.0/8,192.168.1.1

512

# -o mynetworks_style=host

513

# -o strict_rfc821_envelopes=yes

514

634

# -o smtpd_error_sleep_time=0

515

635

# -o smtpd_soft_error_limit=1001

516

636

# -o smtpd_hard_error_limit=1000

517

#some more ideas:

518

# -o smtpd_data_restrictions=

519

# -o smtpd_authorized_xforward_hosts=0.0.0.0/0

520

# -o always_bcc=user@example.com

637

# -o smtpd_client_connection_count_limit=0

638

# -o smtpd_client_connection_rate_limit=0

639

# -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

521

640

522

641

523

642

A tip from Wietse Venema (2002-12-12):

525

644

| If you want to filter inbound SMTP mail only, then:

526

645

527

646

| /etc/postfix/main.cf:

528

| smtpd_recipient_restrictions =

647

| smtpd_recipient_restrictions =

529

648

| check_recipient_access hash:/etc/postfix/recipient_access

530

649

| ...the usual stuff here...

531

650

| reject_unauth_destination

538

657

539

658

(comment: the 'foo:bar' is what you would traditionally specify

540

659

in content_filter option, i.e. smtp-amavis:[127.0.0.1]:10024 )

541

542

543

Since Postfix snapshot 2.0.13-20030706 there is a new parameter

544

'receive_override_options' that eliminates the need for two

545

cleanup services. See SMTPD(8) man page, and README_FILES/FILTER_README

546

in the Postfix documentation

Older »