Postfix + Amavisd mail loop

maffo

New Member


Messages: 5

Hello all,
I'm new here and I am looking for some help in troubleshooting a mail loop on my machine.
I am running Postfix and Amavisd on FreeBSD 10.1 and I'm pretty sure the problem is just a matter of something small and stupid that I can't seem to find.
I have uploaded the contents of my main.cf, master.cf, and amavisd.conf at these links:
amavisd.conf -> http://pastebin.com/xR9jD9zn
master.cf -> http://pastebin.com/83bVEng1
main.cf -> http://pastebin.com/rZCusffJ

Here's an extract of /var/log/maillog for the last mail I tried to send to an external address (again posted on pastebin): http://pastebin.com/cWeMMEiD

I was trying to set them up in the same way as this article (https://takahisa.info/2010/03/11/setup-dkim-on-postfix-with-amavisd-new/), with DKIM signing, SpamAssassin, and ClamAV scanning controlled by Amavisd.

Any help would be greatly appreciated.

maffo

New Member


Messages: 5

Anybody please?
I'm trying different resources but I really can't get my head around it...
 

Murph

Well-Known Member

Reaction score: 183
Messages: 297

Your configuration for ports 10025 and 10027 in master.cf is incorrect. You need a much longer configuration for those ports, like the example at the bottom of your file, or the one in the Postfix FILTER_README.

As an absolute minimum, the following is mandatory:
Code:
localhost:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
localhost:10027 inet n    -       n       -       -     smtpd
    -o content_filter=

That is the absolute minimum, but is very unlikely to be sufficient for any normal use cases. It simply prevents messages relayed in on those ports from going back through the filter again. All normal use cases should have something much longer. I strongly recommend using the example in the Amavis README.postfix as a starting point (it is up to you to determine what local modifications you need beyond this, and to verify suitability for your purposes; this example is not necessarily complete):

Code:
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

You may well also want to add -o smtpd_authorized_xforward_hosts=127.0.0.0/8 to that. If you want to live in an IPv6-centric or IPv6-only world (now or in the future), you need to replace 127.0.0.1:10025 with localhost:10025 and add [::1]/128 to mynetworks and smtpd_authorized_xforward_hosts. Current signs are that IPv4 will still be heavily used for at least the next 10 years or so; so no real hurry to eliminate its use on internal services.

The two key things are that those ports need pretty much all of the normal Postfix filtering, checks, security, etc. disabled; but are bound to listen only to localhost (which normally makes remote connections impossible) and have a single security restriction to permit only localhost. They can be abused by local users (people who can run processes directly on localhost), which essentially means that Amavis is only suitable for cases where local users on the mail server itself can all be trusted. Mail users who do not have local shell access and only access the system via POP3 / IMAP / SMTP / etc. are not normally a problem, as they are normally unable to directly connect to localhost-only ports.

I strongly recommend (re-)reading FILTER_README carefully before putting this anywhere near production.
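As an added check (not part of this thread, and not a Postfix or Amavis tool), the following POSIX sh/awk script scans a master.cf for loopback-bound inet smtpd listeners that lack the empty `-o content_filter=` override described above, which is exactly the condition that sends re-injected mail back through the filter. The two master.cf fragments embedded in it are constructed samples, not the poster's pastebin files; the `/usr/local/etc/postfix/master.cf` path in the comment is the FreeBSD port's default location.

```shell
#!/bin/sh
# Added example: find re-injection listeners in a master.cf that would loop.
# A loopback-bound smtpd service without an empty "-o content_filter="
# override inherits main.cf's content_filter, so Amavis output re-enters
# the filter. Run on a live system with:
#   find_loop_listeners < /usr/local/etc/postfix/master.cf

# Constructed master.cf fragment reproducing the fault (not the poster's file):
# the 10025/10027 listeners carry no override.
BAD_MASTER_CF=$(cat <<'EOF'
# service  type  private unpriv chroot wakeup maxproc command
smtp       inet  n       -      n      -      -       smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix -       -      n      -      2       smtp
    -o smtp_data_done_timeout=1200
localhost:10025 inet n   -      n      -      -       smtpd
localhost:10027 inet n   -      n      -      -       smtpd
EOF
)

# Constructed fragment with the minimum fix applied, using both an IPv4 and
# an IPv6 loopback binding.
FIXED_MASTER_CF=$(cat <<'EOF'
smtp       inet  n       -      n      -      -       smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix -       -      n      -      2       smtp
127.0.0.1:10025 inet n   -      n      -      -       smtpd
    -o content_filter=
[::1]:10027 inet n       -      n      -      -       smtpd
    -o content_filter=
EOF
)

find_loop_listeners() {
    # Reads master.cf text on stdin; prints the name of every inet smtpd
    # service bound to a loopback address whose indented "-o" lines never
    # set content_filter to the empty value.
    awk '
    function flush() {
        if (cur != "" && reinject && !has_cf) print cur
    }
    # A service entry starts in column 1; its "-o" option lines are indented.
    /^[^ \t#]/ {
        flush()
        cur = $1
        reinject = ($2 == "inet" && $8 == "smtpd" && cur ~ /^(localhost|127\.[0-9.]+|\[::1\]):/)
        has_cf = 0
        next
    }
    # Only an override with nothing after "=" disables the filter.
    /^[ \t]+-o[ \t]+content_filter=[ \t]*$/ { has_cf = 1 }
    END { flush() }
    '
}

count_loop_listeners() {
    # Same input as find_loop_listeners; prints the number of offending services.
    find_loop_listeners | awk 'END { print NR }'
}

report() {
    # $1 = label, $2 = master.cf text
    n=$(printf '%s\n' "$2" | count_loop_listeners)
    printf '%s: %s looping listener(s)\n' "$1" "$n"
    printf '%s\n' "$2" | find_loop_listeners \
        | sed 's/^/  re-injection port without "-o content_filter=": /'
}

report "constructed broken master.cf" "$BAD_MASTER_CF"
report "constructed fixed master.cf" "$FIXED_MASTER_CF"
```

The check deliberately treats only an empty override as a fix: a line such as `-o content_filter=smtp-amavis:[127.0.0.1]:10024` on the re-injection port would still loop, so it is reported. It does not verify the rest of the recommended override set (restrictions, `mynetworks`, `receive_override_options`), which still has to be taken from README.postfix or FILTER_README.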