diff --git a/install_amavis.sh b/install_amavis.sh
index 83ab1db..63d7604 100755
--- a/install_amavis.sh
+++ b/install_amavis.sh
@@ -4923,36 +4923,50 @@ else fi +## - Provide an 'After-queue filter' (classic content filter): +## - +## - - The external sender communicates with port 25. +## - - Postfix accepts the email and initially places it in the queue. +## - - Postfix then forwards the email to Amavis (10024). +## - - Amavis returns it to Postfix (typically on 10025). +## - +## - Advantage: +## - Port 25 is 'normal Postfix SMTP' +## - -> Milters (OpenDMARC/OpenDKIM verify) access port 25 cleanly +## - -> DMARC reject happens in the SMTP dialog (if you set it up that way +## - and the checks pass 'pre-queue') +## - +## - Disadvantage: +## - Some types of rejections may no longer happen 'before queue', but only later +## - (depending on the type of check) +## - +## - ## - Set up /etc/postfix/master ## - -## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter +## - Forward emails to amavis using "After-Queue-Filter" Option content_filter ## - -## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to -## - forward to amavis service on localhost port 10024) and for "content_filter" -## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service +## - edit /etc/postfix/master.cf and add flags for "content_filter" (to +## - forward to amavis service on localhost port 10024) ## - ## - smtp inet n - - - - smtpd -## - -o smtpd_proxy_filter=127.0.0.1:10024 -## - -o content_filter= +## - -o content_filter=amavisfeed:[127.0.0.1]:10024 ## - -## - take care, that, in case NOT to reject, amavis fowards the mail to the -## - MTA (Postfix) for delivering. To avoid loops in checking, install a -## - (Postfix) smtpd service on a local Port (10025) without checking anymore +## - !! Noticw !! 
+## - - take care localhost:10025 has empty 'content_filter' ## - -## - to do this edit /etc/postfix/master.cf and add service: -## - -## - localhost:10025 inet n - - - - smtpd -## - -o content_filter= -## - -o smtpd_proxy_filter= -## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -## - -o smtpd_client_restrictions= -## - -o smtpd_helo_restrictions= -## - -o smtpd_sender_restrictions= -## - -o smtpd_recipient_restrictions=permit_mynetworks,reject -## - -o smtpd_data_restrictions= -## - -o mynetworks=127.0.0.0/8,[::1]/128,<$_ipv4_address/32> -## - -o receive_override_options=no_unknown_recipient_checks +## - localhost:10025 inet n - y - - smtpd +## - -o content_filter= +## - -o smtpd_proxy_filter= +## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 +## - -o smtpd_client_restrictions= +## - -o smtpd_helo_restrictions= +## - -o smtpd_sender_restrictions= +## - -o smtpd_recipient_restrictions=permit_mynetworks,reject +## - -o smtpd_data_restrictions= +## - -o mynetworks=127.0.0.0/8,[::1]/128 +## - -o receive_override_options=no_unknown_recipient_checks ## - +## - - take care not to have 'content_filter' set im main.cf postfix_master_cf="/etc/postfix/master.cf" echo "" echononl " Backup file \"${postfix_master_cf}\"" @@ -5004,10 +5018,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do _found=true cat >> $postfix_master_cf << EOF smtp inet n - y - - smtpd - -o smtpd_proxy_filter=127.0.0.1:10024 - -o content_filter= - -o smtpd_milters= - -o non_smtpd_milters= + -o content_filter=amavisfeed:[127.0.0.1]:10024 EOF if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then cat >> $postfix_master_cf << EOF @@ -5031,7 +5042,8 @@ localhost:10025 inet n - y - - smtpd EOF if [[-n "$(which opendmarc)" ]] ; then cat >> $postfix_master_cf << EOF - -o smtpd_milters=local:/opendmarc/opendmarc.sock + # IMPORTANT: no opendmarc here! + #-o smtpd_milters=local:/opendmarc/opendmarc.sock EOF fi cat >> $postfix_master_cf << EOF 
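Review bot: Two typos in the added comment block: `## - !! Noticw !!` should read `## - !! Notice !!` and `## - - take care not to have 'content_filter' set im main.cf` should read `set in main.cf`. The "Disadvantage" paragraph would be more useful to an operator if it also stated the consequence it implies: once the message is accepted into the queue, amavis can no longer reject it in the SMTP dialog, so what happens on a virus/spam/banned hit is decided entirely by amavis's own policy (its final_*_destiny settings, presumably), and a bounce there becomes backscatter to forged senders. A sentence such as `## - -> with an after-queue filter, make sure amavis discards/quarantines rather than bounces` would close that gap; the values themselves are not visible in this hunk, so confirm against the amavis configuration this script writes.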
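Review bot: The port-25 `smtp` service now gets `-o content_filter=amavisfeed:[127.0.0.1]:10024` but no `receive_override_options`; Postfix's FILTER_README pairs a per-service content_filter with `-o receive_override_options=no_address_mappings` so that canonical/virtual/bcc address mapping is performed once, on reinjection via localhost:10025, rather than both before and after amavis (which can duplicate bcc copies). Consider adding that option to this heredoc and to the `${additional_smtp_port}` service in the `@@ -5047` hunk, which makes the same change. The enclosing `while IFS='' read -r _line` loop starts before this hunk, and `cat >> $postfix_master_cf` leaves the target path unquoted throughout, which ShellCheck would flag.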
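Review bot: Writing `#-o smtpd_milters=local:/opendmarc/opendmarc.sock` as a comment into the localhost:10025 service does not switch milters off there: a per-service `-o` only overrides main.cf, and if main.cf defines `smtpd_milters` (not visible in this diff) the reinjection smtpd still runs OpenDMARC/OpenDKIM on mail amavis has already handled, which is exactly what the "IMPORTANT: no opendmarc here!" comment is trying to prevent. The effective form is an explicit empty override, `-o smtpd_milters=` (or `no_milters` added to the service's `receive_override_options`), emitted unconditionally rather than inside the opendmarc check. The same pattern recurs in the `@@ -5095`, `@@ -5152` and `@@ -5191` hunks. Separately, the context line `if [[-n "$(which opendmarc)" ]] ; then` in this hunk lacks the space after `[[`; as rendered here bash would look for a command named `[[-n`, so the block is silently skipped, and `command -v opendmarc` would be the portable test.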
@@ -5047,8 +5059,7 @@ EOF _found=true cat >> $postfix_master_cf << EOF ${additional_smtp_port} inet n - y - - smtpd - -o smtpd_proxy_filter=127.0.0.1:10024 - -o content_filter= + -o content_filter=amavisfeed:[127.0.0.1]:10024 EOF if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then cat >> $postfix_master_cf << EOF @@ -5073,11 +5084,9 @@ EOF if [[ -n "$(which opendkim)" ]] ; then cat >> $postfix_master_cf << EOF -o smtpd_milters=local:/opendkim/opendkim.sock + -o milter_macro_daemon_name=ORIGINATING EOF fi - cat >> $postfix_master_cf << EOF - #-o milter_macro_daemon_name=ORIGINATING -EOF if ! $smtps_present ; then if ! $localhost_10025_present ; then cat >> $postfix_master_cf << EOF @@ -5095,12 +5104,10 @@ localhost:10025 inet n - y - - smtpd EOF if [[ -n "$(which opendmarc)" ]] ; then cat >> $postfix_master_cf << EOF - -o smtpd_milters=local:/opendmarc/opendmarc.sock + # IMPORTANT: no opendmarc here! + #-o smtpd_milters=local:/opendmarc/opendmarc.sock EOF fi - cat >> $postfix_master_cf << EOF - #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32 -EOF fi if ! $amavisfeed_present ; then @@ -5130,11 +5137,9 @@ EOF if [[ -n "$(which opendkim)" ]] ; then cat >> $postfix_master_cf << EOF -o smtpd_milters=local:/opendkim/opendkim.sock + -o milter_macro_daemon_name=ORIGINATING EOF fi - cat >> $postfix_master_cf << EOF - #-o milter_macro_daemon_name=ORIGINATING -EOF if ! $localhost_10025_present ; then cat >> $postfix_master_cf << EOF @@ -5152,12 +5157,10 @@ localhost:10025 inet n - y - - smtpd EOF if [[ -n "$(which opendmarc)" ]] ; then cat >> $postfix_master_cf << EOF - -o smtpd_milters=local:/opendmarc/opendmarc.sock + # IMPORTANT: no opendmarc here! + #-o smtpd_milters=local:/opendmarc/opendmarc.sock EOF fi - cat >> $postfix_master_cf << EOF - #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32 -EOF fi if ! $amavisfeed_present ; then 
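Review bot: In the `@@ -5073` hunk, `-o milter_macro_daemon_name=ORIGINATING` only changes what OpenDKIM does if the OpenDKIM configuration is set to sign mail carrying that daemon name (its `MTA` option, presumably); nothing in this diff shows that side being configured, so please confirm the opendkim.conf this script installs lists `ORIGINATING`, otherwise the line is inert and submission mail stays unsigned. The same addition appears in the `@@ -5130` hunk. A one-line comment in the heredoc, `# signed by OpenDKIM: requires 'MTA ORIGINATING' in opendkim.conf`, would make the dependency visible to whoever maintains master.cf later.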
@@ -5191,12 +5194,10 @@ localhost:10025 inet n - y - - smtpd EOF if [[ -n "$(which opendmarc)" ]] ; then cat >> $postfix_master_cf << EOF - -o smtpd_milters=local:/opendmarc/opendmarc.sock + # IMPORTANT: no opendmarc here! + #-o smtpd_milters=local:/opendmarc/opendmarc.sock EOF fi - cat >> $postfix_master_cf << EOF - #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32 -EOF continue fi