nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Mon Dec 01, 2003 2:09 pm
Post subject: postfix - amavis - how can i disable LAN mail scanning
See topic ;p
If a client is sending an email to the internet, amavis is scanning this mail too. How can I disable it?

nat (Apprentice; joined 04 Sep 2002; posts: 205)
Posted: Mon Dec 01, 2003 7:17 pm
I don't really know how your amavis is set up, but I think you could do it by editing /etc/postfix/master.cf.
Change this line:
Code:
```
smtp      inet  n       -       -       -       -       smtpd
```
to these two:
Code:
```
<outsideip>:smtp inet  n       -       -       -       -       smtpd
<insideip>:smtp  inet  n       -       -       -       -       smtpd -o content_filter=
```
Make sure you can't reach your insideip:25 from the outside, or it could be possible to send mail bypassing the virus filter.

nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Tue Dec 02, 2003 1:35 pm
Hm.
What I can do too is connect to 10025 with the mail client, but that port is only open locally and I don't know how to open it on eth0.

nat (Apprentice; joined 04 Sep 2002; posts: 205)
Posted: Wed Dec 03, 2003 8:33 am
In your master.cf:
Code:
```
localhost:10025 inet  n       -       n       -       -       smtpd -o content_filter=
```
That means that smtpd is listening on localhost:10025 with no content filter. You could add a
Code:
```
<ip-of-eth0>:10025 inet n      -       n       -       -       smtpd -o content_filter=
```
and it would listen on port 10025 on eth0. After that you could add a forwarding rule in iptables from <ip-of-eth0>:25 to <ip-of-eth0>:10025. You could also remove localhost in the line above, but then you must make sure that the firewall blocks port 10025 from the outside.

nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Wed Dec 03, 2003 9:18 am
Yeah, I tried that already; sometimes it works and other times the connection timed out. Really strange.
Another problem is the security, because if the mail server isn't behind a firewall everyone can send mail through that port, 10025.
I was just wondering if LAN clients could send mail to port 25 without being scanned by amavis, but that isn't possible without connecting to another port, like 10025.
So I left it on localhost.

nat (Apprentice; joined 04 Sep 2002; posts: 205)
Posted: Wed Dec 03, 2003 10:45 am
Code:
```
# drop anything arriving on the outside interface for the reinjection port
iptables -A INPUT -i eth1 -p tcp --dport 10025 -j DROP
```
or something like that should drop connections from eth1 (I guess that's your outside interface?) destined for port 10025.
But...
nat wrote:
> I don't really know how your amavis is set up, but I think you could do it by editing /etc/postfix/master.cf.
> Change this line:
> Code:
> ```
> smtp      inet  n       -       -       -       -       smtpd
> ```
> to these two:
> Code:
> ```
> <outsideip>:smtp inet  n       -       -       -       -       smtpd
> <insideip>:smtp  inet  n       -       -       -       -       smtpd -o content_filter=
> ```

Doesn't that work? That should set up two smtpd listeners, one listening on the outside interface and another on the inside interface. The difference is that mail that comes in on the inside interface is not scanned (-o content_filter=).

nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Wed Dec 17, 2003 8:13 am
Heh ;]
After a while I tried this again and searched some mailing lists, but couldn't find any interesting info.
Down here I'll explain what my situation is at this moment.
Code:
```
[cloud/internet] -> firewall -> forward port 25 to .254 -> linux mail server
client > lan > port 25 mail server > default gw > [cloud/internet]
```
OK, so far it isn't hard to understand, I guess, but here it comes ;o
Now I installed another machine that will replace the current mail server. This one is installed with postfix / amavisd-new / spamassassin, and everything is working OK.
Only one thing I don't like: it's scanning client mail too. This means: when a client is sending his email outside, it's scanning for spam / viruses, and the last thing is duplicated because they have a virus scanner locally on their PC.
I read the postfix README files and ended up with README_FILTER. There I chose the part about multiple interfaces (like the posts above this one). I had forgotten that I can bind multiple IPs to one interface, so that's why I tried this again.
I bound the IPs 192.168.0.199 and 192.168.0.200.
I read a manual that said (master.cf):
Code:
```
192.168.0.199:smtp inet n -     n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
127.0.0.1:smtp     inet n -     n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
192.168.0.200:smtp inet n -     n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
```
But this didn't work for me; I get errors like "address already in use" etc.
After trying for many hours my instinct (dunno, I didn't have one) told me that
Code:
```
smtp      inet  n       -       n       -       -       smtpd -v
```
binds all addresses on port 25 etc., so I commented it out and the error was gone (I couldn't find out if this is the right way, so if it's not, please reply).
But another problem:
Code:
```
127.0.0.1:smtp     inet n -     n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
```
This doesn't open port 10025, so amavis couldn't reinject it.
I changed the whole thing now to:
Code:
```
[cloud/internet] -> firewall -> forward port 25 to .220 -> linux mail server
client > lan .199 > port 25 mail server > default gw > [cloud/internet]
```
Code:
```
#smtp      inet  n       -       n       -       -       smtpd -v
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628       inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
#qmgr      fifo  n       -       n       300     1       nqmgr
#tlsmgr    fifo  -       -       n       300     1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
# transport used by content_filter in main.cf to hand mail to amavisd-new
smtp-amavis unix -       -       y       -       2       smtp
    -o smtp_data_done_timeout=1200
# scanned listener (the firewall forwards external port 25 here)
192.168.0.220:smtp inet n -     n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
# reinjection listener for amavisd-new, loopback only, no content filter
# (the empty -o smtpd_client_restrictions= below overrides the first one)
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
# LAN listener, no content filter
192.168.0.199:smtp inet n -     n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
old-cyrus  unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
cyrus      unix  -       n       n       -       -       pipe
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp       unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
```
and in my main.cf:
Code:
```
content_filter = smtp-amavis:[127.0.0.1]:10024
```
My question is: can someone tell me if I'm doing this the right way? Maybe paste a how-to, or paste his own situation / id's. Maybe I forgot extra things under etc.
Code:
```
192.168.0.220:smtp inet n -     n       -       -       smtpd
```
My port list is:
Code:
```
tcp        0      0 *:imaps                 *:*                     LISTEN
tcp        0      0 *:pop3s                 *:*                     LISTEN
tcp        0      0 localhost:10024         *:*                     LISTEN
tcp        0      0 localhost:10025         *:*                     LISTEN
tcp        0      0 *:pop-3                 *:*                     LISTEN
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 gentoo.goor.bauhui:smtp *:*                     LISTEN
tcp        0      0 gentoo.goor.bauhui:smtp *:*                     LISTEN
```
So you ended here ;] Did I take enough time of your life? :)

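The two things that bit this thread are both visible in master.cf alone: nat's warning that a listener started with `-o content_filter=` must never be reachable from outside, and nasher's "address already in use" from leaving the wildcard `smtp inet` line in next to address-specific listeners on the same port. As an added example (not from this thread, and not Postfix's own tooling), here is a small POSIX shell plus awk audit that parses a master.cf the way master(8) reads it (an entry starts in column 1, indented lines are continuations), lists every inet listener with its content-filter state, and warns on an unfiltered listener that is not bound to loopback and on a wildcard/specific port clash. The sample master.cf is constructed from the entries posted above; the function names, the report format and the loopback-only rule are my assumptions.

```shell
#!/bin/sh
# audit_master_cf FILE: report Postfix inet listeners from a master.cf and warn on
#   (a) a listener that disables the content filter (-o content_filter=) while
#       bound to something other than loopback: a scan-bypass path if that
#       address is reachable from outside (nat's warning), and
#   (b) a wildcard listener (no address part) sharing a port with address-specific
#       listeners, which makes master(8) fail with "Address already in use".
audit_master_cf() {
    awk '
    # Emit one report line per inet entry and remember wildcard/specific ports.
    function flush(    addr, port, nofilter) {
        if (name == "" || type != "inet") return
        if (match(name, /:[^:]*$/)) {            # "addr:port" -> split at last colon
            addr = substr(name, 1, RSTART - 1); port = substr(name, RSTART + 1)
        } else {
            addr = "*"; port = name              # no address part: binds all interfaces
        }
        nofilter = (opts ~ /(^|[ \t])-o[ \t]+content_filter=([ \t]|$)/)
        printf "listener %s:%s content_filter=%s\n", addr, port, (nofilter ? "disabled" : "active")
        if (nofilter && addr != "127.0.0.1" && addr != "localhost" && addr != "[::1]")
            printf "WARN %s:%s skips the content filter and is not loopback-only\n", addr, port
        if (addr == "*") wildcard[port] = 1; else specific[port] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                              # comments, blanks
    /^[^ \t]/ { flush(); name = $1; type = $2; opts = $0; next }   # new service entry
    { opts = opts " " $0 }                                         # indented continuation
    END {
        flush()
        for (prt in wildcard)
            if (prt in specific)
                printf "WARN port %s has both a wildcard and an address-specific listener (Address already in use)\n", prt
    }' "$1"
}

# Constructed sample (assumption, modelled on the thread): the wildcard smtp line
# left in next to address-specific ones, a loopback reinjection port without
# filter, and a LAN-facing listener without filter.
sample_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd -v
smtp-amavis unix -      -       y       -       2       smtp
    -o smtp_data_done_timeout=1200
192.168.0.220:smtp inet n -     n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
192.168.0.199:smtp inet n -     n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
EOF
}

# Stand-alone run against the constructed sample; on a real box use
#   audit_master_cf /etc/postfix/master.cf
MASTER_CF=$(mktemp)
sample_master_cf > "$MASTER_CF"
audit_master_cf "$MASTER_CF"
rm -f "$MASTER_CF"
```

The check is static: it can tell you that 192.168.0.199:smtp is an unfiltered listener on a LAN address, but not whether the firewall actually drops port 25 to that address from the outside, which is the condition nat attached to the setup. On a current Postfix, `postconf -M` prints the same master.cf entries in normalized form and is a convenient input for the same audit.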
nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Fri Dec 19, 2003 9:01 am

*bump*

nat (Apprentice; joined 04 Sep 2002; posts: 205)
Posted: Fri Jan 09, 2004 3:16 pm
Sorry I haven't answered. Did you find a solution?
When looking at your setup I think I'd set up two listeners on all interfaces: no scanning on port 25, but doing the content filter on 10025.
That would be in master.cf:
Code:
```
# port 25: no content filter (LAN clients, and amavis reinjects here after scanning)
smtp       inet  n       -       n       -       -       smtpd -o content_filter=
# port 10025: uses the content_filter from main.cf; an inet service needs a numeric
# port or an /etc/services name, and smtp-amavis is not one, so give the number
10025      inet  n       -       n       -       -       smtpd
```
Then I would forward port 25 on the firewall to port 10025 on the mail server and make amavis deliver the mail to localhost:25 when scanned.

nasher (Tux's lil' helper; joined 21 Feb 2003; posts: 125)
Posted: Fri Jan 09, 2004 3:18 pm
Yep, I disabled
Code:
```
#smtp      inet  n       -       n       -       -       smtpd
```
in master.cf and added:
Code:
```
# amavis reinjection, loopback only, no content filter
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=check_relay_domains,permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
# scanned listener (content_filter from main.cf)
192.168.0.252:smtp inet n -     n       -       -       smtpd
#   -o smtpd_client_restrictions=check_relay_domains,permit_mynetworks,reject
# LAN listener, no content filter
192.168.0.254:smtp inet n -     n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
```