rosca,

> Great!!! Thanks Mark, I've read your mail carefully and so I've solved it. In
> /etc/amavisd.conf I've put
>
> $inet_socket_port = [10024,10026];
> $interface_policy{'10026'} = 'SENDERBYPASS';
> $policy_bank{'SENDERBYPASS'} = {
>         originating => 1,
> };
>
> and in /etc/postfix/main.cf I have set:
> smtpd_client_restrictions =
>     check_client_access
> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>
> where /etc/postfix/mysql-check-client-filter-access.cf:
> query = <returns 'FILTER smtp-amavis:[127.0.0.1]:10026 if ip is enabled
> for relaying, the action set in DB otherwise>

Looks alright. Besides checking the IP address, it is
usually useful to also treat authenticated roaming clients
as locals. See the approach described in:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path


> One thing that I can do after I have separated traffic originating
> inside my network, from the other traffic passing through my mail
> gateway, is to stop analysing that traffic against viruses.
>
> Indeed, I then realized that I would like to continue to scan email
> originating from my network and destined still to my network.

Why would you not want to check outbound mail for viruses?
It could prevent an internal infected host from polluting the net.
Usually performance is not of concern, as the proportion of
outbound mail is likely to be small compared to all mail.

The same often holds true for outbound spam checking, and a
benefit of checking outbound mail for spam is to provide
a good source of ham to Bayes autolearning, and again to
block an internal zombified PC from distributing spam.

> So I have thought to extend the set of restrictions for client access
> so:
>
> smtpd_client_restrictions =
>     check_client_access
> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
> ->    check_recipient_access
> proxy:mysql:/etc/postfix/mysql-relay-filter-domain.cf
>
> After I have modified the query part of 'check_client_access'
> restriction as follows:
>
> query = select IF(STRCMP(action,'OK'),action,'DUNNO') from access where
> inet_aton(ip) & inet_aton(mask) = inet_aton('%s') & inet_aton(mask)
> order by mask DESC limit 0,1;
>
> and set the query part of 'check_recipient_access' restriction as
> follows:
>
> query = select if(count(*)>0,'OK','FILTER
> smtp-amavis:[127.0.0.1]:10026') from domain where domain='%s' and
> active='1'
>
> But I haven't fully verified that this solution could be a correct
> one. Could it work? Anyway, has anyone a better solution to my latest
> issue?

You must not forget that a message can have more than one recipient,
so a message could be both internal-to-internal and outbound
at the same time. It is dangerous (and usually incorrect)
to tack a FILTER in a check_recipient_access, because these
rules are run multiple times (for each recipient), and only
the last FILTER setting remains in place. So the resulting
FILTER would depend on what was the last recipient specified
(internal or external).

  Mark
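Mark's point about multi-recipient messages, as an added example that is not part of this thread: a small Python model of how Postfix applies access-map actions at each RCPT TO, with constructed stand-ins for rosca's MySQL 'access' and 'domain' tables; the per_recipient_map function is hypothetical, added only to make the order dependence visible.

```python
import ipaddress

# Constructed stand-in for the 'access' table: (network, action).
ACCESS = [
    ("192.168.0.0/16", "FILTER smtp-amavis:[127.0.0.1]:10026"),
    ("0.0.0.0/0", "OK"),
]
LOCAL_DOMAINS = {"example.com"}   # constructed stand-in for the 'domain' table
AMAVIS_10026 = "smtp-amavis:[127.0.0.1]:10026"
AMAVIS_10024 = "smtp-amavis:[127.0.0.1]:10024"

def client_action(client_ip):
    """check_client_access query: the most specific mask wins (ORDER BY mask
    DESC) and an 'OK' row becomes DUNNO so later restrictions still run."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in ACCESS:
        net = ipaddress.ip_network(net)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is None or best[1] == "OK":
        return "DUNNO"
    return best[1]

def recipient_action(rcpt):
    """rosca's check_recipient_access query: OK for a relay domain,
    otherwise FILTER to the 10026 listener."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "OK" if domain in LOCAL_DOMAINS else "FILTER " + AMAVIS_10026

def per_recipient_map(rcpt):
    """Hypothetical map choosing a different filter per domain."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "FILTER " + (AMAVIS_10026 if domain in LOCAL_DOMAINS else AMAVIS_10024)

def effective_filter(client_ip, recipients, rcpt_map=recipient_action):
    """Model of smtpd_client_restrictions evaluated once per RCPT TO.
    A FILTER action is remembered for the whole message and evaluation
    continues; OK or REJECT end the list for that recipient. The last
    FILTER seen wins, so the result depends on recipient order."""
    content_filter = None      # None: the main.cf content_filter stays in effect
    for rcpt in recipients:
        for action in (client_action(client_ip), rcpt_map(rcpt)):
            if action.startswith("FILTER "):
                content_filter = action[len("FILTER "):]
            elif action != "DUNNO":
                break
    return content_filter
```

With rosca's own queries a single external recipient routes the whole message, internal copies included, to port 10026; with a map that returns different FILTER targets, the outcome flips with the recipient order.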

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 