> > In this context what does "client" mean? So far I thought it is the
> > MTA that passes mail to check to amavisd-new. However it seems that
> > Postfix somehow forwards the address of its SMTP client and amavisd
> > selects the policy bank based on this information.
> 
> Indeed, it is the IP address of a sending host, passed by Postfix
> to amavisd via the XFORWARD command in the SMTP protocol.

Thanks for the clarification.
However, it is still a bit ambiguous. Let's assume the following
scenario:

A user sends mail from hostA. HostA passes the mail to the next MTA, hostB.
HostB asks amavisd on hostC to check the mail. In this case, which host
is the "client"? HostA or hostB?
In the logs one can find the addresses of both (%e and %a).

> > I have more than one MTA using a common spamfilter infrastructure.
> > Is there any way to configure amavisd to choose the policy bank by
> > the address of these MTAs, or do I have to make this decision based on
> > port number? (When every MTA sends mail on different ports, of course.)
> 
> True, you'd need to associate policy banks with port numbers
> and let each MTA submit to amavisd on a different port number,
> if you need to distinguish between them. It would be possible
> to achieve similar through custom hooks, but unless you have
> very many MTAs, the port-per-MTA approach is the simplest.

Yes, this afternoon I reconfigured amavisd and it worked well.
Then - understanding the "client IP address concept" - I tried
to solve last week's problem with multiple scans of the same
mail. I thought I would set up another policy bank with several bypass_*
config variables.

@client_ipaddr_policy= (
        [qw(
                <MTA1_IPV4>
                [<MTA1_IPV6>]
                <MTA2_IPV4>
                [<MTA2_IPV6>]
        )] => 'TRUSTED',
        \...@mynetworks=> 'MYNETS',
);

$policy_bank{TRUSTED} = {
        bypass_banned_checks_maps => [ 1 ],
        bypass_spam_checks_maps => [ 1 ],
        bypass_virus_checks_maps => [ 1 ],
        bypass_header_checks_maps => [ 1 ],
};

My test mails from MTA0 went through MTA1, MTA2, and MTA1 again
and back to MTA0. MTA1 and MTA2 are configured to use the amavisd service.
Amavisd received them 3 times. I expected that an effective scan
would be done the first time only, because when the MTAs receive a message
from each other the partner's address will be found in
@client_ipaddr_policy. However, the result is: scan, scan, no scan.
That is quite strange.

Rough log entries:

...Passed CLEAN [IPv6:<MTA0_IPV6>] [IPv6:<MTA0_IPV6>] <My address> -> <Mailing list address>, ..., Hits: -3.107,... 3027 ms

...Passed CLEAN, NO_DSN [<MTA1_IPV6>] [IPv6:<MTA0_IPV6>] <My address> -> <Mailing list address>, ..., Hits: -1.307,... 2325 ms

...Passed CLEAN, TRUSTED [IPv6:MTA2_IPv6] [IPv6:<MTA0_IPV6>] <List-bounce address> -> <My address>, ..., Hits: -,... 199 ms

Note that the "IPV6:" prefix is missing from the second entry.

NO_DSN is the name of a port-based policy bank. As far as I can understand,
both address-based and port-based policies may be in effect at the same time.
However, TRUSTED is ineffective at the second step.

I have no idea.  Any advice will be appreciated. :-)

Gabor
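
An added example, not part of the original message and not amavisd code: a small log audit that lists which policy banks each "Passed" entry loaded and flags clients on the TRUSTED list that were scanned anyway. It assumes the first bracketed address is the SMTP client address and that "Hits: -" means no spam score was computed, as in the entries above; the addresses and log lines are constructed stand-ins for the placeholders in the message.

```python
import ipaddress
import re

# Constructed stand-ins for <MTA1_IPV6> and <MTA2_IPV6> (documentation range).
TRUSTED_CLIENTS = {ipaddress.ip_address(a) for a in ("2001:db8::1", "2001:db8::2")}

# Rough shape of the entries quoted above:
#   Passed CLEAN[, BANK...] [client] [origin] <sender> -> <rcpt>, ..., Hits: N
LINE_RE = re.compile(
    r"Passed (?P<verdict>\w+)(?P<banks>(?:, \w+)*) "
    r"\[(?P<client>[^\]]+)\] \[(?P<origin>[^\]]+)\] .*?Hits: (?P<hits>-?[\d.]*)"
)

def norm(addr):
    """Strip an optional 'IPv6:' tag and parse, so textual variants compare equal."""
    return ipaddress.ip_address(re.sub(r"(?i)^ipv6:", "", addr.strip()))

def audit(lines):
    """Return one dict per 'Passed' entry; 'mismatch' marks a listed client without TRUSTED."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        banks = [b for b in m["banks"].split(", ") if b]
        client = norm(m["client"])
        listed = client in TRUSTED_CLIENTS
        scanned = m["hits"] not in ("", "-")  # assumption: '-' means no score computed
        out.append({
            "client": str(client), "banks": banks, "listed": listed,
            "scanned": scanned,
            "mismatch": listed and "TRUSTED" not in banks,
        })
    return out

# Constructed sample lines modelled on the three entries in the message.
SAMPLE = [
    "Passed CLEAN [IPv6:2001:db8::10] [IPv6:2001:db8::10] <me@example.org> -> <list@example.net>, Hits: -3.107, 3027 ms",
    "Passed CLEAN, NO_DSN [2001:db8::1] [IPv6:2001:db8::10] <me@example.org> -> <list@example.net>, Hits: -1.307, 2325 ms",
    "Passed CLEAN, TRUSTED [IPv6:2001:db8::2] [IPv6:2001:db8::10] <bounce@example.net> -> <me@example.org>, Hits: -, 199 ms",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Because a bank such as TRUSTED turns off every check, the same report run over a full log also shows exactly which client addresses are getting mail through unscanned.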

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 Please visit http://www.ijs.si/software/amavisd/ regularly
 For administrativa requests please send email to rainer at openantivirus dot org
