Hi,

I am explicitly copying the original authors of the threads I am referring to in this email, as I don't know if they are still monitoring the list for a solution to the problem. I would like to thank Giovanni for supplying the patch, which has now spread across the internet.

There is evidence of a critical bug in quite a few threads on this list that manifests itself in various ways. Some users have problems with DKIM signatures of outgoing mail, others with mail marked as RelayedOpenRelay in the logs. The issue is caused by Amavis not honoring the originating flag, which causes all sender addresses to be treated as "foreign", which obviously has a huge potential for breaking mail flow, especially in environments where there are multiple e-mail paths and policy banks configured.

I hit the same problem when I upgraded to 2.11.0 a few days ago and asked a similar question in a reply to an existing thread:
https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html

The same issue was described earlier in the following thread:
https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html

The original mention of this problem was made by Giovanni, who kindly provided a one-line fix for the problem:
https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html

Fedora has already fixed the issue internally and Debian has an open bug for the same:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882324
https://bugzilla.redhat.com/show_bug.cgi?id=1364730

As there has been no reaction from the developer since 2.11.0 was released (almost 2 years ago at the time of writing this email), I am sending the fix for everyone searching for solutions to the problem. I have tested the attached patch and it fixes the issue. It resolves the problems where email passing through Amavis is misclassified as the originating flag is not respected. Obviously the side effect of this is that outgoing email is not DKIM signed if Amavis is configured to do so.

This is the effect I have noticed on my system after upgrading:

Problematic log entries with 2.11.0:

amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> -> <local_address>
amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING [127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>
amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> -> <local_address>

The thing I do not understand is that the only policy bank marked as originating->0 is AM.PDP-SOCK, which in 2.11.0 is the only one that is marked LOCAL in the logs. The remaining banks mentioned in the logs above are marked originating -> 1, and are all treated as non-local.

With 2.10 (same config):

amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP <external_address> -> <local_address>,
amavis[23104]: (23104-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [78.11.15.22]:58925 [78.11.15.22] ESMTP/ESMTP <local_address> -> <external_address>
amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>

After I applied the attached patch the issue was resolved. There is literally one line that needs to be added: "$msginfo->originating(c('originating'));". It would be much appreciated if the following patch could be applied to Amavis directly without relying on various distribution maintainers to fix the problem.

--- amavisd.orig Tue Apr 26 21:24:33 2016 +++ amavisd Fri Jul 1 01:03:15 2016 
@@ -34338,6 +34329,7 @@ sub collect_some_dkim_info($) { $sig_ind++; } Amavis::load_policy_bank($_,$msginfo) for @bank_names; + $msginfo->originating(c('originating')); $msginfo->dkim_signatures_valid(\@signatures_valid) if @signatures_valid; # if (ll(5) && $sig_ind > 0) { # # show which header fields are covered by which signature Thanks, Karol -- Karol Augustin ka...@augustin.pl http://karolaugustin.pl/ +353 85 775 5312
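
Review bot: The added line `$msginfo->originating(c('originating'));` in collect_some_dkim_info has no comment saying why the flag must be re-read right after `Amavis::load_policy_bank($_,$msginfo) for @bank_names;`, so a later cleanup could drop it as redundant; a one-line comment stating that the banks just loaded may set 'originating' and the message object has to pick that value up would protect it. The hunk header `@@ -34338,6 +34329,7 @@` also has old and new start offsets nine lines apart, which means the diff was taken against a file with other changes above this point; regenerating it against the unmodified release would let it apply at the stated offset. The call is unconditional, so it also runs when @bank_names is empty; that looks harmless from these lines but is worth confirming.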
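
A log check for the symptom shown in the message, as an added example that is not part of the original e-mail or of Amavis: it flags verdict lines where the LOCAL marker disagrees with the policy bank, following the pattern in the quoted 2.10 and 2.11.0 logs. The name `find_originating_mismatches`, the token splitting, and the assumption that the bank named ORIGINATING is the one that sets originating => 1 are assumptions of this example; adjust the set to the site's configuration.

```python
import re

# Assumption: names of the policy banks that set originating => 1 at this site.
ORIGINATING_BANKS = {"ORIGINATING"}

# Matches "<action> <ccat> {Category}, <banks and markers> [client-ip" in an
# amavis verdict line, in the shape quoted in the message above.
LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) \w+ [\w-]+ "
    r"\{(?P<category>\w+)\}, (?P<flags>[^\[]*)\["
)

def find_originating_mismatches(lines, originating_banks=ORIGINATING_BANKS):
    """Return (id, category, reason) for lines whose LOCAL marker disagrees
    with whether an originating policy bank appears on the line."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a verdict line in the expected shape
        tokens = set(filter(None, re.split(r"[\s/,]+", m.group("flags"))))
        bank_is_originating = bool(tokens & set(originating_banks))
        marked_local = "LOCAL" in tokens
        if bank_is_originating and not marked_local:
            reason = "originating bank loaded but LOCAL marker missing"
        elif marked_local and not bank_is_originating:
            reason = "LOCAL marker present without an originating bank"
        else:
            continue
        findings.append((m.group("id"), m.group("category"), reason))
    return findings

# Sample input: the six log lines quoted in the message, addresses as redacted there.
LOG_2_11_0 = [
    "amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> -> <local_address>",
    "amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING [127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>",
    "amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> -> <local_address>",
]
LOG_2_10 = [
    "amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP <external_address> -> <local_address>,",
    "amavis[23104]: (23104-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [78.11.15.22]:58925 [78.11.15.22] ESMTP/ESMTP <local_address> -> <external_address>",
    "amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>",
]

if __name__ == "__main__":
    for finding in find_originating_mismatches(LOG_2_11_0 + LOG_2_10):
        print(*finding, sep="\t")
```

Run against a mail log before and after applying the fix; an unpatched 2.11.0 shows findings on every originating path, and a patched or 2.10 system shows none.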