Good morning,
Could it perhaps be that Amavis is not storing the XCLIENT variable LOGIN
(http://www.postfix.org/XCLIENT_README.html) in mail_via_smtp(), where it
should handle the LOGIN XCLIENT attribute?
  my(@params) = map {
    my($n,$v) = @$_;
    # Postfix since version 20060610 uses xtext-encoded (RFC 3461)
    # strings in XCLIENT and XFORWARD attribute values, previous
    # versions expected plain text with neutered special characters;
    # see README_FILES/XFORWARD_README
    if (defined $v && $v ne '') {
      $v =~ s/[^\041-\176]/?/gs;   # isprint
      $v =~ s/[<>()\\";\@]/?/gs;   # other chars that are special in hdrs
                                   # postfix/src/smtpd/smtpd.c NEUTER_CHARACTERS
      $v = xtext_encode($v);
      substr($v,255) = '' if length($v) > 255;  # chop xtext, not nice
    }
    !defined $v || $v eq '' || !$xfwd_supp_opt{$n} ? () : ("$n=$v")
  } ( ['ADDR',$cl_ip],
      ['NAME',$msginfo->client_name],
      ['PORT',$msginfo->client_port],
      ['PROTO',$msginfo->client_proto],
      ['HELO',$msginfo->client_helo],
      ['SOURCE',$msginfo->client_source],
      ['IDENT',$msginfo->queue_id] );
Perhaps it needs a:
      ['LOGIN',$msginfo->auth_user]
and then, through XCLIENT or XFORWARD, Amavis would send the LOGIN parameter
back to the receiving Postfix smtpd instance, so that it (the original
sasl_username) is received in the Postfix smtpd receiving instance through
XCLIENT?
What do you think? Perhaps it has not been considered for some reason?
Cheers,
---
EGOITZ AURREKOETXEA
Systems Dept.
944 209 470
Parque Tecnológico. Edificio 103
48170 Zamudio (Bizkaia)
[email protected]
www.sarenet.es [1]
Before printing this e-mail, consider whether it is really necessary.
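As an added example (not code from this thread or from amavisd), the following Python model reproduces what the quoted amavisd map does with each attribute value (neutering, RFC 3461 xtext encoding, the 255-character chop, skipping attributes the server did not advertise), extended with the LOGIN attribute proposed above and with the decoding a receiving smtpd performs. It assumes the attribute sets documented in Postfix's XCLIENT_README and XFORWARD_README; the session values are constructed.

```python
import re

# Attributes Postfix accepts on each command (XCLIENT_README / XFORWARD_README).
# LOGIN (the SASL login name) exists only in XCLIENT, so a content filter that
# re-injects with XFORWARD has no attribute through which to return it.
XCLIENT_ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "LOGIN", "DESTADDR", "DESTPORT")
XFORWARD_ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "IDENT", "SOURCE")

def xtext_encode(value: str) -> str:
    """RFC 3461 xtext: printable ASCII except '+' and '=' is kept, all else becomes +HH."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E and b not in (0x2B, 0x3D) else "+%02X" % b
                   for b in value.encode("utf-8"))

def xtext_decode(text: str) -> str:
    """Inverse of xtext_encode (what the receiving smtpd does with each value)."""
    raw = re.sub(rb"\+([0-9A-F]{2})", lambda m: bytes([int(m.group(1), 16)]), text.encode("ascii"))
    return raw.decode("utf-8", errors="replace")

def neuter(value: str) -> str:
    """The same two substitutions the quoted amavisd map applies before encoding."""
    value = re.sub(r"[^\x21-\x7e]", "?", value)
    return re.sub(r'[<>()\\";@]', "?", value)

def build_command(verb: str, attrs: dict, server_supported: set) -> str:
    """Build one XCLIENT/XFORWARD line like the amavisd map: drop empty or
    unadvertised attributes, xtext-encode, chop at 255 characters. LOGIN is
    deliberately not neutered here (my choice, not amavisd's): the neuter()
    step would turn 'user@example.org' into 'user?example.org'."""
    valid = XCLIENT_ATTRS if verb == "XCLIENT" else XFORWARD_ATTRS
    params = []
    for name in valid:
        v = attrs.get(name)
        if not v or name not in server_supported:
            continue
        enc = xtext_encode(v if name == "LOGIN" else neuter(v))[:255]
        params.append("%s=%s" % (name, enc))
    return "%s %s" % (verb, " ".join(params)) if params else ""

def parse_command(line: str) -> dict:
    """Receiving side: 'XCLIENT A=b C=d' -> {'A': 'b', 'C': 'd'} with values decoded."""
    rest = line.partition(" ")[2]
    return {n.upper(): xtext_decode(e) for n, _, e in (p.partition("=") for p in rest.split())}

# Constructed sample session, as the filter would know it from the first smtpd.
SESSION = {"ADDR": "192.0.2.25", "NAME": "mua.example.org", "PROTO": "ESMTP",
           "HELO": "mua.example.org", "LOGIN": "egoitz@example.org", "IDENT": "ABC123"}

if __name__ == "__main__":
    print(build_command("XCLIENT", SESSION, set(XCLIENT_ATTRS)))   # carries LOGIN
    print(build_command("XFORWARD", SESSION, set(XFORWARD_ATTRS)))  # cannot carry LOGIN
```

The receiving smtpd only acts on these attributes when the sending host is listed in its smtpd_authorized_xclient_hosts (or smtpd_authorized_xforward_hosts), which is what keeps an arbitrary client from asserting a LOGIN value.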
On 2021-05-20 09:38, Egoitz Aurrekoetxea wrote:
> Good morning,
>
> I was trying to implement different policy banks in a testing env, in order
> to get:
>
> + Policy bank (FROM-THE-REST-OF-THE-INTERNET) -> Incoming external mail (from
> the Internet in general) to be always tagged with a modified version of Anomy
> Sanitizer and scanned to clean viruses and spam.
>
> + Policy bank (COMING-FROM-CUSTOMER-1 OR COMING-FROM-CUSTOMER-2) -> Incoming
> mail coming from well-known IPs, to be tagged with Anomy Sanitizer just in
> case the email goes to a domain that is not one of the domains that go out
> through those well-known IPs. For instance, it comes from the IPs of
> customer1.net and goes to the customer2.net domain, then tag with Anomy
> Sanitizer just for that "non customer1.net domain".
>
> + Policy bank (OUTGOING-SIGN) -> Outgoing mail generated by a MUA that will
> have previously been authenticated, to be signed with DKIM and to have a
> disclaimer set with Altermime. I have created a dedicated port for this policy
> bank.
>
> I'm sending mail traffic to Amavis using the XCLIENT extension
> (http://www.postfix.org/XCLIENT_README.html) and it seems that Amavis is
> identifying properly (based on the source IP that connected to Postfix and was
> transferred to Amavis with XCLIENT) which policy bank should apply to each
> mail. It's still not working totally (the maps, the Sanitizer part and so on
> in each policy bank...), because I assume I have entered some config variable
> incorrectly, perhaps in the hash of the config of the policy bank, but that is
> not worrying me at present.
>
> BUT, I have a big problem that I am not able to get solved for just outgoing
> mail (third commented case). In the Postfix smtpd instance that receives the
> mail returned by Amavisd, I need the original SASL user to be passed with
> XCLIENT. The reason for this is that, depending on the SASL authenticated
> user (in Postfix, prior to Amavis, an authenticated MUA), I need to apply
> its corresponding FILTER action in Postfix (yes, even if it has returned from
> Amavis and we are in the smtpd where we receive the traffic returned to
> Postfix by Amavis), in the smtpd instance where Amavis is returning
> scanned/tagged/signed traffic. I'm not able to receive that sasl_username
> with XCLIENT back from Amavis in the smtpd returning instance. Is it possible
> to do that? I receive other XCLIENT params, like (in this case) the Postfix
> IP that fed Amavisd, but I need the sasl_username the MUA used.
>
> I know I could tell Postfix to insert a header in the message with the
> authenticated user once a user authenticates, but I prefer not to do it
> because it could be faked.
>
> I have seen that Amavis has or had the possibility of authenticating to the
> returning smtpd instance (that could be OK too... in case Amavisd XCLIENT
> does not pass sasl_username to the returning smtpd instance), but I have seen
> it commented out in the Amavisd code in the mail_via_smtp function. Concretely:
>
>   $auth_capable = 1;
>   # my $sasl = Authen::SASL->new(
>   #   'callback' => { 'user' => $auth_user, 'authname' => $auth_user,
>   #                   'pass' => $msginfo->auth_pass });
>   # $smtp_handle->auth($sasl) or die "sending AUTH, user=$auth_user\n";  #flush
>   do_log(0,"Sorry, AUTH not supported in this version of amavisd!");
>   section_time($which_section);
>
> So, is it possible, in some manner, to receive in the Postfix smtpd instance
> where you receive the traffic returned from Amavisd, the sasl_username with
> which Postfix authenticated the user to allow sending that email, now coming
> tagged/signed/whatever from Amavis?
>
> I paste the config I created below in case it could help.
>
> Very thankful for your time :)
>
> Best regards,
>
> ============================================================================================================================================
>
>
> $interface_policy{'10025'} = 'OUTGOING-SIGN';
>
> @client_ipaddr_policy = (
>   [qw(192.168.14.10)] => 'COMING-FROM-CUSTOMER-1',
>   [qw(192.168.14.11)] => 'COMING-FROM-CUSTOMER-2',
>   [qw(192.168.14.12)] => 'COMING-FROM-CUSTOMER-3',
>   [qw(0.0.0.0)]       => 'FROM-THE-REST-OF-THE-INTERNET',
> );
>
> $policy_bank{'FROM-THE-REST-OF-THE-INTERNET'} = {
>   forward_method         => 'smtp:*:10026',
>   enable_anomy_sanitizer => 1,
>   anomy_sanitizer_args   => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam            => 1,
>   defang_maps_by_ccat    => [ {
>     'CC_CLEAN'  => { '@.' => 'anomy' },
>     'CC_SPAM'   => { '@.' => 'anomy' },
>     'CC_BANNED' => { '@.' => 'anomy' },
>     'CC_VIRUS'  => { '@.' => 'anomy' },
>   } ],
> };
>
> $policy_bank{'COMING-FROM-CUSTOMER-1'} = {
>   forward_method            => 'smtp:*:10026',
>   # '@.' => 1 gives the lookup a true value; a bare { '@.' } yields undef (no bypass)
>   bypass_spam_checks_maps   => [ { '@.' => 1 } ],
>   bypass_banned_checks_maps => [ { '@.' => 1 } ],
>   enable_anomy_sanitizer    => 1,
>   anomy_sanitizer_args      => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam               => 1,
>   defang_maps_by_ccat       => [ {
>     'CC_CLEAN'  => { '@.' => 'anomy', '@ramattack.net' => '' },
>     'CC_SPAM'   => { '@.' => 'anomy', '@ramattack.net' => '' },
>     'CC_BANNED' => { '@.' => 'anomy', '@ramattack.net' => '' },
>     'CC_VIRUS'  => { '@.' => 'anomy', '@ramattack.net' => '' },
>   } ],
>   dkim_signature_options_bysender_maps => [ { } ],
> };
>
> $policy_bank{'COMING-FROM-CUSTOMER-2'} = {
>   forward_method            => 'smtp:*:10026',
>   bypass_spam_checks_maps   => [ { '@.' => 1 } ],
>   bypass_banned_checks_maps => [ { '@.' => 1 } ],
>   enable_anomy_sanitizer    => 1,
>   anomy_sanitizer_args      => [ [qw(/usr/local/etc/sanitizer.cfg)] ],
>   defang_spam               => 1,
>   defang_maps_by_ccat       => [ {
>     'CC_CLEAN'  => { '@.' => 'anomy', '@sarenet.es' => '' },
>     'CC_SPAM'   => { '@.' => 'anomy', '@sarenet.es' => '' },
>     'CC_BANNED' => { '@.' => 'anomy', '@sarenet.es' => '' },  # key was missing its '@'
>     'CC_VIRUS'  => { '@.' => 'anomy', '@sarenet.es' => '' },
>   } ],
>   dkim_signature_options_bysender_maps => [ { } ],
> };
>
> $policy_bank{'OUTGOING-SIGN'} = {
>   forward_method            => 'smtp:*:10027',  # was "$forward_method = ...", not a valid hash entry
>   bypass_spam_checks_maps   => [ { '@.' => 1 } ],
>   bypass_banned_checks_maps => [ { '@.' => 1 } ],
>   enable_anomy_sanitizer    => 0,
>   altermime                 => '/usr/bin/altermime',
>   altermime_args_disclaimer => [ [qw(--verbose
>     --disclaimer=/etc/firmas_corporativas/disclaimer-_OPTION_.txt
>     --disclaimer-html=/etc/firmas_corporativas/disclaimer-_OPTION_.html)] ],
>   defang_maps_by_ccat       => [ { 'CC_CATCHALL' => { '@.' => 'disclaimer' } } ],
>   disclaimer_options_bysender_maps => [ {
>     'sarenet.es'    => 'sarenet.es',
>     'ramattack.net' => 'ramattack.net',
>   } ],
>   allow_disclaimers         => 1,
>   dkim_signature_options_bysender_maps => [ {
>     'sarenet.es'    => { ttl => 21*24*3600, c => 'simple/simple' },
>     'ramattack.net' => { ttl => 21*24*3600, c => 'simple/simple' },
>   } ],
> };
>
> ============================================================================================================================================
>
>
Links:
------
[1] http://www.sarenet.es