On Wed, 15 Jan 2020 at 16:50, Simon B <[email protected]> wrote:
> On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa <[email protected]> wrote:
> >
> > On 15.01.2020 at 17:26:48 Simon B writes:
> > >
> > > Amavis listens on 10024, and postfix listens on 10025
> > >
> > > That means mail comes in on 587, it goes to amavis on 10024 and comes
> > > back on 10025 before going out.
> > [...]
> > > and mail is flowing. I am not happy since the solution to the
> > > original problem has been to make smtpd_helo_restrictions=permit and
> > > even though it's internal we operate a zero-trust policy, and "permit"
> > > is not that.
> >
> > Does Amavis actually connect to 127.0.0.1 when injecting mail back to
> > Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
> >
> > It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
> > IP on your server - then you need to put that IP in $mynetworks too, or
> > reconfigure Amavis so that it connects to 127.0.0.1
>
> I don't know where else it could connect... In master.cf it is defined
>
> 119 #The amavis reciever
> 120 127.0.0.1:10025 inet n - - - - smtpd
>
> > If it works with "permit", it should also work with "permit_mynetworks",
> > provided that the value of $mynetworks includes the actual IP Amavis is
> > connecting to.
>
> it should, but it isn't - hence the reason I have asked here for help.
>
> # postconf -n | grep -n mynetworks
> 36:mynetworks = 127.0.0.0/8, [::1]/128
> 37:mynetworks_style = host

Try removing 'mynetworks' from definitions since it overwrites 'mynetworks_style=host' which should already restrict the definition of mynetworks to the local machine (and might do so in a more correct way?)

Try adding 'reject' after 'permit_mynetworks' at the end of one of the restriction lists (for smtpd-from-amavis) e.g. smtpd_client_restrictions - this gives you the full protection
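The reinjection listener the reply is talking about, written out as an added master.cf example; this is not the original poster's configuration nor anything from the thread beyond the 127.0.0.1:10025 listener itself. The "weak" entry reproduces the smtpd_helo_restrictions=permit workaround described above; the hardened entry follows the usual amavisd-new reinjection pattern, and pins mynetworks on the listener so the global mynetworks/mynetworks_style question no longer matters for that service. The other -o values (content_filter, receive_override_options, error limits) are assumptions about a typical content-filter setup, not settings taken from the thread.

```conf
# --- Weak: the workaround from the thread (added example, assumed layout) ---
# Any client that can reach 127.0.0.1:10025 passes the HELO stage unconditionally,
# and the other restriction lists are still the global ones.
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_helo_restrictions=permit

# --- Hardened: same listener, only loopback may reinject (added example) ---
127.0.0.1:10025 inet n - n - - smtpd
    # never send reinjected mail back through amavis (mail loop)
    -o content_filter=
    # evaluate restrictions at connect time instead of after RCPT TO
    -o smtpd_delay_reject=no
    # the only positive decision: client is in the per-listener mynetworks;
    # the trailing reject closes the list instead of falling through to "permit"
    -o smtpd_client_restrictions=permit_mynetworks,reject
    # HELO/sender checks are empty here: they were already applied on 587
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    # per-service value; overrides main.cf mynetworks and mynetworks_style
    # for this listener only, so it does not depend on which one wins globally
    -o mynetworks=127.0.0.0/8
    # do not rate-limit or tarpit the local filter
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    # header/body checks and unknown-recipient checks already ran on 587
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
```

Two points worth checking after editing: first, in Postfix an explicit mynetworks setting always takes precedence over mynetworks_style, which is why the reply suggests dropping one of the two in main.cf; the per-listener override sidesteps that entirely. Second, `postconf -Mf` prints every master.cf entry with its -o overrides on separate lines, which makes it easy to confirm that the 10025 service really carries the permit_mynetworks,reject lists and not the global defaults. If amavis should turn out to reinject from an address other than 127.0.0.1, the listener's mynetworks value (not the global one) is where that address would have to be added.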
