Hi,
I have Debian 9 and Postfix 3.1.14. Generally, I have distributed mail
traffic over several machines:

- separately for sent mail - here I have postfix
- separately for incoming e-mails - here I have postfix + external amavis


The general outline is this:

1) mail arrives at postfix
2) postfix transfers it to Amavis
    - it really is a local haproxy which directs to one of three amavis

3) mail returns from amavis on a given ip: port (which is filtered from
outside the firewall)
4) using LMTP to dovecot cluster and then to maildirs and then to sieve
      virtual_transport = lmtp:inet:10.0.100.5:24




Some of my restrictions:
smtpd_client_restrictions =
# local map with hosts and networks which must go to amavis or bypass amavis
        check_client_access cidr:/etc/postfix/amavis_bypass,
        reject_unauth_pipelining,
        permit

/etc/postfix/amavis_bypass

#without amavis
86.xxx.xxx.0/24 OK
89.xxx.xxx.0/24 Ok
10.0.100.21/32 OK
10.0.100.22/32 OK
10.0.100.23/32 OK
10.0.100.24/32 OK
10.0.100.25/32 OK
89.206.41.19/32 OK
#other go to amavis
0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628



master.cf:
smtp-amavis     unix    -       -       -       -       80       smtp
        -o smtp_data_done_timeout=6000s
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes

#80 connections - and in my amavis I have 90 (10+overtime)


#returns from amavis  IP .199

86.xxx.xxx.199:10027 inet n  -   n   -   -      smtpd
    -o smtpd_proxy_timeout=900s
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=10.0.100.0/24,86.xxx.xxx.199/32,
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings


All works fine, but sometimes my "users" use mail forwarding .... In
that forwarding they have (100-200 emails) like

u...@domain1.ltd ---> us...@domain1.ltd, us...@domain1.ltd,
u...@domain2.ltd, us...@domainx.ltd

And all forward e-mail was "releback" in smtp and go to amavis.

In amavis I get:

Apr 16 15:11:11 amavis2 amavis[10499]: (10499-01) ESMTP
[86.xxx.xxx.155]:10628
/var/amavis/tmp/amavis-20200416T151111-10499-r3E5zU6i: <na...@epf.pl> ->
<us...@domain1.ltd>,<use...@domain1.ltd>,<use...@domain1.ltd>,<use...@domain1.ltd>,<us...@domain12.ltd>,<us...@domain1.ltd>
SIZE=2129 BODY=7BIT Received: from myserver.domainltd.pl
([86.xxx.xxx.199]) by localhost (amavis2.localdomain [86.xxx.xxx.155])
(amavisd-new, port 10628) with ESMTP; Thu, 16 Apr 2020 15:11:11 +0200 (CEST)


Apr 16 15:11:11 amavis2 amavis[10499]: (10499-01) spam_scan:
score=-0.198 autolearn=no autolearn_force=no
tests=[BAYES_00=-1.9,DCC_REPUT_70_89=0.1,HTML_IMAGE_RATIO_06=0.001,HTML_MESSAGE=0.001,IQ_EMAIL_KASA_2=0.5,RCVD_IN_DNSWL_NONE=-0.0001,SUBJ_ALL_CAPS=0.5,UNIVERSAL_HTMLv20160523_1=0.1,UNIVERSAL_HTMLv20160523_2=0.1,UNIVERSAL_HTMLv20160523_3=0.1,UNIVERSAL_HTMLv20160523_5=0.1,URIBL_BLOCKED=0.2]
recips=22
Apr 16 15:11:11 amavis2 amavis[10499]: (10499-01) spam_scan:
score=-0.198 autolearn=no autolearn_force=no
tests=[BAYES_00=-1.9,DCC_REPUT_70_89=0.1,HTML_IMAGE_RATIO_06=0.001,HTML_MESSAGE=0.001,IQ_EMAIL_KASA_2=0.5,RCVD_IN_DNSWL_NONE=-0.0001,SUBJ_ALL_CAPS=0.5,UNIVERSAL_HTMLv20160523_1=0.1,UNIVERSAL_HTMLv20160523_2=0.1,UNIVERSAL_HTMLv20160523_3=0.1,UNIVERSAL_HTMLv20160523_5=0.1,URIBL_BLOCKED=0.2]
recips=4
Apr 16 15:11:11 amavis2 amavis[10499]: (10499-01)  spam_scan:
score=-0.198 autolearn=no autolearn_force=no
tests=[BAYES_00=-1.9,DCC_REPUT_70_89=0.1,HTML_IMAGE_RATIO_06=0.001,HTML_MESSAGE=0.001,IQ_EMAIL_KASA_2=0.5,RCVD_IN_DNSWL_NONE=-0.0001,SUBJ_ALL_CAPS=0.5,UNIVERSAL_HTMLv20160523_1=0.1,UNIVERSAL_HTMLv20160523_2=0.1,UNIVERSAL_HTMLv20160523_3=0.1,UNIVERSAL_HTMLv20160523_5=0.1,URIBL_BLOCKED=0.2]
recips=82
Apr 16 15:11:11 amavis2 amavis[10499]: (10499-01) spam_scan:
score=-0.198 autolearn=no autolearn_force=no
tests=[BAYES_00=-1.9,DCC_REPUT_70_89=0.1,HTML_IMAGE_RATIO_06=0.001,HTML_MESSAGE=0.001,IQ_EMAIL_KASA_2=0.5,RCVD_IN_DNSWL_NONE=-0.0001,SUBJ_ALL_CAPS=0.5,UNIVERSAL_HTMLv20160523_1=0.1,UNIVERSAL_HTMLv20160523_2=0.1,UNIVERSAL_HTMLv20160523_3=0.1,UNIVERSAL_HTMLv20160523_5=0.1,URIBL_BLOCKED=0.2]
recips=72

and it searches for all e-mails from the forwarded e-mail list in the local
AWL (MySQL) in amavis,

which is stupid.......

Sometimes I get

delay=127.0.0.1[127.0.0.1]:10628, conn_use=3, delay=6773,
delays=6517/5.8/0/250, dsn=4.4.2, status=deferred (lost connection with
127.0.0.1[127.0.0.1] while sending end of data -- message may be sent
more than once)


Now I change "smtp_connection_reuse_time_limit=400s"

because I get in the postfix log:

"delay=127.0.0.1[127.0.0.1]:10628, conn_use=3, delay=6773,
delays=6517/5.8/0/250, dsn=4.4.2, status=deferred (lost connection with
127.0.0.1[127.0.0.1] while sending end of data -- message may be sent
more than once)"

and in the amavis log I found terminated connections after 300s.
"smtp_connection_reuse_time_limit" is 300s by default.
 



I solved this problem by adding:
in master.cf

1) smtp       inet  n       -       y       -       100      smtpd -o receive_override_options=no_address_mappings

2) remove "no_address_mappings" in transport:
    ......
    86.xxx.xxx.199:10027 inet n  -   n   -   -      smtpd
    -o smtpd_proxy_timeout=900s
    ......


Works fine, but all incoming "aliasgroup" mail from my allowed network (without
amavis) is not working - this is obvious (no_address_mappings in smtp)


and I change the map /etc/postfix/amavis_bypass
...
#without amavis
86.xxx.xxx.0/24 FILTER smtp:10.0.100.5:10025
.....

and I add another local transport like:

10.0.100.5:10025 inet n  -   n   -   -  smtpd
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=10.0.100.0/24
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks


This is working. My question is: is there a simpler solution? Because now
my "mail route" is:

- incoming e-mail
- if IP (whitelisted) go to:
   - local transport 10.0.100.5 and go to lmtp

- if IP (from 0.0.0.0) go to:
   - local haproxy
   - local haproxy go to amavis
   - amavis scanned
   - amavis return to postfix
- postfix local transport 10.0.100.5 and go to lmtp
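
Added example, not part of the original post: a small Python audit of a table shaped like /etc/postfix/amavis_bypass, showing which client addresses skip the amavis transport and which entries can never match because a wider earlier entry shadows them (a cidr: table is searched in order and the first match wins). The sample table is constructed with documentation ranges in place of the masked ones, the function names are hypothetical, and only plain `network/prefix action` lines are handled.

```python
import ipaddress

# Constructed stand-in for /etc/postfix/amavis_bypass. The post masks its public
# ranges, so documentation ranges (192.0.2.0/24, 198.51.100.0/24) replace them.
SAMPLE_TABLE = """\
#without amavis
192.0.2.0/24 OK
198.51.100.0/24 Ok
10.0.100.21/32 OK
10.0.100.22/32 OK
#other go to amavis
0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules

def lookup(rules, client_ip):
    """Walk the rules in order; the first matching pattern decides the action."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None  # no match: the next restriction in the list is evaluated

def bypasses_amavis(action):
    """True unless the action is FILTER to the smtp-amavis transport."""
    parts = (action or "").split()
    to_amavis = (len(parts) == 2 and parts[0].upper() == "FILTER"
                 and parts[1].startswith("smtp-amavis:"))
    return not to_amavis

def shadowed_rules(rules):
    """Rules fully covered by an earlier rule can never be the first match."""
    dead = []
    for i, (net, action) in enumerate(rules):
        if any(p.version == net.version and net.subnet_of(p) for p, _ in rules[:i]):
            dead.append((str(net), action))
    return dead
```

Calling `bypasses_amavis(lookup(parse_cidr_table(SAMPLE_TABLE), ip))` for a handful of client addresses after each edit of the map confirms that only the intended networks skip scanning, including when the bypass action is a `FILTER` to a different transport.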

