Thread: Re: amavis and postfix policy




Re: amavis and postfix policy
user name
2007-01-24 12:45:21
Rob,

> I assume when you say there are no semantics you mean it's going to be
> hard to get AM.PDP to give the answers to Postfix I am looking for?

The current code is very simple:

sub postfix_policy($$$) {
  my($conn,$msginfo,$attr_ref) = @_;
  my($response);
  if ($attr_ref->{'request'} ne 'smtpd_access_policy') {
    die("unknown 'request' value: " . $attr_ref->{'request'});
  } else {
    $response = 'action=DUNNO';  # no opinion, Postfix continues with its other restrictions
  }
  $response;  # return value: the response line(s)
}

It receives a hash %$attr_ref of attribute key/value pairs
exactly as given by Postfix, and returns a list of key/value
response lines as its return value. In its above
implementation it always replies with a single line:
action=DUNNO
regardless of what information Postfix provides in its query.

What is missing is your semantics code: check what information
came in, and prepare a suitable response.

You may start experimenting with it as it stands,
it will always reply with action=DUNNO, so it won't
affect the outcome of Postfix restrictions.

Add some arbitrary TCP port number (like 2552) to the $inet_socket_port
list as the only or an additional tcp port number, then associate
a policy bank with it, the main purpose of it being to specify
a protocol name (in place of a default SMTP protocol):

amavisd.conf:

$inet_socket_port = [2552];
$interface_policy{'2552'} = 'Pf-POLICY';
$policy_bank{'Pf-POLICY'} = {
  protocol => 'AM.PDP',  # Amavis or Postfix policy delegation protocol
};

Restart amavisd (preferably in debugging mode:  amavisd debug )
and check that it works:

$ telnet 127.0.0.1 2552
  Connected ...
request=smtpd_access_policy
aaa=bbb
sender=xxx

action=DUNNO

request=smtpd_access_policy
kkk=whatever
lll=1,2,3
mmm=xx

action=DUNNO

^]
telnet> Connection closed.

Check the log:

amavis[37740]: (37740-01) loaded policy bank "Pf-POLICY"
amavis[37740]: (37740-01) policy protocol: aaa=bbb
amavis[37740]: (37740-01) Request: smtpd_access_policy():  : [] <xxx> -> <>
amavis[37740]: (37740-01) TIMING [total 1 ms] - got data: 0 (3%)3, rundown: 1 (97%)100
amavis[37740]: (37740-01) policy protocol: kkk=whatever
amavis[37740]: (37740-01) policy protocol: lll=1,2,3
amavis[37740]: (37740-01) policy protocol: mmm=xx
amavis[37740]: (37740-01) Request: smtpd_access_policy():  : [] <> -> <>
amavis[37740]: (37740-01) TIMING [total 0 ms] - got data: 0 (3%)3, rundown: 0 (97%)100

Now hook it into your Postfix (set:  soft_bounce = yes  just in case!):

main.cf:

soft_bounce = yes
smtpd_policy_service_max_idle = 3s
smtpd_policy_service_max_ttl = 30s

smtpd_recipient_restrictions =
...
  check_policy_service inet:[127.0.0.1]:2552
...

and watch the amavisd log (at $log_level=5), e.g:

amavis[37736]: (37736-15) loaded policy bank "Pf-POLICY"
amavis[37736]: (37736-15) policy protocol: reverse_client_name=p54ACC4ED.dip0.t-ipconnect.de
amavis[37736]: (37736-15) policy protocol: recipient_count=0
amavis[37736]: (37736-15) policy protocol: instance=9f5f.45b7a488.c9e83.0
amavis[37736]: (37736-15) policy protocol: size=0
amavis[37736]: (37736-15) policy protocol: etrn_domain=
amavis[37736]: (37736-15) policy protocol: sasl_method=
amavis[37736]: (37736-15) policy protocol: sasl_username=
amavis[37736]: (37736-15) policy protocol: sasl_sender=
amavis[37736]: (37736-15) policy protocol: ccert_subject=
amavis[37736]: (37736-15) policy protocol: ccert_issuer=
amavis[37736]: (37736-15) policy protocol: ccert_fingerprint=
amavis[37736]: (37736-15) policy protocol: encryption_protocol=
amavis[37736]: (37736-15) policy protocol: encryption_cipher=
amavis[37736]: (37736-15) policy protocol: encryption_keysize=0


> Do you have any other thoughts as to a solution that would work for me
> and for others or maybe I should just let this go for now.

Now all you need to do is to provide the missing decision-making
in sub postfix_policy

You may disable whole code sections in amavisd
which you won't be needing:

amavisd.conf:

@bypass_virus_checks_maps = (1);
@bypass_spam_checks_maps  = (1);
@bypass_banned_checks_maps= (1);
$bypass_decode_parts = 1;

and provide a sufficient number of child processes:

$max_servers = 20;

Verify at amavisd startup that non-needed sections are NOT LOADED.

Although amavisd could handle Postfix policy requests on
one port and the usual content filtering requests on another,
mixing the two would probably not work well, one being
many and lightweight requests, the other being few and
fat requests.

Good luck.

  Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
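
One possible shape for the "missing decision-making" discussed in the message above, as an added example that is not part of the original post and not amavisd code. The rules and the size limit are assumptions chosen for illustration; the attribute names are the ones visible in the telnet session and log, and every value is treated as untrusted input from the SMTP client.

```perl
#!/usr/bin/perl
# Added example: stand-alone decision logic that a postfix_policy()-style
# sub could call with its $attr_ref. Rules and limits are assumptions.
use strict;
use warnings;

my $MAX_UNAUTH_SIZE = 10 * 1024 * 1024;   # assumed limit in bytes

# Parse one request: name=value lines, terminated by an empty line.
sub parse_request {
  my ($text) = @_;
  my %attr;
  for my $line (split /\r?\n/, $text) {
    last if $line eq '';                         # empty line ends the request
    my ($k, $v) = $line =~ /^([^=]+)=(.*)$/      # value may contain '=' itself
      or die "malformed attribute line: $line\n";
    $attr{$k} = $v;
  }
  return \%attr;
}

# Return a single response line for the given attributes.
sub decide {
  my ($attr_ref) = @_;
  my $req = $attr_ref->{request} // '';
  die "unknown 'request' value: $req\n" if $req ne 'smtpd_access_policy';

  my $authed = ($attr_ref->{sasl_username} // '') ne '';
  my $size   = $attr_ref->{size} // '';
  $size = 0 unless $size =~ /^\d+$/;             # non-numeric: treat as unknown
  my $rdns   = $attr_ref->{reverse_client_name} // 'unknown';

  return 'action=DUNNO' if $authed;              # authenticated: no opinion
  return 'action=REJECT message too large for unauthenticated client'
    if $size > $MAX_UNAUTH_SIZE;
  return 'action=DEFER_IF_PERMIT no reverse DNS name for client'
    if $rdns eq 'unknown';
  return 'action=DUNNO';                         # let other restrictions decide
}

# Constructed sample requests (not captured traffic).
my @samples = (
  "request=smtpd_access_policy\nreverse_client_name=mail.example.org\nsize=1200\nsasl_username=\n\n",
  "request=smtpd_access_policy\nreverse_client_name=unknown\nsize=0\nsasl_username=\n\n",
  "request=smtpd_access_policy\nreverse_client_name=mail.example.org\nsize=99999999\nsasl_username=\n\n",
);
# Each reply is followed by an empty line, as in the telnet session above.
print decide(parse_request($_)), "\n\n" for @samples;
```

With soft_bounce = yes, as suggested in the message, a REJECT from such a rule is turned into a temporary failure while the logic is being tested.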

Re: amavis and postfix policy
user name
2007-01-25 05:27:24
Mark Martinec wrote:
> What is missing is your semantics code: check what information
> came in, and prepare a suitable response.

ok, we shall begin. I do code a little perl, I shall pass it back with a
brown bag

> You may disable whole code sections in amavisd
> which you won't be needing:
>
> amavisd.conf:
>
> @bypass_virus_checks_maps = (1);
> @bypass_spam_checks_maps  = (1);
> @bypass_banned_checks_maps= (1);
> $bypass_decode_parts = 1;
>
> and provide sufficient number of child processes:
>
> $max_servers = 20;
>
> Verify at amavisd startup that non-needed sections are NOT LOADED.
>
> Although amavisd could handle Postfix policy requests on
> one port and the usual content filtering requests on another,
> mixing the two would probably not work well, one being
> many and lightweight requests, the other being few and
> fat requests.

ah, I think this (another amavisd to handle policy requests) makes it a
less than canonical solution, but so be it.

I could hack a policy daemon together myself, but really I'm feeling this
should be something anyone inclined can config up with readily available
components. There are enough policy daemon projects already. Ah well, I
guess the best solution will win in the long run.

I might see what Wietse thinks is the right solution.

Thanks for your help, I'll reply when I have a little more (code),

Rob
