Thread: policy bank for local recipients.
|
|
| policy bank for local recipients. |

|
2007-08-13 03:51:31 |
Hello,

I see that I can create policy banks which are used according to
which ip/port amavisd-new received a message.

Is it also possible to create a policy bank for mail to domains in
local_domains_maps? I wish to handle incoming mail a bit differently
than outgoing mail, and it would be nice to have the same setup on
both smarthosts and mx servers.

It seems that amavisd-new has all the information required to
differentiate between outgoing and incoming mail, so I'm hoping that
I won't have to change the mailserver setup to filter messages on
different ports.
--
Erland Nylend
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
|
|
| Re: policy bank for local recipients. |

|
2007-08-13 09:36:52 |
On 8/13/07, Erland Nylend <erland lyse.net> wrote:
> Hello,
>
> I see that I can create policy banks which are used according to
> which ip/port amavisd-new received a message.
>
> Is it also possible to create a policy bank for mail to domains in
> local_domains_maps? I wish to handle incoming mail a bit differently
> than outgoing mail, and it would be nice to have the same setup on
> both smarthosts and mx servers.
>
> It seems that amavisd-new has all the information required to
> differentiate between outgoing and incoming mail, so I'm hoping that
> I won't have to change the mailserver setup to filter messages on
> different ports.
>
> --
> Erland Nylend

There is a MYUSERS policy bank, but keep in mind senders are often forged.
This is from amavisd.conf-sample:

## the name 'MYUSERS' has special semantics: this policy bank gets loaded
## whenever the sender matches local_domains_maps. This only makes sense
## if local sender addresses can be trusted -- for example by requiring
## authentication before letting users send with their local address.
#
# $policy_bank{'MYUSERS'} = {
#   final_virus_destiny => D_BOUNCE,  # bounce only to authenticated local users
#   final_banned_destiny=> D_BOUNCE,
# };

Actually, it's not immediately apparent to me what would prevent a
forged sender from loading this policy bank so I think it would
require you to configure Postfix to reject non-authenticated mail
addressed from any of your domains; which is typically done using
something like this (which breaks forwarding):

http://www.arschkrebs.de/postfix/postfix_incoming.shtml

If you are going to do that, then you might as well use the MYNETS
policy bank and something like this as an alternate:

http://www200.pair.com/mecham/spam/bypassing.html#10

--
Gary V
|
|
| Re: policy bank for local recipients. |

|
2007-08-13 09:57:06 |
On 2007-08-13, 08:36, Gary V wrote:
> There is a MYUSERS policy bank, but keep in mind senders are often forged.
> This is from amavisd.conf-sample:

I've seen it, but it seems to be unusable for what I'm trying to
accomplish. I want to set up separate settings for incoming mail
versus outgoing mail.

I need a very similar policy bank, but one that is loaded when the
_recipient_ matches local_domains_maps, instead of the sender.

If the recipient matches local_domains_maps, then load a specified
policy-map which contains settings for incoming mail. All other mail
is outgoing.

> Actually, it's not immediately apparent to me what would prevent a
> forged sender from loading this policy bank so I think it would
> require you to configure Postfix to reject non-authenticated mail
> addressed from any of your domains; which is typically done using
> something like this (which breaks forwarding):
>
> http://www.arschkrebs.de/postfix/postfix_incoming.shtml
>
> If you are going to do that, then you might as well use the MYNETS
> policy bank and something like this as an alternate:
>
> http://www200.pair.com/mecham/spam/bypassing.html#10

I suppose I could also configure postfix to send incoming mail to
filtering on a different port than outgoing mail, and then use
different policy banks for incoming/outgoing.

.. but that was what I hoped I wouldn't have to do, since amavisd
already has all the information it needs to separate
incoming/outgoing.

--
Erland Nylend
|
|
| Re: policy bank for local recipients. |

|
2007-08-13 10:21:10 |
On 8/13/07, Erland Nylend <erland lyse.net> wrote:
> On 2007-08-13, 08:36, Gary V wrote:
> > There is a MYUSERS policy bank, but keep in mind senders are often forged.
> > This is from amavisd.conf-sample:
>
> I've seen it, but it seems to be unusable for what I'm trying to
> accomplish. I want to set up separate settings for incoming mail
> versus outgoing mail.
>
> I need a very similar policy bank, but one that is loaded when the
> _recipient_ matches local_domains_maps, instead of the sender.
>
> If the recipient matches local_domains_maps, then load a specified
> policy-map which contains settings for incoming mail. All other mail
> is outgoing.
>

All domains you accept mail for should be in local_domains_maps. They
would use the existing default policy bank (it has no name). This bank
loads the settings in the config file (typically amavisd.conf). Then
you use one or more other banks for outgoing mail - these would be
based on client address or whether they are otherwise authenticated.

>
> I suppose I could also configure postfix to send incoming mail to
> filtering on a different port than outgoing mail, and then use
> different policy banks for incoming/outgoing.
>
> .. but that was what I hoped I wouldn't have to do, since amavisd
> already has all the information it needs to separate
> incoming/outgoing.
>
> --
> Erland Nylend
>

--
Gary V
|
|
| Re: policy bank for local recipients. |
  Slovenia |
2007-08-13 12:27:46 |
Erland,

> I need a very similar policy bank, but one that is loaded when the
> _recipient_ matches local_domains_maps, instead of the sender.

Can't be done. A message can have multiple recipients.
A policy bank applies to a message processing as a whole,
it can conceptually only be loaded on some property that pertains
to a message as a whole, such as sender's IP address,
sender address, incoming port number, ...

A mechanism that applies per-recipient is *_maps lookups.

> If the recipient matches local_domains_maps, then load a specified
> policy-map which contains settings for incoming mail. All other mail
> is outgoing.

Differentiating outgoing and all-internal from incoming mail
is based on sending client's IP address (mynetworks or port-based).

- incoming: foreign sending client
- outgoing: internal sending client and non-local recipient
- internal: internal sending client and local recipient

(authenticated mail from roaming users should preferably
be handled the same as mail from internal hosts)

> I suppose I could also configure postfix to send incoming mail to
> filtering on a different port than outgoing mail, and then use
> different policy banks for incoming/outgoing.

Yes, that is the way to go.

Also, authenticated mail from roaming clients should be sent
to the filtering port, just as mail originating from inside.
If using a policy bank other than MYNETS for such a purpose,
don't forget to also set:

  originating => 1,

key/value pair in such a policy bank.
(with MYNETS this is turned on implicitly for backwards
compatibility; it doesn't hurt to be explicit there too)

See examples in:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

Mark
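
The port-based split recommended in the reply above, sketched as an amavisd.conf fragment. This is an added example, not part of the original thread or of the amavisd-new documentation; port 10026, the bank name ORIGINATING, the Postfix transport name smtp-amavis, the network ranges, the domain and the chosen destinies are assumptions for illustration.

```perl
# amavisd.conf fragment (added illustration; ports, bank name, networks,
# domain and destinies below are assumptions, not values from the thread)

# Two listening ports: 10024 for mail handed over from foreign clients,
# 10026 for mail Postfix accepted from internal or authenticated clients.
$inet_socket_port = [10024, 10026];

# Internal client addresses; a sending client that matches loads MYNETS.
# 192.0.2.0/24 is a documentation range standing in for the real LAN.
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );

# Domains we accept mail for. Per-recipient decisions belong in *_maps
# lookups such as this one, never in a policy bank.
@local_domains_maps = ( [ '.example.com' ] );

# The unnamed default bank is simply the global settings in this file.
# It covers everything arriving on 10024, i.e. incoming mail, where the
# envelope sender may be forged, so nothing is bounced back to it.
$final_virus_destiny  = D_DISCARD;
$final_banned_destiny = D_DISCARD;

# Choose a bank by arrival port: a property of the message as a whole,
# which holds no matter how many recipients the message has.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating          => 1,         # must be set in any non-MYNETS bank used for our own mail
  final_virus_destiny  => D_BOUNCE,  # sender was authenticated by Postfix, so a bounce reaches a real user
  final_banned_destiny => D_BOUNCE,
};

$policy_bank{'MYNETS'} = {
  originating => 1,                  # implicit for MYNETS; stated explicitly
};

# Postfix side (assumed transport name smtp-amavis):
#   main.cf, default for port 25:
#     content_filter = smtp-amavis:[127.0.0.1]:10024
#   master.cf, on the authenticated submission service:
#     -o content_filter=smtp-amavis:[127.0.0.1]:10026
```

Because the bank is selected from the arrival port rather than the envelope sender, a forged local sender address on port 25 still gets the default (incoming) settings.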