amavisd-new-2.3.2 - SA 3.1 - Outbound SMTP

Hello,
I'm currently having the same problem. Unfortunatelly found
no solution yet.
I think the problem isn't one of amavisd-new rather than
one of postfix.

Amavisd-new offers with 'policy_bank' a feature to handle
such things.
But I found no way to configure postfix using another port
for mailfiltering
for mails being sent via smtp_auth.
The only way seems to be using two different IP-Addresses or
different 
ports:
  One for Incoming mail traffic (e.g. Port 25)
  Another one for smtp_auth. (e.g. Port 587)
(See also http://sourceforge.net/mailarchive/message.php?msg_
id=9867255)

Does somone have a solution without 2 different IPs or 2
different ports.

Any help would be aprecciated.

Thanks valli

> Hi
>  My users can SMTP auth against the server if they are
travelling etc -
>  This all works fine but is there a way to stop some
checks being run on
>  the mails if SMTP Auth has occured? I am sometimes
seeing messages get
>  blocked outbound even though SMTP has been succesful
and it appears to
>  be because they are connecting over dynamic IP blocks.
eg.
>  
>  X-Spam-Status: Yes, hits=5.681 tag=-999.9 tag2=5
kill=5
>    tests=[ADVANCE_FEE_1=0, AWL=0.143,
MSGID_FROM_MTA_ID=1.393,
>    RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046,
TW_MG=0.077,
>  TW_WU=0.077]
>  X-Spam-Score: 5.681
>  X-Spam-Level: *****
>  X-Spam-Flag: YES
>  
>  Is there anyway to configure this so that if they are
using SMTP Auth
>  them ignore dynamic IP checks?
>  
>  thanks



-- 
Valentin Schmid
valliicsurselva.ch
Tel.: ++41 81 936 03 75
Fax:  ++41 81 936 03 76
ICSurselva AG - Internet Intranet Solutions



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking
scripting language
that extends applications into web and mobile media. Attend
the live webcast
and join the prime developer group breaking into this new
coding territory!
http://sel.as-us.falkag.net/
sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

Valentin wrote:

> Hello,
> I'm currently having the same problem. Unfortunatelly
found no solution yet.
> I think the problem isn't one of amavisd-new rather
than one of postfix.

> Amavisd-new offers with 'policy_bank' a feature to
handle such things.
> But I found no way to configure postfix using another
port for mailfiltering
> for mails being sent via smtp_auth.

Did you mean 'without using another port'?

> The only way seems to be using two different
IP-Addresses or different 
> ports:
>   One for Incoming mail traffic (e.g. Port 25)
>   Another one for smtp_auth. (e.g. Port 587)
> (See also http://sourceforge.net/mailarchive/message.php?msg_
id=9867255)

> Does somone have a solution without 2 different IPs or
2 different ports.
> Any help would be aprecciated.
> Thanks valli

'Example 3' in the the link I provided does not require an
additional
IP address or port. All it takes is a minute of study to
understand how
it works and of course it requires the rest of the solution
(the
corresponding policy bank) be configured in amavisd.conf.
This could
be simplified by using the same policy bank (configured to
bypass spam
checks) for authenticated users and users in mynetworks and
by having the catchall /etc/postfix/filter-catchall.regexp
use the
standard port 10024:

smtpd_recipient_restrictions =
  reject_unauth_pipelining, reject_non_fqdn_recipient,
reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
reject_unknown_sender_domain,  
  permit_sasl_authenticated, permit_tls_clientcerts, permit
mynetworks,
  reject_unauth_destination,
  check_sender_access
regexp:/etc/postfix/filter-catchall.regexp

# global default, this permissive setting is used unless
# sender makes it to filter-catchall.regexp:
content_filter=smtp-amavis:[127.0.0.1]:10040

/etc/postfix/filter-catchall.regexp:
/^/ FILTER smtp-amavis:[127.0.0.1]:10024

In amavisd.conf:

$inet_socket_port = [10024,10040];

$interface_policy{'10040'} = 'PERMISSIVE';
# sender came here because they did not make it to
# the more restrictive catchall
$policy_bank{'PERMISSIVE'} = {  # OK to bypass spam and
banned checks
  bypass_spam_checks_maps   => [1],  # don't spam-check
this mail
  bypass_banned_checks_maps => [1],  # don't
banned-check this mail
  final_spam_destiny => D_PASS,
  final_banned_destiny=> D_PASS,
};

The main drawback to this approach is you have to be very
careful about
any access lists or restrictions in
smtpd_recipient_restrictions
that OK/PERMIT something/someone prior to:
check_sender_access
regexp:/etc/postfix/filter-catchall.regexp
because they would use the more permissive policy bank. The
order of
any access lists would be important and testing would be in
order.

It's more 'permit then deny' rather than 'deny then
permit'.

Gary V



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking
scripting language
that extends applications into web and mobile media. Attend
the live webcast
and join the prime developer group breaking into this new
coding territory!
http://sel.as-us.falkag.net/
sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/