Amavis is rejecting mails arriving via backup MX

Discussion in 'Installation/Configuration' started by WhitcombeRD, Oct 27, 2022.

  1. WhitcombeRD

    WhitcombeRD Member

    I'm running the standard Perfect Server Debian 10 install (using SA, amavis, installed a few years ago) on Debian on a VPS as a primary mail server and also another server elsewhere running ISPConfig 3 which I'm using as a backup MX.

    The problem I have is that all emails sent from the backup MX queue get rejected by Amavis on the primary server as spam, as seen below:

    Code:
    Oct 27 14:04:07 host amavis[12418]: (12418-08) Blocked SPAM {DiscardedInternal}, ORIGINATING LOCAL [127.0.0.1] [gmail server ip] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: blah, Hits: 4.333, size: 3390, dkim_sd=20210112:gmail.com, 403 ms
    Oct 27 14:04:07 host postfix/lmtp[19222]: id: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.47, delays=0.04/0.02/0/0.41, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=idid - spam)
    Oct 27 14:04:07 host postfix/qmgr[19174]: id: removed

    The backup MX is configured as follows and appears to be correctly accepting and relaying mail as per the logs.

    What I'm doing here is stopping Postfix on the primary server (to trigger a send to backup), letting the test email sent from my Gmail account to the main account get accepted by the backup and then restarting Postfix and flushing the backup queue.

    The actual mail gets sent from the backup to the primary but then gets rejected via Amavis as spam. I think it's to do with the originating local part but I'm not sure.

    Can anyone walk me through how to get the server to always accept mail from the backup? I'm aware of the pros and cons of a backup MX but I want one temporarily whilst I reinstall the main server and don't want mails getting lost or misrouted during the setup and downtime.
    Do I need to whitelist something?
     
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    You can whitelist the IP Address of the backup MX within your postfix/amavisd-new config.

    Add this to your postfix configuration:
    Code:
    smtpd_client_restrictions = ... check_client_access hash:/etc/postfix/amavis_bypass ...
    
    Then create the file /etc/postfix/amavis_bypass and add the content
    Code:
    IP_OF_BACKUP_MX FILTER smtp-amavis:[127.0.0.1]:10026
    
    Add this to your amavisd-new config:

    Code:
    $inet_socket_port = [... 10026 ...];
    $interface_policy{'10026'} = 'CLIENTBYPASS';
    
    $policy_bank{'CLIENTBYPASS'} = { # from trusted clients
    bypass_spam_checks_maps => [1], # don't spam-check
    bypass_banned_checks_maps => [1], # don't banned-check
    final_spam_destiny => D_PASS, # insure spam passes
    final_banned_destiny => D_PASS, # insure banned files pass
    };

    I don't know your exact configuration so please be aware and make sure you understand what you change!
     
    WhitcombeRD and till like this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    When the suggested changes work for you, then it's important to make them update-safe. E.g. settings from Postfix main.cf can be made update-safe by creating a file:

    /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master

    where you add the new "smtpd_client_restrictions ......" line as well. The ISPConfig updater then takes care that this custom config is used instead of the default config when doing an update.
     
    pyte likes this.
  4. WhitcombeRD

    WhitcombeRD Member

    Thanks for that, all makes sense but I can't get Postfix to accept the additional client_access line.
    My current restrictions line reads:
    Code:
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit
    
    Adding the extra check hash yields the following errors in mail.log:
    I've created the file and it exists and is readable in the postfix directory.

    Is there a conflict where it's only seeing one client_access, or is it somehow causing a conflict with the other line?
     
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    Create the file /etc/postfix/amavis_bypass (Note: without .db) and fill it according to my post above. Then run "postmap /etc/postfix/amavis_bypass" (Note: without .db). This should create the file /etc/postfix/amavis_bypass.db (Note: with .db). Then try again.
     
    WhitcombeRD likes this.
  6. WhitcombeRD

    WhitcombeRD Member

    That worked, I forgot the postmap bit (it's been years since I set this up).

    Relaying from the main domain now works - thanks for that.

    Edit: or not. Made some changes, now broke the lot. I'll plough on though - your changes certainly worked initially, so thanks.

    Code:
    Oct 28 12:05:52 vps postfix/smtpd[18847]: NOQUEUE: filter: RCPT from backupmx_host [backup_mx_ip]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<backupmx_ip>
    Oct 28 12:05:52 vps postfix/smtpd[18847]: 63DB91F61F: client=backup_mx_host[backup_mx_ip]
    Oct 28 12:05:52 vps postfix/cleanup[18850]: 63DB91F61F: message-id=<CANjqCcD61MKKP8XcndQhMbTVr7ZrcUVOtD050s8UXbOyz85YdA@mail.gmail.com>
    Oct 28 12:05:52 vps postfix/qmgr[18842]: 63DB91F61F: from=<[email protected]>, size=3453, nrcpt=1 (queue active)
    Oct 28 12:05:52 vps postfix/smtpd[18847]: disconnect from backup_mx_host[backup_mx_ip] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    Oct 28 12:05:53 vps amavis[13947]: (13947-12) Blocked SPAM {DiscardedInternal}, ORIGINATING LOCAL [127.0.0.1] [209.85.216.49] <[email protected]> -> <[email protected]>, Message-ID: <CANjqCcD61MKKP8XcndQhMbTVr7ZrcUVOtD050s8UXbOyz85YdA@mail.gmail.com>, mail_id: Aut6y4Kb-qMZ, Hits: 4.333, size: 3453, dkim_sd=20210112:gmail.com, 1082 ms
    
    
    Seems it's not now seeing the client list again. Not reporting a match.
     
    Last edited: Oct 28, 2022
  7. pyte

    pyte Well-Known Member HowtoForge Supporter

    Can you tell us what you changed?

    Did you restart the amavisd-new services after changing its config?
     
  8. WhitcombeRD

    WhitcombeRD Member

    I think I've found the issue in amavisd but want to be entirely sure I haven't created a new one.

    Older amavis-d line was:

    Code:
    $inet_socket_port = [10024,10026];
    
    # :* = send to incoming Port + 1
    $forward_method = 'smtp:127.0.0.1:*';
    $notify_method = 'smtp:127.0.0.1:*';
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
    };
    
    I've changed it to:
    Code:
    $inet_socket_port = [10024,10026];
    $interface_policy{'10026'} = 'CLIENTBYPASS';
    
    $policy_bank{'CLIENTBYPASS'} = { # from trusted clients
    bypass_spam_checks_maps => [1], # don't spam-check
    bypass_banned_checks_maps => [1], # don't banned-check
    final_spam_destiny => D_PASS, # insure spam passes
    final_banned_destiny => D_PASS, # insure banned files pass
    };
    
    # END BACKUP MX TEST
    
    
    # $inet_socket_port = [10024,10026];
    
    # :* = send to incoming Port + 1
    $forward_method = 'smtp:127.0.0.1:*';
    $notify_method = 'smtp:127.0.0.1:*';
    
    In other words, removed "Originating" policy and replaced with clientbypass.

    This seems to work in that mail is coming in from the backupMX and from normal servers outside that *BUT* are my changes correct or are they going to bypass the spam check for all incomings?

    FWIW normal inbound mail is showing as a pass by "RelayInbound" and backup "ClientBypass" in logs. I haven't had any spam yet to actually see what happens.
     
  9. pyte

    pyte Well-Known Member HowtoForge Supporter

    I don't know what the "Originating" rule was for, but if you don't need it that should be fine.
    To see what happens with spam messages just send a mail from an external mailbox with this string in the body:
    Code:
    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
     
  10. WhitcombeRD

    WhitcombeRD Member

    I haven't really touched that file, so the rule was put there by an ISPConfig install a few years ago, so I'm not sure of its function.
    I'm assuming each port can only have 1 active interface policy in there?
    Either way the body spam test seems to work, although strangely the notification email for this post just got filtered as spam (all previous ones arrived).

    Thanks a lot for your help - although I'm relatively familiar with Postfix, once Amavis starts getting mixed in I'm out of my depth there.

    It seems to be working now and I'll keep an eye on logs to check things go where they should.
     
    pyte likes this.
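
An added example (not part of the thread, and not the posters' or ISPConfig's code): a log audit for the "keep an eye on logs" step, listing every Postfix FILTER event that routed mail to the amavis bypass port without being a client-IP match for the backup MX. The sample log lines, hostnames and documentation-range IPs are constructed; 10026 is the bypass port used in the thread.

```python
import re

# Constructed sample mail.log lines (example hostnames, documentation-range IPs)
# in the format Postfix smtpd uses when an access table returns FILTER.
SAMPLE_LOG = """\
Oct 28 12:05:52 vps postfix/smtpd[18847]: NOQUEUE: filter: RCPT from backup.example.net[192.0.2.10]: <backup.example.net[192.0.2.10]>: Client host triggers FILTER lmtp:[127.0.0.1]:10026; from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<backup.example.net>
Oct 28 12:07:13 vps postfix/smtpd[18851]: NOQUEUE: filter: RCPT from mail.example.org[198.51.100.7]: <carol@example.com>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<carol@example.com> to=<bob@example.com> proto=ESMTP helo=<mail.example.org>
Oct 28 12:09:40 vps postfix/smtpd[18860]: NOQUEUE: filter: RCPT from mx.example.org[198.51.100.8]: <bob@example.com>: Recipient address triggers FILTER lmtp:[127.0.0.1]:10024; from=<dave@example.org> to=<bob@example.com> proto=ESMTP helo=<mx.example.org>
"""

# Captures the connecting client, what the access table matched on, and the
# filter destination the message was routed to.
FILTER_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: filter: \w+ from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: <[^>]*>: "
    r"(?P<trigger>[A-Za-z ]+?) triggers FILTER (?P<dest>\S+?);"
)


def audit_bypass(log_text, bypass_port, trusted_ips):
    """Return FILTER events that reached the bypass port without being a
    client-IP match for a trusted relay (here: the backup MX)."""
    findings = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if not m or not m["dest"].endswith(f":{bypass_port}"):
            continue  # not a FILTER line, or routed to a scanning port
        by_client = m["trigger"] == "Client host"
        if by_client and m["ip"] in trusted_ips:
            continue  # expected: backup MX matched via check_client_access
        reason = ("untrusted client" if by_client
                  else f"matched on {m['trigger'].lower()}, not client IP")
        findings.append({"ip": m["ip"], "host": m["host"],
                         "trigger": m["trigger"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_bypass(SAMPLE_LOG, 10026, {"192.0.2.10"}):
        print(f"{f['ip']} ({f['host']}): {f['reason']}")
```

Feed it the text of the real mail.log with the backup MX's address in `trusted_ips`; an empty result means only the backup MX reached the bypass port.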
  11. pyte

    pyte Well-Known Member HowtoForge Supporter

    That's not strange :p ... The mail for the notification contains the string posted above ;) So indeed it is spam!
    You can just use another port for both configs I've posted above and keep the "Originating" rule intact.

    No worries :)
     
    WhitcombeRD likes this.
  12. WhitcombeRD

    WhitcombeRD Member

    Doh.
    That's glaringly obvious now!
     
    pyte likes this.
