Amavis on wrong port on Debian 11

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jul 27, 2021.

Tags:
  1. Hi
    I tried ISPconfig on Debian 11, which is supposedly going to be released on Saturday. Nearly everything works fine, but I have a problem which even a reconfigure with php update.sh --force could not fix. If I try to send emails from Thunderbird - I can receive Emails by the way - I get the following error message in mail.log:
    mail2 postfix/lmtp[1964521]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
    I assume this is Postfix trying to connect to Amavis to scan my email which is running on port 10024.
    The strange thing: There is already a line :
    content_filter = lmtp:[127.0.0.1]:10024 in /etc/postfix/main.cf.
    How can I either a) make Amavis accept Emails on port 10026 or b) have them delivered by Postfix to 10024, where Amavis is already waiting.

    Yours sincerely
    Stefan
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Amavis should be listening on both ports; is it running?
     
  3. ● amavis.service - Interface between MTA and virus scanner/content filters
    Loaded: loaded (/lib/systemd/system/amavis.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2021-07-26 16:09:21 CEST; 24h ago
    Docs: http://www.ijs.si/software/amavisd/#doc

    root@mail2:~# netstat -tulpen | grep amavis
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 114 3581946 1588212/amavisd-new
    tcp6 0 0 ::1:10024 :::* LISTEN 114 3581947 1588212/amavisd-new
     
  4. Oh, and I found this in /etc/amavis/conf.d/50-user:
    $inet_socket_port = [10024,10026];
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to restart amavis.

    As a side note: Debian 11 is not supported yet, ISPConfig does not ship with a config file set for it nor is it able to recognize this OS. And for new systems, I highly recommend using Rspamd instead of Amavis.
     
  6. Restarting did not fix the problem. I know that ISPConfig is not yet targetted at Debian 11, but it seemed at least worth trying considering that from Saturday on Debian 10 is going to be Oldstable. Setting up a new email Server on an Oldstable seemed counterproductive. But thanks for the advice, I will have a look at Rspamd.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. Hello

    I followed the Instructions, but reconfiguring services throw one error:
    Configuring Rspamd
    chgrp: Zugriff auf '/etc/rspamd/local.d/worker-controller.inc' nicht möglich: Datei oder Verzeichnis nicht gefunden
    chmod: Zugriff auf '/etc/rspamd/local.d/worker-controller.inc' nicht möglich: Datei oder Verzeichnis nicht gefunden
    The file worker-controller-inc exists and has the following permissions. It was changed three minutes ago, so the update script did modify it during its run.
    -rw-r--r-- 1 root root 242 28. Jul 11:47 worker-controller.inc

    --------------------------------------------------------------------------------------
    root@mail2:/etc/rspamd/local.d# cat worker-controller.inc
    # Included from top-level .conf file
    type = "controller";
    count = 1;
    password = "$2$7shazzwbbeb736ewytfptw5e78gc1eut$5md73mxrxnbof1u5cjmouwycsnti94hzeowi6ggk9u77y4zscfwb";
    secure_ip = "127.0.0.1";
    secure_ip = "::1";
    --------------------------------------------------------------------------------------

    Can I ignore these warning or is there something I would have to do manually?

    Yours sincerely
    Stefan
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You can ignore the error.
     
  10. Good news. I can now send outgoing mails. I am going to test the setup at little with different mailclients. If anything of interest happens I will report back in a different thread since the topic of this thread has obviously changed from amavis to spamd.
    Yours sincerely
    Stefan
     
    Th0m and till like this.
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    The file should be mode 640, group _rspamd:
    Code:
    -rw-r----- 1 root _rspamd    242 Apr 20 13:31 worker-controller.inc
    
    Perhaps there's an error in the updater that runs chown/chmod before having copied that template into place? I wouldn't expect that to be specific to Debian 11, but who knows.
     
  12. lnxgs

    lnxgs Member

    Same problem on Debian 11 with last Ispconfig. I cannot send emails outside. I've followed the guide of Till and it works.
     
  13. liane

    liane Member HowtoForge Supporter

    Same problem, Debian 11, mails don't go outside because of amavis.
    I followed the guide mentioned above, also changed the permissions for the worker-controller.inc file as told by @Jesse Norell.
    Rebooted the server, but problem is still there, mails don't go outside, they still want to connect to Amavis
    Code:
    status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    
    Amavis still not listening to port 10026, and refuses to stop
    Code:
    # systemctl stop amavisd-new
    Failed to stop amavisd-new.service: Unit amavisd-new.service not loaded.
    # netstat -tap | grep amavis
    tcp        0      0 localhost:10024         0.0.0.0:*               LISTEN      251/amavisd-new (ma
    tcp6       0      0 localhost:10024         [::]:*                  LISTEN      251/amavisd-new (ma
    
    What's strange is that rspamd reports activity?

    Edit: New mails go out, but thoses stuck in defered queue still try to connect to Amavis and stay there. Let's free them please
     
    Last edited: Dec 14, 2021
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Try command:

    postsuper -r ALL
     
    Mladen likes this.
  15. liane

    liane Member HowtoForge Supporter

    Perfect, they're all gone. Thank you all!
     
  16. SirAdams

    SirAdams New Member

    Recently I did a system upgrade from Debian 10 to Debian 11 and found out I have the same problem.
    Today I found a solution to the problem and at the same time I am reporting a bug with a developer.
    Unfortunately, installing rspamd did not solve the problem, but the tool is graphically very nice.

    chmod 644 /etc/amavis/conf.d/50-user
    #bug #3.2.7p1
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The correct permissions for this file are 640 and not 644 and that's what the ISPConfig installer sets for this file. With your change to 644 you just opened up a huge security hole on your system, you should change that back immediately before your system gets taken over. Files that contain the password to the administration database of the system may never be world-readable, as any user or website on your system can read it now.

    And switching from Amavis to Rspamd as suggested fixes any Amavis related issue of course as Amavis is not even be used anymore on the system then.
     
  18. SirAdams

    SirAdams New Member

    Perhaps it is as you say, but by default in Debian this directory and files have root.root privileges not amavis so if you say it is dangerous then ispconfig should chgrp on amavis.
    In Debian, amavis works with amavis user privileges, not root. Same as named it works with bind privileges.

    root@mail:/etc/amavis/conf.d# ps -A -f|grep amavis
    amavis 197074 1 0 21:57 ? 00:00:03 /usr/sbin/amavisd-new (master)
    amavis 197100 1 0 21:57 ? 00:00:00 /usr/bin/perl -T /usr/sbin/amavis-mc -f
    amavis 197112 197074 0 21:57 ? 00:00:00 /usr/sbin/amavisd-new (virgin child)
    amavis 197113 197074 0 21:57 ? 00:00:00 /usr/sbin/amavisd-new (virgin child)
    amavis 197128 1 0 21:57 ? 00:00:00 /usr/bin/perl -T /usr/sbin/amavisd-snmp-subagent -f
    root 204765 203705 0 23:08 pts/2 00:00:00 grep amavis
    root@mail:/etc/amavis/conf.d# ps -A -f|grep named
    bind 196953 1 0 21:56 ? 00:00:04 /usr/sbin/named -f -u bind

    For me, Rspamd is new and I have updated the production server that has e-mail and websites so it has to work.

    root@mail:/var/log# netstat -tulpen|grep amav
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 117 1881973 205687/amavisd-new
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 117 1881975 205687/amavisd-new
    tcp6 0 0 ::1:10024 :::* LISTEN 117 1881974 205687/amavisd-new
    tcp6 0 0 ::1:10026 :::* LISTEN 117 1881976 205687/amavisd-new

    You can use chgrp amavis /etc/amavis/conf.d/50-user instead of chmod 644 /etc/amavis/conf.d/50-user

    My problem is I need a working solution for now. I did not expect such problems after the system upgrade.
     
    Last edited: Feb 10, 2022
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    That's just partially correct. On Debian until version 10, amavis has read its config files as root user and then dropped privileges to the amavis user afterward for security reasons, that's the way most daemons work on Linux incl. Apache etc. So amavis was always able to read files that only the root user can read and ISPConfig sets the permission correctly as root:root with 640 permission for all Debian versions incl. Debian 10. On Debian 11, the way amavis works has changed and amavis requires a different setup now. But on Debian 11, ISPConfig is not using Amavis anymore to filter Emails, it uses Rspamd as mentioned already earlier.
     

Share This Page