Hi there! I'm referring to my earlier post here. The time has come to put amavisd and ClamAV into service but I want to keep spamassasin and policydweight in service and in place. So that my roundcube-users can define their filterrules the same way as before. Additonally the ISPConfig Spamfilter-Stuff shall run. I've disabled the anti-spam stuff of ISPConfig according to this in the main.cf (but I did neither uninstall nor stop amavis or clamAV). So to put them back to service I removed the uncomment-tags and ended up with the following errors when an user tried to send E-Mails: Code: Aug 4 11:41:15 flux01 postfix/smtp[6660]: 54F51B607D: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=319, delays=319/0.03/0/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1]) Here is my main.cf (ISPConfig Anti-Spam-Stuff is commented out again): Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # LOCAL PATHNAME INFORMATION queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/lib/postfix data_directory = /var/lib/postfix # QUEUE AND PROCESS OWNERSHIP mail_owner = postfix default_privs = vmail # INTERNET HOST AND DOMAIN NAMES myhostname = flux01 mydomain = xxxxx.net # SENDING MAIL myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP Mailserver # RECEIVING MAIL inet_interfaces = all inet_protocols = all mydestination = localhost.localdomain, localhost, flux01.xxxxxx.net # REJECTING MAIL FOR UNKNOWN LOCAL USERS local_recipient_maps = proxy:unix:passwd.byname $alias_maps unknown_local_recipient_reject_code = 550 # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file=/etc/postfix/mail.cert smtpd_tls_key_file=/etc/postfix/mail.key smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_auth_only = no smtp_helo_required = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. # SASL smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth_dovecot smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no broken_sasl_auth_clients = yes alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases # Read-Maps proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps mynetworks = 127.0.0.0/8 [::1]/128 mailbox_size_limit = 0 # Virtual mailboxes virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_base = /var/vmail virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_limit = 0 message_size_limit = 104857600 mailbox_size_limit = 200000000 virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_alias_domains = virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 virtual_transport = dovecot transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:12525 smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf # Destination Limits dovecot_destination_recipient_limit = 1 spamassassin_destination_recipient_limit = 1 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks # ISPConfig Anti-Spam #content_filter = amavis:[127.0.0.1]:10024 #receive_override_options = no_address_mappings #Relay at xxxxx.com relayhost = [xxxx.com] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth smtp_sasl_security_options = noanonymous smtp_sasl_type = cyrus smtp_use_tls = yes smtp_enforce_tls = yes smtp_tls_enforce_peername = no This is my master.cf: Code: # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd -o content_filter=spamassassin #submission inet n - - - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - - 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - - - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} spamassassin unix - n n - - pipe user=spamd:spamd argv=/usr/bin/spamc -u $(recipient) -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1 I would appreciate any help.
amavisd is a replacement for spamassassin, as it uses spamassassin internally. So running a separate spamassassin beside amavis makes no sense. Using policyd is not problem. Regarding the error that you get, it seems as if you configured your postfix to require tls. But the internal connection to amavisd does not need tls and amavisd does not support tls for the internal mail exchange with postfix. So you should remove the tls reqzirement in your main.cf.
I totally agree that an TLS-Encryption on a loopback interface is a waste of processor time. But the consequence to shut down the entire TLS-Encryption for the server is a major hit on the security concept. Instead I disabled the tls-encryption for the amavis loopback in the master.cf: Code: amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes [B]-o smtp_tls_security_level=none[/B] 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1 [B]-o smtp_tls_security_level=none[/B] Thanks for giving me the punch into the right direction. ;-)
