[SOLVED] amavisd-new not loading MYNETS policy

Discussion in 'Server Operation' started by biro, Nov 8, 2018.

  1. biro

    biro New Member

    I have a Postfix mail server with the amavisd-new filter for incoming messages, which works great.
    I am using amavis to add a DKIM signature and a disclaimer footer to emails, and this works great when users send messages by authenticating.
    smtpd_sender_restrictions =
            check_sender_access regexp:/etc/postfix/tag_as_originating.re
            check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    # cat tag_as_originating.re
    /^/  FILTER smtp-amavis:[]:10026
    # cat tag_as_foreign.re
    /^/  FILTER smtp-amavis:[]:10024

    However, I am unable to make it add DKIM for emails sent with the Linux mail command, for example:
    echo "test" | mail -r [email protected] -Sreplyto="[email protected]" -s "Test" [email protected]
    In amavis log it shows:
    The raw message headers contain:
    Received: by domain.com (Postfix, from userid 0)
        id 514D526411F7; Thu,  8 Nov 2018 12:22:25 +0100 (CET)
    so I guess it is unable to see the email coming from localhost.
    Because there is no IP address in this Received header, it shows in the log: ip_from_received: no IP address in: Received: by domain.com (Postfix, from userid 0)
    In the Postfix config I added header checks to replace the header if it contains "Postfix, from userid ":
    /^Received: by(.*) \(Postfix, from userid[^\)]+(.+)$/ REPLACE Received: from${1} ([])${2}
    Now the email's Received header looks like:
    The amavis log shows: ip_from_received: but it still shows in the log "dkim: not signing mail which is not originating from our site"

    In amavisd.conf I use the default @mynetworks value:
    @mynetworks = qw( [::1] [FE80::]/10 [FEC0::]/10

    Why does it not match MYNETS and not set originating=1?

    Is there any way to make amavis add DKIM and the disclaimer when the Linux mail command (or the PHP mail() function) is used?

    I could provide other postfix and amavis config values if needed.
    Help is appreciated.
  2. biro

    biro New Member

    I found the solution.
    I created a new listening port in amavis and connected it to a new policy bank called LOCALHOST. I enabled originating and disclaimer for LOCALHOST, then changed master.cf to add a content filter for pickup:
    pickup    fifo  n       -       n       60      1       pickup
       -o content_filter=smtp-amavis:[]:10127
    Now it is working as wanted.
    If someone can tell me whether it's the best solution or whether a possible vulnerability is opened, please let me know.

    I hope this is useful for other users.
  3. LHavlicek

    LHavlicek New Member

    I apologize in advance for my English.

    Although the issue is resolved, I would be interested in why the original solution does not work and emails from the local PHP mail() are not signed - they are sent from the local network, so the condition

    smtpd_sender_restrictions =
             check_sender_access regexp:/etc/postfix/tag_as_originating.re
    and should be sent to port amavis: 10026?

    I have the same problem on Ubuntu 18.04, installed according to the Perfect Server manual for this OS.
  4. biro

    biro New Member

    In php.ini check the config parameter sendmail_path. If it is like the default config:
    sendmail_path = /usr/sbin/sendmail -t -i
    the sendmail program does not use SMTP but local pickup. http://www.postfix.org/pickup.8.html
    The setting smtpd_sender_restrictions you posted is related to the SMTP protocol (the sender connects to the SMTP service on port 25 and drops the message, and Postfix determines and processes it).

    If you need to apply filtering on such local pickup messages, it must be described in master.cf as I mentioned above:
    pickup    fifo  n       -       n       60      1       pickup
       -o content_filter=smtp-amavis:[]:10127
    Instead of 10127 you may use any other amavis port, as per your amavisd-new configuration.
    Taleman likes this.
  5. LHavlicek

    LHavlicek New Member

    I understand now. I did not know that PHP mail() is not via SMTP. Thank you, biro.
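
Added example (not part of any post in this thread): a small Python check of the point made in post 4, that mail handed to pickup never passes smtpd_sender_restrictions and is filtered only if a content_filter applies to the pickup service. The master.cf text and the 127.0.0.1 address are constructed sample values, and only the plain `-o name=value` override form is parsed.

```python
# Added example: constructed master.cf fragments, not biro's real files.
# 127.0.0.1 is an assumed amavis address; the thread's address is not shown.
BEFORE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
"""
AFTER = BEFORE + "   -o content_filter=smtp-amavis:[127.0.0.1]:10127\n"

ENTRY_POINTS = {"smtpd", "pickup"}  # master.cf commands that accept new mail


def parse_master_cf(text):
    """Yield (service, command, overrides) for each logical master.cf line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored by Postfix
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading space continues a line
        else:
            logical.append(line.strip())
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a full service definition
        args = fields[8:]
        # Only the plain "-o name=value" form is handled here.
        overrides = dict(val.split("=", 1)
                         for flag, val in zip(args, args[1:])
                         if flag == "-o" and "=" in val)
        yield fields[0], fields[7], overrides


def entry_point_filters(text, main_cf_content_filter=""):
    """Map each mail entry point to the content_filter that applies to it."""
    return {f"{svc} ({cmd})": ov.get("content_filter", main_cf_content_filter)
            for svc, cmd, ov in parse_master_cf(text) if cmd in ENTRY_POINTS}


def pickup_unfiltered(text, main_cf_content_filter=""):
    """True if sendmail/PHP mail() submissions reach no content filter."""
    # smtpd may still be filtered by a FILTER access action, as in the thread;
    # pickup cannot, because smtpd_* restrictions never run for it.
    filters = entry_point_filters(text, main_cf_content_filter)
    return any(name.endswith("(pickup)") and not value
               for name, value in filters.items())


if __name__ == "__main__":
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        print(label, entry_point_filters(cf), pickup_unfiltered(cf))
```

Because the policy bank behind such a port treats everything it receives as originating, the amavisd listener should accept connections from the local host only; amavisd's `$inet_socket_bind` and `@inet_acl` settings control that.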
