[Cialug] postfix issue

david l goodrich dlg at dorkzilla.org
Thu Nov 16 14:46:16 CST 2006


On Thu, Nov 16, 2006 at 11:44:37AM -0600, Jeff Davis wrote:
> Who had the postfix problem at the meeting last night?
> 
> If you send me (off the list) the section of your config where you're
> performing that check I'll be glad to help.
> 
> -Jeff
>

That was me.  I appreciate all your help.  I'll send it to the
list as well, maybe this'll be useful later.

A little background on my setup.  My mail server is in NYC and
connected via a VPN to a server running amavisd-new and
spamassassin in Rochester, MN.  This link is not the fastest
thing in the world, and amavisd by default automatically passes
messages over 64k anyway, so I thought I would spare myself a lot
of trouble and just not send messages greater than 64k to the
anti-spam server in the first place.

Through the reading I've done on the Internet, I determined the
only way to do that is to set up a policy filter at the
smtpd_end_of_data_restrictions level, since postfix only has an
idea of the size of the message after it has been accepted.  At
least, that's what Wietse Venema suggested[1].

I am not doing my spam filtering quite like in the poster of the
message[2].  amavisd-new is listening on port 10024 of the
anti-spam server, and once it has filtered the message and added
headers, sends it back to the postfix server on port 10025.

So my master.cf looks like this:
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_end_of_data_restrictions=check_policy_service,unix:private/filterlogic

and then:
10025     inet  n       -       n       -       -       smtpd
  -o smtpd_authorized_xforward_hosts=172.20.0.0/16
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o receive_override_options=no_unknown_recipient_checks

and finally
filterlogic     unix  -       n       n       -       - spawn
     user=nobody argv=/usr/pkg/bin/perl /usr/local/bin/filterlogic.pl

Of course, all the usual bits for pickup, cleanup, discard, etc.
are all still there.

filterlogic.pl is just the greylist.pl that was included with the
distribution, but the smtpd_access_policy function was changed to
suit my needs.  This policy filter also checks to see if an
authenticated user (i.e. myself) sent the message, and if so will
not filter it.

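 sub smtpd_access_policy {

    # Specify the location of the filter
    my $filter = 'smtp:sparky.dsrw.org:10024';
    # and the message size (in bytes) to automatically pass
    my $messagesize = 1024 * 64;

    # %attr is the global hash of request attributes that the
    # main loop of greylist.pl fills in before calling this function
    my $size   = lc $attr{"size"};
    my $sender = lc $attr{"sasl_username"};

    # Skip the filter for large messages and for authenticated senders;
    # everything else is handed to the remote content filter
    if ($size > $messagesize || length($sender) > 0)
        { return "ok"; }
    else
        { return "filter " . $filter; }
 }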


The problem I have seen is that since postfix can't report a size
to the policy filter until after it has accepted the message,
postfix accepts the message from the client, sends a 2xx accept
code, and /then/ runs the filter.  If the link to the anti-spam
server is down, postfix seems to just drop the message, but the
sending server has no idea, since postfix returned a 2xx and the
sending server assumes everything is fine.  This seems broken to
me.

More bits and pieces of master.cf and main.cf are available upon
request, of course.  Nothing much secret in them :]  Thanks again
for your help.
  --waldo


1. http://archives.neohapsis.com/archives/postfix/2006-06/0430.html
2. http://www.postfix.org/FILTER_README.html#advanced_filter
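
The policy exchange that filterlogic.pl takes part in, as an added example that is not part of the original post and not Postfix's own code: Postfix sends name=value attribute lines ended by an empty line and expects `action=...` followed by an empty line. The filter destination and the sample requests are constructed; the decision rule mirrors the post's 64k / authenticated-sender check and additionally handles an unparsable size.

```python
import io

FILTER_DEST = "smtp:[192.0.2.10]:10024"  # constructed placeholder, not the post's host
SIZE_LIMIT = 64 * 1024                    # same 64k cut-off as the post

def read_request(stream):
    """Read one policy request; None means EOF before the closing empty line."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:                           # ignore lines without name=value
            attrs[name] = value
    return None

def decide(attrs):
    """Skip the filter for large or authenticated mail, as in the post."""
    try:
        size = int(attrs.get("size", "0"))
    except ValueError:
        size = 0                          # unparsable size: treat as small, so it is filtered
    if size > SIZE_LIMIT or attrs.get("sasl_username", ""):
        return "OK"
    return "FILTER " + FILTER_DEST

def serve(instream, outstream):
    """Answer every complete request; return the list of actions sent."""
    actions = []
    while True:
        attrs = read_request(instream)
        if attrs is None:
            return actions
        actions.append(decide(attrs))
        outstream.write("action=%s\n\n" % actions[-1])

# Constructed requests: small anonymous, large anonymous, small authenticated.
HEAD = "request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\n"
SAMPLE = (HEAD + "size=2048\nsasl_username=\n\n"
          + HEAD + "size=900000\nsasl_username=\n\n"
          + HEAD + "size=2048\nsasl_username=waldo\n\n")

if __name__ == "__main__":
    out = io.StringIO()
    serve(io.StringIO(SAMPLE), out)
    print(out.getvalue(), end="")
```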