
Although I have found two answers to this, I can't work out how to actually implement them, and at least one of them doesn't actually answer the question. So if anyone has any experience to share I'd be very grateful.

I have a server (Ubuntu 18.04) running Postfix. I'm already rate limiting SASL senders using postfwd, and using and other things to scan outgoing mail from the local machine/network (eg from web servers) using Amavis. That's all OK, and looks like this in main.cf:

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients_filter,
    permit_mynetworks, 
    reject_unknown_sender_domain

and in master.cf

senderCheck  unix  -       n       n       -       15       spawn
  user=nobody argv=/opt/policyd/src/policyd.pl  max_idle=30 max_use=50 daemon_timeout=50

127.0.0.1:10025 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

How do I go about putting SASL senders (who are by definition not on my network) through a spam and malware scan in the same way as I am doing for local senders?

TommyPeanuts

1 Answer


The answer to this, somewhat embarrassingly, was that the SASL-auth users were being filtered. However, I hadn't specified a syslog_name for the smtpd listener in master.cf so I wasn't seeing evidence of that working in all the noise (SASL-auth senders are perhaps 1% of all the traffic in the log).

So in penance, the following is a full description of my now slightly amended config in full, which passes both outgoing mail (eg web apps on the local network) and SASL-authenticated accounts sending mail from arbitrary external networks out via our mail server.

Using Ubuntu 18.04 with stock packages unless otherwise noted:

Firstly, I needed to add the clamav user to the same group as amavis:

$ id clamav
uid=115(clamav) gid=115(clamav) groups=115(clamav),126(amavis)

Changes to /etc/amavis/conf.d files:

05-domain_id

@local_domains_acl = ( ".$mydomain" );

# I've got multiple IP addresses on my machine and only want one to be used for mail:
@inet_acl = qw(127.0.0.1 [::1] 185.73.x.x [2001:ba8:0:x::x]); 

15-content_filter_mode: enable spam and anti-virus checking

20-debian_defaults: Set and create quarantine directory (owned by amavis user+group) and set final_spam_destiny to D_DISCARD

40-policy_banks:

$interface_policy{'10024'} = 'INTERNAL'; 
$policy_bank{'INTERNAL'} = {  # mail originating from clients in cidr:/etc/postfix/internal_clients_filter
  bypass_spam_checks_maps   => [0],  # spam-check outgoing mail 
  bypass_banned_checks_maps => [0],  # banned-check outgoing mail 
  bypass_header_checks_maps => [0],  # header-check outgoing mail  
  forward_method => 'smtp:[127.0.0.1]:10025', # relay to Postfix listener on port 10025
};

In Postfix main.cf:

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients_filter,
    permit_mynetworks, 
    reject_unknown_sender_domain

/etc/postfix/internal_clients_filter:

0.0.0.0/0 FILTER smtp:127.0.0.1:10024
::/0 FILTER smtp:[::1]:10024

In master.cf

127.0.0.1:10025 inet    n    -    n    -    -    smtpd
    -o syslog_name=amavis-reentry
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Reload amavis and postfix to get new configs. Look for "amavis-reentry" in your logs and you should see the results of the filtering.

TommyPeanuts
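
A check for the situation the answer describes, as an added example that is not part of the original post: it reads Postfix syslog lines, finds each SASL-authenticated submission, and reports whether that message was handed to amavis on port 10024 and came back through the listener tagged amavis-reentry. The log lines are constructed samples, and the function name and verdict strings are assumptions of this example.

```python
import re

# Constructed sample syslog lines (not from the post): hosts, users and queue IDs
# are made up; port 10024 and the "amavis-reentry" tag come from the config above.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[2101]: 4A1B2C3D01: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 10 09:00:03 mx amavis-reentry/smtpd[2120]: 5E6F7A8B02: client=localhost[127.0.0.1]
Jan 10 09:00:03 mx postfix/smtp[2110]: 4A1B2C3D01: to=<bob@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5E6F7A8B02)
Jan 10 09:05:11 mx postfix/smtpd[2101]: 9C8D7E6F03: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=carol@example.org
Jan 10 09:05:12 mx postfix/smtp[2110]: 9C8D7E6F03: to=<dave@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=0.8, status=sent (250 2.0.0 Ok: queued as 77AA)
Jan 10 09:09:40 mx postfix/smtpd[2101]: 1D2E3F4A05: client=unknown[198.51.100.44], sasl_method=PLAIN, sasl_username=erin@example.org
Jan 10 09:09:42 mx postfix/smtp[2110]: 1D2E3F4A05: to=<frank@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, status=sent (250 2.7.0 Ok, discarded, id=02345-01 - spam)
"""

SASL_RE = re.compile(r"/smtpd\[\d+\]: (\w+): client=\S+, sasl_method=\S+, sasl_username=(\S+)")
HANDOFF_RE = re.compile(r"/smtp\[\d+\]: (\w+): .*relay=\S+:10024,")  # delivery to amavis
REQUEUE_RE = re.compile(r"queued as (\w+)\)")                        # ID after re-injection
REENTRY_RE = re.compile(r" amavis-reentry/smtpd\[\d+\]: (\w+): client=")

def audit_sasl_filtering(log_text):
    """Return {queue_id: (sasl_username, verdict)} for SASL-authenticated mail."""
    sasl, handed_off, reentered = {}, {}, set()
    for line in log_text.splitlines():
        if m := SASL_RE.search(line):
            sasl[m.group(1)] = m.group(2)
        elif m := HANDOFF_RE.search(line):
            q = REQUEUE_RE.search(line)
            handed_off[m.group(1)] = q.group(1) if q else None
        elif m := REENTRY_RE.search(line):
            reentered.add(m.group(1))
    report = {}
    for qid, user in sasl.items():
        if qid not in handed_off:
            verdict = "bypassed_filter"          # never delivered to port 10024
        elif handed_off[qid] in reentered:
            verdict = "filtered_and_reinjected"  # seen again on the 10025 listener
        else:
            verdict = "filtered_not_reinjected"  # e.g. discarded by amavis, or deferred
        report[qid] = (user, verdict)
    return report

if __name__ == "__main__":
    for qid, (user, verdict) in audit_sasl_filtering(SAMPLE_LOG).items():
        print(f"{qid}  {user:<20} {verdict}")
```
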