Amavis-new 中发件人白名单问题

I have a CentOS 6 server with Amavis 2.9.1 + Postfix 2.6.6 + clamav 0.99 that I use as a mail relay (a.k.a. mail gateway). The network is set up as follows: eth0 (10.10.132.104) is the external interface and eth1 (10.10.133.104) is the internal interface (where mail is delivered to internal users, and where outgoing mail is sent from).

I installed postfix with the following master.cf (I paste only the relevant part):

#smtp   inet    n       -       y       -       -       smtpd
10.10.133.104:smtp      inet    n       -       y       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o cleanup_service_name=no-headerchecks
  -o content_filter=
127.0.0.1:smtp  inet    n       -       y       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o cleanup_service_name=no-headerchecks
   -o content_filter=
10.10.132.104:smtp      inet    n       -       y       -       -       smtpd

127.0.0.1:10025 inet n    -       y       -       -     smtpd
   -o content_filter=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o smtpd_restriction_classes=
   -o mynetworks=127.0.0.0/8,10.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
   -o local_header_rewrite_clients=
   -o smtpd_milters=
   -o local_recipient_maps=
   -o relay_recipient_maps=
...
amavisfeed unix    -       -       n        -      2     lmtp
   -o lmtp_data_done_timeout=1200
   -o lmtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20

On the other hand, amavis currently only acts on mail coming from the external network. In main.cf, amavisfeed is set as the default content filter:

...
content_filter=amavisfeed:[127.0.0.1]:10024
...

In amavis, my main purpose is to block (besides viruses, bad headers, etc.) banned files, including .zip and .rar, with some exceptions for certain senders.

So, in my amavis.conf, I changed $banned_filename_re, adding a line that reads:

  qr'^\.(zip|rar)$'i,                            # block zip and rar type 

Blocking works fine, until I use some "bypass_" filter to avoid blocking certain mail when it is received from certain senders, using the following policy bank (for example, my domain is "test.mydomain.com"):

read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10024'} = 'EXTERNAL';

# regular incoming mail, originating from anywhere (usually from outside)
$policy_bank{'EXTERNAL'} = {
  # # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,  # do not require secret_id for amavisd-release
  bypass_banned_checks_maps => [[qw( [email protected] [email protected] [email protected] )]],
};

Now suppose the external user "[email protected]" sends mail to my internal user "[email protected]" with a .zip attachment. It passes successfully, but because the recipient matches (and not the sender)... From the log:

...
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: public key s=s2014 d=libero.it k=rsa, 2048-bit key
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: VALID Author+Sender+MailFrom signature by d=libero.it, From: <[email protected]>, a=rsa-sha256, c=relaxed/relaxed, s=s2014, [email protected]
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Original mail size: 5472196; quota set to: 524288000 bytes (fmin=5, fmax=500, qmin=102400, qmax=524288000)
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Checking: xeO-t6yJ68dS EXTERNAL [212.48.25.196] <[email protected]>-> <[email protected]>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) 2822.From: <[email protected]>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [local_domains] => true,  "[email protected]" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl([email protected]) matches key "[email protected]", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup => true,  "[email protected]" matches, result="1", matching_key="[email protected]"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Extracting mime components from a file

In fact, if I change the bypass_banned_checks_maps line so that it reads:

   bypass_banned_checks_maps => [[qw( [email protected] [email protected] )]],

and resend the same mail, the sender is not whitelisted, and the mail is blocked (banned and bounced) and quarantined:

...
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) Checking: lCsEqup1nnwy EXTERNAL [212.48.25.196] <[email protected]> -> <[email protected]>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) 2822.From: <[email protected]>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [local_domains] => true, "[email protected]" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl([email protected]), no match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup => undef, "[email protected]" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
...
Mar 16 15:14:58 test-mailgw postfix/lmtp[10620]: 64B778287E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.63/0.01/0.01/1.4, dsn=2.5.0, status=sent (250 2.5.0 Ok <[email protected]>, DSN was sent (554 5.7.0 Bounce, id=10611-01 - BANNED: .pdf,joomla_15_quickstart.pdf))
Mar 16 15:14:58 test-mailgw postfix/qmgr[631]: 64B778287E: removed
...

Because, in essence, it keeps checking the recipient's mail address, not the sender's...

Now, an even stranger behaviour! If I change my EXTERNAL policy_bank to use read_hash with a whitelist include file, in which I write one address per line, like so:

  • my /etc/amavisd/whitelist file has the following content:

    [email protected]
    externaldomain2.tld

  • and my amavisd.conf policy bank is as follows:

    ...
    read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
    @whitelist_sender_maps = (\%whitelist_sender);

    $interface_policy{'10024'} = 'EXTERNAL';

    $policy_bank{'EXTERNAL'} = {
      log_level => 5,
      auth_required_release => 0,  # do not require secret_id for amavisd-release
      bypass_banned_checks_maps => ['@whitelist_sender_maps'],
    };
    ...

I send the same mail as in the example above (external "[email protected]" to my internal "[email protected]"), and I get:

...
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) Checking: S6fD-MRTCySL EXTERNAL [212.48.25.196] <[email protected]> -> <[email protected]>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) 2822.From: <[email protected]>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [local_domains] => true,  "[email protected]" matches, result="1",matching_key=".test.mydomain.com"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup: (scalar) matches, result="@whitelist_sender_maps"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup => true, "[email protected]" matches, result="@whitelist_sender_maps", matching_key="(constant:@whitelist_sender_maps)"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
...

...the mail is delivered as clean and reaches its destination. (Also, why "result="@whitelist_sender_maps""?)

Can anyone help me and tell me where I am going wrong, and why?

Thanks in advance for your help. Gabo
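
A log-audit helper, added here as an example (it is not part of the question above nor of amavis itself): it pairs each `Checking:` line with the unlabelled `lookup => true` line of the same task id and reports whether the bypass matched on the recipient, on the sender, or on a constant key. The two behaviours seen in the logs above are exactly those: amavis looks up bypass_*_checks_maps by recipient address, and it treats a plain scalar in a *_maps list (such as the quoted string '@whitelist_sender_maps') as a constant that matches everything, which the log reports as matching_key="(constant:...)". The sample log lines, host name and IP address are constructed to mirror the excerpts above.

```python
import re

# Constructed sample log lines modelled on the amavis excerpts above (not copied from the page).
SAMPLE_LOG = """\
Mar 16 14:58:57 mailgw amavis[10230]: (10230-01) Checking: xeO EXTERNAL [192.0.2.10] <alice@external.example> -> <bob@test.mydomain.com>
Mar 16 14:58:57 mailgw amavis[10230]: (10230-01) lookup => true,  "bob@test.mydomain.com" matches, result="1", matching_key="bob@test.mydomain.com"
Mar 16 15:36:32 mailgw amavis[11088]: (11088-01) Checking: S6fD EXTERNAL [192.0.2.10] <alice@external.example> -> <bob@test.mydomain.com>
Mar 16 15:36:32 mailgw amavis[11088]: (11088-01) lookup => true, "bob@test.mydomain.com" matches, result="@whitelist_sender_maps", matching_key="(constant:@whitelist_sender_maps)"
Mar 16 15:14:57 mailgw amavis[10611]: (10611-01) Checking: lCsE EXTERNAL [192.0.2.10] <alice@external.example> -> <bob@test.mydomain.com>
Mar 16 15:14:57 mailgw amavis[10611]: (10611-01) lookup => undef, "bob@test.mydomain.com" does not match
"""

# "(task-id) Checking: <queue-id> <policy-bank> [<client-ip>] <sender> -> <recipient>"
CHECKING_RE = re.compile(r'\((?P<id>[\w-]+)\) Checking: \S+ (?P<bank>\S+) \[[^\]]*\] <(?P<sender>[^>]*)> ?-> ?<(?P<rcpt>[^>]*)>')
# Unlabelled successful lookup: the bypass_banned_checks decision in the logs above has no [map-name] tag.
LOOKUP_RE = re.compile(r'\((?P<id>[\w-]+)\) lookup => true,\s+"(?P<addr>[^"]*)" matches, result="[^"]*", matching_key="(?P<key>[^"]*)"')


def classify_bypass_lookups(log_text):
    """Return {task_id: verdict} for every successful unlabelled lookup, where verdict is
    'wildcard'  - matching_key is a constant, so the bypass applies to every message;
    'recipient' - the address that matched is the local recipient, not the sender;
    'sender'    - the address that matched is the envelope sender;
    'other'     - anything else (e.g. a key that matched neither side of the envelope)."""
    envelopes = {}   # task id -> (sender, recipient), filled from the Checking: line
    verdicts = {}
    for line in log_text.splitlines():
        m = CHECKING_RE.search(line)
        if m:
            envelopes[m['id']] = (m['sender'].lower(), m['rcpt'].lower())
            continue
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        sender, rcpt = envelopes.get(m['id'], ('', ''))
        addr = m['addr'].lower()
        if m['key'].startswith('(constant:'):
            verdicts[m['id']] = 'wildcard'
        elif addr == rcpt:
            verdicts[m['id']] = 'recipient'
        elif addr == sender:
            verdicts[m['id']] = 'sender'
        else:
            verdicts[m['id']] = 'other'
    return verdicts


if __name__ == '__main__':
    for task, verdict in classify_bypass_lookups(SAMPLE_LOG).items():
        print(f'{task}: bypass matched via {verdict}')
```

A 'wildcard' verdict means the banned-file check is switched off for all mail on that policy bank, not only for the whitelisted senders.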

Answer 1

It seems this cannot be achieved through amavis alone. An alternative is to use a separate policy bank that disables the banned-filename check, and to have Postfix direct e-mail from whitelisted sender addresses to that policy bank.

A basic implementation is as follows:

Add the following to amavisd.conf:

$interface_policy{'10026'} = 'NOBANNED';

$policy_bank{'NOBANNED'} = {
  # # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,
  bypass_banned_checks_maps => [1],
};

Create a file /etc/postfix/whitelist_filter with the following content:

[email protected]  FILTER smtp:[127.0.0.1]:10026

Create the hash file for it:

postmap hash:/etc/postfix/whitelist_filter

and add the line

check_client_access hash:/etc/postfix/whitelist_filter

to smtpd_recipient_restrictions somewhere in /etc/postfix/main.cf.
