Another sendmail relaying problem.

Cowles, Steve steve at stevecowles.com
Tue Jun 29 01:04:30 UTC 2004 

Travis Fraser wrote:
> Thank you for the smtpd_recipient_restrictions information. I have
> been using Postfix on a test network first, as you suggest.
> 
> As far as implementing SpamAssassin with Postfix, I was looking at
> Mailscanner or amavisd-new. Do you have a simpler suggestion for
> calling SA from within the recipient_restrictions checks?

Before I answer your post, be sure you define your e-mail requirements to
meet your needs. Mailscanner/Amavisd-new all have their purpose in life,
especially if you are implementing a high volume mail server that requires
both AV and SA to be called for each inbound e-mail. In my case, I admin a
low volume (2000+) e-mail a day postfix MTA which front-ends an Exchange
server. Furthermore, virus checking is done on the Exchange server, not
through postfix filtering. So implementing a product such as amavisd-new was
an unnecessary overhead in my opinion. Your requirements may differ.

With the above in mind, I simply call SA using postfix's builtin filtering
capabilites as follows:

1) Get SA (spamd) running on your MTA first. I'll leave the details of
starting and verifying SA is working properly on your system to you.

2) In /etc/mail/master.cf, add the following:
filter  unix    -       n       n       -       10       pipe
  flags=Fq
  user=spamassassin
  argv=/usr/bin/spamc -f -x -e /usr/sbin/sendmail -i -f $sender $recipient

NOTE: I limit postfix to spawning 10 instances of spamc simultainiously.
This meets my load requirements. Also, adjust the flags setting to meet your
requirements. The call to /usr/bin/sendmail is actully the postfix supplied
sendmail, not the sendmail MTA. The postfix supplied sendmail simply
re-injects the scanned (filtered) e-mail back into postfix on a pipe for
final delivery.

3) Add the following to /etc/postfix/main.cf smtpd_recipient_restrictions
section.

smtpd_recipient_restrictions =
  [snip...]
  check_recipient_access hash:/etc/postfix/filtered_domains
  permit

4) In /etc/postfix/filtered_domains add an entry for each of your hosted
domains:
mydomain1.com   FILTER  filter:spamassassin
mydomain2.com   FILTER  filter:spamassassin
mydomain3.com   FILTER  filter:spamassassin

NOTE: My MTA is also a backup MX for another site, so I run spamassassin
only for e-mail being delivered to the domains that I host, not for e-mail
that is queued up on my MTA in a backup MX mode. Also, this stops outbound
e-mail from being processed by SA, but still allows Exchange to scan
outbound e-mail for viruses prior to submitting to postfix.

5) Build the /etc/postfix/filtered_domains database
# postmap /etc/postfix/filtered_domains

6) Reload postfix and test. Be sure you test from an external source, not a
system from your local network (mynetworks) or SA will not be called.
Remember the order specified in smtpd_recipient_restrictions. If you want to
test from a system on your network, move the call to check_recipient_access
above mynetworks.

Again, the method I present above meets my requirements. This is NOT the
preferred method if you are running a high volume MTA. Especially if you
need to call both SA and AV filters for each inbound e-mail on your postfix
MTA. If that's the case, use amavisd-new or a product that meets your
requirements to perform filtering.

Steve Cowles

More information about the fedora-list mailing list