Another sendmail relaying problem.
Cowles, Steve
steve at stevecowles.com
Tue Jun 29 01:04:30 UTC 2004
Travis Fraser wrote:
> Thank you for the smtpd_recipient_restrictions information. I have
> been using Postfix on a test network first, as you suggest.
>
> As far as implementing SpamAssassin with Postfix, I was looking at
> Mailscanner or amavisd-new. Do you have a simpler suggestion for
> calling SA from within the recipient_restrictions checks?
Before I answer your post, be sure you define your e-mail requirements to
meet your needs. Mailscanner/Amavisd-new all have their purpose in life,
especially if you are implementing a high volume mail server that requires
both AV and SA to be called for each inbound e-mail. In my case, I admin a
low volume (2000+) e-mail a day postfix MTA which front-ends an Exchange
server. Furthermore, virus checking is done on the Exchange server, not
through postfix filtering. So implementing a product such as amavisd-new was
an unnecessary overhead in my opinion. Your requirements may differ.
With the above in mind, I simply call SA using postfix's builtin filtering
capabilites as follows:
1) Get SA (spamd) running on your MTA first. I'll leave the details of
starting and verifying SA is working properly on your system to you.
2) In /etc/mail/master.cf, add the following:
filter unix - n n - 10 pipe
flags=Fq
user=spamassassin
argv=/usr/bin/spamc -f -x -e /usr/sbin/sendmail -i -f $sender $recipient
NOTE: I limit postfix to spawning 10 instances of spamc simultainiously.
This meets my load requirements. Also, adjust the flags setting to meet your
requirements. The call to /usr/bin/sendmail is actully the postfix supplied
sendmail, not the sendmail MTA. The postfix supplied sendmail simply
re-injects the scanned (filtered) e-mail back into postfix on a pipe for
final delivery.
3) Add the following to /etc/postfix/main.cf smtpd_recipient_restrictions
section.
smtpd_recipient_restrictions =
[snip...]
check_recipient_access hash:/etc/postfix/filtered_domains
permit
4) In /etc/postfix/filtered_domains add an entry for each of your hosted
domains:
mydomain1.com FILTER filter:spamassassin
mydomain2.com FILTER filter:spamassassin
mydomain3.com FILTER filter:spamassassin
NOTE: My MTA is also a backup MX for another site, so I run spamassassin
only for e-mail being delivered to the domains that I host, not for e-mail
that is queued up on my MTA in a backup MX mode. Also, this stops outbound
e-mail from being processed by SA, but still allows Exchange to scan
outbound e-mail for viruses prior to submitting to postfix.
5) Build the /etc/postfix/filtered_domains database
# postmap /etc/postfix/filtered_domains
6) Reload postfix and test. Be sure you test from an external source, not a
system from your local network (mynetworks) or SA will not be called.
Remember the order specified in smtpd_recipient_restrictions. If you want to
test from a system on your network, move the call to check_recipient_access
above mynetworks.
Again, the method I present above meets my requirements. This is NOT the
preferred method if you are running a high volume MTA. Especially if you
need to call both SA and AV filters for each inbound e-mail on your postfix
MTA. If that's the case, use amavisd-new or a product that meets your
requirements to perform filtering.
Steve Cowles
More information about the fedora-list
mailing list