sendmail+greylist-milter problem

Russell Coker russell at coker.com.au
Sun Dec 25 11:29:55 UTC 2005


On Friday 23 December 2005 22:47, Russell Coker <russell at coker.com.au> wrote:
> On Thursday 22 December 2005 03:53, "Nicolas Mailhot" <nicolas.mailhot at laposte.net> wrote:
> > On Wed 21 December 2005 17:18, Russell Coker wrote:
> > > The problem here is that there is no policy for greylist-milter (or any
> > > other milter for that matter).
> >
> > amavis+postfix has been included in default selinux policy for quite a
> > long time. I'm pretty sure the policy applies to sendmail+amavis too.
>
> I should have thought of Amavis, I wrote a good chunk of the Amavis policy.
> You are correct that it SHOULD work with Sendmail, I designed it such that
> it would work with Sendmail and Qmail but I've never tested it with
> anything other than Postfix.
>
> I'll use the mta_filter_t domain that Alexey suggests and make Amavis such
> a filter as well.

I've attached a first cut at the policy for the mta_filter_t, I still have 
other things to do but I believe that the policy in this patch is only an 
improvement over the current situation and is therefore worth merging.  This 
replaces the postgrey.te and postgrey.fc files as postgrey will run in the 
same domain (but my patch doesn't remove those files).  Note that the 
ifdef(`distro_mandriva' does not imply that you would run SE Linux on 
Mandriva (much more work would need to be done for that), merely that if you 
want to force Mandriva packages to work on Fedora then you need to have the 
policy support the directories that they choose.  Mandriva seems to be the 
only distribution with Postgrey RPMs.

I haven't yet got Amavis working on my test machine so the Amavis policy isn't 
merged.  Amavis requires some extra work because it has the daemon to get new 
virus definitions (freshclam).  My plan is that the daemon to get new virus 
definitions will run in a separate domain and write to files that are 
read-only for the mta_filter_t domain.  Of course if freshclam is cracked 
then you could end up with a virus definition that marks every message as 
being a virus (which would be really bad), but this gives it a little extra 
isolation from the mail server domains.  Among other things I plan to have a 
boolean to determine whether the mta_filter_t domain can do TCP/UDP 
networking; preventing the filter from making connections to the outside 
world could be very useful.

Incidentally if someone wants to package Postgrey and Amavis for Fedora Extras 
then that would be really good.


PS Alexey, I'm not sure if you want to get involved in SE Linux policy 
development to the level of testing this patch out.  If not then just wait a 
week or so and this will become a standard policy feature.


PPS Happy holidays everyone!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 6037 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20051225/33a733fb/attachment.bin>
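As an added illustration, not the patch attached to this message and not the policy that was eventually merged, here is a reference-policy-style .te fragment sketching the design described above: one mta_filter_t domain shared by milters such as postgrey, a separate freshclam_t updater that writes definition files the filter can only read, and a boolean, off by default, gating the filter's TCP/UDP networking. Every type, interface and boolean name below is assumed for the sake of the example.

```m4
# Assumed names throughout; this is an illustration, not the attached patch.
policy_module(mta_filter_example, 0.1)

# Domain shared by mail filters (postgrey now, Amavis later).
type mta_filter_t;
type mta_filter_exec_t;
init_daemon_domain(mta_filter_t, mta_filter_exec_t)

# Virus definitions: written by the updater, read-only for the filter.
type mta_filter_defs_t;
files_type(mta_filter_defs_t)

# The definition updater runs in its own domain, isolated from the filter
# and from the mail server domains.
type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)

# Updater may create, replace and remove definition files ...
allow freshclam_t mta_filter_defs_t:dir { search getattr add_name remove_name write };
allow freshclam_t mta_filter_defs_t:file { create read write unlink rename getattr open };

# ... while the filter gets read access only. A cracked freshclam can feed
# it bad definitions, but cannot touch the filter's own state or the MTA.
allow mta_filter_t mta_filter_defs_t:dir { search getattr };
allow mta_filter_t mta_filter_defs_t:file { read getattr open };

# No TCP/UDP for the filter unless the admin turns the boolean on; a
# milter only needs its local socket to talk to the MTA.
gen_tunable(mta_filter_use_network, false)

tunable_policy(`mta_filter_use_network',`
    allow mta_filter_t self:tcp_socket create_stream_socket_perms;
    allow mta_filter_t self:udp_socket create_socket_perms;
    corenet_tcp_sendrecv_generic_if(mta_filter_t)
    corenet_tcp_connect_all_ports(mta_filter_t)
    sysnet_dns_name_resolve(mta_filter_t)
')
```

With the boolean left at its default, an attempted outbound connection from the filter shows up as an AVC denial rather than succeeding, which is the detection signal the isolation is meant to give.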