I have a CentOS 6 server with Amavis 2.9.1 + Postfix 2.6.6 + clamav 0.99, which I use as a mail relay (aka mail gateway). The network setup is as follows: eth0 (10.10.132.104) is the external interface, eth1 (10.10.133.104) is the internal interface (mail delivered to internal users, or sent out by them).
I have the following Postfix master.cf configured (I only paste the relevant part):
#smtp inet n - y - - smtpd
10.10.133.104:smtp inet n - y - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o cleanup_service_name=no-headerchecks
  -o content_filter=
127.0.0.1:smtp inet n - y - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o cleanup_service_name=no-headerchecks
  -o content_filter=
10.10.132.104:smtp inet n - y - - smtpd
127.0.0.1:10025 inet n - y - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8,10.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=
….
….
amavisfeed unix - - n - 2 lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
On the other hand, amavis currently only acts on mail coming from the external network. In main.cf, amavisfeed is set as the default content filter:
... content_filter=amavisfeed:[127.0.0.1]:10024 ...
The main purpose of amavis is to block all banned files (in addition to viruses, headers, etc.), including .zip and .rar, but with some sender exceptions.
So, in my amavisd.conf, I changed $banned_filename_re, adding a line so that it reads:
qr'^\.(zip|rar)$'i, # block zip and rar type
The block works fine, until I use one of the "bypass_" filters to avoid blocking certain incoming mail from certain senders. Using the following policy bank (for example, my domain is "test.mydomain.com"):
read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10024'} = 'EXTERNAL';

# regular incoming mail, originating from anywhere (usually from outside)
$policy_bank{'EXTERNAL'} = {
  # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,  # do not require secret_id for amavisd-release
  bypass_banned_checks_maps => [[qw( [email protected] [email protected] [email protected] )]],
};
Now suppose the external user "[email protected]" sends a mail with a .zip attachment to my internal user "[email protected]". It passes through successfully, but because the recipient matches (not the sender)..: from the log:
….
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: public key s=s2014 d=libero.it k=rsa, 2048-bit key
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: VALID Author+Sender+MailFrom signature by d=libero.it, From: <[email protected]>, a=rsa-sha256, c=relaxed/relaxed, s=s2014, [email protected]
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Original mail size: 5472196; quota set to: 524288000 bytes (fmin=5, fmax=500, qmin=102400, qmax=524288000)
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Checking: xeO-t6yJ68dS EXTERNAL [212.48.25.196] <[email protected]> -> <[email protected]>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) 2822.From: <[email protected]>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [local_domains] => true, "[email protected]" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl([email protected]) matches key "[email protected]", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup => true, "[email protected]" matches, result="1", matching_key="[email protected]"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Extracting mime components from a file
In fact, if I change the bypass_banned_checks_maps line so that it reads:
bypass_banned_checks_maps => [[qw( [email protected] [email protected] )]],
and I resend the same mail, with the sender not whitelisted, the mail is blocked (BANNED and BOUNCED) and quarantined:
…...
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) Checking: lCsEqup1nnwy EXTERNAL [212.48.25.196] <[email protected]> -> <[email protected]>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) 2822.From: <[email protected]>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [local_domains] => true, "[email protected]" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl([email protected]), no match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup => undef, "[email protected]" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
…...
Mar 16 15:14:58 test-mailgw postfix/lmtp[10620]: 64B778287E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.63/0.01/0.01/1.4, dsn=2.5.0, status=sent (250 2.5.0 Ok <[email protected]>, DSN was sent (554 5.7.0 Bounce, id=10611-01 - BANNED: .pdf,joomla_15_quickstart.pdf))
Mar 16 15:14:58 test-mailgw postfix/qmgr[631]: 64B778287E: removed
…….
Because, essentially, it keeps checking the recipient's mail address, not the sender's....
And now, even more monstrous and weird behaviour! If I change my EXTERNAL policy_bank to use a whitelist held in a file read with read_hash (one address per line), so that:
my /etc/amavisd/whitelist file looks like this:
[email protected]
externaldomain2.tld
and the policy bank in my amavisd.conf is as follows:
… …
read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10024'} = 'EXTERNAL';

$policy_bank{'EXTERNAL'} = {
  log_level => 5,
  auth_required_release => 0,  # do not require secret_id for amavisd-release
  bypass_banned_checks_maps => ['@whitelist_sender_maps'],
};
…
and I send the mail from the previous example (external "[email protected]") to my internal "[email protected]", I get:
…...
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) Checking: S6fD-MRTCySL EXTERNAL [212.48.25.196] <[email protected]> -> <[email protected]>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) 2822.From: <[email protected]>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup_acl([email protected]) matches key ".test.mydomain.com", result=1
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [local_domains] => true, "[email protected]" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_virus_checks] => undef, "[email protected]" does not match
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup: (scalar) matches, result="@whitelist_sender_maps"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup => true, "[email protected]" matches, result="@whitelist_sender_maps", matching_key="(constant:@whitelist_sender_maps)"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_spam_checks] => undef, "[email protected]" does not match
…..
…the mail passes clean, and reaches its destination. (Also, why "result="@whitelist_sender_maps""?)
Can anyone help me, and tell me where and why I am wrong?
Thanks in advance for your help. Gabo
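An added example, not part of the original question or the answer: the shell function below runs awk over a few constructed amavisd log lines (modelled on the excerpts above; the addresses, IP and task ids are placeholders) and reports, for every lookup line, which address was used as the key, whether that address is the envelope sender or the recipient of the same task, and whether the match came from a constant. Two things the excerpts above show become explicit this way: amavisd keys its bypass_*_checks_maps lookups on the recipient address, which is why whitelisting the recipient "worked" and whitelisting the sender did not; and a bare string such as '@whitelist_sender_maps' in a lookup list is treated as a constant that matches every message (the log reports it as matching_key="(constant:...)"), so the third configuration did not whitelist anyone, it switched banned-file checks off for all mail arriving on port 10024.

```shell
#!/bin/sh
# Added example (not from the question or the answer): audit amavisd lookup
# log lines. For each line of the form  lookup [name] => true|undef, "addr" ...
# it prints the task id, the map name, the address used as the lookup key,
# whether that address is the task's envelope sender or recipient, the result,
# and a CONSTANT flag when matching_key is "(constant:...)", i.e. the map
# entry was a plain string that matches every message.

audit_amavis_lookups() {   # reads syslog-format amavisd lines on stdin
  awk '
    { id = $6 }   # "Mar 16 15:36:32 host amavis[pid]: (pid-seq) ..." -> $6 is the task id
    index($0, ") Checking: ") {
      # the Checking: line carries "<sender> -> <recipient>" for this task
      s = $0; sub(/.*\] </, "", s); sub(/>.*/, "", s)
      r = $0; sub(/.*-> </, "", r); sub(/>.*/, "", r)
      sender[id] = s; rcpt[id] = r
      next
    }
    index($0, " lookup") && index($0, "=> ") && index($0, "\"") {
      n = "(unnamed)"      # amavisd logs some bypass lookups without a [name] tag
      if (index($0, "lookup [")) { n = $0; sub(/.*lookup \[/, "", n); sub(/\].*/, "", n) }
      k = $0; sub(/[^"]*"/, "", k); sub(/".*/, "", k)      # first quoted string = lookup key
      role = (k == sender[id]) ? "sender" : ((k == rcpt[id]) ? "recipient" : "other")
      st = index($0, "=> true") ? "match" : "nomatch"
      c = index($0, "matching_key=\"(constant:") ? " CONSTANT" : ""
      printf "%s %s key=%s role=%s %s%s\n", id, n, k, role, st, c
    }
  '
}

# Constructed sample, modelled on the log excerpts in the question. Task
# 11088-01 is the '@whitelist_sender_maps' case, 10611-01 the blocked case.
SAMPLE_LOG='Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) Checking: S6fDMRTCySL EXTERNAL [192.0.2.10] <alice@externaldomain.tld> -> <bob@test.mydomain.com>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_virus_checks] => undef, "bob@test.mydomain.com" does not match
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup: (scalar) matches, result="@whitelist_sender_maps"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup => true, "bob@test.mydomain.com" matches, result="@whitelist_sender_maps", matching_key="(constant:@whitelist_sender_maps)"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_spam_checks] => undef, "bob@test.mydomain.com" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) Checking: lCsEqup1nnwy EXTERNAL [192.0.2.10] <mallory@externaldomain.tld> -> <bob@test.mydomain.com>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_banned_checks] => undef, "bob@test.mydomain.com" does not match'

audit_sample() { printf '%s\n' "$SAMPLE_LOG" | audit_amavis_lookups; }

audit_sample
```

On the gateway itself, run it over the real log after every change to a bypass_* map (for example `audit_amavis_lookups < /var/log/maillog | grep CONSTANT`); every lookup key comes back as role=recipient, and a CONSTANT hit in any policy bank where you did not deliberately write [1] means the map entry is quoted text rather than a hash or array reference, and the check is off for everyone.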
It seems this is not possible with amavis alone. An alternative is to use a separate policy bank that disables the banned-filename check, and have Postfix send e-mail from whitelisted sender addresses directly to that policy bank.
A basic implementation can be done as follows:
Add the following to amavisd.conf:
$interface_policy{'10026'} = 'NOBANNED';
$policy_bank{'NOBANNED'} = {
  # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,
  bypass_banned_checks_maps => [1],
};
Create a file /etc/postfix/whitelist_filter with the following content:
[email protected] FILTER smtp:[127.0.0.1]:10026
Build the hash map for this file:
postmap hash:/etc/postfix/whitelist_filter
and add the line
check_sender_access hash:/etc/postfix/whitelist_filter
somewhere in smtpd_recipient_restrictions in /etc/postfix/main.cf.
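The procedure above as one runnable script, added here as an example and not the answerer's own code. It adds the two details the answer leaves implicit: amavisd only answers on port 10026 if $inet_socket_port lists it, and the access map is keyed on the envelope sender, so Postfix has to consult it with check_sender_access (check_client_access keys on the connecting client's hostname and IP and would never match an address). The file names nobanned.conf and the root-directory argument for a dry run are this example's choices; the whitelist format (one address or domain per line) is the one from the question. One caveat a practitioner should keep in mind: the envelope sender is trivially forgeable, so this exemption is only as strong as whatever sender authentication runs in front of it, and the whitelist should stay short.

```shell
#!/bin/sh
# Added example (not the answer's script): sender-keyed exemption from the
# amavisd banned-file check via a second amavisd port and a Postfix FILTER map.
#   sh nobanned.sh --apply            -> writes under /  (run as root on the gateway)
#   sh nobanned.sh --apply /tmp/stage -> dry run into a staging directory

# amavisd.conf fragment. Merge it into amavisd.conf before the file's closing
# "1;" line and restart amavisd.
write_amavis_bank() {   # $1: output path
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
# second listener: without this amavisd never accepts connections on 10026
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'NOBANNED';
$policy_bank{'NOBANNED'} = {
  log_level => 4,
  auth_required_release => 0,
  # constant true: everything reaching this port skips the banned-file check;
  # virus, spam and header checks still run
  bypass_banned_checks_maps => [1],
};
EOF
}

# Build the Postfix access-map source from the amavisd-style whitelist (one
# sender address or domain per line, '#' comments allowed). Keys are lowercased;
# entries containing whitespace are rejected rather than written out broken,
# because postmap would silently turn the remainder into the map value.
make_filter_map() {   # $1: whitelist input, $2: access-map source output
  : > "$2"
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "$entry" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    [ -z "$entry" ] && continue
    if printf '%s' "$entry" | grep -q '[[:space:]]'; then
      echo "skipping malformed whitelist entry: $entry" >&2
      continue
    fi
    printf '%s FILTER smtp:[127.0.0.1]:10026\n' "$entry" >> "$2"
  done < "$1"
}

compile_map() {   # $1: access-map source; postmap exists only on the gateway
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$1"
  else
    echo "postmap not available, leaving $1 uncompiled" >&2
  fi
}

if [ "${1-}" = "--apply" ]; then
  set -e
  root="${2-}"
  write_amavis_bank "$root/etc/amavisd/nobanned.conf"
  make_filter_map "$root/etc/amavisd/whitelist" "$root/etc/postfix/whitelist_filter"
  compile_map "$root/etc/postfix/whitelist_filter"
  cat <<'EOF'
Remaining manual steps:
  1. merge /etc/amavisd/nobanned.conf into amavisd.conf (before its final "1;") and restart amavisd
  2. add    check_sender_access hash:/etc/postfix/whitelist_filter
     near the start of smtpd_recipient_restrictions in /etc/postfix/main.cf
  3. postfix reload, then watch the log for "Checking: ... NOBANNED" on a test mail
EOF
fi
```

Because FILTER is a per-message action, one whitelisted envelope sender is enough to route the whole message, all recipients included, to the NOBANNED bank; that is the intended behaviour here, but it is worth knowing before widening the list to whole domains.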