Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

amavis postfix integration problem

Status
Not open for further replies.

bluethundr

Technical User
Jan 4, 2009
31
US
Hi again, folks

I have decided to have a fresh start using Ubuntu Server 9.10 created by RightScale on the AWS cloud.

I have gotten farther than I did under CentOS due to the dearth of Red Hat-based packages for the components I need. Prior to my attempt to integrate Amavis with Postfix I was sending *AND* receiving e-mail with impunity!

However, f I do a telnet test with Amavis enabled...

Code:
root@cloud1:~# telnet cloud1 25
Trying 127.0.0.1...
Connected to cloud1.
Escape character is '^]'.
220 cloud1 ESMTP Postfix (Ubuntu) This is JiffyCloud!
ehlo cloud1
250-cloud1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <bluethundr@externaldom.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@newdom.com>
250 2.1.5 Ok
data 
354 End data with <CR><LF>.<CR><LF>
this is a test during meet the press
.
250 2.0.0 Ok: queued as 2B4E78C1DB
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@cloud1:~# telnet cloud1 25
Trying 127.0.0.1...
Connected to cloud1.
Escape character is '^]'.
220 cloud1 ESMTP Postfix (Ubuntu) This is JiffyCloud!
EHLO cloud1
250-cloud1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <bluethundr@externaldom.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@newdom.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
hello hello hello test blah 
blah blah blah
.
250 2.0.0 Ok: queued as 013CF8C1DF
quit
221 2.0.0 Bye
Connection closed by foreign host.

This is the result in my postfix logs:
Code:
Apr 18 11:47:16 domU-AB-CD-EF-GH-A1-A2 postfix/smtpd[8391]: 2B4E78C1DB: client=cloud1[127.0.0.1]
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/cleanup[8395]: 2B4E78C1DB: message-id=<20100418154716.2B4E78C1DB@cloud1>
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/qmgr[8389]: 2B4E78C1DB: from=<bluethundr@xxxxx.com>, size=355, nrcpt=1 (queue active)
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/qmgr[8389]: warning: connect to transport private/amavis: Connection refused
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/error[8396]: 2B4E78C1DB: to=<bluethundr@newdomain.com>, relay=none, delay=21, delays=21/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Apr 18 11:47:27 domU-AB-CD-EF-GH-A1-A2 postfix/smtpd[8391]: disconnect from cloud1[127.0.0.1]

I have added the amavis user and group:

Code:
root@cloud1:~# groups amavis
amavis : amavis

First as with the Amavis I am including my main.cf and master.cf config files for your consideration.



master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
        -o content_filter=
        -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#Amavis
#amavis      unix    -       -       -       -       2       smtp
#            -o smtp_data_done_timeout=1200
#            -o smtp_send_xforward_command=yes
#            -o disable_dns_lookups=yes
#            -o max_use=20
#127.0.0.1:10025 inet    n       -       -       -       -       smtpd
#            -o content_filter=
#            -o local_recipient_maps=
#            -o relay_recipient_maps=
#            -o smtpd_restriction_classes=
#            -o smtpd_delay_reject=no
#            -o smtpd_client_restrictions=permit_mynetworks,reject
#            -o smtpd_helo_restrictions=
#            -o smtpd_sender_restrictions=
#            -o smtpd_recipient_restrictions=permit_mynetworks,reject
#            -o smtpd_data_restrictions=reject_unauth_pipelining
#            -o smtpd_end_of_data_restrictions=
#            -o mynetworks=127.0.0.0/8
#            -o smtpd_error_sleep_time=0
#            -o smtpd_soft_error_limit=1001
#            -o smtpd_hard_error_limit=1000
#            -o smtpd_client_connection_count_limit=0
#            -o smtpd_client_connection_rate_limit=0
#            -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

This would appear to be the one line of configuration in main.cf which breaks the entire postfix environment on this machine.

Code:
content_filter = amavis:[127.0.0.1]:10024

main.cf

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) This is JiffyCloud!
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = cloud1
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cloud1.newdom.com, cloud1, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
masquerade_domains = cloud1.newdom.com [URL unfurl="true"]www.newdom.com[/URL] !sub.dyndomain.com
masquerade_exceptions = root
local_recipient_maps = 
mydestination =
# how long if undelivered before sending warning update to sender
delay_warning_time = 4h 
# will it be a permanent error or temporary 
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed. 
# some have 3 days, I have 16 days as I am backup server for some people 
# whom go on holiday with their server switched off. 
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed 
minimal_backoff_time = 1000s 
maximal_backoff_time = 8000s 
# how long to wait when servers connect before receiving rest of data 
smtp_helo_timeout = 60s
# how many address can be used in one message. 
# effective stopper to mass spammers, accidental copy in whole address list 
# but may restrict intentional mail shots. 
smtpd_recipient_limit = 16 
# how many error before back off. 
smtpd_soft_error_limit = 3 
# how many max errors before blocking it. 
smtpd_hard_error_limit = 12

# Requirements for the HELO statement 
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit 
# Requirements for the sender details 
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit 
# Requirements for the connecting server 
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org 
# Requirement for the recipient address 
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit smtpd_data_restrictions = reject_unauth_pipelining
# require proper helo at connections
smtpd_helo_required = yes 
# waste spammers time before rejecting them 
smtpd_delay_reject = yes 
disable_vrfy_command = yes
# not sure of the difference of the next two 
# but they are needed for local aliasing 
alias_maps = hash:/etc/postfix/aliases 
alias_database = hash:/etc/postfix/aliases 
# this specifies where the virtual mailbox folders will be located 
virtual_mailbox_base = /var/spool/mail/virtual 
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf 
# and their user id 
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf 
# and group id 
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
# and this is for aliases 
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf 
# and this is for domain lookups 
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf 
# this is how to connect to the domains (all virtual, but the option is there) 
# not used yet 
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
#content_filter = amavis:[127.0.0.1]:10024
# Postgrey Configuration
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
		reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, 
		check_policy_service inet:127.0.0.1:10023, permit

15_content_filter_mode

Code:
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return


I would love to continue this project with Amavis integration intact with a bit of skillful help and very much appreciate any input you could provide!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!
 
Connection refused typically means that the port is closed. Is anything listening on port 10024 and did you specify in the amavis configuration 20-debian_defaults: $inet_socket_port = 10024; ?

 
One other thing I just remembered. If you are running 9.10 (Karmic), I found that some of the mail functions don't start automatically. The problem is the ordering in the rc?.d scripts. If you find that a process (spamassassin, amavis, etc) isn't running via a PS command, try moving it to a higher number.

The problem as I understand it from the debian bug reports is that there are some dependencies on network functions that take longer to start up than they used to.
 
Thanks for the tips!

I took your advice and tried moving amavis to a higher number.

I moved amavis from S19amavis to S75amavis in my current runlevel which is runlevel 4.

Before:
Code:
root@cloud1:/etc/rc4.d# ls
README	   S19postgrey		S20courier-authdaemon  S20getsshkey	 S20saslauthd  S70pppd-dns	     S97rightscale
S16ssh	   S19spamassassin	S20courier-imap        S20nscd		 S50proftpd    S80righthostname_ec2  S98rightlink
S19amavis  S20clamav-daemon	S20courier-imap-ssl    S20openbsd-inetd  S50rsync      S90righthostname      S99ondemand
S19mysql   S20clamav-freshclam	S20exim4	       S20postfix	 S70dns-clean  S91apache2	     S99rc.local

After:
Code:
root@cloud1:/etc/rc4.d# ls
README	     S19spamassassin	    S20courier-imap	 S20nscd	   S50rsync	 S76saslauthd	       S97rightscale
S16ssh	     S20clamav-daemon	    S20courier-imap-ssl  S20openbsd-inetd  S70dns-clean  S80righthostname_ec2  S98rightlink
S19mysql     S20clamav-freshclam    S20exim4		 S20postfix	   S70pppd-dns	 S90righthostname      S99ondemand
S19postgrey  S20courier-authdaemon  S20getsshkey	 S50proftpd	   S75amavis	 S91apache2	       S99rc.local

After doing so I ran init 4 in the hopes that it would run, but when I issue a ps -ef | grep amavis turns up nothing.

You might also notice that I have moved on for the time being and now am encountering problems with SASL.

More news on that at 11, I'm trying to wrestle only one alligator at a time. :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!
 
Update.. I decided to reboot the whole box and lo and behold, amavis runs!

Code:
root@cloud1:~# ps -ef | grep amavis
amavis    1823     1  0 14:20 ?        00:00:00 amavisd (master)
amavis    1883  1823  0 14:20 ?        00:00:00 amavisd (virgin child)
amavis    1884  1823  0 14:20 ?        00:00:00 amavisd (virgin child)
root      2261  2178  0 14:42 pts/1    00:00:00 grep amavis

But mail is still being refused tho it appears to be listening.

Code:
Apr 18 14:41:03 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: connect from cloud1[127.0.0.1]
Apr 18 14:41:26 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: EACF68C20B: client=cloud1[127.0.0.1]
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/cleanup[2200]: EACF68C20B: message-id=<20100418184126.EACF68C20B@cloud1>
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/qmgr[1791]: EACF68C20B: from=<bluethundr@externaldom.com>, size=366, nrcpt=1 (queue active)
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/qmgr[1791]: warning: connect to transport private/amavis: Connection refused
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/error[2193]: EACF68C20B: to=<bluethundr@newdom.com>, relay=none, delay=47, delays=47/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Apr 18 14:42:06 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: disconnect from cloud1[127.0.0.1]

baby steps.. baby steps...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!
 
Amavis is apparently doing it's job however. I tried to send the system the eicar.com attachment and (thankfully) got this response...

Code:
msmtp: the server did not accept the mail                                                                                               
msmtp: server message: 552-5.7.0 Our system detected an illegal attachment on your message. Please                                      
msmtp: server message: 552-5.7.0 visit [URL unfurl="true"]http://mail.google.com/support/bin/answer.py?answer=6590[/URL] to                                      
msmtp: server message: 552 5.7.0 review our attachment guidelines. m13sm15065492vcs.1                                                   
msmtp: could not send mail (account default from /home/bluethundr/.msmtprc)

I am currently checking out the amavis site to see if I can figure out how to get it to allow traffic....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top