amavis postfix integration problem

[bluethundr]

Hi again, folks

I have decided to have a fresh start using Ubuntu Server 9.10 created by RightScale on the AWS cloud.

I have gotten farther than I did under CentOS due to the dearth of Red Hat-based packages for the components I need. Prior to my attempt to integrate Amavis with Postfix I was sending *AND* receiving e-mail with impunity!

However, f I do a telnet test with Amavis enabled...

root@cloud1:~# telnet cloud1 25
Trying 127.0.0.1...
Connected to cloud1.
Escape character is '^]'.
220 cloud1 ESMTP Postfix (Ubuntu) This is JiffyCloud!
ehlo cloud1
250-cloud1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <bluethundr@externaldom.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@newdom.com>
250 2.1.5 Ok
data 
354 End data with <CR><LF>.<CR><LF>
this is a test during meet the press
.
250 2.0.0 Ok: queued as 2B4E78C1DB
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@cloud1:~# telnet cloud1 25
Trying 127.0.0.1...
Connected to cloud1.
Escape character is '^]'.
220 cloud1 ESMTP Postfix (Ubuntu) This is JiffyCloud!
EHLO cloud1
250-cloud1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <bluethundr@externaldom.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@newdom.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
hello hello hello test blah 
blah blah blah
.
250 2.0.0 Ok: queued as 013CF8C1DF
quit
221 2.0.0 Bye
Connection closed by foreign host.

This is the result in my postfix logs:

Apr 18 11:47:16 domU-AB-CD-EF-GH-A1-A2 postfix/smtpd[8391]: 2B4E78C1DB: client=cloud1[127.0.0.1]
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/cleanup[8395]: 2B4E78C1DB: message-id=<20100418154716.2B4E78C1DB@cloud1>
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/qmgr[8389]: 2B4E78C1DB: from=<bluethundr@xxxxx.com>, size=355, nrcpt=1 (queue active)
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/qmgr[8389]: warning: connect to transport private/amavis: Connection refused
Apr 18 11:47:24 domU-AB-CD-EF-GH-A1-A2 postfix/error[8396]: 2B4E78C1DB: to=<bluethundr@newdomain.com>, relay=none, delay=21, delays=21/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Apr 18 11:47:27 domU-AB-CD-EF-GH-A1-A2 postfix/smtpd[8391]: disconnect from cloud1[127.0.0.1]

I have added the amavis user and group:

root@cloud1:~# groups amavis
amavis : amavis

First as with the Amavis I am including my main.cf and master.cf config files for your consideration.



master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
        -o content_filter=
        -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#Amavis
#amavis      unix    -       -       -       -       2       smtp
#            -o smtp_data_done_timeout=1200
#            -o smtp_send_xforward_command=yes
#            -o disable_dns_lookups=yes
#            -o max_use=20
#127.0.0.1:10025 inet    n       -       -       -       -       smtpd
#            -o content_filter=
#            -o local_recipient_maps=
#            -o relay_recipient_maps=
#            -o smtpd_restriction_classes=
#            -o smtpd_delay_reject=no
#            -o smtpd_client_restrictions=permit_mynetworks,reject
#            -o smtpd_helo_restrictions=
#            -o smtpd_sender_restrictions=
#            -o smtpd_recipient_restrictions=permit_mynetworks,reject
#            -o smtpd_data_restrictions=reject_unauth_pipelining
#            -o smtpd_end_of_data_restrictions=
#            -o mynetworks=127.0.0.0/8
#            -o smtpd_error_sleep_time=0
#            -o smtpd_soft_error_limit=1001
#            -o smtpd_hard_error_limit=1000
#            -o smtpd_client_connection_count_limit=0
#            -o smtpd_client_connection_rate_limit=0
#            -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

This would appear to be the one line of configuration in main.cf which breaks the entire postfix environment on this machine.

content_filter = amavis:[127.0.0.1]:10024

main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) This is JiffyCloud!
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = cloud1
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cloud1.newdom.com, cloud1, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
masquerade_domains = cloud1.newdom.com [URL unfurl="true"]www.newdom.com[/URL] !sub.dyndomain.com
masquerade_exceptions = root
local_recipient_maps = 
mydestination =
# how long if undelivered before sending warning update to sender
delay_warning_time = 4h 
# will it be a permanent error or temporary 
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed. 
# some have 3 days, I have 16 days as I am backup server for some people 
# whom go on holiday with their server switched off. 
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed 
minimal_backoff_time = 1000s 
maximal_backoff_time = 8000s 
# how long to wait when servers connect before receiving rest of data 
smtp_helo_timeout = 60s
# how many address can be used in one message. 
# effective stopper to mass spammers, accidental copy in whole address list 
# but may restrict intentional mail shots. 
smtpd_recipient_limit = 16 
# how many error before back off. 
smtpd_soft_error_limit = 3 
# how many max errors before blocking it. 
smtpd_hard_error_limit = 12

# Requirements for the HELO statement 
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit 
# Requirements for the sender details 
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit 
# Requirements for the connecting server 
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org 
# Requirement for the recipient address 
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit smtpd_data_restrictions = reject_unauth_pipelining
# require proper helo at connections
smtpd_helo_required = yes 
# waste spammers time before rejecting them 
smtpd_delay_reject = yes 
disable_vrfy_command = yes
# not sure of the difference of the next two 
# but they are needed for local aliasing 
alias_maps = hash:/etc/postfix/aliases 
alias_database = hash:/etc/postfix/aliases 
# this specifies where the virtual mailbox folders will be located 
virtual_mailbox_base = /var/spool/mail/virtual 
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf 
# and their user id 
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf 
# and group id 
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
# and this is for aliases 
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf 
# and this is for domain lookups 
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf 
# this is how to connect to the domains (all virtual, but the option is there) 
# not used yet 
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
#content_filter = amavis:[127.0.0.1]:10024
# Postgrey Configuration
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
		reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, 
		check_policy_service inet:127.0.0.1:10023, permit

15_content_filter_mode

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

I would love to continue this project with Amavis integration intact with a bit of skillful help and very much appreciate any input you could provide!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!

 

[Noway2]

Connection refused typically means that the port is closed. Is anything listening on port 10024 and did you specify in the amavis configuration 20-debian_defaults: $inet_socket_port = 10024; ?

 

[Noway2]

One other thing I just remembered. If you are running 9.10 (Karmic), I found that some of the mail functions don't start automatically. The problem is the ordering in the rc?.d scripts. If you find that a process (spamassassin, amavis, etc) isn't running via a PS command, try moving it to a higher number.

The problem as I understand it from the debian bug reports is that there are some dependencies on network functions that take longer to start up than they used to.

 

[bluethundr]

Thanks for the tips!

I took your advice and tried moving amavis to a higher number.

I moved amavis from S19amavis to S75amavis in my current runlevel which is runlevel 4.

Before:

root@cloud1:/etc/rc4.d# ls
README	   S19postgrey		S20courier-authdaemon  S20getsshkey	 S20saslauthd  S70pppd-dns	     S97rightscale
S16ssh	   S19spamassassin	S20courier-imap        S20nscd		 S50proftpd    S80righthostname_ec2  S98rightlink
S19amavis  S20clamav-daemon	S20courier-imap-ssl    S20openbsd-inetd  S50rsync      S90righthostname      S99ondemand
S19mysql   S20clamav-freshclam	S20exim4	       S20postfix	 S70dns-clean  S91apache2	     S99rc.local

After:

root@cloud1:/etc/rc4.d# ls
README	     S19spamassassin	    S20courier-imap	 S20nscd	   S50rsync	 S76saslauthd	       S97rightscale
S16ssh	     S20clamav-daemon	    S20courier-imap-ssl  S20openbsd-inetd  S70dns-clean  S80righthostname_ec2  S98rightlink
S19mysql     S20clamav-freshclam    S20exim4		 S20postfix	   S70pppd-dns	 S90righthostname      S99ondemand
S19postgrey  S20courier-authdaemon  S20getsshkey	 S50proftpd	   S75amavis	 S91apache2	       S99rc.local

After doing so I ran init 4 in the hopes that it would run, but when I issue a ps -ef | grep amavis turns up nothing.

You might also notice that I have moved on for the time being and now am encountering problems with SASL.

More news on that at 11, I'm trying to wrestle only one alligator at a time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!

 

[bluethundr]

Update.. I decided to reboot the whole box and lo and behold, amavis runs!

root@cloud1:~# ps -ef | grep amavis
amavis    1823     1  0 14:20 ?        00:00:00 amavisd (master)
amavis    1883  1823  0 14:20 ?        00:00:00 amavisd (virgin child)
amavis    1884  1823  0 14:20 ?        00:00:00 amavisd (virgin child)
root      2261  2178  0 14:42 pts/1    00:00:00 grep amavis

But mail is still being refused tho it appears to be listening.

Apr 18 14:41:03 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: connect from cloud1[127.0.0.1]
Apr 18 14:41:26 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: EACF68C20B: client=cloud1[127.0.0.1]
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/cleanup[2200]: EACF68C20B: message-id=<20100418184126.EACF68C20B@cloud1>
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/qmgr[1791]: EACF68C20B: from=<bluethundr@externaldom.com>, size=366, nrcpt=1 (queue active)
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/qmgr[1791]: warning: connect to transport private/amavis: Connection refused
Apr 18 14:42:03 domU-12-34-56-78-9A-A1 postfix/error[2193]: EACF68C20B: to=<bluethundr@newdom.com>, relay=none, delay=47, delays=47/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Apr 18 14:42:06 domU-12-34-56-78-9A-A1 postfix/smtpd[2196]: disconnect from cloud1[127.0.0.1]

baby steps.. baby steps...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!

 

[bluethundr]

Amavis is apparently doing it's job however. I tried to send the system the eicar.com attachment and (thankfully) got this response...

msmtp: the server did not accept the mail                                                                                               
msmtp: server message: 552-5.7.0 Our system detected an illegal attachment on your message. Please                                      
msmtp: server message: 552-5.7.0 visit [URL unfurl="true"]http://mail.google.com/support/bin/answer.py?answer=6590[/URL] to                                      
msmtp: server message: 552 5.7.0 review our attachment guidelines. m13sm15065492vcs.1                                                   
msmtp: could not send mail (account default from /home/bluethundr/.msmtprc)

I am currently checking out the amavis site to see if I can figure out how to get it to allow traffic....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: 5A4873A9
Key fingerprint = 0C0F 1769 83C3 8318 7424 73B1 55C5 4B3E 5A48 73A9
GPG me!!!