[Postfixbuch-users] Spamassassin scannt nicht alle Mails
Kai Fürstenberg
postfix at fuersti-net.de
Fr Jun 9 21:57:13 CEST 2006
Niels Kalle schrieb:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kai Fürstenberg wrote:
>
>
>> Kai Fürstenberg wrote:
>>
>>
>>> Hallo,
>>>
>
> Hallo Kai.
>
>
>>> niels_kalle wrote:
>>>
>>>
>>>> [..]
>>>>
>>>>
>>>>> Lass uns doch mal ein Update machen. Schick bitte nochmals
>>>>> deine aktuelle master.cf, postconf -n, und die, sagen wir mal
>>>>> 20-30 ersten Zeilen der amavisd.conf
>>>>>
>>>> OK, du hast es so gewollt... ;), hier kommt der Output von
>>>> postconf -n:
>>>>
>>>> 2bounce_notice_recipient = postmaster access_map_reject_code =
>>>> 554 alias_maps = mysql:/etc/postfix/mysql-aliases.cf
>>>> allow_percent_hack = yes append_at_myorigin = yes
>>>> append_dot_mydomain = yes biff = no body_checks =
>>>> pcre:/etc/postfix/body_checks.pcre bounce_notice_recipient =
>>>> postmaster bounce_size_limit = 65536 broken_sasl_auth_clients =
>>>> yes command_directory = /usr/sbin command_time_limit = 600s
>>>> config_directory = /etc/postfix content_filter =
>>>> smtp-amavis:[127.0.0.1]:10024 daemon_directory =
>>>> /usr/lib/postfix debug_peer_level = 2 debug_peer_list =
>>>> mail.humbug.org, nikster.humbug.org, localhost
>>>> default_destination_concurrency_limit = 5
>>>> default_destination_recipient_limit = 1000
>>>> default_process_limit = 150 default_rbl_reply = $rbl_code
>>>> Service unavailable; $rbl_class [$rbl_what] blocked using
>>>> $rbl_domain${rbl_reason?; $rbl_reason} - contact
>>>> postmaster at humbug.org for details delay_notice_recipient =
>>>> postmaster delay_warning_time = 1h disable_dns_lookups = no
>>>> disable_vrfy_command = yes double_bounce_sender = double-bounce
>>>> duplicate_filter_limit = 1000 empty_address_recipient =
>>>> postmaster error_notice_recipient = postmaster header_checks =
>>>> pcre:/etc/postfix/header_checks.pcre header_size_limit = 204800
>>>> home_mailbox = .maildir/ hopcount_limit = 50 html_directory =
>>>> /usr/share/doc/postfix-2.2.5/html ignore_mx_lookup_error = yes
>>>> in_flow_delay = 1s inet_interfaces = all
>>>> initial_destination_concurrency = 2
>>>> invalid_hostname_reject_code = 501 line_length_limit = 4096
>>>> local_destination_concurrency_limit = 10
>>>> local_destination_recipient_limit = 1000 local_transport = no
>>>> local mail delivery mail_name = humbug Mailservices mail_owner
>>>> = postfix mailbox_command = /usr/bin/procmail
>>>> mailbox_size_limit = 0 mailq_path = /usr/bin/mailq
>>>> manpage_directory = /usr/share/man maps_rbl_reject_code = 554
>>>> max_idle = 10s max_use = 20 maximal_backoff_time = 3600s
>>>> maximal_queue_lifetime = 1d message_size_limit = 10240000
>>>> minimal_backoff_time = 60s mydestination = $myhostname,
>>>> localhost.$mydomain, $mydomain, mail.$mydomain mydomain =
>>>> humbug.org myhostname = mail.humbug.org mynetworks =
>>>> 127.0.0.0/8 newaliases_path = /usr/bin/newaliases
>>>> non_fqdn_reject_code = 504 notify_classes = resource, software
>>>> prepend_delivered_header = forward qmgr_message_active_limit =
>>>> 10000 qmgr_message_recipient_limit = 10000 queue_directory =
>>>> /var/spool/postfix queue_minfree = 603979776 queue_run_delay =
>>>> 1h readme_directory = /usr/share/doc/postfix-2.2.5/readme
>>>> reject_code = 554 relay_domains_reject_code = 554
>>>> relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
>>>> require_home_directory = no sample_directory = /etc/postfix
>>>> sendmail_path = /usr/sbin/sendmail setgid_group = postdrop
>>>> smtp_tls_note_starttls_offer = yes smtpd_banner =
>>>> mail.humbug.org ESMTP $mail_name smtpd_client_restrictions =
>>>> permit_mynetworks check_client_access
>>>> $default_database_type:/etc/postfix/rbl_checks_client_whitelist
>>>> check_sender_access
>>>> $default_database_type:/etc/postfix/rbl_checks_sender_whitelist
>>>> check_recipient_access
>>>> $default_database_type:/etc/postfix/rbl_checks_recipient_whitelist
>>>> rbl_checks permit smtpd_data_restrictions =
>>>> reject_unauth_pipelining permit smtpd_delay_reject = yes
>>>> smtpd_error_sleep_time = 1s smtpd_etrn_restrictions = reject
>>>> smtpd_helo_required = yes smtpd_helo_restrictions =
>>>> permit_mynetworks permit_sasl_authenticated
>>>> reject_invalid_hostname permit smtpd_recipient_limit =
>>>> 10000 smtpd_recipient_restrictions = permit_mynetworks
>>>> reject_unknown_recipient_domain reject_non_fqdn_recipient
>>>> permit_auth_destination permit_sasl_authenticated
>>>> check_sender_access regexp:/etc/postfix/nice_reject
>>>> reject smtpd_restriction_classes = rbl_checks
>>>> smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain =
>>>> smtpd_sasl_security_options = noanonymous
>>>> smtpd_sender_restrictions = permit_mynetworks
>>>> permit_sasl_authenticated permit smtpd_timeout = 300s
>>>> smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
>>>> smtpd_tls_cert_file = /etc/postfix/tls/newcert.pem
>>>> smtpd_tls_key_file = /etc/postfix/tls/newreq.pem
>>>> smtpd_tls_loglevel = 3 smtpd_tls_received_header = yes
>>>> smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes
>>>> soft_bounce = no strict_rfc821_envelopes = yes swap_bangpath =
>>>> yes tls_random_source = dev:/dev/urandom transport_maps =
>>>> mysql:/etc/postfix/mysql-transport.cf transport_retry_time =
>>>> 30s undisclosed_recipients_header = To:
>>>> undisclosed-recipients:; unknown_address_reject_code = 550
>>>> unknown_client_reject_code = 550 unknown_hostname_reject_code =
>>>> 550 unknown_local_recipient_reject_code = 550
>>>> unknown_relay_recipient_reject_code = 550
>>>> unknown_virtual_alias_reject_code = 550
>>>> unknown_virtual_mailbox_reject_code = 550 virtual_transport =
>>>> virtual virtual_minimum_uid = 1000 virtual_gid_maps =
>>>> static:1000 virtual_mailbox_maps =
>>>> mysql:/etc/postfix/mysql-virtual-maps.cf virtual_alias_maps =
>>>> mysql:/etc/postfix/mysql-virtual.cf virtual_uid_maps =
>>>> static:100 virtual_mailbox_base = /home/vmail
>>>>
>>> Soweit ok. Die ein oder andere Sache sollte vielleicht noch
>>> angepasst werden. Mir ist aufgefallen, dass du in den
>>> smtpd_sender_restrictions _alles_ erlaubst: permit_mynetworks,
>>> permit_sasl_authenticated, permit. Vielleicht leer lassen :-)
>>>
>>>
>>>> Das ist etwas viel, aber ich habe schon mehrere Mailserver mit
>>>> Postfix gebaut und da sind eine Menge nuetzlicher (und weniger
>>>> nuetzlicher) Optionen, bzw. evtl. auch Leichen
>>>> zusammengekommen. :)
>>>>
>>>> Hier die ersten 30 (unkommentierten) Zeilen der amavisd.conf:
>>>>
>>>> $MYHOME = '/var/amavis'; # (default is '/var/amavis')
>>>> $mydomain = 'humbug.org'; # (no useful default)
>>>> $myhostname = 'nikster.humbug.org'; # fqdn of this host,
>>>> default by uname(3) $daemon_user = 'amavis'; # (no default;
>>>> customary: vscan or amavis) $daemon_group = 'amavis'; # (no
>>>> default; customary: vscan or amavis or sweep) $TEMPBASE =
>>>> "$MYHOME/tmp"; # prefer to keep home dir /var/amavis
>>>> clean? $db_home = "$MYHOME/db"; # DB databases
>>>> directory, default "$MYHOME/db" $helpers_home = $MYHOME; #
>>>> (defaults to $MYHOME) $ENV{TMPDIR} = $TEMPBASE; # wise to
>>>> set TMPDIR, but not obligatory $enable_db = 1; # enable use of
>>>> BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1;
>>>> # enabl $max_servers = 4; # number of pre-forked children
>>>> (default 2) $max_requests = 20; # retire a child after that
>>>> many accepts (default 10) $child_timeout=5*60; # abort child
>>>> if it does not complete each task in @local_domains_maps = (
>>>> [".$mydomain"] ); # $mydomain and its subdomains
>>>> $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper
>>>> protocol socket
>>>>
>>> ^^^^ Diese Zeile solltest du auskommentieren. Amavis weiss sonst
>>> nicht, ob er auf einen Socket (oben) oder einen Port (s. nächste
>>> Zeile) lauschen soll. Da sollte auch was entsprechendes in den
>>> Logfiles stehen.
>>>
>>>
>>>> $inet_socket_port = 10024; # accept SMTP on this local
>>>> TCP port @inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access
>>>> only from localhost IP $DO_SYSLOG = 1; #
>>>> (defaults to 0) $LOGFILE = "$MYHOME/amavis.log"; # (defaults
>>>> to empty, no log) $log_level = 0; # (defaults to 0)
>>>> $log_recip_templ = undef; # undef disables by-recipient
>>>> level-0 log entries $final_virus_destiny = D_DISCARD; #
>>>> (defaults to D_DISCARD) $final_banned_destiny = D_DISCARD;
>>>> # (defaults to D_BOUNCE) $final_spam_destiny = D_DISCARD;
>>>> # (defaults to D_BOUNCE) $final_bad_header_destiny = D_PASS;
>>>> # (defaults to D_PASS), D_BOUNCE suggested $warnspamsender = 1;
>>>> # (defaults to false (undef))
>>>>
>>> Hier ist noch eine Sache, die aber jetzt nichts mit dem Problem
>>> zu tun hat: Möchtest du über den syslogd ($DO_SYSLOG = 1;) oder
>>> in ein Logfile ($LOGFILE = "$MYHOME/amavis.log";) loggen? Beim
>>> Syslog solltest du einen Level z.B. mit $SYSLOG_LEVEL =
>>> 'mail.debug'; definieren und $LOGFILE auskommentieren.
>>>
>>> Hast du noch eben die master.cf zur Hand? Du hast gesagt, interne
>>> Mails werden gescannt, reinkommende jedoch nicht. Hast du ein
>>> paar Log-Daten hierzu?
>>>
>> Wart mal eben. Das ist nicht so ganz klar geworden. Wieso glaubst
>> du, dass Amavis keine SA-Checks bei eingehenden Mails durchführt?
>> Zum genauen Test: Setz $log_level mal auf 5, also hammermäßiges
>> Logging ;-) Im Log taucht dann unter hunderten von anderen Log eine
>> bestimmte auf Jun 7 10:13:46 root amavis[32433]: (32433-01)
>> spam_scan: score=0.87 tests=[..] Das heisst, die Mail wurde
>> gescannt. Nur werden nicht unbedingt entsprechende Header-Zeilen zu
>> der Mail hinzugefügt. Die werden erstens nur für lokale Empfänger
>> ergänzt ($mydomain in amavid.conf) und zudem nur, wenn die Score
>> höher als $sa_tag_level_deflt ist. Sollen immer Header-Zeilen
>> ergänzt werden, einfach $sa_tag_level_deflt auf undef setzen.
>> Außerdem darauf achten, dass *alle* Domains in $mydomain
>> eingetragen sind.
>>
>
>
> Danke fuer deine Tips, ich probiere das sofort wenn ich nach Hause komme.
>
Funktioniert's?
Kai
Mehr Informationen über die Mailingliste Postfixbuch-users