
After Amavis sends a message to $spam_admin, how do I get Postfix to apply the address rewriting in virtual_alias_maps before handing the message off to my local delivery agent?

I've had Amavis + Spamassassin + Postfix working for a while, marking messages as spam but still passing them through. That's working fine. I've now decided to discard messages, but have Amavis tell me about the messages it's quarantining.

When Amavis finds spam, it discards the message, quarantines it, and sends an email to postmaster@example.com to let me know. That email seems to go straight into Postfix's pipe queue and is immediately handed off to Dovecot.

The trouble is, all users here use virtual mailboxes, and there isn't one for postmaster (Postfix's virtual_alias_maps forwards it to an actual user).

How do I persuade Amavis and/or Postfix to reroute the messages to postmaster to where they should be?

/etc/postfix/main.cf:

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Spam and virus filtering
content_filter=smtp-amavis:[127.0.0.1]:10024

virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

virtual_alias_maps = hash:/etc/postfix/valiases

/etc/postfix/master.cf:

# Sending to Amavis
smtp-amavis unix        -       -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o receive_override_options=no_address_mappings

# Returning from Amavis
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_address_mappings
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings

/etc/postfix/valiases:

# Many lines including...
postmaster@example.com           neil@example.com

/etc/aliases:

postmaster:    root
clamav: root
amavis: root

root:   neil@example.com

/etc/amavis-new/conf.d/20-debian_defaults:

$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_DISCARD;

$enable_dkim_verification = 1; # was disabled to prevent warning

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
$spam_admin  = "postmaster\@$mydomain"; # due to D_DISCARD default

A chunk of Postfix logs, handling a spam message:

Nov 10 13:56:24 ogedei postfix/smtpd[23759]: connect from app-count.trade[89.33.194.137]
Nov 10 13:56:25 ogedei policyd-spf[23763]: WARNING: Deprecated Config Option defaultSeedOnly in use in: /etc/postfix-policyd-spf-python/policyd-spf.conf
Nov 10 13:56:25 ogedei policyd-spf[23763]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=89.33.194.137; helo=app-count.trade; envelope-from=mail@app-count.trade; receiver=<UNKNOWN>
Nov 10 13:56:25 ogedei postfix/smtpd[23759]: 754591BCE541: client=app-count.trade[89.33.194.137]
Nov 10 13:56:25 ogedei postfix/cleanup[23764]: 754591BCE541: message-id=<MzgzNzgzNzYyNw==.3cfa6259a4253b9a20a00391147df21d@app-count.trade>
Nov 10 13:56:25 ogedei opendmarc[2635]: 754591BCE541: app-count.trade pass
Nov 10 13:56:25 ogedei postfix/qmgr[10881]: 754591BCE541: from=<mail@app-count.trade>, size=16920, nrcpt=4 (queue active)
Nov 10 13:56:25 ogedei postfix/smtpd[23759]: disconnect from app-count.trade[89.33.194.137] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 10 13:56:29 ogedei postfix/smtpd[23770]: connect from localhost[127.0.0.1]
Nov 10 13:56:29 ogedei postfix/smtpd[23770]: 0FE5C1BCE542: client=localhost[127.0.0.1]
Nov 10 13:56:29 ogedei postfix/cleanup[23764]: 0FE5C1BCE542: message-id=<SARsXNTL3HzvT9@ogedei.example.com>
Nov 10 13:56:29 ogedei postfix/qmgr[10881]: 0FE5C1BCE542: from=<postmaster@example.com>, size=5335, nrcpt=1 (queue active)
Nov 10 13:56:29 ogedei postfix/smtpd[23770]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 10 13:56:29 ogedei amavis[22288]: (22288-02) Blocked SPAM {DiscardedInbound,DiscardedOpenRelay,Quarantined}, [89.33.194.137]:44522 [89.33.194.137] <mail@app-count.trade> -> <neil.mkrpg@example.com>, quarantine: R/spam-RsXNTL3HzvT9.gz, Queue-ID: 754591BCE541, Message-ID: <MzgzNzgzNzYyNw==.3cfa6259a4253b9a20a00391147df21d@app-count.trade>, mail_id: RsXNTL3HzvT9, Hits: 11.685, size: 17029, 3257 ms
Nov 10 13:56:29 ogedei postfix/smtp[23765]: 754591BCE541: to=<neil.mkrpg@example.com>, orig_to=<hello@mk-rpg.org.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=4, delays=0.7/0.01/0.13/3.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22288-02 - spam)
Nov 10 13:56:29 ogedei postfix/qmgr[10881]: 754591BCE541: removed
Nov 10 13:56:29 ogedei postfix/pipe[23771]: 0FE5C1BCE542: to=<postmaster@example.com>, relay=dovecot, delay=0.3, delays=0.04/0/0/0.26, dsn=5.1.1, status=bounced (user unknown)
Nov 10 13:56:29 ogedei postfix/cleanup[23764]: 59C7C1BCE541: message-id=<20201110135629.59C7C1BCE541@mail.example.com>
Nov 10 13:56:29 ogedei postfix/bounce[23773]: 0FE5C1BCE542: sender non-delivery notification: 59C7C1BCE541
Nov 10 13:56:29 ogedei postfix/qmgr[10881]: 59C7C1BCE541: from=<>, size=7267, nrcpt=1 (queue active)
Nov 10 13:56:29 ogedei postfix/qmgr[10881]: 0FE5C1BCE542: removed
Nov 10 13:56:29 ogedei postfix/pipe[23771]: 59C7C1BCE541: to=<neil@example.com>, orig_to=<postmaster@example.com>, relay=dovecot, delay=0.56, delays=0.42/0/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 10 13:56:29 ogedei postfix/qmgr[10881]: 59C7C1BCE541: removed
Neil Smith
  • So you want the notices to go to the user that the discarded spam was addressed to? I thought Amavis had that configuration option available. But wouldn't that be as intrusive as the spam itself? Maybe I'm not understanding. – David Watson Nov 10 '20 at 18:18
  • That was one example. I'm both an admin and user of the server. There are other users and, with my admin hat on, I want to be notified of quarantined mail to them. It's easier for me to have them go to the same Dovecot-powered mailbox and I can sort them with Sieve or something. Hope that clarifies things! – Neil Smith Nov 10 '20 at 19:08

1 Answer


After some more poking, I think I have the answer. The issue is the receive_override_options=no_address_mappings option in the "returning from Amavis" block of Postfix's master.cf.

First of all, I had receive_override_options specified twice. Oops!

To fix the problem, I removed the no_address_mappings option from receive_override_options. As far as I can tell, this option is recommended purely for efficiency: addresses are rewritten before messages are passed to Amavis, so why rewrite them again when they come back? Most of the time, that's fine. But when Amavis generates new messages (such as quarantine reports), the destination address on that new message may need to be changed.

When I drop the no_address_mappings option, quarantine notification messages to postmaster@example.com (as generated by Amavis) get their addresses rewritten as I wanted.

Problem solved!

Modified section of /etc/postfix/master.cf below:

# Returning from Amavis
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
  -o content_filter=
  # -o receive_override_options=no_address_mappings
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  # -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Neil Smith
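
The two problems described in the answer above (receive_override_options given twice on one service, and no_address_mappings in the value on the reinjection listener) can be checked mechanically. The following is an added example, not part of the original answer: a small Python audit of master.cf `-o` overrides run over a constructed, trimmed copy of the question's config. The function names are hypothetical, it assumes the last `-o` for a parameter is the one that takes effect, and it does not handle the `-o { name = value }` form.

```python
# Added example, not from the original post: audit -o overrides in master.cf.
# Constructed sample: the two services from the question, trimmed, with
# receive_override_options given twice on the reinjection listener.
SAMPLE_MASTER_CF = """\
smtp-amavis unix        -       -       n       -       2       smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
  -o content_filter=
  -o receive_override_options=no_address_mappings
  # comment lines between continuation lines are ignored
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
"""


def parse_master_cf(text):
    """Map (service, type) -> list of (name, value) -o overrides, in file order."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines
        tokens = raw.split()
        if not raw[0].isspace():  # a new entry starts in column one
            if len(tokens) < 8:   # malformed entry: ignore it and its continuations
                current = None
                continue
            current = (tokens[0], tokens[1])
            services[current] = []
            tokens = tokens[8:]   # skip the eight fixed columns
        if current is None:
            continue
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                services[current].append((name, value))
    return services


def audit(text, param="receive_override_options"):
    """Report the effective value of `param` per service and flag repeats."""
    report = {}
    for service, overrides in parse_master_cf(text).items():
        values = [v for n, v in overrides if n == param]
        if values:
            # Assumption of this example: overrides apply in order, last one wins.
            effective = values[-1].split(",")
            report[service] = {"effective": effective, "times_set": len(values),
                               "skips_address_mappings": "no_address_mappings" in effective}
    return report


if __name__ == "__main__":
    for service, info in audit(SAMPLE_MASTER_CF).items():
        print(service, info)
```

On a running system, `postconf -P` lists the per-service overrides that Postfix reads from master.cf, which is a useful cross-check against a hand-rolled parser.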