Some days ago I was reading some docs about amavis and decided to fine-tune its configuration. As I'm new to amavis, I probably set some statements the wrong way, so for the last few days I've been receiving emails from PayPal payments in the postmaster mailbox. As I established the following settings, it looks like amavis is doing what it is told.

$virus_admin               = "postmaster\@$mydomain";   # notifications recip.
$mailfrom_notify_admin     = "postmaster\@$mydomain";   # notifications sender
$mailfrom_notify_recip     = "postmaster\@$mydomain";   # notifications sender
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";  # notifications sender
$mailfrom_to_quarantine    = ''; # null return path; uses original sender if undef

Now I'm wondering whether those emails have been wrongly classified as spam/virus by amavis, or whether they have just been sent to me because I told amavis to.

Also, I'm not able to find a definition for the previous settings, so I'm not sure at all what those notification settings mean, nor whether there are more notification settings which I should adjust.

Here's a sample of mail.log when amavis sends an email to postmaster. It looks like there's no virus at all.

https://gist.github.com/sibok/d798d43b78c023cb33de

Thanks a lot. I hope someone can point me to the right notification settings, so that I'm not breaking the right amavis flow but am also able to get a copy of incoming/outgoing emails classified as spam/virus at postmaster.

Thanks

peris

1 Answer

Based on your maillog, it looks like the email from PayPal was intended for two recipients. Here is the snippet that confirms that fact.

Apr  1 10:11:44 we postfix/qmgr[31630]: 97D784243D: from=<member@paypal.de>, size=16783, nrcpt=2 (queue active)
Apr  1 10:11:48 we amavis[28478]: (28478-04) Passed CLEAN {RelayedInbound}, [173.0.84.228]:34952 [173.0.84.228] <member@paypal.de> -> <reciever@example-reciever.com>,<postmaster@example.com>, Queue-ID: 97D784243D, Message-ID: <1396339889.10892@paypal.com>, mail_id: Lm7rRD54sUSa, Hits: -11.569, size: 17069, queued_as: 90A3A4364C, dkim_sd=pp-dkim1:paypal.de, 4154 ms
Apr  1 10:11:48 we postfix/smtp[31983]: 97D784243D: to=<reciever@example-reciever.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=18, delays=14/0.01/0/4.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 90A3A4364C)
Apr  1 10:11:48 we postfix/smtp[31983]: 97D784243D: to=<postmaster@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=18, delays=14/0.01/0/4.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 90A3A4364C)
  • On the first line, nrcpt=2 means the email was intended for two recipients
  • On the second line, the two recipients are revealed: <member@paypal.de> -> <reciever@example-reciever.com>,<postmaster@example.com>
  • On the third and fourth lines, the logs show that postfix successfully injected the email into amavis (and it was re-injected with queue ID 90A3A4364C)

So, your claim that amavis is the one who sent that message is wrong.


So, if you want to get a copy of incoming/outgoing emails classified as spam/virus, set the virus_admin and spam_admin. Here is the snippet of how the classification works, taken from this page.

# Here is an overall picture (sequence of events) of how pieces fit together
# (only virus controls are shown, spam controls work the same way):
#
#   bypass_virus_checks? ==> PASS
#   no viruses?   ==> PASS
#   log virus     if $log_templ is nonempty
#   quarantine    if $virus_quarantine_to is nonempty
#   notify admin  if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions if adding extensions is enabled and virus will pass
#   send (non-)delivery notifications
#      to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
#   virus_lovers or final_destiny==D_PASS  ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
#
# Equivalent flow diagram applies for spam checks.
# If a virus is detected, spam checking is skipped entirely.
masegaloeh
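The log reading in the answer above can be automated. The following is an added example, not code from the question, the answer or the amavis project: it joins Postfix qmgr lines and amavis verdict lines on the queue ID and reports whether an address was an envelope recipient of a message that passed clean, or was not a recipient at all (so any copy it received must have come from a separate notification). The function names, the result labels and the last two log lines are assumptions made for the illustration.

```python
import re

# Postfix qmgr line: queue ID, envelope sender, number of envelope recipients.
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
# amavis verdict line: action, category, sender, recipient list, Postfix queue ID.
AMAVIS = re.compile(
    r"amavis\[\d+\]: \(\S+\) (Passed|Blocked) (\S+) .*? <([^>]*)> -> "
    r"(<[^>]*>(?:,<[^>]*>)*),.*?Queue-ID: (\w+)")

def correlate(lines):
    """Merge qmgr and amavis records into one dict per Postfix queue ID."""
    msgs = {}
    for line in lines:
        if m := QMGR.search(line):
            qid, sender, nrcpt = m.groups()
            msgs.setdefault(qid, {}).update(sender=sender, nrcpt=int(nrcpt))
        elif m := AMAVIS.search(line):
            action, category, sender, rcpts, qid = m.groups()
            msgs.setdefault(qid, {}).update(
                action=action, category=category, sender=sender,
                rcpts=re.findall(r"<([^>]*)>", rcpts))
    return msgs

def why_delivered(msgs, qid, address):
    """Classify why `address` shows up (or not) for queue ID `qid`."""
    msg = msgs.get(qid, {})
    if "rcpts" not in msg:
        return "no-amavis-verdict"
    if address not in msg["rcpts"]:
        return "not-envelope-recipient"   # a copy here would be a notification
    if (msg["action"], msg["category"]) == ("Passed", "CLEAN"):
        return "normal-delivery"          # the sender addressed it to `address`
    return "flagged:" + msg["action"] + " " + msg["category"]

# First two lines: from the answer's log (amavis line abridged after Message-ID).
# Last two lines: constructed for this example, in the same layout.
SAMPLE = """\
Apr  1 10:11:44 we postfix/qmgr[31630]: 97D784243D: from=<member@paypal.de>, size=16783, nrcpt=2 (queue active)
Apr  1 10:11:48 we amavis[28478]: (28478-04) Passed CLEAN {RelayedInbound}, [173.0.84.228]:34952 [173.0.84.228] <member@paypal.de> -> <reciever@example-reciever.com>,<postmaster@example.com>, Queue-ID: 97D784243D, Message-ID: <1396339889.10892@paypal.com>
Apr  1 10:15:01 we postfix/qmgr[31630]: 1A2B3C4D5E: from=<bulk@example.net>, size=2048, nrcpt=1 (queue active)
Apr  1 10:15:02 we amavis[28478]: (28478-05) Blocked SPAM {DiscardedInbound}, [192.0.2.10]:40000 [192.0.2.10] <bulk@example.net> -> <user@example.com>, Queue-ID: 1A2B3C4D5E
""".splitlines()

if __name__ == "__main__":
    msgs = correlate(SAMPLE)
    for qid in ("97D784243D", "1A2B3C4D5E"):
        print(qid, why_delivered(msgs, qid, "postmaster@example.com"))
```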