3

I am currently using a complex mailserver setup using Postfix, Dovecot, Amavis and Spamassassin.

Everything works fine but I want to improve the Postfix-Amavis communication. At the moment, postfix will send all mails to localhost:10024 which is the amavis service. After all checks a modified version is sent back to localhost:10025 which is a postfix service for receiving amavis mails.

My idea: UNIX SOCKETS (Because of security reasons; not important why)

So I configured amavis to spawn a unix socket in /run/amavis/amavis.socket.

And I changed this:

`amavis-forward:[127.0.0.1]:10024` to `amavis-forward:unix:/run/amavis/amavis.sock`

But then I get this error:

Jan  5 13:55:23 server postfix/smtp[1447]: fatal: unknown service: /run/amavis/amavis.sock/tcp
Jan  5 13:55:24 server postfix/qmgr[1254]: warning: private/amavis-forward socket: malformed response
Jan  5 13:55:24 server postfix/qmgr[1254]: warning: transport amavis-forward failure -- see a previous warning/fatal/panic logfile record for the problem description

So the mail status is set to status=deferred (unknown mail transport error).

master.cf:

 ...
 # Amavis
 amavis-forward   unix    -       -       -       -       2       smtp
    -o smtp_tls_security_level=none
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
 ...

Over :10024 anything works fine. How can I solve it?

  • 1. Did you restart postfix? 2. often postfix likes its sockets in `/var/spool/amavis` 3. Have you updated your `master.cf`? – NickW Jan 05 '15 at 14:07
  • Yes, I added amavis-forward and restarted anything including the whole root server. If I use inet port it works fine... I only change the content_filter rule... –  Jan 05 '15 at 14:16
  • Using var/spool: `postfix/smtp[1663]: fatal: unknown service: /var/spool/amavis/amavis.sock/tcp` –  Jan 05 '15 at 14:18
  • 1
    You need to change the line in `master.cf` also! – NickW Jan 05 '15 at 14:21
  • What? Posted master.cf part... –  Jan 05 '15 at 14:31
  • `unix The service listens on a UNIX-domain socket and is accessible for local clients only. The service name is a pathname relative to the Postfix queue directory (pathname controlled with the queue_directory configuration parameter in main.cf).` – NickW Jan 05 '15 at 14:42
  • Please read the second sentence with special care :) – NickW Jan 05 '15 at 14:52
  • 1
    @NickW If you think that will solve the problem, you should post it as an answer instead of a comment. – Jenny D Jan 05 '15 at 18:40
  • Does not work... Postfix took "../amavis/amavis.sock" and used it as "/var/spool/amavis/amavis.sock" but I get the same error message. I do not understand why postfix adds "/tcp" to the socket... –  Jan 05 '15 at 18:48

2 Answers

2

This is the solution for a communication of amavis to postfix over unix socket. It is the second half of masegaloeh's answer.

First, you have to modify the /var/spool/postfix/amavis directory:

chmod 770 /var/spool/postfix/amavis
chown amavis:postfix /var/spool/postfix/amavis

The idea behind that: Postfix will create a unix socket smtpd service in this directory. The problem is that you have to define that in the master.cf as ../amavis/amavis-accept - - - 2 smtpd but then postfix will search the pid file in pid/unix...amavis/amavis-accept which does not work.
So we have to use a workaround:

Create a link to the amavis directory:

cd /var/spool/postfix/public
ln -s ../amavis amavis

After that the pid file directory has to be prepared:

cd /var/spool/postfix/pid
mkdir unix.amavis
chown root:root unix.amavis
chmod 700 unix.amavis

Now we have to configure the smtpd service to accept the mail (master.cf):

amavis/amavis-accept     unix    n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o cleanup_service_name=amaviscleanup
    -o mynetworks=127.0.0.0/8
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_unknown_recipient_checks

Now configure amavis in amavisd.conf or the config file of your os:

$forward_method = 'smtp:/var/spool/postfix/amavis/amavis-accept';

HOW IT WORKS

The mail is forwarded to amavis which you can see in the first half of masegaloeh's answer. Then amavis sends it back to the unix socket with smtp.

The problem was postfix. You have to create a unix socket which amavis can access without adding amavis to postmap or postfix group. So I first used ../amavis/amavis-accept so the socket is successfully created. But postfix creates a pid file and it uses this name. For a unix socket, postfix uses pid/unix. + the service's name, which was pid/unix.../amavis/amavis-accept.

So I created this link in the public folder and so postfix can create the socket (set permissions of the amavis directory) and I only need amavis/amavis-accept in the master.cf.

With this configuration, the pid file is pid/unix.amavis/amavis.accept. For that I only had to create the unix.amavis directory and because of unix.amavis and not unix...amavis it matches the style of the pid directory a bit.

LMTP does not work for me!

  • Great work! I never thought that postfix and amavis could do two-way communication over a socket. But I'm curious why the protocol was different (SMTP & LMTP) – masegaloeh Jan 06 '15 at 21:38
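A way to verify the directory layout from the answer above, written as an added example that is not part of the original answer. It assumes GNU `stat`; the function names are hypothetical, and owners and groups are passed as arguments so the check also runs against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the answer): audit the queue-directory layout the
# answer sets up. Uses GNU stat; owner and group names are passed in.

# check_dir PATH OWNER GROUP MODE: succeed only on an exact match.
check_dir() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
    actual=$(stat -c '%U:%G %a' "$1")
    [ "$actual" = "$2:$3 $4" ] && return 0
    echo "FAIL: $1 is $actual, expected $2:$3 $4"
    return 1
}

# Physical path of a directory, empty if it cannot be entered.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_layout QUEUE_DIR SOCK_OWNER SOCK_GROUP PID_OWNER PID_GROUP
audit_layout() {
    q=$1 rc=0
    # Socket directory: 770 keeps every other local user out.
    check_dir "$q/amavis" "$2" "$3" 770 || rc=1
    # Directory that holds the pid file of the amavis/amavis-accept service.
    check_dir "$q/pid/unix.amavis" "$4" "$5" 700 || rc=1
    # public/amavis must be a symlink that resolves to the socket directory.
    link=$q/public/amavis
    if [ ! -L "$link" ] || [ "$(real_dir "$link")" != "$(real_dir "$q/amavis")" ]; then
        echo "FAIL: $link is not a symlink to $q/amavis"; rc=1
    fi
    # If Postfix already created the endpoint, it must be a socket.
    sock=$q/amavis/amavis-accept
    if [ -e "$sock" ] && [ ! -S "$sock" ]; then
        echo "FAIL: $sock exists but is not a socket"; rc=1
    fi
    return $rc
}

# With the answer's values:
#   audit_layout /var/spool/postfix amavis postfix root root
if [ $# -eq 5 ]; then audit_layout "$@"; fi
```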
1

Disclaimer: this is half an answer because I can use a socket when postfix -> amavis but I can't use it when amavis -> postfix. See the explanation at the end of this answer.

To use a socket, you should use LMTP instead of SMTP to deliver email from postfix to amavis.

As NickW said above, you need to put the amavis socket inside the Postfix queue directory. In this answer I assume that the postfix queue directory is /var/spool/postfix/.

Create directory to hold amavis socket

mkdir /var/spool/postfix/amavis/
chmod 750 /var/spool/postfix/amavis/
chown amavis:amavis /var/spool/postfix/amavis/

Add postfix user in amavis group

# -a appends; plain -G would replace postfix's other supplementary groups
usermod -a -G amavis postfix

Configuration in amavisd.conf

# for socket, it should reside in /var/spool/postfix
$unix_socketname = "/var/spool/postfix/amavis/amavisd.sock";

# set permission so amavis group can access this socket
$unix_socket_mode = 0660;

# Replace $interface_policy{'SOCK'} = 'AM.PDP';

$interface_policy{'SOCK'} = 'mysock';
$policy_bank{'mysock'} = {
   protocol => 'LMTP',
   auth_required_release => 0, # don't require secret-id for release
};

Postfix main.cf

content_filter = amavis-forward:unix:amavis/amavisd.sock

Postfix master.cf

# Amavis
amavis-forward   unix    -       -       -       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

The result

amais postfix/smtpd[13393]: connect from localhost[127.0.0.1]
amais postfix/smtpd[13393]: 4E0B82340F: client=localhost[127.0.0.1]
amais postfix/cleanup[13359]: 4E0B82340F: message-id=<20150106070245.4E0B82340F@example.net>
amais postfix/qmgr[13352]: 4E0B82340F: from=<root@example.net>, size=344, nrcpt=1 (queue active)
amais postfix/smtpd[13363]: connect from localhost[127.0.0.1]
amais postfix/smtpd[13363]: 6081E2340B: client=localhost[127.0.0.1]
amais postfix/cleanup[13359]: 6081E2340B: message-id=<20150106070245.4E0B82340F@example.net>
amais postfix/qmgr[13352]: 6081E2340B: from=<root@example.net>, size=688, nrcpt=1 (queue active)
amais postfix/smtpd[13363]: disconnect from localhost[127.0.0.1]
amais postfix/local[13365]: 6081E2340B: to=<root@example.net>, orig_to=<koala@example.net>, relay=local, delay=0.01, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
amais postfix/qmgr[13352]: 6081E2340B: removed
amais amavis[13113]: (13113-03) Passed CLEAN {RelayedInbound}, mysock <root@example.net> -> <koala@example.net>, Message-ID: <20150106070245.4E0B82340F@example.net>, mail_id: MLZDzoda7siu, Hits: -, size: 344, queued_as: 6081E2340B, 90 ms
amais postfix/lmtp[13361]: 4E0B82340F: to=<koala@example.net>, relay=example.net[amavis/amavisd.sock], delay=0.11, delays=0.01/0/0.01/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6081E2340B)
amais postfix/qmgr[13352]: 4E0B82340F: removed

For amavis -> postfix transport, it is controlled by the parameter forward_method. I'm not familiar with this configuration except with smtp. In the example in this page, apparently the protocols supported by this parameter are pipe, smtp, and bsmtp. Also, based on postfix architecture, postfix only accepts email from smtpd, qmqpd, or sendmail.

masegaloeh
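The mismatch behind the question's `unknown service: .../tcp` error, turned into a configuration check: a `unix:` next hop handed to a transport that runs `smtp` instead of `lmtp`, as the answer above requires. This is an added example, not code from the thread; the function names and the two service names in the sample `master.cf` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that a content_filter with a
# unix: next hop points at a master.cf transport that runs lmtp, not smtp.

# Constructed sample master.cf; both service names are hypothetical.
write_sample_master_cf() {
    cat > "$1" <<'EOF'
# Amavis
amavis-smtp   unix    -       -       -       -       2       smtp
    -o smtp_send_xforward_command=yes
amavis-lmtp   unix    -       -       -       -       2       lmtp
    -o lmtp_send_xforward_command=yes
EOF
}

# Print the command column of the master.cf entry named $1 in file $2.
# Comment lines and "-o" continuation lines (leading blank) are skipped.
service_command() {
    awk -v svc="$1" '/^[ \t]*#/ || /^[ \t]/ { next }
                     $1 == svc { print $8; exit }' "$2"
}

# check_filter CONTENT_FILTER MASTER_CF
# Returns 0 if consistent, 1 for unix: over a non-lmtp client, 2 if undefined.
check_filter() {
    transport=${1%%:*}      # text before the first colon
    nexthop=${1#*:}         # everything after it
    cmd=$(service_command "$transport" "$2")
    if [ -z "$cmd" ]; then
        echo "ERROR: transport '$transport' is not defined in master.cf"
        return 2
    fi
    case $nexthop in
        unix:*)
            if [ "$cmd" != lmtp ]; then
                echo "ERROR: unix: next hop needs lmtp, but '$transport' runs $cmd"
                return 1
            fi ;;
    esac
    echo "OK: $transport ($cmd) -> $nexthop"
}

# Demo on the constructed file: the question's form fails, the answer's passes.
sample=$(mktemp)
write_sample_master_cf "$sample"
check_filter 'amavis-smtp:unix:/run/amavis/amavis.sock' "$sample" || true
check_filter 'amavis-lmtp:unix:amavis/amavisd.sock' "$sample"
rm -f "$sample"
```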