[AMaViS-user] Amavisd-new in a separate machine


Justin Kim

Sep 6, 2007, 6:46:34 PM
Hi All,
I just have a quick question.
I wanted to offload amavis to a separate machine.
I was using postfix+mysql+amavis for virtual domain and virtual user setup.
I tried to set up a new amavis server then I thought I could easily offload
amavis part from my original postfix server.
But I get

Sep 6 15:19:04 postfixmailserver postfix/smtp[6288]: connect to
10.150.150.1[10.150.150.1]: Connection refused (port 10024)

The IP for amavis server is 10.150.150.1.
I made hosts file to point that amavis server directly from my postfix
server.
I think I am missing some configuration.
Can someone help me please?

Thank you in advance.

Justin
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Mark Martinec

Sep 6, 2007, 6:58:00 PM
Justin,

> I wanted to offload amavis to a separate machine. [...]


> Sep 6 15:19:04 postfixmailserver postfix/smtp[6288]: connect to
> 10.150.150.1[10.150.150.1]: Connection refused (port 10024)

amavisd.conf:

$inet_socket_bind = undef;
@inet_acl = qw( 127.0.0.1 [::1] 10.150.150.0/24 );

amavisd.conf-sample tells:

# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
@inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP
# (default is qw(127.0.0.1 [::1]) )

# when MTA (one or more) is on a different host, use the following:
#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed
#$inet_socket_bind = undef; # bind to all IP interfaces if undef

Mark

Justin Kim

Sep 6, 2007, 7:20:20 PM
> > I wanted to offload amavis to a separate machine. [...]
> > Sep 6 15:19:04 postfixmailserver postfix/smtp[6288]: connect to
> > 10.150.150.1[10.150.150.1]: Connection refused (port 10024)
>
> amavisd.conf:
>
> $inet_socket_bind = undef;
> @inet_acl = qw( 127.0.0.1 [::1] 10.150.150.0/24 );
>
>
>
> amavisd.conf-sample tells:
>
> # SMTP SERVER (INPUT) access control
> # - do not allow free access to the amavisd SMTP port !!!
> #
> # when MTA is at the same host, use the following (one or the other or both):
> #$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
> # (default is '127.0.0.1')
> @inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP
> # (default is qw(127.0.0.1 [::1]) )
>
> # when MTA (one or more) is on a different host, use the following:
> #@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed
> #$inet_socket_bind = undef; # bind to all IP interfaces if undef
>
> Mark

Thank you Mark,
I really appreciate your reply.

Now I think the connection is established. But I don't think the amavis
server is passing the messages back to my original postfix server (port
10025)

I get

Sep 6 16:10:33 amavis1 amavis[29474]: (29474-01) (!)rw_loop read failed:
Connection refused
Sep 6 16:10:33 amavis1 amavis[29474]: (29474-01) (!)FWD via SMTP:
<jus...@orbs.com> -> <jus...@orbs.com>, 451 4.5.0 From
MTA([127.0.0.1]:10025) during fwd-connect (Negative greeting: at (eval 42)
line 442, <GEN5> line 233.): id=29474-01
Sep 6 16:10:33 amavis1 amavis[29474]: (29474-01) Blocked MTA-BLOCKED, LOCAL
[10.100.7.7] <jus...@orbs.com> -> <jus...@orbs.com>, Message-ID:
<00a701c7f0da$e8ba2ac0$0707640a@justinkim1>, mail_id: 2u9tlUoBjNvA,
Hits: -1.439, size: 8747, 245 ms

And I set the /etc/amavisd.conf


# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!

# $notify_method = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

# $os_fingerprint_method = 'p0f:127.0.0.1:2345'; # to query p0f-analyzer.pl

Should I uncomment notify method and others too?

Thank you,

Justin

Clifton Royston

Sep 6, 2007, 8:32:33 PM

That's because it has no way to know that's what you want?

You need to look closely at the config lines you quote below:



> Sep 6 16:10:33 amavis1 amavis[29474]: (29474-01) (!)rw_loop read failed:
> Connection refused
> Sep 6 16:10:33 amavis1 amavis[29474]: (29474-01) (!)FWD via SMTP:
> <jus...@orbs.com> -> <jus...@orbs.com>, 451 4.5.0 From
> MTA([127.0.0.1]:10025) during fwd-connect (Negative greeting: at (eval 42)
> line 442, <GEN5> line 233.): id=29474-01

..


> And I set the /etc/amavisd.conf
>
>
> # OTHER MORE COMMON SETTINGS (defaults may suffice):
>
> # $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
>
> # $notify_method = 'smtp:[127.0.0.1]:10025';
> # $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!

So instead of 127.0.0.1, set these to the IP address where you
actually want to send it. Forward_method is for delivering the mail,
set this to the IP address of your Postfix server. (Notify is for
sending NDRs, so this also needs to point to a valid postfix server.)

Also, to forestall another round of trouble, before you change this
you should check your Postfix server's master.cf and make sure that
it has a listener on port 10025 and that it's bound to the reachable IP
address you're using, not to 127.0.0.1. (Otherwise amavisd will try to
reach the correct server, but find it is not listening.)

-- Clifton

--
Clifton Royston -- clif...@iandicomputing.com / clif...@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Justin Kim

Sep 7, 2007, 12:17:33 AM

Thanks Clifton,
I used correct forward method and I think I am still missing amavis
configuration.
I cannot find a correct documentation or google search.
I must be searching in the wrong place. :(
Can someone help to finalize my configuration please?

------------------------------------------------------------------------------------------------
From /etc/amavisd.conf

# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $myhostname = 'amavis1.websitedynamics.com'; # must be a fully-qualified domain name!

$notify_method = '[10.150.10.7]:10025';
$forward_method = '[10.150.10.7]:10025'; # set to undef with milter!
#$forward_method = 'smtp:[10.150.10.7]:10025'; # set to undef with milter!
#$notify_method = $forward_method;

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

# $os_fingerprint_method = 'p0f:127.0.0.1:2345'; # to query p0f-analyzer.pl

-----------------------------------------------------------------------------------------
From maillog:

Sep 6 20:59:58 amavis1 amavis[3498]: (03498-01) (!!)TROUBLE: recipient
not done: <jus...@orbs.com>
Sep 6 20:59:58 amavis1 amavis[3498]: (03498-01) (!!)TROUBLE in
check_mail, but must continue (1): delivery-notification FAILED: Assert
failed: 0, , at /usr/sbin/amavisd line 6848, <GEN5> line 56.
Sep 6 20:59:58 amavis1 amavis[3498]: (03498-01) (!!)TROUBLE in
process_request: TROUBLE: (MISCONFIG?) not all recipients done,
forward_method is: [10.150.10.7]:10025 at (eval 41) line 761, <GEN5>
line 56.
Sep 6 20:59:58 amavis1 amavis[3498]: (03498-01) (!)Requesting process
rundown after fatal error
Sep 6 20:59:58 amavis1 amavis[3498]: (03498-01) (!)TempDir removal:
tempdir is to be PRESERVED: /var/amavis/tmp/amavis-20070906T205958-03498

Noel Jones

Sep 7, 2007, 12:25:37 AM
On Thu, Sep 06, 2007 at 09:10:45PM -0700, Justin Kim wrote:
>
> # OTHER MORE COMMON SETTINGS (defaults may suffice):
>
> # $myhostname = 'amavis1.websitedynamics.com'; # must be a fully-qualified domain name!
>
> $notify_method = '[10.150.10.7]:10025';
> $forward_method = '[10.150.10.7]:10025'; # set to undef with milter!

You forgot the smtp: tag on the above, but just remove the two lines
above since they're wrong and the next two are correct.

> #$forward_method = 'smtp:[10.150.10.7]:10025'; # set to undef with milter!
> #$notify_method = $forward_method;

The above two lines are correct, but commented out. Just remove
the leading # to activate them, and restart amavisd-new.

--
Noel Jones

Justin Kim

Sep 7, 2007, 12:53:06 AM

>> # $myhostname = 'amavis1.websitedynamics.com'; # must be a fully-qualified domain name!
>>
>> $notify_method = '[10.150.10.7]:10025';
>> $forward_method = '[10.150.10.7]:10025'; # set to undef with milter!
>>
>
> You forgot the smtp: tag on the above, but just remove the two lines
> above since they're wrong and the next two are correct.
>
>
>> #$forward_method = 'smtp:[10.150.10.7]:10025'; # set to undef with milter!
>> #$notify_method = $forward_method;
>>
>
> The above two lines are correct, but commented out. Just remove
> the leading # to activate them, and restart amavisd-new.
>
Thank you Noel,
I got it working. :)
Okay it gets more and more tricky.
I guess that is because I am just starting to learn some of these from
scratch.
I would like to have my amavis1 server to serve as main spam filter.
And for some reason if amavis1 is down, how can I configure postfix
server to use its localhost amavis to filter spams?
It was already configured to do intensive spam filtering on localhost.
I just wanted offload spam filtering to another dedicated server.

my original /etc/postfix/master.cf shows:

smtp inet n - n - 150 smtpd
#
amavis unix - - n - 12 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
#
127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks


And with the new amavis1 server, my new /etc/postfix/master.cf shows :

smtp inet n - n - 150 smtpd
#
amavis unix - - n - 12 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
#
10.150.10.7:10025 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=10.0.0.0/8
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,10.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
#
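
An added example, not part of the original post and not Postfix's own tooling: a Python check of the re-injection listener in the master.cf above. It flags a listener that amavisd on another host cannot reach, and trust lists (mynetworks, smtpd_authorized_xforward_hosts) wider than the filter host; since this listener sets content_filter= empty and uses permit_mynetworks, every address in those lists can submit mail that skips the filter. The function names are hypothetical, and 10.150.150.1 is assumed to be the address amavisd connects from.

```python
import ipaddress

# Constructed sample: the listener as posted, with master.cf continuation indents.
SAMPLE_MASTER_CF = """\
amavis unix - - n - 12 smtp
10.150.10.7:10025 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=10.0.0.0/8
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,10.0.0.0/8
"""

def parse_master_cf(text):
    """Return (service, type, {option: value}) for each master.cf entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        w = line.split()
        opts = dict(v.split("=", 1) for f, v in zip(w, w[1:])
                    if f == "-o" and "=" in v)
        entries.append((w[0], w[1], opts))
    return entries

def audit_reinjection(text, port, filter_ip):
    """Check the inet listener on `port` against the address amavisd connects from.
    Assumption: bind address and option values are literal IPs/CIDRs."""
    src = ipaddress.ip_address(filter_ip)
    findings = []
    for service, kind, opts in parse_master_cf(text):
        host, _, svc_port = service.rpartition(":")
        if kind != "inet" or svc_port != str(port):
            continue
        if host and ipaddress.ip_address(host.strip("[]")).is_loopback:
            findings.append(f"bound to loopback, unreachable from {filter_ip}")
        for key in ("mynetworks", "smtpd_authorized_xforward_hosts"):
            nets = [ipaddress.ip_network(n, strict=False)
                    for n in opts.get(key, "").replace(",", " ").split()]
            if not any(src in n for n in nets):
                findings.append(f"{key} does not cover {filter_ip}")
            findings += [f"{key} trusts all of {n}" for n in nets
                         if n.num_addresses > 1 and not n.is_loopback]
    return findings
```

Calling audit_reinjection(SAMPLE_MASTER_CF, 10025, "10.150.150.1") reports the two 10.0.0.0/8 entries; replacing them with the filter host's single address returns an empty list.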

Noel Jones

Sep 7, 2007, 11:05:47 AM
At 11:47 PM 9/6/2007, Justin Kim wrote:
>Okay it gets more and more tricky.
>I guess that is because I am just starting to learn some of these from
>scratch.
>I would like to have my amavis1 server to serve as main spam filter.
>And for some reason if amavis1 is down, how can I configure postfix
>server to use its localhost amavis to filter spams?

Yes, this is possible.

>amavis unix - - n - 12 smtp
> -o smtp_data_done_timeout=1200
> -o smtp_send_xforward_command=yes
> -o disable_dns_lookups=yes

add to the above:
-o smtp_fallback_relay=amavis[127.0.0.1]:10024


--
Noel Jones

Justin Kim

Sep 11, 2007, 4:25:25 PM
>Now everything works fine.
> >I just made one change on master.cf
> >Instead of using smtp_fallback_relay, I used just fallback_relay:

> >
> > amavis unix - - n - 12 smtp
> > -o smtp_data_done_timeout=1200
> > -o smtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes
> > -o fallback_relay=127.0.0.1:10024
> >
> >I am using RHEL 4 and the postfix version that is shipped with it.
> >Postfix-2.2.10
> >I don't know if that is the cause. Well it works fine. Thank you.
>
> Sorry, I forgot RedHat supplied antique
> software. smtp_fallback_relay is the name for that parameter since 2005.
>
> >I have another question. I want to make few whitelist. Can you help?
> >I want one domain to be whitelisted from spam filtering when sending out.
> >All the emails destined to that domain still has to be scanned but I would
> >like to bypass outgoing messages from specific domains. How can I do this?
>
> Have them submit mail to an alternate postfix smtp listener that has
> -o content_filter=
> ie. an empty value to disable the content filter completely.
>
>
> >Thank you,
> >
> >Justin
>
> --
> Noel Jones
>
Thanks,
I am seeing some problem. I think it is related to the number of processes.
In my postfix server, I set
------------------------------------------------------------------------------------------------------
/etc/postfix/main.cf:

default_destination_concurrency_limit = 20
default_process_limit = 150

smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unknown_sender_domain
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_timeout = 60s


And in my amavisd.conf in a separate machine
-----------------------------------------------------------------------------------------------------
/etc/amavisd.conf:

$max_servers = 12;
-----------------------------------------------------------------------------------------------------

I didn't quite understand how to configure my server to its best form.
What are the reasonable numbers between amavis max_servers,
default_destination_concurrency_limit and default_process_limit in postfix?
When I use my postfix server to scan everything (amavis in localhost) the
emails are delivered instantly. But when I use the separate spam filtering
(separate machine for Amavis) then I see delays on delivering messages. And
huge backlog on active queue in postfix server.
Can someone help me?
Thank you,

Justin.
