Home / server / Questions / 986983
Accepted
Lasse Michael Mølgaard
Asked: 2019-10-07 12:29:52 +0800 CST

Postfix does not pass mails to Amavis, when received from Z-push

  • 772

Im kind of staring myself blind in how get ActiveSync to work correctly with my mailserver, so maybe anybody here have an idea?

The deal is mailserver is hosting four domains and I want that all sent mails have DKIM signature.

I have gotten it to work when sending via SMTP, but it fails signing when the client uses ActiveSync to send the email.

Anyway here is a diagram on how it works for SMTP:

Flowchart for mail handling in Postfix together with Amavis

Most of the magic in how Postfix descides how to identify mail sent from an authenticated user, which belongs to one of my hosted domains vs a mail from somewhere on the Internet comes from this line in /etc/postfix/main.cf:

smtpd_sender_restrictions = 
    check_sender_access regexp:/etc/postfix/tag_as_originating.re, 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, 
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

content_filter = amavis:[127.0.0.1]:10024

The content of /etc/postfix/tag_as_foreign.re:

/^/ FILTER amavis:[127.0.0.1]:10024

Amavis sent the result back to Postfix using port 10025 which is handled by /etc/postfix/master.cf with this configuration:

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks, reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

The content of /etc/postfix/tag_as_originating.re:

/^/ FILTER amavis:[127.0.0.1]:10026

The result is sent back to Postfix using port 10027 and handled by this code in /etc/postfix/master.cf:

127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks, reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o milter_default_action=accept
    -o milter_macro_daemon_name=ORIGINATING
    -o disable_dns_lookups=yes

Finally here is the relevant lines in master.cf on how mails get introduced to Postfix in first place:

smtp      inet  n       -       y       -       -       smtpd

pickup    unix  n       -       y       60      1       pickup

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated, reject

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated, reject

I am using Z-push to handle connections via ActiveSync, but my issue is a follows:

I have noticed in the mail.log that even though stated in z-push config files that it should pass incomming mails to postfix via SMTP it still insist on putting incomming mails directly into maildrop directory which in turn is handled by Postfix pickup deamon.

From there the mail is either forwarded directly to destination address without even being DKIM signed by Amavis.

The question is: How can I get Postfix to pass mails from pickup daemon on to Amavis, so it can get a DKIM signature, before being forwarded to destination?

Is it as simple as just insert a line underneath pickup in master.cf with the text:

-o content_filter = amavis:[127.0.0.1]:10026

... or does the conflict with already existing setup? :-)

postfix

1 Answers

  1. Best Answer

    After a bit of more tweaking I finnally got it to work.

    Here is an explanation of what is going on.

    Z-push is written in PHP and what I could find on the Internet, was that PHP mail settings is controlled via php.ini.

    In php-ini-file you will be told that the only option available when sending mail is through sendmail and therefore all received mails received from Z-push will always be sent to maildrop folder, which the Postfix pickup deamon then handles.

    SMTP settings only works if installed on a Windows host.

    That is a bit stupid if you ask me, but anyway I need to take another route if I want to sign mails with DKIM signature received via ActiveSync protocol (aka from Z-push).

    I needed as suspected to add content_filter to the line following the pickup line in /etc/postfix/master.cf, but I also needed to tweak my Amavis config file a tiny bit.

    The file /etc/postfix/master.cf is basically as before, except when you go to pickup line it now states:

    amavis unix - - y - 2 smtp 
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o smtp_bind_address=

pickup    unix  n       -       y       60      1       pickup
   -o content_filter=amavis:[127.0.0.1]:10026

    I added the amavis section, since I discovered that if it is commented out then Amavis is never called. Just for completenes of everything. :-)

    In /etc/amavis/conf.d/50-user the following config is how Amavis distinquish between inbound mail from anywhere to my mail accounts vs mail sent from one of my accounts to anywhere:

    $inet_socket_port = [10024,10026];

$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = 'smtp:[127.0.0.1]:10027';

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    forward_method => 'smtp:[127.0.0.1]:10027',
};

# IP-Addresses for internal networks => load policy MYNETS
# - requires -o smtp_send_xforward_command=yes in postfix master.cf
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 
                 [::1] [FE80::]/10 [FEC0::]/10);

# Allow SMTP access from IPs in @inet_acl to amvisd SMTP Port
@inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );

# DKIM
$enable_dkim_verification = 1; 
$enable_dkim_signing = 1; # load DKIM signing code
$signed_header_fields{'received'} = 0;  # turn off signing of Received
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    Tweaking I mentioned was that before I had the following lines in /etc/amavis/conf.d/50-user:

    $forward_method = 'smtp:[127.0.0.1]:*';
$notify_method = 'smtp:[127.0.0.1]:*';

$policy_bank{'ORIGINATING'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

    The way the * works is that whatever Amavis recieve on a port (e.g. '10025') will be replied back on a port one higher (e.g. '10026').

    What I needed was to be a little more explicit - in order to avoid confusion.

    I hope this help if there is anybody else cursing at their screen trying to get DKIM to work with Postfix and Amavis. :-)

    • 1