Release spam without whitelist 127.0.0.1 default


Post by Trikke » 13 Jul 2018 12:52

I've been playing around with EFA (latest) for the past few weeks, and plan to deploy it in production soon. I like it.

My final set-up is a bit weird. It has another MTA in front of postfix.
So myMTA listens on 25, receives, passes on to postfix (listening on 2525) on the same box, MailScanner does stuff, then on to finalMTA.
This works very well, and allows me to have myMTA do address validation at FinalMTA before accepting. There are more motivations for having myMTA instead of postfix in front, but this is certainly an important one.

Only 1 caveat/hurdle is left: I can't whitelist 127.0.0.1 default, as all mail now reaches postfix from 127.0.0.1.
Without this whitelist, releasing a spam triggers MailScanner on the released message, which then gets tagged as spam, and sent to quarantine again.

So I'm looking for a - here comes the word - workaround here: avoid scanning a released message, without the required 127.0.0.1 default whitelist.

Patrick Sneyers
BE


Re: Release spam without whitelist 127.0.0.1 default

Post by shawniverson » 13 Jul 2018 18:49

I would probably set up a second lo interface, and have postfix listen on it instead.

Then you could have the whitelist on 127.0.0.1, and have another postfix worker working on 127.0.0.2
Version 3.0.2.6 released! Update now to keep your eFa secure!


Re: Release spam without whitelist 127.0.0.1 default

Post by Trikke » 17 Jul 2018 14:17

I couldn't get postfix to listen on that (although telnet 127.0.0.2 2525 did answer, with postfix on inet_interfaces = all). I'm not too familiar with CentOS, so maybe I created a half-baked lo:10.
postfix: fatal: parameter inet_interfaces: no local interface found for 127.0.0.2

But I figured, there is en0 with a LAN IP and a hostname, so why not use that? So now postfix listens on LAN_IP 2525. Whitelisted the FQDN of the box in EFA.
Bingo.
Thank you for putting me in the right direction.

2 more config changes:
EFA: Ignore the first "Received: "
/etc/MailScanner/MailScanner.conf

Code:

# When working out from IP address the message was sent from,
# Any number > 1 ==> use the first IP address contained in the n-th
#                    "Received:" header starting from the top of the email
#                    message's headers.
Read IP Address From Received Header = 2

OpenDmarc: defaults to "ignore 127.0.0.1", so create an empty /etc/opendmarc/ignore.hosts
/etc/opendmarc.conf

Code:

##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
IgnoreHosts /etc/opendmarc/ignore.hosts

I'm sure another pitfall is looking for me, but for now, all is well.
Tx again, Patrick
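
The rule quoted in the MailScanner.conf comment above (first IP address in the n-th "Received:" header from the top), written out as an added Python example; it is not MailScanner's code and not from the thread. The function name, hostnames and addresses are constructed assumptions modelling the myMTA -> postfix layout described in the post.

```python
import re
from email import message_from_string

# Constructed sample message. The top "Received:" header is written by postfix
# when myMTA hands the mail over on the LAN IP; the second is written by myMTA
# and records the real SMTP client. All names and addresses are made up.
SAMPLE = """\
Received: from efa.example.lan (efa.example.lan [192.168.10.5])
    by efa.example.lan (Postfix) with ESMTP id 4ABCD1234
    for <user@example.com>; Tue, 17 Jul 2018 14:00:02 +0200 (CEST)
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
    by efa.example.lan (myMTA) with ESMTP id 1fXyZ-0001
    for <user@example.com>; Tue, 17 Jul 2018 14:00:01 +0200
Received: from workstation (unknown [198.51.100.7])
    by mail.sender.example with ESMTPSA; Tue, 17 Jul 2018 14:00:00 +0200
From: sender@sender.example
To: user@example.com
Subject: test

body
"""

# Dotted quad that is not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ip_from_received(raw_message, n):
    """Return the first IPv4 address in the n-th Received header from the top.

    Returns None when the message has fewer than n Received headers or the
    chosen header contains no IPv4 address.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if n < 1 or n > len(received):
        return None
    match = IPV4.search(received[n - 1])
    return match.group(1) if match else None


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(n, ip_from_received(SAMPLE, n))
```

With n = 1 every message appears to come from the box itself; n = 2 yields the address myMTA saw. Headers below the ones written by your own MTAs are supplied by the sending side, so n should match the number of hops you control.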