# Postfix & DSPAM

## hardaur

Good afternoon all!

  Having a little, but very frustrating difficulty.  I have a situation where my configuraiton is sending outgoing mail back to itself.  I'm traditionally a sendmail guy, so I'm kind of at a loss.  

  The situation is this.  My mail machine is ganges.  I connect to SMTP on ganges and send an email to an external network.  So, mail from: gander@mydomain.com to gander@anotherdomain.org.  With the way my postfix, amavisd and dspam are configured, it's putting outgoing mail through the checks meant for incoming mail (amavisd, and dspam) and as such it's ending up back in my local cyrus-imap mailboxes.  I know this is something stupid, but I'm unable to see it at the moment.  Below are my postfix configs: 

main.conf

 *Quote:*   

> 
> 
> # Global Postfix configuration file. This file lists only a subset
> 
> # of all 300+ parameters. See the postconf(5) manual page for a
> ...

 

master.conf

 *Quote:*   

> 
> 
> #smtp      inet  n       -       n       -       -       smtpd
> 
> #smtps    inet  n       -       n       -       -       smtpd
> ...

 

And my dspam.conf

 *Quote:*   

> 
> 
> ## $Id: dspam.conf.in,v 1.2 2004/11/12 16:29:19 jonz Exp $
> 
> ## dspam.conf -- DSPAM configuration file
> ...

 

ebuilds/version

 *Quote:*   

> 
> 
> [ebuild   R   ] mail-filter/dspam-3.4_beta3  -debug -large-domain +mysql -neural -oci8 -postgres -sqlite 0 kB 
> 
> [ebuild   R   ] mail-mta/postfix-2.1.5-r2  +ipv6 +ldap -mailwrapper -mbox +mysql* +pam* -postgres +sasl (-selinux) +ssl -vda 0 kB 
> ...

 

Does anybody see anything silly that I'm doing.  I can logically work out what's going on, but am having trouble translating that into configs.

Thanks!!!!

G

----------

## steveb

can you post the config again, but this time use the code tag instead of the quote tag?

cheers

SteveB

----------

## hardaur

Reposting configs, all other text remains the same : b

main.cf

```

# Global Postfix configuration file. This file lists only a subset

# of all 300+ parameters. See the postconf(5) manual page for a

# complete list.

#

# The general format of each line is: parameter = value. Lines

# that begin with whitespace continue the previous line. A value can

# contain references to other $names or ${name}s.

#

# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF

# POSTFIX STILL WORKS AFTER EVERY CHANGE.

# SOFT BOUNCE

#

# The soft_bounce parameter provides a limited safety net for

# testing.  When soft_bounce is enabled, mail will remain queued that

# would otherwise bounce. This parameter disables locally-generated

# bounces, and prevents the SMTP server from rejecting mail permanently

# (by changing 5xx replies into 4xx replies). However, soft_bounce

# is no cure for address rewriting mistakes or mail routing mistakes.

#

#soft_bounce = no

# LOCAL PATHNAME INFORMATION

#

# The queue_directory specifies the location of the Postfix queue.

# This is also the root directory of Postfix daemons that run chrooted.

# See the files in examples/chroot-setup for setting up Postfix chroot

# environments on different UNIX systems.

#

queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all

# postXXX commands.

#

command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix

# daemon programs (i.e. programs listed in the master.cf file). This

# directory must be owned by root.

#

daemon_directory = /usr/lib/postfix

# QUEUE AND PROCESS OWNERSHIP

#

# The mail_owner parameter specifies the owner of the Postfix queue

# and of most Postfix daemon processes.  Specify the name of a user

# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS

# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In

# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED

# USER.

#

mail_owner = postfix

# The default_privs parameter specifies the default rights used by

# the local delivery agent for delivery to external file or command.

# These rights are used in the absence of a recipient user context.

# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.

#

#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES

# 

# The myhostname parameter specifies the internet hostname of this

# mail system. The default is to use the fully-qualified domain name

# from gethostname(). $myhostname is used as a default value for many

# other configuration parameters.

#

myhostname = ganges.mydomain.com

#myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.

# The default is to use $myhostname minus the first component.

# $mydomain is used as a default value for many other configuration

# parameters.

#

mydomain = mydomain.com

# SENDING MAIL

# 

# The myorigin parameter specifies the domain that locally-posted

# mail appears to come from. The default is to append $myhostname,

# which is fine for small sites.  If you run a domain with multiple

# machines, you should (1) change this to $mydomain and (2) set up

# a domain-wide alias database that aliases each user to

# user@that.users.mailhost.

#

# For the sake of consistency between sender and recipient addresses,

# myorigin also specifies the default domain name that is appended

# to recipient addresses that have no @domain part.

#

#myorigin = $myhostname

myorigin = $mydomain

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on.  By default,

# the software claims all active interfaces on the machine. The

# parameter also controls delivery of mail to user@[ip.address].

#

# See also the proxy_interfaces parameter, for network addresses that

# are forwarded to us via a proxy or network address translator.

#

# Note: you need to stop/start Postfix when this parameter changes.

#

#inet_interfaces = all

#inet_interfaces = $myhostname

#inet_interfaces = $myhostname, localhost

# The proxy_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on by way of a

# proxy or network address translation unit. This setting extends

# the address list specified with the inet_interfaces parameter.

#

# You must specify your proxy/NAT addresses when your system is a

# backup MX host for other domains, otherwise mail delivery loops

# will happen when the primary MX host is down.

#

#proxy_interfaces =

#proxy_interfaces = 1.2.3.4

# The mydestination parameter specifies the list of domains that this

# machine considers itself the final destination for.

#

# These domains are routed to the delivery agent specified with the

# local_transport parameter setting. By default, that is the UNIX

# compatible delivery agent that lookups all recipients in /etc/passwd

# and /etc/aliases or their equivalent.

#

# The default is $myhostname + localhost.$mydomain.  On a mail domain

# gateway, you should also include $mydomain.

#

# Do not specify the names of virtual domains - those domains are

# specified elsewhere (see VIRTUAL_README).

#

# Do not specify the names of domains that this machine is backup MX

# host for. Specify those names via the relay_domains settings for

# the SMTP server, or use permit_mx_backup if you are lazy (see

# STANDARD_CONFIGURATION_README).

#

# The local machine is always the final destination for mail addressed

# to user@[the.net.work.address] of an interface that the mail system

# receives mail on (see the inet_interfaces parameter).

#

# Specify a list of host or domain names, /file/name or type:table

# patterns, separated by commas and/or whitespace. A /file/name

# pattern is replaced by its contents; a type:table is matched when

# a name matches a lookup key (the right-hand side is ignored).

# Continue long lines by starting the next line with whitespace.

#

# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".

#

#mydestination = $myhostname, localhost.$mydomain, localhost

#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,

#   mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS

#

# The local_recipient_maps parameter specifies optional lookup tables

# with all names or addresses of users that are local with respect

# to $mydestination, $inet_interfaces or $proxy_interfaces.

#

# If this parameter is defined, then the SMTP server will reject

# mail for unknown local users. This parameter is defined by default.

#

# To turn off local recipient checking in the SMTP server, specify

# local_recipient_maps = (i.e. empty).

#

# The default setting assumes that you use the default Postfix local

# delivery agent for local delivery. You need to update the

# local_recipient_maps setting if:

#

# - You define $mydestination domain recipients in files other than

#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.

#   For example, you define $mydestination domain recipients in    

#   the $virtual_mailbox_maps files.

#

# - You redefine the local delivery agent in master.cf.

#

# - You redefine the "local_transport" setting in main.cf.

#

# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"

#   feature of the Postfix local delivery agent (see local(8)).

#

# Details are described in the LOCAL_RECIPIENT_README file.

#

# Beware: if the Postfix SMTP server runs chrooted, you probably have

# to access the passwd file via the proxymap service, in order to

# overcome chroot restrictions. The alternative, having a copy of

# the system passwd file in the chroot jail is just not practical.

#

# The right-hand side of the lookup tables is conveniently ignored.

# In the left-hand side, specify a bare username, an @domain.tld

# wild-card, or specify a user@domain.tld address.

# 

#local_recipient_maps = unix:passwd.byname $alias_maps

#local_recipient_maps = proxy:unix:passwd.byname $alias_maps

#local_recipient_maps =

# The unknown_local_recipient_reject_code specifies the SMTP server

# response code when a recipient domain matches $mydestination or

# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty

# and the recipient address or address local-part is not found.

#

# The default setting is 550 (reject mail) but it is safer to start

# with 450 (try again later) until you are certain that your

# local_recipient_maps settings are OK.

#

unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP

# clients that have more privileges than "strangers".

#

# In particular, "trusted" SMTP clients are allowed to relay mail

# through Postfix.  See the smtpd_recipient_restrictions parameter

# in postconf(5).

#

# You can specify the list of "trusted" network addresses by hand

# or you can let Postfix do it for you (which is the default).

#

# By default (mynetworks_style = subnet), Postfix "trusts" SMTP

# clients in the same IP subnetworks as the local machine.

# On Linux, this does works correctly only with interfaces specified

# with the "ifconfig" command.

# 

# Specify "mynetworks_style = class" when Postfix should "trust" SMTP

# clients in the same IP class A/B/C networks as the local machine.

# Don't do this with a dialup site - it would cause Postfix to "trust"

# your entire provider's network.  Instead, specify an explicit

# mynetworks list by hand, as described below.

#  

# Specify "mynetworks_style = host" when Postfix should "trust"

# only the local machine.

# 

#mynetworks_style = class

#mynetworks_style = subnet

#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in

# which case Postfix ignores the mynetworks_style setting.

#

# Specify an explicit list of network/netmask patterns, where the

# mask specifies the number of bits in the network part of a host

# address.

#

# You can also specify the absolute pathname of a pattern file instead

# of listing the patterns here. Specify type:table for table-based lookups

# (the value on the table right-hand side is not used).

#

#mynetworks = 168.100.189.0/28, 127.0.0.0/8

#mynetworks = $config_directory/mynetworks

#mynetworks = hash:/etc/postfix/network_table

# The relay_domains parameter restricts what destinations this system will

# relay mail to.  See the smtpd_recipient_restrictions description in

# postconf(5) for detailed information.

#

# By default, Postfix relays mail

# - from "trusted" clients (IP address matches $mynetworks) to any destination,

# - from "untrusted" clients to destinations that match $relay_domains or

#   subdomains thereof, except addresses with sender-specified routing.

# The default relay_domains value is $mydestination.

# 

# In addition to the above, the Postfix SMTP server by default accepts mail

# that Postfix is final destination for:

# - destinations that match $inet_interfaces or $proxy_interfaces,

# - destinations that match $mydestination

# - destinations that match $virtual_alias_domains,

# - destinations that match $virtual_mailbox_domains.

# These destinations do not need to be listed in $relay_domains.

# 

# Specify a list of hosts or domains, /file/name patterns or type:name

# lookup tables, separated by commas and/or whitespace.  Continue

# long lines by starting the next line with whitespace. A file name

# is replaced by its contents; a type:name table is matched when a

# (parent) domain appears as lookup key.

#

# NOTE: Postfix will not automatically forward mail for domains that

# list this system as their primary or backup MX host. See the

# permit_mx_backup restriction description in postconf(5).

#

#relay_domains = $mydestination

# INTERNET OR INTRANET

# The relayhost parameter specifies the default host to send mail to

# when no entry is matched in the optional transport(5) table. When

# no relayhost is given, mail is routed directly to the destination.

#

# On an intranet, specify the organizational domain name. If your

# internal DNS uses no MX records, specify the name of the intranet

# gateway host instead.

#

# In the case of SMTP, specify a domain, host, host:port, [host]:port,

# [address] or [address]:port; the form [host] turns off MX lookups.

#

# If you're connected via UUCP, see also the default_transport parameter.

#

#relayhost = $mydomain

#relayhost = [gateway.my.domain]

#relayhost = [mailserver.isp.tld]

#relayhost = uucphost

#relayhost = [an.ip.add.ress]

# REJECTING UNKNOWN RELAY USERS

#

# The relay_recipient_maps parameter specifies optional lookup tables

# with all addresses in the domains that match $relay_domains.

#

# If this parameter is defined, then the SMTP server will reject

# mail for unknown relay users. This feature is off by default.

#

# The right-hand side of the lookup tables is conveniently ignored.

# In the left-hand side, specify an @domain.tld wild-card, or specify

# a user@domain.tld address.

# 

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL

#

# The in_flow_delay configuration parameter implements mail input

# flow control. This feature is turned on by default, although it

# still needs further development (it's disabled on SCO UNIX due

# to an SCO bug).

# 

# A Postfix process will pause for $in_flow_delay seconds before

# accepting a new message, when the message arrival rate exceeds the

# message delivery rate. With the default 100 SMTP server process

# limit, this limits the mail inflow to 100 messages a second more

# than the number of messages delivered per second.

# 

# Specify 0 to disable the feature. Valid delays are 0..10.

# 

#in_flow_delay = 1s

# ADDRESS REWRITING

#

# The ADDRESS_REWRITING_README document gives information about

# address masquerading or other forms of address rewriting including

# username->Firstname.Lastname mapping.

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)

#

# The VIRTUAL_README document gives information about the many forms

# of domain hosting that Postfix supports.

# "USER HAS MOVED" BOUNCE MESSAGES

#

# See the discussion in the ADDRESS_REWRITING_README document.

# TRANSPORT MAP

#

# See the discussion in the ADDRESS_REWRITING_README document.

# ALIAS DATABASE

#

# The alias_maps parameter specifies the list of alias databases used

# by the local delivery agent. The default list is system dependent.

#

# On systems with NIS, the default is to search the local alias

# database, then the NIS alias database. See aliases(5) for syntax

# details.

# 

# If you change the alias database, run "postalias /etc/aliases" (or

# wherever your system stores the mail alias file), or simply run

# "newaliases" to build the necessary DBM or DB file.

#

# It will take a minute or so before changes become visible.  Use

# "postfix reload" to eliminate the delay.

#

#alias_maps = dbm:/etc/aliases

#alias_maps = hash:/etc/aliases

#alias_maps = hash:/etc/aliases, nis:mail.aliases

#alias_maps = netinfo:/aliases

# The alias_database parameter specifies the alias database(s) that

# are built with "newaliases" or "sendmail -bi".  This is a separate

# configuration parameter, because alias_maps (see above) may specify

# tables that are not necessarily all under control by Postfix.

#

#alias_database = dbm:/etc/aliases

#alias_database = dbm:/etc/mail/aliases

#alias_database = hash:/etc/aliases

#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)

#

# The recipient_delimiter parameter specifies the separator between

# user names and address extensions (user+foo). See canonical(5),

# local(8), relocated(5) and virtual(5) for the effects this has on

# aliases, canonical, virtual, relocated and .forward file lookups.

# Basically, the software tries user+foo and .forward+foo before

# trying user and .forward.

#

#recipient_delimiter = +

# DELIVERY TO MAILBOX

#

# The home_mailbox parameter specifies the optional pathname of a

# mailbox file relative to a user's home directory. The default

# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify

# "Maildir/" for qmail-style delivery (the / is required).

#

#home_mailbox = Mailbox

#home_mailbox = Maildir/

 

# The mail_spool_directory parameter specifies the directory where

# UNIX-style mailboxes are kept. The default setting depends on the

# system type.

#

#mail_spool_directory = /var/mail

#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external

# command to use instead of mailbox delivery. The command is run as

# the recipient with proper HOME, SHELL and LOGNAME environment settings.

# Exception:  delivery for root is done as $default_user.

#

# Other environment variables of interest: USER (recipient username),

# EXTENSION (address extension), DOMAIN (domain part of address),

# and LOCAL (the address localpart).

#

# Unlike other Postfix configuration parameters, the mailbox_command

# parameter is not subjected to $parameter substitutions. This is to

# make it easier to specify shell syntax (see example below).

#

# Avoid shell meta characters because they will force Postfix to run

# an expensive shell process. Procmail alone is expensive enough.

#

# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN

# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.

#

#mailbox_command = /some/where/procmail

#mailbox_command = /some/where/procmail -a "$EXTENSION"

# The mailbox_transport specifies the optional transport in master.cf

# to use after processing aliases and .forward files. This parameter

# has precedence over the mailbox_command, fallback_transport and

# luser_relay parameters.

#

# Specify a string of the form transport:nexthop, where transport is

# the name of a mail delivery transport defined in master.cf.  The

# :nexthop part is optional. For more details see the sample transport

# configuration file.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must update the "local_recipient_maps" setting in

# the main.cf file, otherwise the SMTP server will reject mail for    

# non-UNIX accounts with "User unknown in local recipient table".

#

#mailbox_transport = lmtp:unix:/file/name

#mailbox_transport = cyrus

# The fallback_transport specifies the optional transport in master.cf

# to use for recipients that are not found in the UNIX passwd database.

# This parameter has precedence over the luser_relay parameter.

#

# Specify a string of the form transport:nexthop, where transport is

# the name of a mail delivery transport defined in master.cf.  The

# :nexthop part is optional. For more details see the sample transport

# configuration file.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must update the "local_recipient_maps" setting in

# the main.cf file, otherwise the SMTP server will reject mail for    

# non-UNIX accounts with "User unknown in local recipient table".

#

#fallback_transport = lmtp:unix:/file/name

#fallback_transport = cyrus

#fallback_transport =

# The luser_relay parameter specifies an optional destination address

# for unknown recipients.  By default, mail for unknown@$mydestination,

# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned

# as undeliverable.

#

# The following expansions are done on luser_relay: $user (recipient

# username), $shell (recipient shell), $home (recipient home directory),

# $recipient (full recipient address), $extension (recipient address

# extension), $domain (recipient domain), $local (entire recipient

# localpart), $recipient_delimiter. Specify ${name?value} or

# ${name:value} to expand value only when $name does (does not) exist.

#

# luser_relay works only for the default Postfix local delivery agent.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must specify "local_recipient_maps =" (i.e. empty) in

# the main.cf file, otherwise the SMTP server will reject mail for    

# non-UNIX accounts with "User unknown in local recipient table".

#

#luser_relay = $user@other.host

#luser_relay = $local@other.host

#luser_relay = admin+$local

  

# JUNK MAIL CONTROLS

# 

# The controls listed here are only a very small subset. The file

# SMTPD_ACCESS_README provides an overview.

# The header_checks parameter specifies an optional table with patterns

# that each logical message header is matched against, including

# headers that span multiple physical lines.

#

# By default, these patterns also apply to MIME headers and to the

# headers of attached messages. With older Postfix versions, MIME and

# attached message headers were treated as body text.

#

# For details, see "man header_checks".

#

#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE

#

# Postfix maintains per-destination logfiles with information about

# deferred mail, so that mail can be flushed quickly with the SMTP

# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".

# See the ETRN_README document for a detailed description.

# 

# The fast_flush_domains parameter controls what destinations are

# eligible for this service. By default, they are all domains that

# this server is willing to relay mail to.

# 

#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT

#

# The smtpd_banner parameter specifies the text that follows the 220

# code in the SMTP server's greeting banner. Some people like to see

# the mail version advertised. By default, Postfix shows no version.

#

# You MUST specify $myhostname at the start of the text. That is an

# RFC requirement. Postfix itself does not care.

#

#smtpd_banner = $myhostname ESMTP $mail_name

#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION

#

# How many parallel deliveries to the same user or domain? With local

# delivery, it does not make sense to do massively parallel delivery

# to the same user, because mailbox updates must happen sequentially,

# and expensive pipelines in .forward files can cause disasters when

# too many are run at the same time. With SMTP deliveries, 10

# simultaneous connections to the same domain could be sufficient to

# raise eyebrows.

# 

# Each message delivery transport has its XXX_destination_concurrency_limit

# parameter.  The default is $default_destination_concurrency_limit for

# most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2

#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL

#

# The debug_peer_level parameter specifies the increment in verbose

# logging level when an SMTP client or server host name or address

# matches a pattern in the debug_peer_list parameter.

#

debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain

# or network patterns, /file/name patterns or type:name tables. When

# an SMTP client or server host name or address matches a pattern,

# increase the verbose logging level by the amount specified in the

# debug_peer_level parameter.

#

#debug_peer_list = 127.0.0.1

#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed

# when a Postfix daemon program is run with the -D option.

#

# Use "command .. & sleep 5" so that the debugger can attach before

# the process marches on. If you use an X-based debugger, be sure to

# set up your XAUTHORITY environment variable before starting Postfix.

#

debugger_command =

    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# If you don't have X installed on the Postfix machine, try:

# debugger_command =

#   PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;

#   echo where) | gdb $daemon_directory/$process_name $process_id 2>&1

#   >$config_directory/$process_name.$process_id.log & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION

#

# The following parameters are used when installing a new Postfix version.

# 

# sendmail_path: The full pathname of the Postfix sendmail command.

# This is the Sendmail-compatible mail posting interface.

# 

sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.

# This is the Sendmail-compatible command to build alias databases.

#

newaliases_path = /usr/bin/newaliases

# mailq_path: The full pathname of the Postfix mailq command.  This

# is the Sendmail-compatible mail queue listing command.

# 

mailq_path = /usr/bin/mailq

# setgid_group: The group for mail submission and queue management

# commands.  This must be a group name with a numerical group ID that

# is not shared with other accounts, not even with the Postfix account.

#

setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.

#

html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.

#

manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.

# This parameter is obsolete as of Postfix 2.1.

#

sample_directory = /etc/postfix

# readme_directory: The location of the Postfix README files.

#

readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/

## GDAGDA below this point

#DSPAM

mailbox_command = /usr/bin/dspam --deliver=innocent --user $USER -m %u

transport_maps = regexp:/etc/postfix/transport_regexp,

   hash:/etc/postfix/transport.domain

dspam_distination_recipient_limit=1

dspam-add_destination_recipient_limit=1

dspam-fp_destinateion_recipient_limit=1

#SASL Auth Config

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtpd_sasl_security_options = noanonymous

#LDAP Recipiet config

local_recipient_maps = ldap:am

am_server_host = ldap.mydomain.com

am_server_port = 389

am_bind = no

am_search_base = ou=Users,o=mydomain.com,dc=mydomain,dc=com

am_query_filter = (mail=%s)

am_result_attribute = mail

#Restrictions/Permissions

smtpd_recipient_restrictions = permit_mynetworks,

   permit_sasl_authenticated, reject_unauth_destination

#TLS config

smtpd_use_tls = yes

smtpd_tls_key_file = /etc/ssl/postfix/postfix_key.pem

smtpd_tls_cert_file = /etc/ssl/postfix/postfix_signed_cert.pem

smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem

```

master.cf

```

#

# Postfix master process configuration file.  Each logical line 

# describes how a Postfix daemon program should be run. 

#

# A logical line starts with non-whitespace, non-comment text.

# Empty lines and whitespace-only lines are ignored, as are comment 

# lines whose first non-whitespace character is a `#'.  

# A line that starts with whitespace continues a logical line.

#

# The fields that make up each line are described below. A "-" field

# value requests that a default value be used for that field.

#

# Service: any name that is valid for the specified transport type

# (the next field).  With INET transports, a service is specified as

# host:port.  The host part (and colon) may be omitted. Either host

# or port may be given in symbolic form or in numeric form. Examples

# for the SMTP server:  localhost:smtp receives mail via the loopback

# interface only; 10025 receives mail on port 10025.

#

# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain

# sockets, "fifo" for named pipes.

#

# Private: whether or not access is restricted to the mail system.

# Default is private service.  Internet (inet) sockets can't be private.

#

# Unprivileged: whether the service runs with root privileges or as

# the owner of the Postfix system (the owner name is controlled by the

# mail_owner configuration variable in the main.cf file). Only the

# pipe, virtual and local delivery daemons require privileges.

#

# Chroot: whether or not the service runs chrooted to the mail queue

# directory (pathname is controlled by the queue_directory configuration

# variable in the main.cf file). Presently, all Postfix daemons can run

# chrooted, except for the pipe, virtual and local delivery daemons.

# The proxymap server can run chrooted, but doing so defeats most of

# the purpose of having that service in the first place.

# The files in the examples/chroot-setup subdirectory describe how

# to set up a Postfix chroot environment for your type of machine.

#

# Wakeup time: automatically wake up the named service after the

# specified number of seconds. A ? at the end of the wakeup time

# field requests that wake up events be sent only to services that

# are actually being used.  Specify 0 for no wakeup. Presently, only

# the pickup, queue manager and flush daemons need a wakeup timer.

#

# Max procs: the maximum number of processes that may execute this

# service simultaneously. Default is to use a globally configurable

# limit (the default_process_limit configuration parameter in main.cf).

# Specify 0 for no process count limit.

#

# Command + args: the command to be executed. The command name is

# relative to the Postfix program directory (pathname is controlled by

# the daemon_directory configuration variable). Adding one or more

# -v options turns on verbose logging for that service; adding a -D

# option enables symbolic debugging (see the debugger_command variable

# in the main.cf configuration file). See individual command man pages

# for specific command-line options, if any.

#

# General main.cf options can be overridden for specific services.

# To override one or more main.cf options, specify them as arguments

# below, preceding each option by "-o".  There must be no whitespace

# in the option itself (separate multiple values for an option by

# commas).

#

# In order to use the "uucp" message tranport below, set up entries

# in the transport table.

#

# In order to use the "cyrus" message transport below, configure it

# in main.cf as the mailbox_transport.

#

# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.

# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.

#

# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.

#

# ==========================================================================

# service type  private unpriv  chroot  wakeup  maxproc command + args

#               (yes)   (yes)   (yes)   (never) (100)

# ==========================================================================

#smtp      inet  n       -       n       -       -       smtpd

#smtps    inet  n       -       n       -       -       smtpd

#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

#submission   inet    n       -       n       -       -       smtpd

#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_etrn_restrictions=reject

#628      inet  n       -       n       -       -       qmqpd

pickup    fifo  n       -       n       60      1       pickup

cleanup   unix  n       -       n       -       0       cleanup

qmgr      fifo  n       -       n       300     1       qmgr

#qmgr     fifo  n       -       n       300     1       oqmgr

#tlsmgr   fifo  -       -       n       300     1       tlsmgr

rewrite   unix  -       -       n       -       -       trivial-rewrite

bounce    unix  -       -       n       -       0       bounce

defer     unix  -       -       n       -       0       bounce

trace     unix  -       -       n       -       0       bounce

verify    unix  -       -       n       -       1       verify

flush     unix  n       -       n       1000?   0       flush

proxymap  unix  -       -       n       -       -       proxymap

smtp      unix  -       -       n       -       -       smtp

relay     unix  -       -       n       -       -       smtp

#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq     unix  n       -       n       -       -       showq

error     unix  -       -       n       -       -       error

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       n       -       -       lmtp

anvil     unix  -       -       n       -       1       anvil

#

# Interfaces to non-Postfix software. Be sure to examine the manual

# pages of the non-Postfix software to find out what options it wants.

#

# maildrop. See the Postfix MAILDROP_README file for details.

#

maildrop  unix  -       n       n       -       -       pipe

  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

#

# The Cyrus deliver program has changed incompatibly, multiple times.

#

old-cyrus unix  -       n       n       -       -       pipe

  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

# Cyrus 2.1.5 (Amos Gouaux)

# Also specify in main.cf: cyrus_destination_recipient_limit=1

cyrus     unix  -       n       n       -       -       pipe

  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

uucp      unix  -       n       n       -       -       pipe

  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe

  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp     unix  -       n       n       -       -       pipe

  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

## GDAGDA Below

smtp      inet   n   -   n   -   -   smtpd

     -o content_filter=smtp-amavis:[127.0.0.1]:10024

smtp-amavis   unix   -   -   n   -   2   lmtp

   -o smtp_send_xforward_command=yes

127.0.0.1:10025   inet   n   -   n   -   -   smtpd

   -o cleanup_service_name=pre-cleanup

   -o content_filter=dspam:dummy

   -o local_recipient_maps=

   -o relay_recipient_maps=

   -o smtpd_restriction_classes=

   -o smtpd_client_restrictions=

   -o smtpd_helo_restrictions=

   -o smtpd_sender_restrictions=

   -o smtpd_recipient_restrictions=permit_mynetworks,reject

   -o mynetworks=127.0.0.0/8

   -o strict_rfc821_envelopes=yes

   -o smtpd_error_sleep_time=0

   -o smtpd_soft_error_limit=1001

   -o smtp_hard_error_limit=1000

127.0.0.1:10026   inet   n   -   n   -   -   smtpd

   -o local_recipient_maps=

   -o relay_recipient_maps=

   -o smtpd_restriction_classes=

   -o smtpd_client_restrictions=

   -o smtpd_helo_restrictions=

   -o smtpd_sender_restrictions=

   -o smtpd_recipient_restrictions=permit_mynetworks,reject

   -o mynetworks=127.0.0.0/8

   -o strict_rfc821_envelopes=yes

   -o smtpd_error_sleep_time=0

   -o smtpd_soft_error_limit=1001

   -o smtpd_hard_error_limit=1000

dspam                unix   -   n   n   -   -   pipe

   flags=Rhq user=dspam argv=/usr/bin/dspam --mode=teft --deliver=innocent,spam

   --feature=chained,noise --user ${recipient} -f ${sender} -e %u 

                                                                                                     

dspam-add            unix   -   n   n   -   -   pipe

   flags=Rhq user=dspam argv=/usr/bin/dspam --mode=teft --user ${user}@${nexthop}

   --class=spam     --source=error -f ${sender} -m %u --deliver=spam

dspam-fp             unix   -   n   n   -   -   pipe

   flags=Rhq user=dspam argv=/usr/bin/dspam  --mode=teft --user ${user}@${nexthop}

   --class=innocent --source=error -f ${sender} -m %u --deliver=innocent

cleanup      unix   n   -   n   -   0   cleanup

   -o header_checks=

   -o mime_header_checks=

   -o nested_header_checks=

   -o body_checks=

pre-cleanup   unix   n   -   n   -   0   cleanup

   -o canonical_maps=

   -o sender_canonical_maps=

   -o recipient_canonical_maps=

   -o masquerade_domains=

   -o virtual_alias_maps=

   -o always_bcc=

   -o sender_bcc_maps=

   -o recipient_bcc_maps=

local      unix   -   n   n   -   -   local

   -o content_filter=

   -o myhostname=localhost

   -o local_recipient_maps=

   -o relay_recipient_maps=

   -o mynetworks=127.0.0.0/8

   -o mynetworks_style=host

   -o smtpd_restriction_classes=

   -o smtpd_client_restrictions=

   -o smtpd_helo_restrictions=

   -o smtpd_sender_restrictions=

   -o smtpd_recipient_restrictions=permit_mynetworks,reject

```

dspam.conf

```

## $Id: dspam.conf.in,v 1.2 2004/11/12 16:29:19 jonz Exp $

## dspam.conf -- DSPAM configuration file

##

#

# DSPAM Home: Specifies the base directory to be used for DSPAM storage

#

Home /etc/mail/dspam

#

# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call 

# when delivering mail as a trusted user. Use %u to specify the user DSPAM is 

# processing mail for. It is generally a good idea to allow the MTA to specify 

# the pass-through arguments at run-time, but they may also be specified here.

#

# Most operating system defaults:

#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux

#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris

#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD

#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin

#

# Other popular configurations:

TrustedDeliveryAgent /usr/lib/cyrus/deliver %u   # Cyrus

#TrustedDeliveryAgent "/bin/maildrop"      # Maildrop

#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned $u" # Exim

#

#TrustedDeliveryAgent "/usr/bin/procmail"

#

# Untrusted Delivery Agent: Specifies the local delivery agent and arguments

# DSPAM should use when delivering mail and running in untrusted user mode.

# Because DSPAM will not allow pass-through arguments to be specified to 

# untrusted users, all arguments should be specified here. Use %u to specify

# the user DSPAM is processing mail for. This configuration parameter is only 

# necessary if you plan on allowing untrusted processing.

#

#UntrustedDeliveryAgent "/usr/bin/procmail -d %u"

#

# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it 

# thinks is spam. If you wish to override this behavior, you may specify

# a quarantine agent which will be called with all messages DSPAM thinks is

# spam. Use %u to specify the user DSPAM is processing mail for.

#

#QuarantineAgent   "/usr/bin/procmail -d spam"

#

# OnFail: What to do if local delivery or quarantine should fail. If set

# to "unlearn", DSPAM will unlearn the message prior to exiting with an

# un successful return code. The default option, "error" will not unlearn

# the message but return the appropriate error code. The unlearn option

# is use-ful on some systems where local delivery failures will cause the

# message to be requeued for delivery, and could result in the message

# being processed multiple times. During a very large failure, however, 

# this could cause a significant load increase.

#

OnFail error

# Trusted Users: Only the users specified below will be allowed to perform

# administrative functions in DSPAM such as setting the active user and

# accessing tools. All other users attempting to run DSPAM will be restricted;

# their uids will be forced to match the active username and they will not be

# able to specify delivery agent privileges or use tools.

#

Trust root

Trust mail

Trust mailnull 

Trust smmsp

Trust daemon

Trust dspam

Trust postfix

Trust nobody

#Trust majordomo

#

# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must

# be compiled with debug support in order to use this option. DSPAM should

# never be running in production with debug active unless you are 

# troubleshooting problems.

#

# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus

#   process     standard message processing

#   classify    message classification using --classify

#   spam        error correction of missed spam

#   fp          error correction of false positives

#   inoculation message inoculations (source=inoculation)

#   corpus      corpusfed messages (source=corpus)

#

#Debug *

#Debug bob bill

#

#DebugOpt process spam fp

#

# Training Mode: The default training mode to use for all operations, when

# one has not been specified on the commandline or in the user's preferences.

# Acceptable values are: toe, tum, teft, notrain

#

TrainingMode teft

#

# Features: Specify features to activate by default; can also be specified

# on the commandline. See the documentation for a list of available features.

# If _any_ features are specified on the commandline, these are ignored.

#

#Feature sbph

Feature chained

Feature tb=4

Feature whitelist

Feature noise

#

# Algorithms: Specify the statistical algorithms to use, overriding any

# defaults configured in the build. The options are:

#    graham      Graham-Bayesian ("A Plan for Spam")

#    burton      Burton-Bayesian (SpamProbe)

#    robinson    Robinson's Geometric Mean Test (Obsolete)

#    chi-square  Fisher-Robinson's Chi-Square Algorithm

#

# You may have multiple algorithms active simultaneously, but it is strongly

# recommended that you group Bayesian algorithms with other Bayesian

# algorithms, and any use of Chi-Square remain exclusive.

#

# Don't mess with this unless you know what you're doing

#

#Algorithm chi-square

Algorithm graham burton

#

# PValue: Specify the technique used for calculating PValues, overriding any

# defaults configured in the build. These options are:

#    graham      Graham's Technique ("A Plan for Spam")

#    robinson    Robinson's Technique 

#

# Unlike algorithms, you may only have one of these defined. Use of the

# chi-square algorithm automatically changes this to robinson.

#

# Don't mess with this unless you know what you're doing.

#

#PValue robinson

PValue graham

#

# Preferences: Specify any preferences to set by default, unless otherwise

# overridden by the user (see next section) or a default.prefs file.

# If user or default.prefs are found, none of these preferences are

# loaded.

#

Preference "spamAction=quarantine"

Preference "signatureLocation=message"   # 'message' or 'headers'

Preference "showFactors=on"

#Preference "spamAction=tag"

#Preference "spamSubject=SPAM"

#

# Overrides: Specifies the user preferences which may override configuration

# and commandline defaults. Any other preferences supplied by an untrusted user

# will be ignored.

#

#AllowOverride trainingMode

AllowOverride spamAction spamSubject

AllowOverride statisticalSedation

AllowOverride enableBNR

AllowOverride enableWhitelist

#AllowOverride signatureLocation

AllowOverride showFactors

AllowOverride optIn optOut

AllowOverride whitelistThreshold

#

# Storage driver settings: Specific to a particular storage driver. Uncomment

# the configuration specific to your installation, if applicable.

#

#MySQLServer    /var/lib/mysql/mysql.sock

#MySQLPort

#MySQLUser      dspam

#MySQLPass      changeme

#MySQLDb        dspam

#MySQLCompress  true

#PgSQLServer    127.0.0.1

#PgSQLPort      5432

#PgSQLUser      dspam

#PgSQLPass      changeme

#PgSQLDb        dspam

#OraServer       "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521))(CONNECT_DATA=(SID=PROD)))"

#OraUser         dspam

#OraPass         changeme

#OraSchema       dspam

#SQLitePragma   "synchronous = OFF"

#

# Optionally, you can specify storage profiles, and specify the server to

# use on the commandline with --profile. For example:

#

#Profile DECAlpha

#MySQLServer.DECAlpha   10.0.0.1

#MySQLPort.DECAlpha     3306

#MySQLUser.DECAlpha     dspam

#MySQLPass.DECAlpha     changeme

#MySQLDb.DECAlpha       dspam

#MySQLCompress.DECAlpha true

#

#Profile Sun420R

#MySQLServer.Sun420R    10.0.0.2

#MySQLPort.Sun420R      3306

#MySQLUser.Sun420R      dspam

#MySQLPass.Sun420R      changeme

#MySQLDb.Sun420R        dspam

#MySQLCompress.Sun420R  false

#

#DefaultProfile DECAlpha

#

# Ignored headers: If DSPAM is behind other tools which may add a header to

# incoming emails, it may be beneficial to ignore these headers - especially

# if they are coming from another spam filter. If you are _not_ using one of

# these tools, however, leaving the appropriate headers commented out will

# allow DSPAM to use them as telltale signs of forged email.

#

IgnoreHeader X-Spam-Status

IgnoreHeader X-Spam-Scanned

IgnoreHeader X-Virus-Scanner-Result

#

# Notifications: Enable the sending of notification emails to users (first

# message, quarantine full, etc.)

#

Notifications   on

#

# Purge configuration: Set dspam_clean purge default options, if not otherwise

# specified on the commandline

#

PurgeSignatures 14          # Stale signatures

PurgeNeutral    30          # Tokens with neutralish probabilities

PurgeUnused     60          # Unused tokens

PurgeHapaxes    15          # Tokens with less than 5 hits (hapaxes)

PurgeHits1S   10          # Tokens with only 1 spam hit

PurgeHits1I   10          # Tokens with only 1 innocent hit

#

# Purge configuration for SQL-based installations using purge.sql

#

#PurgeSignature   off # Specified in purge.sql

#PurgeNeutral   30

#PurgeUnused    off # Specified in purge.sql

#PurgeHapaxes   off # Specified in purge.sql

#PurgeHits1S    off # Specified in purge.sql

#PurgeHits1I    off # Specified in purge.sql

#

# Local Mail Exchangers: Used for source address tracking, tells DSPAM which

# mail exchangers are local and therefore should be ignored in the Received:

# header when tracking the source of an email. Note: you should use the address

# of the host as appears between brackets [ ] in the Received header.

#

LocalMX 127.0.0.1

#

# Logging: Disabling logging for users will make usage graphs unavailable to

# them. Disabling system logging will make admin graphs unavailable.

#

SystemLog on

UserLog   on

#

# TrainPristine: for systems where the original message remains server side 

# and can therefore be presented in pristine format for retraining. This option

# will cause DSPAM to cease all writing of signatures and DSPAM headers to the 

# message, and deliver the message in as pristine format as possible. This mode

# REQUIRES that the original message in its pristine format (as of delivery) 

# be presented for retraining, as in the case of webmail, imap, or other 

# applications where the message is actually kept server-side during reading, 

# and is preserved. DO NOT use this switch unless the original message can be 

# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.

#

#TrainPristine on

#

# Opt: in or out; determines DSPAM's default filtering behavior. If this value

# is set to in, users must opt-in to filtering by dropping a .dspam file in

# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam

# folder in their home directory).  The default is opt-out, which means all

# users will be filtered unless a .nodspam file is dropped in

# /var/dspam/opt-out/user.nodspam

#

Opt out

#

# TrackSources: specify which (if any) source addresses to track and report

# them to syslog (mail.info). This is useful if you're running a firewall or

# blacklist and would like to use this information. Spam reporting also drops

# SBL blacklist files (see http://www.nuclearelephant.com/projects/sbl/). 

#

#TrackSources spam nonspam

#

# ParseToHeaders: When retraining, it's possible to set up a wildcard such

# as *@spam.yourdomain.com to intercept all missed spam. If you do this,

# you'll need to enable this option so that the username is assigned based

# on the To: address of the message; for example spam-bob will assign the

# username to bob.

#

#ParseToHeaders on

#

# Broken MTA Options: Some MTAs don't support the proper functionality

# necessary. In these cases you can activate certain features in DSPAM to

# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if

# the message is spam, 0 if not, or a negative code if an error has occured.

# Specifying 'case' causes DSPAM to force the input usernames to lowercase.

# Spceifying 'lineStripping' causes DSPAM to strip ^M's from messages passed

# in.

#

#Broken returnCodes

#Broken case

#Broken lineStripping

## EOF

UntrustedDeliveryAgent /usr/lib/cyrus/deliver %u

MySQLServer    /var/run/mysqld/mysqld.sock

MySQLPort

MySQLUser      dspam

MySQLPass     24521345q3qwe509

MySQLDb        spamgone

MySQLCompress  true

```

Hopefully that helps, I've not paid attention to notice any difference before.

G

----------

## steveb

phhhuu... there are many stuff to clean up.

i will just start with one issue and then in later posts continue.

1) lmtp does not need any smtp commands:

```
smtp-amavis   unix   -   -   n   -   2   lmtp 

   -o smtp_send_xforward_command=yes
```

--> delete the -o smtp_sender_xforward_command=y

it is not needed with lmtp.

2) in main.cf you don't need the "mailbox_command" since you are anyway going "smtp -> amavis -> dspam" the additional mailbox_command is really not needed.

that's for the moment. i see other stuff, but for now i think i stop.

cheers

SteveB

----------

## hardaur

Excellent info, thanks.  And feel free to continue, I'm all for learning the "right" way to do this stuff!

Thanks,

G

----------

## steveb

okay... next one:

1) if i read that right, then you use cyrus as imapd. please change the argv argument in master from:

```
cyrus     unix  -       n       n       -       -       pipe 

  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
```

to

```
cyrus     unix  -       n       n       -       -       pipe 

  user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}
```

2) it looks like you are using mysql to store the dspam data. please remark in dspam.conf the following entry:

```
# 

# Purge configuration: Set dspam_clean purge default options, if not otherwise 

# specified on the commandline 

# 

PurgeSignatures 14          # Stale signatures 

PurgeNeutral    30          # Tokens with neutralish probabilities 

PurgeUnused     60          # Unused tokens 

PurgeHapaxes    15          # Tokens with less than 5 hits (hapaxes) 

PurgeHits1S   10          # Tokens with only 1 spam hit 

PurgeHits1I   10          # Tokens with only 1 innocent hit
```

and unmark the following one:

```
# 

# Purge configuration for SQL-based installations using purge.sql 

# 

#PurgeSignature   off # Specified in purge.sql 

#PurgeNeutral   30 

#PurgeUnused    off # Specified in purge.sql 

#PurgeHapaxes   off # Specified in purge.sql 

#PurgeHits1S    off # Specified in purge.sql 

#PurgeHits1I    off # Specified in purge.sql
```

okay... will post next issues soon.

cheers

SteveB

----------

## j-m

Please don´t post config file comments next time... This is huge and I really don´t want to wade through it...  :Sad: 

----------

## hardaur

Steve,

  I did make the change to get rid of "-o smtp_send_xforward_command=yes", and the mailbox_command in main.  Also made the change to cyrus in master, but the current config is for dspam to forward to cyrus, so postfix shouldn't touch it.  Finally got rid of the extra smtp entries in master.  Made the changes in dspam.conf, but as I'm just starting to get this put together, I haven't tweaked it yet (been running dspam forever, just not postfix/sasl/cyrus-imap).

  So I still am able to receive just fine, sends to amavisd, sends to dspam, dspam sends to cyrus-imap and it gets to the users mailbox.  Still having problems with outgoing mail looping back though (where it should just hit postfix and get relayed, it's hitting postfix and being viewed as incoming).  

  Very helpful info so far, thank you!

G

P.S.  j-m  Yeah, I had that conflict when I posted, can't stand comments in posts myself.  Figured to err on the side of being thorough this time though to avoid having to repost.

----------

## steveb

Okay... let us continue with your config.

1) Can you please post the content of:

```
/etc/postfix/transport_regexp 

/etc/postfix/transport.domain
```

I ask this, because you say you have a loop in your Postfix configuration, but without the transport tables it is not so easy to know what the problem is.

2) Another isse is the network configuration in main.cf. You have nowhere specified what mynetwork is. If I am allowed to modify your main.cf, then I would do it that way (I just quickly did that. Maybe I have some typos in it):

```
#-[GDAGDA]---------------------------------

myhostname            = ganges.mydomain.com

mydomain            = mydomain.com

myorigin            = $myhostname

mydestination            = localhost,

               localhost.localdomain,

               $myhostname,

               localhost.$mydomain,

               $mydomain

mynetworks_style         = class

mynetworks            = aaa.bbb.ccc.ddd/ee,

               192.168.0.0/24,

               127.0.0.0/8

inet_interfaces            = all

masquerade_domains         = $mydomain

#------------------------------------------

am_server_host            = ldap.mydomain.com

am_server_port            = 389

am_bind               = no

am_search_base            = ou=Users,o=mydomain.com,dc=mydomain,dc=com

am_query_filter            = (mail=%s)

am_result_attribute         = mail

#------------------------------------------

unknown_local_recipient_reject_code   = 550

home_mailbox            = .maildir/

#------------------------------------------

smtpd_delay_reject         = yes

smtpd_helo_required         = yes

disable_vrfy_command         = yes

strict_rfc821_envelopes         = yes

smtpd_delay_reject         = yes

#------------------------------------------

alias_database            = hash:/etc/mail/aliases

alias_maps            = hash:/etc/mail/aliases,

               ldap:am

local_recipient_maps         = proxy:unix:passwd.byname,

               $alias_maps

transport_maps            = regexp:/etc/postfix/transport_regexp,

               hash:/etc/postfix/transport.domain

#------------------------------------------

smtpd_data_restrictions         = reject_unauth_pipelining,

               permit

smtpd_recipient_restrictions      = permit_mynetworks,

               permit_sasl_authenticated,

               permit_tls_clientcerts,

               reject_invalid_hostname,

               reject_non_fqdn_hostname,

               reject_non_fqdn_sender,

               reject_non_fqdn_recipient,

               reject_unknown_sender_domain,

               reject_unknown_recipient_domain,

               reject_unauth_destination,

               reject_rbl_client ix.dnsbl.manitu.net,

               reject_rbl_client sbl-xbl.spamhaus.org,

               reject_rbl_client list.dsbl.org,

               reject_rbl_client relays.ordb.org,

               permit

#------------------------------------------

smtpd_use_tls            = yes

#smtpd_tls_auth_only         = yes

smtpd_tls_key_file         = /etc/ssl/postfix/postfix_key.pem

smtpd_tls_cert_file         = /etc/ssl/postfix/postfix_signed_cert.pem

smtpd_tls_CAfile         = /etc/ssl/postfix/cacert.pem

smtpd_tls_loglevel         = 3

smtpd_tls_received_header      = yes

smtpd_tls_session_cache_timeout      = 3600s

tls_random_source         = dev:/dev/urandom

smtpd_sasl_auth_enable         = yes

smtpd_sasl2_auth_enable         = yes

smtpd_sasl_security_options      = noanonymous

broken_sasl_auth_clients      = yes

smtpd_sasl_local_domain         =

#------------------------------------------

smtp_use_tls            = yes

smtp_tls_note_starttls_offer      = yes

## smtp_sasl_password_maps      = hash:/etc/postfix/saslpass

#------------------------------------------

mailbox_transport         = lmtp:unix:/var/imap/socket/lmtp

fallback_transport         = lmtp:unix:/var/imap/socket/lmtp

fallback_relay            = 192.168.0.1

#------------------------------------------

default_destination_concurrency_limit   = 10

local_destination_concurrency_limit   = 1

lmtp_destination_concurrency_limit   = $default_destination_concurrency_limit

relay_destination_concurrency_limit   = $default_destination_concurrency_limit

smtp_destination_concurrency_limit   = $default_destination_concurrency_limit

virtual_destination_concurrency_limit   = $default_destination_concurrency_limit

maildrop_destination_recipient_limit   = $default_destination_concurrency_limit

cyrus_destination_concurrency_limit   = 1

#------------------------------------------

dspam_distination_recipient_limit   = 1

dspam-add_destination_recipient_limit   = 1

dspam-fp_destinateion_recipient_limit   = 1

#------------------------------------------

max_use               = 10

#------------------------------------------

owner_request_special         = no

recipient_delimiter         = +

#------------------------------------------

lmtp_cache_connection         = NO

#------------------------------------------
```

You need to change "aaa.bbb.ccc.ddd/ee" to your network configuration (aka: ip-address/netmask but in cdir notation) and if you are multihomed (aka: private network) then you need to change "192.168.0.0/24" to your configuration (could be another network then the one I posted). And if you have another SMTP server where you could relay in case of trouble, then please change the line "fallback_relay = 192.168.0.1" to your address (could be a dns name or an ip address in []).

cheers

SteveB

----------

## hardaur

Here's the transport.domain and transport.regexp

Tranport.domain

```

mydomain.com smtp:192.168.0.5

```

transport.regexp

```

/^.*@spam.(.*)$/        dspam-add:${1}

/^.*@ham.(.*)$/         dspam-del:${1}

```

I'll work on those changes you suggested above (gonna have to read and learn as I go, some new stuff there).

Thanks again!!!

P.S.  hehe, nice. . .my next task was to figure out how to do the RBLs. . .thanks!

----------

## steveb

 *hardaur wrote:*   

> P.S.  hehe, nice. . .my next task was to figure out how to do the RBLs. . .thanks!

 if you want more, then you can have them:

```
reject_rbl_client ix.dnsbl.manitu.net

reject_rbl_client sbl-xbl.spamhaus.org

reject_rbl_client list.dsbl.org

reject_rbl_client relays.ordb.org

reject_rbl_client opm.blitzed.org

reject_rbl_client cbl.abuseat.org

reject_rbl_client dul.dnsbl.sorbs.net

reject_rbl_client bl.spamcop.net

reject_rbl_client list.dsbl.org

reject_rbl_client cbl.abuseat.org

reject_rbl_client dnsbl.njabl.org

reject_rbl_client sbl-xbl.spamhaus.org

reject_rbl_client relays.ordb.org

reject_rbl_client dnsbl.ahbl.org

reject_rbl_client dnsbl.sorbs.net

reject_rbl_client relays.visi.com

reject_rbl_client opm.blitzed.org

reject_rbl_client dul.dnsbl.sorbs.net

reject_rbl_client l2.spews.dnsbl.sorbs.net

reject_rbl_client dynablock.njabl.org

reject_rbl_client dun.dnsrbl.net

reject_rbl_client spam.dnsrbl.net

reject_rhsbl_client blackhole.securitysage.com

reject_rhsbl_sender blackhole.securitysage.com

reject_rhsbl_client rhsbl.ahbl.org

reject_rhsbl_sender rhsbl.ahbl.org

reject_rhsbl_client rhsbl.sorbs.net

reject_rhsbl_sender rhsbl.sorbs.net

reject_rhsbl_client block.rhs.mailpolice.com

reject_rhsbl_sender block.rhs.mailpolice.com

reject_rhsbl_client dynamic.rhs.mailpolice.com

reject_rhsbl_sender dynamic.rhs.mailpolice.com

reject_rhsbl_client bogusmx.rfc-ignorant.org

reject_rhsbl_sender bogusmx.rfc-ignorant.org

reject_rhsbl_client dsn.rfc-ignorant.org

reject_rhsbl_sender dsn.rfc-ignorant.org

reject_rhsbl_client abuse.rfc-ignorant.org

reject_rhsbl_sender abuse.rfc-ignorant.org

reject_rhsbl_client postmaster.rfc-ignorant.org

reject_rhsbl_sender postmaster.rfc-ignorant.org
```

remember that here less is often more! don't use all of them. be carefull with your selection!

cheers

SteveB

----------

## hardaur

Typically I've just used spamhaus and spamcop, I haven't seen any significant better results using more.  Did the transport.domain and transport_regexp give anymore hint on my stupid loop.  Starting to get pretty frustrating.  

Here's another description of the problem just to try and provide more info. . .

Outside user to inside user (works fine):

remote user MUA -> remote MTA -> local MTA -> local amavisd ->clamav->local MTA (as I understand it, get's confusing here)->dspam->cyrus->local user MUA

Inside user to outside user (broken)

local user MUA -> local MTA -> local amavisd (here's where it should just be sending to remote MTA, I think) -> clamav -> local MTA (as I understand it)->dspam->cyrus->local user MUA

So if I'm sending from gander@mydomain.com to an external account, for instance, gander@another.domain.edu, there are no errors, but gander@mydomain.com receives the mail, not gander@another.domain.edu.  Another way of saying it, is that it's treating all mail the same *shrug*  The local MTA mentioned above is the postfix I'm trying to get configured.

I'm sure it's simple and stupid, but I'll be damned if I can find it (being a newb to postfix).

G

----------

## steveb

 *hardaur wrote:*   

> Typically I've just used spamhaus and spamcop, I haven't seen any significant better results using more.  Did the transport.domain and transport_regexp give anymore hint on my stupid loop.  Starting to get pretty frustrating.  
> 
> Here's another description of the problem just to try and provide more info. . .
> 
> Outside user to inside user (works fine):
> ...

 okay... please edit your transport.domain to:

```
mydomain.com smtp:[192.168.0.5]
```

btw: why do you transfer your own domain to 192.168.0.5? Is there any reason for that? Is your Postfixruning on 192.168.0.5? If so, then you don't need at all to set the transport for your own domain. You need to set then something like virtual, cyrus, local, maildrop, etc... but not another smtp server address if Postfix is responsable for that domain.

and your transport.regexp to (see the extra \. after ham/spam? and if i look at your master.cf then i see nowhere a dspam-del service! only dspam-fp.):

```
/^.*@spam\.(.*)$/  dspam-add:${1}

/^.*@ham\.(.*)$/   dspam-fp:${1}
```

maybe a better/safer solution would be:

```
/^(.*)@spam\.([\w.-]+\.[\w.-]+)$/  dspam-add:${2}

/^(.*)@ham\.([\w.-]+\.[\w.-]+)$/   dspam-fp:${2}
```

or another way of doing it:

```
if /^.*@(ham|spam)\.(mydomain\.com)$/

/^(hardaur|steveb|user1|user2)@spam\.(.*)$/   dspam-add:${2}

/^(hardaur|steveb|user1|user2)@ham\.(.*)$/   dspam-fp:${2}

endif
```

cheers

SteveB

----------

## hardaur

Ok, I FINALLY know EXACTLY where my problem is, can't figure out how to solve it though.

in master.cf where I'm sending to dspam as a content_filter:

```

127.0.0.1:10025 inet    n       -       n       -       -       smtpd

        -o content_filter=dspam:dummy

        -o local_recipient_maps=

        -o relay_recipient_maps=

        -o smtpd_restriction_classes=

        -o smtpd_client_restrictions=

        -o smtpd_helo_restrictions=

        -o smtpd_sender_restrictions=

        -o smtpd_recipient_restrictions=permit_mynetworks,reject

        -o mynetworks=127.0.0.0/8

        -o strict_rfc821_envelopes=yes

        -o smtpd_error_sleep_time=0

        -o smtpd_soft_error_limit=1001

        -o smtpd_hard_error_limit=1000

        -o smtpd_client_connection_count_limit=0

        -o smtpd_client_connection_rate_limit=0

        -o receive_override_options=no_header_body_checks

dspam           unix    -       n       n       -       -       pipe

        flags=Rhq user=dspam argv=/usr/bin/dspam --user %u --deliver=innocent --mode=teft --feature=chained,noise,whitelist ${user}

```

it sends to dspam on EVERY incoming message (whether from local net or external net).  Then in my dspam.conf, it delivers to cyrus-imap:

```

TrustedDeliveryAgent /usr/lib/cyrus/deliver %u  # Cyrus

```

So no matter what, any and all mail is getting dropped to cyrus-imap, even mail that should be relayed out to an external network.  So the question becomes, how do I get postfix to only deliver to dspam on mail that's incoming from an external network, otherwise it skips dspam?

G

----------

## steveb

 *hardaur wrote:*   

> Ok, I FINALLY know EXACTLY where my problem is, can't figure out how to solve it though.
> 
> in master.cf where I'm sending to dspam as a content_filter:
> 
> ```
> ...

 Adding multiple instances of the smtpd service? aaa.bbb.ccc.ddd is the external ip and vvv.xxx.yyy.zzz is the internal one:

```
aaa.bbb.ccc.ddd:smtp      inet  n       -       n       -       -       smtpd

   -o content_filter=smtp-amavis:[127.0.0.1]:10024

   -o cleanup_service_name=pre-cleanup

vvv.xxx.yyy.zzz:smtp        inet  n       -       n       -       -       smtpd
```

DSPAM should anyway not have anything to deliver when Postfix sends mail. Outbound is complete another issue. But Inbound should go to Amavis and then to DSPAM.

cheers

SteveB

----------

## Ateo

I have an off-topic question concerning transport.regexp... Does each line get processed, in order and the first match wins?

I currently /./ FILTER dspam:dspam which works fine for inbound mail dspam scanning. But I wanted to add a 'spam-learn' and 'ham-learn' services to report spam/ham. Would something like this work?

```
/^(.*)@spam\.([\w.-]+\.[\w.-]+)$/  dspam-add:${2}

/^(.*)@ham\.([\w.-]+\.[\w.-]+)$/   dspam-fp:${2}

/./ FILTER dspam:dspam
```

This is [obviously] so users can forward their spam/ham for retraining (the first 2) and if no match (ie: a new message from the internet), send to dspam and process for normal filtering and delivery to original recipient.

I do need to ask since I am new with adding content filter services... but what does the ${2} in dspam-add:${2} represent?

Thanks

----------

## steveb

 *Ateo wrote:*   

> I do need to ask since I am new with adding content filter services... but what does the ${2} in dspam-add:${2} represent?

 The ${2} is the result from the regex. Everything matched inside brackets is numbered. So ${2} represents the second bracket.

But to be honest:

It would be more easy to let DSPAM handle the FP/FN. If I remember right, then you use PGSQL. Look at this part from my dspam.conf:

```
#

# ParseToHeaders: In lieu of setting up individual aliases for each user,

# DSPAM can be configured to automatically parse the To: address for spam and

# false positive forwards. From there, it can be configured to either set the

# DSPAM user based on the username specified in the header and/or change the

# training class and source accordingly. The options below can be used to

# customize most common types of header parsing behavior to avoid the need for

# multiple aliases, or if using LMTP, aliases entirely..

#

# ParseToHeader: Parse the To: headers of an incoming message. This must be

#                set to 'on' to use either of the following features.

#

# ChangeModeOnParse: Automatically change the class (to spam or innocent)

#   depending on whether spam- or notspam- was specified, and change the source

#   to 'error'. This is convenient if you're not using aliases at all, but

#   are delivering via LMTP.

#

# ChangeUserOnParse: Automatically change the username to match that specified

#   in the To: header. For example, spam-bob@domain.tld will set the username

#   to bob, ignoring any --user passed in. This may not always be desirable if

#   you are using virtual email addresses as usernames. Options:

#     on or user        take the portion before the @ sign only

#     full              take everything after the initial {spam,notspam}-.

#

ParseToHeaders on

ChangeModeOnParse on

ChangeUserOnParse full
```

I think this is more elegant. I personally use mostly the WebUI. Some customers using Outlook are using this method as well. I just have set two buttons in their Outlook to report marked Spam/Ham. For another customer (he is using IBM Domino/Notes) I have written two action buttons doing +/- the same. The big difference is, that I don't send the complete message in Notes. I just send the DSPAM signature and the subject. That's all I send. Ahh... And I change the subject (clearing/adding the tag (depending what action is choosen)) and I change the X-DSPAM-Result header. And for another customer I have written a Perl script which is sitting on his Postfix server and filters the FN/FP depending on the recipient address. The Perl script is doing +/- the same as the above commands except that it allows to report FN/FP and it allows to corpusfy Spam/Ham messages. And it allows to do that globally (one global user db) or on a per user base.

As you see: There are many roads to rome.

cheers

SteveB

----------

