# Postfix installation

## ROGA

Hi, 

I would like to install a Postfix server as a mail gateway for my own home network. I have a firewall with a DMZ and an internal LAN. The Postfix server should sit in the DMZ and forward all incoming mails to the internal mail server in the LAN. Furthermore, the Postfix server should filter all incoming mails for viruses and spam. The Postfix server itself does not have local mailboxes, but it should look up mailboxes via LDAP on an Active Directory server; it only checks the incoming mails and forwards them to the internal mail server in the LAN.

My Question:

I don't know exactly how I should begin. The configuration of Postfix makes me a little bit confused  :Sad:  I didn't find any example with Google that matched my points. 

What I have done is following:

 - installed Gentoo on a virtual machine
 - installed Postfix with the USE flags for ldap and dovecot-sasl
 - installed Postfix as a systemd service
 - configured lookup tables for LDAP (this works halfway, but not as expected)

Is there anybody who can point me in the right direction? How and where do I have to begin?

Thanks for any help

----------

## axl

well, for filtering out content, you need to install amavisd-new (one of the choices - which I can safely recommend) with all the perks. clam, spamassassin. razor. hold on. i'll just query the world file and post some packages you should look at.

a version of syslog, obviously. 

rar / zip. any other type of archiver application you want the spam/antivirus software to be able to read like: app-arch/rar or app-arch/zip. app-crypt/certbot for ssl certs. another discussion. uhm... let me see. mail-filter/dcc, mail-filter/dspam, mail-filter/opendkim, mail-filter/postgrey, mail-filter/razor. mail-filter/spamassassin. I think that's about it. All of these work with mail-filter/amavisd-new, and mail-filter/amavisd-new works with mail-mta/postfix.

The connection between postfix and amavis is pretty simple. 

content_filter=smtp-amavis:[192.168.23.254]:10024

That is pretty much it. in main.cf, ask amavis to filter it. and amavis does that. 

the more complicated problem is delivery to an active whatever windows shit. I have mine set to cyrus-imap. 

mailbox_transport = lmtp:192.168.23.254:2003 (this is cyrus-imap)

(opendkim)

smtpd_milters = inet:192.168.23.254:8891

non_smtpd_milters = inet:192.168.23.254:8891

(postgrey)

check_policy_service inet:192.168.23.254:10030

all of these lines are config options for main.cf for postfix. research them on google. 

Again, sorry I can't help for final storage solution, which is "mailbox_transport".

----------

## ROGA

axl,

thank you very much for your advice. 

I understand that for the content filtering I have to emerge amavis-new and spamassassin. But first, I will have to bring up a running Postfix system that can receive all mails for my own domain and push them further to my internal mail server (and yes, at the moment it is a sh..t Windows server with hmailserver, but I would like to change this to Postfix too).

So first, I would like to configure Postfix in such a way that Postfix looks up recipients via LDAP, and when they do not exist, Postfix should not accept the incoming SMTP connection. On the other hand, if a recipient exists, Postfix should accept the mail and forward it to the internal mail server. 

If this works, in the next step I would like to integrate content filtering with amavis-new and spamassassin.

But for my first goal, how do I have to configure Postfix so that Postfix is responsible for relaying mails for my own domain? I don't want to have local mailboxes on the Postfix server for my internal users. Postfix should queue mails if they have not yet reached the final destination.

In my main.cf I have set:

```
myhostname = mailgw.i-doit.ch
mydomain = i-doit.ch
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 172.16.XYZ.0/24, 192.168.XYZ.0/24, 127.0.0.0/8
```

Is this enough for my first goal? How can I tell Postfix how it can reach my internal mail server for mail delivery?

Do I have to set the alias_map parameter too? As far as I understand, this is only for the local delivery agent, and I don't want to have local users.

So for the purpose of rejecting mail for unknown relay users, I have set this parameter in main.cf too:

```
relay_recipient_maps = ldap:/etc/postfix/relay_recipients.cf
```

The file relay_recipients.cf looks like the following:

```
# Directory settings
domain = i-doit.ch
server_host = 192.168.XYZ.10
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = proxyAddresses
result_attribute = mail
```

With the following command I can do a successful LDAP query on the CLI:

```
postmap -q roland.gantenbein@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
SMTP:roland.gantenbein@i-doit.ch,smtp:rga@los-incas.ch,SMTP:Roland.Gantenbein@los-incas.ch,roland.gantenbein@i-doit.ch
```

The same query with a non-existent user gives me nothing back.

```
postmap -q someone.somewhere@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
```

But when I make a test with telnet, Postfix accepts every mail address in the RCPT TO field:

```
220 mailgw.i-doit.ch ESMTP Postfix
ehlo smtp.foo.bar.com
250-mailgw.i-doit.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from:someone.somewhere@foo.bar.com
250 2.1.0 Ok
rcpt to: someone@i-doit.ch
250 2.1.5 Ok
```

Is there anybody who can help me further at that point?

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]

----------

## nativemad

Hi

I guess you will need $mydomain within the mydestination statement.

Then you'll need to configure smtpd_recipient_restrictions properly. I guess reject_unlisted_recipient is the one you need here, but I would google for examples of a secure config!

I also guess that you need to set the relay_domains and relay_host to send mails to the win server.

Alias_map shouldn't be necessary here.

HTH, cheers

----------

## ROGA

Hi nativemad,

thanks for your advice.

With Google's help I found a configuration example that more or less meets my needs. I found it here

/etc/postfix/main.cf looks now like this:

```
myhostname = mailgw.i-doit.ch
mydomain = i-doit.ch
inet_interfaces = $myhostname, localhost
mydestination =
local_recipient_maps =
mynetworks = 127.0.0.0/8, 172.16.XYZ.0/24, 192.168.XYZ.0/24
parent_domain_matches_subdomains = debug_peer_list, smtpd_access_maps
relay_domains = i-doit.ch,los-incas.ch
#relay_recipient_maps = ldap:/etc/postfix/relay_recipients.cf
relay_recipient_maps = hash:/etc/postfix/recipients
smtpd_relay_restrictions = permit_mynetworks,
    relay_recipient_maps,
    reject_unauth_destination
local_transport = error:local mail delivery is disabled
transport_maps = hash:/etc/postfix/transport
```

The problem now is that when I activate relay_recipient_maps with LDAP lookups, it doesn't work for me  :Sad:  Only when I create the file recipients as follows

```
roland.gantenbein@i-doit.ch       x
rga@i-doit.ch                     x
roland.gantenbein@los-incas.ch    x
rga@los-incas.ch                  x
```

and then on the CLI do

```
postmap hash:/etc/postfix/recipients
```

to create the corresponding db file recipients.db, then it works.

Why does LDAP not work?

Please help!! It makes me crazy!!!

ADDENDUM:

I found out why LDAP is not working as expected. When I make an LDAP query, it only works with one mail address, although I have more than one there. 

I have three attributes with the name proxyAddresses, like this:

```
proxyAddresses smtp:roland.gantenbein@i-doit.ch
proxyAddresses smtp:rga@los-incas.ch
proxyAddresses smtp:rga@i-doit.ch
```

And only with the first entry (roland.gantenbein@i-doit.ch) did the LDAP query match, but I always tested with rga@i-doit.ch because it was shorter to write. 

So I have to find a way to receive exactly the one mail address that matched, but I have no clue how to do that  :Sad: 

I keep searching …

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]

----------

## alamahant

Have you used the proper USE flags when emerging postfix and openldap?

Please have a look at this:

http://www.postfix.org/LDAP_README.html

But kindly allow me the question: if this is your home LAN, why would you need an LDAP server to store the persons' info?

It would be much easier to configure 5-10 virtual mailboxes on your Postfix server.

:Smile:

Last edited by alamahant on Wed Jul 31, 2019 12:44 am; edited 1 time in total

----------

## nativemad

I guess you are still using the already posted relay_recipients.cf.

There you showed with the postmap command, that your proxyAddress attribute in ldap holds multiple comma separated smtp:addresses.

The query filter on the other hand only looks for one address within the field, without wildcards... try

```
query_filter = (&(objectclass=person)(proxyAddresses=*smtp:%s*))
```

----------

## ROGA

@alamahant

Yes, I think I have emerged Postfix with the proper USE flags, so Postfix itself with LDAP support is working.

Why I need LDAP is simple. At the moment, I have a Windows server with hmailserver as mail server. This server is configured, up and running, and the users' email addresses are still stored in Active Directory. Later, I would like to replace this server with a new Postfix server, but not now. First I will build a mail gateway that acts only as a filter for all incoming mails, and lastly I would also like to learn more about Postfix.

But you are right: in the end, it's easier to build a Postfix mail server with 5-10 virtual mailboxes. That's my goal as well  :Smile: 

----------

## ROGA

@nativemad,

I tried your suggestion, but without success.

I'm not an LDAP guru and do not know much about such LDAP queries. I've made some tests and found out that it does not make a difference whether I use the asterisk (*) in the query_filter or not. 

My relay_recipients.cf looks like before, but with your suggestions:

LDAP query:

```
# Directory settings
domain = i-doit.ch
server_host = 192.168.xyz.10
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=*smtp:%s*))
leaf_result_attribute = proxyAddresses
result_attribute = mail
```

The test gave me:

Result:

```
postmap -q roland.gantenbein@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
SMTP:roland.gantenbein@i-doit.ch,smtp:rga@los-incas.ch,SMTP:Roland.Gantenbein@los-incas.ch,roland.gantenbein@i-doit.ch
```

and without the asterisk (*) the same result:

LDAP-Query:

```
# Directory settings
domain = i-doit.ch
server_host = 192.168.xyz.10
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = proxyAddresses
result_attribute = mail
```

Result:

```
postmap -q roland.gantenbein@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
SMTP:roland.gantenbein@i-doit.ch,smtp:rga@los-incas.ch,SMTP:Roland.Gantenbein@los-incas.ch,roland.gantenbein@i-doit.ch
```

Next, I was wondering if it makes a difference when I comment out the line leaf_result_attribute = proxyAddresses. Yes, it does! The result then is only one address.

LDAP-Query:

```
# Directory settings
domain = i-doit.ch
server_host = 192.168.xyz.10
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
#leaf_result_attribute = proxyAddresses
result_attribute = mail
```

Result:

```
postmap -q roland.gantenbein@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
roland.gantenbein@i-doit.ch
```

At this moment I realized that I actually had two return values: leaf_result_attribute = and result_attribute =. I found out that in this case the return value is coming from the LDAP attribute mail, and its value was roland.gantenbein@i-doit.ch without the leading smtp:. That's not what I want. I want the value from the attribute proxyAddresses. I don't know the difference between "leaf_result_attribute =" and "result_attribute =", so that's why I commented out "leaf_result_attribute =" and replaced "result_attribute = mail" with "result_attribute = proxyAddresses", and that was the result:

LDAP-Query:

```
# Directory settings
domain = i-doit.ch
server_host = 192.168.xyz.10
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
#leaf_result_attribute = proxyAddresses
result_attribute = proxyAddresses
```

Result:

```
postmap -q roland.gantenbein@i-doit.ch ldap:/etc/postfix/relay_recipients.cf
SMTP:roland.gantenbein@i-doit.ch,smtp:rga@los-incas.ch,SMTP:Roland.Gantenbein@los-incas.ch
```

So far so good. Now I have only three return values, but that's not quite perfect yet! I don't want to have all mail addresses as return values. How can I retrieve only the one that matched my query?

After this I also wanted to test with another mail address of mine.

```
postmap -q roland.gantenbein@los-incas.ch ldap:/etc/postfix/relay_recipients.cf
```

But in this case no result, no value came back! Why? What's going wrong here?

So my question: how can I retrieve only the mail address that matched my query, and why couldn't I query the other proxyAddresses attributes?

Is there anybody who knows about LDAP queries?

Help is very welcome  :Smile: 

----------

## nativemad

As it is one attribute, you can't filter out single values of it with a simple ldap filter afaik. These things should be done via result_format

I guess it should not matter which attribute you return, as long as it gives a result - an x as result would be enough, as you can see with the db-file instead of ldap. That would mean that the result_attribute is not that important at all!?

Add "debuglevel = 5" in your virtual_mailbox_maps.cf to generate some useful logs.

...If you want to get rid of the mailserver on win anyway, you could also use local delivery to dovecot that is much better documented than relaying and would be your goal anyway. Then use fetchmail to get the mails via pop3 from dovecot and feed it via smtp to the win-mail-server.   :Wink: 

----------

## ROGA

Hi nativemad,

> As it is one attribute, you can't filter out single values of it with a simple ldap filter afaik.

My LDAP browser shows me that proxyAddresses are multiple attributes, not a single one, or did I misinterpret the LDAP browser? There are columns like this:

```
Attribute                Value                                    Type    Size
proxyAddresses           smtp:roland.gantenbein@i-doit.ch         Text    32
proxyAddresses           smtp:rga@los-incas.ch                    Text    21
proxyAddresses           smtp:roland.gantenbein@los-incas.ch      Text    35
name                     Roland Gantenbein                        Text    17
```

> I guess it should not matter which attribute you return, as long as it gives a result - an x as result would be enough, as you can see with the db-file instead of ldap. That would mean that the result_attribute is not that important at all!? 

Ok, I think you're right! That makes sense! But why do the other mail addresses not match? I receive no result when I'm querying for rga@los-incas.ch or roland.gantenbein@los-incas.ch or rga@i-doit.ch. This I actually do not understand.

> Add "debuglevel = 5" in your virtual_mailbox_maps.cf to generate some useful logs. 

I don't have a virtual_mailbox_maps.cf file. What is this for?

> ...If you want to get rid of the mailserver on win anyway, you could also use local delivery to dovecot that is much better documented than relaying and would be your goal anyway. Then use fetchmail to get the mails via pop3 from dovecot and feed it via smtp to the win-mail-server

Later, yes, but now my goal is to build a mail gateway server with content filtering and antivirus protection. This constellation I can use for other scenarios as well.

So I have to keep searching for my solution (that will be a hard time for me).

If you have more hints for me, you're welcome  :Smile: 

----------

## nativemad

Ah sorry, my fault, I looked it up on my config and forgot that your file is named differently... Actually, you can set that debuglevel option on all your desired ldap map files!  :Wink: 

Good catch with the proxyAddresses! That changes quite a bit!

It could also be that the ldap result needs to be the email address that got requested. That would be a bit different to the behaviour of the filedb and would also mean that the "result_attribute" only works in the examples with the "mail" attribute, as they always just have a single proxyAddress attribute - and only test for that one!

This would then mean that you of course need to filter the single proxyAddress attribute that matches, and without the smtp: prefix!

```
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
result_format = smtp:[%s]
result_attribute = proxyAddresses
```

I would try that with the debug option set... Maybe you'll see what's going on.

I guess I need some vacations soon!   :Rolling Eyes: 

----------

## ROGA

Hi nativemad,

> I guess I need some vacations soon!

Thanks for your patience, I hope that I'm not responsible for this   :Wink: 

I have new insights  :Smile: 

First, the debug option helped me to find out whether postmap or postfix were working properly. I saw that postmap does not run when I query mail addresses for the domain los-incas.ch. The reason was the following: in the file relay_recipients.cf I had to add the additional domain name los-incas.ch for my other email addresses. Without this, postmap or postfix does nothing when I make queries for @los-incas.ch!

```
# Directory settings
domain = i-doit.ch,los-incas.ch
server_host = 192.168.241.201
search_base = OU=HomeLAN,DC=i-doit,DC=ch
version = 3

# User Binding
bind = yes
bind_dn = CN=ADSearchUser,CN=Users,DC=i-doit,DC=ch
bind_pw = ADSearchUser

# Filter
query_filter = proxyAddresses=smtp:%s
result_attribute = mail
```

As you said, it doesn't matter which value is returned by result_attribute. In my case, I used the attribute mail as the return value. This means that when the query succeeds, the return value will always be the same. Now the query for valid recipients works for me! 

Now the next step would be to forward or relay the incoming mails to my internal mail server (Windows hmailserver). If this works, I will try to implement amavis-new and spamassassin.
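As an added illustration that is not part of the thread and not Postfix code: the script below emulates how a Postfix ldap: table resolves a lookup key according to ldap_table(5), using a constructed in-memory stand-in for the AD entry shown above. It reproduces the three points the thread worked through: an empty result for @los-incas.ch keys while `domain` lists only i-doit.ch, the three comma-joined values when `result_attribute = proxyAddresses`, and the fact that relay_recipient_maps only needs a non-empty result. The filter evaluator is a simplification built for the example.

```python
"""Added example for this thread, not Postfix code: an emulation of how a
Postfix ldap: table resolves a lookup key, following ldap_table(5). It
models the 'domain' parameter, '%s'/'%u'/'%d' substitution in query_filter,
a multi-valued result_attribute, and result_format. Not modelled:
leaf_result_attribute, RFC 2254 escaping, and %u/%d inside result_format."""
import re

# Constructed stand-in for the AD subtree, mirroring the entry shown in the
# LDAP browser output earlier in the thread (values are as posted).
DIRECTORY = [
    {
        "objectClass": ["top", "person", "user"],
        "mail": ["roland.gantenbein@i-doit.ch"],
        "proxyAddresses": [
            "SMTP:roland.gantenbein@i-doit.ch",
            "smtp:rga@los-incas.ch",
            "SMTP:Roland.Gantenbein@los-incas.ch",
        ],
    },
]


def parse_cf(text):
    """Parse the 'key = value' lines of a Postfix ldap table file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def attr_values(entry, name):
    """Values of an attribute; LDAP attribute names are case-insensitive."""
    for attr, values in entry.items():
        if attr.lower() == name.lower():
            return values
    return []


def value_matches(pattern, value):
    """One equality/substring assertion: '*' is the only wildcard, and the
    comparison is case-insensitive, as for AD's proxyAddresses."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def entry_matches(entry, flt):
    """Evaluate the filter shapes used in the thread: 'a=v', '(a=v)', '(&(a=v)(b=w))'."""
    flt = flt.strip()
    if flt.startswith("(&") and flt.endswith(")"):
        return all(entry_matches(entry, part)
                   for part in re.findall(r"\([^()]*\)", flt[2:-1]))
    name, _, pattern = flt.strip("()").partition("=")
    return any(value_matches(pattern, v) for v in attr_values(entry, name))


def ldap_lookup(cfg, key):
    """Return what 'postmap -q KEY ldap:FILE' prints, or None for no match."""
    local, _, domain = key.rpartition("@")
    domains = [d.strip().lower() for d in cfg.get("domain", "").split(",")
               if d.strip()]
    # ldap_table(5) 'domain': when set, keys outside the listed domains are
    # never sent to the server, which is why the @los-incas.ch queries
    # earlier in the thread came back empty.
    if domains and domain.lower() not in domains:
        return None
    flt = (cfg["query_filter"].replace("%s", key)
           .replace("%u", local).replace("%d", domain))
    attrs = [a.strip() for a in cfg.get("result_attribute", "").split(",")
             if a.strip()]
    fmt = cfg.get("result_format", "%s")
    results = [fmt.replace("%s", value)
               for entry in DIRECTORY if entry_matches(entry, flt)
               for attr in attrs for value in attr_values(entry, attr)]
    # Postfix joins the values of all result attributes with commas.
    return ",".join(results) if results else None


def relay_recipient_accepted(cfg, key):
    """relay_recipient_maps only asks whether the lookup returns anything."""
    return ldap_lookup(cfg, key) is not None


ONE_DOMAIN = parse_cf("""
domain = i-doit.ch
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
result_attribute = proxyAddresses
""")

BOTH_DOMAINS = parse_cf("""
domain = i-doit.ch,los-incas.ch
query_filter = proxyAddresses=smtp:%s
result_attribute = mail
""")

if __name__ == "__main__":
    for cfg in (ONE_DOMAIN, BOTH_DOMAINS):
        for key in ("roland.gantenbein@i-doit.ch", "rga@los-incas.ch",
                    "someone@i-doit.ch"):
            print(cfg["domain"], key, "->", ldap_lookup(cfg, key))
```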

----------

## C5ace

ROGA:

I run my own mail server for internal and external mail users. My setup:

External mail server name : mail.c5ace.com

Internal domain: itw.lan

ISP's DNS server A and PTR records point mail.c5ace.com to 220.245.219.18 (static IP address of my ADSL modem/NAT router with built-in port forwarding). DMZ is disabled.

Mail server local IP address: 192.168.0.103 (itw.lan).

The relevant mail ports are forwarded to 220.245.219.18. 

The server itself is Debian 9 with ISPconfig (www.ispconfig.org) installed with mail, DNS and Webserver enabled. ISPconfig should also work on top of a Gentoo server. 

Installation instructions for Debian and others: www.ispconfig.org/documentation.

www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/

Take your time to read this. 

Detailed configuration is available in their EUR 5.00 / 400 page user manual. www.ispconfig.org/documentation/user-manual/

My mail users can access their IMAP or POP3 mailbox and send mail from within the LAN and anywhere in the world using their Linux or Windows mail clients or webmail.

----------

## ROGA

Postfix is now working with amavis-new. But I have a strange behavior. I want unknown SMTP connections to be rejected, but it seems not to be working.  :Sad: 

This is my main.cf :

```
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
#header_checks = pcre:/etc/postfix/header_checks
#body_checks = pcre:/etc/postfix/body_checks
smtpd_helo_required = yes
smtpd_client_restrictions =
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_reverse_client_hostname
smtpd_helo_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_sender_domain
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
#    reject_rbl_client sbl-xbl.spamhaus.org,
smtpd_sender_restrictions =
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unknown_sender_domain,
    warn_if_reject reject_unverified_sender
content_filter = amavis:[127.0.0.1]:10024
local_transport = error:local mail delivery is disabled
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
```

I've tried various options like smtpd_client_restrictions = reject_unknown_client_hostname or smtpd_sender_restrictions = reject_unknown_client_hostname, but nothing seems to work.

In my log I always see:

```
Aug 05 12:04:36 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 220 mailgw.i-doit.ch ESMTP Postfix
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: EHLO User
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: match_list_match: unknown: no match
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: match_list_match: 185.137.111.5: no match
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-mailgw.i-doit.ch
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-PIPELINING
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-SIZE 10240000
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-VRFY
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-ETRN
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-ENHANCEDSTATUSCODES
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-8BITMIME
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-DSN
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-SMTPUTF8
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250 CHUNKING
Aug 05 12:04:38 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: RSET
Aug 05 12:04:38 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250 2.0.0 Ok
Aug 05 12:04:39 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: AUTH LOGIN
Aug 05 12:04:39 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 502 5.5.1 Error: command not implemented
Aug 05 12:04:40 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: QUIT
Aug 05 12:04:40 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 221 2.0.0 Bye
```

I expected that Postfix would reject an unknown connection, but it doesn't.  :Sad: 

Please, can someone help me! I don't know how I can achieve that.
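An added example, not from the thread: in the log above the client never sends MAIL FROM or RCPT TO, and with Postfix's default smtpd_delay_reject = yes the client, HELO and sender restrictions are only evaluated once RCPT TO arrives, so a session that only sends EHLO, AUTH LOGIN and QUIT is never rejected by them (the 502 is the ordinary answer to AUTH on a listener without SASL). The script parses smtpd verbose log lines in the format quoted above over a constructed sample (the quoted session plus a second, invented session that does reach RCPT TO) and reports, per session, whether the restriction stage was ever reached.

```python
"""Added example for this thread, not Postfix code: summarise verbose
postfix/smtpd log lines of the '< client: COMMAND' / '> client: REPLY'
form, one session per smtpd process id, to see how far each client got.
With Postfix's default smtpd_delay_reject = yes, the client, HELO and
sender restrictions are only evaluated at RCPT TO, so a session that never
sends RCPT TO cannot be rejected by them. SAMPLE_LOG is constructed in the
same layout as the log quoted in the post."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) postfix/smtpd"
    r"\[(?P<pid>\d+)\]: (?P<dir>[<>]) (?P<client>\S+): (?P<text>.*)$"
)

# Constructed sample: the AUTH probe from the post, then an invented second
# client (documentation address 203.0.113.7) that gets as far as RCPT TO.
SAMPLE_LOG = """\
Aug 05 12:04:36 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 220 mailgw.i-doit.ch ESMTP Postfix
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: EHLO User
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: match_list_match: unknown: no match
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250-mailgw.i-doit.ch
Aug 05 12:04:37 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250 CHUNKING
Aug 05 12:04:38 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: RSET
Aug 05 12:04:38 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 250 2.0.0 Ok
Aug 05 12:04:39 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: AUTH LOGIN
Aug 05 12:04:39 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 502 5.5.1 Error: command not implemented
Aug 05 12:04:40 mailgw postfix/smtpd[4917]: < unknown[185.137.111.5]: QUIT
Aug 05 12:04:40 mailgw postfix/smtpd[4917]: > unknown[185.137.111.5]: 221 2.0.0 Bye
Aug 05 12:05:02 mailgw postfix/smtpd[4921]: > unknown[203.0.113.7]: 220 mailgw.i-doit.ch ESMTP Postfix
Aug 05 12:05:02 mailgw postfix/smtpd[4921]: < unknown[203.0.113.7]: EHLO bogus
Aug 05 12:05:02 mailgw postfix/smtpd[4921]: > unknown[203.0.113.7]: 250 CHUNKING
Aug 05 12:05:03 mailgw postfix/smtpd[4921]: < unknown[203.0.113.7]: MAIL FROM:<someone@example.org>
Aug 05 12:05:03 mailgw postfix/smtpd[4921]: > unknown[203.0.113.7]: 250 2.1.0 Ok
Aug 05 12:05:03 mailgw postfix/smtpd[4921]: < unknown[203.0.113.7]: RCPT TO:<rga@i-doit.ch>
Aug 05 12:05:03 mailgw postfix/smtpd[4921]: > unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]
Aug 05 12:05:04 mailgw postfix/smtpd[4921]: < unknown[203.0.113.7]: QUIT
Aug 05 12:05:04 mailgw postfix/smtpd[4921]: > unknown[203.0.113.7]: 221 2.0.0 Bye
"""


def parse_sessions(log_text):
    """Group '<' commands and '>' replies by smtpd pid, in log order.
    Lines of other shapes (e.g. match_list_match debug output) are skipped."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        session = sessions.setdefault(m["pid"], {"client": m["client"],
                                                 "events": []})
        session["events"].append((m["dir"], m["text"]))
    return sessions


def summarise(session):
    """How far the client got, and what the server said to its first RCPT TO."""
    events = session["events"]
    verbs = [text.split()[0].upper() for d, text in events
             if d == "<" and text.strip()]
    rcpt_reply = None
    seen_rcpt = False
    for d, text in events:
        if d == "<" and text.upper().startswith("RCPT"):
            seen_rcpt = True
        elif d == ">" and seen_rcpt and rcpt_reply is None:
            rcpt_reply = text
    reached_rcpt = "RCPT" in verbs
    return {
        "client": session["client"],
        "commands": verbs,
        # False means none of the smtpd_*_restrictions ran for this session.
        "restrictions_evaluated": reached_rcpt,
        "rcpt_reply": rcpt_reply,
        "rejected_at_rcpt": rcpt_reply is not None and rcpt_reply[:1] in ("4", "5"),
        # AUTH sent to a listener without SASL only ever gets a 502; worth
        # counting, but it is not something the restrictions ever see.
        "auth_probe": "AUTH" in verbs and not reached_rcpt,
    }


def report(log_text):
    """One summary dict per session, keyed by smtpd pid."""
    return {pid: summarise(s) for pid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for pid, summary in report(SAMPLE_LOG).items():
        print(pid, summary)
```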

----------

## ROGA

@C5ace,

Thanks for your advice.

ISPConfig could be an alternative for managing a Postfix server with amavis-new etc., but I think it's not really simple to install on a Gentoo box. Gentoo isn't officially supported and I couldn't find a howto for my needs. So I'd better stay with my old-school config files and learn a little bit more.   :Wink: 

Thanks anyway

----------

## C5ace

My /etc/postfix/main.cf:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server-2.itw.lan
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = server-2.itw.lan, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access,
    reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname,
    check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
```

My /etc/postfix/master.cf:

```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

# 

# ====================================================================

# Old example of delivery via Cyrus.

# 

#old-cyrus unix  -       n       n       -       -       pipe

#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

#

# ====================================================================

#

# 

# See the Postfix UUCP_README file for configuration details.

# 

uucp      unix  -       n       n       -       -       pipe

  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

#   

# Other external delivery methods.

# 

ifmail    unix  -       n       n       -       -       pipe

  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp     unix  -       n       n       -       -       pipe

  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient

scalemail-backend unix  -       n       n       -       2       pipe

  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

mailman   unix  -       n       n       -       -       pipe

  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

  ${nexthop} ${user}

dovecot   unix  -       n       n       -       -       pipe

  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

amavis unix - - - - 2 smtp

        -o smtp_data_done_timeout=1200

        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd

        -o content_filter=

        -o local_recipient_maps=

        -o relay_recipient_maps=

        -o smtpd_restriction_classes=

        -o smtpd_client_restrictions=

        -o smtpd_helo_restrictions=

        -o smtpd_sender_restrictions=

        -o smtpd_recipient_restrictions=permit_mynetworks,reject

        -o mynetworks=127.0.0.0/8

        -o strict_rfc821_envelopes=yes

        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

127.0.0.1:10027 inet n - n - - smtpd

        -o content_filter=

        -o local_recipient_maps=

        -o relay_recipient_maps=

        -o smtpd_restriction_classes=

        -o smtpd_client_restrictions=

        -o smtpd_helo_restrictions=

        -o smtpd_sender_restrictions=

        -o smtpd_recipient_restrictions=permit_mynetworks,reject

        -o mynetworks=127.0.0.0/8

        -o strict_rfc821_envelopes=yes

        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

        -o smtp_send_xforward_command=yes

         -o milter_default_action=accept

        -o milter_macro_daemon_name=ORIGINATING

        -o disable_dns_lookups=yes
```

The above may provide you with some pointers to your problem.

Edit:

A few years back I used to run iredmail as a Gentoo mail server in VirtualBox.

https://www.howtoforge.com/build-a-free-full-featured-mail-server-on-gentoo-linux-with-iredmail

----------

## freke

 *ROGA wrote:*   

> Postfix now is working with amavis-new. But I have a strange behavior. I want that unknown smtp connections are rejected but it seems not to be working. 
> 
> This is my main.cf :
> 
> ```
> ...
> ```

 

Are those spurious dots I see? - do they cause trouble?

 *Quote:*   

> ```
> smtpd_client_restrictions =.
> ...
> ```

```
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_reverse_client_hostname
```

I don't know how postfix behaves when doing both reject and warn_if_reject.

My relevant main.cf-part

```
smtpd_helo_required = yes

smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/maps/access_client
        warn_if_reject reject_unknown_reverse_client_hostname

smtpd_helo_restrictions =
        warn_if_reject reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname

smtpd_sender_restrictions =
        warn_if_reject reject_unknown_sender_domain
        reject_non_fqdn_sender

smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination

smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/maps/sender_access
        permit_mynetworks
        permit_sasl_authenticated
        reject_unknown_recipient_domain
        reject_non_fqdn_recipient
        check_recipient_access hash:/etc/postfix/maps/recipient
        check_policy_service inet:mail.vlh.dk:10030
        check_policy_service inet:mail.vlh.dk:12525
        check_policy_service unix:private/policyd-spf

smtpd_data_restrictions =
        reject_unauth_pipelining
```

----------

## ROGA

Hi freke,

thanks for your help!

I removed the spurious dots. They came from the Midnight Commander (mc). I found out that they do not cause trouble, because after the changes Postfix still does not reject the unknown connections. I also commented out all the warn_if_reject_unknown_reverse_client_hostname in my main.cf but still have no luck.

Am I correct in the assumption that Postfix must immediately terminate the connection with unknown hosts? For example, this is what I see in my log when I make a telnet connection to Postfix:

Telnet session:

```
telnet mail.i-doit.ch 25
220 mail.los-incas.ch ESMTP
```

Postfix Log:

```
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: connection established
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: master_notify: status 0
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: name_mask: resource
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: name_mask: software
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: connect from unknown[217.192.91.138]
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: unknown: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: 217.192.91.138: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: unknown: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: 217.192.91.138: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 127.0.0.0/8
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostaddr: smtpd_client_event_limit_exceptions: 217.192.91.138 ~? 127.0.0.0/8
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 172.16.241.0/24
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostaddr: smtpd_client_event_limit_exceptions: 217.192.91.138 ~? 172.16.241.0/24
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 192.168.241.0/24
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_hostaddr: smtpd_client_event_limit_exceptions: 217.192.91.138 ~? 192.168.241.0/24
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: unknown: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: match_list_match: 217.192.91.138: no match
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: send attr request = connect
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: send attr ident = smtp:217.192.91.138
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: private/anvil: wanted attribute: status
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute name: status
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute value: 0
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: private/anvil: wanted attribute: count
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute name: count
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute value: 1
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: private/anvil: wanted attribute: rate
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute name: rate
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute value: 1
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: private/anvil: wanted attribute: (list terminator)
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: input attribute name: (end)
Aug 06 08:42:59 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 220 mailgw.i-doit.ch ESMTP Postfix
```

You can see unknown[217.192.91.138] in the last line ... but the connection is not rejected and my telnet connection is still up. Should Postfix not disconnect the session immediately?

I also had implemented the option: 

```
smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname
```

After that, I sent the command ehlo User to Postfix.

Telnet session.

```
220 mail.i-doit.ch ESMTP
ehlo User
250-mail.i-doit.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
```

As you can see here, in the first line I sent the command helo, which isn't an FQDN:

Postfix log:

```
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: < unknown[217.192.91.138]: ehlo User
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: match_list_match: unknown: no match
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: match_list_match: 217.192.91.138: no match
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-mailgw.i-doit.ch
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-PIPELINING
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-SIZE 10240000
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-VRFY
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-ETRN
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-ENHANCEDSTATUSCODES
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-8BITMIME
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-DSN
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250-SMTPUTF8
Aug 06 08:46:00 mailgw postfix/smtpd[13121]: > unknown[217.192.91.138]: 250 CHUNKING
```

and the connection still is up  :Sad: 

Who knows more about Postfix and this behaviour with rejecting connections? What am I doing wrong? Can anybody point me in the right direction?

Help is really, really welcome   :Wink: 

----------

## freke

Can't test on my server until after work (6 hours-ish), but I found this:

https://serverfault.com/questions/583171/postfix-does-not-reject-wrong-client-and-helo-name

Do you have smtpd_delay_reject = yes (from the link it seems to be the default)? That seems to change the behaviour.

 *Quote:*   

> Ok, the test case was wrong. Respectively I was not aware of the smtpd_delay_reject option which is by default set to yes. With this option postfix does not check the restriction right after each command but waits with all checks until HELO, MAIL FROM and RCPT TO commands received. See http://www.postfix.org/postconf.5.html#smtpd_delay_reject

 

 *Quote:*   

> smtpd_delay_reject (default: yes)
> 
> Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
> 
> This feature is turned on by default because some clients apparently mis-behave when the Postfix SMTP server rejects commands before RCPT TO.
> ...

 

----------

## ROGA

Hi freke,

You're really great!! 

That's exactly the reason why Postfix does not reject hosts immediately as I expected. Now it seems to work, but I saw that Postfix tells me it does reject the host, yet the connection still persists. Is this behaviour OK, or can we change it so that Postfix disconnects the session?

----------

## freke

It seems to keep the connection open till the client issues a quit (or maybe there's also a timeout?) - but for me it apparently doesn't accept anything but 'quit'; other commands give access denied.

But I found this - https://serverfault.com/questions/645450/tell-postfix-to-close-connection-right-after-relay-access-denied

Seems like if you set

```
smtpd_hard_error_limit = 1
```

Postfix will disconnect the session if any error is encountered (the default value is 20, I believe).

----------

## ROGA

Hi freke,

thank you very much! That's exactly what I want!   :Wink: 

In the link that you posted it was described:

 *Quote:*   

> The bad news is we can't filter which error that triggered smtpd_hard_error_limit.

 

But when you put the line smtpd_soft_error_limit = 1 before smtpd_hard_error_limit = 1 in main.cf, then Postfix logs the reason for the disconnection. That works great!!

main.cf

```
#
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
```

Telnet session:

```
telnet mail.i-doit.ch 25
220 mail.i-doit.ch ESMTP 
ehlo User 
504 5.5.2 <user:> Helo command rejected: need fully-qualified hostname
421 4.7.0 mailgw.i-doit.ch error: too many errors
Connection closed by foreign host.
```

Postfix Log:

```
Aug 06 14:30:46 mailgw postfix/smtpd[3427]: connect from mail.erz-technet.ch[212.243.177.250]
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: NOQUEUE: reject: EHLO from mail.erz-technet.ch[212.243.177.250]: 504 5.5.2 <user>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<user>
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: too many errors after EHLO from mail.erz-technet.ch[212.243.177.250]
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: disconnect from mail.erz-technet.ch[212.243.177.250] ehlo=0/1 commands=0/1
```

btw: do you use amavis-new with clamav in your Gentoo box? The reason I'm asking is that I have errors in my log file. I made a test with an email + eicar (test virus) and my log shows this:

```
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) ClamAV-clamd: Connecting to socket  /var/run/clamav/clamd.ctl
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) new socket by IO::Socket::UNIX to /var/run/clamav/clamd.ctl, timeout set to 10
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Permission denied
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) get_deadline ask_daemon_internal - deadline in 480.0 s, set to 288.000 s
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) prolong_timer ask_daemon_internal: timer 288, was 10, deadline in 480.0 s
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (1)
Aug 06 15:11:59 mailgw amavis[2896]: (02896-02) ClamAV-clamd: sleeping for 1 s
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) get_deadline ask_daemon_internal_connect - deadline in 479.0 s, set to 10.000 s
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) prolong_timer ask_daemon_internal_connect: timer 10, was 287, deadline in 479.0 s
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) ClamAV-clamd: Connecting to socket  /var/run/clamav/clamd.ctl, retry #1
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) new socket by IO::Socket::UNIX to /var/run/clamav/clamd.ctl, timeout set to 10
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: Permission denied
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) get_deadline ask_daemon_internal - deadline in 479.0 s, set to 288.000 s
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) prolong_timer ask_daemon_internal: timer 288, was 10, deadline in 479.0 s
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Aug 06 15:12:00 mailgw amavis[2896]: (02896-02) ClamAV-clamd: sleeping for 6 s
Aug 06 15:12:01 mailgw postfix/smtpd[3462]: disconnect from mail.erz-technet.ch[212.243.177.250] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
```

There seems to be a problem with the unix socket. I tried many things to resolve this issue but nothing worked. It's very strange  :Sad:  Why can amavis not connect to the clamav socket? I'm on Gentoo with systemd; can this be the reason?

Do you know that problem or can you give me a hint?

----------
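As an added example (not code from this thread or from Postfix), a small Python parser over constructed smtpd log lines modelled on the ones ROGA posted: it groups lines by smtpd process id and pairs each `NOQUEUE: reject` with the `too many errors` and `disconnect` lines of the same session, which is how the disconnect reason becomes recoverable once `smtpd_soft_error_limit = 1` precedes `smtpd_hard_error_limit = 1`. The third session (pid 3500, client 203.0.113.5) is invented here to show a client restriction that `smtpd_delay_reject = yes` has deferred to RCPT TO.

```python
import re
from collections import OrderedDict

# Constructed sample log: sessions 3427 and 3462 follow the lines ROGA posted above; session
# 3500 (client 203.0.113.5) is made up to show a reject postponed to RCPT TO by smtpd_delay_reject.
SAMPLE_LOG = """\
Aug 06 14:30:46 mailgw postfix/smtpd[3427]: connect from mail.erz-technet.ch[212.243.177.250]
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: NOQUEUE: reject: EHLO from mail.erz-technet.ch[212.243.177.250]: 504 5.5.2 <user>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<user>
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: too many errors after EHLO from mail.erz-technet.ch[212.243.177.250]
Aug 06 14:30:54 mailgw postfix/smtpd[3427]: disconnect from mail.erz-technet.ch[212.243.177.250] ehlo=0/1 commands=0/1
Aug 06 15:12:01 mailgw postfix/smtpd[3462]: disconnect from mail.erz-technet.ch[212.243.177.250] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 06 16:01:10 mailgw postfix/smtpd[3500]: connect from unknown[203.0.113.5]
Aug 06 16:01:12 mailgw postfix/smtpd[3500]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.5]; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<User>
Aug 06 16:01:12 mailgw postfix/smtpd[3500]: too many errors after RCPT from unknown[203.0.113.5]
Aug 06 16:01:12 mailgw postfix/smtpd[3500]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 commands=2/3
"""

LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]$")
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from \S+\[[^\]]+\]: "
                       r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*?);")
ERRORS_RE = re.compile(r"^too many errors after \w+ from ")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_sessions(log_text):
    """Group smtpd lines by process id (one smtpd process serves one client session).
    Returns pid -> {client, rejects, hard_limit_hit, counters} in log order."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid", "msg")
        s = sessions.setdefault(pid, {"client": None, "rejects": [], "hard_limit_hit": False, "counters": {}})
        c, r, d = CONNECT_RE.match(msg), REJECT_RE.match(msg), DISCONNECT_RE.match(msg)
        if c:
            s["client"] = (c.group("host"), c.group("ip"))
        elif r:  # the reject itself; with smtpd_soft_error_limit = 1 it precedes 'too many errors'
            s["rejects"].append((r.group("stage"), int(r.group("code")), r.group("esc"), r.group("reason")))
        elif ERRORS_RE.match(msg):  # smtpd_hard_error_limit reached: Postfix sends 421 and drops the client
            s["hard_limit_hit"] = True
        elif d:
            s["client"] = s["client"] or (d.group("host"), d.group("ip"))
            # 'ehlo=0/1' is accepted/offered (Postfix 3.x); 'helo=1' is the older single count
            for name, ok, total in COUNTER_RE.findall(d.group("counters")):
                s["counters"][name] = (int(ok), int(total) if total else int(ok))
    return sessions


def disconnect_reason(session):
    """Why the session ended; a hard-limit disconnect is explained by the reject logged before it."""
    if session["hard_limit_hit"] and session["rejects"]:
        stage, code, esc, reason = session["rejects"][-1]
        return f"hard error limit after {stage}: {code} {esc} {reason}"
    if session["hard_limit_hit"]:
        return "hard error limit (reject reason not logged)"
    return "client quit" if session["counters"].get("quit", (0, 0))[0] else "no error"


if __name__ == "__main__":
    for pid, sess in parse_sessions(SAMPLE_LOG).items():
        print(pid, sess["client"], disconnect_reason(sess))
```

Feed it `journalctl -u postfix` output instead of `SAMPLE_LOG` to see which restriction actually tripped the hard limit for each client.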

## freke

I know nothing about systemd behaviour at all - is the .ctl file the socket file?

In my OpenRC configuration with amavis-new and clamd, the socket file is /var/run/amavis/clamd.sock (set in /etc/clamd.conf)

```
LocalSocket /var/run/amavis/clamd.sock
```

which should probably match the relevant part in your /etc/amavisd.conf

```
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/amavis/clamd.sock"],
```

Also in my /etc/clamd.conf I have

```
User amavis
```

so that amavis-new has permission to access the socket.

----------

## ROGA

Hi freke,

thank you for your quick answer.

 *Quote:*   

>  is the .ctl-file the socket-file? 

 

Yep!

I tried renaming the socket file to clamd.sock, but that was not the issue. In both config files (amavis.conf and clamd.conf) the file name for the socket is the same.

And the username in clamd.conf for the daemon is also the same as yours.

So I think it must be an issue with the systemd service or sockets. I will investigate more and maybe I'll find something ...

Thank you so much for your help and time.

----------

## freke

Hi,

Apart from making sure that /var/run/clamav/clamd.ctl is indeed owned by amavis

```
ls -l /var/run/clamav/clamd.ctl
```

(if that's the user you're using for amavis-new? - /etc/amavisd.conf)

```
$daemon_user  = 'amavis';     # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';     # (no default;  customary: vscan or amavis), -g
```

I haven't got any ideas.

----------

