Travis Fraser wrote: > Thank you for the smtpd_recipient_restrictions information. I have > been using Postfix on a test network first, as you suggest. > > As far as implementing SpamAssassin with Postfix, I was looking at > Mailscanner or amavisd-new. Do you have a simpler suggestion for > calling SA from within the recipient_restrictions checks? Before I answer your post, be sure you define your e-mail requirements to meet your needs. Mailscanner/Amavisd-new all have their purpose in life, especially if you are implementing a high volume mail server that requires both AV and SA to be called for each inbound e-mail. In my case, I admin a low volume (2000+) e-mail a day postfix MTA which front-ends an Exchange server. Furthermore, virus checking is done on the Exchange server, not through postfix filtering. So implementing a product such as amavisd-new was an unnecessary overhead in my opinion. Your requirements may differ. With the above in mind, I simply call SA using postfix's builtin filtering capabilites as follows: 1) Get SA (spamd) running on your MTA first. I'll leave the details of starting and verifying SA is working properly on your system to you. 2) In /etc/mail/master.cf, add the following: filter unix - n n - 10 pipe flags=Fq user=spamassassin argv=/usr/bin/spamc -f -x -e /usr/sbin/sendmail -i -f $sender $recipient NOTE: I limit postfix to spawning 10 instances of spamc simultainiously. This meets my load requirements. Also, adjust the flags setting to meet your requirements. The call to /usr/bin/sendmail is actully the postfix supplied sendmail, not the sendmail MTA. The postfix supplied sendmail simply re-injects the scanned (filtered) e-mail back into postfix on a pipe for final delivery. 3) Add the following to /etc/postfix/main.cf smtpd_recipient_restrictions section. smtpd_recipient_restrictions = [snip...] check_recipient_access hash:/etc/postfix/filtered_domains permit 4) In /etc/postfix/filtered_domains add an entry for each of your hosted domains: mydomain1.com FILTER filter:spamassassin mydomain2.com FILTER filter:spamassassin mydomain3.com FILTER filter:spamassassin NOTE: My MTA is also a backup MX for another site, so I run spamassassin only for e-mail being delivered to the domains that I host, not for e-mail that is queued up on my MTA in a backup MX mode. Also, this stops outbound e-mail from being processed by SA, but still allows Exchange to scan outbound e-mail for viruses prior to submitting to postfix. 5) Build the /etc/postfix/filtered_domains database # postmap /etc/postfix/filtered_domains 6) Reload postfix and test. Be sure you test from an external source, not a system from your local network (mynetworks) or SA will not be called. Remember the order specified in smtpd_recipient_restrictions. If you want to test from a system on your network, move the call to check_recipient_access above mynetworks. Again, the method I present above meets my requirements. This is NOT the preferred method if you are running a high volume MTA. Especially if you need to call both SA and AV filters for each inbound e-mail on your postfix MTA. If that's the case, use amavisd-new or a product that meets your requirements to perform filtering. Steve Cowles
