What changes does Warden make to the postfix configuration files to enable Amavis?

Important

Warden will configure postfix differently depending if you selected to install the amavisd-milter during setup. (amavisd-milter support was added as of Warden 2.03-1). When the amavisd-milter is installed Amavis will be configured as a before queue milter. When the amavisd-milter is not installed or if your operating system does not support the new amavisd-milter (Ubuntu 16) then Amavis will be configured as an after queue content filter.

Amavisd-milter Installed (Before-queue Milter - recommended)

Warden makes changes to the following lines in /etc/postfix/master.cf:

Before (lines may vary according to your servers operating system):

# SMTPS port (465)
smtps      inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes

# submission port (587) (if enabled)
submission inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

After:

# SMTPS port (465)
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o milter_macro_daemon_name=SUBMISSION

# submission port (587) (if enabled)
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=SUBMISSION

# postfix-reentry
127.0.0.1:10025 inet n   -       -       -       -       smtpd
    -o syslog_name=postfix-reentry
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtp_tls_security_level=none
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Warden also adds the following lines in /etc/postfix/main.cf. The amavisd-mitler will be added to the start of the smtp_milters and non_smtp_milters options (Any existing milters will be listed after). It is important that the amavisd-milter be listed first (inet:127.0.0.1:10024 is the amavisd-milter).

smtpd_milters = inet:127.0.0.1:10024,inet:127.0.0.1:12768
non_smtpd_milters = inet:127.0.0.1:10024
milter_connect_macros = j {client_name} {daemon_name} v
milter_default_action = accept


Amavisd-milter is not installed (After-Queue Content Filter)

Warden makes changes to the following lines in /etc/postfix/master.cf:

Before (lines may vary according to your servers operating system):

# pickup
pickup     fifo  n       -       n       60      1       pickup

# SMTPS port (465)
smtps      inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes

# submission port (587) (if enabled)
submission inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

After:

# pickup
pickup     fifo  n       -       n       60      1       pickup
    -o content_filter=smtp-amavis:[127.0.0.1]:10027

# SMTPS port (465)
smtps      inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o content_filter=smtp-amavis:[127.0.0.1]:10026

# submission port (587) (if enabled)
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

# amavis 
smtp-amavis unix -       -       -       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none

# postfix-reentry
127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o syslog_name=postfix-reentry
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
        -o smtp_tls_security_level=none

Warden also adds the following lines in /etc/postfix/main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Repair Installation

If you want the Warden installer to try and repair these files you can run the Warden installer from the command line. The installer will detect if the amavisd-milter is installed or not and should configure everything for you:

/usr/local/psa/admin/bin/modules/warden/install.sh
  • postfix, amavis, master.cf, main.cf
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How do I fix the error: Mysql Server has gone away?

When looking at the mail log of the server you see this log entry from Amavis: Aug 3 01:00:20...

How hard is it to uninstall if I do not require Warden Anti-spam and Virus Protection any more?

Uninstalling Warden is as easy as going to Extensions -> My Extensions -> Warden Anti-spam...

How can I fix the error: host 127.0.0.1[127.0.0.1] said: 552 5.3.4 Declared message size (1208029 B) exceeds size limit for recipient?

You can set the message size limit for Amavis under Settings -> Policy Settings -> Misc...

How do I fix the error: Unit is masked. when trying to start SpamAssassin?

You should not try to start the SpamAssassin service. Warden disables (masks) the SpamAssassin...

What network ports are used by Warden and need to be opened on the firewall?

All of the network based tests (Razor, Pyzor, DCC) that Warden uses must be opened on the...