Postfix/Amavis: Outgoing and Incoming through filter.

For future reference, the answer was a postfix configuration setting:

non_smtpd_milters =

The postfix content filtering setting (content_filter) does not seem to apply to non-smtpd traffic, such as that sent by Unix accounts or PHP mail() script.

Actually this is wrong. From Stef on the mailing list changing the message body is not implemented via milter interface:

Have a look at the following documentation:
– http://www.amavis.org/README.postfix.html
– http://www.postfix.org/FILTER_README.html [Advanced content filter example]

A quick run through the config files [this is a quick cut-and-paste from my config files; beware that the port numbers might not match the above documents]:

/etc/amavisd.conf

1
2
3
4
5
6
7
8
9
10
11
$notify_method  = 'smtp:[127.0.0.1]:10025';

$forward_method = 'smtp:[127.0.0.1]:10025';



$inet_socket_port = [10024, 10026];



$interface_policy{'10026'} = 'ORIGINATING';



$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users

  originating => 1,  # declare that mail was submitted by our smtp client

  allow_disclaimers => 1,  # enables disclaimer insertion if available

}

/etc/postfix/master.cf

1
2
smtp      inet  n       -       n       -       -       smtpd

  -o content_filter = smtp-amavis:[127.0.0.1]:10024

[ you can also have the above config_filter configuration in /etc/postfix/main.cf as a default setting.
The options below override the defaults in main.cf ]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
smtp-amavis unix -      -       n       -       4       smtp

  -o smtp_data_done_timeout=1200

  -o smtp_send_xforward_command=yes

  -o disable_dns_lookups=yes

  -o max_use=20

  -o smtp_generic_maps=

localhost:10025 inet n  -       n       -       -       smtpd

  -o content_filter=

  -o local_recipient_maps=

  -o relay_recipient_maps=

  -o smtpd_delay_reject=no

  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

  -o smtpd_authorized_xclient_hosts=127.0.0.0/8,[::1]/128

  -o smtpd_client_restrictions=permit_mynetworks,reject

  -o smtpd_helo_restrictions=

  -o smtpd_sender_restrictions=

  -o smtpd_recipient_restrictions=permit_mynetworks,reject

  -o smtpd_data_restrictions=reject_unauth_pipelining

  -o smtpd_end_of_data_restrictions=

  -o smtpd_restriction_classes=

  -o mynetworks=127.0.0.0/8,[::1]/128

  -o smtpd_error_sleep_time=0

  -o smtpd_soft_error_limit=1001

  -o smtpd_hard_error_limit=1000

  -o smtpd_client_connection_count_limit=0

  -o smtpd_client_connection_rate_limit=0

  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

  -o local_header_rewrite_clients=

submission inet n       -       n       -       -       smtpd

  -o syslog_name=postfix/submission

  -o smtpd_tls_security_level=encrypt

  -o smtpd_sasl_auth_enable=yes

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

  -o content_filter=smtp-amavis:[127.0.0.1]:10026

pickup    unix  n       -       n       60      1       pickup

  -o content_filter=smtp-amavis:[127.0.0.1]:10026

Quick comments:
– incoming e-mail enters on port 25; with the “content-filter” option, it is sent to a mavis on port 10024
– amavis scans, tags, quarantines, … — if mail goes through, it goes to (postfix) port 10025 (this is done with the “$forward_method” in amavisd.conf)
– postfix (listening on port 10025) delivers the e-mail

• outgoing e-mail should enter on the submission port [587] or delivered with the pickup service (“local e-mail”).
• postfix forwards this e-mail to amavis on port 10026 (!)
• the configuration of amavis is changed because of a “policy bank”
• again, amavis forwards e-mail to postfix on port 10025
• postfix (listening on port 10025) delivers e-mail