install_amavis.sh: change to 'Post-Queue' setting.

install_amavis.sh

@@ -4923,36 +4923,50 @@ else
 fi
 
 
+## - Provide an 'After-queue filter' (classic content filter):
+## -
+## -    - The external sender communicates with port 25.
+## -    - Postfix accepts the email and initially places it in the queue.
+## -    - Postfix then forwards the email to Amavis (10024).
+## -    - Amavis returns it to Postfix (typically on 10025).
+## -
+## - Advantage:
+## -   Port 25 is 'normal Postfix SMTP'
+## -      ->  Milters (OpenDMARC/OpenDKIM verify) access port 25 cleanly
+## -      -> DMARC reject happens in the SMTP dialog (if you set it up that way
+## -         and the checks pass 'pre-queue')
+## -
+## - Disadvantage:
+## -    Some types of rejections may no longer happen 'before queue', but only later
+## -    (depending on the type of check)
+## -
+## -
 ## - Set up /etc/postfix/master
 ## -
-## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter
+## - Forward emails to amavis using "After-Queue-Filter" Option content_filter
 ## -
-## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to
-## - forward to amavis service on localhost port 10024) and for "content_filter"
-## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service
+## - edit /etc/postfix/master.cf and add flags for "content_filter" (to
+## - forward to amavis service on localhost port 10024)
 ## -
 ## -    smtp      inet  n       -       -       -       -       smtpd
-## -       -o smtpd_proxy_filter=127.0.0.1:10024
-## -       -o content_filter=
+## -       -o content_filter=amavisfeed:[127.0.0.1]:10024
 ## -
-## - take care, that, in case NOT to reject, amavis fowards the mail to the
-## - MTA (Postfix) for delivering. To avoid loops in checking, install a
-## - (Postfix) smtpd service on a local Port (10025) without checking anymore
+## - !! Noticw !!
+## -  - take care localhost:10025 has empty 'content_filter'
 ## -
-## - to do this edit /etc/postfix/master.cf and add service:
-## -
-## -    localhost:10025  inet  n       -       -       -       -       smtpd
-## -       -o content_filter=
-## -       -o smtpd_proxy_filter=
-## -       -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-## -       -o smtpd_client_restrictions=
-## -       -o smtpd_helo_restrictions=
-## -       -o smtpd_sender_restrictions=
-## -       -o smtpd_recipient_restrictions=permit_mynetworks,reject
-## -       -o smtpd_data_restrictions=
-## -       -o mynetworks=127.0.0.0/8,[::1]/128,<$_ipv4_address/32>
-## -       -o receive_override_options=no_unknown_recipient_checks
+## -  localhost:10025  inet  n       -       y       -       -       smtpd
+## -     -o content_filter=
+## -     -o smtpd_proxy_filter=
+## -     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
+## -     -o smtpd_client_restrictions=
+## -     -o smtpd_helo_restrictions=
+## -     -o smtpd_sender_restrictions=
+## -     -o smtpd_recipient_restrictions=permit_mynetworks,reject
+## -     -o smtpd_data_restrictions=
+## -     -o mynetworks=127.0.0.0/8,[::1]/128
+## -     -o receive_override_options=no_unknown_recipient_checks
 ## -
+## -  - take care not to have 'content_filter' set im main.cf
 postfix_master_cf="/etc/postfix/master.cf"
 echo ""
 echononl "   Backup file \"${postfix_master_cf}\""
@@ -5004,10 +5018,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
       _found=true
       cat >> $postfix_master_cf << EOF
 smtp      inet  n       -       y       -       -       smtpd
-   -o smtpd_proxy_filter=127.0.0.1:10024
-   -o content_filter=
-   -o smtpd_milters=
-   -o non_smtpd_milters=
+   -o content_filter=amavisfeed:[127.0.0.1]:10024
 EOF
       if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
          cat >> $postfix_master_cf << EOF
@@ -5031,7 +5042,8 @@ localhost:10025  inet  n       -       y       -       -       smtpd
 EOF
          if [[-n "$(which opendmarc)" ]] ; then
             cat >> $postfix_master_cf << EOF
-   -o smtpd_milters=local:/opendmarc/opendmarc.sock
+   # IMPORTANT: no opendmarc here!
+   #-o smtpd_milters=local:/opendmarc/opendmarc.sock
 EOF
          fi
          cat >> $postfix_master_cf << EOF
@@ -5047,8 +5059,7 @@ EOF
       _found=true
       cat >> $postfix_master_cf << EOF
 ${additional_smtp_port}      inet  n       -       y       -       -       smtpd
-   -o smtpd_proxy_filter=127.0.0.1:10024
-   -o content_filter=
+   -o content_filter=amavisfeed:[127.0.0.1]:10024
 EOF
       if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
          cat >> $postfix_master_cf << EOF
@@ -5073,11 +5084,9 @@ EOF
       if [[ -n "$(which opendkim)"  ]] ; then
          cat >> $postfix_master_cf << EOF
    -o smtpd_milters=local:/opendkim/opendkim.sock
+   -o milter_macro_daemon_name=ORIGINATING
 EOF
       fi
-      cat >> $postfix_master_cf << EOF
-   #-o milter_macro_daemon_name=ORIGINATING
-EOF
 		if ! $smtps_present ; then
 			if ! $localhost_10025_present ; then
 				cat >> $postfix_master_cf << EOF
@@ -5095,12 +5104,10 @@ localhost:10025  inet  n       -       y       -       -       smtpd
 EOF
             if [[ -n "$(which opendmarc)" ]] ; then
                cat >> $postfix_master_cf << EOF
-   -o smtpd_milters=local:/opendmarc/opendmarc.sock
+   # IMPORTANT: no opendmarc here!
+   #-o smtpd_milters=local:/opendmarc/opendmarc.sock
 EOF
             fi
-            cat >> $postfix_master_cf << EOF
-   #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
-EOF
 			fi
 
 			if ! $amavisfeed_present ; then
@@ -5130,11 +5137,9 @@ EOF
       if [[ -n "$(which opendkim)"  ]] ; then
          cat >> $postfix_master_cf << EOF
    -o smtpd_milters=local:/opendkim/opendkim.sock
+   -o milter_macro_daemon_name=ORIGINATING
 EOF
       fi
-      cat >> $postfix_master_cf << EOF
-   #-o milter_macro_daemon_name=ORIGINATING
-EOF
 
 		if ! $localhost_10025_present ; then
 			cat >> $postfix_master_cf << EOF
@@ -5152,12 +5157,10 @@ localhost:10025  inet  n       -       y       -       -       smtpd
 EOF
          if [[ -n "$(which opendmarc)" ]] ; then
             cat >> $postfix_master_cf << EOF
-   -o smtpd_milters=local:/opendmarc/opendmarc.sock
+   # IMPORTANT: no opendmarc here!
+   #-o smtpd_milters=local:/opendmarc/opendmarc.sock
 EOF
           fi
-         cat >> $postfix_master_cf << EOF
-   #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
-EOF
 		fi
 
 		if ! $amavisfeed_present ; then
@@ -5191,12 +5194,10 @@ localhost:10025  inet  n       -       y       -       -       smtpd
 EOF
       if [[ -n "$(which opendmarc)" ]] ; then
          cat >> $postfix_master_cf << EOF
-   -o smtpd_milters=local:/opendmarc/opendmarc.sock
+   # IMPORTANT: no opendmarc here!
+   #-o smtpd_milters=local:/opendmarc/opendmarc.sock
 EOF
       fi
-      cat >> $postfix_master_cf << EOF
-   #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
-EOF
       continue
    fi
 

install_opendkim.sh

@@ -726,6 +726,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
       _found=false
       if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then
          echo "   -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
+         echo "   -o milter_macro_daemon_name=ORIGINATING" >> "$tmp_master_file"
          _changed=true
          continue
       fi

install_opendmarc.sh

@@ -876,87 +876,6 @@ EOF
 fi
 
 
-echo ""
-
-
-# - Prevent Postfix from setting the DMARC Header twice (one befor
-# - and one after processing amavis
-# -
-# - To disable milter processing after amavis, add to your master.cf in
-# - the after-amavis section:
-# -    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
-# -       [...]
-# -       -o smtpd_milters=
-# -
-# - If you want to run the milter after amavis, set in main.cf
-# -    smtpd_milters=
-# - to an empty string and add the smtpd_milters configuration to master.cf
-# - (after-section amavis) instead:
-# -    -o smtpd_milters=local:/opendmarc/opendmarc.sock
-# -
-echononl "   Backup file '/etc/postfix/master.cf'.."
-cp -a /etc/postfix/master.cf /etc/postfix/master.cf.${backup_date} 2> $log_file
-if [[ $? -eq 0 ]] ; then
-   echo_ok
-else
-   echo_failed
-   error "$(cat $log_file)"
-fi
-
-echononl "   Adjust /etc/postfix/master.cf. Set DMARC after sending throuh AmaVIS.."
-_found=false
-_changed=false
-tmp_master_file="/tmp/postfix_master.cf"
-> $tmp_master_file
-while IFS='' read -r _line || [[ -n $_line ]] ; do
-
-   if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
-      echo "   -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
-      _changed=true
-      _found=false
-   fi
-
-   if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
-      _found=false
-      if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendmarc/opendmarc.sock\s*$" ; then
-         echo "   -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
-         _changed=true
-         continue
-      fi
-
-   fi
-
-   if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
-      _found=true
-   fi
-
-   echo "$_line" >> "$tmp_master_file"
-
-done < "/etc/postfix/master.cf"
-
-if $_changed ; then
-   cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
-   postfix_needs_restart=true
-   if [[ $? -eq 0 ]] ; then
-      echo_ok
-   else
-      echo_failed
-      error "$(cat $log_file)"
-   fi
-else
-   echo_skipped
-   info "Postfix (master.cf) was not changed - seems already be configured right."
-   echononl "   Delete previosly saved file '/etc/postfix/master.cf'.."
-   rm /etc/postfix/master.cf.$backup_date 2> $log_file
-   if [[ $? -eq 0 ]] ; then
-      echo_ok
-   else
-      echo_failed
-      error "$(cat $log_file)"
-   fi
-fi
-rm -f $tmp_master_file
-
 echo ""
 
 echononl "   Enable OpenDMARC Service"