
Running a fresh CentOS 8 install here; the MTA is Postfix with Amavis hooked in. I want Amavis to inject messages from ORIGINATING (incoming submissions from port 587/Postfix through 10026/Amavis) back into Amavis (port 10024) after (internal) DKIM signing. But port 10024 has already been assigned for listening for incoming SMTP connections from 25/Postfix, so I cannot add it as a sending-to port in the SELinux configuration.

The messages flow:

  • 25/smtp -> Postfix -> smtp-amavis/10024
  • 10024 -> Amavis: scan -> 10025
  • 10025 -> Postfix -> delivery
  • 587/submission -> Postfix -> smtp-amavis/10026
  • 10026 -> Amavis ORIGINATING: scan & DKIM sign -> smtp-amavis/10024

The problem I run into is that SELinux does not allow me to feed messages from the last flow back into smtp-amavis at port 10024 (Amavis to Amavis) because this port has already been assigned for receiving:

    [root@services amavisd]# semanage port -l | grep 1002
    amavisd_recv_port_t            tcp      10026, 10024
    amavisd_send_port_t            tcp      10027, 10025
    spamd_port_t                   tcp      783, 10026, 10027

Interestingly, SELinux did not complain about ports 10026 and 10027 already being assigned to spamd when I added them to amavisd_recv_port_t and amavisd_send_port_t respectively:

    [root@services amavisd]# semanage port -lC
    SELinux Port Type              Proto    Port Number
    amavisd_recv_port_t            tcp      10026
    amavisd_send_port_t            tcp      10027

How can I fix this, as SELinux does not allow me to add 10024 as a sending port too:

    [root@services amavisd]# semanage port -a -t amavisd_send_port_t -p tcp 10024
    ValueError: Port tcp/10024 already defined

Or am I going completely the wrong way with this, and should submitted messages not be fed back into Amavis through port 10024 at all (which makes this an Amavis rather than an SELinux question)? Originally, the Amavis configuration forwarded submitted messages to port 10027 for (external) DKIM signing by OpenDKIM, as you can see here:

    # forward to a smtpd service providing DKIM signing service
    #forward_method => 'smtp:[127.0.0.1]:10027',
    forward_method => 'smtp:[127.0.0.1]:10024',

So the last flow originally was:

  • 10026 -> Amavis ORIGINATING: scan -> OpenDKIM@10027: sign -> delivery

But OpenDKIM is not (yet) available for CentOS 8 (it used to be, via the EPEL repo), and Amavis now supports an internal DKIM signing service that I'm trying to use.

So there are two ways out I see:

  • configure SELinux so that Amavis can feed DKIM-signed messages from the submission flow back into the basic SMTP flow (assuming that this somewhat loopy set-up works)
  • keep the original Amavis configuration, which means that there will have to be a service behind port 10027 that delivers outgoing (i.e. submitted) messages

Which way to go, and how to do it?

1 Answer

Turns out I overlooked the most obvious solution (I had been following an incorrect online recipe): feed the Amavis ORIGINATING flow back into port 10025 for delivery by Postfix (thereby funnelling the 25/smtp and 587/submission flows together after separate handling by Amavis). This also circumvents the SELinux issue, as there is no longer any need to feed messages from Amavis back into itself.

So the whole scheme now looks like this:

  • 25/smtp -> Postfix -> smtp-amavis/10024
  • 10024 -> Amavis: scan -> 10025
  • 10025 -> Postfix -> delivery
  • 587/submission -> Postfix -> smtp-amavis/10026
  • 10026 -> Amavis ORIGINATING: scan & DKIM sign -> 10025
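Putting the scheme from the answer into amavisd.conf, as an added example that is not part of the original question or answer. The domain, selector and key path are assumptions, and the Postfix side is assumed to be already in place (an `smtp-amavis` transport in master.cf, a re-injection listener on 127.0.0.1:10025, and `-o content_filter=smtp-amavis:[127.0.0.1]:10026` on the submission service). The commented-out `forward_method` is the setting from the question that triggered the SELinux error; the line after it is the one the answer settles on.

```perl
# /etc/amavisd/amavisd.conf fragment (added example, not the poster's config).
# Assumed: domain example.com, DKIM selector "sel2024", key at the path below,
# Postfix hands port-25 mail to 10024 and submission mail to 10026.

# One Amavis instance listening on both ports; under SELinux both are
# labelled amavisd_recv_port_t (10026 was added by hand, as in the question).
$inet_socket_port = [10024, 10026];

# Default for the port-25 flow: scanned mail goes back to Postfix on 10025,
# which the stock policy already labels amavisd_send_port_t.
$forward_method = 'smtp:[127.0.0.1]:10025';

# Submissions arriving on 10026 are handled by the ORIGINATING policy bank.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,   # mail submitted by our own (authenticated) users
  # WRONG (from the question): re-injecting into Amavis would need 10024 to be
  # both a recv and a send port, which semanage refuses ("already defined").
  #forward_method => 'smtp:[127.0.0.1]:10024',
  # RIGHT (from the answer): hand the signed message straight to Postfix.
  forward_method => 'smtp:[127.0.0.1]:10025',
  # Advertise no 8BITMIME so Postfix converts to 7-bit before Amavis signs;
  # otherwise a later 8-bit-to-7-bit conversion downstream breaks the signature.
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

# Internal DKIM signing (amavisd-new 2.6 and later), replacing the external
# OpenDKIM hop on 10027. Signing happens before forward_method is used, so the
# message leaving on 10025 already carries the DKIM-Signature header.
$enable_dkim_signing = 1;
dkim_key('example.com', 'sel2024', '/var/db/dkim/example.com.sel2024.pem');  # assumed path
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } },
);

1;  # amavisd.conf must end with a true value
```

No new SELinux port label is needed for this layout: `semanage port -l | grep amavisd` should already show 10025 under amavisd_send_port_t and 10024 and 10026 under amavisd_recv_port_t, and `ausearch -m avc -ts recent` should stay empty after a test submission. `amavisd showkeys` prints the DNS TXT record to publish for the selector, and `amavisd testkeys` checks that the published record matches the private key before signed mail is sent.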
