HOWTO: set up Postfix to do domain-based AV/SPAM scanning

by Timo Proescholdt (proescho@informatik.uni-muenchen.de)

The programs used in my environment are Postfix and amavisd-new (with SpamAssassin and the Sophos/Sophie antivirus).

PREFACE

While setting up our new e-mail system, we (the RBG at the Department of Computer Science, University of Munich (phew..)) were looking for a way to implement a domain-based AV & SPAM tagging system, for load-balancing reasons. While accepting mail for all our domains on our primary mail hub, the SPAM and AV tagging (amavisd-new) should be done locally for only a small subset of these domains.

At first this seemed to be possible only by

a) setting up a second (tagging) Postfix instance, reached via an explicit transport map entry pointing to the second instance, or

b) using the @bypass_virus_checks_acl entry in amavisd.conf (to skip tagging for domains that are to be scanned on another server).

Both approaches have disadvantages: the first mainly because of the administrative overhead of maintaining a second set of configuration files; the second has massive performance and availability drawbacks.

In the end we discovered a way to achieve our goal using the smtpd_recipient_restrictions = check_recipient_access configuration switch. This short HOWTO describes how to set up Postfix so that it accepts mail for a set of local/non-local domains and involves amavisd-new for a subset of these, while delivering the others as usual (untagged).

1.) Install Postfix as usual. Install amavisd-new.

2.) Set up Postfix to accept mail for your domains (main.cf):

    relay_domains = hash:/etc/postfix/relay_domains

Let amavisd listen on port 10024 (amavisd.conf):

    $inet_socket_port = 10024;

Let amavisd forward processed mail to local port 10025:

    $forward_method = 'smtp:127.0.0.1:10025';

Create an additional Postfix listener on port 10025 (master.cf). The smtpd_recipient_restrictions parameter is the most important parameter here.
    # IMPORTANT: permit_mynetworks,reject makes this listener accept mail
    # only from the local network, i.e. from amavisd
    127.0.0.1:10025 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_sender_restrictions=
      -o mynetworks=127.0.0.0/8
      -o canonical_maps=

Create an additional Postfix transport to deliver mail to amavisd-new. This may be done with lmtp or smtp. Check the latest versions of Postfix and amavisd-new to be sure that lmtp works without trouble.

    # the lmtp client reads lmtp_* parameters, so the timeout is set under that name
    lmtp-amavis unix - - - - 4 lmtp
      -o lmtp_data_done_timeout=1200
      -o disable_dns_lookups=yes

Configure Postfix to look into the /etc/postfix/tagged_domains table (main.cf). Set smtpd_recipient_restrictions to at least

    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/tagged_domains,
        permit_mynetworks,
        [your stuff]
        reject_unauth_destination

where [your stuff] stands for any further restrictions of your own. (In main.cf a logical line is continued by starting the next line with whitespace; there is no backslash continuation.)

Our setup looks like this:

    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/tagged_domains,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_recipient,
        reject_unauth_destination

Set up /etc/postfix/tagged_domains to contain an entry like

    first-domain.informatik.uni-muenchen.de   FILTER lmtp-amavis:[127.0.0.1]:10024

for each domain that should be processed by amavisd. Note that you DO NOT need to set the content_filter configuration switch.

Make the changes visible to Postfix with

    postmap /etc/postfix/tagged_domains
    postfix reload

3.) Testing

Send e-mail via telnet to several domains. You should see the following line appear in your maillog when a mail to at least one recipient with a domain part matching tagged_domains arrives:

    Recipient address triggers FILTER lmtp-amavis:[127.0.0.1]:10024

to be continued...

Comments welcome (to proescho@informatik.uni-muenchen.de).
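As an added example (not part of this HOWTO), the script below simulates the check_recipient_access lookup order from access(5) against a tagged_domains table, so you can predict which messages will be handed to amavisd before sending test mails; it also shows two things worth knowing when filling the table: with Postfix's default parent_domain_matches_subdomains a domain entry matches its subdomains as well, and when several recipients of one message fire a FILTER, Postfix executes only the last one. The table contents and recipient addresses are constructed samples.

```python
# Added example, not from the HOWTO: simulate Postfix check_recipient_access
# lookups against a tagged_domains table to predict which messages get FILTERed.

# Constructed sample table in the same format as /etc/postfix/tagged_domains.
TAGGED_DOMAINS = """
# domain                                   action
first-domain.informatik.uni-muenchen.de    FILTER lmtp-amavis:[127.0.0.1]:10024
second-domain.informatik.uni-muenchen.de   FILTER lmtp-amavis:[127.0.0.1]:10024
"""
AMAVIS = "FILTER lmtp-amavis:[127.0.0.1]:10024"


def parse_access_table(text):
    """Parse 'key action' lines the way postmap reads them (comments, blanks skipped)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()   # hash: lookups are case-insensitive
    return table


def lookup_keys(recipient, parent_matches_subdomains=True):
    """Keys access(5) tries for an e-mail address, in Postfix's order:
    user@domain, the domain (plus its parent domains when the default
    parent_domain_matches_subdomains applies, otherwise .parent forms),
    then user@, then user."""
    local, _, domain = recipient.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    if parent_matches_subdomains:
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    else:
        keys.append(domain)
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys + [f"{local}@", local]


def message_route(recipients, table, parent_matches_subdomains=True):
    """Return (filter, triggering_recipient) for a whole message.
    A FILTER action affects all recipients of the message; when several
    recipients fire a FILTER, only the last one is executed."""
    chosen = (None, None)
    for rcpt in recipients:
        for key in lookup_keys(rcpt, parent_matches_subdomains):
            action = table.get(key)
            if action is None:
                continue
            if action.upper().startswith("FILTER "):
                chosen = (action, rcpt)
            break   # the first matching key decides this recipient
    return chosen
```

Running message_route(["bob@other.example", "alice@first-domain.informatik.uni-muenchen.de"], parse_access_table(TAGGED_DOMAINS)) shows the whole message, including bob's copy, being routed through amavisd because of alice's domain.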