Hi,
I'm using postfix with the amavisd-new spam/virus mail filter. In this type of configuration the MTA sends every processed mail to the filter daemon on one port, and receives the result of the filtering on another. The online documentation is not too clear, but the commonly used ports seem to be in the 10024-10026 range. In my setup the MTA listens on port 10026 and the filter on port 10025.
Unfortunately that means the selinux policy in Raw Hide blocks postfix startup:
Oct 23 11:56:21 rousalka postfix/master[2076]: fatal: bind 127.0.0.1 port 10026: Permission denied
Therefore, I'd like to know:
1. if a port has already been allocated in the Fedora Devel targeted policy for MTA <- filter communication
2. if yes which one is it so I make my installation conformant
3. if not would it be possible to add it? I'm ready to poll the postfix/amavisd-new lists to find out what the canonical port to use would be.
Regards,
Nicolas Mailhot wrote:
Hi,
I'm using postfix with the amavisd-new spam/virus mail filter. In this type of configuration the MTA sends every processed mail to the filter daemon on one port, and receives the result of the filtering on another. The online documentation is not too clear, but the commonly used ports seem to be in the 10024-10026 range. In my setup the MTA listens on port 10026 and the filter on port 10025.
Looks like these ports are used by amavisd
portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
portcon tcp 10025 system_u:object_r:amavisd_send_port_t
And reading policy states that postfix can listen on the send port.
Are you seeing any avc messages?
Unfortunately that means the selinux policy in Raw Hide blocks postfix startup:
Oct 23 11:56:21 rousalka postfix/master[2076]: fatal: bind 127.0.0.1 port 10026: Permission denied
Therefore, I'd like to know:
1. if a port has already been allocated in the Fedora Devel targeted policy for MTA <- filter communication
2. if yes which one is it so I make my installation conformant
3. if not would it be possible to add it? I'm ready to poll the postfix/amavisd-new lists to find out what the canonical port to use would be.
Regards,
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thursday 27 October 2005 at 17:37 -0400, Daniel J Walsh wrote:
Nicolas Mailhot wrote:
Hi,
I'm using postfix with the amavisd-new spam/virus mail filter. In this type of configuration the MTA sends every processed mail to the filter daemon on one port, and receives the result of the filtering on another. The online documentation is not too clear, but the commonly used ports seem to be in the 10024-10026 range. In my setup the MTA listens on port 10026 and the filter on port 10025.
Looks like these ports are used by amavisd
portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
portcon tcp 10025 system_u:object_r:amavisd_send_port_t
And reading policy states that postfix can listen on the send port.
Are you seeing any avc messages?
Ok, thanks, I have an old amavisd install that pre-dates FE packaging, and the amavisd/postfix doc proposed both 10024/10025 and 10025/10026 ports as good setup choices.
Since Fedora chose 10024/10025, I'll do the same here.
Regards,
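Added example, not part of the original thread or of Fedora's policy tooling: a Python check that compares the TCP listeners declared in a Postfix master.cf against portcon statements and reports the ports the policy would refuse to bind, as happened with 10026 above. The master.cf excerpt, the smtp_port_t line, the WELL_KNOWN table and the set of types Postfix may bind are assumptions constructed for illustration.

```python
import re

# The two amavisd lines are quoted in the thread; the smtp line is added
# here (assumption) so the ordinary port 25 listener resolves to a type.
PORTCON = """\
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
portcon tcp 10025 system_u:object_r:amavisd_send_port_t
"""
# Constructed master.cf excerpt for the setup in the first message:
# Postfix takes filtered mail back on 127.0.0.1:10026.
MASTER_CF = """\
smtp              inet  n  -  n  -  -  smtpd
127.0.0.1:10026   inet  n  -  n  -  -  smtpd
    -o content_filter=
"""
# Assumption: types the postfix domain may bind, following the reply
# ("postfix can listen on the send port") plus the SMTP port type.
POSTFIX_BIND_TYPES = {"smtp_port_t", "amavisd_send_port_t"}
WELL_KNOWN = {"smtp": 25}  # constructed stand-in for /etc/services

def parse_portcon(text):
    """Map (proto, port) -> SELinux type; handles single ports and ranges."""
    labels = {}
    pattern = r"^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)"
    for proto, lo, hi, ctx in re.findall(pattern, text, re.M):
        for port in range(int(lo), int(hi or lo) + 1):
            labels[(proto, port)] = ctx.split(":")[2]  # user:role:type[:mls]
    return labels

def inet_listeners(master_cf):
    """Yield the TCP port of every 'inet' service entry in master.cf text."""
    for line in master_cf.splitlines():
        fields = line.split()
        # Skip blanks, comments and continuation lines (leading whitespace).
        if len(fields) < 2 or line[0] in "# \t" or fields[1] != "inet":
            continue
        service = fields[0].rsplit(":", 1)[-1]  # drop optional bind address
        port = int(service) if service.isdigit() else WELL_KNOWN.get(service)
        if port is not None:
            yield port

def unbindable(master_cf, portcon, allowed=POSTFIX_BIND_TYPES):
    """Return [(port, label)] for listeners whose port type is not allowed."""
    labels = parse_portcon(portcon)
    found = ((p, labels.get(("tcp", p), "no-portcon")) for p in inet_listeners(master_cf))
    return [(port, label) for port, label in found if label not in allowed]

if __name__ == "__main__":
    for port, label in unbindable(MASTER_CF, PORTCON):
        print(f"postfix listener on tcp/{port} has port type {label}: bind will be denied")
```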