SELinux is blocking connections from Amavis back into itself: no way in/out?
2 votes | 1 answer | 397 views
Running a fresh CentOS8 install here, MTA is Postfix with Amavis hooked in. I want to have Amavis inject messages from ORIGINATING (incoming submissions from port 587/Postfix through 10026/Amavis) back into Amavis (port 10024) after (internal) DKIM signing. But port 10024 has already been assigned for listening for incoming smtp connections from 25/Postfix, so I cannot add it as a sending-to port in the SELinux configuration.
The messages flow:
- 25/smtp -> Postfix -> smtp-amavis/10024
- 10024 -> Amavis: scan -> 10025
- 10025 -> Postfix -> delivery
- 587/submission -> Postfix -> smtp-amavis/10026
- 10026 -> Amavis ORIGINATING: scan & DKIM sign -> smtp-amavis/10024
The problem I run into is that SELinux does not allow me to feed messages from the last flow back into smtp-amavis at port 10024 (Amavis to Amavis) because this port has already been assigned for receiving:
[root@services amavisd]# semanage port -l | grep 1002
amavisd_recv_port_t tcp 10026, 10024
amavisd_send_port_t tcp 10027, 10025
spamd_port_t tcp 783, 10026, 10027
Interestingly, SELinux did not complain about ports 10026, 10027 already being assigned to spamd when I added them to amavisd_recv_port_t and amavisd_send_port_t respectively:
[root@services amavisd]# semanage port -lC
SELinux Port Type Proto Port Number
amavisd_recv_port_t tcp 10026
amavisd_send_port_t tcp 10027
How can I fix this, as SELinux does not allow me to add 10024 as a sending port too:
[root@services amavisd]# semanage port -a -t amavisd_send_port_t -p tcp 10024
ValueError: Port tcp/10024 already defined
**Or am I going completely the wrong way with this**, and should submitted messages not be fed back into Amavis through port 10024 at all (which makes this an Amavis rather than an SELinux question)? For originally the Amavis configuration forwarded submitted messages to port 10027 for (external) DKIM signing by OpenDKIM, as you can see here:
# forward to a smtpd service providing DKIM signing service
#forward_method => 'smtp:[127.0.0.1]:10027',
forward_method => 'smtp:[127.0.0.1]:10024',
So the last flow originally was:
- 10026 -> Amavis ORIGINATING: scan -> OpenDKIM@10027: sign -> delivery
But OpenDKIM is not (yet) available for CentOS8 (used to be via the EPEL repo), and Amavis now supports an internal DKIM signing service that I'm trying to use.
So there are two ways out I see:
- configure SELinux so that it can feed DKIM-signed messages from the submission flow back into the basic smtp flow (assuming that this somewhat loopy set-up works)
- keep the original Amavis configuration, which means that there will have to be a service behind port 10027 that delivers outgoing (i.e. submitted) messages
Which way to go, and how to do it?
Asked by Adrian
(21 rep)
Jan 1, 2020, 08:20 PM
Last activity: Jan 2, 2020, 11:49 AM
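The `ValueError: Port tcp/10024 already defined` in the question is SELinux refusing to give one port a second label. The following added example (written for this page, not code from the question, from Amavis or from the SELinux tooling) is a small POSIX shell check that parses `semanage port -l` style output and tells you, before you run `semanage port -a`, whether a port is unlabeled, already carries the type you want, or is claimed by a different type. The listing embedded below is constructed: it copies the three lines from the question's `grep 1002` output and adds an assumed `smtp_port_t` line and an assumed `ephemeral_port_t` range so that range entries are exercised too; on a real host you would feed it the output of `semanage port -l` instead.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output. The first three lines mirror the
# question's listing; smtp_port_t and ephemeral_port_t are assumed for illustration.
# On a live system use:  SEMANAGE_PORT_LIST=$(semanage port -l)
SEMANAGE_PORT_LIST='amavisd_recv_port_t            tcp      10026, 10024
amavisd_send_port_t            tcp      10027, 10025
spamd_port_t                   tcp      783, 10026, 10027
smtp_port_t                    tcp      25, 465, 587
ephemeral_port_t               tcp      32768-60999'

# port_labels PROTO PORT
# Print every SELinux port type whose definition covers PROTO/PORT, one per line.
# Entries may be single ports ("10024") or ranges ("32768-60999"); a port can be
# listed under several types, as 10026 is above. Broad catch-all types such as
# unreserved_port_t would also match on a real host; filter them if unwanted.
port_labels() {
    proto=$1
    port=$2
    printf '%s\n' "$SEMANAGE_PORT_LIST" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                 # strip the trailing comma
                if (p ~ /-/) {                   # range entry: low-high
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
                } else if (p == port) {
                    print $1
                }
            }
        }'
}

# check_port_add WANTED_TYPE PROTO PORT
# Prints one of:
#   add              - no type claims the port; `semanage port -a` would succeed
#   already:TYPE     - the port is already labeled with the wanted type
#   conflict:TYPES   - other type(s) claim the port; `semanage port -a` would fail
#                      with "already defined" (the situation in the question)
check_port_add() {
    want=$1
    proto=$2
    port=$3
    labels=$(port_labels "$proto" "$port")
    if [ -z "$labels" ]; then
        echo add
    elif printf '%s\n' "$labels" | grep -qx "$want"; then
        echo "already:$want"
    else
        echo "conflict:$(printf '%s\n' "$labels" | paste -s -d , -)"
    fi
}

# Reproduces the question's case: 10024 is amavisd_recv_port_t, so adding it as
# amavisd_send_port_t reports a conflict instead of a successful add.
check_port_add amavisd_send_port_t tcp 10024
```

A `conflict` result is the point at which to stop and decide rather than retry: the command that changes an existing label is `semanage port -m -t TYPE -p tcp PORT`, but it replaces the port's current type rather than adding a second one, so relabeling 10024 would trade its receiving label for the sending one. The check is therefore most useful run once over every port in a planned Postfix/Amavis wiring before any `semanage` change is made.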