Discussion:
whitelist sender domain
Asif Iqbal
2016-12-11 06:24:03 UTC
Permalink
I am running amavid-new with postfix and I like to skip content filter for
senders with domain example.com

I do have amavisd-new setup with postfix like this where amavisd is setup
as the content_filter globally like below

# cat /etc/postfix/main.cf

...
content_filter = amavisfeed:[127.0.0.1]:10024
...

# cat /etc/postfix/master.cf
...

amavisfeed unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=

# netstat -tunlp | grep 10024
tcp 0 0 127.0.0.1:10024 0.0.0.0:*
LISTEN 26131/amavisd (mast
tcp 0 0 ::1:10024 :::*
LISTEN 26131/amavisd (mast

# netstat -tunlp | grep 10025
tcp 0 0 127.0.0.1:10025 0.0.0.0:*
LISTEN 28242/smtpd

# ps -ef | grep 26131
amavis 26131 1 0 05:49 ? 00:00:02 /usr/sbin/amavisd (master)
amavis 28157 26131 0 14:22 ? 00:00:01 /usr/sbin/amavisd
(ch6-28157-06-3)
amavis 28322 26131 4 14:27 ? 00:00:06 /usr/sbin/amavisd
(ch5-28322-05-7)

# ps -ef | grep 28242
postfix 28242 29732 0 14:25 ? 00:00:00 smtpd -n
127.0.0.1:10025 -t inet -u -o content_filter= -o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions=reject_unauth_pipelining -o
smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o
mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o
smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o
smtpd_client_connection_count_limit=0 -o
smtpd_client_connection_rate_limit=0 -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients= -o smtpd_milters= -o
local_recipient_maps= -o relay_recipient_maps=


And in amavisd.conf file I am using whitelist domains and email
addresses like below

# cat /etc/amavisd/amavisd.conf

...

read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
...

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't
spam-check this mail
bypass_banned_checks_maps => ['@whitelist_sender_maps'], # was [1]
allow sending any file names and types
bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't
header-check this mail
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};

...

# cat /etc/amavisd/whitelist
***@example.com
eample.net


How do I make sure it is working? After I configured like below, I
restarted amavisd and postfix and I am seeing a lot of
``RelayedOpenRelay'' like below..


Dec 11 01:10:02 myhost amavis[12264]: (12264-08) Passed CLEAN
{RelayedOpenRelay}, [192.168.0.220]:51381 [192.168.0.220] <***@example2.net>
-> <***@juniper.net>, Message-ID: <***@example3.net>,
mail_id: jTfE0zqJExAe, Hits: -1.899, size: 1920, queued_as: EB9F49ED41, 440
ms

I have not used amavisd with postfix like this before and please let
me know how I can achieve

whitelisting some of the sender addresses and sender domains and not
making the mail server an openrelay.


Thanks for your help!





Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Dominic Raferd
2016-12-11 08:10:55 UTC
Permalink
I have similar setup. I too see these statements in amavis log
messages that it is RelayedOpenRelay but in fact with my setup it is
not. I think amavis is just warning you that you *may* have an open
relay. You should have postfix set so that it is not an open relay, of
course, and I don't think amavis is the best way to do this.

I use a whitelist with amavis: I have a file /etc/amavis/whitelist
which contains on each line either a comment (starting with hash #), a
full email address or just a domain, and then in
/etc/amavis/conf.d/50-user I have lines like this:

# whitelist some senders to save time and avoid false positives
# - you can list full addresses or domains, one per line
# idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = {
bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't
spam-check this mail
bypass_banned_checks_maps => ['@whitelist_sender_maps'], # don't
banned-check this mail
bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't
header-check this mail
};

The idea is that all mails will still be passed to amavis which will
submit them for virus check, but whitelisted sender address will not
be checked for other things.

As far as I can tell this is working fine, although I am *not* an
amavis expert. Other suggestions welcome.

Dominic
Post by Asif Iqbal
I am running amavid-new with postfix and I like to skip content filter for
senders with domain example.com
I do have amavisd-new setup with postfix like this where amavisd is setup as
the content_filter globally like below
# cat /etc/postfix/main.cf
...
content_filter = amavisfeed:[127.0.0.1]:10024
...
# cat /etc/postfix/master.cf
...
amavisfeed unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=
# netstat -tunlp | grep 10024
tcp 0 0 127.0.0.1:10024 0.0.0.0:*
LISTEN 26131/amavisd (mast
tcp 0 0 ::1:10024 :::*
LISTEN 26131/amavisd (mast
# netstat -tunlp | grep 10025
tcp 0 0 127.0.0.1:10025 0.0.0.0:*
LISTEN 28242/smtpd
# ps -ef | grep 26131
amavis 26131 1 0 05:49 ? 00:00:02 /usr/sbin/amavisd (master)
amavis 28157 26131 0 14:22 ? 00:00:01 /usr/sbin/amavisd
(ch6-28157-06-3)
amavis 28322 26131 4 14:27 ? 00:00:06 /usr/sbin/amavisd
(ch5-28322-05-7)
# ps -ef | grep 28242
postfix 28242 29732 0 14:25 ? 00:00:00 smtpd -n 127.0.0.1:10025 -t
inet -u -o content_filter= -o smtpd_delay_reject=no -o
smtpd_client_restrictions=permit_mynetworks,reject -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions=reject_unauth_pipelining -o
smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o
mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o
smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o
smtpd_client_connection_count_limit=0 -o
smtpd_client_connection_rate_limit=0 -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=
-o relay_recipient_maps=
And in amavisd.conf file I am using whitelist domains and email addresses
like below
# cat /etc/amavisd/amavisd.conf
...
read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
...
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
warnbadhsender => 1,
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
this mail
sending any file names and types
header-check this mail
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};
...
# cat /etc/amavisd/whitelist
eample.net
How do I make sure it is working? After I configured like below, I restarted
amavisd and postfix and I am seeing a lot of
``RelayedOpenRelay'' like below..
Dec 11 01:10:02 myhost amavis[12264]: (12264-08) Passed CLEAN
mail_id: jTfE0zqJExAe, Hits: -1.899, size: 1920, queued_as: EB9F49ED41, 440
ms
I have not used amavisd with postfix like this before and please let me know
how I can achieve
whitelisting some of the sender addresses and sender domains and not making
the mail server an openrelay.
Thanks for your help!
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Dusan Obradovic
2016-12-11 09:33:20 UTC
Permalink
How do I make sure it is working? After I configured like below, I restarted amavisd and postfix and I am seeing a lot of
``RelayedOpenRelay'' like below..
You should configure @local_domains_maps and @mynetworks, for amavisd to be able to distinguish {RelayedInbound} and {RelayedOutbound} traffic.

@local_domains_maps = ( [ ".example.com" ] );
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
Dominic Raferd
2016-12-11 14:00:32 UTC
Permalink
Post by Dusan Obradovic
How do I make sure it is working? After I configured like below, I restarted amavisd and postfix and I am seeing a lot of
``RelayedOpenRelay'' like below..
@local_domains_maps = ( [ ".example.com" ] );
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
Thanks for the tip Dusan, I've implemented that.
Gregory Sloop
2016-12-11 17:45:39 UTC
Permalink
This post might be inappropriate. Click to display it.
Dauser Martin Johannes
2018-02-16 21:05:30 UTC
Permalink
This post might be inappropriate. Click to display it.
Dominic Raferd
2018-02-17 09:49:40 UTC
Permalink
On 16 February 2018 at 21:05, Dauser Martin Johannes
Post by Dauser Martin Johannes
Well this topic is quite old, still when searching for hard
whitelisting with amavisd-new you'll find this solution on different
sites.
Dominic Raferd wrote on Dec 11 2016
I use a whitelist with amavis: I have a file /etc/amavis/whitelist
which contains on each line either a comment (starting with hash #),
full email address or just a domain, and then in
# whitelist some senders to save time and avoid false positives
# - you can list full addresses or domains, one per line
# idea from http://www.iredmail.org/forum/topic4681-iredmail-support
-solved-how-to-bypass-amavisd-for-some-senders.html
# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = {
};
The problem is, I've got the impression that this policy_bank is set
wrong and doesn't serve the intended purpose to whitelist SENDERS --
neither incoming nor outgoing. Actually it seems to state nonsense.
To make it more clearly I moved the bypass_spam_checks_maps out of the
@bypass_spam_maps = ( '@whitelist_sender_maps') ;
tells the subroutine 'lookup' where and with which method (SQL, LDAP,
hash, access control list, regexp, constant) it should search. [1]
+ Second, if it is not stated otherwise it searches for the RECIPIENT's
envelope address. And I couldn't find anywhere that this very map is
Documentation for whitelisting [2] is talking about senders but only in
@blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.
But the same Document [3] states: "Using configuration variables
@bypass_virus_checks_maps, @bypass_banned_checks_maps,
@bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
... may suggest that certain tests are not needed ... . Although the
@bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
by some of the RECIPIENTS that certain check ... is to be bypassed ...
does not guarantee the test will not be performed. "
r_maps'. This means the subroutine interprets this as a constant and
doesn't make any sense in this context as it is neither an email
address nor a domain. -- Perl itself won't complain as the syntax is
still correct and there won't be a hit ever.
@bypass_spam_maps = (\%whitelist_sender);
bypass_spam_maps => [\%whitelist_sender],
would search for email addresses within the file /etc/amavis/whitelist,
I think. But as noted at my second point, those are sender addresses,
not the expected recipients.
Ah, global hard whitelisting of senders. How might it be done then. (Be
aware of the caveats of whitelisting!)
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sende
r_maps = (\%whitelist_sender);
in.domain.we.trust #full email domain
.we.trust #accepting sub domains
It should even be possible to set a sender whitelist within a policy
$policy_bank{'WHITELIST'} = {
whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
}
As already noted, these are my thoughts and I gladly accept
corrections.
Martin Johannes Dauser
1 https://www.ijs.si/software/amavisd/README.lookups.txt
2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
I defer to your greater understanding of amavis and perl, but at a
practical level the whitelist settings that I suggested above do work
for me.
Martin Johannes Dauser
2018-02-21 10:21:39 UTC
Permalink
Post by Dominic Raferd
On 16 February 2018 at 21:05, Dauser Martin Johannes
Post by Dauser Martin Johannes
Well this topic is quite old, still when searching for hard
whitelisting with amavisd-new you'll find this solution on
different
sites.
Dominic Raferd wrote on Dec 11 2016
    I use a whitelist with amavis: I have a file
/etc/amavis/whitelist
    which contains on each line either a comment (starting with
hash #),
    full email address or just a domain, and then in
    # whitelist some senders to save time and avoid false positives
    # - you can list full addresses or domains, one per line
    # idea from http://www.iredmail.org/forum/topic4681-iredmail-su
pport
    -solved-how-to-bypass-amavisd-for-some-senders.html
    # This policy will perform virus checks only.
    read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
    $interface_policy{'10026'} = 'VIRUSONLY';
    $policy_bank{'VIRUSONLY'} = {
,
};
The problem is, I've got the impression that this policy_bank is set
wrong and doesn't serve the intended purpose to whitelist SENDERS --
neither incoming nor outgoing. Actually it seems to state nonsense.
To make it more clearly I moved the bypass_spam_checks_maps out of the
tells the subroutine 'lookup' where and with which method (SQL, LDAP,
hash, access control list, regexp, constant) it should search. [1]
+ Second, if it is not stated otherwise it searches for the
RECIPIENT's
envelope address. And I couldn't find anywhere that this very map is
Documentation for whitelisting [2] is talking about senders but only in
@blacklist_sender_maps and
$per_recip_blacklist_sender_lookup_tables.
But the same Document [3] states: "Using configuration variables
@bypass_virus_checks_maps, @bypass_banned_checks_maps,
@bypass_header_checks_maps and @bypass_spam_checks_maps each
RECIPIENT
... may suggest that certain tests are not needed ... . Although the
@bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ...
Suggestion
by some of the RECIPIENTS that certain check ... is to be bypassed ...
does not guarantee the test will not be performed. "
ende
r_maps'. This means the subroutine interprets this as a constant and
doesn't make any sense in this context as it is neither an email
address nor a domain. -- Perl itself won't complain as the syntax is
still correct and there won't be a hit ever.
    bypass_spam_maps => [\%whitelist_sender],
would search for email addresses within the file
/etc/amavis/whitelist,
I think. But as noted at my second point, those are sender
addresses,
not the expected recipients.
Ah, global hard whitelisting of senders. How might it be done then. (Be
aware of the caveats of whitelisting!)
    read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
    r_maps = (\%whitelist_sender);
    in.domain.we.trust        #full email domain
    .we.trust                 #accepting sub domains
It should even be possible to set a sender whitelist within a policy
    $policy_bank{'WHITELIST'} = {
        whitelist_sender_maps => [
read_hash('/etc/amavis/whitelist') ],
    }
As already noted, these are my thoughts and I gladly accept
corrections.
Martin Johannes Dauser
1 https://www.ijs.si/software/amavisd/README.lookups.txt
2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
I defer to your greater understanding of amavis and perl, but at a
practical level the whitelist settings that I suggested above do work
for me.
That's no surprise to me as the first lines of your proposal do the
work, whereas @bypass_banned_checks_maps within your policy bank
probably does nothing but consuming a little bit of CPU time ;D

I successfully use now:

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');


$policy_bank{'INCOMMING'} = {
# set incomming mails as NOT-originating
originating                 => 0,

# mails from trusted envelope senders
# are whitelisted by Spamassassin
whitelist_sender_maps       => [ \%whitelist_sender ],

...
};

And /etc/amavis/whitelist just contains one full email address.
Dominic Raferd
2018-02-26 16:34:49 UTC
Permalink
On 21 February 2018 at 10:21, Martin Johannes Dauser
Post by Martin Johannes Dauser
Post by Dominic Raferd
On 16 February 2018 at 21:05, Dauser Martin Johannes
Post by Dauser Martin Johannes
Well this topic is quite old, still when searching for hard
whitelisting with amavisd-new you'll find this solution on
different
sites.
Dominic Raferd wrote on Dec 11 2016
I use a whitelist with amavis: I have a file
/etc/amavis/whitelist
which contains on each line either a comment (starting with hash #),
full email address or just a domain, and then in
# whitelist some senders to save time and avoid false positives
# - you can list full addresses or domains, one per line
# idea from http://www.iredmail.org/forum/topic4681-iredmail-su
pport
-solved-how-to-bypass-amavisd-for-some-senders.html
# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = {
,
};
The problem is, I've got the impression that this policy_bank is set
wrong and doesn't serve the intended purpose to whitelist SENDERS --
neither incoming nor outgoing. Actually it seems to state nonsense.
To make it more clearly I moved the bypass_spam_checks_maps out of the
@bypass_spam_maps = ( '@whitelist_sender_maps') ;
tells the subroutine 'lookup' where and with which method (SQL, LDAP,
hash, access control list, regexp, constant) it should search. [1]
+ Second, if it is not stated otherwise it searches for the RECIPIENT's
envelope address. And I couldn't find anywhere that this very map is
Documentation for whitelisting [2] is talking about senders but only in
@blacklist_sender_maps and
$per_recip_blacklist_sender_lookup_tables.
But the same Document [3] states: "Using configuration variables
@bypass_virus_checks_maps, @bypass_banned_checks_maps,
@bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
... may suggest that certain tests are not needed ... . Although the
@bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
by some of the RECIPIENTS that certain check ... is to be bypassed ...
does not guarantee the test will not be performed. "
ende
r_maps'. This means the subroutine interprets this as a constant and
doesn't make any sense in this context as it is neither an email
address nor a domain. -- Perl itself won't complain as the syntax is
still correct and there won't be a hit ever.
@bypass_spam_maps = (\%whitelist_sender);
bypass_spam_maps => [\%whitelist_sender],
would search for email addresses within the file
/etc/amavis/whitelist,
I think. But as noted at my second point, those are sender
addresses,
not the expected recipients.
Ah, global hard whitelisting of senders. How might it be done then. (Be
aware of the caveats of whitelisting!)
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sende
r_maps = (\%whitelist_sender);
in.domain.we.trust #full email domain
.we.trust #accepting sub domains
It should even be possible to set a sender whitelist within a policy
$policy_bank{'WHITELIST'} = {
whitelist_sender_maps => [
read_hash('/etc/amavis/whitelist') ],
}
As already noted, these are my thoughts and I gladly accept
corrections.
Martin Johannes Dauser
1 https://www.ijs.si/software/amavisd/README.lookups.txt
2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
I defer to your greater understanding of amavis and perl, but at a
practical level the whitelist settings that I suggested above do work
for me.
That's no surprise to me as the first lines of your proposal do the
probably does nothing but consuming a little bit of CPU time ;D
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
$policy_bank{'INCOMMING'} = {
# set incomming mails as NOT-originating
originating => 0,
# mails from trusted envelope senders
# are whitelisted by Spamassassin
whitelist_sender_maps => [ \%whitelist_sender ],
...
};
And /etc/amavis/whitelist just contains one full email address.
Thanks, I believe you are correct. I have now updated my 50-user.conf to this:
$interface_policy{'10024'} = 'INCOMING';
$policy_bank{'INCOMING'} = {
whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
};

and when an email comes through from a sender in whitelist I see these
headers are added, provided I have $sa_tag_level_deflt set
sufficiently low (e.g. -14):
X-Spam-Score: 0
X-Spam-Status: No, score=x tagged_above=-14 required=4 WHITELISTED
tests=[] autolearn=unavailable
Dominic Raferd
2018-03-21 14:35:50 UTC
Permalink
Post by Dominic Raferd
$interface_policy{'10024'} = 'INCOMING';
$policy_bank{'INCOMING'} = {
whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
};
Note that this whitelisting technique works on the address given in the
'From:' header​, not the envelope sender (aka Return-Path).

Each address in /etc/amavis/whitelist (one per line, comments and blank
lines are ignored) can be whole email address, domain only, or domain
preceded by dot in which case it matches emails from domain *and* any
subdomains:

# example amavis whitelist file

amavis-***@amavis.org
.currys.co.uk
zpg.co.uk

​After updating the file you (probably - untested) have to reload amavis
for it to take account of the changes.​ If you have systemd:
systemctl reload-or-restart amavis
Martin Johannes Dauser
2018-03-21 16:44:44 UTC
Permalink
Regarding that whitelist_sender_maps would work on 'From:' header, not
the envelope sender, I can not comply!
I set buxdehu.de in whitelist 
Then I telnet to my mailserver 
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.cs.sbg.ac.at ESMTP Postfix (RHEL/GNU)
EHLO mail.cs.sbg.ac.at
250-mail.cs.sbg.ac.at
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<***@buxdehu.de>
250 2.1.0 Ok
RCPT TO:<***@cs.sbg.ac.at>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
FROM: ***@la.la
SUBJECT: testmail


test
.
250 2.0.0 Ok: queued as 31F66200A4D2
QUIT
And I get X-spam-status: No, score=x required=6 WHITELISTED tests=[]
So at least in my setup it's the envelope sender which is observed.
A failure of mine in the previous posts was, that I used quotes within
the files for whitelisting.Thats's a baaad idea.
Best regardsMartin Johannes Dauser
Post by Dominic Raferd
Post by Dominic Raferd
$interface_policy{'10024'} = 'INCOMING';
$policy_bank{'INCOMING'} = {
  whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
};
 
Note that this whitelisting technique works on the address given in
the 'From:' header, not the envelope sender (aka Return-Path).
Each address in /etc/amavis/whitelist (one per line, comments and
blank lines are ignored) can be whole email address, domain only, or
domain preceded by dot in which case it matches emails from domain
# example amavis whitelist file
After updating the file you (probably - untested) have to reload
amavis for it to take account of the changes. If you have
systemd:systemctl reload-or-restart amavis
Dominic Raferd
2018-03-21 17:44:31 UTC
Permalink
Regarding that whitelist_sender_maps would work on 'From:' header, not the
envelope sender, I can not comply!
I set buxdehu.de in whitelist
Then I telnet to my mailserver
$ *telnet localhost 25*
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.cs.sbg.ac.at ESMTP Postfix (RHEL/GNU)
*EHLO mail.cs.sbg.ac.at <http://mail.cs.sbg.ac.at>*
250-mail.cs.sbg.ac.at
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
*DATA*
354 End data with <CR><LF>.<CR><LF>
*SUBJECT: testmail*
*test*
*.*
250 2.0.0 Ok: queued as 31F66200A4D2
*QUIT*
And I get
X-spam-status: No, score=x required=6 WHITELISTED tests=[]
So at least in my setup it's the envelope sender which is observed.
A failure of mine in the previous posts was, that I used quotes within the
files for whitelisting.
Thats's a baaad idea.
Best regards
Martin Johannes Dauser
$interface_policy{'10024'} = 'INCOMING';
$policy_bank{'INCOMING'} = {
whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
};
Note that this whitelisting technique works on the address given in the
'From:' header, not the envelope sender (aka Return-Path).
Each address in /etc/amavis/whitelist (one per line, comments and blank
lines are ignored) can be whole email address, domain only, or domain
preceded by dot in which case it matches emails from domain *and* any
# example amavis whitelist file
.currys.co.uk
zpg.co.uk
After updating the file you (probably - untested) have to reload amavis
systemctl reload-or-restart amavis
​Interesting but in my setup it is definitely the From: header that is
compared, I have numerous examples, and I cannot find a single
counter-example (where an email is whitelisted and the whitelist can only
be because of the envelope sender).​ I guess there must be some subtle
difference in our setup?

Continue reading on narkive:
Loading...