Clearing contents_category from a custom hook?

Mark Martinec Mark.Martinec+amavis at
Tue Feb 28 15:21:42 CET 2012


> I've written a custom whitelist-hook in the custom's file, where a
> whitelist-file is loaded, and matched against both body and envelope from
> addresses.
> ( I know that a whitelist metodh is only supposed to match against the
> envelope address, but then I'd just as well use amavis' own whitelist
> function, but since it's an requirement from the users that they can
> whitelist both body and envelope addresses, I have to do it this way )

The white/black-listing in amavisd was based only on envelope sender
address in versions older than 2.6.0.  Starting with 2.6.0, both the envelope
and the author address are taken into account.

amavisd-new-2.6.0 release notes:


- white and blacklisting now takes into account both the SMTP envelope
  sender address, as well as the author address from a header section
  (address(es) in a 'From:' header field). Note that whitelisting
  based only on a sender-specified address is mostly useless nowadays.
  For a reliable whitelisting see @author_to_policy_bank_maps below,
  as well as a set of whitelisting possibilities in SpamAssassin (based
  on DKIM, SPF, or on Received header fields);

> But in the case, where there is a banned file attached to an email from a
> whitelisted address, the email is banned anyway.

Whitelisting based on information provided by the sender may be
acceptable for low-risk decisions like spam filtering, but should
not be used to bypass banning or virus checks. Use DKIM-based
whitelisting for such purpose:

amavisd-new-2.6.0 release notes:

- loading of policy banks based on valid DKIM-signed author's address
  can be used for reliable whitelisting, for bypassing banned checks, etc.


- a new configuration variable @author_to_policy_bank_maps (also a member
  of policy banks) is a list of lookup tables (typically only a hash-type
  lookup table is used), which maps author addresses(es) (each address in
  a 'From:' header field - typically only one) to one or more policy bank
  names (a comma-separated list of names).

  A match can only occur if a valid DKIM author domain signature or a valid
  DKIM third-party signature is found, so in as much as one can trust the
  signing domain, loading of arbitrary policy banks can be safe, offering
  a flexibility of whitelisting against spam (absolute or just contributing
  score points), bypassing of checks (banned, virus, bad-header), using
  less restrictive banned rules for certain senders, by-sender routing,
  turning quarantining/archiving on/off, and other tricks offered by the
  existing policy bank loading mechanisms.

  When a message has a valid DKIM (or DomainKeys) author domain signature
  (i.e. when a 'From:' address matches a signing identity according to DKIM
  (RFC 4871) or DomainKeys (RFC 4870) rules), a lookup key is an unchanged
  author address and the usual lookup rules apply (README.lookups - hash

  When a valid third-party signature is found, a lookup key (author address)
  is extended by a '/@' and a lowercased signing domain, as shown in the
  example below.

  The semantics is very similar to a whitelist_from_dkim feature in
  SpamAssassin, but is more flexible as is allows any dynamic amavisd
  setting to be changed depending on author address, not just skipping
  of spam checks.

  A few examples of a SpamAssassin's whitelist_from_dkim (as in
  along with equivalent amavisd @author_to_policy_bank_maps entries follow.

  To whitelist any From address with a domain when a message
  has a valid author domain signature (i.e. a signature by the same domain):
    SA:  whitelist_from_dkim  *
    am:  '' => 'WHITELIST',
  which is equivalent to a lengthy but redundant:
    SA:  whitelist_from_dkim  *
    am:  '' => 'WHITELIST',

  Similar to above, but applies to subdomains of carrying
  a valid author domain signature (i.e. signature BY THE SAME SUBDOMAIN):
    SA:  whitelist_from_dkim  *@*
    am:  '' => 'WHITELIST',
  Note that in amavisd hash lookups a '' implies a parent
  domain '' too, while in SpamAssassin and in Postfix maps
  a parent domain needs its own entry if desired.

  To whitelist From addresses from subdomains of which carry
  a valid third-party signature of its parent domain:
    SA:  whitelist_from_dkim  *@*
    am: '' => 'WHITELIST',

  To whitelist any From address as long as a message has a valid DKIM
  or DomainKeys signature by, i.e. a third-party signature.
  Typical for mailing lists or discussion groups which sign postings.
    SA:  whitelist_from_dkim  *@*
    am:  './' => 'WHITELIST',

  Here is a complete example that can be included in amavisd.conf:

  @author_to_policy_bank_maps = ( {
  # 'user1 at'   => 'WHITELIST,NOBANNEDCHECK',
    ''                => 'WHITELIST',
    ''              => 'WHITELIST',
    '' => 'WHITELIST',
    ''                  => 'WHITELIST',
    ''                  => 'WHITELIST',
    ''                  => 'WHITELIST',
    ''                  => 'WHITELIST',
    '' => 'WHITELIST',
    ''            => 'WHITELIST',
    ''              => 'WHITELIST',  # author domain signatures
    './'            => 'WHITELIST',  # 3rd-party sign. by
    ''  => 'WHITELIST',
    ''=> 'WHITELIST',
    ''               => 'WHITELIST',
    ''                => 'WHITELIST',
    ''             => 'WHITELIST',
    ''                => 'WHITELIST',
    ''                 => 'WHITELIST',
    ''                => 'WHITELIST',
    ''        => 'WHITELIST',
    ''         => 'WHITELIST',
    '' => 'WHITELIST',
    ''            => 'MILD_WHITELIST',
    ''               => 'MILD_WHITELIST',
    ''           => 'MILD_WHITELIST',
    './'      => 'MILD_WHITELIST',
    './'       => 'MILD_WHITELIST',
    './'     => 'MILD_WHITELIST',
    './'       => 'MILD_WHITELIST',
    ''            => 'MILD_WHITELIST',
    ''               => 'MILD_WHITELIST',
    'dailyhoroscope at' => 'MILD_WHITELIST',
  } );

  $policy_bank{'MILD_WHITELIST'} = {
    score_sender_maps => [ { '.' => [-1.8] } ],

  $policy_bank{'WHITELIST'} = {
    bypass_spam_checks_maps => [1],
    spam_lovers_maps => [1],

  $policy_bank{'NOVIRUSCHECK'} = {
    bypass_decode_parts => 1,
    bypass_virus_checks_maps => [1],
    virus_lovers_maps => [1],

  $policy_bank{'NOBANNEDCHECK'} = {
    bypass_banned_checks_maps => [1],
    banned_files_lovers_maps  => [1],

> I'd like to reset the contents_category to CC_CLEAN in the case where my
> own whitelist has cleared the email. Is that possible?
> I'm able to get the current status of the email from per_recip_data and
> contents_category, where I can see that the email has been flagged in
> CC_CLEAN and CC_BANNED ( 1 and 8 ).

Something like this should do:


    for my $r (@{$msginfo->per_recip_data}) {


More information about the amavis-users mailing list