bypass amavisd after OK from policy daemon?

Franz Schwartau franz at electromail.org
Tue Aug 6 10:58:21 CEST 2013


Hi Patrick!

On Tue, Aug 06, 2013 at 08:37:09AM +0200, Patrick Ben Koetter wrote:
> * Franz Schwartau <franz at electromail.org>:
> > Hi Noel,
> > 
> > thanks for your answer.
> > 
> > On 05.08.2013 18:31, Noel Jones wrote:
> > > On 8/5/2013 10:42 AM, Franz Schwartau wrote:
> > >> Dear list,
> > >>
> > >> I configured postfix to use amavisd as a SMTP proxy (smtpd_proxy_filter). Now I'd like to skip amavisd if a policy daemon called in smtpd_recipient_restrictions returns OK.
> > >>
> > >> Has anyone any idea how to accomplish this?
> > >>
> > >> As far as I understood postfix' restrictions there is no "final" OK skipping any further checks.
> > > 
> > > The insurmountable problem is that amavisd is called before the
> > > policy server is ever run.
> > > Any bypass will need to be in amavisd itself.
> > > 
> > > The built-in bypass mechanisms in amavisd-new are the various
> > > bypass* and *lovers parameters. If they can't do what you want,
> > > custom code will be needed.
> > 
> > I'm aware of the fact that amavisd is run before the policy daemon if
> > configured as a smtpd_proxy_filter. This is why I asked "Is there any
> > way to flag anything so amavisd skips its checks?"
> > 
> > The only way I found so far is to set an extra header in postfix via
> > PREPEND. This extra header can be evaluated by spamassassin setting a
> > very low score. Unfortunately this doesn't cover virus or bad header checks.
> > 
> > amavisd's bypass and lovers maps are for recipients, only.
> > 
> > Any idea how amavisd can be configured to skip checks if an extra header
> > is set?
> 
> Not unless you add (read: program) a custom class.
> 
> What problem do you need to solve? Maybe we can use a different approach.

Basically I'd like to skip any further checks based on a result of a policy daemon.

I use smtpd_recipient_restrictions to ask a policy server using check_policy_service. This policy server implements black- and whitelisting depending on the recipient domain. The parameters for black- or whitelisting are stored in a SQL database. The parameters can be of all types (client name, client address, hello parameter, sender, recipient). If some parameter is whitelisted, amavisd shouldn't perform any checks.

BTW. I know SMTP is a multi recipient protocol. Black- and whitelisting can be complicated. But please don't let us discuss it here. Maybe I have to use another call to a policy daemon in smtpd_data_restrictions to solve multiple recipient problems.

So I'm looking for a possibility to skip checks within amavisd based on some criteria, e.g. special header is present, external file based on queue id is present.

	Best regards
		Franz
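
The policy lookup described in the message above, sketched as an added example that is not part of the original post and not Franz's policy server: it parses one Postfix policy delegation request, checks the listed attribute types per recipient domain, and answers with PREPEND (the workaround mentioned in the thread) instead of OK. Assumptions: the in-memory tables stand in for the SQL database, the header name X-Policy-Whitelisted is hypothetical, and blacklist entries take precedence over whitelist entries.

```python
"""Added example: Postfix policy delegation handler (constructed data)."""
# Stand-in for the SQL tables: recipient domain -> attribute -> listed values.
WHITELIST = {"example.org": {"client_address": {"192.0.2.10"},
                             "sender": {"partner@example.net"}}}
BLACKLIST = {"example.org": {"helo_name": {"bad.example.com"}}}
# The attribute types named in the post, as Postfix sends them.
CHECKED = ("client_name", "client_address", "helo_name", "sender", "recipient")
FLAG_HEADER = "X-Policy-Whitelisted"  # hypothetical header name

# Constructed request, in the name=value form Postfix sends at RCPT TO.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nclient_name=mail.example.net\n"
          "helo_name=mail.example.net\nsender=someone@example.net\n"
          "recipient=user@example.org\n\n")

def parse_request(text):
    """Read name=value lines up to the empty line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def first_match(table, domain, attrs):
    """Return the first attribute whose value is listed for this domain."""
    rules = table.get(domain, {})
    for name in CHECKED:
        if attrs.get(name, "").lower() in rules.get(name, ()):
            return name
    return None

def decide(attrs):
    """Map one request to an access(5) action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    domain = attrs.get("recipient", "").lower().rpartition("@")[2]
    if first_match(BLACKLIST, domain, attrs):  # assumption: blacklist wins
        return "REJECT blacklisted for this recipient domain"
    hit = first_match(WHITELIST, domain, attrs)
    # PREPEND marks the message instead of ending the checks with OK.
    return f"PREPEND {FLAG_HEADER}: {hit}" if hit else "DUNNO"

def reply(request_text):
    """Format the response: one action line, then an empty line."""
    return f"action={decide(parse_request(request_text))}\n\n"

if __name__ == "__main__":
    print(reply(SAMPLE), end="")
```

Any sender can put the same header into a message, so a flag like this is only meaningful if copies arriving from outside are stripped or ignored before anything downstream trusts it.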


More information about the amavis-users mailing list