whitelist sender domain

Dominic Raferd dominic at timedicer.co.uk
Sun Dec 11 09:10:55 CET 2016


I have a similar setup. I too see these statements in amavis log
messages that it is RelayedOpenRelay but in fact with my setup it is
not. I think amavis is just warning you that you *may* have an open
relay. You should have postfix set so that it is not an open relay, of
course, and I don't think amavis is the best way to do this.

I use a whitelist with amavis: I have a file /etc/amavis/whitelist
which contains on each line either a comment (starting with hash #), a
full email address or just a domain, and then in
/etc/amavis/conf.d/50-user I have lines like this:

# whitelist some senders to save time and avoid false positives
# - you can list full addresses or domains, one per line
# idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = {
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
};

The idea is that all mails will still be passed to amavis which will
submit them for virus check, but whitelisted sender addresses will not
be checked for other things.

As far as I can tell this is working fine, although I am *not* an
amavis expert. Other suggestions welcome.

Dominic

On 11 December 2016 at 06:24, Asif Iqbal <vadud3 at gmail.com> wrote:
> I am running amavisd-new with postfix and I'd like to skip content filter for
> senders with domain example.com
>
> I do have amavisd-new setup with postfix like this where amavisd is setup as
> the content_filter globally like below
>
> # cat /etc/postfix/main.cf
>
> ...
> content_filter = amavisfeed:[127.0.0.1]:10024
> ...
>
> # cat /etc/postfix/master.cf
> ...
>
> amavisfeed unix    -       -       n        -      2     lmtp
>     -o lmtp_data_done_timeout=1200
>     -o lmtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
>
> 127.0.0.1:10025 inet n    -       n       -       -     smtpd
>     -o content_filter=
>     -o smtpd_delay_reject=no
>     -o smtpd_client_restrictions=permit_mynetworks,reject
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o smtpd_data_restrictions=reject_unauth_pipelining
>     -o smtpd_end_of_data_restrictions=
>     -o smtpd_restriction_classes=
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000
>     -o smtpd_client_connection_count_limit=0
>     -o smtpd_client_connection_rate_limit=0
>     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
>     -o local_header_rewrite_clients=
>     -o smtpd_milters=
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>
> # netstat -tunlp | grep 10024
> tcp        0      0 127.0.0.1:10024             0.0.0.0:*       LISTEN      26131/amavisd (mast
> tcp        0      0 ::1:10024                   :::*            LISTEN      26131/amavisd (mast
>
> # netstat -tunlp | grep 10025
> tcp        0      0 127.0.0.1:10025             0.0.0.0:*       LISTEN      28242/smtpd
>
> # ps -ef | grep 26131
> amavis   26131     1  0 05:49 ?        00:00:02 /usr/sbin/amavisd (master)
> amavis   28157 26131  0 14:22 ?        00:00:01 /usr/sbin/amavisd (ch6-28157-06-3)
> amavis   28322 26131  4 14:27 ?        00:00:06 /usr/sbin/amavisd (ch5-28322-05-7)
>
> # ps -ef | grep 28242
> postfix  28242 29732  0 14:25 ?        00:00:00 smtpd -n 127.0.0.1:10025 -t
> inet -u -o content_filter= -o smtpd_delay_reject=no -o
> smtpd_client_restrictions=permit_mynetworks,reject -o
> smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
> smtpd_recipient_restrictions=permit_mynetworks,reject -o
> smtpd_data_restrictions=reject_unauth_pipelining -o
> smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o
> mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o
> smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o
> smtpd_client_connection_count_limit=0 -o
> smtpd_client_connection_rate_limit=0 -o
> receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
> -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=
> -o relay_recipient_maps=
>
>
> And in amavisd.conf file I am using whitelist domains and email addresses
> like below
>
> # cat /etc/amavisd/amavisd.conf
>
> ...
>
> read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
> ...
>
> $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
>   originating => 1,  # declare that mail was submitted by our smtp client
>   allow_disclaimers => 1,  # enables disclaimer insertion if available
>   # notify administrator of locally originating malware
>   virus_admin_maps => ["virusalert\@$mydomain"],
>   spam_admin_maps  => ["virusalert\@$mydomain"],
>   warnbadhsender   => 1,
>   # forward to a smtpd service providing DKIM signing service
>   forward_method => 'smtp:[127.0.0.1]:10027',
>   # force MTA conversion to 7-bit (e.g. before DKIM signing)
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
>   bypass_spam_checks_maps => ['@whitelist_sender_maps'],  # don't spam-check this mail
>   bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # was [1] allow sending any file names and types
>   bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
>   terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
> };
>
> ...
>
> # cat /etc/amavisd/whitelist
> here at example.com
> eample.net
>
>
> How do I make sure it is working? After I configured like below, I restarted
> amavisd and postfix and I am seeing a lot of
> ``RelayedOpenRelay'' like below..
>
>
> Dec 11 01:10:02 myhost amavis[12264]: (12264-08) Passed CLEAN
> {RelayedOpenRelay}, [192.168.0.220]:51381 [192.168.0.220] <foo at example2.net>
> -> <bar at juniper.net>, Message-ID: <20161211061002.7CDF95F777 at example3.net>,
> mail_id: jTfE0zqJExAe, Hits: -1.899, size: 1920, queued_as: EB9F49ED41, 440
> ms
>
> I have not used amavisd with postfix like this before and please let me know
> how I can achieve whitelisting some of the sender addresses and sender
> domains and not making the mail server an openrelay.
>
>
> Thanks for your help!
>
>
>
>
>
>
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
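
On the "How do I make sure it is working?" question in the thread, the following is an added example, not code from either poster or from the amavis project: it audits "Passed" log lines against the whitelist file and reports whitelisted senders that were still spam-scored, and non-whitelisted senders whose spam check was skipped. It assumes amavis logs `Hits: -` when spam checks were not run and that a whitelist entry matches an exact address or an exact domain; the function names, whitelist and log lines are constructed for illustration.

```python
import re

# Constructed whitelist in the format described above: comments, addresses, domains.
WHITELIST = """\
# partners
example.com
alice@example.net
"""

# Constructed log lines shaped like the "Passed CLEAN" entry quoted in the thread.
LOG = """\
Dec 11 01:10:02 myhost amavis[12264]: (12264-08) Passed CLEAN {RelayedOpenRelay}, [192.168.0.220]:51381 [192.168.0.220] <foo@example.com> -> <bar@example.org>, Message-ID: <m1@example.com>, mail_id: AAAAAAAAAAAA, Hits: -1.899, size: 1920, queued_as: 1111111111, 440 ms
Dec 11 01:11:07 myhost amavis[12264]: (12264-09) Passed CLEAN {RelayedOpenRelay}, [192.168.0.220]:51390 [192.168.0.220] <alice@example.net> -> <bar@example.org>, Message-ID: <m2@example.net>, mail_id: BBBBBBBBBBBB, Hits: -, size: 2048, queued_as: 2222222222, 95 ms
Dec 11 01:12:30 myhost amavis[12264]: (12264-10) Passed CLEAN {RelayedOpenRelay}, [192.168.0.220]:51402 [192.168.0.220] <stranger@example.invalid> -> <bar@example.org>, Message-ID: <m3@example.invalid>, mail_id: CCCCCCCCCCCC, Hits: -, size: 900, queued_as: 3333333333, 80 ms
"""

# Envelope sender is the first <...> before " -> "; the score follows "Hits: ".
ENTRY = re.compile(r"<([^<>]*)> -> .*?\bHits: ([^,\s]+)")


def load_whitelist(text):
    """Return lower-cased entries, skipping blank lines and '#' comment lines."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def is_whitelisted(sender, whitelist):
    """Match on the full address or on the exact domain part (assumption)."""
    sender = sender.lower()
    return sender in whitelist or sender.rpartition("@")[2] in whitelist


def audit(log_text, whitelist):
    """List (sender, hits, problem) for every line where bypass and whitelist disagree."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        sender, hits = match.groups()
        bypassed = hits == "-"  # assumption: "-" means no spam score was computed
        listed = is_whitelisted(sender, whitelist)
        if listed and not bypassed:
            findings.append((sender, hits, "whitelisted but still spam-scored"))
        elif bypassed and not listed:
            findings.append((sender, hits, "not whitelisted but spam check skipped"))
    return findings
```

An empty result from `audit()` means the bypass applied to exactly the whitelisted senders; the second kind of finding indicates the policy bank is skipping checks more broadly than the whitelist intends.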

