Pflogsumm emails through amavisd and SA hitting BAYES_99

Simon Wilson simon at simonandkate.net
Fri Apr 28 14:21:36 CEST 2017


>>>> Hi all,
>>>>
>>>> I have pflogsumm running log summaries on my postfix install, and sending
>>>> to an address that resolves locally. All is on localhost, which is a newly
>>>> installed CentOS7 server, amavisd-new 2.10.1 from EPEL.
>>>>
>>>> The pflogsumm emails from root are triggering BAYES_99 as they go through
>>>> amavisd-new and spamassassin, and are often ending up marked as spam.
>>>>
>>>> What's the best way to ensure that those are not flagged as spam, or
>>>> potentially to whitelist them somehow?
>>>
>>> You can whitelist sender addresses, would this solve your problem? I have
>>> these lines in /etc/amavis/conf.d/50-user:
>>>
>>> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
>>> @whitelist_sender_maps = (\%whitelist_sender);
>>>   bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
>>>   bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
>>>   bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
>>>
>>> File /etc/amavis/whitelist contains a line-by-line list of whitelisted
>>> addresses. To whitelist a whole domain, just precede with a dot. Examples:
>>>
>>> fred at bloggs.com
>>> .spammers-united.com
>>>
>>> HTH, Dominic
>>
>> ----- End message from Dominic Raferd <dominic at timedicer.co.uk> -----
>>
>> Thanks Dominic... it seems like a bit of a 'sledgehammer' to  
>> whitelist a sender address, when sender addresses can be spoofed.  
>> Perhaps I'm being paranoid :) Keen to hear feedback on that (the  
>> approach, not whether I am paranoid :) ).
>>
>> One thing I just noticed is that pflogsumm emails are dropped into  
>> Postfix (and thence into Amavisd) via postfix/pickup not  
>> postfix/smtpd. I wonder if there is a way there to mark emails from  
>> localhost root that are fed into postfix/pickup as being not  
>> spam-checked.
>>
>> Simon.
>>
>>  
>
> ----- End message from Simon Wilson <simon at simonandkate.net> -----
>  

OK, I've added an additional listening port for amavisd (10028),  
assigned a policy bank that bypasses spam checks, and have added the  
content_filter override to postfix's pickup service - and all works as  
planned. The pflogsumm emails no longer get spam checked. 

So my question is whether in so doing I have opened up any  
vulnerabilities that I have not thought of... I suppose I could alter  
the spam check to look for emails only sent to me... but that seems a  
little like doing something that I will later end up wondering why  
something else's not working. 

Anyone any thoughts?

Simon

amavisd.conf:

  $inet_socket_port = [10024,10026,10028];  # listen on multiple TCP ports
   
  $interface_policy{'10028'} = 'VIRUSONLY';
   
  $policy_bank{'VIRUSONLY'} = {  # mail from the pickup daemon
     originating => 1,
     bypass_spam_checks_maps   => [1],  # don't spam-check this mail
     bypass_banned_checks_maps => [1],  # don't banned-check this mail
     bypass_header_checks_maps => [1],  # don't header-check this mail
  };

 
  ___________
Simon Wilson
M: 0400 12 11 16
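
One way to audit the Postfix side of the setup described in this message, as an added example that is not part of the original post: it parses master.cf and reports any service other than pickup whose content_filter points at the spam-bypass port 10028, or a bypass filter target that is not on loopback. The master.cf sample, the `smtp-amavis` transport name and the function names are constructed for illustration.

```python
import re

BYPASS_PORT = "10028"  # spam-bypass amavisd port from the post

# Constructed master.cf sample (assumption: the service layout and the
# "smtp-amavis" transport name are illustrative, not taken from the post).
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
submission inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup     unix  n       -       n       60      1       pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10028
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines starting with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored by Postfix
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def filter_routes(text):
    """Map 'service/type' -> (command, content_filter value) from -o overrides."""
    routes = {}
    for line in logical_lines(text):
        fields = line.split()
        m = re.search(r"-o\s+content_filter=(\S+)", line)
        if len(fields) >= 8 and m:  # 8th field is the daemon command
            routes[f"{fields[0]}/{fields[1]}"] = (fields[7], m.group(1))
    return routes

def audit(text, bypass_port=BYPASS_PORT):
    """Flag any use of the bypass port other than pickup -> loopback."""
    findings = []
    for svc, (command, target) in filter_routes(text).items():
        if not target.endswith(":" + bypass_port):
            continue
        if command != "pickup":
            findings.append(f"{svc}: {command} service routed to spam-bypass port")
        if "[127.0.0.1]" not in target and "[::1]" not in target:
            findings.append(f"{svc}: bypass filter target is not on loopback")
    return findings
```
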