whitelist sender domain

Dauser Martin Johannes mdauser at cs.sbg.ac.at
Fri Feb 16 22:05:30 CET 2018


Well, this topic is quite old; still, when searching for hard
whitelisting with amavisd-new you'll find this solution on different
sites.

Dominic Raferd wrote on Dec 11 2016

    I use a whitelist with amavis: I have a file /etc/amavis/whitelist
    which contains on each line either a comment (starting with hash #),
    full email address or just a domain, and then in
    /etc/amavis/conf.d/50-user I have lines like this:

    # whitelist some senders to save time and avoid false positives
    # - you can list full addresses or domains, one per line
    # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
    # This policy will perform virus checks only.
    read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
    @whitelist_sender_maps = (\%whitelist_sender);

    $interface_policy{'10026'} = 'VIRUSONLY';
    $policy_bank{'VIRUSONLY'} = {
        bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
        bypass_banned_checks_maps => ['@whitelist_sender_maps'],
        bypass_header_checks_maps => ['@whitelist_sender_maps'],
    };


The problem is, I've got the impression that this policy_bank is set
wrong and doesn't serve the intended purpose to whitelist SENDERS --
neither incoming nor outgoing. Actually it seems to state nonsense.
Here are my thoughts and I gladly accept corrections:
 
To make it clearer, I moved the bypass_spam_checks_maps out of the
hash/associative array:

    @bypass_spam_maps = ('@whitelist_sender_maps');

+ First, and this took me a while to fully realise, @*_maps just
tells the subroutine 'lookup' where and with which method (SQL, LDAP,
hash, access control list, regexp, constant) it should search. [1]

+ Second, if it is not stated otherwise it searches for the RECIPIENT's
envelope address. And I couldn't find anywhere that this very map is
meant to search for senders: 

Documentation for whitelisting [2] is talking about senders but only in
conjunction with the lookup tables @whitelist_sender_maps,
@blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.

But the same document [3] states: "Using configuration variables
@bypass_virus_checks_maps, @bypass_banned_checks_maps,
@bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
... may suggest that certain tests are not needed ... . Although the
@bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
by some of the RECIPIENTS that certain check ... is to be bypassed ...
does not guarantee the test will not be performed."

So you can't set whitelisted senders with @bypass_*_maps.

+ Third, looking at my code line above @bypass_spam_maps is an
array/"list" containing one member, which is a STRING
'@whitelist_sender_maps'. This means the subroutine interprets this as
a constant and returns this very string '@whitelist_sender_maps' as a
value, which doesn't make any sense in this context as it is neither an
email address nor a domain. -- Perl itself won't complain as the syntax
is still correct and there won't be a hit ever.

    @bypass_spam_maps = (\%whitelist_sender);

or within the policy bank I guess:

    bypass_spam_maps => [\%whitelist_sender],

would search for email addresses within the file /etc/amavis/whitelist,
I think. But as noted at my second point, those are sender addresses,
not the expected recipients.


Ah, global hard whitelisting of senders. How might it be done, then? (Be
aware of the caveats of whitelisting!)

    read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
    @whitelist_sender_maps = (\%whitelist_sender);

And content of /etc/amavis/whitelist:

    some.trustworthy@doma.in  #full email address
    some.trustworthy@         #full local part
    in.domain.we.trust        #full email domain
    .we.trust                 #accepting sub domains


It should even be possible to set a sender whitelist within a policy
bank:

    $policy_bank{'WHITELIST'} = {
        whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
    };


As already noted, these are my thoughts and I gladly accept
corrections.

Martin Johannes Dauser


1 https://www.ijs.si/software/amavisd/README.lookups.txt

2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
 
3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
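
An added example, not part of the original post and not amavisd-new's own code: a simplified Perl model of how a hash lookup table could match a sender address against the four key forms in the whitelist file above. The lookup order is an assumption based on README.lookups [1] (recipient-delimiter handling and the catch-all `.` key are left out), the function names are hypothetical, and the sample addresses are constructed.

```perl
#!/usr/bin/perl
# Added example: simplified model of a hash lookup for a sender address.
use strict;
use warnings;

# Parse whitelist text: one key per line, '#' starts a comment.
# Simplification: quoted keys containing '#' are not handled.
sub parse_whitelist {
    my ($text) = @_;
    my %h;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;            # drop full-line or trailing comment
        $line =~ s/^\s+|\s+$//g;     # trim surrounding whitespace
        next if $line eq '';
        my ($key) = split ' ', $line;
        $h{lc $key} = 1;             # keys are compared in lower case
    }
    return \%h;
}

# Candidate keys for one address, most specific first (assumed order).
sub lookup_keys {
    my ($addr) = @_;
    my ($local, $domain) = lc($addr) =~ /^(.*)\@([^\@]*)$/ or return ();
    my @keys = ("$local\@$domain", "$local\@", $domain);
    my @labels = split /\./, $domain;
    while (@labels) {                # .sub.example.com, .example.com, .com
        push @keys, '.' . join('.', @labels);
        shift @labels;
    }
    return @keys;
}

# Return the first key that hits, or undef when nothing matches.
sub sender_match {
    my ($table, $addr) = @_;
    for my $k (lookup_keys($addr)) { return $k if $table->{$k} }
    return;
}

my $table = parse_whitelist(<<'EOF');
# constructed sample using the four key forms from the post
some.trustworthy@doma.in  #full email address
some.trustworthy@         #full local part
in.domain.we.trust        #full email domain
.we.trust                 #accepting sub domains
EOF
for my $sender (qw(some.trustworthy@else.example bob@in.domain.we.trust
                   bob@mail.we.trust bob@we.trust bob@wetrust.example)) {
    my $hit = sender_match($table, $sender);
    printf "%-32s %s\n", $sender, defined $hit ? "key '$hit'" : 'no match';
}
```

Run it with `perl` to see which key each constructed sender hits; in this model a dotted key such as `.we.trust` covers both the bare domain and its subdomains.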




