whitelist sender domain

Dominic Raferd dominic at timedicer.co.uk
Sat Feb 17 10:49:40 CET 2018


On 16 February 2018 at 21:05, Dauser Martin Johannes
<mdauser at cs.sbg.ac.at> wrote:
> Well this topic is quite old, still when searching for hard
> whitelisting with amavisd-new you'll find this solution on different
> sites.
>
> Dominic Raferd wrote on Dec 11 2016
>
>     I use a whitelist with amavis: I have a file /etc/amavis/whitelist
>     which contains on each line either a comment (starting with hash #),
>     full email address or just a domain, and then in
>     /etc/amavis/conf.d/50-user I have lines like this:
>
>     # whitelist some senders to save time and avoid false positives
>     # - you can list full addresses or domains, one per line
>     # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
>     # This policy will perform virus checks only.
>     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
>     @whitelist_sender_maps = (\%whitelist_sender);
>
>     $interface_policy{'10026'} = 'VIRUSONLY';
>     $policy_bank{'VIRUSONLY'} = {
>         bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
>         bypass_banned_checks_maps => ['@whitelist_sender_maps'],
>         bypass_header_checks_maps => ['@whitelist_sender_maps'],
>     };
>
>
> The problem is, I've got the impression that this policy_bank is set
> wrong and doesn't serve the intended purpose to whitelist SENDERS --
> neither incoming nor outgoing. Actually it seems to state nonsense.
> Here are my thoughts and I gladly accept corrections:
>
> To make it clearer I moved the bypass_spam_checks_maps out of the
> hash/associative array:
>
>     @bypass_spam_maps = ('@whitelist_sender_maps');
>
> + First, and this took me a while to fully realise, @*_maps just
> tells the subroutine 'lookup' where and with which method (SQL, LDAP,
> hash, access control list, regexp, constant) it should search. [1]
>
> + Second, if it is not stated otherwise it searches for the RECIPIENT's
> envelope address. And I couldn't find anywhere that this very map is
> meant to search for senders:
>
> Documentation for whitelisting [2] is talking about senders but only in
> conjunction with the lookup tables @whitelist_sender_maps,
> @blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.
>
> But the same Document [3] states: "Using configuration variables
> @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> @bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
> ... may suggest that certain tests are not needed ... . Although the
> @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
> by some of the RECIPIENTS that certain check ... is to be bypassed ...
> does not guarantee the test will not be performed. "
>
> So you can't set whitelisted senders with @bypass_*_maps.
>
> + Third, looking at my code line above @bypass_spam_maps is an
> array/"list" containing one member, which is a STRING
> '@whitelist_sender_maps'. This means the subroutine interprets this as
> a constant and
> returns this very string '@whitelist_sender_maps' as a value, which
> doesn't make any sense in this context as it is neither an email
> address nor a domain. -- Perl itself won't complain as the syntax is
> still correct and there won't be a hit ever.
>
>     @bypass_spam_maps = (\%whitelist_sender);
>
> or within the policy bank I guess:
>
>     bypass_spam_maps => [\%whitelist_sender],
>
> would search for email addresses within the file /etc/amavis/whitelist,
> I think. But as noted at my second point, those are sender addresses,
> not the expected recipients.
>
>
> Ah, global hard whitelisting of senders. How might it be done then? (Be
> aware of the caveats of whitelisting!)
>
>     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
>     @whitelist_sender_maps = (\%whitelist_sender);
>
> And content of /etc/amavis/whitelist:
>
>     some.trustworthy@doma.in  #full email address
>     some.trustworthy@         #full local part
>     in.domain.we.trust        #full email domain
>     .we.trust                 #accepting sub domains
>
>
> It should even be possible to set a sender whitelist within a policy
> bank:
>
>     $policy_bank{'WHITELIST'} = {
>         whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
>     };
>
>
> As already noted, these are my thoughts and I gladly accept
> corrections.
>
> Martin Johannes Dauser
>
>
> 1 https://www.ijs.si/software/amavisd/README.lookups.txt
>
> 2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
>
> 3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks

I defer to your greater understanding of amavis and perl, but at a
practical level the whitelist settings that I suggested above do work
for me.
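
Added example, not part of the original thread and not amavisd's own code: a simplified Perl model of the constant and hash lookup kinds listed in README.lookups [1], comparing a map list that holds the string '@whitelist_sender_maps' with one that holds a reference to the hash. The function names, the key order in candidate_keys and the sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd code: a simplified model of two lookup
# kinds from README.lookups (constant and hash).
use strict;
use warnings;

# Constructed sample entries standing in for /etc/amavis/whitelist.
my %whitelist_sender = map { $_ => 1 }
    ('some.trustworthy@doma.in', 'in.domain.we.trust', '.we.trust');

# Keys tried against a hash table (assumed, simplified order): full
# address, local part, domain, then parent domains with a leading dot.
sub candidate_keys {
    my ($addr) = @_;
    my ($local, $domain) = lc($addr) =~ /^(.*)\@([^\@]*)$/;
    return (lc $addr) unless defined $domain;
    my @keys   = ("$local\@$domain", "$local\@", $domain);
    my @labels = split /\./, $domain;
    while (@labels) {
        push @keys, '.' . join('.', @labels);
        shift @labels;
    }
    return @keys;
}

# A plain scalar in the list is a constant: it is the result for any key.
# A hash reference is searched with the candidate keys.
sub lookup {
    my ($addr, @tables) = @_;
    for my $tb (@tables) {
        return $tb unless ref($tb);
        next unless ref($tb) eq 'HASH';
        for my $k (candidate_keys($addr)) {
            return $tb->{$k} if exists $tb->{$k};
        }
    }
    return;    # no table matched
}

my @as_string = ('@whitelist_sender_maps');  # single quotes: just a string
my @as_hash   = (\%whitelist_sender);        # reference to the hash

for my $addr ('some.trustworthy@doma.in', 'bob@mail.we.trust',
              'stranger@elsewhere.example') {
    printf "%-27s string: %-23s hash: %s\n", $addr,
        lookup($addr, @as_string) // 'no match',
        lookup($addr, @as_hash)   // 'no match';
}
```

In this model the string entry returns the same non-empty (true) value for every address, listed or not, while the hash reference returns a match only for the listed address and the .we.trust subdomain.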

