whitelist sender domain

Martin Johannes Dauser mdauser at cs.sbg.ac.at
Wed Feb 21 11:21:39 CET 2018


On Sat, 2018-02-17 at 09:49 +0000, Dominic Raferd wrote:
> On 16 February 2018 at 21:05, Dauser Martin Johannes
> <mdauser at cs.sbg.ac.at> wrote:
> > Well this topic is quite old, still when searching for hard
> > whitelisting with amavisd-new you'll find this solution on different
> > sites.
> > 
> > Dominic Raferd wrote on Dec 11 2016
> > 
> >     I use a whitelist with amavis: I have a file /etc/amavis/whitelist
> >     which contains on each line either a comment (starting with hash #),
> >     full email address or just a domain, and then in
> >     /etc/amavis/conf.d/50-user I have lines like this:
> > 
> >     # whitelist some senders to save time and avoid false positives
> >     # - you can list full addresses or domains, one per line
> >     # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> >     # This policy will perform virus checks only.
> >     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> >     @whitelist_sender_maps = (\%whitelist_sender);
> > 
> >     $interface_policy{'10026'} = 'VIRUSONLY';
> >     $policy_bank{'VIRUSONLY'} = {
> >         bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
> >         bypass_banned_checks_maps => ['@whitelist_sender_maps'],
> >         bypass_header_checks_maps => ['@whitelist_sender_maps'],
> >     };
> > 
> > 
> > The problem is, I've got the impression that this policy_bank is set
> > wrong and doesn't serve the intended purpose to whitelist SENDERS --
> > neither incoming nor outgoing. Actually it seems to state nonsense.
> > Here are my thoughts and I gladly accept corrections:
> > 
> > To make it clearer I moved the bypass_spam_checks_maps out of the
> > hash/associative array:
> > 
> >     @bypass_spam_maps = ('@whitelist_sender_maps');
> > 
> > + First, and this took me a while to fully realise, @*_maps just
> > tells the subroutine 'lookup' where and with which method (SQL, LDAP,
> > hash, access control list, regexp, constant) it should search. [1]
> > 
> > + Second, if it is not stated otherwise it searches for the RECIPIENT's
> > envelope address. And I couldn't find anywhere that this very map is
> > meant to search for senders:
> > 
> > Documentation for whitelisting [2] is talking about senders but only in
> > conjunction with the lookup tables @whitelist_sender_maps,
> > @blacklist_sender_maps and
> > $per_recip_blacklist_sender_lookup_tables.
> > 
> > But the same document [3] states: "Using configuration variables
> > @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> > @bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
> > ... may suggest that certain tests are not needed ... . Although the
> > @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
> > by some of the RECIPIENTS that certain check ... is to be bypassed ...
> > does not guarantee the test will not be performed."
> > 
> > So you can't set whitelisted senders with @bypass_*_maps.
> > 
> > + Third, looking at my code line above, @bypass_spam_maps is an
> > array/"list" containing one member, which is a STRING
> > '@whitelist_sender_maps'. This means the subroutine interprets this as
> > a constant and returns this very string '@whitelist_sender_maps' as a
> > value, which doesn't make any sense in this context as it is neither an
> > email address nor a domain. -- Perl itself won't complain as the syntax
> > is still correct and there won't be a hit ever.
> > 
> >     @bypass_spam_maps = (\%whitelist_sender);
> > 
> > or within the policy bank I guess:
> > 
> >     bypass_spam_maps => [\%whitelist_sender],
> > 
> > would search for email addresses within the file /etc/amavis/whitelist,
> > I think. But as noted at my second point, those are sender addresses,
> > not the expected recipients.
> > 
> > 
> > Ah, global hard whitelisting of senders. How might it be done then?
> > (Be aware of the caveats of whitelisting!)
> > 
> >     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> >     @whitelist_sender_maps = (\%whitelist_sender);
> > 
> > And content of /etc/amavis/whitelist:
> > 
> >     some.trustworthy@doma.in  #full email address
> >     some.trustworthy@         #full local part
> >     in.domain.we.trust        #full email domain
> >     .we.trust                 #accepting sub domains
> > 
> > 
> > It should even be possible to set a sender whitelist within a policy
> > bank:
> > 
> >     $policy_bank{'WHITELIST'} = {
> >         whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> >     };
> > 
> > 
> > As already noted, these are my thoughts and I gladly accept
> > corrections.
> > 
> > Martin Johannes Dauser
> > 
> > 
> > 1 https://www.ijs.si/software/amavisd/README.lookups.txt
> > 
> > 2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
> > 
> > 3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
> 
> I defer to your greater understanding of amavis and perl, but at a
> practical level the whitelist settings that I suggested above do work
> for me.

That's no surprise to me as the first lines of your proposal do the
work, whereas @bypass_banned_checks_maps within your policy bank
probably does nothing but consume a little bit of CPU time ;D

I successfully use now:

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');


$policy_bank{'INCOMMING'} = {
    # set incoming mails as NOT-originating
    originating                 => 0,

    # mails from trusted envelope senders
    # are whitelisted by SpamAssassin
    whitelist_sender_maps       => [ \%whitelist_sender ],

    ...
};

And /etc/amavis/whitelist just contains one full email address.
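
Added example, not part of the original message and not amavisd-new code: a small Perl lint for the mistake discussed in this thread, a *_maps list that holds the quoted name '@whitelist_sender_maps' instead of a reference such as \%whitelist_sender. The %policy_bank contents below are constructed to mirror the two variants quoted above, and find_quoted_map_names is a hypothetical helper.

```perl
#!/usr/bin/perl
# Added example: lint a policy-bank style hash for *_maps entries that are
# quoted variable names (plain strings) instead of references to tables.
use strict;
use warnings;

# Constructed stand-in for the table that read_hash() would fill.
my %whitelist_sender = ('some.trustworthy@doma.in' => 1);

# Constructed policy banks mirroring the two variants from the thread.
my %policy_bank = (
    VIRUSONLY => {
        bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
        bypass_banned_checks_maps => ['@whitelist_sender_maps'],
    },
    INCOMMING => {
        originating           => 0,
        whitelist_sender_maps => [ \%whitelist_sender ],
    },
);

# Return one finding per list element that is a plain string starting with
# a Perl sigil, i.e. a variable name that was quoted rather than referenced.
sub find_quoted_map_names {
    my ($banks) = @_;
    my @findings;
    for my $bank (sort keys %$banks) {
        my $settings = $banks->{$bank};
        for my $key (sort keys %$settings) {
            # Only list-valued settings whose name ends in _maps are checked.
            next unless $key =~ /_maps\z/ && ref($settings->{$key}) eq 'ARRAY';
            for my $entry (@{ $settings->{$key} }) {
                next if ref($entry);       # HASH, ARRAY, CODE ... are real references
                next unless defined($entry) && $entry =~ /\A[\@%\$]\w/;
                push @findings,
                    "${bank}: ${key} contains the string '${entry}', not a reference";
            }
        }
    }
    return @findings;
}

print "$_\n" for find_quoted_map_names(\%policy_bank);
```

The check relies only on Perl's ref(): a single-quoted '@whitelist_sender_maps' is an ordinary scalar, so ref() returns an empty string for it, while \%whitelist_sender yields 'HASH'.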

