whitelist sender domain

Dominic Raferd dominic at timedicer.co.uk
Mon Feb 26 17:34:49 CET 2018


On 21 February 2018 at 10:21, Martin Johannes Dauser
<mdauser at cs.sbg.ac.at> wrote:
>
> On Sat, 2018-02-17 at 09:49 +0000, Dominic Raferd wrote:
> > On 16 February 2018 at 21:05, Dauser Martin Johannes
> > <mdauser at cs.sbg.ac.at> wrote:
> > > Well this topic is quite old, still when searching for hard
> > > whitelisting with amavisd-new you'll find this solution on
> > > different sites.
> > >
> > > Dominic Raferd wrote on Dec 11 2016
> > >
> > >     I use a whitelist with amavis: I have a file /etc/amavis/whitelist
> > >     which contains on each line either a comment (starting with hash #),
> > >     full email address or just a domain, and then in
> > >     /etc/amavis/conf.d/50-user I have lines like this:
> > >
> > >     # whitelist some senders to save time and avoid false positives
> > >     # - you can list full addresses or domains, one per line
> > >     # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> > >     # This policy will perform virus checks only.
> > >     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> > >     @whitelist_sender_maps = (\%whitelist_sender);
> > >
> > >     $interface_policy{'10026'} = 'VIRUSONLY';
> > >     $policy_bank{'VIRUSONLY'} = {
> > >         bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
> > >         bypass_banned_checks_maps => ['@whitelist_sender_maps'],
> > >         bypass_header_checks_maps => ['@whitelist_sender_maps'],
> > >     };
> > >
> > >
> > > The problem is, I've got the impression that this policy_bank is set
> > > wrong and doesn't serve the intended purpose to whitelist SENDERS --
> > > neither incoming nor outgoing. Actually it seems to state nonsense.
> > > Here are my thoughts and I gladly accept corrections:
> > >
> > > To make it clearer I moved the bypass_spam_checks_maps out of the
> > > hash/associative array:
> > >
> > >     @bypass_spam_maps = ('@whitelist_sender_maps');
> > >
> > > + First, and this took me a while to fully realise, @*_maps just
> > > tells the subroutine 'lookup' where and with which method (SQL, LDAP,
> > > hash, access control list, regexp, constant) it should search. [1]
> > >
> > > + Second, if it is not stated otherwise it searches for the RECIPIENT's
> > > envelope address. And I couldn't find anywhere that this very map is
> > > meant to search for senders:
> > >
> > > Documentation for whitelisting [2] is talking about senders but only in
> > > conjunction with the lookup tables @whitelist_sender_maps,
> > > @blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.
> > >
> > > But the same Document [3] states: "Using configuration variables
> > > @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> > > @bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
> > > ... may suggest that certain tests are not needed ... . Although the
> > > @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
> > > by some of the RECIPIENTS that certain check ... is to be bypassed ...
> > > does not guarantee the test will not be performed. "
> > >
> > > So you can't set whitelisted senders with @bypass_*_maps.
> > >
> > > + Third, looking at my code line above @bypass_spam_maps is an
> > > array/"list" containing one member, which is a STRING
> > > '@whitelist_sender_maps'. This means the subroutine interprets this as
> > > a constant and returns this very string '@whitelist_sender_maps' as a
> > > value, which doesn't make any sense in this context as it is neither
> > > an email address nor a domain. -- Perl itself won't complain as the
> > > syntax is still correct and there won't be a hit ever.
> > >
> > >     @bypass_spam_maps = (\%whitelist_sender);
> > >
> > > or within the policy bank I guess:
> > >
> > >     bypass_spam_maps => [\%whitelist_sender],
> > >
> > > would search for email addresses within the file /etc/amavis/whitelist,
> > > I think. But as noted at my second point, those are sender addresses,
> > > not the expected recipients.
> > >
> > >
> > > Ah, global hard whitelisting of senders. How might it be done then.
> > > (Be aware of the caveats of whitelisting!)
> > >
> > >     read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> > >     @whitelist_sender_maps = (\%whitelist_sender);
> > >
> > > And content of /etc/amavis/whitelist:
> > >
> > >     some.trustworthy@doma.in  #full email address
> > >     some.trustworthy@         #full local part
> > >     in.domain.we.trust        #full email domain
> > >     .we.trust                 #accepting sub domains
> > >
> > >
> > > It should even be possible to set a sender whitelist within a policy
> > > bank:
> > >
> > >     $policy_bank{'WHITELIST'} = {
> > >         whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> > >     };
> > >
> > >
> > > As already noted, these are my thoughts and I gladly accept
> > > corrections.
> > >
> > > Martin Johannes Dauser
> > >
> > >
> > > 1 https://www.ijs.si/software/amavisd/README.lookups.txt
> > >
> > > 2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
> > >
> > > 3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
> >
> > I defer to your greater understanding of amavis and perl, but at a
> > practical level the whitelist settings that I suggested above do work
> > for me.
>
> That's no surprise to me as the first lines of your proposal do the
> work, whereas @bypass_banned_checks_maps within your policy bank
> probably does nothing but consume a little bit of CPU time ;D
>
> I successfully use now:
>
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
>
>
> $policy_bank{'INCOMMING'} = {
>     # set incoming mails as NOT-originating
>     originating                 => 0,
>
>     # mails from trusted envelope senders
>     # are whitelisted by Spamassassin
>     whitelist_sender_maps       => [ \%whitelist_sender ],
>
>     ...
> };
>
> And /etc/amavis/whitelist just contains one full email address.

Thanks, I believe you are correct. I have now updated my 50-user.conf to this:

    $interface_policy{'10024'} = 'INCOMING';
    $policy_bank{'INCOMING'} = {
      whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
    };

and when an email comes through from a sender in the whitelist I see these
headers are added, provided I have $sa_tag_level_deflt set
sufficiently low (e.g. -14):

    X-Spam-Score: 0
    X-Spam-Status: No, score=x tagged_above=-14 required=4 WHITELISTED
     tests=[] autolearn=unavailable
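
The whitelist in this thread is matched against the envelope sender, a value the sending side supplies, so every entry wider than one full address is worth reviewing. The following is an added example (not from the thread and not part of amavisd-new) that sorts the lines of such a file into the four entry kinds listed in the quoted post and marks the broad or malformed ones; the sample file, its addresses and the function names are constructed for illustration, and it assumes one entry per line with `#` starting a comment, as in the thread's sample.

```python
import re

# Constructed sample in the format shown in the thread: one entry per line,
# '#' starts a comment. All addresses and domains are made up.
SAMPLE_WHITELIST = """\
# partners
billing@partner.example      # full email address
noreply@                     # local part only
partner.example              # whole domain
.cdn.example                 # domain and its sub domains
user@@typo.example           # malformed
"""

# The four entry kinds from the thread, checked narrowest first.
KINDS = [
    ("address",    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("local_part", re.compile(r"^[^@\s]+@$")),
    ("subdomains", re.compile(r"^\.[A-Za-z0-9.-]+$")),
    ("domain",     re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")),
]
# Kinds that match more than one sender address.
BROAD = {"local_part", "subdomains", "domain"}

def classify(entry):
    """Name the kind of a single whitelist entry, or 'invalid'."""
    for kind, pattern in KINDS:
        if pattern.match(entry):
            return kind
    return "invalid"

def audit_whitelist(text):
    """Return (line_no, entry, kind, needs_review) for each non-comment line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip().lower()  # drop trailing comment
        if not entry:
            continue  # blank or comment-only line
        kind = classify(entry)
        findings.append((line_no, entry, kind, kind in BROAD or kind == "invalid"))
    return findings

if __name__ == "__main__":
    for line_no, entry, kind, review in audit_whitelist(SAMPLE_WHITELIST):
        print(f"{line_no:>3}  {kind:<10}  {'REVIEW' if review else 'ok':<6}  {entry}")
```
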

