whitelist

Gregory Sloop gregs at sloop.net
Fri Jul 12 17:55:06 CEST 2019


I thought I'd chime in here - because this topic often comes up and IMO, the details are often not clear.

You can whitelist for spam.
You CAN NOT whitelist for BAD_FILES [attachments that you don't trust.]

Yes, it's true that you can't trust the "from" address in that white-listing. However, it's pretty unusual for a spammer to successfully forge the "from" address simply to try to get around your spam block - so I generally think this "risk" is more a theoretical risk than an actual one. [And yes, I do understand why it bothers people - I just think it's something that bothers us from a "principle" standpoint - not from a true realized problem outcome.]

I do use the SA technique Dominic outlines - though I generally use it in the other direction - mainly forcing some TLDs to get higher spam scores.

But that doesn't fix mail attachment issues. The only built-in options are generally block everything or block nothing - which isn't so great.

Since it's pretty dang hard to break users [not just mine, but the rest of the world's users too] from using email to send files back and forth, and since I don't want attachment free-for-all on my client networks - I decided I had to find a way to use Amavis to block attachments, but still allow some attachments to get through.

I have, for one of my clients, implemented a whitelist that DOES allow you to whitelist BAD_FILES.
In short, rather than try to put code into Amavis, I wrote a script that parses the quarantine notice the admin gets when a BAD_FILE is quarantined. [Grab the notice out of a mailbox and once it's processed, remove it.]

This was a number of years ago - and maintenance of Amavis was pretty sketch. I didn't think I'd be able to get code into Amavis [and even if I could, my coding is so ugly, I'd be embarrassed to submit it anyway!] :) So, I decided on an external script I run every 5m.

It essentially parses the sender address, sender/MTA IP, recipient address, and file type.
I have a small text file with the white-list details.

If the sender-address/IP+recipient-address+file-type all match one of the existing whitelist entries, then we'll simply release the quarantined email to the original destination.

And like above, it's susceptible to sender address forgery. [But knowing the combination isn't trivial - you have to match sender+recipient+file-type. And in every case I can, I don't use sender addresses, if I can properly identify the MTA IP/host-name - which can't be trivially forged.]

A forgery hasn't ever happened that I'm aware of. [Though that doesn't mean that it couldn't, or never will. But I suspect there are easier ways to get your exploit inside any organization - so it seems like a reasonable risk.]

Anyway - it's allowed us to let users [both inside and outside our organization] do what they've always done [e.g. Send this word attachment via email to Bill...] while not allowing everything, and just hoping AV will save your sorry behind. [Or quarantining everything and being the go-fer and releasing attachments manually all hours of night and day.]

Anyway - just wanted to pipe up and offer some additional details and possible options, should you need them.

-Greg


DR> On Thu, 11 Jul 2019 at 22:10, Bob D <bob at inter-control.com> wrote:

>> Do you really wish to bypass virus checks via amavis ?
>> Is Spamassassin used ?
>> You can whitelist in Spamassassin via /etc/spamassassin/local.cf and append lines like:
>> whitelist_from  *@whitelistdomain.whatever
>> this bypasses spamassassin checks only for those addresses.
>> I use this and it works fine.
>> If you want to bypass amavis checks without bypassing virus checks, here is one way to do it:
>> https://forum.iredmail.org/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
>> Regards

>> On 7/11/19 3:38 PM, Curtis Vaughan wrote:

>> I have been unable for a very long time now to figure out how to
>> whitelist certain email address or domains.
>> I have found several different blogs/help sites that "provide" an answer,
>> but none of them have ever worked.
>> Creating whitelists for postfix that referred to by main.cf definitely
>> haven't worked. Another "solution" involved including a line in main.cf
>> that basically tried to bypass amavis.
>> Anyhow, I feel I'm approaching the solution in either case the wrong way
>> as they concentrate on postfix and not amavis.
>> Hopefully someone can point me in the right direction?
>> Thanks!

>> I'm using postfix with amavis on ubuntu.

DR> In answer to OP, you can whitelist sender addresses in amavis by
DR> setting (e.g. in /etc/amavis/conf.d/50-user):

DR> @whitelist_sender_maps = ( read_hash('/etc/amavis/whitelist') );

DR> and then create your file /etc/amavis/whitelist which lists email
DR> addresses or domains to be whitelisted. They are still scanned for
DR> viruses but not for spam scoring.

DR> BUT... amavis identifies the address by matching the envelope sender
DR> OR the From: header sender. So (in theory) a spammer can easily fake
DR> the envelope sender and get whitelisted.

DR> So I've now given up using this and instead I use a form of
DR> 'whitening' where emails from whitelisted senders (identified only by
DR> From: header) have their SA score reduced by (typically) 4.

DR> /etc/spamassassin/local_whitening.cf:
DR> describe LOCAL_WHITENING_4 Whiten known good senders
DR> score LOCAL_WHITENING_4 -4
DR> header LOCAL_WHITENING_4 From =~ /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i

DR> After any changes to this file amavis needs to be reloaded.

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---
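Added example (not Greg's script, which is not on the page, and not part of amavis itself): the matching logic he describes, as a standalone Python module. It parses the fields of a quarantine notice (sender, SMTP client IP, recipient, banned file types, quarantine ID), reads a small whitelist text file, and only reports a quarantine ID for release when an entry matches on sender-or-IP plus recipient plus every banned file type. Entries keyed on the client IP are the ones the text recommends, since the envelope sender is forgeable and the SMTP client address is not trivially so. The notice wording, the whitelist line format (`ip=`/`from=`, `rcpt=`, `type=`) and the sample data are all constructed for this example; a real amavis notification template differs per site and version, so the regexes must be adapted to yours. The `amavisd-release <quarantine-id>` invocation is only built, never executed.

```python
"""Whitelist matcher for amavis BAD_FILES quarantine notices (added example)."""
from __future__ import annotations

import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed notice text. Real amavis admin notifications are produced
# from a site template, so the labels matched by FIELD_RE are assumptions.
SAMPLE_NOTICE = """\
Subject: BANNED contents from <vendor@partner.example>

Content type: Banned, contents type: .exe,.exe-ms,invoice_q3.exe
First upstream SMTP client IP address: [203.0.113.10] mail.partner.example
Return-Path: <vendor@partner.example>
Recipient: <bill@corp.example>
The message has been quarantined as: banned-8aM1QCh2Vb7x
"""

# Constructed whitelist file: one entry per line, key=value tokens.
# Exactly one of ip= (address or CIDR) or from= per entry; rcpt= and
# type= are required; type= may list several globs, comma separated.
SAMPLE_WHITELIST = """\
# prefer ip= over from=: the sender address can be forged, the client IP not easily
ip=203.0.113.0/24        rcpt=bill@corp.example type=.exe,.exe-ms
from=alice@other.example rcpt=*@corp.example    type=.docx
"""

FIELD_RE = {
    "sender": re.compile(r"^Return-Path:\s*<([^>]+)>", re.M),
    "client_ip": re.compile(r"^First upstream SMTP client IP address:\s*\[([^\]]+)\]", re.M),
    "recipient": re.compile(r"^Recipient:\s*<([^>]+)>", re.M),
    "types": re.compile(r"^Content type: Banned, contents type:\s*(\S+)", re.M),
    "qid": re.compile(r"^The message has been quarantined as:\s*(\S+)", re.M),
}


@dataclass
class Notice:
    sender: str
    client_ip: Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]
    recipient: str
    file_types: List[str]        # only the ".ext" style tokens, lower-cased
    quarantine_id: str


@dataclass
class Entry:
    network: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]
    sender: Optional[str]        # glob; used only when network is None
    recipient: str               # glob
    types: List[str]             # globs; every banned type must match one


def parse_notice(text: str) -> Notice:
    def grab(key: str) -> str:
        m = FIELD_RE[key].search(text)
        if not m:
            raise ValueError(f"notice is missing field {key}")
        return m.group(1).strip()

    client_ip = None
    try:
        client_ip = ipaddress.ip_address(grab("client_ip"))
    except ValueError:
        pass  # missing or unparsable IP: only from= entries can match
    # amavis lists detected types and the file name together; keep the ".ext" tokens
    types = [t for t in grab("types").lower().split(",") if t.startswith(".")]
    return Notice(grab("sender").lower(), client_ip, grab("recipient").lower(),
                  types, grab("qid"))


def parse_whitelist(text: str) -> List[Entry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        if ("ip" in kv) == ("from" in kv):
            raise ValueError(f"whitelist line {lineno}: need exactly one of ip= or from=")
        if "rcpt" not in kv or "type" not in kv:
            raise ValueError(f"whitelist line {lineno}: rcpt= and type= are required")
        network = ipaddress.ip_network(kv["ip"], strict=False) if "ip" in kv else None
        entries.append(Entry(network, kv.get("from", "").lower() or None,
                             kv["rcpt"].lower(), kv["type"].lower().split(",")))
    return entries


def entry_matches(entry: Entry, n: Notice) -> bool:
    if entry.network is not None:
        if n.client_ip is None or n.client_ip not in entry.network:
            return False
    elif not fnmatch.fnmatchcase(n.sender, entry.sender):
        return False
    if not fnmatch.fnmatchcase(n.recipient, entry.recipient):
        return False
    # all-or-nothing on file types: one unlisted banned type blocks the release
    return bool(n.file_types) and all(
        any(fnmatch.fnmatchcase(t, g) for g in entry.types) for t in n.file_types)


def should_release(notice_text: str, whitelist_text: str) -> Optional[str]:
    """Return the quarantine ID to release, or None when no entry matches."""
    n = parse_notice(notice_text)
    for entry in parse_whitelist(whitelist_text):
        if entry_matches(entry, n):
            return n.quarantine_id
    return None


def release_command(quarantine_id: str) -> List[str]:
    """argv for amavisd-release; the caller decides whether to run it."""
    return ["amavisd-release", quarantine_id]


if __name__ == "__main__":
    qid = should_release(SAMPLE_NOTICE, SAMPLE_WHITELIST)
    print("release:", release_command(qid) if qid else "no match, leave quarantined")
```

Run from cron every few minutes against the admin mailbox, as the text describes, the loop is: fetch each notice, call `should_release`, run the returned `amavisd-release` command if any, then delete the notice. The all-types rule and the IP-first matching are the two places where this is deliberately stricter than "any field matches".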