whitelist

Dominic Raferd dominic at timedicer.co.uk
Sat Jul 13 11:14:51 CEST 2019


On Fri, 12 Jul 2019 at 19:14, Benny Pedersen <me at junc.eu> wrote:
>
> Gregory Sloop skrev den 2019-07-12 17:55:
>
> > DR> From: header) have their SA score reduced by (typically) 4.
> >
> > DR> /etc/spamassassin/local_whitening.cf:
> > DR> describe LOCAL_WHITENING_4 Whiten known good senders
> > DR> score LOCAL_WHITENING_4 -4
> > DR> header LOCAL_WHITENING_4 From =~ /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i
> >
> > DR> After any changes to this file amavis needs to be reloaded.
>
> and amavisd supports dkim whitelisting, just like spamassassin does
>
> the above rules blindly whitelist forged senders
>
> spammers dreams that all do this :=)
>
> for mta stage i do not accept envelope from to be local domain at all,
> will not write books for why

The SA rule I gave is applied to From header and not to envelope
sender, and it is whitening (reducing spam score) not whitelisting
(bypassing spam checking). Those (very few of us) who use DMARC with
p=reject are protected against our domains being faked in From header
(at least to all major mail providers and anyone else who uses DMARC
checking).

Passing mails based on the combination of a whitelist of addresses
(matched against From: header) *and* DKIM verification might be neat
(details at https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-verify
and at https://github.com/aosm/amavisd/blob/master/amavisd/amavisd-new-2.6.6/RELEASE_NOTES,
search for @author_to_policy_bank_maps). But I hate using policy banks
in amavis as they override some critical variables and the different
syntax for settings inside policy banks is even more of a nightmare
than standard Perl.

BTW, quote from amavis 2.6.6 release notes: 'white and blacklisting
now takes into account both the SMTP envelope sender address, as well
as the author address from a header section (address(es) in a 'From:'
header field). Note that whitelisting based only on a sender-specified
address is mostly useless nowadays. For a reliable whitelisting see
@author_to_policy_bank_maps below, as well as a set of whitelisting
possibilities in SpamAssassin (based on DKIM, SPF, or on Received
header fields).'
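
The combination discussed above (From: match plus DKIM verification) can also be expressed in SpamAssassin itself. The following is an added example, not part of the original post or of the amavis or SpamAssassin projects' own files. It assumes the SpamAssassin DKIM plugin is loaded, and the sub-rule name `__LOCAL_KNOWN_FROM` is hypothetical:

```conf
# /etc/spamassassin/local_whitening.cf (path as given in the thread)
# Added example: whiten only when the From: match coincides with a valid
# DKIM signature from the author's domain, so that a forged From: header
# alone no longer earns the score reduction.
ifplugin Mail::SpamAssassin::Plugin::DKIM

# Sub-rule (leading double underscore: carries no score of its own).
# Regex taken from the rule quoted in the thread; the rule name is hypothetical.
header   __LOCAL_KNOWN_FROM  From =~ /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i

# DKIM_VALID_AU is set by the DKIM plugin when a valid signature's
# domain matches the author (From:) domain.
meta     LOCAL_WHITENING_4   (__LOCAL_KNOWN_FROM && DKIM_VALID_AU)
describe LOCAL_WHITENING_4   Whiten known good senders with valid author DKIM
score    LOCAL_WHITENING_4   -4

endif
```

Because the rule is wrapped in `ifplugin`, it is simply absent when the DKIM plugin is not loaded. Running `spamassassin --lint` checks the syntax before amavis is reloaded.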

