Whitelisting mail servers

Nikolaos Milas nmilas at noa.gr
Wed Dec 7 12:18:22 CET 2022 

On 28/11/2022 6:12 μ.μ., Patrick Ben Koetter wrote:
> In this case use @client_ipaddr_policy instead of @mynetworks as it allows for
> more fine grained control e.g. like this:
>
> @client_ipaddr_policy = (
>      [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
>      [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
>      [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'BANK',
>      [qw( 212.7.160.0/19 )] => 'SUBMISSION',
>      \@mynetworks => 'MYNETS'
>
> And then create a policy_bank that disabled the checks you'd like to disable.
>
> #############################################################################
> ## POLICY BANKS: BANK
> #
>
> $policy_bank{'BANK'} = {
>      bypass_spam_checks_maps => [1],
>      spam_lovers_maps => [1],
> };

Hi Patrick,

If I remember right, policy banks get triggered only using particular 
methods; so, in this case, to implement the above (or any other similar 
policy bank), we would need to configure amavis to listen to a different 
port and route such traffic from postfix to amavis to that port. Isn't 
that right?

If so, then it seems to me that the above approach wouldn't help; I 
would think that it is more straightforward to filter the traffic we 
want in postfix and redirect it to a "global" amavis port where we have 
disabled spam processing, as we already currently do, by listening on 
port 10028:

$inet_socket_port = [10024,10028];  # listen on multiple TCP ports

$interface_policy{'10028'} = 'BYPASS';

$policy_bank{'BYPASS'} = {  # those configured to send mail to port 10028
    bypass_virus_checks_maps  => [1],  # don't virus-check this mail
    bypass_spam_checks_maps   => [1],  # don't spam-check this mail
    bypass_banned_checks_maps => [1],  # don't banned-check this mail
    bypass_header_checks_maps => [1],  # don't header-check this mail
};

In order to use the 'BANK' policy_bank, we would need to listen to e.g. 
10029 etc...

If I don't understand right, please correct me.

Thanks,
Nick

More information about the amavis-users mailing list