Whitelisting mail servers
Patrick Ben Koetter
p at sys4.de
Wed Dec 7 17:17:36 CET 2022
Nikolaos!
* Nikolaos Milas <nmilas at noa.gr>:
> On 28/11/2022 6:12 μ.μ., Patrick Ben Koetter wrote:
> > In this case use @client_ipaddr_policy instead of @mynetworks as it allows for
> > more fine grained control e.g. like this:
> >
> > @client_ipaddr_policy = (
> > [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
> > [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
> > [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'BANK',
> > [qw( 212.7.160.0/19 )] => 'SUBMISSION',
> > \@mynetworks => 'MYNETS'
> > );
> >
> > And then create a policy_bank that disabled the checks you'd like to disable.
> >
> > #############################################################################
> > ## POLICY BANKS: BANK
> > #
> >
> > $policy_bank{'BANK'} = {
> > bypass_spam_checks_maps => [1],
> > spam_lovers_maps => [1],
> > };
>
> Hi Patrick,
>
> If I remember right, policy banks get triggered only using particular
> methods; so, in this case, to implement the above (or any other similar
> policy bank), we would need to configure amavis to listen to a different
> port and route such traffic from postfix to amavis to that port. Isn't that
> right?
Nope. amavis is Perl. There is more than one way to do it. ;-) (SCNR)
amavis may use various triggers to load additional policy_banks. You may use
an entry port like you suggested, or use an IP address like I suggested in my
previous post or even use a valid DKIM signature associated with a particular
senderdomain as trigger to load a policy_bank.
> If so, then it seems to me that the above approach wouldn't help; I would
> think that it is more straightforward to filter the traffic we want in
> postfix and redirect it to a "global" amavis port where we have disabled
> spam processing, as we already currently do, by listening on port 10028:
You may use any of the triggers I mentioned to load the BYPASS policy_bank if the
trigger exists (some still don't DKIM sign their messages). Here's an example
that extends your example:
$inet_socket_port = [10024,10028]; # listen on multiple TCP ports
# amavis entry socket trigger
$interface_policy{'10028'} = 'BYPASS';
# sender IP trigger
# If the MX for bankofgreece.gr sends the message then also load BYPASS policy
@client_ipaddr_policy = (
  [qw( 195.64.172.67 )] => 'BYPASS',
  \@mynetworks => 'MYNETS'
);
# Verified DKIM signature trigger
# If bankofgreece.gr sends a message containing a valid bankofgreece.gr DKIM
# signature
@author_to_policy_bank_maps = ( {
  'bankofgreece.gr' => 'BYPASS'
} );
$policy_bank{'BYPASS'} = {        # those configured to send mail to port 10028
  bypass_virus_checks_maps  => [1], # don't virus-check this mail
  bypass_spam_checks_maps   => [1], # don't spam-check this mail
  bypass_banned_checks_maps => [1], # don't banned-check this mail
  bypass_header_checks_maps => [1], # don't header-check this mail
};
> In order to use the 'BANK' policy_bank, we would need to listen to e.g.
> 10029 etc...
Nope. ;-)
> If I don't understand right, please correct me.
I did. Was it understandable?
Best,
p at rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
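As an added example that is not part of the mail or of amavis itself: a small Python model of the three policy_bank triggers discussed above (entry port via $interface_policy, client IP via @client_ipaddr_policy, verified DKIM author domain via @author_to_policy_bank_maps), so an admin can check which banks a given message would load before deploying the configuration. The lookup semantics are assumptions (first CIDR entry containing the address decides, a matching '!' entry excludes the address from that list, the first matching pair wins); the IP lists are constructed to mirror the configurations quoted in the thread.

```python
import ipaddress

# Constructed sample configuration, mirroring the thread (not amavis code).
INTERFACE_POLICY = {10028: "BYPASS"}                # $interface_policy
MYNETWORKS = ["127.0.0.0/8", "[::1]", "10.0.0.0/8"]  # assumed @mynetworks
CLIENT_IPADDR_POLICY = [                            # @client_ipaddr_policy
    (["0.0.0.0/8", "127.0.0.1/32", "[::]", "[::1]"], "LOCALHOST"),
    (["!172.16.1.0/24", "172.16.0.0/12", "192.168.0.0/16"], "PRIVATENETS"),
    (["195.64.172.67"], "BYPASS"),
    (MYNETWORKS, "MYNETS"),
]
AUTHOR_TO_POLICY_BANK = {"bankofgreece.gr": "BYPASS"}  # @author_to_policy_bank_maps


def _parse_entry(entry):
    """Split a '!'-prefixed, possibly [bracketed] IPv6, entry into (negated, network)."""
    negated = entry.startswith("!")
    text = entry.lstrip("!").strip("[]")  # amavis writes IPv6 as [::1]
    return negated, ipaddress.ip_network(text, strict=False)


def ip_acl_match(client_ip, entries):
    """Assumed ACL semantics: first entry containing the address decides;
    a negated ('!') entry that matches excludes the address from this list."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        negated, net = _parse_entry(entry)
        if addr.version == net.version and addr in net:
            return not negated
    return False


def banks_for(port, client_ip, dkim_author=None):
    """Return the sorted set of policy_bank names the three triggers would load."""
    banks = set()
    if port in INTERFACE_POLICY:                    # entry socket trigger
        banks.add(INTERFACE_POLICY[port])
    for entries, bank in CLIENT_IPADDR_POLICY:      # sender IP trigger
        if ip_acl_match(client_ip, entries):
            banks.add(bank)
            break                                   # first matching pair wins (assumed)
    if dkim_author:                                 # verified DKIM signature trigger
        bank = AUTHOR_TO_POLICY_BANK.get(dkim_author.lower())
        if bank:
            banks.add(bank)
    return sorted(banks)
```

Run banks_for() against the addresses and domains you actually expect (the bank's MX, your own submission networks, a stray host in the excluded subnet) to confirm that the BYPASS bank is loaded only where the configuration intends it.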