problems with whitelisting
Dominic Raferd
dominic at timedicer.co.uk
Thu Mar 24 18:41:46 CET 2022
On 24/03/2022 17:13, hiller wrote:
> Dear list,
>
> I have installed amavisd-new version 2.11.0. I have problems with whitelisting.
> I have googled around and none of the solutions worked.
> In amavisd.conf I did:
>
> read_hash(\%whitelist_sender, '/etc/amavisd.whitelist_ext'),
> @whitelist_sender_maps = (\%whitelist_sender),
>
> /etc/amavisd.whitelist_ext contains:
> .gooddomain.com
> friend at nospammer.org
>
> This does not work. Mails from the good addresses are still spamchecked, bannedchecked and headerchecked.
>
> This also does not work:
> @whitelist_sender_maps = (['.gooddomain.com', 'friend at nospammer.org']);
>
>
> Also this does not work either:
> read_hash(\%whitelist_sender, '/etc/amavisd.whitelist_ext');
> @whitelist_sender_maps = (\%whitelist_sender);
>
> $interface_policy{'10024'} = 'VIRUSONLY';
> $policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
> bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't spam-check this mail
> bypass_banned_checks_maps => ['@whitelist_sender_maps'], # don't banned-check this mail
> bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't header-check this mail
> };
>
> For me bypass_*_checks_maps seems to be a global on/off switch. With this method I whitelist any address, regardless of the contents of /etc/amavisd.whitelist_ext.
>
> These are the definition of the ports:
> # 10024 = outside email - check, don't sign
> # 10026 = inside email - check & sign
> # 10028 = mailman - sign only; email was checked on delivery
> $inet_socket_port = [10024, 10026, 10028]; # listen on multiple TCP ports

This should work:

@whitelist_sender_maps = ( read_hash('/etc/amavisd.whitelist_ext') );

But it may not be applied to mail inside policy banks, I am not sure. I
avoid policy banks.

Note that amavis whitelisting applies *both* to the From: address *and*
to the Envelope Sender i.e. if *either* one matches, the mail passes.
This is not very wise IMO but it is how it is coded (same as for
blacklisting, where it makes more sense).

I think a better approach than amavis whitelist is to reduce SA scoring
for 'From:' addresses where appropriate.
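
The either-match behaviour described in the reply, as an added example that is not part of the original thread and is not amavis code: a simplified Python model that reports which identity (envelope sender, From: header, or both) produced a whitelist hit, so header-only hits can be reviewed. The matching rules (full address, or a leading-dot entry covering the domain and its subdomains), the function names and the sample messages are assumptions constructed for illustration.

```python
# Added illustration: simplified model of the either-match rule from the
# reply above. Not amavis code; matching semantics are an assumption.
from email.utils import parseaddr

def load_whitelist(text):
    """One entry per line; blank lines and '#' comments are skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries

def matches(addr, whitelist):
    """Assumed rule: exact address match, or a '.domain' entry that covers
    the domain itself and any subdomain."""
    addr = addr.strip().lower()
    if "@" not in addr:          # also covers the empty (bounce) sender
        return False
    if addr in whitelist:
        return True
    labels = addr.rsplit("@", 1)[1].split(".")
    return any("." + ".".join(labels[i:]) in whitelist
               for i in range(len(labels)))

def classify(envelope_sender, from_header, whitelist):
    """Report which identity produced the whitelist hit."""
    env = matches(envelope_sender, whitelist)
    hdr = matches(parseaddr(from_header)[1], whitelist)
    if env and hdr:
        return "both"
    if env:
        return "envelope-only"
    if hdr:
        return "header-only"     # whitelisted on the From: header alone
    return "none"

# Constructed sample data, using the two entries from the question.
WHITELIST = load_whitelist(".gooddomain.com\nfriend@nospammer.org\n")
SAMPLES = [
    ("bounce@mail.gooddomain.com", "News <news@gooddomain.com>"),
    ("friend@nospammer.org", "Friend <friend@other.example>"),
    ("x123@bulk.example.net", '"Friend" <friend@nospammer.org>'),
    ("x123@bulk.example.net", "Promo <promo@bulk.example.net>"),
]

def audit(samples=SAMPLES, whitelist=WHITELIST):
    return [classify(env, hdr, whitelist) for env, hdr in samples]

if __name__ == "__main__":
    for (env, hdr), verdict in zip(SAMPLES, audit()):
        print(f"{verdict:14} envelope={env} from={hdr}")
```
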