<html><head><title>Re: whitelist</title>
</head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">Yeah, I know the warnings about using it as pre-accept...<br>
I have an OMD/Naemon monitor watching it, so I'll know ASAP if it does fail though - so I'm reasonably OK with that. [And it hasn't ever failed in the multiple years I've had it set that way - though it's a pretty small site - perhaps 150-200 users.]<br>
<br>
Essentially the reasons for pre-accept are:<br>
<br>
1) Lower volume of mail to handle, if we drop spam/viruses etc, all before they're actually accepted by the MTA.<br>
<br>
2) While I love SA, I do really like the option to simply bounce [not accept] high SA scored mail. The only way to do that is pre-accept. Not accepting it at all simply means that my users have less spam [even if it's marked as spam] to deal with in the mailbox. [That's a HUGE win for users - the difference last time I checked was massive. But that's been years ago - so it's possible the ratios are different now - but I don't really think so.]<br>
<br>
3) Related to #2. <br>
I *HATE* quarantining things. Not that I mind personally; but as a sysadmin, if there's anything that can block mail, you [as the sysadmin] are going to be blamed when someone doesn't get their mail. So, the less I can do where the system holds mail the better. I'd far rather reject a few pieces of legit mail and generate bounces than quarantine them and, over time, get people so they always suspect the mail system when something doesn't show up. I can simply say - the mail server NEVER holds mail that doesn't include attachments. Ever. If Sam's mail isn't here, you should check with Sam. :) [We are quarantining mail with attachments, so there's that - but lets not talk about that very loudly, ok?! :) ]<br>
<br>
In general, I want to make most decisions about what/how I'm going to mail before accepting it. We do use RBL's in postfix pre-accept and those are immensely helpful. But the additional decisions in Amavis and SA have far more utility before the MTA gives a 200 accept response. [For example, IIRC, we reject 95% of spam [that got past the RBL's] pre-accept. Thus we only have to deal with 5% of the remaining amount in a mailbox. It's a similar story with attachments. That's huge. Disk-space, Disk I/O, CPU performance [not so acute these days with excess CPU, really, but still], etc.<br>
<br>
And with attachments - having very few actually show up, means that users have less opportunity to open something they shouldn't.<br>
It helps that the on-site sysadmin is pretty vigilant and available to handle user queries about attachments they're not certain of - but not allowing them through somewhat blindly is certainly a big piece.<br>
<br>
I'm sure there are other reasons I prefer pre-accept - but those are the ones that first come to mind.<br>
And I've been just incredibly happy with Amavis running this way - even though it's has potential problems. [We'd be easier to DOS, for example.]<br>
<br>
In practical use, it's been far better than any other solution I've seen, other than something like a paid Barracuda box. [Even then, I'm not sure it would be all that much better.]<br>
<br>
-Greg<br>
<br>
</span><table>
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td> <br>
<span style=" font-family:'times new roman'; font-size: 11pt; color: #1f497d;">Gregory,<br>
<br>
I don’t have direct experience, since I’ve never used it that way. <br>
<br>
Additionally, as far as I understand, the Postfix Before-Queue setup is not recommended for amavisd-new since there is a risk of mail loss if amavis fails among other things and I’ve had it fail before with some message that amavis simply didn’t like (Russian language emails)<br>
<br>
Any particular reason why you use it that way?<br>
<br>
<br>
<span style=" color: #000000;"><b>From:</b> Gregory Sloop [mailto:gregs@sloop.net] <br>
<b>Sent:</b> Friday, July 12, 2019 1:48 PM<br>
<b>To:</b> Dino Edwards <dino.edwards@mydirectmail.net>; Curtis Vaughan <curtis@npc-usa.com>; amavis-users@amavis.org<br>
<b>Subject:</b> Re: whitelist<br>
<br>
<span style=" font-size: 9pt;">Dino...<br>
<br>
IIRC the following doesn't work if Amavis is set in postfix as a pre-accept filter, right?<br>
[It seems I looked at doing it this way, but since we use Amavis as a pre MTA-accpet filter, this wasn't even an option. Just wanting to confirm...]<br>
<br>
-Greg<br>
<br>
<span style=" color: #800000;"><b>DE> Here's how to do it with BONUS blacklist:<br>
<br>
DE> In postfix /etc/postfix/main.cf set the following for whitelist senders:<br>
<br>
DE> smtpd_sender_restrictions = check_sender_access<br>
DE> hash:/etc/postfix/amavis_senderbypass<br>
<br>
DE> In the /etc/postfix/amavis_senderbypass file enter email<br>
DE> addresses and/or domains you wish to whitelist (one per line) as follows:<br>
<br>
</b></span></span></span></span><a style=" font-family:'times new roman'; font-size: 9pt;" href="mailto:bob@example.com">DE> bob@example.com</a><span style=" font-family:'times new roman'; font-size: 9pt; color: #800000;"><b> FILTER amavis:[127.0.0.1]:10030<br>
DE> example2.com FILTER amavis:[127.0.0.1]:10030<br>
<br>
DE> Ensure you postmap the file and reload postfix<br>
<br>
DE> In Amavis /etc/amavis/conf/50_user set the following to whitelist<br>
DE> recipients (ensure port 10030 is available in your system):<br>
<br>
DE> $inet_socket_port = [10021, 10030];<br>
<br>
DE> # This policy will bypass ALL checks.<br>
DE> read_hash(\%whitelist_sender, '/etc/amavis/white.lst');<br>
DE> @whitelist_sender_maps = (\%whitelist_sender);<br>
<br>
<br>
<br>
DE> $interface_policy{'10030'} = 'BYPASSALLCHECKS';<br>
DE> $policy_bank{'BYPASSALLCHECKS'} = { # mail from the pickup daemon<br>
DE> log_level => 5,<br>
DE> bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't spam-check this mail<br>
DE> bypass_banned_checks_maps => ['@whitelist_sender_maps'], # don't banned-check this mail<br>
DE> bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't header-check this mail<br>
DE> bypass_virus_checks_maps => ['@whitelist_sender_maps'], # don't virus-check this mail<br>
DE> };<br>
<br>
<br>
DE> In /etc/amavis/white.lst enter the the SAME senders and/or<br>
DE> domains as you set in the /etc/postfix/amavis_senderbypass file<br>
DE> from above but without the "FILTER amavis:[127.0.0.1]:10030" part as follows (one per line):<br>
<br>
</b></span><a style=" font-family:'times new roman'; font-size: 9pt;" href="mailto:bob@example.com">DE> bob@example.com</a> <br>
<span style=" font-family:'times new roman'; font-size: 9pt; color: #800000;"><b>DE> example2.com <br>
<br>
DE> So basically this tells postfix that any sender matching the list<br>
DE> to inject to Amavis at port 10030 and then Amavis has an interface<br>
DE> policy at 10030 where it takes action according to the policy<br>
DE> settings. You can adjust the Amavis policy as you see fit. In the<br>
DE> example above, it bypasses ALL checks (spam, banned, header and virus) checks.<br>
<br>
DE> Here's the blacklist (much simpler)<br>
<br>
DE> In /etc/amavis/conf/50_user set the following:<br>
<br>
DE> # Blacklist Senders<br>
DE> @blacklist_sender_maps=(read_hash(\%blacklist_sender, '/etc/amavis/black.lst'));<br>
<br>
DE> And populate /etc/amavis/black.lst with senders you wish to block.<br>
<br>
DE> There is also a way to do a sender to recipient block/allow but<br>
DE> that only bypasses spam checks and it's a bit more complicated to<br>
DE> set. I can send you info on that if you want.<br>
<br>
DE> Thanks<br>
<br>
<br>
<br>
DE> -----Original Message-----<br>
DE> From: amavis-users<br>
DE> [</b></span><a style=" font-family:'times new roman'; font-size: 9pt; font-weight: bold;" href="mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org">mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org</a><span style=" font-family:'times new roman'; font-size: 9pt; color: #800000;"><b>] On Behalf Of Curtis Vaughan<br>
DE> Sent: Thursday, July 11, 2019 4:38 PM<br>
DE> To: </b></span><a style=" font-family:'times new roman'; font-size: 9pt;" href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a><br>
<span style=" font-family:'times new roman'; font-size: 9pt; color: #800000;"><b>DE> Subject: whitelist<br>
<br>
DE> I have been unable for a very long time now to figure out how to<br>
DE> whitelist certain email address or domains. <br>
DE> I have found several different blogs/help sites that "provide" an<br>
DE> answer, but none of them have ever worked. <br>
DE> Creating whitelists for postfix that referred to by main.cf<br>
DE> definitely haven't worked. Another "solution" involved including a<br>
DE> line in main.cf that basically tried to bypass amavis.<br>
DE> Anyhow, I feel I'm approaching the solution in either case the<br>
DE> wrong way as they concentrate on postfix and not amavis. <br>
DE> Hopefully someone can't point me in the right direction?<br>
DE> Thanks!<br>
<br>
DE> I'm using postfix with amavis on ubuntu. <br>
<br>
<br>
</b><span style=" font-size: 8pt; color: #c0c0c0;"><i>-- <br>
Gregory Sloop, Principal: Sloop Network & Computer Consulting<br>
Voice: 503.251.0452 x82<br>
EMail: </i></span></span><a style=" font-family:'times new roman'; font-size: 12pt;" href="mailto:gregs@sloop.net">gregs@sloop.net</a><br>
<a style=" font-family:'times new roman'; font-size: 12pt;" href="http://www.sloop.net">http://www.sloop.net</a><br>
<span style=" font-family:'times new roman'; font-size: 12pt; color: #c0c0c0;"><i>---</td>
</tr>
</table>
<br><br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>-- <br>
Gregory Sloop, Principal: Sloop Network & Computer Consulting<br>
Voice: 503.251.0452 x82<br>
EMail: </i></span><a style=" font-family:'arial';" href="mailto:gregs@sloop.net">gregs@sloop.net</a><br>
<a style=" font-family:'arial';" href="http://www.sloop.net">http://www.sloop.net</a><br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>---</body></html>