<html><head><title>Re: whitelist</title>
</head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">I thought I'd chime in here - because this topic often comes up and IMO, the details are often not clear.<br>
<br>
You can whitelist for spam.<br>
You CAN NOT whitelist for BAD_FILES [attachments that you don't trust.]<br>
<br>
Yes, it's true that you can't trust the "from" address in that white-listing. However, it's pretty unusual for a spammer to successfully forge the "from" address simply to try to get around your spam block - so I generally think this "risk" is more a theoretical risk than an actual one. [And yes, I do understand why it bothers people - I just think it's something that bothers us from a "principle" standpoint - not from a true realized problem outcome.]<br>
<br>
I do use the SA technique Dominic outlines - though I generally use it in the other direction - mainly forcing some TLD's to get higher spam scores. <br>
<br>
But that doesn't fix mail attachment issues. The only built-in options are generally block everything or block nothing - which isn't so great.<br>
<br>
Since it's pretty dang hard to break users [not just mine, but the rest of the world's users too] from using email to send files back and forth, and since I don't want attachment free-for-all on my client networks - I decided I had to find a way to use Amavis to block attachments, but still allow some attachments to get through.<br>
<br>
I have, for one of my clients, implemented a whitelist that DOES allow you to whitelist BAD_FILES.<br>
In short, rather than try to put code into Amavis, I wrote a script that parses the quarantine notice the admin gets when a BAD_FILE is quarantined. [Grab the notice out of a mailbox and once it's processed, remove it.]<br>
<br>
This was a number of years ago - and maintenance of Amavis was pretty sketch. I didn't think I'd be able to get code into Amavis [and even if I could, my coding is so ugly, I'd be embarrassed to submit it anyway!] :) So, I decided on an external script I run every 5m.<br>
<br>
It essentially parses the sender address, sender/MTA IP, recipient address, and file type.<br>
I have a small text file with the white-list details.<br>
<br>
If the sender-address/IP+recipient-address+file-type all match one of the existing whitelist entries, then we'll simply release the quarantined email to the original destination.<br>
<br>
And like above, it's susceptible to sender address forgery. [But knowing the combination isn't trivial - you have to match sender+recipient+file-type. And in every case I can, I don't use sender addresses, if I can properly identify the MTA IP/host-name - which can't be trivially forged.]<br>
<br>
A forgery hasn't ever happened that I'm aware of. [Though that doesn't mean that it couldn't, or never will. But I suspect there are easier ways to get your exploit inside any organization - so it seems like a reasonable risk.]<br>
<br>
Anyway - it's allowed us to let users [both inside and outside our organization] do what they've always done [e.g. Send this word attachment via email to Bill...] while not allowing everything, and just hoping AV will save your sorry behind. [Or quarantining everything and being the go-fer and releasing attachments manually all hours of night and day.]<br>
<br>
Anyway - just wanted to pipe up and offer some additional details and possible options, should you need them.<br>
<br>
-Greg<br>
<br>
<br>
<span style=" color: #800000;"><b>DR> On Thu, 11 Jul 2019 at 22:10, Bob D <</b></span></span><a style=" font-family:'courier new'; font-size: 9pt;" href="mailto:bob@inter-control.com">bob@inter-control.com</a><span style=" font-family:'courier new'; font-size: 9pt; color: #800000;"><b>> wrote:<br>
<br>
>> Do you really wish to bypass virus checks via amavis ?<br>
>> Is Spamassassin used ?<br>
>> You can whitelist in Spamassassin via /etc/spamassassin/local.cf and append lines like:<br>
>> whitelist_from *@whitelistdomain.whatever<br>
>> this bypasses spamassassin checks only for those addresses.<br>
>> I use this and it works fine.<br>
>> If you want to bypass amavis checks without bypassing virus checks, here is one way to do it:<br>
</b></span><a style=" font-family:'courier new'; font-size: 9pt;" href="https://forum.iredmail.org/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html">>> https://forum.iredmail.org/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html</a><br>
<span style=" font-family:'courier new'; font-size: 9pt; color: #800000;"><b>>> Regards<br>
<br>
>> On 7/11/19 3:38 PM, Curtis Vaughan wrote:<br>
<br>
>> I have been unable for a very long time now to figure out how to<br>
>> whitelist certain email address or domains.<br>
>> I have found several different blogs/help sites that "provide" an answer,<br>
>> but none of them have ever worked.<br>
>> Creating whitelists for postfix that referred to by main.cf definitely<br>
>> haven't worked. Another "solution" involved including a line in main.cf<br>
>> that basically tried to bypass amavis.<br>
>> Anyhow, I feel I'm approaching the solution in either case the wrong way<br>
>> as they concentrate on postfix and not amavis.<br>
>> Hopefully someone can't point me in the right direction?<br>
>> Thanks!<br>
<br>
>> I'm using postfix with amavis on ubuntu.<br>
<br>
DR> In answer to OP, you can whitelist sender addresses in amavis by<br>
DR> setting (e.g. in /etc/amavis/conf.d/50-user):<br>
<br>
DR> @whitelist_sender_maps = ( read_hash('/etc/amavis/whitelist') );<br>
<br>
DR> and then create your file /etc/amavis/whitelist which lists email<br>
DR> addresses or domains to be whitelisted. They are still scanned for<br>
DR> viruses but not for spam scoring.<br>
<br>
DR> BUT... amavis identifies the address by matching the envelope sender<br>
DR> OR the From: header sender. So (in theory) a spammer can easily fake<br>
DR> the envelope sender and get whitelisted.<br>
<br>
DR> So I've now given up using this and instead I use a form of<br>
DR> 'whitening' where emails from whitelisted senders (identified only by<br>
DR> From: header) have their SA score reduced by (typically) 4.<br>
<br>
DR> /etc/spamassassin/local_whitening.cf:<br>
DR> describe LOCAL_WHITENING_4 Whiten known good senders<br>
DR> score LOCAL_WHITENING_4 -4<br>
DR> header LOCAL_WHITENING_4 From =~<br>
DR> /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i<br>
<br>
DR> After any changes to this file amavis needs to reloaded.<br>
<br>
</b><span style=" font-family:'arial'; font-size: 8pt; color: #c0c0c0;"><i>-- <br>
Gregory Sloop, Principal: Sloop Network & Computer Consulting<br>
Voice: 503.251.0452 x82<br>
EMail: </i></span></span><a style=" font-family:'arial';" href="mailto:gregs@sloop.net">gregs@sloop.net</a><br>
<a style=" font-family:'arial';" href="http://www.sloop.net">http://www.sloop.net</a><br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>---</body></html>