<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>@All</p>
    <p>Using amavis in a pre-queue setup is the best you can do in MTA
      to MTA traffic. It is effective, stable and carefree.<br>
    </p>
    <p>We've (sys4) been using amavis in pre-queue setup on mail
      platforms – performance clusters – that do more than 900
      msg/second and in more than 15 years there hasn't been one
      incident related to anything related to a pre-queue setup.</p>
    <p>I do recommend to integrate amavis as MILTER in Postfix, since
      that gives the greatest flexibility to combine amavis with other
      MILTERs. Running it as smtpd_proxy_filter by Postfix design limits
      its ability to integrate with other tools – MILTERs won't be able
      to "see" the body, which mostly makes them useless.</p>
    <p>p@rick</p>
    <p><br>
    </p>
    <p>P.S.<br>
      Any pre-queue process will introduce a noticeable delay. This is
      imposed by the scan process itself. It is the same delay you have
      in post-queue – it's just that now you get to "see" in SMTP
      sessions. Clients won't bother. The typical client timeout is 600
      seconds. That's ten minutes a client will wait for your amavis
      setup to get the job done. If it hasn't finished by then you have
      a problem – no matter if you are using a pre- or a post-queue
      setup.<br>
    </p>
    <div class="moz-cite-prefix">On 12.07.19 at 20:10, Dino Edwards
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:2cffb8589cd04c2c8e1f4ab2e3d3bbe3@mydirectmail.net">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <title>Re: whitelist</title>
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Gregory,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            don’t have direct experience, since I’ve never used it that
            way.
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Additionally,
            as far as I understand, the Postfix Before-Queue setup is
            not recommended for amavisd-new since there is a risk of
            mail loss if amavis fails among other things and I’ve had it
            fail before with some message that amavis simply didn’t like
            (Russian language emails)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Any
            particular reason why you use it that way?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
                  style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
                Gregory Sloop [<a class="moz-txt-link-freetext" href="mailto:gregs@sloop.net">mailto:gregs@sloop.net</a>]
                <br>
                <b>Sent:</b> Friday, July 12, 2019 1:48 PM<br>
                <b>To:</b> Dino Edwards
                <a class="moz-txt-link-rfc2396E" href="mailto:dino.edwards@mydirectmail.net">&lt;dino.edwards@mydirectmail.net&gt;</a>; Curtis Vaughan
                <a class="moz-txt-link-rfc2396E" href="mailto:curtis@npc-usa.com">&lt;curtis@npc-usa.com&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a><br>
                <b>Subject:</b> Re: whitelist<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span
            style="font-size:9.0pt;font-family:"Courier New"">Dino...<br>
            <br>
            IIRC the following doesn't work if Amavis is set in postfix
            as a pre-accept filter, right?<br>
            [It seems I looked at doing it this way, but since we use
            Amavis as a pre MTA-accept filter, this wasn't even an
            option. Just wanting to confirm...]<br>
            <br>
            -Greg<br>
            <br>
            <b><span style="color:maroon">DE> Here's how to do it
                with BONUS blacklist:<br>
                <br>
                DE> In postfix /etc/postfix/main.cf set the following
                for whitelist senders:<br>
                <br>
                DE> smtpd_sender_restrictions = check_sender_access<br>
                DE> hash:/etc/postfix/amavis_senderbypass<br>
                <br>
                DE> In the /etc/postfix/amavis_senderbypass file
                enter email<br>
                DE> addresses and/or domains you wish to whitelist
                (one per line) as follows:<br>
                <br>
              </span></b></span><a href="mailto:bob@example.com"
            moz-do-not-send="true"><span
              style="font-size:9.0pt;font-family:"Courier
              New"">DE> bob@example.com</span></a><b><span
              style="font-size:9.0pt;font-family:"Courier
              New";color:maroon">  FILTER amavis:[127.0.0.1]:10030<br>
              DE> example2.com  FILTER amavis:[127.0.0.1]:10030<br>
              <br>
              DE> Ensure you postmap the file and reload postfix<br>
              <br>
              DE> In Amavis /etc/amavis/conf/50_user set the
              following to whitelist<br>
              DE> recipients (ensure port 10030 is available in your
              system):<br>
              <br>
              DE> $inet_socket_port = [10021, 10030];<br>
              <br>
              DE> # This policy will bypass ALL checks.<br>
              DE> read_hash(\%whitelist_sender,
              '/etc/amavis/white.lst');<br>
              DE> @whitelist_sender_maps = (\%whitelist_sender);<br>
              <br>
              <br>
              <br>
              DE> $interface_policy{'10030'} = 'BYPASSALLCHECKS';<br>
              DE> $policy_bank{'BYPASSALLCHECKS'} = { # mail from the
              pickup daemon<br>
              DE>     log_level => 5,<br>
              DE>     bypass_spam_checks_maps   =>
              ['@whitelist_sender_maps'],  # don't spam-check this mail<br>
              DE>     bypass_banned_checks_maps =>
              ['@whitelist_sender_maps'],  # don't banned-check this
              mail<br>
              DE>     bypass_header_checks_maps =>
              ['@whitelist_sender_maps'],  # don't header-check this
              mail<br>
              DE>     bypass_virus_checks_maps  =>
              ['@whitelist_sender_maps'],  # don't virus-check this mail<br>
              DE> };<br>
              <br>
              <br>
              DE> In /etc/amavis/white.lst enter the SAME senders
              and/or<br>
              DE> domains as you set in the
              /etc/postfix/amavis_senderbypass file<br>
              DE> from above but without the  "FILTER
              amavis:[127.0.0.1]:10030" part as follows (one per line):<br>
              <br>
            </span></b><a href="mailto:bob@example.com"
            moz-do-not-send="true"><span
              style="font-size:9.0pt;font-family:"Courier
              New"">DE> bob@example.com</span></a>
          <br>
          <b><span style="font-size:9.0pt;font-family:"Courier
              New";color:maroon">DE> example2.com
              <br>
              <br>
              DE> So basically this tells postfix that any sender
              matching the list<br>
              DE> to inject to Amavis at port 10030 and then Amavis
              has an interface<br>
              DE> policy at 10030 where it takes action according to
              the policy<br>
              DE> settings. You can adjust the Amavis policy as you
              see fit. In the<br>
              DE> example above, it bypasses ALL checks (spam,
              banned, header and virus) checks.<br>
              <br>
              DE> Here's the blacklist (much simpler)<br>
              <br>
              DE> In /etc/amavis/conf/50_user set the following:<br>
              <br>
              DE> # Blacklist Senders<br>
              DE>
              @blacklist_sender_maps=(read_hash(\%blacklist_sender,
              '/etc/amavis/black.lst'));<br>
              <br>
              DE> And populate /etc/amavis/black.lst with senders you
              wish to block.<br>
              <br>
              DE> There is also a way to do a sender to recipient
              block/allow but<br>
              DE> that only bypasses spam checks and it's a bit more
              complicated to<br>
              DE> set. I can send you info on that if you want.<br>
              <br>
              DE> Thanks<br>
              <br>
              <br>
              <br>
              DE> -----Original Message-----<br>
              DE> From: amavis-users<br>
              DE> [<a
href="mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org"
                moz-do-not-send="true">mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org</a>]
              On Behalf Of Curtis Vaughan<br>
              DE> Sent: Thursday, July 11, 2019 4:38 PM<br>
              DE> To: </span></b><a
            href="mailto:amavis-users@amavis.org" moz-do-not-send="true"><span
              style="font-size:9.0pt;font-family:"Courier
              New"">amavis-users@amavis.org</span></a><br>
          <b><span style="font-size:9.0pt;font-family:"Courier
              New";color:maroon">DE> Subject: whitelist<br>
              <br>
              DE> I have been unable for a very long time now to
              figure out how to<br>
              DE> whitelist certain email address or domains. <br>
              DE> I have found several different blogs/help sites
              that "provide" an<br>
              DE> answer, but none of them have ever worked. <br>
              DE> Creating whitelists for postfix that are referred to by
              main.cf<br>
              DE> definitely haven't worked. Another "solution"
              involved including a<br>
              DE> line in main.cf that basically tried to bypass
              amavis.<br>
              DE> Anyhow, I feel I'm approaching the solution in
              either case the<br>
              DE> wrong way as they concentrate on postfix and not
              amavis. <br>
              DE> Hopefully someone can't point me in the right
              direction?<br>
              DE> Thanks!<br>
              <br>
              DE> I'm using postfix with amavis on ubuntu. <br>
              <br>
              <br>
            </span></b><i><span
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:silver">--
              <br>
              Gregory Sloop, Principal: Sloop Network & Computer
              Consulting<br>
              Voice: 503.251.0452 x82<br>
              EMail: </span></i><a href="mailto:gregs@sloop.net"
            moz-do-not-send="true"><span
              style="font-family:"Arial",sans-serif">gregs@sloop.net</span></a><br>
          <a href="http://www.sloop.net" moz-do-not-send="true"><span
              style="font-family:"Arial",sans-serif">http://www.sloop.net</span></a><br>
          <i><span
              style="font-family:"Arial",sans-serif;color:silver">---</span></i><o:p></o:p></p>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
[*] sys4 AG
 
<a class="moz-txt-link-freetext" href="https://sys4.de">https://sys4.de</a>, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
 
</pre>
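    <p>Added example, not part of the original messages or of amavis/Postfix:
      the whitelist recipe quoted above only bypasses checks for senders that
      appear in both /etc/postfix/amavis_senderbypass and /etc/amavis/white.lst,
      so this sketch reports drift between the two files and any entry routed
      to something other than the recipe's port 10030. The function names and
      sample contents are constructed for illustration; Postfix continuation
      lines are not handled.</p>

```python
"""Added example: drift check for the two whitelist files in the quoted recipe."""

EXPECTED_ACTION = "FILTER amavis:[127.0.0.1]:10030"  # action string from the recipe

# Constructed sample contents (not taken from any real system).
SAMPLE_ACCESS = """\
# constructed sample of /etc/postfix/amavis_senderbypass
bob@example.com   FILTER amavis:[127.0.0.1]:10030
example2.com      FILTER amavis:[127.0.0.1]:10030
carol@example.org FILTER amavis:[127.0.0.1]:10024
"""
SAMPLE_LIST = """\
# constructed sample of /etc/amavis/white.lst
bob@example.com
example2.com
dave@example.net
"""


def _content_lines(text):
    """Yield lines that are neither blank nor whole-line '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_postfix_access(text):
    """Return {sender: action} from access-map source text (key, then action)."""
    entries = {}
    for line in _content_lines(text):
        parts = line.split(None, 1)
        action = " ".join(parts[1].split()) if len(parts) == 2 else ""
        entries[parts[0].lower()] = action
    return entries


def parse_amavis_list(text):
    """Return the set of sender keys (first field per line) from the list file."""
    return {line.split()[0].lower() for line in _content_lines(text)}


def audit(access_text, list_text, expected=EXPECTED_ACTION):
    """Compare both files and report entries that would not behave as intended."""
    access = parse_postfix_access(access_text)
    listed = parse_amavis_list(list_text)
    return {
        "routed_but_not_listed": sorted(set(access) - listed),
        "listed_but_not_routed": sorted(listed - set(access)),
        "unexpected_action": sorted(k for k, a in access.items() if a != expected),
    }


if __name__ == "__main__":
    for finding, senders in audit(SAMPLE_ACCESS, SAMPLE_LIST).items():
        print(finding, senders)
```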
  </body>
</html>