Re: Pflogsumm emails through amavisd and SA hitting BAYES_99

[Simon Wilson]

----- Message from Simon Wilson <si...@simonandkate.net> ---------
    Date: Fri, 28 Apr 2017 21:43:31 +1000
    From: Simon Wilson <si...@simonandkate.net>
Reply-To: si...@simonandkate.net
 Subject: Re: Pflogsumm emails through amavisd and SA hitting BAYES_99
      To: amavis-users@amavis.org

----- Message from Dominic Raferd <domi...@timedicer.co.uk> ---------
   Date: Fri, 28 Apr 2017 11:55:03 +0100
   From: Dominic Raferd <domi...@timedicer.co.uk>
Subject: Re: Pflogsumm emails through amavisd and SA hitting BAYES_99
     To: amavis-users@amavis.org


On 28 April 2017 at 11:34, Simon Wilson <si...@simonandkate.net> wrote:

Hi all,

I have pflogsumm running log summaries on my postfix install, and sending
to an address that resolves locally. All is on localhost, which is a newly
installed CentOS7 server, amavisd-new 2.10.1 from EPEL.

The pflogsumm emails from root are triggering BAYES_99 as they go through
amavisd-new and spamassassin, and are often ending up marked as spam.

What's the best way to ensure that those are not flagged as spam, or
potentially to whitelist them somehow?


You can whitelist sender addresses, would this solve your problem? I have
these lines in /etc/amavis/conf.d/50-user​:

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
   bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't
spam-check this mail
   bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't
banned-check this mail
   bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't
header-check this mail

File /etc/amavis/whitelist contains a line-by-line list of whitelisted
addresses. To whitelist a whole domain, just precede with a dot. Examples:

f...@bloggs.com
.spammers-united.com

HTH, Dominic


----- End message from Dominic Raferd <domi...@timedicer.co.uk> -----

Thanks Dominic... it seems like a bit of a 'sledgehammer' to  
whitelist a sender address, when sender addresses can be spoofed.  
Perhaps I'm being paranoid :) Keen to hear feedback on that (the  
approach, not whether I am paranoid :) ).

One thing I just noticed is that pflogsumm emails are dropped into  
Postfix (and thence into Amavisd) via postfix/pickup not  
postfix/smtpd. I wonder if there is a way there to mark emails from  
localhost root that are fed into postfix/pickup as being not  
spam-checked.

Simon.


--
Simon Wilson
M: 0400 12 11 16


----- End message from Simon Wilson <si...@simonandkate.net> -----


Google found me this:

http://verchick.com/mecham/public_html/spam/bypassing.html#11

Describes either setting postfix/pickup to completely bypass amavisd,  
or to set a less restrictive amavisd policy bank.

I'll explore and see how it goes.

Simon

--
Simon Wilson
M: 0400 12 11 16