On 16 February 2018 at 21:05, Dauser Martin Johannes <[email protected]> wrote:
> Well this topic is quite old, still when searching for hard
> whitelisting with amavisd-new you'll find this solution on different
> sites.
>
> Dominic Raferd wrote on Dec 11 2016
>
> I use a whitelist with amavis: I have a file /etc/amavis/whitelist
> which contains on each line either a comment (starting with hash #),
> full email address or just a domain, and then in
> /etc/amavis/conf.d/50-user I have lines like this:
>
> # whitelist some senders to save time and avoid false positives
> # - you can list full addresses or domains, one per line
> # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> # This policy will perform virus checks only.
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
>
> $interface_policy{'10026'} = 'VIRUSONLY';
> $policy_bank{'VIRUSONLY'} = {
>   bypass_spam_checks_maps => [ '@whitelist_sender_maps'],
>   bypass_banned_checks_maps => ['@whitelist_sender_maps'],
>   bypass_header_checks_maps => ['@whitelist_sender_maps'],
> };
>
>
> The problem is, I've got the impression that this policy_bank is set
> wrong and doesn't serve the intended purpose to whitelist SENDERS --
> neither incoming nor outgoing. Actually it seems to state nonsense.
> Here are my thoughts and I gladly accept corrections:
>
> To make it more clearly I moved the bypass_spam_checks_maps out of the
> hash/associative array:
>
> @bypass_spam_maps = ( '@whitelist_sender_maps') ;
>
> + First, and this took for me a while to fully realise, @*_maps just
> tells the subroutine 'lookup' where and with which method (SQL, LDAP,
> hash, access control list, regexp, constant) it should search. [1]
>
> + Second, if it is not stated otherwise it searches for the RECIPIENT's
> envelope address. And I couldn't find anywhere that this very map is
> meant to search for senders:
>
> Documentation for whitelisting [2] is talking about senders but only in
> conjunction with the lookup tables @whitelist_sender_maps,
> @blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.
>
> But the same Document [3] states: "Using configuration variables
> @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> @bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
> ... may suggest that certain tests are not needed ... . Although the
> @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
> by some of the RECIPIENTS that certain check ... is to be bypassed ...
> does not guarantee the test will not be performed. "
>
> So you can't set whitelisted senders with @bypass_*_maps.
>
> + Third, looking at my code line above @bypass_spam_maps is an
> array/"list" containing one member, which is a STRING
> '@whitelist_sender_maps'. This means the subroutine interprets this as
> a constant and returns this very string '@whitelist_sender_maps' as a
> value, which doesn't make any sense in this context as it is neither
> an email address nor a domain. -- Perl itself won't complain as the
> syntax is still correct and there won't be a hit ever.
>
> @bypass_spam_maps = (\%whitelist_sender);
>
> or within the policy bank I guess:
>
> bypass_spam_maps => [\%whitelist_sender],
>
> would search for email addresses within the file /etc/amavis/whitelist,
> I think. But as noted at my second point, those are sender addresses,
> not the expected recipients.
>
>
> Ah, global hard whitelisting of senders. How might it be done then. (Be
> aware of the caveats of whitelisting!)
>
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
>
> And content of /etc/amavis/whitelist:
>
> [email protected]       #full email address
> some.trustworthy@      #full local part
> in.domain.we.trust     #full email domain
> .we.trust              #accepting sub domains
>
>
> It should even be possible to set a sender whitelist within a policy
> bank:
>
> $policy_bank{'WHITELIST'} = {
>   whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> }
>
>
> As already noted, these are my thoughts and I gladly accept
> corrections.
>
> Martin Johannes Dauser
>
>
> [1] https://www.ijs.si/software/amavisd/README.lookups.txt
>
> [2] https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
>
> [3] https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks

I defer to your greater understanding of amavis and perl, but at a practical level the whitelist settings that I suggested above do work for me.
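
An added illustration, not part of either message and not amavisd-new's own code: a simplified Perl model of how a maps list is walked, following the constant-versus-hash distinction raised in the quoted message. The names `candidate_keys` and `lookup_model`, the sample addresses and the exact key order are assumptions; `$addr` stands for whichever envelope address the caller hands to the lookup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the contents of /etc/amavis/whitelist.
my %whitelist_sender = map { $_ => 1 }
  ('partner@example.org', 'some.trustworthy@', 'in.domain.we.trust', '.we.trust');

# Candidate hash keys for one address: full address, local part, domain,
# then the domain and each parent domain with a leading dot (simplified).
sub candidate_keys {
  my ($addr) = @_;
  my ($local, $domain) = lc($addr) =~ /^(.*)@([^@]*)$/ or return (lc $addr);
  my @keys = ("$local\@$domain", "$local\@", $domain);
  my @labels = split /\./, $domain;
  push @keys, '.' . join('.', @labels[$_ .. $#labels]) for 0 .. $#labels;
  return @keys;
}

# Walk a maps list: a plain scalar is a constant and is returned for any
# address; a hash reference is searched with the candidate keys.
sub lookup_model {
  my ($addr, $maps) = @_;
  for my $table (@$maps) {
    return ('constant', $table) unless ref $table;
    if (ref $table eq 'HASH') {
      for my $key (candidate_keys($addr)) {
        return ($key, $table->{$key}) if exists $table->{$key};
      }
    }
  }
  return;
}

my @as_posted   = ('@whitelist_sender_maps');  # one string element, no table
my @as_intended = (\%whitelist_sender);        # reference to the loaded hash

for my $case (['string element', \@as_posted], ['hash reference', \@as_intended]) {
  my ($label, $maps) = @$case;
  for my $addr ('user@sub.we.trust', 'local.user@mydomain.example') {
    my ($key, $value) = lookup_model($addr, $maps);
    printf "%-15s %-28s => %s\n", $label, $addr,
      defined $key ? "match ($key => $value)" : 'no match';
  }
}
```

In this model the string element yields the same result for every address and never consults the file's entries, while the hash reference matches only addresses covered by an entry such as `.we.trust`.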
