I thought I'd chime in here - because this topic often comes up and IMO, the details are often not clear.
You can whitelist for spam. You CAN NOT whitelist for BAD_FILES [attachments that you don't trust.] Yes, it's true that you can't trust the "from" address in that white-listing. However, it's pretty unusual for a spammer to successfully forge the "from" address simply to try to get around your spam block - so I generally think this "risk" is more a theoretical risk than an actual one. [And yes, I do understand why it bothers people - I just think it's something that bothers us from a "principle" standpoint - not from a true realized problem outcome.]

I do use the SA technique Dominic outlines - though I generally use it in the other direction - mainly forcing some TLDs to get higher spam scores. But that doesn't fix mail attachment issues. The only built-in options are generally block everything or block nothing - which isn't so great. Since it's pretty dang hard to break users [not just mine, but the rest of the world's users too] from using email to send files back and forth, and since I don't want an attachment free-for-all on my client networks - I decided I had to find a way to use Amavis to block attachments, but still allow some attachments to get through.

I have, for one of my clients, implemented a whitelist that DOES allow you to whitelist BAD_FILES. In short, rather than try to put code into Amavis, I wrote a script that parses the quarantine notice the admin gets when a BAD_FILE is quarantined. [Grab the notice out of a mailbox and once it's processed, remove it.] This was a number of years ago - and maintenance of Amavis was pretty sketch. I didn't think I'd be able to get code into Amavis [and even if I could, my coding is so ugly, I'd be embarrassed to submit it anyway!] :) So, I decided on an external script I run every 5m. It essentially parses the sender address, sender/MTA IP, recipient address, and file type. I have a small text file with the white-list details.

If the sender-address/IP + recipient-address + file-type all match one of the existing whitelist entries, then we'll simply release the quarantined email to the original destination. And like above, it's susceptible to sender address forgery. [But knowing the combination isn't trivial - you have to match sender+recipient+file-type. And in every case I can, I don't use sender addresses, if I can properly identify the MTA IP/host-name - which can't be trivially forged.] A forgery hasn't ever happened that I'm aware of. [Though that doesn't mean that it couldn't, or never will. But I suspect there are easier ways to get your exploit inside any organization - so it seems like a reasonable risk.]

Anyway - it's allowed us to let users [both inside and outside our organization] do what they've always done [e.g. Send this Word attachment via email to Bill...] while not allowing everything, and just hoping AV will save your sorry behind. [Or quarantining everything and being the go-fer and releasing attachments manually all hours of night and day.]

Anyway - just wanted to pipe up and offer some additional details and possible options, should you need them.

-Greg

DR> On Thu, 11 Jul 2019 at 22:10, Bob D <[email protected]> wrote:
>> Do you really wish to bypass virus checks via amavis ?
>> Is Spamassassin used ?
>> You can whitelist in Spamassassin via /etc/spamassassin/local.cf and append
>> lines like:
>> whitelist_from *@whitelistdomain.whatever
>> this bypasses spamassassin checks only for those addresses.
>> I use this and it works fine.
>> If you want to bypass amavis checks without bypassing virus checks, here is
>> one way to do it:
>> https://forum.iredmail.org/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
>> Regards
>> On 7/11/19 3:38 PM, Curtis Vaughan wrote:
>> I have been unable for a very long time now to figure out how to
>> whitelist certain email address or domains.
>> I have found several different blogs/help sites that "provide" an answer,
>> but none of them have ever worked.
>> Creating whitelists for postfix that are referred to by main.cf definitely
>> haven't worked. Another "solution" involved including a line in main.cf
>> that basically tried to bypass amavis.
>> Anyhow, I feel I'm approaching the solution in either case the wrong way
>> as they concentrate on postfix and not amavis.
>> Hopefully someone can't point me in the right direction?
>> Thanks!
>> I'm using postfix with amavis on ubuntu.
DR> In answer to OP, you can whitelist sender addresses in amavis by
DR> setting (e.g. in /etc/amavis/conf.d/50-user):
DR> @whitelist_sender_maps = ( read_hash('/etc/amavis/whitelist') );
DR> and then create your file /etc/amavis/whitelist which lists email
DR> addresses or domains to be whitelisted. They are still scanned for
DR> viruses but not for spam scoring.
DR> BUT... amavis identifies the address by matching the envelope sender
DR> OR the From: header sender. So (in theory) a spammer can easily fake
DR> the envelope sender and get whitelisted.
DR> So I've now given up using this and instead I use a form of
DR> 'whitening' where emails from whitelisted senders (identified only by
DR> From: header) have their SA score reduced by (typically) 4.
DR> /etc/spamassassin/local_whitening.cf:
DR> describe LOCAL_WHITENING_4 Whiten known good senders
DR> score LOCAL_WHITENING_4 -4
DR> header LOCAL_WHITENING_4 From =~
DR> /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i
DR> After any changes to this file amavis needs to be reloaded.

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: [email protected]
http://www.sloop.net
---
