* Nikolaos Milas <nmi...@noa.gr>:
> On 24/11/2022 8:23 a.m., Patrick Ben Koetter wrote:
> > I suggest to use valid DKIM signatures, if your bank sends DKIM signed
> > messages and use one or a list of policy banks to overrule (here: disable)
> > specific content classifications:
>
> Hi Patrick and everyone who replied,
>
> Thanks for your valuable feedback. No, unfortunately the Banks we are having
> issues with do not use DKIM signatures.
>
> However, they are using *dedicated* mail servers, so I assume I can use
> @mynetworks to safely whitelist these. Isn't that right?

In this case use @client_ipaddr_policy instead of @mynetworks as it allows for
more fine-grained control, e.g. like this:

@client_ipaddr_policy = (
  [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
  [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
  [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'BANK',
  [qw( 212.7.160.0/19 )] => 'SUBMISSION',
  \@mynetworks => 'MYNETS'
);

And then create a policy_bank that disables the checks you'd like to disable.

#############################################################################
## POLICY BANKS: BANK
#
$policy_bank{'BANK'} = {
  bypass_spam_checks_maps => [1],
  spam_lovers_maps => [1],
};

HTH

p@rick

>
> Regarding DMARC, I don't see amavis / spamassassin to be adjusting scoring
> using DMARC validation. Should such behavior be enabled somehow?
>
> Patrick, for other cases with mails with DKIM signatures, please clarify:
> using @author_to_policy_bank_maps applies ONLY to valid DKIM-signed mails?
>
> Would you suggest to also increase negative scoring of SPF_PASS (currently
> -0.1)?
>
> Matus, you suggested to make an exception at the MTA level. I guess you mean
> something like (in Postfix):
>
> smtpd_recipient_restrictions = reject_invalid_hostname,
>         reject_unauth_pipelining,
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_client_access hash:/etc/postfix/rbl_override,
>         ...
>
> where /etc/postfix/rbl_override is:
>
> 1.2.3.4 OK
> 1.2.3.5 OK
> mail.freemailer.tld OK
>
> Right?
>
> Thank you all,
> Nick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
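
An added example, not part of the original message and not amavisd's own code: a small Python model of the table above for reviewing which client addresses would land in the BANK policy bank (and so skip spam checks) before deploying it. It assumes the first matching table wins and that a `!` entry only makes its own table not match; the MYNETS networks are a constructed sample, since the thread does not show @mynetworks.

```python
import ipaddress

# Tables copied from the message above. The MYNETS entry is a constructed
# sample standing in for \@mynetworks, which the thread does not show.
CLIENT_IPADDR_POLICY = [
    (["0.0.0.0/8", "127.0.0.1/32", "[::]", "[::1]"], "LOCALHOST"),
    (["!172.16.1.0/24", "172.16.0.0/12", "192.168.0.0/16"], "PRIVATENETS"),
    (["192.0.2.0/25", "192.0.2.129", "192.0.2.130"], "BANK"),
    (["212.7.160.0/19"], "SUBMISSION"),
    (["127.0.0.0/8", "10.0.0.0/8"], "MYNETS"),
]


def _parse(entry):
    """Return (negated, network) for an entry like '!172.16.1.0/24' or '[::1]'."""
    negated = entry.startswith("!")
    text = entry.lstrip("!").strip("[]")
    return negated, ipaddress.ip_network(text, strict=False)


def acl_match(ip, entries):
    """Assumed semantics: the first entry containing ip decides; '!' means False."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        negated, net = _parse(entry)
        if addr.version == net.version and addr in net:
            return not negated
    return False


def policy_bank_for(ip, policy=CLIENT_IPADDR_POLICY):
    """Walk the pairs in order; return the bank of the first matching table."""
    for entries, bank in policy:
        if acl_match(ip, entries):
            return bank
    return None  # no table matched: default policy applies


def bank_size(policy=CLIENT_IPADDR_POLICY, bank="BANK"):
    """Number of addresses exempted by a bank's table, to judge how wide it is."""
    return sum(_parse(e)[1].num_addresses
               for entries, name in policy if name == bank
               for e in entries if not _parse(e)[0])
```

Running `policy_bank_for` over the bank's published sender addresses and a few neighbours shows whether the exemption is as narrow as intended; here the /25 alone exempts 128 addresses.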