Adam,

> I've done an upgrade of mailserver from debian etch (amavisd-new
> 2.4.2-6.1) to lenny (2.6.1.dfsg-1).
>
> In amavis I use hard whitelisting of domains (mydomain.cz) and emails.
> In lenny it seems amavis changed its behaviour (?) and is whitelisting on
> both MAIL FROM (i.e. Return-Path) and From: from mail body. In
> documentation I found it should only use MAIL FROM:

I'll need to update that info on the web page.

> With my colleague, we studied the 2.4 and 2.6 behaviour and it is obvious
> this is really an undocumented change in amavis behaviour. We identified
> the code that causes this - it is in "sub white_black_list($$$$$)" right
> at the beginning, and there is no option to switch it off.

The change is documented in release notes:

amavisd-new-2.6.0 release notes

COMPATIBILITY WITH 2.5.4

- white and blacklisting now takes into account both the SMTP envelope
  sender address, as well as the author address from a header section
  (address(es) in a 'From:' header field). Note that whitelisting
  based only on a sender-specified address is mostly useless nowadays.
  For a reliable whitelisting see @author_to_policy_bank_maps below,
  as well as a set of whitelisting possibilities in SpamAssassin (based
  on DKIM, SPF, or on Received header fields);

> Whitelisting on MAIL FROM is ok, as postfix refuses mails with
> mydomain.cz in MAIL FROM as the sender out of mydomain.cz is
> not allowed to send such emails.

> There are only two ways around - patch amavis or disable whitelist for
> your domain. This of course means all your internal mails will be passing
> thru SA...

Instead of relying on whitelisting, which is pretty much useless nowadays
for most situations (your usage is an exception, but read on), I think
your goal is to skip spam checking for mail originating from your site.

So your mailer already understands the mail direction (needs it to
properly execute your ban on mydomain.cz from outside). A natural
extension of this is to pass this information to amavisd, and let it
load a policy bank for messages from inside. In that policy bank
you can disable spam checks entirely, or turn on whitelisting.

For simple sites where all originating mail comes from internal
hosts it suffices to rely on @mynetworks and use a policy bank
with a hard-wired name 'MYNETS'.

For sites where some or all of their users are authenticated roaming
users, this requires some MTA setting, so that a mail submitted
by such users comes to amavisd on a different TCP port than other
incoming mail. Then a dedicated policy bank can be attached to that
port.

The cleanest way to do it is to have a completely separate mailer
dedicated to mail submission only. For other possibilities see:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks
and
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path
for some guidelines.


  Mark
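
The two policy-bank setups described in the message above, sketched as an amavisd.conf fragment. This is an added example, not part of the original message or the amavisd-new documentation; the network range, port 10026 and the bank name ORIGINATING are assumptions to adapt to the site.

```perl
# Constructed amavisd.conf fragment; addresses, ports and the
# 'ORIGINATING' bank name are assumptions, not values from the thread.

# Internal client networks. Mail whose client IP matches this list
# loads the hard-wired 'MYNETS' policy bank. The MTA has to pass the
# original client IP to amavisd (with Postfix: XFORWARD) for this to match.
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );  # 192.0.2.0/24 is a placeholder

# Case 1: simple site, all originating mail comes from internal hosts.
$policy_bank{'MYNETS'} = {
  originating             => 1,    # mark mail as locally originating
  bypass_spam_checks_maps => [1],  # skip spam checks for this bank only
};

# Case 2: authenticated roaming users. The MTA hands their mail to
# amavisd on a second TCP port, and a dedicated bank is tied to that port.
$inet_socket_port = [10024, 10026];          # 10024: inbound, 10026: submission
$interface_policy{'10026'} = 'ORIGINATING';  # bank loaded for port 10026

$policy_bank{'ORIGINATING'} = {
  originating             => 1,
  bypass_spam_checks_maps => [1],
  # Virus and banned-file checks are not bypassed here, so mail
  # submitted by local users is still scanned for malware.
};

# With either bank in place, the sender-address whitelist entry for the
# local domain is no longer needed: a forged 'From:' on mail arriving
# from outside never reaches these banks, so it is spam-checked as usual.
```

On the MTA side, only the submission path (authenticated users) should point its content filter at the second port; inbound mail from the Internet stays on the first port.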

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 
