On 21 February 2018 at 10:21, Martin Johannes Dauser <mdau...@cs.sbg.ac.at> wrote:
>
> On Sat, 2018-02-17 at 09:49 +0000, Dominic Raferd wrote:
> > On 16 February 2018 at 21:05, Dauser Martin Johannes
> > <mdau...@cs.sbg.ac.at> wrote:
> > > Well this topic is quite old, still when searching for hard
> > > whitelisting with amavisd-new you'll find this solution on
> > > different sites.
> > >
> > > Dominic Raferd wrote on Dec 11 2016
> > >
> > > I use a whitelist with amavis: I have a file /etc/amavis/whitelist
> > > which contains on each line either a comment (starting with hash #),
> > > full email address or just a domain, and then in
> > > /etc/amavis/conf.d/50-user I have lines like this:
> > >
> > > # whitelist some senders to save time and avoid false positives
> > > # - you can list full addresses or domains, one per line
> > > # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> > > # This policy will perform virus checks only.
> > > read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> > > @whitelist_sender_maps = (\%whitelist_sender);
> > >
> > > $interface_policy{'10026'} = 'VIRUSONLY';
> > > $policy_bank{'VIRUSONLY'} = {
> > >   bypass_spam_checks_maps => ['@whitelist_sender_maps'],
> > >   bypass_banned_checks_maps => ['@whitelist_sender_maps'],
> > >   bypass_header_checks_maps => ['@whitelist_sender_maps'],
> > > };
> > >
> > >
> > > The problem is, I've got the impression that this policy_bank is
> > > set wrong and doesn't serve the intended purpose to whitelist
> > > SENDERS -- neither incoming nor outgoing. Actually it seems to
> > > state nonsense.
> > > Here are my thoughts and I gladly accept corrections:
> > >
> > > To make it clearer I moved the bypass_spam_checks_maps out of the
> > > hash/associative array:
> > >
> > > @bypass_spam_maps = ( '@whitelist_sender_maps') ;
> > >
> > > + First, and this took me a while to fully realise, @*_maps just
> > > tells the subroutine 'lookup' where and with which method (SQL,
> > > LDAP, hash, access control list, regexp, constant) it should
> > > search. [1]
> > >
> > > + Second, if it is not stated otherwise it searches for the
> > > RECIPIENT's envelope address. And I couldn't find anywhere that
> > > this very map is meant to search for senders:
> > >
> > > Documentation for whitelisting [2] is talking about senders but
> > > only in conjunction with the lookup tables @whitelist_sender_maps,
> > > @blacklist_sender_maps and
> > > $per_recip_blacklist_sender_lookup_tables.
> > >
> > > But the same Document [3] states: "Using configuration variables
> > > @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> > > @bypass_header_checks_maps and @bypass_spam_checks_maps each
> > > RECIPIENT ... may suggest that certain tests are not needed ... .
> > > Although the @bypass_*_checks_maps PERTAIN TO INDIVIDUAL
> > > RECIPIENTS, ... Suggestion by some of the RECIPIENTS that certain
> > > check ... is to be bypassed ... does not guarantee the test will
> > > not be performed. "
> > >
> > > So you can't set whitelisted senders with @bypass_*_maps.
> > >
> > > + Third, looking at my code line above @bypass_spam_maps is an
> > > array/"list" containing one member, which is a STRING
> > > '@whitelist_sender_maps'. This means the subroutine interprets
> > > this as a constant and returns this very string
> > > '@whitelist_sender_maps' as a value, which doesn't make any sense
> > > in this context as it is neither an email address nor a domain.
> > > -- Perl itself won't complain as the syntax is still correct and
> > > there won't be a hit ever.
> > >
> > > @bypass_spam_maps = (\%whitelist_sender);
> > >
> > > or within the policy bank I guess:
> > >
> > > bypass_spam_maps => [\%whitelist_sender],
> > >
> > > would search for email addresses within the file
> > > /etc/amavis/whitelist, I think. But as noted at my second point,
> > > those are sender addresses, not the expected recipients.
> > >
> > >
> > > Ah, global hard whitelisting of senders. How might it be done
> > > then? (Be aware of the caveats of whitelisting!)
> > >
> > > read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> > > @whitelist_sender_maps = (\%whitelist_sender);
> > >
> > > And content of /etc/amavis/whitelist:
> > >
> > > some.trustwor...@doma.in  #full email address
> > > some.trustworthy@         #full local part
> > > in.domain.we.trust        #full email domain
> > > .we.trust                 #accepting sub domains
> > >
> > >
> > > It should even be possible to set a sender whitelist within a
> > > policy bank:
> > >
> > > $policy_bank{'WHITELIST'} = {
> > >   whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> > > };
> > >
> > >
> > > As already noted, these are my thoughts and I gladly accept
> > > corrections.
> > >
> > > Martin Johannes Dauser
> > >
> > >
> > > 1 https://www.ijs.si/software/amavisd/README.lookups.txt
> > >
> > > 2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
> > >
> > > 3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks
> >
> > I defer to your greater understanding of amavis and perl, but at a
> > practical level the whitelist settings that I suggested above do work
> > for me.
>
> That's no surprise to me as the first lines of your proposal do the
> work, whereas @bypass_banned_checks_maps within your policy bank
> probably does nothing but consume a little bit of CPU time ;D
>
> I successfully use now:
>
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
>
>
> $policy_bank{'INCOMMING'} = {
>   # set incoming mails as NOT-originating
>   originating => 0,
>
>   # mails from trusted envelope senders
>   # are whitelisted by Spamassassin
>   whitelist_sender_maps => [ \%whitelist_sender ],
>
>   ...
> };
>
> And /etc/amavis/whitelist just contains one full email address.

Thanks, I believe you are correct. I have now updated my 50-user.conf to this:

$interface_policy{'10024'} = 'INCOMING';
$policy_bank{'INCOMING'} = {
  whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
};

and when an email comes through from a sender in whitelist I see these headers are added, provided I have $sa_tag_level_deflt set sufficiently low (e.g. -14):

X-Spam-Score: 0
X-Spam-Status: No, score=x tagged_above=-14 required=4 WHITELISTED tests=[] autolearn=unavailable
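
The quoted-name mistake discussed in this thread, as an added example that is not part of the original messages or of amavisd-new: a standalone Perl check that walks policy-bank hashes and reports `*_maps` entries that are plain strings naming a variable instead of references to a lookup table. The helper `audit_policy_banks` is hypothetical, the two banks are reduced copies of the ones posted above, and the whitelist entries are constructed sample data.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd-new code: flag *_maps entries that are quoted
# variable names (plain strings) instead of references to lookup tables.
use strict;
use warnings;

# Constructed sample data standing in for the contents of /etc/amavis/whitelist.
my %whitelist_sender = ('in.domain.we.trust' => 1, '.we.trust' => 1);

# The two policy banks from the thread, reduced to the settings in question.
my %policy_bank = (
    VIRUSONLY => {
        bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
        bypass_banned_checks_maps => ['@whitelist_sender_maps'],
        bypass_header_checks_maps => ['@whitelist_sender_maps'],
    },
    INCOMING => {
        whitelist_sender_maps => [ \%whitelist_sender ],
    },
);

# Hypothetical helper: return one finding per suspicious list element.
sub audit_policy_banks {
    my ($banks) = @_;
    my @findings;
    for my $bank (sort keys %$banks) {
        for my $setting (sort grep { /_maps\z/ } keys %{ $banks->{$bank} }) {
            my $maps = $banks->{$bank}{$setting};
            if (ref $maps ne 'ARRAY') {
                push @findings, "$bank/$setting: value is not a list reference";
                next;
            }
            for my $i (0 .. $#$maps) {
                my $entry = $maps->[$i];
                next if ref $entry;    # HASH, ARRAY, object: a real lookup table
                # A bare string that looks like a sigil plus a variable name.
                next unless defined $entry && $entry =~ /\A[\@%\$]\w+\z/;
                push @findings,
                    "$bank/$setting\[$i]: plain string '$entry' (constant), "
                  . "not a reference to a lookup table";
            }
        }
    }
    return @findings;
}

print "$_\n" for audit_policy_banks(\%policy_bank);
```

Run against these two banks it reports the three `VIRUSONLY` entries and nothing for `INCOMING`, because `\%whitelist_sender` is a hash reference while `'@whitelist_sender_maps'` is only a string.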