
Gary,

you nicely suggested that i use policy_bank to whitelist some ips that i trust;
i would allow senders from that ip to send mail with a zip attachment closed with
a password

i put my ip into white list:

amavis_client_whitelist:
151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026

and i issued: postmap /etc/postfix/amavis_client_whitelist

in postfix main.cf i have:

smtpd_recipient_restrictions =
reject_multi_recipient_bounce
permit_mynetworks
reject_unauth_destination
check_helo_access pcre:/etc/postfix/helo_checks
check_policy_service inet:127.0.0.1:60000
check_client_access hash:/etc/postfix/amavis_client_whitelist

coming to amavis conf,
in my debian conf i have put into: /etc/amavis/conf.d/50-user

$inet_socket_port = [10024, 10026]; # change from original setting

$interface_policy{'10026'} = 'CLIENTWHITELIST'; # add this setting

$policy_bank{'CLIENTWHITELIST'} = { # mail originating from trusted servers
    bypass_spam_checks_maps => [1], # don't spam-check
    bypass_virus_checks_maps => [1],
    final_virus_destiny => D_PASS,
    final_spam_destiny => D_PASS, # insure spam passes
};

restart postfix and amavis, when i try to send a mail with zip passworded i
get into mail.log:

Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED (Encrypted.Zip), [151.38.3.123] <?@adsl-123-3.38-151.net24.it> -> <maumar@evinco.it>, Message-ID: <200604191721.30805.maumar@datalogica.com>, mail_id: qFAaLs1cbXZh, Hits: -, 605 ms
Apr 19 17:21:36 mailgw1 postfix/smtp[5177]: 8A55C37CB0: to=<maumar@xxxx.it>, relay=127.0.0.1[127.0.0.1], delay=18, status=sent (250 2.5.0 Ok, id=05186-05, BOUNCE)
Apr 19 17:21:36 mailgw1 postfix/smtpd[5182]: disconnect from localhost.localdomain[127.0.0.1]
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 8A55C37CB0: removed
Apr 19 17:21:36 mailgw1 postfix/local[5221]: 203FC37CE7: to=<virusadmin@mailgw1.cost.it>, relay=local, delay=0, status=sent (delivered to command: procmail -a "$EXTENSION")
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 203FC37CE7: removed

 


Is 151.38.3.123 also listed in ‘mynetworks’ in main.cf?
If so, you will have to move
check_client_access hash:/etc/postfix/amavis_client_whitelist
ahead of ‘permit_mynetworks’.

If you don’t want to block banned files, you may also want to add:

bypass_banned_checks_maps => [1],
final_banned_destiny => D_PASS,

to your policy bank.

Just FYI, here is an example where you can also limit who
can receive this type of file:

$policy_bank{'CLIENTWHITELIST'} = {
bypass_spam_checks_maps => [[qw( maumar@example.it )]],
bypass_banned_checks_maps => [[qw( maumar@example.it )]],
bypass_virus_checks_maps => [[qw( maumar@example.it )]],
spam_lovers_maps => [[qw( maumar@example.it )]],
banned_files_lovers_maps => [[qw( maumar@example.it )]],
virus_lovers_maps => [[qw( maumar@example.it )]],
};

To further debug this, set $log_level to 5 and try to send the message
again; you will be looking to see if the CLIENTWHITELIST policy bank
is used.
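
Why the position of check_client_access relative to permit_mynetworks matters, as an added example that is not part of the original thread: a simplified Python model of first-match restriction evaluation. MYNETWORKS is a hypothetical value (the thread never shows it), and every restriction other than the two in question is assumed to return DUNNO.

```python
import ipaddress

# Constructed inputs: the access entry and restriction names are from the
# thread; MYNETWORKS is a hypothetical value (the thread does not show it).
ACCESS = {"151.38.3.123": "FILTER smtp-amavis:[127.0.0.1]:10026"}
MYNETWORKS = ["127.0.0.0/8", "151.38.3.0/24"]
ORIGINAL = ["reject_multi_recipient_bounce", "permit_mynetworks",
            "reject_unauth_destination", "check_helo_access",
            "check_policy_service", "check_client_access"]
# Suggested order: the access lookup runs before permit_mynetworks.
REORDERED = ["reject_multi_recipient_bounce", "check_client_access",
             "permit_mynetworks", "reject_unauth_destination",
             "check_helo_access", "check_policy_service"]


def evaluate(restrictions, client_ip, mynetworks=MYNETWORKS, access=ACCESS):
    """Return (verdict, content_filter) for one client.

    Simplified model: PERMIT/REJECT end the walk, FILTER only records the
    content filter and the walk continues, anything else is DUNNO.
    """
    ip = ipaddress.ip_address(client_ip)
    content_filter = None
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(net) for net in mynetworks):
                return "PERMIT", content_filter   # later entries never run
        elif name == "check_client_access":
            action = access.get(client_ip, "DUNNO")
            if action.startswith("FILTER "):
                content_filter = action.split(None, 1)[1]
            elif action in ("OK", "REJECT"):
                return ("PERMIT" if action == "OK" else "REJECT"), content_filter
        # every other restriction is assumed to return DUNNO for this mail
    return "PERMIT", content_filter               # end of list


def amavis_port(content_filter):
    """Port of the amavisd listener the mail is handed to, or None."""
    return int(content_filter.rsplit(":", 1)[1]) if content_filter else None


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL), ("reordered", REORDERED)):
        verdict, flt = evaluate(order, "151.38.3.123")
        print(f"{label:9} -> {verdict}, filter={flt}, port={amavis_port(flt)}")
```

A filter of None means the FILTER action was never reached, so the mail does not arrive on port 10026 and the CLIENTWHITELIST policy bank is not applied.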

 


i would add whitelisting for receivers, too;
my /etc/amavis/conf.d/50-user is this:
http://paste.debian.net/10181

i would add to this file :
@banned_files_lovers_maps => ( [qw( maumar@cost.it )]);

what i would get is that no mail with attachment zipped and password encrypted will ever be blocked:
http://paste.debian.net/10182

i have added the line this way:
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
@banned_files_lovers_maps => ( [qw( maumar@cost.it )]);
$inet_socket_port = [10024, 10026]; # change from original setting
[…]

but still mail is blocked;
$interface_policy{'10026'} = 'CLIENTWHITELIST';
this way 'CLIENTWHITELIST' is applied to $interface_policy{'10026'}

now, how can i apply ‘CLIENTWHITELIST’ to a mail address or an entire domain?


You are talking about two different things here. The CLIENTWHITELIST
allows certain clients (machines that are sending mail to you) bypass
spam/virus/banned checks.

If I’m not mistaken, amavisd-new will allow encrypted zip files to
pass. The sample you provided was not delivered because it is INFECTED
with a virus, not because it was banned. To allow spam/virus/banned
files to a recipient (or domain), you could do something like this:

@bypass_virus_checks_maps = ( [qw( usr@example.com )] );
@virus_lovers_maps = ( [qw( usr@example.com )] );
@bypass_spam_checks_maps = ( [qw( usr@example.com )] );
@spam_lovers_maps = ( [qw( usr@example.com )] );
@bypass_banned_checks_maps = ( [qw( usr@example.com )] );
@banned_files_lovers_maps = ( [qw( usr@example.com )] );
@bypass_header_checks_maps = ( [qw( usr@example.com )] );
@bad_header_lovers_maps = ( [qw( usr@example.com )] );

but since in this case these are all identical, you could
instead set only one of them, and then use that variable to
assign all the others:

@bad_header_lovers_maps = ( [qw( usr@example.com )] );

@bypass_virus_checks_maps =
@virus_lovers_maps =
@bypass_spam_checks_maps =
@spam_lovers_maps =
@bypass_banned_checks_maps =
@banned_files_lovers_maps =
@bypass_header_checks_maps = @bad_header_lovers_maps;