u nicely suggested me to use policy_bank to white list some ips that i trust;
i would allow senders fromt that ip to send mail with zip attach closed with

i put my ip into white list:

amavis_client_whitelist: FILTER smtp-amavis:[]:10026

and i issued: postmap /etc/postfix/amavis_client_whitelist

in postfix main.cf i have:

smtpd_recipient_restrictions =
check_helo_access pcre:/etc/postfix/helo_checks
check_policy_service inet:
check_client_access hash:/etc/postfix/amavis_client_whitelist

coming to amavis conf,
in my debian conf i have put into: /etc/amavis/conf.d/50-user

$inet_socket_port = [10024, 10026]; # change from original setting

$interface_policy{‘10026’} = ‘CLIENTWHITELIST’; # add this setting

$policy_bank{‘CLIENTWHITELIST’} = { # mail originating from trusted servers
bypass_spam_checks_maps => [1], # don’t spam-check
bypass_virus_checks_maps => [1],
final_virus_destiny => D_PASS,
final_spam_destiny => D_PASS, # insure spam passes

restart postfix and amavis, when i try to send a mail with zip passworded i
get into mail.log:

Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED
(Encrypted.Zip), [] <?@adsl-123-3.38-151.net24.it> ->
<maumar@evinco.it>, Message-ID
: <200604191721.30805.maumar@datalogica.com>, mail_id: qFAaLs1cbXZh, Hits: -,
605 ms
Apr 19 17:21:36 mailgw1 postfix/smtp[5177]: 8A55C37CB0: to=<maumar@xxxx.it>,
relay=[], delay=18, status=sent (250 2.5.0 Ok, id=05186-05,
Apr 19 17:21:36 mailgw1 postfix/smtpd[5182]: disconnect from
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 8A55C37CB0: removed
Apr 19 17:21:36 mailgw1 postfix/local[5221]: 203FC37CE7:
to=<virusadmin@mailgw1.cost.it>, relay=local, delay=0, status=sent (delivered
to command: procmail -a “$E
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 203FC37CE7: removed


Is also listed in ‘mynetworks’ in main.cf?
If so, you will have to move
check_client_access hash:/etc/postfix/amavis_client_whitelist
ahead of ‘permit_mynetworks’.

If you don’t want to block banned files, you may also want to add:

bypass_banned_checks_maps => [1],
final_banned_destiny => D_PASS,

to your policy bank.

Just FYI, here is an example where you can also limit who
can receive this type of file:

$policy_bank{‘CLIENTWHITELIST’} = {
bypass_spam_checks_maps => [[qw( maumar@example.it )]],
bypass_banned_checks_maps => [[qw( maumar@example.it )]],
bypass_virus_checks_maps => [[qw( maumar@example.it )]],
spam_lovers_maps => [[qw( maumar@example.it )]],
banned_files_lovers_maps => [[qw( maumar@example.it )]],
virus_lovers_maps => [[qw( maumar@example.it )]],

To further debug this, set $log_level to 5 and try to send the message
again, you will be looking to see if the CLIENTWHITELIST policy bank
is used.


i would add whitelisting for receivers, too;
my /etc/amavis/conf.d/50-user is this:

i would add to this file :
@banned_files_lovers_maps => ( [qw( maumar@cost.it )]);

what i would get is that no mail with attachment zipped and password encrypted will ever blocked:

i have added the line this way:
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
@banned_files_lovers_maps => ( [qw( maumar@cost.it )]);
$inet_socket_port = [10024, 10026]; # change from original setting

but still mail is blocked;
$interface_policy{‘10026’} = ‘CLIENTWHITELIST’;
this way ‘CLIENTWHITELIST’ is applied to $interface_policy{‘10026’}

now, how can i apply ‘CLIENTWHITELIST’ to a mail address or an entire domain?

ou are talking about two different things here. The CLIENTWHITELIST
allows certain clients (machines that are sending mail to you) bypass
spam/virus/banned checks.

If I’m not mistaken, amavisd-new will allow encrypted zip files to
pass. The sample you provided was not delivered because is is INFECTED
with a virus, not because it was banned. To allow spam/virus/banned
files to a recipient (or domain), you could do something like this:

@bypass_virus_checks_maps = ( [qw( usr@example.com )] );
@virus_lovers_maps = ( [qw( usr@example.com )] );
@bypass_spam_checks_maps = ( [qw( usr@example.com )] );
@spam_lovers_maps = ( [qw( usr@example.com )] );
@bypass_banned_checks_maps = ( [qw( usr@example.com )] );
@banned_files_lovers_maps = ( [qw( usr@example.com )] );
@bypass_header_checks_maps = ( [qw( usr@example.com )] );
@bad_header_lovers_maps = ( [qw( usr@example.com )] );

but since in this case these are all identical, you could
instead set only one of them, and then use that variable to
assign all the others:

@bad_header_lovers_maps = ( [qw( usr@example.com )] );

@bypass_virus_checks_maps =
@virus_lovers_maps =
@bypass_spam_checks_maps =
@spam_lovers_maps =
@bypass_banned_checks_maps =
@banned_files_lovers_maps =
@bypass_header_checks_maps = @bad_header_lovers_maps;