Problems whitelisting senders in Amavis-new

Question

I've a CentOS6 server with Amavis 2.9.1 + Postfix 2.6.6 + clamav 0.99 that I use as mail relay (aka mail gateway), with network set as follow: eth0 (10.10.132.104) as external inteface eth1 (10.10.133.104) as internal interface (where it delivers mail to internal users, or outgoing mails come from)

I installed postfix with following master.cf (I paste only rilevant parts):

#smtp   inet    n       -       y       -       -       smtpd
10.10.133.104:smtp      inet    n       -       y       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o cleanup_service_name=no-headerchecks
  -o content_filter=
127.0.0.1:smtp  inet    n       -       y       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o cleanup_service_name=no-headerchecks
   -o content_filter=
10.10.132.104:smtp      inet    n       -       y       -       -       smtpd

127.0.0.1:10025 inet n    -       y       -       -     smtpd
   -o content_filter=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o smtpd_restriction_classes=
   -o mynetworks=127.0.0.0/8,10.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
   -o local_header_rewrite_clients=
   -o smtpd_milters=
   -o local_recipient_maps=
   -o relay_recipient_maps=
….
….
amavisfeed unix    -       -       n        -      2     lmtp
   -o lmtp_data_done_timeout=1200
   -o lmtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20

In other hands, amavis at the moment only acts in mails incoming from external network. In main.cf, amavisfeed is specified as filter default:

...
content_filter=amavisfeed:[127.0.0.1]:10024
...

My main purpose, in amavis, is to block all (in addition to viruses, bad headers, etc..) banned files, including .zip and .rar, but some senders exception.

So, in my amavis.conf, I changed $banned_filename_re, adding a line so it reads:

  qr'^\.(zip|rar)$'i,                            # block zip and rar type 

The block works fine, until I use some “bypass_” filter in order to avoid block when some mails are incoming from some senders. Using the following policy bank (For instance, my domain is “test.mydomain.com”):

read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10024'} = 'EXTERNAL';

# regular incoming mail, originating from anywhere (usually from outside)
$policy_bank{'EXTERNAL'} = {
  # # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,  # do not require secret_id for amavisd-release
   bypass_banned_checks_maps => [[qw( recip1@example.com user@libero.it user@test.mydomain.com )]],
};

Now suppose that external user “user@libero.it” sends a mail to my internal user “user@test.mydomain.com” with a .zip attachment. It passes successfully, but BECAUSE RECIPIENT IS MATCHED (and not the SENDER) .. : From the log:

….
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: public key s=s2014 d=libero.it k=rsa, 2048-bit key
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) dkim: VALID Author+Sender+MailFrom signature by d=libero.it, From:
<user@libero.it>, a=rsa-sha256, c=relaxed/relaxed, s=s2014, i=@libero.it
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Original mail size: 5472196; quota set to: 524288000 bytes (fmin=5,
fmax=500, qmin=102400, qmax=524288000)
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Checking: xeO-t6yJ68dS EXTERNAL [212.48.25.196] <user@libero.it>-> <user@test.mydomain.com>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) 2822.From: <user@libero.it>
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl(user@test.mydomain.com) matches key ".test.mydomain.com", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [local_domains] => true,  "user@test.mydomain.com" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_virus_checks] => undef, "user@test.mydomain.com" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup_acl(user@test.mydomain.com) matches key "user@test.mydomain.com", result=1
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup => true,  "user@test.mydomain.com" matches, result="1", matching_key="user@test.mydomain.com"
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) lookup [bypass_spam_checks] => undef, "user@test.mydomain.com" does not match
Mar 16 14:58:57 test-mailgw amavis[10230]: (10230-01) Extracting mime components from a file

Infact, if I change the bypass_banned_checks_maps line, so to read:

   bypass_banned_checks_maps => [[qw( recip1@example.com user@libero.it )]],

and I resend the same mail, the sender is not whitelisted, and the mail is blocked (BANNED and BOUNCED) and quarantined:

…...
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) Checking: lCsEqup1nnwy EXTERNAL [212.48.25.196] <user@libero.it> 
-> <user@test.mydomain.com>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) 2822.From: <user@libero.it>
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl(user@test.mydomain.com) matches key ".test.mydomain.com", result=1
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [local_domains] => true, "user@test.mydomain.com" matches, result="1", matching_key=".test.mydomain.com"
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_virus_checks] => undef, "user@test.mydomain.com" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup_acl(user@test.mydomain.com), no match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup => undef, "user@test.mydomain.com" does not match
Mar 16 15:14:57 test-mailgw amavis[10611]: (10611-01) lookup [bypass_spam_checks] => undef, "user@test.mydomain.com" does not match
…...
Mar 16 15:14:58 test-mailgw postfix/lmtp[10620]: 64B778287E: to=<user@test.mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.63/0.01/0.01/1.4, dsn=2.5.0, status=sent (250 2.5.0 Ok <user@test.mydomain.com>, DSN was sent (554 5.7.0 Bounce, id=10611-01 - BANNED: .pdf,joomla_15_quickstart.pdf))
Mar 16 15:14:58 test-mailgw postfix/qmgr[631]: 64B778287E: removed
…….

Becuase, substantially, it keeps on checking the recipient’s mail address, instead of the sender one ….

And now, one more weirder and weirder behaviour! If I change my EXTERNAL policy_bank, using read_hash from a whitelist include file, where I write an address per line, so to have:

• my /etc/amavisd/whitelist file that reads as follow:

  user1@externaldomain1.tld externaldomain2.tld

• and my amavisd.conf’s policy bank as follow:

  …... read_hash(\%whitelist_sender, '/etc/amavisd/whitelist'); @whitelist_sender_maps = (\%whitelist_sender);

  $interface_policy{'10024'} = 'EXTERNAL';

  $policy_bank{'EXTERNAL'} = { log_level => 5, auth_required_release => 0, # do not require secret_id for amavisd-release bypass_banned_checks_maps => ['@whitelist_sender_maps'],
  }; ….

And I send the same mail of previous example (external “user@libero.it” to my internal “user@test.mydomain.com” ), I get:

…...
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) Checking: S6fD-MRTCySL EXTERNAL [212.48.25.196] <user@libero.it> -> <user@test.mydomain.com>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) 2822.From: <user@libero.it>
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup_acl(user@test.mydomain.com) matches key ".test.mydomain.com", result=1
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [local_domains] => true,  "user@test.mydomain.com" matches, result="1",matching_key=".test.mydomain.com"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_virus_checks] => undef, "user@test.mydomain.com" does not match
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup: (scalar) matches, result="@whitelist_sender_maps"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup => true, "user@test.mydomain.com" matches, result="@whitelist_sender_maps", matching_key="(constant:@whitelist_sender_maps)"
Mar 16 15:36:32 test-mailgw amavis[11088]: (11088-01) lookup [bypass_spam_checks] => undef, "user@test.mydomain.com" does not match
…..

… the mail passes as Clean, and arrives to its destination. (In addition, why “result=”@whitelist_sender_maps” ?)

Could anybody help me, and suggest me where and why I’m mistaking???

Thanks in advance for any help. Gabo

Answer 1

It seems it is not possible to do this in amavis alone. An alternative would be to use a separate policy bank where checking for banned file names is disabled, and let Postfix direct emails from whitelisted sender addresses to that policy bank.

A basic implementation could be done as follows:

Add the following to amavisd.conf:

$interface_policy{'10026'} = 'NOBANNED';

$policy_bank{'NOBANNED'} = {
  # # just use global settings, no special overrides
  log_level => 4,
  auth_required_release => 0,
  bypass_banned_checks_maps => [1],
};

Create a file /etc/postfix/whitelist_filter, with contents like:

whitelisted@sender.com  FILTER smtp:[127.0.0.1]:10026

Create the hash file for this file:

postmap hash:/etc/postfix/whitelist_filter

And add the line

check_client_access hash:/etc/postfix/whitelist_filter

somewhere in the smtpd_recipient_restrictions in /etc/postfix/main.cf.