How to whitelist domain on amavis

amavis

I have some trouble receiving mail from specific domains. My server receives mail from Gmail, for example, with no problem. Tried a bunch of guides to whitelist the sender domain but still get the same message in the log. Can you help me fix this? Already tried to whitelist (read_hash method) and by manually adding the domain with a negative score in amavisd.conf.in. No success.

This is the message from the log:

Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-senderdomain.com[10.10.10.10]: <sendermail@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sendermail@domain.com> to=<mymail@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>
Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-out.senderdomain.com[10.10.10.10]: <sender@senderdomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<sendermail@domain.com> to=<mymail@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>
Oct 10 16:55:46 mail postfix/smtpd[31680]: 5E01FA5EA9: client=smtp-out.senderdomain.com[10.10.10.10]

This is postconf -n:

address_verify_negative_refresh_time = 10m
address_verify_poll_count = ${stress?3}${stress:5}
address_verify_poll_delay = 3s
address_verify_positive_refresh_time = 12h
alias_maps = lmdb:/etc/aliases
allow_mail_to_commands =
allow_mail_to_files =
always_add_missing_headers = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf
command_directory = /opt/zimbra/common/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/zimbra/common/libexec
data_directory = /opt/zimbra/data/postfix/data
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 100
delay_warning_time = 0h
header_checks =
hopcount_limit = 50
html_directory = no
import_environment =
in_flow_delay = 1s
inet_protocols = ipv4
lmdb_map_size = 16777216
lmtp_connection_cache_destinations =
lmtp_connection_cache_time_limit = 4s
lmtp_host_lookup = dns
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_ciphers = export
lmtp_tls_exclude_ciphers =
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_security_level = may
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /opt/zimbra/common/sbin/mailq
manpage_directory = /opt/zimbra/common/share/man
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 10240000
meta_directory = /opt/zimbra/common/conf
milter_command_timeout = 30s
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_default_action = tempfail
minimal_backoff_time = 300s
mydestination = localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24
mynetworks_style = subnet
newaliases_path = /opt/zimbra/common/sbin/newaliases
non_smtpd_milters =
notify_classes = resource, software
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_retention_time = 7d
postscreen_command_count_limit = 20
postscreen_dnsbl_action = ignore
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = 0
postscreen_greet_action = ignore
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_upstream_proxy_protocol =
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
propagate_unmatched_extensions = canonical
queue_directory = /opt/zimbra/data/postfix/spool
queue_run_delay = 300s
readme_directory = no
recipient_delimiter =
relayhost =
sample_directory = /opt/zimbra/common/conf
sender_canonical_maps =
sendmail_path = /opt/zimbra/common/sbin/sendmail
setgid_group = postdrop
shlib_directory = no
smtp_cname_overrides_servername = no
smtp_dns_support_level = enabled
smtp_fallback_relay =
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_security_options = noplaintext,noanonymous
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_ciphers = export
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_transport_rate_delay = $default_transport_rate_delay
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_auth_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_milters =
smtpd_proxy_timeout = 100s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_reverse_client rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_sender bl.spamcop.net, permit
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_login_maps =
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
smtpd_soft_error_limit = 10
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_ciphers = export
smtpd_tls_dh1024_param_file = /opt/zimbra/conf/dhparam.pem
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_append_default_CA = no
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
unknown_local_recipient_reject_code = 550
unverified_recipient_defer_code = 250
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_expansion_limit = 10000
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
virtual_transport = error

This is main.cf:

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
# debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
#       PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#       echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#       >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
#       PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#       -dmS $process_name gdb $daemon_directory/$process_name
#       $process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
# sendmail_path = /opt/zimbra/common/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
# newaliases_path = /opt/zimbra/common/sbin/newaliases

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
# mailq_path = /opt/zimbra/common/sbin/mailq

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
# setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
# html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
# manpage_directory = /opt/zimbra/common/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
# sample_directory = /opt/zimbra/common/conf

# readme_directory: The location of the Postfix README files.
# readme_directory = no
inet_protocols = ipv4

#
# Zimbra changes.
#

virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf

virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf

virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf

virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf

virtual_transport = error

canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf

transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

# If (email domain name == host name), we don't want $myhostname in
# mydestination for testing purposes.
mydestination = localhost

# Disable NIS which is in the default
alias_maps = lmdb:/etc/aliases

# for security...
allow_mail_to_commands =
allow_mail_to_files =

smtpd_helo_required = yes

smtpd_client_restrictions = reject_unauth_pipelining

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_reverse_client rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_sender bl.spamcop.net, permit

broken_sasl_auth_clients = yes

smtpd_use_tls = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtputf8_enable = no

meta_directory = /opt/zimbra/common/conf
shlib_directory = no
postscreen_dnsbl_min_ttl = 60s
in_flow_delay = 1s
postscreen_dnsbl_whitelist_threshold = 0
postscreen_command_count_limit = 20
smtp_dns_support_level = enabled
smtpd_sasl_security_options = noanonymous
address_verify_positive_refresh_time = 12h
postscreen_pipelining_ttl = 30d
default_process_limit = 100
smtpd_tls_ask_ccert = no
smtpd_tls_ccert_verifydepth = 9
smtpd_error_sleep_time = 1s
lmtp_tls_security_level = may
smtp_tls_CApath =
smtpd_reject_unlisted_sender = no
hopcount_limit = 50
address_verify_poll_delay = 3s
lmtp_host_lookup = dns
lmtp_tls_loglevel = 0
smtpd_banner = $myhostname ESMTP $mail_name
lmtp_tls_ciphers = export
postscreen_greet_action = ignore
smtp_sasl_security_options = noplaintext,noanonymous
postscreen_blacklist_action = ignore
smtp_tls_ciphers = export
postscreen_pipelining_enable = no
delay_warning_time = 0h
bounce_queue_lifetime = 5d
smtpd_tls_auth_only = yes
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
postscreen_watchdog_timeout = 10s
postscreen_access_list = permit_mynetworks
mailbox_size_limit = 0
notify_classes = resource, software
bounce_notice_recipient = postmaster
lmtp_tls_protocols = !SSLv2, !SSLv3
smtp_sasl_auth_enable = no
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24
message_size_limit = 10240000
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtp_helo_name = $myhostname
address_verify_poll_count = ${stress?3}${stress:5}
maximal_queue_lifetime = 5d
postscreen_whitelist_interfaces = static:all
smtp_tls_loglevel = 0
myhostname = mail.mydomain.com
smtpd_sasl_auth_enable = yes
postscreen_dnsbl_reply_map =
virtual_alias_expansion_limit = 10000
postscreen_non_smtp_command_ttl = 30d
smtpd_client_port_logging = no
relayhost =
postscreen_greet_ttl = 1d
smtp_sasl_password_maps =
smtpd_tls_CAfile =
smtpd_tls_security_level = may
postscreen_bare_newline_enable = no
import_environment =
max_use = 100
milter_content_timeout = 300s
minimal_backoff_time = 300s
postscreen_dnsbl_sites =
recipient_delimiter =
unverified_recipient_defer_code = 250
postscreen_upstream_proxy_protocol =
postscreen_non_smtp_command_action = drop
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
postscreen_dnsbl_ttl = 1h
smtp_tls_mandatory_ciphers = medium
smtpd_sender_login_maps =
lmtp_connection_cache_destinations =
content_filter = smtp-amavis:[127.0.0.1]:10024
queue_run_delay = 300s
lmtp_tls_mandatory_ciphers = medium
smtp_generic_maps =
milter_connect_timeout = 30s
milter_default_action = tempfail
address_verify_negative_refresh_time = 10m
lmtp_tls_exclude_ciphers =
smtpd_end_of_data_restrictions =
smtp_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
postscreen_non_smtp_command_enable = no
lmtp_tls_CAfile =
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
postscreen_bare_newline_action = ignore
postscreen_cache_retention_time = 7d
smtpd_milters =
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CApath =
smtpd_soft_error_limit = 10
postscreen_dnsbl_action = ignore
postscreen_pipelining_action = enforce
smtp_transport_rate_delay = $default_transport_rate_delay
smtp_fallback_relay =
lmtp_tls_CApath =
smtp_cname_overrides_servername = no
postscreen_dnsbl_threshold = 1
postscreen_bare_newline_ttl = 30d
smtpd_proxy_timeout = 100s
smtpd_tls_dh1024_param_file = /opt/zimbra/conf/dhparam.pem
postscreen_cache_cleanup_interval = 12h
propagate_unmatched_extensions = canonical
smtp_sasl_mechanism_filter =
milter_command_timeout = 30s
smtpd_client_auth_rate_limit = 0
non_smtpd_milters =
smtpd_tls_ciphers = export
lmdb_map_size = 16777216
smtpd_sasl_authenticated_header = no
smtpd_hard_error_limit = 20
maximal_backoff_time = 4000s
smtp_tls_CAfile =
smtpd_reject_unlisted_recipient = no
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_append_default_CA = no
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_mandatory_protocols =
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
sender_canonical_maps =
smtpd_tls_received_header = no
always_add_missing_headers = yes
lmtp_connection_cache_time_limit = 4s
smtpd_tls_exclude_ciphers =
smtpd_helo_required = yes

Best Answer

Please note that depending on your distribution of amavisd-new, the files below may be within /etc/amavisd/ parent folder instead of /etc/amavis/ per below. Make sure you note the location in case it's different from below.

Unless you are already using /etc/amavis/conf.d/50-user for overrides, create a new /etc/amavis/conf.d/99-overrides file. The number part of the filename is important; the name part is meaningless. "99-" will be read in last. You may wish to move any overrides you may have already added to 50-user to this new file. (50-user can get overwritten by amavisd-new package updates.)

To set up a global whitelist, add this to the Amavis configuration file described and/or created above:

# These are up to you. 
$sa_tag_level_deflt  = -9999;
$sa_tag2_level_deflt = 5.5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.5; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_spam_subject_tag = "**Spam** ";
$final_spam_destiny       = D_PASS;
$final_virus_destiny      = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;

# Setup basic global whitelist/pb

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10026'} = 'VIRUSONLYCHECK';
$policy_bank{'VIRUSONLYCHECK'} = { # mail from the pickup daemon
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
};

Then create a /etc/amavis/whitelist file.

Add your emails or domains to this file like so, nothing else, one per line:

someone@example.com
cleandomain1.com
myfriend@an-otherwise-bad-domain.net
cleandomain2.com
someoneelse@example.net

Restart the amavisd process. Have someone added to the whitelist test it. You can also bypass virus checks by adding a bypass_virus_checks_maps line to the policy bank above using the same format shown, and test the whole thing with the GTUBE virus test signature. Obviously, you should either D_DISCARD viruses (no whitelist), or quarantine away from user folders when not testing. Also, please read the docs for details on any of the directives used above. There are plenty more.

Also, please note that if you "D_PASS" on final_spam_destiny (or any others), you would probably want it to go to a user's junk/spam folder. This is answered elsewhere.
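As an added example (not from the question or the answer above), this Python script ties the two posts together: it parses Postfix smtpd "Sender address triggers FILTER" lines like those in the question and maps the amavis port each RCPT was routed to onto the `$interface_policy` entries of an overrides file like the answer's, so you can see whether the listener a message actually reached has a policy bank that bypasses spam checks. Both inputs are constructed from the text of this page.

```python
import re

# Constructed sample input: the three postfix/smtpd lines quoted in the question.
SAMPLE_LOG = """\
Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-senderdomain.com[10.10.10.10]: <sendermail@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sendermail@domain.com> to=<mymail@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>
Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-out.senderdomain.com[10.10.10.10]: <sender@senderdomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<sendermail@domain.com> to=<mymail@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>
Oct 10 16:55:46 mail postfix/smtpd[31680]: 5E01FA5EA9: client=smtp-out.senderdomain.com[10.10.10.10]
"""

# Constructed sample input: the policy-bank part of the answer's overrides file.
SAMPLE_AMAVIS_CONF = r"""read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLYCHECK';
$policy_bank{'VIRUSONLYCHECK'} = {
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],
    bypass_header_checks_maps => ['@whitelist_sender_maps'],
};
"""

# smtpd FILTER lines, then amavis $interface_policy{'PORT'} = 'BANK'; and $policy_bank{'BANK'} = {...};
FILTER_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: filter: RCPT from (?P<client>\S+?): "
    r"<(?P<sender>[^>]*)>: Sender address triggers FILTER "
    r"(?P<transport>[\w-]+):\[(?P<host>[^\]]+)\]:(?P<port>\d+);")
INTERFACE_POLICY_RE = re.compile(
    r"\$interface_policy\{\s*'(?P<port>\d+)'\s*\}\s*=\s*'(?P<bank>\w+)'\s*;")
POLICY_BANK_RE = re.compile(
    r"\$policy_bank\{\s*'(?P<bank>\w+)'\s*\}\s*=\s*\{(?P<body>.*?)\};", re.S)

def parse_filter_events(log_text):
    """One dict per smtpd line that handed a RCPT to a FILTER transport."""
    events = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            events.append({"client": m["client"], "sender": m["sender"], "port": int(m["port"])})
    return events

def parse_amavis_policies(conf_text):
    """Return (port -> bank name, bank name -> set of bypass_*_checks_maps keys it sets)."""
    port_to_bank = {int(m["port"]): m["bank"]
                    for m in INTERFACE_POLICY_RE.finditer(conf_text)}
    bank_bypasses = {m["bank"]: set(re.findall(r"(bypass_\w+_checks_maps)\s*=>", m["body"]))
                     for m in POLICY_BANK_RE.finditer(conf_text)}
    return port_to_bank, bank_bypasses

def check_whitelist_coverage(log_text, conf_text):
    """Per FILTER event: the bank bound to its amavis port (None if unbound) and whether it bypasses spam checks."""
    port_to_bank, bank_bypasses = parse_amavis_policies(conf_text)
    report = []
    for ev in parse_filter_events(log_text):
        bank = port_to_bank.get(ev["port"])
        report.append({**ev, "bank": bank, "spam_bypass":
                       "bypass_spam_checks_maps" in bank_bypasses.get(bank, set())})
    return report

if __name__ == "__main__":
    for r in check_whitelist_coverage(SAMPLE_LOG, SAMPLE_AMAVIS_CONF):
        print(r["sender"], "-> port", r["port"], "bank:", r["bank"], "spam_bypass:", r["spam_bypass"])
```

On the question's log the report shows one RCPT routed to 10026 (covered by VIRUSONLYCHECK) and one routed to 10024, the content_filter port from postconf -n, with no policy bank attached.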
