Bypass amavisd-new scanning - Postfix integration
There is a disclaimer for this document located at http://verchick.com/mecham/public_html/spam/.
This 'How do I bypass amavisd-new?' topic comes up often on both the Postfix and the amavisd-new mailing lists. While
it appears there should be a simple answer, and often there is, it
must first be determined exactly what the mail administrator is trying to accomplish. This
document is designed to give you some idea of different ways different problems can
be solved, so the solutions here are not necessarily designed to be used verbatim.
This document assumes amavisd-new is used as an 'after queue' content filter
as described in
http://www.ijs.si/software/amavisd/README.postfix.txt and
you are using amavisd-new version 2.0.0 or newer and Postfix 2.0 or newer.
It also assumes you know when a
Postfix map needs to be postmap'ed. I illustrate the use of hash: for some tables;
your system may use a different data type (like dbm:). Let me start by defining a few terms:
-
spamfilter: The server we are talking about, the Postfix/amavisd-new (e)smtp server.
-
client: A computer that connects to our spamfilter (typically via TCP/IP).
This can be another email server, or any other computer or device (typically with an
IP address) that wants to send mail to, or through, our spamfilter.
-
sender: the email address the sending machine gives in the MAIL FROM: command - the
envelope sender. When I talk about senders, I'm usually referring to senders who are not
in domains we control, and they are sending mail to recipients that are in domains we control.
It may be worth mentioning that in Postfix, content_filter and FILTER are mechanisms
used to override a given message's transport. All recipients of the message are affected.
It is not acceptable to use the FILTER mechanism in a check_recipient_access map to attempt
to override the transport for a particular recipient when there is a possibility
a message for that recipient may also be addressed to other recipients.
The result would be all of those recipients are filtered, whether they are listed
in the map or not.
When the FILTER mechanism is used in an access map (I show some examples later),
the result is DUNNO, so processing does continue on to the next restriction (if any).
I think of it as a selector switch that acts on a given message's transport. The actual
act of transporting a message to a destination comes later in Postfix' processing of the message.
Amavisd-new policy banks are intended to be used to alter the processing of a
given message depending on the client or sender. There are many per-recipient controls that
can also be used in amavisd-new to alter the processing of a message for a given recipient.
Lookup tables (either static, SQL or LDAP) are provided as a means of determining certain
things such as "does this recipient want to bypass spam checks?" or "is this recipient a
spam lover?" or "at what score does this recipient wish to mark a message as spam?".
I only give one example of recipient based bypassing (using static maps) and would direct
you to amavisd.conf-sample, README.sql, README.ldap, LDAP.schema, and README.lookups
supplied with the amavisd-new source code for more examples of recipient based controls.
I will illustrate bypassing spam checks, banned checks, and bad
header checks (and provide a few examples of bypassing amavisd-new altogether).
You can add virus checks, or remove other checks as required. There is something to
consider when using client/sender based bypassing. In amavisd-new each
recipient can be configured to receive malware or not. Bypassing amavisd-new
(entirely or via policy banks) may override the personal policies of recipients in
hosted domains. This type of bypassing opens up the possibility that malware may be sent
to recipients that do not desire it. More
often than not, overriding recipients' policies is precisely the desired behavior. For
example: if you use the MYNETS policy bank to bypass banned file checks, use of this
policy bank may give internal users the ability to send each other (and also remote domains)
banned files, regardless of the local recipients' policies. The internal users may want
this ability. If their personal policy states that they do not desire
spam/banned_files/viruses, they still maintain this policy for mail sent from outside
MYNETS. However, in cases where a server is hosting a number of domains - and one or more of
those domains wish to opt out of scanning - and a policy bank or content_filter bypass
is used to accomplish this, those domains may be given the ability to send malware to the other
hosted domains. Make sure you trust those you allow to bypass using these
client/sender methods (and other hosted domains are OK with it too).
If this is not acceptable, the better option is to use amavisd-new recipient based
bypassing for these domains, either per domain/user in SQL or LDAP or with the use of
static maps, of which 9. is one example. A thoughtfully constructed
dual Postfix setup (generally illustrated in example 12) could
also work around this issue.
Suggested reading:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks. Also see the copy of
amavisd.conf-sample
that is included with the source code
of the version of amavisd-new you are using for examples of policy bank settings.
Settings in a policy bank will override current amavisd-new settings.
In many examples we bypass checks by redirecting mail to port 10026 or 10027.
These port numbers are examples.
In many policy bank examples below I use bypass_spam_checks_maps to bypass spam checks. While bypassing
spam checks does reduce time spent processing spam, using spam_lovers_maps as an alternative gives
the advantage that some messages may then be auto-learned by the Bayes engine. Often this
will aide in feeding needed ham to Bayes. Another alternative is to simply be more permissive
in what is allowed. This example is from
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks:
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
virus_admin_maps => ["security\@$mydomain"], # alert of infected local hosts
spam_admin_maps => ["abuse\@$mydomain"], # alert of internal spam
spam_kill_level_maps => [7.0], # slightly more permissive spam kill level
spam_dsn_cutoff_level_maps => [15],
banned_filename_maps => [
new_RE(
# block double extensions in names:
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
# allow any name or type (except viruses) within an archive:
[ qr'^\.(Z|gz|bz2|rpm|cpio|tar|zip|rar|arc|arj|zoo)$' => 0],
# blocks MS executable file(1) types, unless allowed above:
qr'^\.(exe-ms)$',
),
],
};And here is another MYNETS example where the postmaster is notified if internal users should send spam:
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
spam_admin_maps => ["postmaster\@$mydomain"], # alert of internal spam
spam_kill_level_maps => [9.0],
spam_dsn_cutoff_level_maps => [9999],
spam_dsn_cutoff_level_bysender_maps => [9999],
};
Now let's look at specific requests:
-
1. Allow clients on my internal network to bypass scanning by using the MYNETS policy bank.
-
2. Use two or more IP addresses to only filter incoming messages (bypass filtering for internal clients).
-
3. Use two or more IP addresses to bypass filtering for different destination domains.
-
4. Allow a particular client (or clients) to bypass scanning by using an additional port.
-
5. Allow a particular client (or clients) to bypass scanning by using check_client_access.
-
6. Allow a particular sender to bypass scanning.
-
7. Allow particular senders to bypass scanning - but in a somewhat more secure manner.
-
8. Configure particular senders to use unique banned files settings.
-
9. Configure particular recipients to bypass checks using amavisd-new @bypass_*_checks_maps.
-
10 Allow SASL authenticated users to bypass scanning.
-
11 Bypass checks for internally generated mail (submitted to the 'pickup' service).
-
12 Bypass amavisd-new by using two copies of Postfix and transport maps.
Index
1. Allow clients on my internal network to bypass scanning by using the 'MYNETS' policy bank.
You can use the built in 'MYNETS' policy bank to allow clients included in $mynetworks.
Let's assume you allow all (or most) clients on your internal network to send
outbound mail through your spamfilter. The IP addresses of these clients are
included in Postfix' $mynetworks in main.cf:
mynetworks = 127.0.0.0/8 !192.168.1.1 192.168.1.0/24
In amavisd.conf @mynetworks determines which clients will use the 'MYNETS' policy bank:
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
!192.168.1.1 192.168.1.0/24 );And you would
configure the 'MYNETS' policy bank as desired:
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail
};
When using the "MYNETS' policy bank, you must use *_send_xforward_command in master.cf:
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
(or)
lmtp-amavis unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20This enables forwarding of the client's IP address to amavisd-new.
|
Index
2. Use two or more IP addresses to only filter incoming messages
(bypass filtering for internal clients). Derived from
http://www.postfix.org/FILTER_README.html#remote_only. When we start out, our
spamfilter has one IP address assigned to our network interface, one assigned to the loopback interface,
and master.cf is configured to listen to them there:
smtp inet n - n - - smtpd and
in main.cf we listen on all interfaces:
inet_interfaces = all Let's assume
the IP address of the spamfilter's network interface is 192.168.1.2. You would begin by adding
a second IP address to this network interface (I do not outline this procedure -
it is specific to each operating system). If the current IP address is a public
IP address, this assumes you have a spare one available for use. If you have a
backup MX server that will also use this type of configuration, then another
available address may be needed. We will assign
192.168.1.222. This procedure will require you to reconfigure the clients on your network
to use the newly added address. You split the smtpd listener into three listeners (we
add 127.0.0.1:smtp because we lost it when we broke out 192.168.1.2:smtp):
192.168.1.2:smtp inet n - n - - smtpd
127.0.0.1:smtp inet n - n - - smtpd
192.168.1.222:smtp inet n - n - - smtpd
In main.cf you must remove or comment out:
#content_filter=smtp-amavis:[127.0.0.1]:10024
You then configure the original IP and 127.0.0.1 to use amavisd-new as it was
before, and the new IP we set to override the content_filter. We also prevent
connections to 192.168.1.222 from untrusted IP addresses (we only allow internal clients):
192.168.1.2:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
127.0.0.1:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
192.168.1.222:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o mynetworks=127.0.0.0/8,!192.168.1.1,192.168.1.0/24
-o smtpd_client_restrictions=permit_mynetworks,reject
# 192.168.1.1 is the internal interface of our NAT router
# the NAT router sends all external mail to 192.168.1.2
# internal clients (192.168.1.0/24) are (re)configured to send mail to 192.168.1.222
Create a policy bank in amavisd.conf that listens on port 10026:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'BYPASS';
$policy_bank{'BYPASS'} = { # those configured to send mail to port 10026
originating => 1, # Since amavisd-new 2.5.0
# declare that mail was submitted by our smtp client
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};Because we moved the content_filter setting from main.cf to master.cf
we have turned off the content_filter for the pickup service (a possibly desirable side
effect). Instead of completely bypassing amavisd-new, another option would be to use
the BYPASS policy bank so virus checks (for example) are still performed.
pickup fifo n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10026
As you can see, by manipulating the overrides for the newly added listener
on 192.168.1.222, you can do a number of different things. For example, you
could limit access to one particular client (192.168.1.41 in this example):
192.168.1.222:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject
contents of /etc/postfix/amavis_bypass_client:
192.168.1.41 OK
You could use a cidr: map to allow certain networks (networks
you do not wish to include in $mynetworks) or a regexp: or pcre: map to allow
other chosen clients.
Also note that you don't have to send to a policy bank. Since we removed
content_filter from main.cf, you could simply bypass amavisd-new by not setting a
content_filter:
192.168.1.222:smtp inet n - n - - smtpd
-o smtpd_client_restrictions=permit_mynetworks,reject
A note on address
rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new
is used, unless you have chosen to disable address rewriting on the reinjection port
(127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding
-o receive_override_options=no_address_mappings
|
Index
3. Use two or more IP addresses to bypass filtering for different destination domains.
This is from
http://www.postfix.org/FILTER_README.html#domain_dependent. You filter mail for
a number of domains, but a couple domains only want virus filtering, and a couple
others do not want mail to pass through amavisd-new at all. This presumes you
have one or two extra public IP addresses available for use. If you have a backup MX
server that will also use this type of configuration, then one or more additional available
addresses may be needed. When we start out, our spamfilter has
one IP address, and master.cf is configured to listen there:
smtp inet n - n - - smtpd and
in main.cf we listen on all interfaces:
inet_interfaces = all Let's assume
the IP address of the spamfilter is 192.168.1.2 with a hostname of host.example.com.
You would begin by adding a second (and possibly third) IP address to the network
interface (I do not outline this procedure - it is specific to each operating system).
We will create 192.168.1.222 and 192.168.1.223 and will also create DNS A records for
them 'hostip2.example.com' and 'hostip3.example.com' and for the domains that wish to
bypass scanning, MX records would be changed so they point to the new hosts. You split
the smtpd listener into four listeners (we add 127.0.0.1:smtp because we lost it when
we broke out 192.168.1.2:smtp):
192.168.1.2:smtp inet n - n - - smtpd
127.0.0.1:smtp inet n - n - - smtpd
192.168.1.222:smtp inet n - n - - smtpd
192.168.1.223:smtp inet n - n - - smtpd
In main.cf you must remove or comment out:
#content_filter=smtp-amavis:[127.0.0.1]:10024 Then we configure our
four listeners:
# host.example.com uses standard amavisd-new configuration
192.168.1.2:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
# as does the loopback interface
127.0.0.1:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
# hostip2.example.com uses a policy bank listening on port 10026
192.168.1.222:smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
# and hostip3.example.com bypasses amavisd-new altogether
192.168.1.223:smtp inet n - n - - smtpd
-o content_filter=
Create a policy bank in amavisd.conf that listens on port 10026:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'BYPASS';
$policy_bank{'BYPASS'} = { # those configured to send mail to port 10026
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};Because we moved the content_filter setting from main.cf to master.cf
we have turned off the content_filter for the pickup service.
Instead of completely bypassing amavisd-new, another option would be to use the BYPASS
policy bank so virus checks (for example) are still performed:
pickup fifo n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10026A note on address
rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new
is used, unless you have chosen to disable address rewriting on the reinjection port
(127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding
-o receive_override_options=no_address_mappings
Although this may be unlikely, I can see one problem. Spammers often send mail to hosts
(A records) instead of heeding MX records so there would be a problem if they decided to
send mail for any of your hosted domains to the wrong hostname (IP address).
|
Index
4. Allow a particular client (or clients) to bypass scanning by using an
additional port. This is another handy way to allow an internal mail server
(or any clients in $mynetworks or a properly configured access map) to use our
spamfilter with less restrictive
(or completely bypassed) content_filter settings. You can also control
access to the port using your firewall (whether local or external). In master.cf
add the additional port, set it to use the policy bank, and configure which
clients may access it. Obviously any clients that wish to use the new port would need
to be reconfigured to do so. In this example these clients in $mynetworks are also able
to use the spamfilter as a relay:
smtp inet n - n - - smtpd
4025 inet n - n - - smtpd
-o mynetworks=127.0.0.0/8,192.168.1.0/24
-o smtpd_client_restrictions=permit_mynetworks,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026 Create a policy bank
in amavisd.conf:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'INTERNAL';
$policy_bank{'INTERNAL'} = { # Internal mail submitted to port 4025
originating => 1, # Since amavisd-new 2.5.0
# declare that mail was submitted by our smtp client
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};
Remember that you don't have to send mail to the content filter.
As you can see, by manipulating the overrides for the newly added port
4025, you can do a number of different things. For example, you
could limit access to one particular client (192.168.1.41 in this example):
4025 inet n - n - - smtpd
-o content_filter=
-o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject
contents of /etc/postfix/amavis_bypass_client:
192.168.1.41 OK
You could use a cidr: map to allow certain networks (networks
you do not wish to include in $mynetworks) or a regexp: or pcre: map to allow
other chosen clients.
A note on address
rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new
is used, unless you have chosen to disable address rewriting on the reinjection port
(127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding
-o receive_override_options=no_address_mappings
|
Index
5. Allow a particular client (or clients) to bypass scanning by using
check_client_access. This is simple. We use a policy bank and
a check_client_access map to allow 192.168.1.41 to bypass checks. In main.cf:
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/amavis_bypass
contents of /etc/postfix/amavis_bypass:
192.168.1.41 FILTER smtp-amavis:[127.0.0.1]:10026
Create a policy bank in amavisd.conf that listens on port 10026:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'BYPASS';
$policy_bank{'BYPASS'} = { # those configured to send mail to port 10026
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};
It is also possible to skip amavisd-new entirely by sending
the mail back to Postfix on the reinjection port.
This is a bit convoluted but useful if you are still using amavisd-new
20030616p10 which does not support policy banks.
contents of /etc/postfix/amavis_bypass:
192.168.1.41 FILTER smtp:[127.0.0.1]:10025
|
Index
6. Allow a particular sender to bypass scanning.
I'm mainly talking about allowing a particular sender to bypass banned files checks but
this could also be used to allow senders to bypass SpamAssassin.
However, if you want to allow a sender to send spam, consider using one of the
means to whitelist
a sender outlined in the SpamAssassin or amavisd-new documentation. Use amavisd-new's
@score_sender_maps for one example. Anyone can spoof the sender address. Allowing
a sender to send banned files is to invite disaster. I don't suggest you use this
(but if forced to confess, I use it for one sender myself).
Look to the following section for a more secure idea. Nonetheless, if you
insist on using this simple method, then you should at least limit the damage
by only allowing the banned files to pass to a chosen recipient or
short list of recipients. Definitely don't use this for a sender in one of
your own domains because it is extremely likely you will get mail that spoofs
your own addresses. In main.cf:
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/amavis_senderbypass
contents of /etc/postfix/amavis_senderbypass
sender@example.net FILTER smtp-amavis:[127.0.0.1]:10026
sender@example.org FILTER smtp-amavis:[127.0.0.1]:10026
In amavisd.conf:
$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'SENDERBYPASS';
$policy_bank{'SENDERBYPASS'} = {
bypass_spam_checks_maps => [[qw( recip1@example.com recip2@example.com )]],
bypass_banned_checks_maps => [[qw( recip1@example.com recip2@example.com )]],
bypass_header_checks_maps => [[qw( recip1@example.com recip2@example.com )]],
};
|
Index
7. Allow particular senders to bypass scanning - but in a somewhat more secure manner.
Read
http://www.postfix.org/RESTRICTION_CLASS_README.html.
With this setup we will say: Allow the clients at 10.0.0.13 and 10.0.0.14 to bypass
checks, but only if mail sent from those clients is from joe@example.org or
tom@example.org and the recipient(s) is (are) either recip1@example.net and/or
recip2@example.net. You can use networks instead of clients if absolutely
necessary.
smtpd_restriction_classes = from_policy_bank_senders
from_policy_bank_senders =
check_sender_access hash:/etc/postfix/policy_bank_senders, permit
smtpd_sender_restrictions =
[... possible other stuff ...]
check_client_access cidr:/etc/postfix/policy_bank_clients
contents of /etc/postfix/policy_bank_senders:
joe@example.org FILTER smtp-amavis:[127.0.0.1]:10027
tom@example.org FILTER smtp-amavis:[127.0.0.1]:10027
contents of /etc/postfix/policy_bank_clients:
10.0.0.13/32 from_policy_bank_senders
10.0.0.14/32 from_policy_bank_senders Create a policy bank in
amavisd.conf:
$inet_socket_port = [10024,10027];
$interface_policy{'10027'} = 'SENDERBYPASS';
$policy_bank{'SENDERBYPASS'} = {
bypass_spam_checks_maps => [[qw( recip1@example.net recip2@example.net )]],
bypass_banned_checks_maps => [[qw( recip1@example.net recip2@example.net )]],
bypass_header_checks_maps => [[qw( recip1@example.net recip2@example.net )]],
};Note that due to the needed permit
statement in check_sender_access, any messages from the clients '10.0.0.13' and '10.0.0.14' will bypass any
additional restrictions in smtpd_sender_restrictions (had there been any), so be very
careful with your placement - last is best. As you may notice, adding additional
clients/networks, senders and recipients will water down the security. If necessary
you can add additional smtpd_restriction_classes that include other unique
sender/network or sender/client pairs and additional policy banks but I'm not certain
how well this scales.
|
Index
8. Configure particular senders to use unique banned files settings.
If you use 2.3.0 or newer and your intent is to allow a particular sender
(or senders) to
send certain files that are blocked by the current settings in banned_filename_re,
you could first redefine the %banned_rules hash and include a complete custom
set of $banned_filename_re settings there. In addition, this hash necessarily includes the
'DEFAULT' set of banned_filename_re settings currently defined in
$banned_filename_re and is necessarily positioned
after the existing $banned_filename_re new_RE( ... ); setting. For example:
%banned_rules = (
'ALLOW_EXE' => new_RE(
[qr'.\.(exe|com)$'i => 0], # pass .exe and .com files
# block certain double extensions anywhere in the base name
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(vbs|pif|scr|cmd|cpl|bat)$'i, # banned extension - basic
qr'^\.(lha|cab|dll)$', # banned file(1) types
),
'DEFAULT' => $banned_filename_re,
);
Then add it to a policy bank:
$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'ALLOWEXE';
$policy_bank{'ALLOWEXE'} = {
banned_filename_maps => ['ALLOW_EXE'], # more permissive banning rules
};In main.cf:
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/amavis_allow_exe
The contents of /etc/postfix/amavis_allow_exe:
sender@example.net FILTER smtp-amavis:[127.0.0.1]:10026
Now, however, this sender may be able to send .exe files to anyone in any of your
domains, and of course as always, the sender can be spoofed. See the previous section
for a way to make this more secure by using Postfix' smtpd_restriction_classes.
|
Index
9. Configure particular recipients to bypass checks using amavisd-new @bypass_*_checks_maps.
Amavisd-new new uses @bypass_*_checks_maps static maps as a way to bypass checks for
listed recipients/domains. SQL and LDAP lookups have similar settings. However,
because multiple recipients may be involved, if one of those recipients
disagrees that a scan should be bypassed, the scan will occur. Listing a
recipient/domain in a @bypass maps does not guarantee delivery of the message.
To work around this issue it is also necessary to place those recipients/domains
in complimentary @*_lovers_maps. Let's take an example where you have one domain that is
currently listed in a @spam_lovers_maps:
@spam_lovers_maps = ( ['.example.com', ], );
Now we have example.net that wants to bypass all checks except virus checks. There
is also one recipient at example.com that wants the same thing:
@bypass_spam_checks_maps
= @bypass_banned_checks_maps
= @bypass_header_checks_maps
= @banned_files_lovers_maps
= @bad_header_lovers_maps = ( ['.example.net', 'user1@example.com'], );
@spam_lovers_maps = ( ['.example.net', 'user1@example.com'], );
Notice how I saved typing by assigning maps to other maps. Also
note that if mail is scanned and then passed, depending
on the spam_kill_level for a given recipient, a copy of the message may still get
quarantined (as well as passed). To prevent this additional useless step it might be
a good idea to set spam_kill_level to a high level. For example, if using static maps:
$sa_kill_level_deflt = 8.00;
@spam_kill_level_maps = (
{ '.example.net' => 9999,
'user1@example.com' => 9999 },
\$sa_kill_level_deflt, # catchall default
);
|
Index
10. Allow SASL authenticated users to bypass scanning. Typically SASL users
already submit messages to the submission port (587) or the smtps port (465):
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,rejectIf that is the
case, it is simple to override the content_filter and (optionally) use a policy bank (to at least
perform virus checks):
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026Create
a policy bank in amavisd.conf:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'SASLBYPASS';
$policy_bank{'SASLBYPASS'} = { # mail from submission and smtps ports
originating => 1, # Since amavisd-new 2.5.0
# declare that mail was submitted by our smtp client
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};
If for some reason SASL users connect to port 25, as an alternate method
you could have all clients in Postfix' $mynetworks and SASL auth senders bypass checks
and let everything else fall through
to a catchall that sets the content_filter. Since
clients in $mynetworks will (optionally) use the policy bank, be careful if you are behind
a gateway whose IP address is included in
$mynetworks (and the gateway acts as a proxy in such a way that mail appears to
come from the IP address of the gateway). While using the same policy bank
above, in main.cf:
content_filter = smtp-amavis:[127.0.0.1]:10026
smtpd_data_restrictions =
reject_unauth_pipelining
permit_mynetworks
permit_sasl_authenticated
check_client_access regexp:/etc/postfix/filter-catchall.regexp
With the contents of /etc/postfix/filter-catchall.regexp:
/^/ FILTER smtp-amavis:[127.0.0.1]:10024
If necessary, you could exclude certain SASL or $mynetworks clients from
the policy bank by creating another access map (here I place it in
smtpd_sender_restrictions):
smtpd_sender_restrictions =
check_client_access hash:/etc/postfix/use_normal_amavis
# contents of /etc/postfix/use_normal_amavis:
192.168.1.13 FILTER smtp-amavis:[127.0.0.1]:10024
The main drawback to this whole approach is you have to be very careful about
adding any access lists or restrictions in smtpd_data_restrictions that OK/PERMIT
something/someone prior to "check_sender_access regexp:/etc/postfix/filter-catchall.regexp"
because they would use the more permissive default policy bank (or optionally use no
content_filter at all). The order of any access lists
would be critical and testing would be in order. This approach uses 'permit then deny'
as opposed to 'deny then permit'.
Another possibility. If you are using Postfix 2.3.x, and SpamAssassin 3.1.4 or newer, you can
use this to reduce the spam score for SASL auth messages; this is from:
http://wiki.apache.org/spamassassin/DynablockIssues.
Postfix quick fix: Get latest versions of Postfix (at least 2.3.0) and SpamAssassin
(at least 3.1.4). Add 'smtpd_sasl_authenticated_header = yes' to the Postfix
main.cf. With that set, SpamAssassin should catch such authenticated
emails as ALL_TRUSTED, bypassing possible SPF and RBL problems.
Make sure your trust path is set up correctly. For example:
# explicitly set our internal_networks (might be the same or similar to mynetworks)
clear_internal_networks
internal_networks 127/8
internal_networks 333.333.333.333/24
internal_networks 10.10.10.10/24
# add the same to trusted_networks,
# and possibly other computers/networks whose mail we trust
clear_trusted_networks
trusted_networks 127/8
trusted_networks 333.333.333.333/24
trusted_networks 10.10.10.10/24
http://marc.theaimsgroup.com/?l=spamassassin-users&m=115112073816917
http://wiki.apache.org/spamassassin/TrustPath
Here is also another way to reduce the spam score for SASL auth users that can be used
with Postfix version 2.1 or newer. This should add a 'X-SMTP-Auth: no'
header to all messages except authenticated. The SpamAssassin rule then adds -10
points if this header is missing:
# In main.cf:
smtpd_data_restrictions =
reject_unauth_pipelining
permit_sasl_authenticated
check_client_access regexp:/etc/postfix/add_auth_header.regexp
# In /etc/postfix/add_auth_header.regexp:
/^/ PREPEND X-SMTP-Auth: no
# In SpamAssassin's local.cf:
header __NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/m
meta SMTP_AUTH !__NO_SMTP_AUTH
describe SMTP_AUTH Message sent using SMTP Authentication
tflags SMTP_AUTH nice
score SMTP_AUTH -10
I suggest you do not use X-SMTP-Auth literally.
I would obscure this by using a X-something-else header name of your choice,
and if you have more than one machine, I suggest using something different on each.
In order to prevent confusion (the header would end up getting written again after the
message was processed by amavisd-new),
you should override smtpd_data_restrictions on the amavisd-new
reinjection port. In master.cf add
-o smtpd_data_restrictions=
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_data_restrictions=
[other typical amavisd-new reinjection port overrides]
Credit for this one goes to Bill Boebel and Viktor.
|
Index
11. Bypass checks for internally generated mail (mail picked up by the 'pickup' daemon -
this type of mail is dropped into the maildrop queue by programs such
as mail, mailx and sendmail via the Postfix compatible sendmail command).
With the way I worded that, this may be obvious. Simply override the content_filter for the pickup service
in master.cf. Note that doing so is not always appropriate. You may have
local users or a web form using the sendmail command to deliver mail to the outside
world. It may not be a good idea to allow this mail to pass unchecked, so I
also illustrate using a more permissive policy bank to check this mail.
pickup fifo n - n 60 1 pickup
-o content_filter=
If you would like to still perform virus checks (for example):
pickup fifo n - n 60 1 pickup
-o content_filter=smtp-amavis:[127.0.0.1]:10026 Create a policy bank
in amavisd.conf:
# change this from the original setting
$inet_socket_port = [10024, 10026];
# add these
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
originating => 1, # Since amavisd-new 2.5.0
# declare that mail was submitted by our smtp client
bypass_spam_checks_maps => [1], # don't spam-check this mail
bypass_banned_checks_maps => [1], # don't banned-check this mail
bypass_header_checks_maps => [1], # don't header-check this mail
};
Or continue normal scanning, yet be more permissive:
$interface_policy{'10026'} = 'PERMISSIVE';
$policy_bank{'PERMISSIVE'} = { # mail from the pickup daemon
originating => 1, # declare that mail was submitted by our smtp client
spam_kill_level_maps => [9.0], # more permissive spam kill level
};
Note: In the first example we had to override the content_filter because we
set a content_filter in main.cf. An alternative would be to instead set the content_filter
in master.cf (override the content filter for the smtpd daemon). Doing so confines the
setting to messages received via the smtpd daemon (or daemons if required):
smtp inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
|
Index
12. Bypass amavisd-new by using two copies of Postfix and transport maps.
Initially this is the most difficult to construct method of bypassing amavisd-new
but provides the most control and may offer
other benefits not discussed here. What I document here is not
the complete solution. Because of the many ways Postfix can be configured, I'm sure you
will have a number of additional issues when you set this up, one of which is
carefully controlling access to the second IP address.
Having only tested this for
a short time myself, it's possible there are better ways to configure this. You would be
wise to make a backup of your current settings, and even more wise to test on a
non-production box. I do not document how to create a second copy of Postfix, you
will have to look elsewhere for that. Here is a start:
http://www.advosys.ca/papers/postfix-instance.html
http://archives.neohapsis.com/archives/postfix/2005-12/0695.html
http://archives.neohapsis.com/archives/postfix/2006-03/0977.html
http://souptonuts.sourceforge.net/postfix_sbr.html
1.2.3.11 1.2.3.22
Internet-> postfix1-----> postfix2 --> to local or nexthop server
\ -----> /
amavisd-new We will use the example where each instance of
Postfix has its own IP address (but keep in mind you could instead set
the second copy of Postfix up on a different port).
We disable the content_filter directive (everywhere)
and instead direct mail to amavisd-new via the transport table. You may still wish
to use the FILTER directive for certain clients and/or senders to send messages to
an amavisd-new policy bank as described many times in previous examples. If you want
mail addressed to example.com or ted@example.net to bypass amavisd-new, you
could create entries in the transport table for the postfix1 instance that read:
example.com relay:[1.2.3.22]
ted@example.net relay:[1.2.3.22]
or you could alternately relay the messages directly to the next hop server (or
deliver locally) but this may add unnecessary complexity.
If you want to send mail to amavisd-new, you would also use the transport table
for postfix1:
example.org smtp-amavis:[127.0.0.1]:10024
example.net smtp-amavis:[127.0.0.1]:10024
The postfix2 transport table may possibly remain unchanged.
Since amavisd-new will not return mail to the same instance of Postfix, a change
in amavisd.conf would be needed:
$forward_method = 'smtp:1.2.3.22:10025';# we send mail to postfix2 after processing
#$notify_method = $forward_method; # notifications go to the same place
In /etc/postfix/master.cf you disable the reinjection port:
#127.0.0.1:10025 inet n - n - - smtpd
# -o content_filter=
# [ ... other overrides...]
# -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
and in /etc/postfix2/master.cf you change the IP address and mynetworks of
the reinjection port:
1.2.3.22:10025 inet n - n - - smtpd
-o content_filter=
[ ... other overrides...]
-o mynetworks=127.0.0.0/8,1.2.3.11,1.2.3.22
-o smtpd_recipient_restrictions=permit_mynetworks,reject
[ ... other overrides...]
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
and comment out the smtp-amavis transport:
#smtp-amavis unix - - n - 2 smtp
# -o smtp_data_done_timeout=1200
# -o smtp_send_xforward_command=yes
# -o disable_dns_lookups=yes
# -o max_use=20
In /etc/postfix/main.cf you no longer use the amavis content_filter and you may need to reconfigure inet_interfaces:
#content_filter = ....
inet_interfaces = 1.2.3.11 127.0.0.1
In /etc/postfix2/main.cf you no longer use the amavis content_filter and you may need to reconfigure inet_interfaces:
#content_filter = ....
inet_interfaces = postfix2.example.com
myhostname = postfix2.example.com
|
|