[AMaViS-user] Policy bank setting

[swathi hk]

Hi,
Thank u in advance
I am trying to set policy bank setting for recipients. But not able to
retrive values from table policy.

changes made in amavisd.conf

$inet_socket_bind = '127.0.0.1';
$sa_tag2_level_deflt = 3.0;
$policy_bank{'AM.PDP-INET'} = {
protocol => 'AM.PDP', # Amavis policy delegation protocol
inet_acl => [qw( 127.0.0.1 [::1])] # restrict to these IP addresses
};
$interface_policy{'9998'} = 'AM.PDP-INET';
$sql_select_policy = 'SELECT *,users.id FROM users,policy'.
' WHERE (users.policyid=policy.id) AND (users.email IN (%k))';

As i am just checking this for $sa_tag2_level_deflt for one user
ma...@example.com entries lin policy looks like this.
*Table policy*
+------+-----------------------+-------------------------------
| id | spam_tag2_level | spam_quarantine_to |
+------+------------------------+------------------------------+
| 1 | 9 | spam_quarantine |
+------+------------------------+-------------------------------+

*Table users
*
+----+----------+------------------------------
| id | policyid | email |
+----+----------+------------------------------+
| 8 | 1 | ma...@example.com |
+----+----------+----------------------------+

Whenever mail is sent to ma...@example.com subject must be tagged with
*******spam******** only if spam score is above 9. But that is not
happening. Its taking default value($sa_tag2_level_deflt = 3.0;) only. How
to solve this problem. Waiting........

-with regards
Manthra
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

[Daniel Luttermann]

manth...@gmail.com wrote:

> Hi,
> Thank u in advance
> I am trying to set policy bank setting for recipients. But not able to
> retrive values from table policy.

> changes made in amavisd.conf

> $inet_socket_bind = '127.0.0.1';
> $sa_tag2_level_deflt = 3.0;
> $policy_bank{'AM.PDP-INET'} = {
> protocol => 'AM.PDP', # Amavis policy delegation protocol
> inet_acl => [qw( 127.0.0.1 [::1])] # restrict to these IP addresses
> };
> $interface_policy{'9998'} = 'AM.PDP-INET';
> $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
> ' WHERE (users.policyid=policy.id) AND (users.email IN (%k))';

have you set the correct values for the mysql connect like

@lookup_sql_dsn =
( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1']);

in amavisd.conf?

If you've set the correct values you can also increase the log level
to get more informations.

A setting of "$log_level = 3;" in amavisd.conf should be verbose
enough to see the sql select queries or any errors.

The above policy bank settings $policy_bank{'AM.PDP-INET'} from your
current config does not control the per recipient spam levels.
For more informations about policy banks see:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks

> As i am just checking this for $sa_tag2_level_deflt for one user
> ma...@example.com entries lin policy looks like this.
> *Table policy*
> +------+-----------------------+-------------------------------
> | id | spam_tag2_level | spam_quarantine_to |
> +------+------------------------+------------------------------+
> | 1 | 9 | spam_quarantine |
> +------+------------------------+-------------------------------+

> *Table users
> *
> +----+----------+------------------------------
> | id | policyid | email |
> +----+----------+------------------------------+
> | 8 | 1 | ma...@example.com |
> +----+----------+----------------------------+

> Whenever mail is sent to ma...@example.com subject must be tagged with
> *******spam******** only if spam score is above 9. But that is not
> happening. Its taking default value($sa_tag2_level_deflt = 3.0;) only. How
> to solve this problem. Waiting........

Looks good so please check if your sql connect is working correctly.

Daniel

[Michael Scheidell]

swathi hk wrote:
> Hi,
> Thank u in advance
> I am trying to set policy bank setting for recipients. But not able to
> retrive values from table policy.
>
>

I don't think you can have SQL based per-recipient settings in a policy
bank.
you either use SQL based settings OR a policy bank.

usually you use sql settings for the default INCOMING (no policy), and a
policy bank for 'clients' or 'mynets'.

in the policy bank, you would need to use hard coded values.

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

[Mark Martinec]

Michael wrote:
> I don't think you can have SQL based per-recipient settings in a policy
> bank. you either use SQL based settings OR a policy bank.

Actually you can. The associative array %sql_clause is a member of
policy banks, so you can tweak SQL clauses based on which policy bank
is loaded.

Mind that this has nothing to do with the original question from Manthra,
which only needs SQL lookups, not policy banks (which are just a distraction
in that posting).

> usually you use sql settings for the default INCOMING (no policy), and a
> policy bank for 'clients' or 'mynets'.

Policy banks affects message as a whole, and as such can not be per-recipient
(as a mail message can have more than one recipient). So it only makes
sense to base policy bank loading on common attributes of a message,
like TCP port number, IP address of a SMTP client, a sender address,
valid DKIM signatures in the message etc.

Per-recipient settings are a different breed, they use a lookups mechanism:
the *_maps settings, including their implied SQL and LDAP lookups.

It is an unfortunate historical incident causing confusion that one of the
SQL tables is named 'policy' - it has nothing to do with policy banks.

Mark

[Martin Foster]

Hello List,

I'm looking at using policy banks to load a bunch of default settings
for a class of recipient, then to fine-tune the settings (eg:
spamassassin levels) with ldap lookups. This seems relevant to this
month old thread, so I'll continue from there.

I have postfix selecting the policy to apply, which routes the message
to the desired interface policy.

Once the message is picked up by the policy bank, I find that
parameters such as sa_kill_level_deflt aren't used.

My questions: is it possible with amavisd-new to load defaults, such
as SA tag levels, spam & quarantine actions per policy bank, then
override these with per-recipient ldap lookups? I haven't looked at
policyd_v2 integration, but the docs suggest this could be another way
to accomplish this without hacking amavis code.

From Mark's message, it would suggest that the design decision is:
- yes, for parameters that aren't recipient-dependent (eg,
av_scanners, spam_scanners - which works fine btw)
- no, for parameters that are believed to be per-recipient,
sa_kill_level_deflt. I can overcome the multiple recipient problem by
splitting multi-recipient messages and processing them one recipient
at a time, eg with postfix using "destination_recipient_limit = 1".

some configuration bits follow to explain where I'm coming from:
-------------- CONFIG ONLY BELOW --------------

postfix: choose filter / policy bank, an ldap lookup:
....main.cf...
smtpd_recipient_restrictions =
check_recipient_access proxy:ldap:/etc/postfix/ldap/
policybank_FIXED_AVAS_NOQUARANTINE.cf,
check_recipient_access proxy:ldap:/etc/postfix/ldap/
policybank_ANOTER_ONE.cf,
check_recipient_access proxy:ldap:/etc/postfix/ldap/
policybank_ANOTER_TWO.cf,
permit_mynetworks,
reject_unauth_destination
....

an "amavis" transport is defined in postfix/master.cf, LMTP protocol
to a unix socket (standard stuff):
...
amavis unix - - n - 2
lmtp
-o disable_dns_lookups=yes
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o max_use=20
...

ldap lookup, policy bank selected == ldap mailClass attr. of course,
for all things that I'm using LDAP for, other could use SQL... files/
hashes.
check_recipient_access proxy:ldap:/etc/postfix/ldap/
policybank_FIXED_AVAS_NOQUARANTINE.cf. using my own schema (can be
many inbound mailAddress, only one destination mailbox keyed on
uid).

The idea is that if the recipient address matches, and has
mailClass=FIXED_AVAS_NOQUARANTINE, we push the message to that policy
bank.
....
server_host = ldap://server1, ldap://server2
search_base = o=stuff
query_filter = (&(mailClass=FIXED_AVAS_NOQUARANTINE)(mailAddress=%s))
result_attribute = uid
result_format = FILTER amavis:[127.0.0.1]:10031
result_scope = sub
bind = no
version = 3
destination_recipient_limit = 1

...

there are similar lookups for other policy banks, that would forward
to different ports. it works well.

amavis then picks it up and... in amavisd.conf (or a file included
from there):

$interface_policy{'10031'} = 'FIXED_AVAS_NOQUARANTINE';
$policy_bank{'FIXED_AVAS_NOQUARANTINE'} = {

# this works

# anti-virus: scanners to use
av_scanners => [
['ClamAV-clamd', #
Clam AV
\&ask_daemon, ["CONTSCAN {}\n", "127.0.0.1:3310"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
],

# this fails/has no effect.
sa_tag_level_deflt => 0.0,
sa_tag2_level_deflt => 9.0,
sa_kill_level_deflt => 9.0,
spam_quarantine_to => undef,

# there's more of course, examples suffice
};

as suggested by Mark, the per-recipient bits are ignored. from the
logs:
amavis[4512]: Net::Server: 2009/12/16-06:12:27 CONNECT TCP Peer:
"127.0.0.1:33081" Local: "127.0.0.1:10031"
amavis[4512]: loaded base policy bank
amavis[4512]: (!)loading policy bank "FIXED_AVAS_NOQUARANTINE":
unknown field "sa_kill_level_deflt"
amavis[4512]: (!)loading policy bank "FIXED_AVAS_NOQUARANTINE":
unknown field "sa_tag_level_deflt"
amavis[4512]: (!)loading policy bank "FIXED_AVAS_NOQUARANTINE":
unknown field "spam_quarantine_to"
amavis[4512]: (!)loading policy bank "FIXED_AVAS_NOQUARANTINE":
unknown field "sa_tag2_level_deflt"
amavis[4512]: loaded policy bank "FIXED_AVAS_NOQUARANTINE"

Thanks,

-Martin

> AMaViS-u...@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/amavis-user

[Martin Foster]

I have answered my own question by reading the code, and smartening up
about the new map-based dynamic_confvars that replace the
legacy_confvars.

Short answer:
maps can be overriden in policy banks, use them instead, which is
something we should be doing anyways but I had failed to read that
part.

Long answer:

default amavis config, with legacy var:
$sa_tag_level_deflt = 2.0

since $sa_tag_level_deflt is now part of @spam_tag_level_maps, in the
policy bank do this:

$policy_bank{'FIXED_AVAS_NOQUARANTINE'} = {

@spam_tag_level_maps = [ 0.0 ],

... usually, more maps/vars here ...

};

the policy bank will then trigger & load without errors, from logs:
amavis[22883]: Net::Server: 2009/12/16-16:42:53 CONNECT TCP Peer:
"127.0.0.1:49058" Local: "127.0.0.1:10031"
amavis[22883]: loaded base policy bank
amavis[22883]: loaded policy bank "FIXED_AVAS_NOQUARANTINE"
amavis[22883]: lookup_ip_acl (inet_acl): key="127.0.0.1" matches
"127.0.0.1", result=1

and the debug will show the new value of 0 being read:

amavis[22883]: (22883-01) lookup: (scalar) matches, result="0"
amavis[22883]: (22883-01) lookup => false, "te...@domain1.test"
matches, result="0", matching_key="(constant:0)"

success!