Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Whitelisting by IP address
370 views
Skip to first unread message
Tom Johnson
Mar 9, 2016, 10:43:00 AM3/9/16
to
We have some customers who need to whitelist email for their domain based on the sender's IP address.
I don't want to set up custom policy banks for them (we have hundreds of domains, which have different needs and requirements), and I can't add it to a general spamassassin whitelist_from_rcvd setting, since not all customers are going to want that stuff whitelisted. We use sa_userpref's right now, but it's really slow to switch spamassassin contexts, and for this one use, just doesn't seem worth it.
The ideal would be to have it work with the standard wblist feature (we use sql).
Are there any plans to add whitelisting by IP address to the regular wblist feature? Or is this something we're going to have add on our own via a custom hook?
Thanks-
Tom
I don't want to set up custom policy banks for them (we have hundreds of domains, which have different needs and requirements), and I can't add it to a general spamassassin whitelist_from_rcvd setting, since not all customers are going to want that stuff whitelisted. We use sa_userpref's right now, but it's really slow to switch spamassassin contexts, and for this one use, just doesn't seem worth it.
The ideal would be to have it work with the standard wblist feature (we use sql).
Are there any plans to add whitelisting by IP address to the regular wblist feature? Or is this something we're going to have add on our own via a custom hook?
Thanks-
Tom
Robert Schetterer
Mar 9, 2016, 12:01:37 PM3/9/16
to
but in spamassassin something like
https://wiki.apache.org/spamassassin/UsingSQL
username | preference | value |
+------------------+-------------------------+------------------------+
| $GLOBAL | required_hits | 4.00 |
| $GLOBAL | subject_tag | [SPAM-_HITS_]- |
| $GLOBAL | score USER_IN_WHITELIST | -10 |
| $GLOBAL | whitelist_from | *@sonicwall.com
should work
i think in amavis sql exists some equal
but it might be a better idea to use an own build rbl
with latest patches from Patrick
https://groups.google.com/forum/#!topic/mailing.unix.amavis-user/K_LufqxEBKk
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Benny Pedersen
Mar 9, 2016, 12:20:46 PM3/9/16
to
So foo-user trusted_networks 8.8.8.8 in sql user prefs, untested
Note whitelist_from is a joke
Note whitelist_from is a joke
J. Echter
Mar 9, 2016, 2:15:16 PM3/9/16
to
Am 09.03.2016 um 18:11 schrieb Benny Pedersen:
> So foo-user trusted_networks 8.8.8.8 in sql user prefs, untested
>
> Note whitelist_from is a joke
i'd also go for trusted_networks in local.cf of spamassassin.
> So foo-user trusted_networks 8.8.8.8 in sql user prefs, untested
>
> Note whitelist_from is a joke
Is greylisting also a problem?
Benny Pedersen
Mar 9, 2016, 2:28:20 PM3/9/16
to
On 9. mar. 2016 20.15.41 "J. Echter" <j.ec...@echter-kuechen-elektro.de>
wrote:
>> So foo-user trusted_networks 8.8.8.8 in sql user prefs, untested
>> Note whitelist_from is a joke
> i'd also go for trusted_networks in local.cf of spamassassin.
> Is greylisting also a problem?
Yes trusted must be global in mta stage to be usefull for pr user in
spamassassin, so sync ips, dont use it in local.cf where its global, i hope
its possible to use trusted pr recipient, so do it in sql pr user
wrote:
>> So foo-user trusted_networks 8.8.8.8 in sql user prefs, untested
>> Note whitelist_from is a joke
> i'd also go for trusted_networks in local.cf of spamassassin.
> Is greylisting also a problem?
spamassassin, so sync ips, dont use it in local.cf where its global, i hope
its possible to use trusted pr recipient, so do it in sql pr user
Tom Johnson
Mar 9, 2016, 2:30:41 PM3/9/16
to
I'm sorry if I wasn't clear - adding to trusted_networks is not an option. Different users have different needs. One person might want x.x.x.x whitelisted, but another may not.
I'm currently using the sa_userconf feature in amavisd to do this, but it really hurts performance. From the amavisd-new release notes:
Each time that currently loaded configuration needs to be replaced by another or restored to a systemwide default, an initial SpamAssassin configuration is restored through SpamAssassin's copy_config() method. Note that saving an original SpamAssassin configuration, loading a user configuration, and restoring to the original configuration does not come cheap: it can take 200 ms for a load and restore, and 370 ms for the initial saving of the configuration (saving is only done once per child process, and only if needed). Saved configuration can occupy additional 2 MB of virtual memory, so use the feature sparingly. No penalty occurs until a child process does its first loading of a user configuration, so rarely activated or inactive policy banks or per-recipient setting using this feature do not cause any additional processing or occupy additional memory.
I'm trying to avoid this performance hit.
Robert Schetterer
Mar 9, 2016, 3:35:23 PM3/9/16
to
Am 09.03.2016 um 20:27 schrieb Tom Johnson:
> I'm sorry if I wasn't clear - adding to trusted_networks is not an
> option. Different users have different needs. One person might want
> x.x.x.x whitelisted, but another may not.
perhaps you like
> I'm sorry if I wasn't clear - adding to trusted_networks is not an
> option. Different users have different needs. One person might want
> x.x.x.x whitelisted, but another may not.
http://wiki.policyd.org/policies
http://wiki.policyd.org/amavis
>
> I'm currently using the sa_userconf feature in amavisd to do this, but
> it really hurts performance. From the amavisd-new release notes:
>
>> Each time that currently loaded configuration needs to be replaced by
>> another or restored to a systemwide default, an initial SpamAssassin
>> configuration is restored through SpamAssassin's copy_config() method.
>> Note that saving an original SpamAssassin configuration, loading a
>> user configuration, and restoring to the original configuration does
>> not come cheap: it can take 200 ms for a load and restore, and 370 ms
>> for the initial saving of the configuration (saving is only done once
>> per child process, and only if needed). Saved configuration can occupy
>> additional 2 MB of virtual memory, so use the feature sparingly. No
>> penalty occurs until a child process does its first loading of a user
>> configuration, so rarely activated or inactive policy banks or
>> per-recipient setting using this feature do not cause any additional
>> processing or occupy additional memory.
>
> I'm trying to avoid this performance hit.
>
>
Indunil Jayasooriya
Mar 9, 2016, 10:12:27 PM3/9/16
to
On Thu, Mar 10, 2016 at 12:57 AM, Tom Johnson <t...@terramar.net> wrote:
I'm sorry if I wasn't clear - adding to trusted_networks is not an option. Different users have different needs. One person might want x.x.x.x whitelisted, but another may not.
Why don't you need to whitelist or blacklist domains per user basis in following way in amavisd.conf file
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
'us...@example.com' => [{'bla-mobi...@example.com' => 10.0}],
'us...@example.com' => [{'.ebay.com' => -3.0}],
'us...@example.com' => [{'clear...@cleargreen.com' => -7.0,
'.cleargreen.com' => -5.0}],
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
'us...@example.com' => [{'bla-mobi...@example.com' => 10.0}],
'us...@example.com' => [{'.ebay.com' => -3.0}],
'us...@example.com' => [{'clear...@cleargreen.com' => -7.0,
'.cleargreen.com' => -5.0}],
--
cat /etc/motd
Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Tom Johnson
Mar 9, 2016, 10:53:43 PM3/9/16
to
On Thu, Mar 10, 2016 at 12:57 AM, Tom Johnson <t...@terramar.net> wrote:I'm sorry if I wasn't clear - adding to trusted_networks is not an option. Different users have different needs. One person might want x.x.x.x whitelisted, but another may not.Why don't you need to whitelist or blacklist domains per user basis in following way in amavisd.conf file
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
We do whitelisting and blacklisting if senders (using sql).
But we also have some customers who need to whitelist everything coming from a given ip address.
Michael H
Mar 10, 2016, 5:53:28 AM3/10/16
to
On 10/03/16 03:53, Tom Johnson wrote:
>
>
> On Mar 9, 2016, at 7:11 PM, Indunil Jayasooriya <indu...@gmail.com
>
>
> On Mar 9, 2016, at 7:11 PM, Indunil Jayasooriya <indu...@gmail.com
This is on topic but not quite as the previous thread required.
I have amended my spamassassin/local.cf and added trusted_networks and
internal_networks with all of my IP addresses listed.
I have an alarm system that is emailing without a date field in the
headers, this email originates from an IP address in my trusted_networks
but is still being blocked by amavisd.
Could someone please tell me the correct way to whitelist IP addresses
so that it is applied to amavisd as well as spamassassin?
thanks
Michael
Michael H
Mar 10, 2016, 6:03:17 AM3/10/16
to
cat /etc/amavisd/amavis.conf
[...]
@mynetworks = qw( 127.0.0.0/8 [::1]
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
XXX.XXX.XXX.XXX/32
);
# allow all mail from local IPs:
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail
};
[...]
cat /etc/mail/spamassassin/local.cf
[...]
required_hits 6
report_safe 0
rewrite_header Subject [SPAM]
internal_networks [IP's of my MX's]
trusted_networks [lots of ip addresses]
[...]
The IP address is in both of these files but the mail is still being
checked, what did I do wrong here?
thanks
Michael H
Mar 10, 2016, 7:00:16 AM3/10/16
to
Mar 10 11:57:54 mail1 amavis[22633]: (22633-07) Blocked BAD-HEADER-0
{BouncedInternal,Quarantined}, MYNETS LOCAL [XXX.XXX.XXX.XXX]:12001
[XXX.XXX.XXX.XXX] <us...@domain.com> -> <us...@domain.com>, quarantine:
badh-CgHOR2w6yANk, Queue-ID: 18EC6818E735, mail_id: CgHOR2w6yANk, Hits:
-, size: 461, 194 ms
Michael
Michael H
Mar 10, 2016, 8:45:28 AM3/10/16
to
Configuring like this fails;
# allow all mail from local IPs:
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail
};
adding these two lines solved it;
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail
};
># allow all mail from local IPs:
>$policy_bank{'MYNETS'} = { # clients in @mynetworks
os_fingerprint_method => undef, # don't query p0f
> bypass_spam_checks_maps => [1], # don't spam-check internal mail
> bypass_banned_checks_maps => [1], # don't banned-check internal mail
> bypass_header_checks_maps => [1], # don't header-check internal mail
>};
Michael
> bypass_banned_checks_maps => [1], # don't banned-check internal mail
> bypass_header_checks_maps => [1], # don't header-check internal mail
>};
Benny Pedersen
Mar 10, 2016, 9:55:59 AM3/10/16
to
set mynetworks in amavisd, equal to internal_networks in spamassassin
Michael H
Mar 11, 2016, 4:10:02 AM3/11/16
to
On 10/03/16 14:55, Benny Pedersen wrote:
> set mynetworks in amavisd, equal to internal_networks in spamassassin
>
Hi Benny,
> set mynetworks in amavisd, equal to internal_networks in spamassassin
>
I have done this and it appears to have solved the problem for my alarm
system.
I now have another issue; my mailserver generates a summary of posfix
logs using pflogsum.pl - this is sent from the same host I have amavisd
running on, mynetworks contains 127.0.0.0/8 which should whitelist the
email. it is still being spam checked and rejected, any suggestions?
thanks
Michael
Benny Pedersen
Mar 11, 2016, 12:03:04 PM3/11/16
to
set policy bank in amavisd for that reject with a highter spam reject
score, or solve it in spamassassin with shourcircuit based on no_relays, or
all_trusted, so spammasssin is not so agrasive for things in local networks
score, or solve it in spamassassin with shourcircuit based on no_relays, or
all_trusted, so spammasssin is not so agrasive for things in local networks
0 new messages