[AMaViS-user] bypass scanning outgoing mail

Peter Newall

Dec 9, 2005, 8:27:25 AM
We have amavis-new with Postfix/ClamAV/SA running as our secure mail gateway
and it works very well. We have an internal Linux mail server that only
talks to the amavis gateway box for security reasons. I now want to stop all
our outgoing mail being scanned as mail with password protected zips get
flagged as virus mails and quarantined. :(

Looking for a solution.

regards
Peter


Gary V

Dec 9, 2005, 12:43:09 PM
Peter wrote:

> We have amavis-new with Postfix/ClamAV/SA running as our secure mail gateway
> and it works very well. We have an internal Linux mail server that only
> talks to the amavis gateway box for security reasons. I now want to stop all
> our outgoing mail being scanned as mail with password protected zips get
> flagged as virus mails and quarantined. :(

> Looking for a solution.

> regards
> Peter
>

The best way is to use a policy bank. This way you can scan for
viruses but bypass everything else. You can use the MYNETS policy bank
or you can configure a check_client_access map in main.cf to send mail
to a different amavisd-new listening port and then configure a policy
bank for that port (among other methods).

You need to make sure you use smtp_send_xforward_command (or
lmtp_send_xforward_command if you use lmtp) here in master.cf:

smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

You need to use and configure @mynetworks in amavisd.conf:

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default

The network (or IP address) the sending server is on should be included
here, and at least the IP address of the sending server should also be
listed in mynetworks in main.cf.

Then, if you would like to use MYNETS:

$policy_bank{'MYNETS'} = {  # mail originating from @mynetworks
    bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
    bypass_banned_checks_maps => [1],  # don't banned-check internal mail
    final_spam_destiny        => D_PASS,
    final_banned_destiny      => D_PASS,
};

Another way is more specific:

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/amavis_internal
    permit_mynetworks
    reject_unauth_destination

contents of /etc/postfix/amavis_internal
(ip address of the internal server is listed here):
192.168.1.17 FILTER smtp-amavis:[127.0.0.1]:10026

Then in amavisd.conf:

$inet_socket_port = [10024, 10026];

$interface_policy{'10026'} = 'INTERNAL';

$policy_bank{'INTERNAL'} = {  # mail originating from the internal server
    bypass_spam_checks_maps   => [1],  # don't spam-check outgoing mail
    bypass_banned_checks_maps => [1],  # don't banned-check outgoing mail
    final_spam_destiny        => D_PASS,  # insure spam passes
    final_banned_destiny      => D_PASS,  # insure banned files pass
};


See more examples in amavisd.conf-sample and
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex


Gary V

M. Lewis

Dec 12, 2005, 12:51:08 AM

In the last few days, someone had written in and asked how to do this. I
believe the answer was from Gary. Gary gave two options for doing this.
I chose to do the latter of his two options. But it isn't working for
some reason.

The original thread is here:
http://marc.theaimsgroup.com/?l=amavis-user&m=113415019700881&w=2


I am getting this in the maillog when I try the second method:

Dec 12 00:40:57 moe postfix/smtpd[23856]: warning: access table hash:/etc/postfix/amavis_internal: with smtpd_proxy_filter specified, action FILTER is unavailable


Gary's second suggestion was this:


Another way is more specific:

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/amavis_internal
    permit_mynetworks
    reject_unauth_destination

contents of /etc/postfix/amavis_internal
(ip address of the internal server is listed here):
192.168.1.17 FILTER smtp-amavis:[127.0.0.1]:10026

Then in amavisd.conf:

$inet_socket_port = [10024, 10026];

$interface_policy{'10026'} = 'INTERNAL';

$policy_bank{'INTERNAL'} = {  # mail originating from the internal server
    bypass_spam_checks_maps   => [1],  # don't spam-check outgoing mail
    bypass_banned_checks_maps => [1],  # don't banned-check outgoing mail
    final_spam_destiny        => D_PASS,  # insure spam passes
    final_banned_destiny      => D_PASS,  # insure banned files pass
};

--

Profanity is the one language all programmers know best.
00:40:01 up 19:33, 5 users, load average: 0.24, 0.39, 0.33

Linux Registered User #241685 http://counter.li.org

Erik Petersen

Dec 12, 2005, 3:34:10 AM
Set up port 587 for this (aka submission) in master.cf:

smtp inet n - n - - smtpd
    -o content_filter=amavis:[127.0.0.1]:10024
    -o receive_override_options=no_address_mappings
    -o smtpd_client_restrictions=cidr:/etc/postfix/client.cidr

submission inet n - n - - smtpd
    -o content_filter=
    -o smtpd_etrn_restrictions=reject
    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o smtpd_sasl_auth_enable=yes

This way you have port 25 which does local SMTP delivery with RBL checks and
filtering (incoming) and port 587 which does no filtering but only from
clients connecting with SASL or those defined as local network hosts
(outgoing). Consider 587 your relay port. This also conveniently bypasses
SMTP port blocking by residential ISPs or corporate firewalls, allowing
authorized accounts to relay from anywhere. Splitting these two types of
traffic is not a bad idea.

HTH

--
Erik Petersen <er...@s2ki.com>
(760) 715-8519
S2K International
The International Honda S2000 Owners Community
http://www.s2ki.com
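
Added example (not part of the original thread or any poster's message): a small audit of master.cf that reports, for each smtpd listener, whether mail is filtered after-queue (content_filter), before-queue (smtpd_proxy_filter, where the log warning quoted earlier in the thread says the access-map FILTER action is unavailable), or not at all. It assumes the simple "-o name=value" override form and looks only at master.cf plus an optional dict of main.cf values; the sample input and the 2525 listener are constructed.

```python
# Constructed sample modelled on the master.cf fragments in this thread; the
# 2525 listener with smtpd_proxy_filter is hypothetical, added for contrast.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
    -o content_filter=amavis:[127.0.0.1]:10024
    -o receive_override_options=no_address_mappings
submission inet  n  -  n  -  -  smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
2525       inet  n  -  n  -  -  smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no settings
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(master_cf, main_cf=None):
    """Return {service: finding} for every inet smtpd listener."""
    main_cf = main_cf or {}
    report = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        params = dict(main_cf)  # per-service -o overrides replace main.cf values
        args = fields[8:]
        for flag, val in zip(args, args[1:]):
            if flag == "-o" and "=" in val:
                name, _, value = val.partition("=")
                params[name] = value
        if params.get("smtpd_proxy_filter"):
            report[fields[0]] = "before-queue filter; access-map FILTER unavailable"
        elif params.get("content_filter"):
            report[fields[0]] = "after-queue filter: " + params["content_filter"]
        else:
            report[fields[0]] = "UNFILTERED"
    return report

if __name__ == "__main__":
    for svc, finding in audit(SAMPLE_MASTER_CF).items():
        print(f"{svc:12} {finding}")
```

A listener reported as UNFILTERED can still have individual clients routed to amavisd-new by a FILTER action in an access map, which this check does not read.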

M. Lewis

Dec 12, 2005, 9:11:11 PM
Thanks Erik for the suggestion. If I understand correctly, you're
suggesting this as an alternative to what Gary V said.

I'm not using sasl, so I guess that would make it a little bit easier still.

Mike

--

IBM: Idiots Being Mental
21:05:01 up 4:14, 3 users, load average: 0.09, 0.10, 0.04

Linux Registered User #241685 http://counter.li.org
