bypass Amavisd

bypass Amavisd-new filters

-----

How to bypass amavisd for some senders?

solved like this:

1) I created the file /etc/amavisd/whitelist

where I inserted the addresses of the senders that I wanted to whitelist, one per line.

it works also for whole domains (but without the @)

Example:

user1@example.com user2@example.org example.net example.eu

2) in /etc/amavisd/amavisd.conf I decommented AND modified the following section:

# This policy will perform virus checks only. read_hash(\%whitelist_sender, '/etc/amavisd/whitelist'); @whitelist_sender_maps = (\%whitelist_sender);  $interface_policy{'10026'} = 'VIRUSONLY'; $policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon     bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail     bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail     bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail };

Checked the logs and the headers of the messages... it works perfectly! 

            

######faruq

     12 # @bypass_virus_checks_maps = (1);  # controls running of anti-virus code

     13 # @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code

     16 ######faruq

 @bypass_virus_checks_maps = ([qw(junkmail@worldcm.net)]);

 @bypass_spam_checks_maps = ([qw(junkmail@worldcm.net)]);

 @bypass_banned_checks_maps = ([qw(junkmail@worldcm.net)]);

#################################################

Don't do virus and spam checks for outgoing email

#  vi /etc/amavisd/amavisd.conf

@local_domains_maps = ( [".$mydomain"] ); # list of all local domains

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10

                          10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 203.76.150.162/32 );

$policy_bank{'MYNETS'} = { # mail originating from @mynetworks

           originating => 1, # is true in MYNETS by default, but let's make it explicit

           os_fingerprint_method => undef, # don't query p0f for internal clients

           # don't perform spam/virus/header check.

           bypass_spam_checks_maps => [1],

           bypass_virus_checks_maps => [1],

           bypass_header_checks_maps => [1],

};

#####

systemctl restart amavisd

Amavis bypass scanning from localhost

1. Allow clients on my internal network to bypass scanning by using the 'MYNETS' policy bank. You can use the built in 'MYNETS' policy bank to allow clients included in $mynetworks. Let's assume you allow all (or most) clients on your internal network to send outbound mail through your spamfilter. The IP addresses of these clients are included in 

Postfix' $mynetworks in main.cf:

mynetworks = 127.0.0.0/8 !192.168.1.1 192.168.1.0/24 

In amavisd.conf @mynetworks determines which clients will use the 'MYNETS' policy bank:

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10                   !192.168.1.1 192.168.1.0/24 );

And you would configure the 'MYNETS' policy bank as desired:

$policy_bank{'MYNETS'} = {  # clients in @mynetworks   bypass_spam_checks_maps   => [1],  # don't spam-check internal mail   bypass_banned_checks_maps => [1],  # don't banned-check internal mail   bypass_header_checks_maps => [1],  # don't header-check internal mail   };

When using the "MYNETS' policy bank, you must use *_send_xforward_command in master.cf:

smtp-amavis unix    -    -    n    -    2    smtp     -o smtp_data_done_timeout=1200     -o smtp_send_xforward_command=yes     -o disable_dns_lookups=yes     -o max_use=20

(or)

lmtp-amavis unix    -    -    n    -    2    lmtp     -o lmtp_data_done_timeout=1200     -o lmtp_send_xforward_command=yes     -o disable_dns_lookups=yes     -o max_use=20

This enables forwarding of the client's IP address to amavisd-new.

Disable spam virus scanning for outgoing mails

To disable spam/virus scanning for outgoing mails, you can add bypass settings in Amavisd config file: /etc/amavisd/amavisd.conf (RHEL/CentOS) or /etc/amavis/conf.d/50-user (Debian/Ubuntu) or /usr/local/etc/amavisd.conf (FreeBSD).

These settings can be added in setting block $policy_bank{'ORIGINATING'}:

$policy_bank{'ORIGINATING'} = {     [...OMIT OTHER SETTINGS HERE...]      # don't perform spam/virus/header check.     bypass_spam_checks_maps => [1],     bypass_virus_checks_maps => [1],     bypass_header_checks_maps => [1],      # allow sending any file names and types     bypass_banned_checks_maps => [1], }

Restarting Amavisd service is required after changing settings.

### BYPASS LOCAL EMAILS ##@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10                  192.168.0.11/16                 );  $policy_bank{'MYNETS'} = {  # mail originating from @mynetworks   bypass_spam_checks_maps      => [1],  # don't spam-check internal mail   bypass_banned_checks_maps    => [1],  # don't banned-check internal mail   final_spam_destiny           => D_PASS,   final_banned_destiny         => D_PASS,   bypass_virus_checks_maps     => [1],   bypass_header_checks_maps    => [1],   final_virus_destiny          => D_PASS, };

                            ---------------xxxxxxxxxxxxx--------------------------

postfix bypass amavis completely for specific domains

down vote

I think it is easier to do the following:

Include in /etc/postfix/main.cf

smtpd_recipient_restrictions = #     check_sender_access hash:/etc/postfix/exempt_senders,     check_policy_service inet:127.0.0.1:10023,

The file /etc/postfix/exempt/senders contains:

someone@somedomain.com FILTER smtp:[127.0.0.1]:10025 anotherdomain.com FILTER smtp:[127.0.0.1]:10025

then a

postmap /etc/postfix/exempt_senders

reload or restart postfix

or

i added the following line to /etc/postfix/main.cf

header_checks = pcre:/etc/postfix/whitelist.pcre

and in the /etc/postfix/whitelist.pcre file i have a single line

info@xxxxxxxxx.yyy FILTER  SMTP:[127.0.0.1]:10025

where SMTP:[127.0.0.1]:10025 is (AT LEAST I THINK IT IS!) the transport everything returns to after amavis, so emails are delivered. 

1

down vote

See man 5 pcre_table especially in TABLE FORMAT section. Also, check man 5 header_checks to get right behavior of header_checks feature.

Your PCRE syntax is wrong. It should wrapped in /.../. And you must escape some special characters. For example

/info@example\.com/ FILTER  smtp:[127.0.0.1]:10025

-------------------------------------------------------------------------------------------------------------------------

  In /etc/postfix/main.cf

mynetworks = 127.0.0.0/8

In /etc/amavis/conf.d/50-user (You can also create a separate policy file such as 40-policy)

@mynetworks = qw( 127.0.0.0/8);   $policy_bank{'MYNETS'} = {    bypass_spam_checks_maps   => [1],    bypass_banned_checks_maps => [1],    bypass_header_checks_maps => [1],  };

Modify /etc/postfix/master.cf as below

smtp-amavis unix    -    -    n    -    2    smtp     -o smtp_data_done_timeout=1200     -o smtp_send_xforward_command=yes     -o disable_dns_lookups=yes     -o max_use=20

Don’t forget to reload/restart postfix after doing this. Also reload amavis.

------------------------------------------

----------------------------------XXXXXXXXXXXXXXXX_----------------------------------------

make postfix bypass amavis completely for specific domains

down vote

I think it is easier to do the following:

Include in /etc/postfix/main.cf

smtpd_recipient_restrictions = #     check_sender_access hash:/etc/postfix/exempt_senders,     check_policy_service inet:127.0.0.1:10023,

The file /etc/postfix/exempt/senders contains:

someone@somedomain.com FILTER smtp:[127.0.0.1]:10025 anotherdomain.com FILTER smtp:[127.0.0.1]:10025

then a

postmap /etc/postfix/exempt_senders

reload or restart postfix

or

i added the following line to /etc/postfix/main.cf

header_checks = pcre:/etc/postfix/whitelist.pcre

and in the /etc/postfix/whitelist.pcre file i have a single line

info@xxxxxxxxx.yyy FILTER  SMTP:[127.0.0.1]:10025

where SMTP:[127.0.0.1]:10025 is (AT LEAST I THINK IT IS!) the transport everything returns to after amavis, so emails are delivered. 

1

down vote

See man 5 pcre_table especially in TABLE FORMAT section. Also, check man 5 header_checks to get right behavior of header_checks feature.

Your PCRE syntax is wrong. It should wrapped in /.../. And you must escape some special characters. For example

/info@example\.com/ FILTER  smtp:[127.0.0.1]:10025

Now let's look at specific requests.

1. Allow clients on my internal network to bypass scanning by using the MYNETS policy bank.

'MYNETS' policy bank to allow clients included in $mynetworks. Let's assume you allow all (or most) clients on your internal network to send outbound mail through your spamfilter. The IP addresses of these clients are included in Postfix' $mynetworks in main.cf:

mynetworks = 127.0.0.0/8 !192.168.1.1 192.168.1.0/24

In amavisd.conf @mynetworks determines which clients will use the 'MYNETS' policy bank:

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10

                !192.168.1.1 192.168.1.0/24 );

And you would configure the 'MYNETS' policy bank as desired:

$policy_bank{'MYNETS'} = {  # clients in @mynetworks

  bypass_spam_checks_maps   => [1],  # don't spam-check internal mail

  bypass_banned_checks_maps => [1],  # don't banned-check internal mail

  bypass_header_checks_maps => [1],  # don't header-check internal mail 

};

When using the "MYNETS' policy bank, you must use *_send_xforward_command in master.cf:

smtp-amavis unix    -    -    n    -    2    smtp

    -o smtp_data_done_timeout=1200

    -o smtp_send_xforward_command=yes

    -o disable_dns_lookups=yes

    -o max_use=20

(or)

lmtp-amavis unix    -    -    n    -    2    lmtp

    -o lmtp_data_done_timeout=1200

    -o lmtp_send_xforward_command=yes

    -o disable_dns_lookups=yes

    -o max_use=20

This enables forwarding of the client's IP address to amavisd-new.

2. Use two or more IP addresses to only filter incoming messages (bypass filtering for internal clients).

Derived from http://www.postfix.org/FILTER_README.html#remote_only . When we start out, our spamfilter has one IP address assigned to our network interface, one assigned to the loopback interface, and master.cf is configured to listen to them there:

smtp    inet  n       -       n       -       -       smtpd

and in main.cf we listen on all interfaces:

inet_interfaces = all

Let's assume the IP address of the spamfilter's network interface is 192.168.1.2. You would begin by adding a second IP address to this network interface (I do not outline this procedure - it is specific to each operating system). If the current IP address is a public IP address, this assumes you have a spare one available for use. If you have a backup MX server that will also use this type of configuration, then another available address may be needed. We will assign 192.168.1.222. This procedure will require you to reconfigure the clients on your network to use the newly added address. You split the smtpd listener into three listeners (we add 127.0.0.1:smtp because we lost it when we broke out 192.168.1.2:smtp):

192.168.1.2:smtp   inet  n       -       n       -       -       smtpd

127.0.0.1:smtp     inet  n       -       n       -       -       smtpd

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

In main.cf you must remove or comment out:

#content_filter=smtp-amavis:[127.0.0.1]:10024

You then configure the original IP and 127.0.0.1 to use amavisd-new as it was before, and the new IP we set to override the content_filter. We also prevent connections to 192.168.1.222 from untrusted IP addresses (we only allow internal clients):

192.168.1.2:smtp   inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10024

127.0.0.1:smtp     inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10024

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

    -o mynetworks=127.0.0.0/8,!192.168.1.1,192.168.1.0/24

    -o smtpd_client_restrictions=permit_mynetworks,reject

#192.168.1.1 is the internal interface of our NAT router

#the NAT router sends all external mail to 192.168.1.2

#internal clients (192.168.1.0/24) are (re)configured to send mail to 192.168.1.222  

Create a policy bank in amavisd.conf that listens on port 10026:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {  #those configured to send mail to port 10026

   originating => 1,  #Since amavisd-new 2.5.0

                      #declare that mail was submitted by our smtp client

   bypass_spam_checks_maps   => [1],  #don't spam-check this mail

   bypass_banned_checks_maps => [1],  #don't banned-check this mail

   bypass_header_checks_maps => [1],  #don't header-check this mail 

};

Because we moved the content_filter setting from main.cf to master.cf we have turned off the content_filter for the pickup service (a possibly desirable side effect). Instead of completely bypassing amavisd-new, another option would be to use the BYPASS policy bank so virus checks (for example) are still performed.

pickup    fifo  n       -       n       60      1       pickup

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

As you can see, by manipulating the overrides for the newly added listener on 192.168.1.222, you can do a number of different things. For example, you could limit access to one particular client (192.168.1.41 in this example):

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

    -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject

contents of /etc/postfix/amavis_bypass_client:

192.168.1.41 OK

You could use a cidr: map to allow certain networks (networks you do not wish to include in $mynetworks) or a regexp: or pcre: map to allow other chosen clients. Also note that you don't have to send to a policy bank. Since we removed content_filter from main.cf, you could simply bypass amavisd-new by not setting a content_filter:

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

    -o smtpd_client_restrictions=permit_mynetworks,reject

A note on address rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new is used, unless you have chosen to disable address rewriting on the reinjection port (127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding

   -o receive_override_options=no_address_mappings

3. Use two or more IP addresses to bypass filtering for different destination domains.

This is from http://www.postfix.org/FILTER_README.html#domain_dependent . You filter mail for a number of domains, but a couple domains only want virus filtering, and a couple others do not want mail to pass through amavisd-new at all. This presumes you have one or two extra public IP addresses available for use. If you have a backup MX server that will also use this type of configuration, then one or more additional available addresses may be needed. When we start out, our spamfilter has one IP address, and master.cf is configured to listen there:

smtp    inet  n       -       n       -       -       smtpd

and in main.cf we listen on all interfaces:

inet_interfaces = all

Let's assume the IP address of the spamfilter is 192.168.1.2 with a hostname of host.example.com. You would begin by adding a second (and possibly third) IP address to the network interface (I do not outline this procedure - it is specific to each operating system). We will create 192.168.1.222 and 192.168.1.223 and will also create DNS A records for them 'hostip2.example.com' and 'hostip3.example.com' and for the domains that wish to bypass scanning, MX records would be changed so they point to the new hosts. You split the smtpd listener into four listeners (we add 127.0.0.1:smtp because we lost it when we broke out 192.168.1.2:smtp):

192.168.1.2:smtp   inet  n       -       n       -       -       smtpd

127.0.0.1:smtp     inet  n       -       n       -       -       smtpd

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

192.168.1.223:smtp inet  n       -       n       -       -       smtpd

In main.cf you must remove or comment out:

#content_filter=smtp-amavis:[127.0.0.1]:10024

Then we configure our four listeners:

#host.example.com uses standard amavisd-new configuration

192.168.1.2:smtp   inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10024   

#as does the loopback interface

127.0.0.1:smtp     inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10024   

#hostip2.example.com uses a policy bank listening on port 10026

192.168.1.222:smtp inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10026   

#and hostip3.example.com bypasses amavisd-new altogether   

192.168.1.223:smtp inet  n       -       n       -       -       smtpd

    -o content_filter=

Create a policy bank in amavisd.conf that listens on port 10026:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {  # those configured to send mail to port 10026

   bypass_spam_checks_maps   => [1],  # don't spam-check this mail

   bypass_banned_checks_maps => [1],  # don't banned-check this mail

   bypass_header_checks_maps => [1],  # don't header-check this mail 

};

Because we moved the content_filter setting from main.cf to master.cf we have turned off the content_filter for the pickup service. Instead of completely bypassing amavisd-new, another option would be to use the BYPASS policy bank so virus checks (for example) are still performed:

pickup    fifo  n       -       n       60      1       pickup

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

A note on address rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new is used, unless you have chosen to disable address rewriting on the reinjection port (127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding

   -o receive_override_options=no_address_mappings

Although this may be unlikely, I can see one problem. Spammers often send mail to hosts (A records) instead of heeding MX records so there would be a problem if they decided to send mail for any of your hosted domains to the wrong hostname (IP address).

4. Allow a particular client (or clients) to bypass scanning by using an additional port

This is another handy way to allow an internal mail server (or any clients in $mynetworks or a properly configured access map) to use our spamfilter with less restrictive (or completely bypassed) content_filter settings. You can also control access to the port using your firewall (whether local or external). In master.cf add the additional port, set it to use the policy bank, and configure which clients may access it. Obviously any clients that wish to use the new port would need to be reconfigured to do so. In this example these clients in $mynetworks are also able to use the spamfilter as a relay:

smtp inet  n       -       n       -       -       smtpd

4025 inet  n       -       n       -       -       smtpd

    -o mynetworks=127.0.0.0/8,192.168.1.0/24

    -o smtpd_client_restrictions=permit_mynetworks,reject

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

Create a policy bank in amavisd.conf:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'INTERNAL';

$policy_bank{'INTERNAL'} = {  # Internal mail submitted to port 4025

   originating => 1,  # Since amavisd-new 2.5.0

                      # declare that mail was submitted by our smtp client

   bypass_spam_checks_maps   => [1],  # don't spam-check this mail

   bypass_banned_checks_maps => [1],  # don't banned-check this mail

   bypass_header_checks_maps => [1],  # don't header-check this mail 

};

Remember that you don't have to send mail to the content filter. As you can see, by manipulating the overrides for the newly added port 4025, you can do a number of different things. For example, you could limit access to one particular client (192.168.1.41 in this example):

4025 inet  n       -       n       -       -       smtpd

    -o content_filter=

    -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject

contents of /etc/postfix/amavis_bypass_client:

192.168.1.41 OK

You could use a cidr: map to allow certain networks (networks you do not wish to include in $mynetworks) or a regexp: or pcre: map to allow other chosen clients.

A note on address rewriting: you should only rewrite addresses once. When a content_filter like amavisd-new is used, unless you have chosen to disable address rewriting on the reinjection port (127.0.0.1:10025), you might consider disabling rewriting on the listeners above by adding

   -o receive_override_options=no_address_mappings

5. Allow a particular client (or clients) to bypass scanning by using check_client_access

This is simple. We use a policy bank and a check_client_access map to allow 192.168.1.41 to bypass checks. In main.cf:

smtpd_client_restrictions =

    check_client_access hash:/etc/postfix/amavis_bypass

contents of /etc/postfix/amavis_bypass:

192.168.1.41 FILTER smtp-amavis:[127.0.0.1]:10026

Run:

postmap /etc/postfix/amavis_bypass

to create amavis_bypass.db.

Create a policy bank in amavisd.conf that listens on port 10026:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {  # those configured to send mail to port 10026

   bypass_spam_checks_maps   => [1],  # don't spam-check this mail

   bypass_banned_checks_maps => [1],  # don't banned-check this mail

   bypass_header_checks_maps => [1],  # don't header-check this mail 

};

It is also possible to skip amavisd-new entirely by sending the mail back to Postfix on the reinjection port. This is a bit convoluted but useful if you are still using amavisd-new 20030616p10 which does not support policy banks.

contents of /etc/postfix/amavis_bypass:

192.168.1.41 FILTER smtp:[127.0.0.1]:10025

6. Allow a particular sender to bypass scanning

I'm mainly talking about allowing a particular sender to bypass banned files checks but this could also be used to allow senders to bypass SpamAssassin. However, if you want to allow a sender to send spam, consider using one of the means to whitelist a sender outlined in the SpamAssassin or amavisd-new documentation. Use amavisd-new's @score_sender_maps for one example. Anyone can spoof the sender address. Allowing a sender to send banned files is to invite disaster. I don't suggest you use this (but if forced to confess, I use it for one sender myself). Look to the following section for a more secure idea. Nonetheless, if you insist on using this simple method, then you should at least limit the damage by only allowing the banned files to pass to a chosen recipient or short list of recipients. Definitely don't use this for a sender in one of your own domains because it is extremely likely you will get mail that spoofs your own addresses. In main.cf:

smtpd_sender_restrictions =

    check_sender_access hash:/etc/postfix/amavis_senderbypass

contents of /etc/postfix/amavis_senderbypass

sender@example.net FILTER smtp-amavis:[127.0.0.1]:10026

sender@example.org FILTER smtp-amavis:[127.0.0.1]:10026

In amavisd.conf:

$inet_socket_port = [10024,10026];

$interface_policy{'10026'} = 'SENDERBYPASS'; 

$policy_bank{'SENDERBYPASS'} = {

 bypass_spam_checks_maps => [[qw( recip1@example.com recip2@example.com )]],

 bypass_banned_checks_maps => [[qw( recip1@example.com recip2@example.com )]],

 bypass_header_checks_maps => [[qw( recip1@example.com recip2@example.com )]],

};

7. Allow particular senders to bypass scanning - but in a somewhat more secure manner

Read http://www.postfix.org/RESTRICTION_CLASS_README.html. With this setup we will say: Allow the clients at 10.0.0.13 and 10.0.0.14 to bypass checks, but only if mail sent from those clients is from joe@example.org or tom@example.org and the recipient(s) is (are) either recip1@example.net and/or recip2@example.net. You can use networks instead of clients if absolutely necessary.

smtpd_restriction_classes = from_policy_bank_senders 

from_policy_bank_senders =

   check_sender_access hash:/etc/postfix/policy_bank_senders, permit

smtpd_sender_restrictions =

    [... possible other stuff ...]

    check_client_access cidr:/etc/postfix/policy_bank_clients

contents of /etc/postfix/policy_bank_senders:

joe@example.org FILTER smtp-amavis:[127.0.0.1]:10027

tom@example.org FILTER smtp-amavis:[127.0.0.1]:10027

contents of /etc/postfix/policy_bank_clients:

10.0.0.13/32 from_policy_bank_senders

10.0.0.14/32 from_policy_bank_senders

Create a policy bank in amavisd.conf:

$inet_socket_port = [10024,10027];

$interface_policy{'10027'} = 'SENDERBYPASS'; 

$policy_bank{'SENDERBYPASS'} = {

 bypass_spam_checks_maps => [[qw( recip1@example.net recip2@example.net )]],

 bypass_banned_checks_maps => [[qw( recip1@example.net recip2@example.net )]],

 bypass_header_checks_maps => [[qw( recip1@example.net recip2@example.net )]],

};

Note that due to the needed permit statement in check_sender_access, any messages from the clients '10.0.0.13' and '10.0.0.14' will bypass any additional restrictions in smtpd_sender_restrictions (had there been any), so be very careful with your placement - last is best. As you may notice, adding additional clients/networks, senders and recipients will water down the security. If necessary you can add additional smtpd_restriction_classes that include other unique sender/network or sender/client pairs and additional policy banks but I'm not certain how well this scales.

8. Configure particular senders to use unique banned files settings

If you use 2.3.0 or newer and your intent is to allow a particular sender (or senders) to send certain files that are blocked by the current settings in banned_filename_re, you could first redefine the %banned_rules hash and include a complete custom set of $banned_filename_re settings there. In addition, this hash necessarily includes the 'DEFAULT' set of banned_filename_re settings currently defined in $banned_filename_re and is necessarily positioned after the existing $banned_filename_re new_RE( ... ); setting. For example:

%banned_rules = (

  'ALLOW_EXE' =>  new_RE(

      [qr'.\.(exe|com)$'i => 0],  # pass .exe and .com files

      # block certain double extensions anywhere in the base name

      qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

      [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

      qr'.\.(vbs|pif|scr|cmd|cpl|bat)$'i,  # banned extension - basic

      qr'^\.(lha|cab|dll)$',  # banned file(1) types

      ),

  'DEFAULT' => $banned_filename_re,

);

Then add it to a policy bank:

$inet_socket_port = [10024,10026];

$interface_policy{'10026'} = 'ALLOWEXE'; 

$policy_bank{'ALLOWEXE'} = {

 banned_filename_maps => ['ALLOW_EXE'], # more permissive banning rules

};

In main.cf:

smtpd_sender_restrictions =

    check_sender_access hash:/etc/postfix/amavis_allow_exe

The contents of /etc/postfix/amavis_allow_exe:

sender@example.net FILTER smtp-amavis:[127.0.0.1]:10026

Now, however, this sender may be able to send .exe files to anyone in any of your domains, and of course as always, the sender can be spoofed. See the previous section for a way to make this more secure by using Postfix' smtpd_restriction_classes.

9. Configure particular recipients to bypass checks using amavisd-new @bypass_*_checks_maps

Amavisd-new new uses @bypass_*_checks_maps static maps as a way to bypass checks for listed recipients/domains. SQL and LDAP lookups have similar settings. However, because multiple recipients may be involved, if one of those recipients disagrees that a scan should be bypassed, the scan will occur. Listing a recipient/domain in a @bypass maps does not guarantee delivery of the message. To work around this issue it is also necessary to place those recipients/domains in complimentary @*_lovers_maps. Let's take an example where you have one domain that is currently listed in a @spam_lovers_maps:

@spam_lovers_maps = ( ['.example.com', ], );

Now we have example.net that wants to bypass all checks except virus checks. There is also one recipient at example.com that wants the same thing:

@bypass_spam_checks_maps

   = @bypass_banned_checks_maps

   = @bypass_header_checks_maps

   = @banned_files_lovers_maps

   = @bad_header_lovers_maps = ( ['.example.net', 'user1@example.com'], ); 

@spam_lovers_maps = ( ['.example.com', '.example.net'], );

Notice how I saved typing by assigning maps to other maps. Also note that if mail is scanned and then passed, depending on the spam_kill_level for a given recipient, a copy of the message may still get quarantined (as well as passed). To prevent this additional useless step it might be a good idea to set spam_kill_level to a high level. For example, if using static maps:

$sa_kill_level_deflt = 8.00; 

@spam_kill_level_maps = (

  { '.example.com' => 9999,

    '.example.net' => 9999 },

  \$sa_kill_level_deflt,   # catchall default

);

10. Allow SASL authenticated users to bypass scanning

Typically SASL users already submit messages to the submission port (587) or the smtps port (465):

submission    inet n      -       n       -       -       smtpd

    -o smtpd_etrn_restrictions=reject

    -o smtpd_sasl_auth_enable=yes   

    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd

    -o smtpd_tls_wrappermode=yes

    -o smtpd_sasl_auth_enable=yes

    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

If that is the case, it is simple to override the content_filter and (optionally) use a policy bank (to at least perform virus checks):

submission    inet n      -       n       -       -       smtpd

    -o smtpd_etrn_restrictions=reject

    -o smtpd_sasl_auth_enable=yes   

    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtps     inet  n       -       n       -       -       smtpd

    -o smtpd_tls_wrappermode=yes

    -o smtpd_sasl_auth_enable=yes

    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

Create a policy bank in amavisd.conf:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'SASLBYPASS';

$policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports

   originating => 1,  # Since amavisd-new 2.5.0

                      # declare that mail was submitted by our smtp client

   bypass_spam_checks_maps   => [1],  # don't spam-check this mail

   bypass_banned_checks_maps => [1],  # don't banned-check this mail

   bypass_header_checks_maps => [1],  # don't header-check this mail 

};

If for some reason SASL users connect to port 25, as an alternate method you could have all clients in Postfix' $mynetworks and SASL auth senders bypass checks and let everything else fall through to a catchall that sets the content_filter. Since clients in $mynetworks will (optionally) use the policy bank, be careful if you are behind a gateway whose IP address is included in $mynetworks (and the gateway acts as a proxy in such a way that mail appears to come from the IP address of the gateway). While using the same policy bank above, in main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10026

smtpd_data_restrictions =

    reject_unauth_pipelining

    permit_mynetworks

    permit_sasl_authenticated

    check_client_access regexp:/etc/postfix/filter-catchall.regexp

With the contents of /etc/postfix/filter-catchall.regexp:

/^/ FILTER smtp-amavis:[127.0.0.1]:10024

If necessary, you could exclude certain SASL or $mynetworks clients from the policy bank by creating another access map (here I place it in smtpd_sender_restrictions):

smtpd_sender_restrictions =

    check_client_access hash:/etc/postfix/use_normal_amavis 

#contents of /etc/postfix/use_normal_amavis:

192.168.1.13 FILTER smtp-amavis:[127.0.0.1]:10024

The main drawback to this whole approach is you have to be very careful about adding any access lists or restrictions in smtpd_data_restrictions that OK/PERMIT something/someone prior to "check_sender_access regexp:/etc/postfix/filter-catchall.regexp" because they would use the more permissive default policy bank (or optionally use no content_filter at all). The order of any access lists would be critical and testing would be in order. This approach uses 'permit then deny' as opposed to 'deny then permit'.

Another possibility. If you are using Postfix 2.3.x, and SpamAssassin 3.1.4 or newer, you can use this to reduce the spam score for SASL auth messages; this is from:http://wiki.apache.org/spamassassin/DynablockIssues.

Postfix quick fix: Get latest versions of Postfix (at least 2.3.0) and SpamAssassin (at least 3.1.4). Add 'smtpd_sasl_authenticated_header = yes' to the Postfix main.cf. With that set, SpamAssassin should catch such authenticated emails as ALL_TRUSTED, bypassing possible SPF and RBL problems.

Make sure your trust path is set up correctly. For example:

#explicitly set our internal_networks (might be the same or similar to mynetworks)

clear_internal_networks

internal_networks 127/8

internal_networks 333.333.333.333/24

internal_networks 10.10.10.10/24

#add the same to trusted_networks,

#and possibly other computers/networks whose mail we trust

clear_trusted_networks

trusted_networks 127/8

trusted_networks 333.333.333.333/24

trusted_networks 10.10.10.10/24

http://marc.theaimsgroup.com/?l=spamassassin-users&m=115112073816917

http://wiki.apache.org/spamassassin/TrustPath

Here is also another way to reduce the spam score for SASL auth users that can be used with Postfix version 2.1 or newer. This should add a 'X-SMTP-Auth: no' header to all messages except authenticated. The SpamAssassin rule then adds -10 points if this header is missing:

#In main.cf:

smtpd_data_restrictions =

    reject_unauth_pipelining

    permit_sasl_authenticated

    check_client_access regexp:/etc/postfix/add_auth_header.regexp

   

#In /etc/postfix/add_auth_header.regexp:

/^/ PREPEND X-SMTP-Auth: no 

#In SpamAssassin's local.cf:

header NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/m

meta SMTP_AUTH !NO_SMTP_AUTH

describe SMTP_AUTH Message sent using SMTP Authentication

tflags SMTP_AUTH nice

score SMTP_AUTH -10

I suggest you do not use X-SMTP-Auth literally. I would obscure this by using a X-something-else header name of your choice, and if you have more than one machine, I suggest using something different on each. In order to prevent confusion (the header would end up getting written again after the message was processed by amavisd-new), you should override smtpd_data_restrictions on the amavisd-new reinjection port. In master.cf add

 -o smtpd_data_restrictions=

127.0.0.1:10025    inet    n    -    n    -    -    smtpd

    -o content_filter=

    -o smtpd_data_restrictions=

    [other typical amavisd-new reinjection port overrides]

Credit for this one goes to Bill Boebel and Viktor.

11. Bypass checks for internally generated mail

Mail picked up by the 'pickup' daemon - this type of mail is dropped into the maildrop queue by programs such as mail, mailx and sendmail via the Postfix compatible sendmail command. With the way I worded that, this may be obvious. Simply override the content_filter for the pickup service in master.cf. Note that doing so is not always appropriate. You may have local users or a web form using the sendmail command to deliver mail to the outside world. It may not be a good idea to allow this mail to pass unchecked, so I also illustrate using a more permissive policy bank to check this mail.

pickup    fifo  n       -       n       60      1       pickup

    -o content_filter=

If you would like to still perform virus checks (for example):

pickup    fifo  n       -       n       60      1       pickup

    -o content_filter=smtp-amavis:[127.0.0.1]:10026

Create a policy bank in amavisd.conf:

#change this from the original setting

$inet_socket_port = [10024, 10026]; 

#add these

$interface_policy{'10026'} = 'VIRUSONLY';

$policy_bank{'VIRUSONLY'} = {  # mail from the pickup daemon

   originating => 1,  # Since amavisd-new 2.5.0

                      # declare that mail was submitted by our smtp client

   bypass_spam_checks_maps   => [1],  # don't spam-check this mail

   bypass_banned_checks_maps => [1],  # don't banned-check this mail

   bypass_header_checks_maps => [1],  # don't header-check this mail 

};

Or continue normal scanning, yet be more permissive:

$interface_policy{'10026'} = 'PERMISSIVE'; 

$policy_bank{'PERMISSIVE'} = {  # mail from the pickup daemon

   originating => 1, # declare that mail was submitted by our smtp client

   spam_kill_level_maps => [9.0],  # more permissive spam kill level

};

Note: In the first example we had to override the content_filter because we set a content_filter in main.cf. An alternative would be to instead set the content_filter in master.cf (override the content filter for the smtpd daemon). Doing so confines the setting to messages received via the smtpd daemon (or daemons if required):

smtp   inet  n       -       n       -       -       smtpd

    -o content_filter=smtp-amavis:[127.0.0.1]:10024

12. Bypass amavisd-new by using two copies of Postfix and transport maps

Initially this is the most difficult to construct method of bypassing amavisd-new but provides the most control and may offer other benefits not discussed here. What I document here is not the complete solution. Because of the many ways Postfix can be configured, I'm sure you will have a number of additional issues when you set this up, one of which is carefully controlling access to the second IP address. Having only tested this for a short time myself, it's possible there are better ways to configure this. You would be wise to make a backup of your current settings, and even more wise to test on a non-production box. I do not document how to create a second copy of Postfix, you will have to look elsewhere for that. Here is a start:

http://www.advosys.ca/papers/postfix-instance.html

http://archives.neohapsis.com/archives/postfix/2005-12/0695.html

http://archives.neohapsis.com/archives/postfix/2006-03/0977.html

http://souptonuts.sourceforge.net/postfix_sbr.html

          1.2.3.11       1.2.3.22

Internet-> postfix1-----> postfix2 --> to local or nexthop server

               \   ----->   /   

                amavisd-new

We will use the example where each instance of Postfix has its own IP address (but keep in mind you could instead set the second copy of Postfix up on a different port). We disable the content_filter directive (everywhere) and instead direct mail to amavisd-new via the transport table. You may still wish to use the FILTER directive for certain clients and/or senders to send messages to an amavisd-new policy bank as described many times in previous examples. If you want mail addressed to example.com or ted@example.net to bypass amavisd-new, you could create entries in the transport table for the postfix1 instance that read:

example.com relay:[1.2.3.22]

ted@example.net relay:[1.2.3.22]

or you could alternately relay the messages directly to the next hop server (or deliver locally) but this may add unnecessary complexity. If you want to send mail to amavisd-new, you would also use the transport table for postfix1:

example.org smtp-amavis:[127.0.0.1]:10024

example.net smtp-amavis:[127.0.0.1]:10024

The postfix2 transport table may possibly remain unchanged. Since amavisd-new will not return mail to the same instance of Postfix, a change in amavisd.conf would be needed:

$forward_method = 'smtp:1.2.3.22:10025';# we send mail to postfix2 after processing

#$notify_method = $forward_method; # notifications go to the same place

In /etc/postfix/master.cf you disable the reinjection port:

##127.0.0.1:10025        inet    n       -       n       -       -       smtpd

##    -o content_filter=

## [ ... other overrides...]

##    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

and in /etc/postfix2/master.cf you change the IP address and mynetworks of the reinjection port:

1.2.3.22:10025        inet    n       -       n       -       -       smtpd

    -o content_filter=

 [ ... other overrides...]

    -o mynetworks=127.0.0.0/8,1.2.3.11,1.2.3.22

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

 [ ... other overrides...]   

    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

and comment out the smtp-amavis transport:

##smtp-amavis    unix    -       -       n       -       2       smtp

##    -o smtp_data_done_timeout=1200

##    -o smtp_send_xforward_command=yes

##    -o disable_dns_lookups=yes

##    -o max_use=20

In /etc/postfix/main.cf you no longer use the amavis content_filter and you may need to reconfigure inet_interfaces:

#content_filter = ....

inet_interfaces = 1.2.3.11 127.0.0.1

In /etc/postfix2/main.cf you no longer use the amavis content_filter and you may need to reconfigure inet_interfaces:

#content_filter = ....

inet_interfaces = postfix2.example.com

myhostname = postfix2.example.com

Fonte:  Bypass amavisd-new scanning

----