Thread: policy_bank => CLIENTWHITELIST




policy_bank => CLIENTWHITELIST
user name
2006-04-19 15:36:58
Gary,

u nicely suggested me to use policy_bank to white list some ips that i trust;
i would allow senders from that ip to send mail with zip attach closed with password

i put my ip into white list:

amavis_client_whitelist:
151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026

and i issued: postmap /etc/postfix/amavis_client_whitelist

in postfix main.cf i have:

smtpd_recipient_restrictions =
    reject_multi_recipient_bounce
    permit_mynetworks
    reject_unauth_destination
    check_helo_access pcre:/etc/postfix/helo_checks
    check_policy_service inet:127.0.0.1:60000
    check_client_access hash:/etc/postfix/amavis_client_whitelist


coming to amavis conf,
in my debian conf i have put into:
/etc/amavis/conf.d/50-user

$inet_socket_port = [10024, 10026]; # change from original setting

$interface_policy{'10026'} = 'CLIENTWHITELIST'; # add this setting

$policy_bank{'CLIENTWHITELIST'} = {  # mail originating from trusted servers
  bypass_spam_checks_maps   => [1],  # don't spam-check
  bypass_virus_checks_maps => [1],
  final_virus_destiny   => D_PASS,
  final_spam_destiny   => D_PASS,    # insure spam passes
};


restart postfix and amavis, when i try to send a mail with zip passworded i
get into mail.log:

Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED (Encrypted.Zip), [151.38.3.123] <?adsl-123-3.38-151.net24.it> -> <maumarevinco.it>, Message-ID: <200604191721.30805.maumardatalogica.com>, mail_id: qFAaLs1cbXZh, Hits: -, 605 ms
Apr 19 17:21:36 mailgw1 postfix/smtp[5177]: 8A55C37CB0: to=<maumarxxxx.it>, relay=127.0.0.1[127.0.0.1], delay=18, status=sent (250 2.5.0 Ok, id=05186-05, BOUNCE)
Apr 19 17:21:36 mailgw1 postfix/smtpd[5182]: disconnect from localhost.localdomain[127.0.0.1]
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 8A55C37CB0: removed
Apr 19 17:21:36 mailgw1 postfix/local[5221]: 203FC37CE7: to=<virusadminmailgw1.cost.it>, relay=local, delay=0, status=sent (delivered to command: procmail -a "$EXTENSION")
Apr 19 17:21:36 mailgw1 postfix/qmgr[20428]: 203FC37CE7: removed


can u be so nice to help me to discover where i was wrong??
TIA, Gary 


-- 
Maurizio Marini         	GSM +39-335-8259739
Fano: +39-0721-855285   	Milano +39-02303123406
S. Costanzo: +39-0721950396	IAXTel: (700) 350-1234
Crashing is the only thing windows does quickly.


_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
policy_bank => CLIENTWHITELIST
user name
2006-04-19 16:19:03
Maurizio wrote:

> Gary,

> u nicely suggested me to use policy_bank to white list some ips that i trust;
> i would allow senders from that ip to send mail with zip attach closed with
> password

> i put my ip into white list:

> amavis_client_whitelist:
> 151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026

> and i issued: postmap /etc/postfix/amavis_client_whitelist

> in postfix main.cf i have:

> smtpd_recipient_restrictions =
>     reject_multi_recipient_bounce
>     permit_mynetworks
>     reject_unauth_destination
>     check_helo_access pcre:/etc/postfix/helo_checks
>     check_policy_service inet:127.0.0.1:60000
>     check_client_access hash:/etc/postfix/amavis_client_whitelist


> coming to amavis conf,
> in my debian conf i have put into: /etc/amavis/conf.d/50-user

> $inet_socket_port = [10024, 10026]; # change from original setting

> $interface_policy{'10026'} = 'CLIENTWHITELIST'; # add this setting

> $policy_bank{'CLIENTWHITELIST'} = {  # mail originating from trusted servers
>   bypass_spam_checks_maps   => [1],  # don't spam-check
>   bypass_virus_checks_maps => [1],
>   final_virus_destiny   => D_PASS,
>   final_spam_destiny   => D_PASS,    # insure spam passes
> };

> restart postfix and amavis, when i try to send a mail with zip passworded i
> get into mail.log:

> Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED (Encrypted.Zip), [151.38.3.123] <?adsl-123-3.38-151.net24.it> -> <maumarevinco.it>, Message-ID: <200604191721.30805.maumardatalogica.com>, mail_id: qFAaLs1cbXZh, Hits: -, 605 ms

Is 151.38.3.123 also listed in 'mynetworks' in main.cf?
If so, you will have to move
check_client_access hash:/etc/postfix/amavis_client_whitelist
ahead of 'permit_mynetworks'.

If you don't want to block banned files, you may also want
to add:

bypass_banned_checks_maps => [1],
final_banned_destiny   => D_PASS,

to your policy bank.

Just FYI, here is an example where you can also limit who
can receive this type of file:

$policy_bank{'CLIENTWHITELIST'} = {
 bypass_spam_checks_maps => [[qw( maumarexample.it )]],
 bypass_banned_checks_maps => [[qw( maumarexample.it )]],
 bypass_virus_checks_maps => [[qw( maumarexample.it )]],
 spam_lovers_maps => [[qw( maumarexample.it )]],
 banned_files_lovers_maps => [[qw( maumarexample.it )]],
 virus_lovers_maps => [[qw( maumarexample.it )]],
};

To further debug this, set $log_level to 5 and try to send the message
again, you will be looking to see if the CLIENTWHITELIST policy bank
is used.

Gary V
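
The ordering problem described in the reply above, as an added example that is not part of the thread: a simplified Python model of how Postfix walks smtpd_recipient_restrictions, run against the list from the main.cf quoted in the question. The mynetworks range and the default content filter on port 10024 are assumptions made for the example.

```python
import ipaddress

# Simplified model: Postfix walks the list in order and stops at the first
# restriction that returns PERMIT or REJECT. A FILTER result from an access
# table only records the content filter; the walk then continues as for DUNNO.
MYNETWORKS = ["127.0.0.0/8", "151.38.3.0/24"]      # constructed for the example
CLIENT_ACCESS = {"151.38.3.123": "FILTER smtp-amavis:[127.0.0.1]:10026"}
DEFAULT_FILTER = "smtp-amavis:[127.0.0.1]:10024"   # assumed global content_filter

# Order from the main.cf in the thread.
ORIGINAL = [
    "reject_multi_recipient_bounce",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_helo_access",
    "check_policy_service",
    "check_client_access",
]
# Suggested fix: consult the whitelist table ahead of permit_mynetworks.
FIXED = [
    "reject_multi_recipient_bounce",
    "check_client_access",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_helo_access",
    "check_policy_service",
]


def evaluate(order, client_ip):
    """Return (content filter chosen, restriction that ended the walk)."""
    ip = ipaddress.ip_address(client_ip)
    chosen = DEFAULT_FILTER
    for name in order:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
                return chosen, name            # PERMIT: nothing later runs
        elif name == "check_client_access":
            action = CLIENT_ACCESS.get(client_ip, "DUNNO")
            if action.startswith("FILTER "):
                chosen = action.split(" ", 1)[1]   # recorded, walk continues
        # Every other restriction is modelled as DUNNO for this client.
    return chosen, None


def amavis_port(order, client_ip):
    """Port of the amavis listener the message would be handed to."""
    return int(evaluate(order, client_ip)[0].rsplit(":", 1)[1])


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, evaluate(order, "151.38.3.123"))
```

Because FILTER only selects a content filter and does not permit the mail, moving the table ahead of reject_unauth_destination does not open the relay; an OK entry in the same table would.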



policy_bank => CLIENTWHITELIST
user name
2006-04-19 17:05:07
On Wed April 19 2006 18:19, Gary V wrote:
> Maurizio wrote:
>
> > Gary,
>
> > u nicely suggested me to use policy_bank to white list some ips that i trust;
> > i would allow senders from that ip to send mail with zip attach closed with
> > password
>
> > i put my ip into white list:
>
> > amavis_client_whitelist:
> > 151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026
>
> > and i issued: postmap /etc/postfix/amavis_client_whitelist
>
> > in postfix main.cf i have:
>
> > smtpd_recipient_restrictions =
> >     reject_multi_recipient_bounce
> >     permit_mynetworks
> >     reject_unauth_destination
> >     check_helo_access pcre:/etc/postfix/helo_checks
> >     check_policy_service inet:127.0.0.1:60000
> >     check_client_access hash:/etc/postfix/amavis_client_whitelist
>
>
> > coming to amavis conf,
> > in my debian conf i have put into: /etc/amavis/conf.d/50-user
>
> > $inet_socket_port = [10024, 10026]; # change from original setting
>
> > $interface_policy{'10026'} = 'CLIENTWHITELIST'; # add this setting
>
> > $policy_bank{'CLIENTWHITELIST'} = {  # mail originating from trusted servers
> >   bypass_spam_checks_maps   => [1],  # don't spam-check
> >   bypass_virus_checks_maps => [1],
> >   final_virus_destiny   => D_PASS,
> >   final_spam_destiny   => D_PASS,    # insure spam passes
> > };
>
> > restart postfix and amavis, when i try to send a mail with zip passworded i
> > get into mail.log:
>
> > Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED (Encrypted.Zip), [151.38.3.123] <?adsl-123-3.38-151.net24.it> -> <maumarevinco.it>, Message-ID: <200604191721.30805.maumardatalogica.com>, mail_id: qFAaLs1cbXZh, Hits: -, 605 ms
>
> Is 151.38.3.123 also listed in 'mynetworks' in main.cf?
> If so, you will have to move
> check_client_access hash:/etc/postfix/amavis_client_whitelist
> ahead of 'permit_mynetworks'.
yes, you were right!!

> 
> If you don't want to block banned files, you may also want to add:
> 
> bypass_banned_checks_maps => [1],
> final_banned_destiny   => D_PASS,
> 
> to your policy bank.
yes i did
now:
Apr 19 19:01:48 mailgw1 amavis[6779]: (06779-04) Passed CLEAN, CLIENTWHITELIST [151.38.3.123] <maumardatalogica.com> -> <maumarexample.it>, Message-ID: <200604191901.58382.maumardatalogica.com>, mail_id: h7EAaYeF7WcQ, Hits: -, 289 ms

you are just *great* !!!

> 
> Just FYI, here is an example where you can also limit who
> can receive this type of file:
> 
> $policy_bank{'CLIENTWHITELIST'} = {
>  bypass_spam_checks_maps => [[qw( maumarexample.it )]],
>  bypass_banned_checks_maps => [[qw( maumarexample.it )]],
>  bypass_virus_checks_maps => [[qw( maumarexample.it )]],
>  spam_lovers_maps => [[qw( maumarexample.it )]],
>  banned_files_lovers_maps => [[qw( maumarexample.it )]],
>  virus_lovers_maps => [[qw( maumarexample.it )]],
> };
very interesting 

> 
> To further debug this, set $log_level to 5 and try to send the message
> again, you will be looking to see if the CLIENTWHITELIST policy bank
> is used.
thnx a lot!

-- 
Maurizio Marini         	GSM +39-335-8259739
Fano: +39-0721-855285   	Milano +39-02303123406
S. Costanzo: +39-0721950396	IAXTel: (700) 350-1234
Crashing is the only thing windows does quickly.
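
One way to check from mail.log that the policy bank is applied to the clients you expect, and to nobody else, as an added example that is not from the thread. The log lines are constructed on the model of the two amavis lines quoted in this thread, and the splitting of multiple bank names is an assumption.

```python
import re

# Shape of an amavisd-new result line as quoted in the thread: action, verdict,
# optional (virus name), optional policy bank name(s), then [client IP].
LINE_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))?,\s*(?P<banks>[^\[]*?)\s*\[(?P<ip>[^\]]+)\]"
)

# Constructed sample, modelled on the log lines in the thread.
SAMPLE_LOG = """\
Apr 19 17:21:36 mailgw1 amavis[5186]: (05186-05) Blocked INFECTED (Encrypted.Zip), [151.38.3.123] <a@sender.example> -> <b@rcpt.example>, mail_id: AAAA, Hits: -, 605 ms
Apr 19 19:01:48 mailgw1 amavis[6779]: (06779-04) Passed CLEAN, CLIENTWHITELIST [151.38.3.123] <a@sender.example> -> <b@rcpt.example>, mail_id: BBBB, Hits: -, 289 ms
Apr 19 19:05:10 mailgw1 amavis[6779]: (06779-05) Passed CLEAN, CLIENTWHITELIST [198.51.100.7] <c@other.example> -> <b@rcpt.example>, mail_id: CCCC, Hits: -, 301 ms
Apr 19 19:06:02 mailgw1 postfix/qmgr[20428]: 8A55C37CB0: removed
"""


def parse(line):
    """Return a dict for an amavis result line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: several bank names would be separated by space, comma or slash.
    rec["banks"] = [b for b in re.split(r"[\s,/]+", rec["banks"]) if b]
    return rec


def audit(log_text, bank, whitelisted_ips):
    """Flag whitelisted clients that missed the bank, and strangers that got it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        in_bank = bank in rec["banks"]
        listed = rec["ip"] in whitelisted_ips
        if listed and not in_bank:
            findings.append((rec["ip"], rec["action"], "bank not applied"))
        elif in_bank and not listed:
            findings.append((rec["ip"], rec["action"], "unexpected client in bank"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "CLIENTWHITELIST", {"151.38.3.123"}):
        print(finding)
```

The first finding is the misrouting this thread started with; the second matters because a bank that bypasses virus checks should only ever be reached by the addresses in the Postfix access table.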


policy_bank => CLIENTWHITELIST
user name
2006-04-19 18:14:46
Maurizio wrote:

>>
>> To further debug this, set $log_level to 5 and try to send the message
>> again, you will be looking to see if the CLIENTWHITELIST policy bank
>> is used.

> thnx a lot!

I forgot to mention, after you are finished debugging, don't forget to set
it back to your previous setting or your log will grow to be unusually large.

(8-}

Gary V



policy_bank => CLIENTWHITELIST
user name
2006-08-03 13:39:30
On Wed April 19 2006 18:19, Gary V wrote:
> Maurizio wrote:
>
> > Gary,
>
> > u nicely suggested me to use policy_bank to white list some ips that i trust;
> > i would allow senders from that ip to send mail with zip attach closed with
> > password
>
> > i put my ip into white list:
>
> > amavis_client_whitelist:
> > 151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026
>
> > and i issued: postmap /etc/postfix/amavis_client_whitelist
>
> > in postfix main.cf i have:
>
> > smtpd_recipient_restrictions =
> >     reject_multi_recipient_bounce
> >     permit_mynetworks
> >     reject_unauth_destination
> >     check_helo_access pcre:/etc/postfix/helo_checks
> >     check_policy_service inet:127.0.0.1:60000
> >     check_client_access hash:/etc/postfix/amavis_client_whitelist
>
>
> > coming to amavis conf,
> > in my debian conf i have put into: /etc/amavis/conf.d/50-user
> 
Hi Gary,
all your setup you suggested me does work like a charm
now, i would add whitelisting for receivers, too;
my /etc/amavis/conf.d/50-user is this:
http://paste.debian.net/10181

i would add to this file :
banned_files_lovers_maps => ( [qw( maumarcost.it )]);

what i would get is that no mail with attachment zipped and
password encrypted will ever be blocked:
http://paste.debian.net/10182

i have added the line this way:
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
banned_files_lovers_maps => ( [qw( maumarcost.it )]);
$inet_socket_port = [10024, 10026]; # change from original setting
[...]

but still mail is blocked;
$interface_policy{'10026'} = 'CLIENTWHITELIST';
this way 'CLIENTWHITELIST' is applied to $interface_policy{'10026'}

now, how can i apply 'CLIENTWHITELIST' to a mail address or an entire domain?

your help is always useful and very appreciated

-- 
Maurizio Marini 

policy_bank => CLIENTWHITELIST
user name
2006-08-03 14:25:45
Maurizio wrote:

> On Wed April 19 2006 18:19, Gary V wrote:
>> Maurizio wrote:
>>
>> > Gary,
>>
>> > u nicely suggested me to use policy_bank to white list some ips that i trust;
>> > i would allow senders from that ip to send mail with zip attach closed with
>> > password
>>
>> > i put my ip into white list:
>>
>> > amavis_client_whitelist:
>> > 151.38.3.123 FILTER smtp-amavis:[127.0.0.1]:10026
>>
>> > and i issued: postmap /etc/postfix/amavis_client_whitelist
>>
>> > in postfix main.cf i have:
>>
>> > smtpd_recipient_restrictions =
>> >     reject_multi_recipient_bounce
>> >     permit_mynetworks
>> >     reject_unauth_destination
>> >     check_helo_access pcre:/etc/postfix/helo_checks
>> >     check_policy_service inet:127.0.0.1:60000
>> >     check_client_access hash:/etc/postfix/amavis_client_whitelist
>>
>>
>> > coming to amavis conf,
>> > in my debian conf i have put into: /etc/amavis/conf.d/50-user
>>
> Hi Gary,
> all your setup you suggested me does work like a charm

> now, i would add whitelisting for receivers, too;
> my /etc/amavis/conf.d/50-user is this:
> http://paste.debian.net/10181

> i would add to this file :
> banned_files_lovers_maps => ( [qw( maumarcost.it )]);

> what i would get is that no mail with attachment zipped and
> password encrypted will ever be blocked:
> http://paste.debian.net/10182

> i have added the line this way:
> # See /usr/share/doc/amavisd-new/ for documentation and examples of
> # the directives you can use in this file
> #
> banned_files_lovers_maps => ( [qw( maumarcost.it )]);
> $inet_socket_port = [10024, 10026]; # change from original setting
> [...]

> but still mail is blocked;
> $interface_policy{'10026'} = 'CLIENTWHITELIST';
> this way 'CLIENTWHITELIST' is applied to $interface_policy{'10026'}

> now, how can i apply 'CLIENTWHITELIST' to a mail address or an entire domain?

You are talking about two different things here. The CLIENTWHITELIST
allows certain clients (machines that are sending mail to you) to bypass
spam/virus/banned checks.

If I'm not mistaken, amavisd-new will allow encrypted zip files to
pass. The sample you provided was not delivered because it is INFECTED
with a virus, not because it was banned. To allow spam/virus/banned
files to a recipient (or domain), you could do something like this:

@bypass_virus_checks_maps  = ( [qw( usrexample.com )] );
@virus_lovers_maps         = ( [qw( usrexample.com )] );
@bypass_spam_checks_maps   = ( [qw( usrexample.com )] );
@spam_lovers_maps          = ( [qw( usrexample.com )] );
@bypass_banned_checks_maps = ( [qw( usrexample.com )] );
@banned_files_lovers_maps  = ( [qw( usrexample.com )] );
@bypass_header_checks_maps = ( [qw( usrexample.com )] );
@bad_header_lovers_maps    = ( [qw( usrexample.com )] );

but since in this case these are all identical, you could
instead set only one of them, and then use that variable to
assign all the others:

@bad_header_lovers_maps = ( [qw( usrexample.com )] );

@bypass_virus_checks_maps  =
 @virus_lovers_maps         =
 @bypass_spam_checks_maps   =
 @spam_lovers_maps          =
 @bypass_banned_checks_maps =
 @banned_files_lovers_maps  =
 @bypass_header_checks_maps = @bad_header_lovers_maps;

Gary V


policy_bank => CLIENTWHITELIST
user name
2006-08-03 14:48:43
Gary wrote:

> If I'm not mistaken, amavisd-new will allow encrypted zip files to
> pass.

I am mistaken. Even if the zip is encrypted, the file names are still
evident, and may be blocked by banned settings. This thread
illustrates using [ qr'^UNDECIPHERABLE$'=> 0 ], to allow encrypted
zips to pass.

1) list items you want to block
2) allow UNDECIPHERABLE
3) list items you want to block unless they are UNDECIPHERABLE

http://marc.theaimsgroup.com/?l=amavis-user&m=111988384524492&w=2

Gary V
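
The three-step ordering above, as an added Python model that is not amavisd-new's own code: rules are tried in order and the first one that matches any label of the attachment decides. The file-name patterns and the way labels are collected are assumptions made for the example; only the UNDECIPHERABLE entry comes from the thread.

```python
import re

# Each rule is (pattern, ban). ban=True corresponds to a plain qr'...' entry,
# ban=False to the [ qr'...' => 0 ] form that allows on match.
ALWAYS_BLOCK = (re.compile(r"\.[^./]+\.(exe|scr|pif)$", re.I), True)    # step 1
ALLOW_ENCRYPTED = (re.compile(r"^UNDECIPHERABLE$"), False)               # step 2
BLOCK_IF_READABLE = (re.compile(r"\.(exe|scr|pif)$", re.I), True)        # step 3

ORDERED = [ALWAYS_BLOCK, ALLOW_ENCRYPTED, BLOCK_IF_READABLE]
# Same rules with the allow entry last: it can no longer rescue a file that
# an earlier rule has already banned.
MISORDERED = [ALWAYS_BLOCK, BLOCK_IF_READABLE, ALLOW_ENCRYPTED]


def labels_for(member_names, encrypted):
    """File names stay visible in an encrypted zip; encryption adds one label."""
    labels = list(member_names)
    if encrypted:
        labels.append("UNDECIPHERABLE")
    return labels


def is_banned(rules, member_names, encrypted):
    """First matching rule wins; no match means the attachment is not banned."""
    labels = labels_for(member_names, encrypted)
    for pattern, ban in rules:
        if any(pattern.search(label) for label in labels):
            return ban
    return False


if __name__ == "__main__":
    cases = [
        (["setup.exe"], True),       # encrypted zip holding an .exe
        (["setup.exe"], False),      # readable zip holding an .exe
        (["photo.jpg.exe"], True),   # double extension inside an encrypted zip
    ]
    for names, encrypted in cases:
        print(names, encrypted,
              "ordered:", is_banned(ORDERED, names, encrypted),
              "misordered:", is_banned(MISORDERED, names, encrypted))
```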

