How do I whitelist a domain in amavis?

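I'm having some trouble receiving mail from a specific domain. My server receives mail from gmail without problems, for example. I tried a lot of guides to whitelist the sender domain, but I still get the same message in the log. Can you help me with this? I already tried whitelisting the sender domain (the read_hash method) and manually adding the domain with a negative score in amavisd.conf.in. No success.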

Here is the message from the log:

    Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-senderdomain.com[10.10.10.10]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<smtp-out.senderdomain.com>
    Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-out.senderdomain.com[10.10.10.10]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<smtp-out.senderdomain.com>
    Oct 10 16:55:46 mail postfix/smtpd[31680]: 5E01FA5EA9: client=smtp-out.senderdomain.com[10.10.10.10]

Here is postconf -n:

address_verify_negative_refresh_time = 10m
address_verify_poll_count = ${stress?3}${stress:5}
address_verify_poll_delay = 3s
address_verify_positive_refresh_time = 12h
alias_maps = lmdb:/etc/aliases
allow_mail_to_commands =
allow_mail_to_files =
always_add_missing_headers = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf
command_directory = /opt/zimbra/common/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/zimbra/common/libexec
data_directory = /opt/zimbra/data/postfix/data
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 100
delay_warning_time = 0h
header_checks =
hopcount_limit = 50
html_directory = no
import_environment =
in_flow_delay = 1s
inet_protocols = ipv4
lmdb_map_size = 16777216
lmtp_connection_cache_destinations =
lmtp_connection_cache_time_limit = 4s
lmtp_host_lookup = dns
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_ciphers = export
lmtp_tls_exclude_ciphers =
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_security_level = may
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /opt/zimbra/common/sbin/mailq
manpage_directory = /opt/zimbra/common/share/man
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 10240000
meta_directory = /opt/zimbra/common/conf
milter_command_timeout = 30s
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_default_action = tempfail
minimal_backoff_time = 300s
mydestination = localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24
mynetworks_style = subnet
newaliases_path = /opt/zimbra/common/sbin/newaliases
non_smtpd_milters =
notify_classes = resource, software
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_retention_time = 7d
postscreen_command_count_limit = 20
postscreen_dnsbl_action = ignore
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = 0
postscreen_greet_action = ignore
postscreen_greet_ttl = 1d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_upstream_proxy_protocol =
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
propagate_unmatched_extensions = canonical
queue_directory = /opt/zimbra/data/postfix/spool
queue_run_delay = 300s
readme_directory = no
recipient_delimiter =
relayhost =
sample_directory = /opt/zimbra/common/conf
sender_canonical_maps =
sendmail_path = /opt/zimbra/common/sbin/sendmail
setgid_group = postdrop
shlib_directory = no
smtp_cname_overrides_servername = no
smtp_dns_support_level = enabled
smtp_fallback_relay =
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_security_options = noplaintext,noanonymous
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_ciphers = export
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_transport_rate_delay = $default_transport_rate_delay
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_auth_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_milters =
smtpd_proxy_timeout = 100s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_reverse_client rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_sender bl.spamcop.net, permit
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_login_maps =
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
smtpd_soft_error_limit = 10
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_ciphers = export
smtpd_tls_dh1024_param_file = /opt/zimbra/conf/dhparam.pem
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_append_default_CA = no
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
unknown_local_recipient_reject_code = 550
unverified_recipient_defer_code = 250
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_expansion_limit = 10000
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
virtual_transport = error

Here is main.cf:

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
#       PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#       echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#       >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
#       PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#       -dmS $process_name gdb $daemon_directory/$process_name
#       $process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
sendmail_path = /opt/zimbra/common/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
newaliases_path = /opt/zimbra/common/sbin/newaliases

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
mailq_path = /opt/zimbra/common/sbin/mailq

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
manpage_directory = /opt/zimbra/common/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
sample_directory = /opt/zimbra/common/conf

# readme_directory: The location of the Postfix README files.
readme_directory = no
inet_protocols = ipv4

#
# Zimbra changes.
#

virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf

virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf

virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf

virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf

virtual_transport = error

canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf

transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

# If (email domain name == host name), we don't want $myhostname in
# mydestination for testing purposes.
mydestination = localhost

# Disable NIS which is in the default
alias_maps = lmdb:/etc/aliases

# for security...
allow_mail_to_commands =
allow_mail_to_files =

smtpd_helo_required = yes

smtpd_client_restrictions = reject_unauth_pipelining

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_reverse_client rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_sender bl.spamcop.net, permit

broken_sasl_auth_clients = yes

smtpd_use_tls = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtputf8_enable = no

meta_directory = /opt/zimbra/common/conf
shlib_directory = no
postscreen_dnsbl_min_ttl = 60s
in_flow_delay = 1s
postscreen_dnsbl_whitelist_threshold = 0
postscreen_command_count_limit = 20
smtp_dns_support_level = enabled
smtpd_sasl_security_options = noanonymous
address_verify_positive_refresh_time = 12h
postscreen_pipelining_ttl = 30d
default_process_limit = 100
smtpd_tls_ask_ccert = no
smtpd_tls_ccert_verifydepth = 9
smtpd_error_sleep_time = 1s
lmtp_tls_security_level = may
smtp_tls_CApath =
smtpd_reject_unlisted_sender = no
hopcount_limit = 50
address_verify_poll_delay = 3s
lmtp_host_lookup = dns
lmtp_tls_loglevel = 0
smtpd_banner = $myhostname ESMTP $mail_name
lmtp_tls_ciphers = export
postscreen_greet_action = ignore
smtp_sasl_security_options = noplaintext,noanonymous
postscreen_blacklist_action = ignore
smtp_tls_ciphers = export
postscreen_pipelining_enable = no
delay_warning_time = 0h
bounce_queue_lifetime = 5d
smtpd_tls_auth_only = yes
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
postscreen_watchdog_timeout = 10s
postscreen_access_list = permit_mynetworks
mailbox_size_limit = 0
notify_classes = resource, software
bounce_notice_recipient = postmaster
lmtp_tls_protocols = !SSLv2, !SSLv3
smtp_sasl_auth_enable = no
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24
message_size_limit = 10240000
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtp_helo_name = $myhostname
address_verify_poll_count = ${stress?3}${stress:5}
maximal_queue_lifetime = 5d
postscreen_whitelist_interfaces = static:all
smtp_tls_loglevel = 0
myhostname = mail.mydomain.com
smtpd_sasl_auth_enable = yes
postscreen_dnsbl_reply_map =
virtual_alias_expansion_limit = 10000
postscreen_non_smtp_command_ttl = 30d
smtpd_client_port_logging = no
relayhost =
postscreen_greet_ttl = 1d
smtp_sasl_password_maps =
smtpd_tls_CAfile =
smtpd_tls_security_level = may
postscreen_bare_newline_enable = no
import_environment =
max_use = 100
milter_content_timeout = 300s
minimal_backoff_time = 300s
postscreen_dnsbl_sites =
recipient_delimiter =
unverified_recipient_defer_code = 250
postscreen_upstream_proxy_protocol =
postscreen_non_smtp_command_action = drop
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
postscreen_dnsbl_ttl = 1h
smtp_tls_mandatory_ciphers = medium
smtpd_sender_login_maps =
lmtp_connection_cache_destinations =
content_filter = smtp-amavis:[127.0.0.1]:10024
queue_run_delay = 300s
lmtp_tls_mandatory_ciphers = medium
smtp_generic_maps =
milter_connect_timeout = 30s
milter_default_action = tempfail
address_verify_negative_refresh_time = 10m
lmtp_tls_exclude_ciphers =
smtpd_end_of_data_restrictions =
smtp_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
postscreen_non_smtp_command_enable = no
lmtp_tls_CAfile =
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
postscreen_bare_newline_action = ignore
postscreen_cache_retention_time = 7d
smtpd_milters =
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CApath =
smtpd_soft_error_limit = 10
postscreen_dnsbl_action = ignore
postscreen_pipelining_action = enforce
smtp_transport_rate_delay = $default_transport_rate_delay
smtp_fallback_relay =
lmtp_tls_CApath =
smtp_cname_overrides_servername = no
postscreen_dnsbl_threshold = 1
postscreen_bare_newline_ttl = 30d
smtpd_proxy_timeout = 100s
smtpd_tls_dh1024_param_file = /opt/zimbra/conf/dhparam.pem
postscreen_cache_cleanup_interval = 12h
propagate_unmatched_extensions = canonical
smtp_sasl_mechanism_filter =
milter_command_timeout = 30s
smtpd_client_auth_rate_limit = 0
non_smtpd_milters =
smtpd_tls_ciphers = export
lmdb_map_size = 16777216
smtpd_sasl_authenticated_header = no
smtpd_hard_error_limit = 20
maximal_backoff_time = 4000s
smtp_tls_CAfile =
smtpd_reject_unlisted_recipient = no
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_append_default_CA = no
smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_mandatory_protocols =
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
sender_canonical_maps =
smtpd_tls_received_header = no
always_add_missing_headers = yes
lmtp_connection_cache_time_limit = 4s
smtpd_tls_exclude_ciphers =
smtpd_helo_required = yes

Answer 1

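Note that, depending on your distribution of amavisd-new, the following files may be located under an /etc/amavisd/ parent folder rather than /etc/amavis/. Be sure to note the location in case it differs from the paths below.

Unless you already use /etc/amavis/conf.d/50-user for overrides, create a new /etc/amavis/conf.d/99-overrides file. The numeric part of the filename is important - the name part is meaningless. "99-" will be read last. You may want to move any overrides you have already added from 50-user into this new file. (50-user can be overwritten by amavisd-new package updates.)

To set up a global whitelist, add this to the Amavis configuration file described and/or created above: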

# These are up to you. 
$sa_tag_level_deflt  = -9999;
$sa_tag2_level_deflt = 5.5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.5; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_spam_subject_tag = "**Spam** ";
$final_spam_destiny=D_PASS;
$final_virus_destiny=D_DISCARD;
$final_bad_header_destiny=D_BOUNCE;

# Setup basic global whitelist/pb

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10026'} = 'VIRUSONLYCHECK';
$policy_bank{'VIRUSONLYCHECK'} = { # mail from the pickup daemon
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
};

Then create an /etc/amavis/whitelist file.

Add your email addresses or domains to this file like this - nothing else is needed - one per line:

[email protected]
cleandomain1.com
[email protected]
cleandomain2.com
[email protected]

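Restart the amavisd process. Have someone on the whitelist test it. You can also bypass virus checks by adding a bypass_virus_checks_maps line to the policy bank above, using the same format shown, and test the whole process with the GTUBE virus test signature. Obviously, you should D_DISCARD viruses (no whitelisting), or quarantine them away from user folders when not testing. Also, read the documentation for details on any of the directives above. There are more.

Also note that if you "D_PASS" final_spam_destiny (or any of the others), you will probably want it to go to the user's spam folder. That question is answered elsewhere.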
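An added example, not part of the answer above or of amavis or Postfix: the policy bank in the answer is bound to port 10026 through `$interface_policy`, and Postfix executes only the last FILTER action that fires for a message (access(5)), so this sketch reads smtpd log lines in the format shown in the question and reports which amavis port, and therefore which policy bank, each sender's mail finally reaches. The sample lines, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re

# Matches the Postfix smtpd "NOQUEUE: filter:" lines shown in the question.
FILTER_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: filter: .*?"
    r"triggers FILTER [\w-]+:\[[^\]]+\]:(?P<port>\d+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Port -> policy bank, mirroring $interface_policy{'10026'} in the answer.
INTERFACE_POLICY = {10026: "VIRUSONLYCHECK"}

# Constructed sample lines (addresses and PIDs are made up for illustration).
SAMPLE_LOG = [
    "Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-out.senderdomain.com[10.10.10.10]: <alice@senderdomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<alice@senderdomain.com> to=<bob@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>",
    "Oct 10 16:55:45 mail postfix/smtpd[31680]: NOQUEUE: filter: RCPT from smtp-out.senderdomain.com[10.10.10.10]: <alice@senderdomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<alice@senderdomain.com> to=<bob@mydomain.com> proto=ESMTP helo=<smtp-out.senderdomain.com>",
    "Oct 10 16:55:46 mail postfix/smtpd[31680]: 5E01FA5EA9: client=smtp-out.senderdomain.com[10.10.10.10]",
    "Oct 10 17:02:10 mail postfix/smtpd[31702]: NOQUEUE: filter: RCPT from mx.cleandomain1.com[10.10.10.20]: <carol@cleandomain1.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<carol@cleandomain1.com> to=<bob@mydomain.com> proto=ESMTP helo=<mx.cleandomain1.com>",
]


def effective_filters(lines, interface_policy=INTERFACE_POLICY):
    """Return {(pid, sender, rcpt): (port, policy_bank_or_None)}.

    The smtpd PID approximates the SMTP session. Later FILTER lines for the
    same key overwrite earlier ones, because only the last FILTER is executed.
    """
    result = {}
    for line in lines:
        m = FILTER_RE.search(line)
        if not m:
            continue  # not a FILTER line (e.g. the "client=" queue line)
        key = (int(m["pid"]), m["sender"].lower(), m["rcpt"].lower())
        port = int(m["port"])
        result[key] = (port, interface_policy.get(port))
    return result


def senders_missing_bypass(lines, interface_policy=INTERFACE_POLICY):
    """Senders whose mail ends on a port that has no policy bank bound."""
    effective = effective_filters(lines, interface_policy)
    return sorted({sender for (_, sender, _), (_, bank) in effective.items()
                   if bank is None})


if __name__ == "__main__":
    for key, (port, bank) in effective_filters(SAMPLE_LOG).items():
        print(key[1], "->", port, bank or "no policy bank bound")
```

A sender that shows up in `senders_missing_bypass` is being handed to a listener the `VIRUSONLYCHECK` bank does not cover, so the bypass settings in that bank never apply to its mail.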
