
Thread: amavisWhiteListSender equivalent for domains?

  1. #1
    jxn

    ZCS NE 6.0.7, second patch

    I'm trying to set up some spam whitelisting by domain, so that the whitelist is active for all users on the domain, without having to manually add the whitelist exception for new users as their mailbox accounts are created. I'm wondering if the amavisWhiteListSender attribute is honored by the domain, so that, for instance, I could use:
    zmprov md +amavisWhitelistSender safeuser@safedomain.com

    Incidentally, can anyone point me to a list of all valid attributes and values for accounts, domains, cos, etc.? I looked, but perhaps I'm not looking in quite the right place?

  2. #2
    ewilen

    I don't think you can do domain-wide whitelisting via zmprov. You could script your account creation using CLI commands, so that the whitelist step will be included, but I think I have a better approach.

    as root:

    cd /opt/zimbra/conf
    cp amavisd.conf.in amavisd.conf.in.bak
    vi amavisd.conf.in


    Now in the section following the line # read_hash("/var/amavis/sender_scores_sitewide"), add this:

    'desireddomain.com' => -15.0,

    This should be more than enough to prevent anything from that domain being marked as spam.

    Then, as zimbra, do zmamavisdctl stop && zmamavisdctl start.

    Finally, look in amavisd.conf and confirm that the change has gone into it.

    Note: this change will probably be wiped out when you upgrade, so make a note to re-do it when you upgrade.

  3. #3
    eniomarconcini

    Right, how can I do this but using a mail address instead of the domain? Is it possible?

    I need something like this:

    someone@especificdomain.com
    anotherguy@hotmail.com
    *@whitehouse.gov

  4. #4
    ewilen

    Just...use a mail address instead of a domain, in the same place within amavisd.conf.in.

    Incidentally, a score of -15 really ought to be enough to whitelist anybody, but I've seen spam with scores higher than 40. I highly doubt a legitimate mail could get such a high score without being deliberately crafted to do so. But if you want to be really sure, you can always use a bigger negative number.

  5. #5
    eniomarconcini

    Dear ewilen, I understood, but my problem goes deeper.

    As you can see here: Improving Anti-spam system - Postfix whitelist when using RBL's

    Some mail was rejected because of RBL systems (like barracudacentral.org), so I did this trick as explained on the wiki (link above).

    But it works for domains, and I need to manually control some email addresses so that they are not checked by RBL.

    Is it possible?

    ZCS 7.1

  6. #6
    ewilen

    It's very important to distinguish between MTA-based spam controls and amavis. They don't interact with each other in any way.

    There's no way to create per-address exceptions to the MTA-based spam controls.

    What you need to do in this case is to turn those MTA-level RBL entries into spam assassin rules. If you search the forums you'll find some examples. Here's one: Allowing some mail to pass through dnsbl checks

    Just assign a high enough score to the RBL rule and you'll have effectively treated it as a full blacklist. Then you can create per-address exceptions using either amavisd.conf.in or the individual user's whitelist in Zimbra.

  7. #7
    eniomarconcini

    ewilen, if I have understood correctly, you suggested that I turn off RBL (from DNS Checks) and do all the setup of spamcop/sorbs/barracudacentral and others using a config in /opt/zimbra/conf/salocal.cf.in, right?

    I think if I do this as you have explained, spam mail won't be blocked directly, as happens using MTA-level RBL, and maybe spam mail will be sent to the Spam mailbox of Webmail, and the users can decide what is considered spam or not?

    Is my thinking right or wrong?

  8. #8
    ewilen

    You are correct that mail from servers that are on those RBLs won't be blocked directly. What happens next depends on the scores you assign to those RBLs, other scores that come out of spamassassin, and the thresholds you've set for tagging and killing spam.

    If you would like to have all mail from those servers blocked completely except if your user whitelists the sender, you'll want a very high score for those RBLs--enough to push the total over the kill percent. (Note: percent=spam score * 5.)

    Personally, I would back off on the score slightly. E.g. with a kill percent of 75 and a tag score of 22 (equivalent to spam scores of 15 and 4.4, which is what I use), I would just give the RBLs scores of something between 4 and 8. This is still enough to get the mail tagged as "spammy" (gets put into spam folder) provided other elements indicate it's spam.

    The reason I'd prefer not to have a single RBL cause a "kill" all by itself is that mail which is "killed" is simply discarded instead of being refused during the MTA transaction. Therefore it doesn't generate a non-delivery report from the sending MTA to the sender, which means that no one is made aware of false positives until somebody starts wondering why they aren't getting mail or why their mail isn't prompting a response.
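
The threshold arithmetic from the last reply, combined with the per-sender scores suggested earlier for amavisd.conf.in, as an added example that is not from the thread's posters or from Zimbra. It is a simplified Python model: the rule name RBL_HIT, the sample addresses and the lookup order (full address first, then bare domain) are assumptions.

```python
# Simplified model of the scoring discussed in this thread (added example,
# not amavisd or Zimbra code). Names and sample values are constructed.

# Sender score entries in the style added to amavisd.conf.in above:
# a key is either a full address or a bare domain.
SENDER_SCORES = {
    "desireddomain.com": -15.0,
    "someone@example.org": -15.0,
}

TAG_PERCENT = 22   # values quoted in the thread; percent = spam score * 5
KILL_PERCENT = 75


def sender_adjustment(sender, scores=SENDER_SCORES):
    """Return the score adjustment for a sender address (0.0 if none)."""
    sender = sender.strip().lower()
    if sender in scores:                      # full-address entry wins
        return scores[sender]
    domain = sender.rpartition("@")[2]        # fall back to the domain entry
    return scores.get(domain, 0.0)


def disposition(rule_scores, sender, tag=TAG_PERCENT, kill=KILL_PERCENT):
    """Return (total score, outcome) for one message."""
    total = sum(rule_scores.values()) + sender_adjustment(sender)
    percent = total * 5
    if percent >= kill:
        return total, "discarded"             # killed: no bounce to the sender
    if percent >= tag:
        return total, "spam folder"
    return total, "inbox"


if __name__ == "__main__":
    cases = [
        ({"RBL_HIT": 6.0}, "x@unknown.example"),       # moderate RBL score
        ({"RBL_HIT": 6.0}, "bob@desireddomain.com"),   # same, sender listed
        ({"RBL_HIT": 20.0}, "x@unknown.example"),      # RBL alone kills
        ({"RBL_HIT": 20.0}, "bob@desireddomain.com"),  # -15 is not enough
    ]
    for rules, sender in cases:
        print(rules, sender, disposition(rules, sender))
```

With the RBL rule scored at 20, a listed sender's -15 still leaves a total of 5, which is above the tag level of 4.4, so the message lands in the spam folder rather than the inbox.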
