IP Address whitelisting: Difference between revisions

Revision as of 14:56, 28 August 2013

At times, you may want to bypass or whitelist certain IP ranges, either because they are known to be trusted and internal, or because they provide specific services that should not be checked for spam. It is very important, though, that you don't whitelist an MTA that sends untrusted email: for example, whitelisting an inbound MTA (from the Internet) whose mail has not already been checked for spam will allow all of that email to arrive unchecked.

Bypassing Internal Networks

amavis_originating_bypass_sa

In 8.0 (IronMaiden) and later, there is a feature in ZCS to automatically bypass SpamAssassin for mail originating from all IPs within the postfix "mynetworks" IP ranges:

Bypass SA for emails sent from internal ZWC users (or provide a way to score them) https://bugzilla.zimbra.com/show_bug.cgi?id=44384 Fixed: 8.0

By default, this bypass is not enabled:

Default:

$ zmlocalconfig amavis_originating_bypass_sa
amavis_originating_bypass_sa = false

In order to enable, set to true and restart the MTA processes:

$ zmlocalconfig -e amavis_originating_bypass_sa=true
$ zmmtactl restart

Manual Whitelisting

This shows how to disable anti-spam checking of all emails coming from an IP address, in other words how to whitelist an IP address instead of using conventional domain name whitelisting.


Everything here is done as the zimbra user. Let's say you want to whitelist all the emails coming from 192.168.1.1:

postfix_recipient_restrictions.cf

Enter the following line at the top of /opt/zimbra/conf/postfix_recipient_restrictions.cf:

check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist

amavis_client_whitelist

Create the file /opt/zimbra/postfix/conf/amavis_client_whitelist with the following entry:

vi /opt/zimbra/postfix/conf/amavis_client_whitelist
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:10026

Convert the plain-text amavis_client_whitelist file into a Postfix hash map database file:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist

That will create a Berkeley DB:

zimbra@zimbra:~$ file /opt/zimbra/postfix/conf/amavis_client_whitelist.db
/opt/zimbra/postfix/conf/amavis_client_whitelist.db: Berkeley DB (Hash, version 8, native byte-order)
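Because every key in this file skips spam checks, it is worth reviewing the source file before each postmap run. The following is an added example, not part of the original page or of Zimbra: the sample entries other than 192.168.1.1 are constructed, and the definition of "internal" (RFC 1918 plus loopback) and the /24 threshold are assumptions to adjust to your own mynetworks.

```python
import ipaddress

# The bypass target used in the page's amavis_client_whitelist entry.
BYPASS = "smtp-amavis:[127.0.0.1]:10026"
# Assumption: "internal" means RFC 1918 or loopback; adjust to your mynetworks.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample file; only the 192.168.1.1 line comes from the page.
SAMPLE = """\
# relay from the page's example
192.168.1.1 FILTER smtp-amavis:[127.0.0.1]:10026
192.168 FILTER smtp-amavis:[127.0.0.1]:10026
203.0.113.25 FILTER smtp-amavis:[127.0.0.1]:10026
mail.example.com FILTER smtp-amavis:[127.0.0.1]:10026
"""

def key_to_network(key):
    """Map an IPv4 key (full address or octet prefix such as '192.168')
    to the network it matches in a hash: access map; None otherwise."""
    octets = key.split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    padded = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def audit(text, min_prefix=24):
    """Return (line number, key, reason) for each risky bypass entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "# \t":
            continue  # blank line, comment, or continuation of previous entry
        fields = line.split(None, 1)
        key, action = fields[0], (fields[1] if len(fields) > 1 else "")
        if BYPASS not in action:
            continue  # entry does not route mail to the whitelist port
        net = key_to_network(key)
        if net is None:
            reason = "not an IPv4 key (hostname or IPv6): review by hand"
        elif not any(net.subnet_of(n) for n in INTERNAL):
            reason = "not an internal range: its mail would skip spam checks"
        elif net.prefixlen < min_prefix:
            reason = "broad prefix covering %d addresses" % net.num_addresses
        else:
            continue
        findings.append((lineno, key, reason))
    return findings

if __name__ == "__main__":
    for lineno, key, reason in audit(SAMPLE):
        print("line %d: %s: %s" % (lineno, key, reason))
```

To check the real file, pass its contents to audit() and treat any finding as a reason to stop before running postmap.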

amavisd.conf.in

Enter the following in /opt/zimbra/conf/amavisd.conf.in:

NOTE: Make sure you use the amavisd.conf.in and NOT amavisd.conf

NOTE: If you paste this section in directly, you will need to comment out the existing $inet_socket_port parameter

 $inet_socket_port = [10024, 10026];                     # change from original setting
 $interface_policy{'10026'} = 'CLIENTWHITELIST';              
 $policy_bank{'CLIENTWHITELIST'} = {                          
   bypass_spam_checks_maps   => [1],                          
   final_spam_destiny   => D_PASS,                      
 };

If you want to bypass virus checking too, add final_virus_destiny so that mail flagged as infected is also passed:

 $policy_bank{'CLIENTWHITELIST'} = {                          
   bypass_spam_checks_maps   => [1],                          
   final_virus_destiny => D_PASS,
   final_spam_destiny   => D_PASS,                      
 };

http://www.webservertalk.com/archive390-2006-8-1467502.html

Restart postfix and amavisd:

 zmmtactl restart && zmamavisdctl restart