Policy Banks with Amavis
Amavisd-new provides Policy Banks that allow you to manage messages based on the client or sender. For example, if you want senders to be able to send to email lists without using server resources to scan these outgoing messages with SpamAssassin and ClamAV, you could create a Policy Bank.
Solution: Specify Clients Who Can Bypass Scanning
This solution allows the mail server to skip the scanning process to save system resources. It requires an additional port so that the options can be kept separate.
master.cf
Notice that there are two ports here. Port 10024 assumes you are using it with Amavis to scan incoming mail on a re-injection port. Port 10026 is where you send the outgoing mail separately so that it avoids scanning and saves resources on your server.
# Public SMTP: incoming mail is handed to amavis on port 10024 for scanning
smtp inet n - n - - smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
# Port for trusted networks: mail is handed to amavis on port 10026
4025 inet n - n - - smtpd
  -o mynetworks=127.0.0.0/8,192.168.1.0/24
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
# Transport used to deliver mail to amavis
smtp-amavis unix - - n - 6 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_send_xforward_command=yes
# Re-injection listener: amavis returns mail to Postfix here
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
You need to add the additional port and set up the Policy Bank in amavisd.conf.
$inet_socket_port = [10024, 10026];
Next, set up a Policy Bank named SERVER and assign it to port 10026.
$interface_policy{'10026'} = 'SERVER';
$policy_bank{'SERVER'} = { # Server mail submitted to port 4025
  originating => 1, # mail submitted by server
  bypass_spam_checks_maps => [1], # no spam check
  bypass_banned_checks_maps => [1], # no banned check
  bypass_header_checks_maps => [1], # no header checks
};
Alternatively, mail sent to port 4025 can avoid the content filter entirely. By placing an IP address in amavis_bypass_client, you control which clients can use this option.
4025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject
The reject will stop other clients from having this option.
Contents of /etc/postfix/amavis_bypass_client:
192.168.7.9 OK
Once you have made the changes you want, restart Postfix and amavis and check the network connections to verify that your ports are listening. You should see these four ports.
netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4025 0.0.0.0:* LISTEN
Examples of what you should see in the logs.
Outgoing Mail Scanned with SpamAssassin Before Changes
Mail sent out is tagged as SPAMMY and scores 6.282.
Jan 30 06:22:58 mail postfix/pickup[9525]: C22BA73479D: uid=501 from=<tom>
Jan 30 06:22:58 mail postfix/cleanup[9600]: C22BA73479D: message-id=<20100130132258.C22BA73479D@mail.testexample.com>
Jan 30 06:22:58 mail postfix/qmgr[9526]: C22BA73479D: from=<tom@testexample.com>, size=309, nrcpt=1 (queue active)
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms
After Changes No Scan
This indicates that SpamAssassin did not scan the mail, as there are no hits.
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms
Incoming Mail Indicates it is Scanned
Jan 30 17:40:38 mail amavis[19274]: (19274-01) 2822.From: <joe@example.com>
Jan 30 17:40:38 mail amavis[19274]: (19274-01) collect banned table[0]: tom@testexample.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x983e7a0)
Jan 30 17:40:38 mail amavis[19274]: (19274-01) p.path tom@testexample.com: "P=p001,L=1,M=text/plain,T=asc"
Jan 30 17:40:43 mail amavis[19274]: (19274-01) spam_scan: score=6.283 autolearn=no tests=[FH_DATE_PAST_20XX=3.384,TVD_SPACE_RATIO=2.899]
Jan 30 17:40:43 mail amavis[19274]: (19274-01) do_notify_and_quar: ccat=Spammy (5,0) ("5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth=
Jan 30 17:40:43 mail amavis[19274]: (19274-01) SPAM-TAG, <joe@example.com> -> <tom@testexample.com>, Yes, score=6.283 tagged_above=2 required=6.2 tests=[FH_DATE_PAST_20XX=3.384, TVD_SPACE_RATIO=2.899] autolearn=no
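The "Hits:" field in the log excerpts above is what separates scanned from unscanned mail, so it can be used to audit which senders are actually passing through the no-scan Policy Bank. The following is an added example, not part of the original page: it parses amavis summary lines and flags unscanned messages from senders outside an expected set. The EXPECTED_BYPASS_DOMAINS value, the function names and the third sample line are assumptions made for illustration.

```python
import re

# Summary-line format as it appears in the amavis log excerpts on this page.
SUMMARY = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

# Assumption: only these sender domains are expected to use the no-scan bank.
EXPECTED_BYPASS_DOMAINS = {"testexample.com"}

def parse_summary(line):
    """Return fields of a Passed/Blocked summary line, or None for other lines."""
    m = SUMMARY.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["scanned"] = rec["hits"] != "-"  # "Hits: -": no spam score was computed
    rec["score"] = float(rec["hits"]) if rec["scanned"] else None
    return rec

def audit(lines, expected=EXPECTED_BYPASS_DOMAINS):
    """Sort summary lines into scanned, expected bypass and unexpected bypass."""
    report = {"scanned": [], "bypassed": [], "unexpected": []}
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue
        domain = rec["sender"].rpartition("@")[2].lower()
        if rec["scanned"]:
            report["scanned"].append(rec)
        elif domain in expected:
            report["bypassed"].append(rec)
        else:
            report["unexpected"].append(rec)
    return report

# The first two lines are the page's log excerpts; the third is constructed.
SAMPLE = [
    "Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms",
    "Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms",
    "Jan 30 07:15:02 mail amavis[10249]: (10249-02) Passed CLEAN, <bulk@example.net> -> <joe@example.com>, Message-ID: <constructed@example.net>, mail_id: CONSTRUCTED01, Hits: -, size: 512, queued_as: 0000000000A, 120 ms",
]

if __name__ == "__main__":
    for kind, recs in audit(SAMPLE).items():
        print(kind, [(r["sender"], r["hits"]) for r in recs])
```

The envelope sender is supplied by the client, so this is a sanity check on the Policy Bank configuration, not proof of who sent a message.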

