ISPConfig Spamfilter Whitelist

Discussion in 'ISPConfig 3 Priority Support' started by jnewman67, Apr 24, 2024.

  1. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    I'm having an issue where a piece of accounting software is not including the Date in the headers of the emails it generates - a problem on its own - so I wanted to just whitelist that special email account so it would pass through amavisd without issue.
    I found the Spamfilter Whitelist section of ISPConfig 3.2, and I put in the information for the email address - gotta wait to see if it works after someone's here to try sending an email through that software.
    In the meantime, I went looking for the config file that might have been modified to allow that to happen, but I can't find it.
    Could someone enlighten me as to where those changes are stored within a conf file (CentOS 8 Stream server).
    Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use Amavis or Rspamd? I guess it's most likely Amavis, as that's what gets used in the CentOS perfect server guides. Amavis reads the white- and blacklist entries directly from the ISPConfig database. There is no config file.
     
  3. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Sorry, i should have specified, but your assumption was correct.
    Understood about amavis checking the database correctly. However, it still scanned the email submitted by the account I whitelisted, and bounced it.
     
  4. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    I should probably explain what I'm trying to do. there is a third-party accounting software that emails out invoices through an email account on this server. I did some updates 2 weeks ago, and amavis is now rejecting emails from that software with the following error message:
    Code:
    This nondelivery report was generated by the program amavis at host example.com. Our internal reference code for your message is 3759791-05/ujYGHJQ0Knka
    INVALID HEADER
    Missing required header field: "Date"
    
    I thought whitelisting the email address would get past this, and let postfix add the date to the email and we'd be good. apparently amavis gives it a scan BEFORE it checks the whiltelist? would it be better if I added the OK to the sender_checks for postfix instead?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I think the spam filter whitelist is not for whitelisting spam rules, it's just the whitelist for the blacklist. So when you blacklist e.g. somedomain.com, then you can whitelist [email protected].

    Here an answer from chatGPT what you might do:

     
  6. pyte

    pyte Well-Known Member HowtoForge Supporter

    Don't bypass all header checks. Since Amavis 2.4.X it is possible to disable specific checks. Edit /etc/amavisd/amavisd.conf and add:

    $allowed_header_tests{'missing'} = 0;

    This will disable the bad-header test only for missing header fields which should be sufficient in your case.
     
    till likes this.
  7. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Thanks for the responses, till & pyte.
    pyte - wondering if you have a suggestion on where in the conf file I should place that rule - should it be before or after anything specific? the only section that seems "header" related is the "defang" section, slightly (default conf other than socket # changed).
    till - you're the first person to admit to me they've used ChatGPT to find an answer to something (and it appears its probably accurate) - but I have a hard time accepting the overlords won't eat me for lunch if I give in and get too close :)
    That fear aside, I've added till's suggestion as follows:
    Code:
    $policy_bank{'ORIGINATING'} = {
    ...
    bypass_header_checks => 1,
    }
    
    if that doesn't work, and someone gives a suggestion on location for the "allow", i'll try that idea next, which I like because it's more specific, though "originating" sounds like they could be trusted more.
    Thanks!
    (edit: removed INDENT indicators that were nested, did not work)
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    ChatGPT can be a handy tool in software development and when fixing config issues, but one should know a bit about the topic to estimate if the solution it suggests can be valid or not :) But in many cases, it's way faster than scanning through the software package documentation yourself and one can still verify the solution afterwards when you know the exact keywords and config options to search for on the web. That said, be careful when asking ChatGPT about doing things in/with ISPConfig, most of the answers are garbage. The last time I asked ChatGPT about how to install ISPConfig, it assured me that I could install it with apt like apt-get install ispconfig ... just that there is no Debian ISPConfig package at all.
     
  9. pyte

    pyte Well-Known Member HowtoForge Supporter

    I don't know your setup but if you want it globally just put it in the 50-user config somewhere (be aware of hints like "Do not modify anything below this line").
    If you only want it for a specific policy bank you have to place it within the policy bank in question for example "MYNETS".
     
  10. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Sorry, I have no idea what your "50-user" reference means, and there's nothing in my conf file related to that, so if my current attempt doesn't work, i'll just put it somewhere that seems safe, and give it a try.
    Thanks.
     
  11. pyte

    pyte Well-Known Member HowtoForge Supporter

    Sorry i only have an really old system with amavis installed so my setup most likly differs alot. What is the content of "/etc/amavis" and "/etc/amavis/conf.d" on your system? If you only have one big amavis.conf then it should be sufficient to set it somewhere in that, expect from the very top/bottom.
     
  12. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    FYI, my implementation of till's suggestion did not work, so i placed the "allowed_header_tests" rule right after all the *_policy{} sections, and before the $sa_* rules, and it worked - thank you both for the help.
     
    till and pyte like this.

Share This Page