Bypassing header checks for local clients (PostFix/Amavis)

Issue: Email with non-legitimate headers (eg: generated from scripts) from one of my servers was being trashed by Postfix/Amavis. Very annoying, and in the end I had to modify the /etc/amavisd/avavisd.conf file as follows to make things work properly:

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
  bypass_banned_checks_maps => [1],  # don't banned-check internal mail
  bypass_header_checks_maps => [1],  # don't header-check internal mail
};

Note that @mynetworks is defined as follows, where 1.2.3.4/32 is an additional server not in RFC1918 space.

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 1.2.3.4/32 );
Tagged , , , . Bookmark the permalink.

One Response to Bypassing header checks for local clients (PostFix/Amavis)

  1. Cody says:

    Do you bring up Postfix because you use it along with Amavisd (that is, along with clamav, the combination I use, too) or is it that it was Postfix that was part of the problem? (I see the amavasid config so I assume it _was_ amavisd but…) In Postfix you can check headers and have it accepted/rejected/etc. For example, I use the following (using pcre: form) in my main.cf… and for once I’m trying to use the html tags to (maybe) prevent the formatting:

    /^Content-Type:.*charset=koi8/ REJECT Unreadable

    (actually that’s only one line but you get the idea)
    Of course even if it is amavisd if you didn’t know about the header_checks then maybe it is of use. I might add that the syntax in main.cf is (for example):

    header_checks = pcre:/etc/postfix/header_checks

Leave a Reply

Your email address will not be published. Required fields are marked *