(Last Updated On: March 7, 2018)

If you’re on this page it means you’ve experienced noqueue messages on Zimbra Amavis for some emails. On this guide, I’ll show you how to Configure whitelist and blacklist Zimbra Amavis Spam filtering. Both for domains, email addresses, and IP networks/addresses.

What is Amavis?

From Amavis’s site – Amavis is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price for speed. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as an SMTP relay.

Zimbra and Amavis

Zimbra uses Amavis to scan incoming and outgoing emails for viruses, and gives postfix reply whether the email should be delivered or dropped depending on the results of the scan. At some point, you may encounter false negatives, mostly common with encrypted and executable files, and would like to whitelist the trusted domain, email address or network. The vice versa is also true, where you need to blacklist a domain or IP address you know is associated with spammers.

Configure whitelist and blacklist Zimbra Amavis Spam filtering

There are mainly two types of messages logged by Amavis, namely:

NOQUEUE: Postfix hasn’t assigned a queue-id to this message as of yet.
Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026: This means an email will be filtered through amavis. By default, all sender addresses will be triggered.

Whitelist | Blacklist a domain or email address on Zimbra Amavis

Create two files that will store the domains and email addresses you wish to whitelist or blacklist.

$ sudo touch /opt/zimbra/conf/{whitelist,blacklist}

All whitelists will be in the file /opt/zimbra/conf/whitelist, the blacklisted will be in the file /opt/zimbra/conf/blacklist. Example

$ cat /opt/zimbra/conf/whitelist
[email protected]
example.org

$ cat /opt/zimbra/conf/blacklist
[email protected]
fakedomain.com

 

Now you need to modify your /opt/zimbra/conf/amavisd.conf.in configuration file have checks on the two files we just added above.

read_hash(%whitelist_sender, '/opt/zimbra/conf/whitelist');
read_hash(%blacklist_sender, '/opt/zimbra/conf/blacklist');

After saving the changes, restart the amavis service.

# su - zimbra -c "zmamavisdctl restart"

You can now retry sending email from a blocked domain/address or whitelisted ones and see if the email is delivered.

Whitelist certain IP ranges on Zimbra Amavis

Assuming you trust a network e.g an internal network and would like to bypass checks for these networks, you can configure this on Amavis. First, you need to enable bypass feature which is disabled by default.

$ sudo su - zimbra
$ zmprov mcf zimbraAmavisOriginatingBypassSA TRUE

When it has been enabled, restart the following services related to Amavis.

$ zmantispamctl restart 
$ zmantivirusctl restart 
$ zmamavisdctl restart

Only then should Amavis bypass SpamAssassin for all messages originating internal trusted networks.

Check the setting for the current list of trusted networks

$ sudo su - zimbra
$ postconf mynetworks
$ zmprov gs `zmhostname` zimbraMtaMyNetworks

To update a list of trusted MTA networks, use the commands:

$ sudo su - zimbra
$ zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 10.0.0.0/8 192.168.3.0/22'

A point to note is that zmconfigd will automatically restart the MTA processes after this change is made. The zimbraMtaMyNetworks configuration is then included in Amavis in @mynetworks, which causes those IPs to be white-listed.

This marks the end of our article on Configure whitelist and blacklist Zimbra Amavis Spam filtering. Sign up for our newsletter and like our social media pages for quick updates.