How to Disable Amavis “UNCHECKED” Warning Emails for Encrypted Messages in Postfix


8 views

When running a mail server with Postfix and Amavis on Debian, you might encounter a situation where Amavis sends warning emails to the postmaster with subjects like "UNCHECKED contents in mail FROM" whenever users send encrypted emails. This occurs because Amavis cannot scan encrypted messages, triggering these notifications by default.

The solution involves modifying Amavis configuration to suppress these specific warnings. Here's how to implement it:


# Edit the Amavis configuration file
sudo nano /etc/amavis/conf.d/50-user

Add or modify these parameters in your Amavis configuration:


$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;

# Specifically disable UNCHECKED notifications
$warnbadhsender = 0;
$warnbannedrecip = 0;
$warnbadhrecip = 0;
$warnvirussender = 0;
$warnspamsender = 0;

For encrypted email handling, you might want to add:


# Skip scanning for encrypted messages
$bypass_decrypt_scan = 1;

After making these changes, restart the necessary services:


sudo service amavis restart
sudo service postfix restart

To verify the changes, send an encrypted email and check your postmaster mailbox. You should no longer receive the "UNCHECKED" notifications while still maintaining security for other message types.

If you prefer to keep some level of notification but reduce frequency, consider adjusting the log level instead:


$log_level = 1;  # Reduce from default 2 to suppress some warnings

If you're running a mail server with Amavis and Postfix on Debian, you've probably encountered those persistent "UNCHECKED contents in mail FROM" notifications flooding your postmaster inbox. These alerts trigger whenever users send encrypted emails that Amavis can't scan.

The messages originate from Amavis' security policy. When it encounters encrypted content it cannot decrypt (like PGP-encrypted emails), it marks them as UNCHECKED and notifies the postmaster by default. While well-intentioned, this becomes noisy in environments where encrypted communication is common.

The main configuration file we need to modify is /etc/amavis/conf.d/50-user. Here are the key parameters to adjust:

# Disable unchecked notifications for encrypted mail
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;

$virus_admin = undef;
$spam_admin = undef;
$banned_admin = undef;
$bad_header_admin = undef;
$mailfrom_notify_admin = undef;
$mailfrom_notify_recip = undef;
$mailfrom_notify_spamadmin = undef;

If you want more granular control, you can implement conditional notification rules:

@bypass_virus_checks_maps = (
   \\%bypass_virus_checks,
   \\@bypass_virus_checks_acl,
   \\$bypass_virus_checks_re);

$bypass_virus_checks = {
   'user@domain.com' => 1,  # Skip scanning for specific users
   '.trusted-domain.com' => 1  # Skip for entire domain
};

After making these changes:

  1. Restart Amavis: service amavis restart
  2. Test with an encrypted email
  3. Check /var/log/mail.log for any errors

For those who still want some notifications but less frequently, consider adjusting the notification level:

$log_level = 1;  # Reduce from default 2 to suppress some notifications
$notify_method = undef;  # Disables all email notifications