Looks like your case is similar to this example case in the Amavisd documentation.
If for some reason SASL users connect to port 25, as an alternate method you could have all clients in Postfix's $mynetworks and SASL-authenticated senders bypass the checks and let everything else fall through to a catchall that sets the content_filter.
# main.cf
content_filter = smtp-amavis:[127.0.0.1]:10026
smtpd_data_restrictions =
    reject_unauth_pipelining
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access regexp:/etc/postfix/filter-catchall.regexp

# /etc/postfix/filter-catchall.regexp:
/^/ FILTER smtp-amavis:[127.0.0.1]:10024
In this mode:
- SASL users will be permitted through permit_sasl_authenticated, so they fall into the content_filter parameter, i.e. content_filter = smtp-amavis:[127.0.0.1]:10026.
- Other email will fall into the catchall check_client_access regexp:/etc/postfix/filter-catchall.regexp, so it will go through smtp-amavis:[127.0.0.1]:10024.
The last part is configuring separate policy banks on ports 10024 and 10026.
The above setup can be extended to allow whitelisting based on other factors, for example SASL username and sender domain.
For SASL username, you can use check_sasl_access before permit_sasl_authenticated. Note: this feature is available in Postfix 2.11 and later.
# main.cf
...
    check_sasl_access hash:/etc/postfix/amavis-bypass-sasl
    permit_sasl_authenticated
...

# /etc/postfix/amavis-bypass-sasl
# Use this when smtpd_sasl_local_domain is empty.
username FILTER smtp-amavis:[127.0.0.1]:10026
# Use this when smtpd_sasl_local_domain=example.com.
username@example.com FILTER smtp-amavis:[127.0.0.1]:10026
For sender domain, you can use check_sender_access:
# main.cf
...
    check_sender_access hash:/etc/postfix/amavis-bypass-sender
    permit_sasl_authenticated
...

# /etc/postfix/amavis-bypass-sender
# Sender domains whose mail is handed to the bypass listener (the map
# also matches the parent domains of a sender address, so subdomains
# of these entries match as well).
internal.example.com FILTER smtp-amavis:[127.0.0.1]:10026
whitelist.example.org FILTER smtp-amavis:[127.0.0.1]:10026
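To see which amavisd listener a given SMTP session ends up at under the restriction list above, here is a small model of how Postfix walks smtpd_data_restrictions. This is an added example, not Postfix code and not part of the answer: the access-map contents, the $mynetworks value and the client addresses are constructed. It assumes the Postfix semantics for the actions used here: permit_mynetworks, permit_sasl_authenticated and an OK result end the search with a permit; a FILTER result records the transport and lets the search continue, and a later FILTER replaces an earlier one; reaching the end of smtpd_data_restrictions is an implicit permit with whatever filter is recorded, or main.cf content_filter if none was.

```python
"""Model of Postfix walking the smtpd_data_restrictions list from the answer.

Added example; the maps, networks and sessions below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

CONTENT_FILTER = "smtp-amavis:[127.0.0.1]:10026"        # main.cf content_filter
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Constructed access maps (what "postmap hash:..." would have indexed).
BYPASS_SASL = {"bob": "FILTER smtp-amavis:[127.0.0.1]:10026"}
BYPASS_SENDER = {"internal.example.com": "FILTER smtp-amavis:[127.0.0.1]:10026"}
CATCHALL = [(re.compile(r"^"), "FILTER smtp-amavis:[127.0.0.1]:10024")]

# Same order as the combined main.cf fragments in the answer.
RESTRICTIONS = [
    ("reject_unauth_pipelining", None),
    ("permit_mynetworks", None),
    ("check_sasl_access", BYPASS_SASL),
    ("check_sender_access", BYPASS_SENDER),
    ("permit_sasl_authenticated", None),
    ("check_client_access", CATCHALL),
]


@dataclass
class Session:
    client_ip: str
    sender: str
    sasl_username: Optional[str] = None
    pipelining_violation: bool = False


def sender_lookup_keys(sender):
    """Key order Postfix tries for an address in an access map: the full
    address, its domain, the parent domains, then localpart@."""
    local, _, domain = sender.partition("@")
    parts = domain.split(".")
    keys = [sender, domain]
    keys += [".".join(parts[i:]) for i in range(1, len(parts) - 1)]
    keys.append(local + "@")
    return keys


def apply_action(action, state, trace, name):
    """Apply one map result. FILTER is recorded and the search continues
    (a later FILTER overwrites it); OK and REJECT end the search."""
    verb, _, arg = action.partition(" ")
    if verb == "FILTER":
        state["filter"] = arg
        trace.append(f"{name}: FILTER {arg}")
        return None
    trace.append(f"{name}: {verb}")
    return "permit" if verb == "OK" else "reject" if verb == "REJECT" else None


def evaluate(session):
    """Return (decision, transport, trace) for the session."""
    state = {"filter": CONTENT_FILTER}
    trace = []
    ip = ipaddress.ip_address(session.client_ip)
    for name, table in RESTRICTIONS:
        result = None
        if name == "reject_unauth_pipelining" and session.pipelining_violation:
            trace.append(name)
            result = "reject"
        elif name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            trace.append(name)
            result = "permit"
        elif name == "permit_sasl_authenticated" and session.sasl_username:
            trace.append(name)
            result = "permit"
        elif name == "check_sasl_access" and session.sasl_username in table:
            result = apply_action(table[session.sasl_username], state, trace, name)
        elif name == "check_sender_access":
            for key in sender_lookup_keys(session.sender):
                if key in table:
                    result = apply_action(table[key], state, trace, name)
                    break
        elif name == "check_client_access":
            # Regexp maps match the client name/address; /^/ matches everything.
            for pattern, action in table:
                if pattern.search(session.client_ip):
                    result = apply_action(action, state, trace, name)
                    break
        if result is not None:
            return result, state["filter"], trace
    trace.append("end of list: permit")
    return "permit", state["filter"], trace


if __name__ == "__main__":
    for s in (Session("192.168.1.10", "x@example.com"),
              Session("203.0.113.5", "alice@example.com", "alice"),
              Session("203.0.113.5", "bob@example.com", "bob"),
              Session("203.0.113.5", "guest@example.org"),
              Session("203.0.113.5", "svc@internal.example.com")):
        print(s, "->", evaluate(s))
```

Running it shows the two paths the answer describes (mynetworks and SASL clients at 10026, everything else at 10024) and, for the extensions, which restriction actually decided. One thing the trace makes visible: for a client that is neither in $mynetworks nor SASL-authenticated, a FILTER from the sender map is followed by the catchall's FILTER, which replaces it in this model, so where check_sender_access sits relative to the catchall determines which listener such a message reaches.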