Hosting Provided By

Re: spamassassin/postfix - not accepting the false "from" messages

From: Christoph Moench-Tegeder <cmt(at)burggraben.net>
Date: Fri Oct 05 2007 - 19:11:15 EDT

## Wojciech Ziniewicz (wojciech.ziniewicz@gmail.com):

> Let's suppose that i am
> using the xxx@xxx.com domain and all spam from !xxx.com is filtered
> but spam with "reply-to" and "from" set to xxx@xxx.com is not filtered
> (spamass automatically assigns -100 hits for such a message).

Bad idea.

> My question is - how to avoid this sittuation - users obviously are
> very nervous saying "who was using my account ?" etc...

Best: seperate your MX and your smarthost and route internal mail internally.
Second best: Whitelist authenticated mail, not just some header. I use the following, which is based on some or another remark by bill Boebel:
Assume before-que-filter (smtpd_proxy_filter-setup). Set up your restrictions in postfix, first allowing all authenticated mail, then rejecting what should not be accepted as pe policy, then add a local header. I use smtpd_data_restrictions as follows: smtpd_data_restrictions =

	permit_sasl_authenticated
	permit_tls_clientcerts
	
	check_client_access pcre:/etc/postfix/add_header

However, the second postix instance (which receives the mail coming from amavisd) hast "-o smtpd_data_restrictions=" set via master.cf.

In add_header, I have one simple line to add a new header to each mail which isn't already accepted by the first lines: /.*/ PREPEND X-MyID-Auth: No
(MyID should be some identifier for your system).

Then just add a rule for spamassassin:
header __LOCAL_AUTHMAIL X-MyID-Auth =~ /^No$/ meta LOCAL_AUTHMAIL !__LOCAL_AUTHMAIL
describe LOCAL_AUTHMAIL Whitelisted by authentication tflags LOCAL_AUTHMAIL nice
score LOCAL_AUTHMAIL -100

All mail whithout the "not-authenticated header" will get -100 points whitelisting. The "not-authenticated header" is forced into all mails coming per non-authenticated smtp (here: no SASL authentication, no client certificate; fit to your needs). Works quite nice here for quite some time.

Do you need help?

Regards
Christoph

-- 
Spare Space


-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Fri Oct 5 19:11:42 2007

This message: [ Message body ]
Next message: Wojciech Ziniewicz: "Re: spamassassin/postfix - not accepting the false "from" messages"
Previous message: Craig Sanders: "Re: spamassassin/postfix - not accepting the false "from" messages"
In reply to: Wojciech Ziniewicz: "spamassassin/postfix - not accepting the false "from" messages"
Next in thread: Wojciech Ziniewicz: "Re: spamassassin/postfix - not accepting the false "from" messages"
Reply: Wojciech Ziniewicz: "Re: spamassassin/postfix - not accepting the false "from" messages"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 00:08:26 EDT