[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spamassassin/postfix - not accepting the false "from" messages

## Wojciech Ziniewicz (wojciech.ziniewicz@gmail.com):

>  Let's suppose that i am
> using the xxx@xxx.com domain and all spam from !xxx.com is filtered
> but spam with "reply-to" and "from" set to xxx@xxx.com is not filtered
> (spamass automatically assigns -100 hits for such a message).

Bad idea.

> My question is - how to avoid this sittuation - users obviously are
> very nervous saying "who was using my account ?" etc...

Best: seperate your MX and your smarthost and route internal mail
Second best: Whitelist authenticated mail, not just some header.
I use the following, which is based on some or another remark by
bill Boebel:
Assume before-que-filter (smtpd_proxy_filter-setup).
Set up your restrictions in postfix, first allowing all authenticated
mail, then rejecting what should not be accepted as pe policy, then add
a local header. I use smtpd_data_restrictions as follows:
smtpd_data_restrictions =
	<other stuff>
	check_client_access pcre:/etc/postfix/add_header
However, the second postix instance (which receives the mail coming
from amavisd) hast "-o smtpd_data_restrictions=" set via master.cf.

In add_header, I have one simple line to add a new header to each mail
which isn't already accepted by the first lines:
/.*/ PREPEND X-MyID-Auth: No
(MyID should be some identifier for your system).

Then just add a rule for spamassassin:
header __LOCAL_AUTHMAIL X-MyID-Auth =~ /^No$/
describe LOCAL_AUTHMAIL Whitelisted by authentication
tflags LOCAL_AUTHMAIL nice

All mail whithout the "not-authenticated header" will get -100 points
whitelisting. The "not-authenticated header" is forced into all mails
coming per non-authenticated smtp (here: no SASL authentication, no
client certificate; fit to your needs). Works quite nice here for
quite some time.


Spare Space

Reply to: