
Re: spamassassin/postfix - not accepting the false "from" messages



## Wojciech Ziniewicz (wojciech.ziniewicz@gmail.com):

>  Let's suppose that i am
> using the xxx@xxx.com domain and all spam from !xxx.com is filtered
> but spam with "reply-to" and "from" set to xxx@xxx.com is not filtered
> (spamass automatically assigns -100 hits for such a message).

Bad idea.

> My question is - how to avoid this situation - users obviously are
> very nervous saying "who was using my account ?" etc...

Best: separate your MX and your smarthost and route internal mail
internally.
Second best: Whitelist authenticated mail, not just some header.
I use the following, which is based on some or another remark by
Bill Boebel:
Assume a before-queue filter (smtpd_proxy_filter setup).
Set up your restrictions in Postfix, first allowing all authenticated
mail, then rejecting what should not be accepted as per policy, then add
a local header. I use smtpd_data_restrictions as follows:
smtpd_data_restrictions =
	permit_sasl_authenticated
	permit_tls_clientcerts
	<other stuff>
	check_client_access pcre:/etc/postfix/add_header
However, the second Postfix instance (which receives the mail coming
from amavisd) has "-o smtpd_data_restrictions=" set via master.cf.

In add_header, I have one simple line to add a new header to each mail
which isn't already accepted by the first lines:
/.*/ PREPEND X-MyID-Auth: No
(MyID should be some identifier for your system).

Then just add a rule for spamassassin:
header __LOCAL_AUTHMAIL X-MyID-Auth =~ /^No$/
meta LOCAL_AUTHMAIL !__LOCAL_AUTHMAIL
describe LOCAL_AUTHMAIL Whitelisted by authentication
tflags LOCAL_AUTHMAIL nice
score LOCAL_AUTHMAIL -100

All mail without the "not-authenticated header" will get -100 points
whitelisting. The "not-authenticated header" is forced into all mails
coming per non-authenticated SMTP (here: no SASL authentication, no
client certificate; fit to your needs). Works quite nicely here for
quite some time.

Regards
Christoph

-- 
Spare Space
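The decision path Christoph describes, emulated in Python as an added example (this is not code from the post, from Postfix or from SpamAssassin). It models the first smtpd instance's restriction list (permit authenticated sessions, otherwise PREPEND "X-MyID-Auth: No" in front of whatever headers the client sent) and the LOCAL_AUTHMAIL rule (score -100 when no such header is present), then runs it over three constructed messages: an authenticated internal user, an unauthenticated sender spoofing From/Reply-To, and an unauthenticated sender who adds a fake "X-MyID-Auth: Yes" header. The Session class, the function names and the sample messages are assumptions of this example; only the header name, rule names and score come from the post. The emulation also assumes that any header instance equal to "No" counts, so the forged "Yes" does not help the sender.

```python
"""Emulation of authenticated-mail whitelisting via a prepended header.

Added example, not code from the original message. Step 1 models the
first Postfix instance's smtpd_data_restrictions, step 2 models the
SpamAssassin LOCAL_AUTHMAIL rule. Session, first_instance_mta,
local_authmail_hits, score_delta and the sample messages are invented
for the demonstration; header and rule names are taken from the post.
"""
from dataclasses import dataclass
from email import message_from_string

AUTH_HEADER = "X-MyID-Auth"      # header name from the post
LOCAL_AUTHMAIL_SCORE = -100.0    # score from the post's rule


@dataclass
class Session:
    """Assumed SMTP session facts Postfix knows when DATA is reached."""
    sasl_authenticated: bool = False
    tls_clientcert: bool = False


def first_instance_mta(session: Session, raw: str) -> str:
    """Emulate the first instance's smtpd_data_restrictions.

    permit_sasl_authenticated / permit_tls_clientcerts end the evaluation,
    so nothing is added. Everything else reaches the pcre table whose
    /.*/ PREPEND action puts the header in front of the client's own
    headers, no matter what From:, Reply-To: or X-MyID-Auth the client
    supplied. (The second instance has an empty restriction list and is
    therefore not modelled.)
    """
    if session.sasl_authenticated or session.tls_clientcert:
        return raw
    return f"{AUTH_HEADER}: No\n" + raw


def local_authmail_hits(raw: str) -> bool:
    """Emulate:  header __LOCAL_AUTHMAIL X-MyID-Auth =~ /^No$/
                 meta   LOCAL_AUTHMAIL   !__LOCAL_AUTHMAIL

    Assumption of this emulation: every instance of the header is
    inspected and any value exactly equal to "No" counts as a sub-rule
    hit, so a client-supplied "X-MyID-Auth: Yes" next to the MTA's
    prepended "No" still yields no whitelisting.
    """
    msg = message_from_string(raw)
    values = [v.strip() for v in msg.get_all(AUTH_HEADER, [])]
    sub_hit = any(v == "No" for v in values)
    return not sub_hit


def score_delta(session: Session, raw: str) -> float:
    """Score contribution of LOCAL_AUTHMAIL for a message on a session."""
    delivered = first_instance_mta(session, raw)
    return LOCAL_AUTHMAIL_SCORE if local_authmail_hits(delivered) else 0.0


# Constructed sample messages (not taken from the post).
INTERNAL_USER = (
    "From: alice@xxx.com\nTo: bob@xxx.com\nSubject: lunch\n\n12:30?\n"
)
SPOOFED_FROM = (
    "From: alice@xxx.com\nReply-To: alice@xxx.com\nTo: bob@xxx.com\n"
    "Subject: cheap pills\n\nbuy now\n"
)
FORGED_AUTH_HEADER = (
    "X-MyID-Auth: Yes\nFrom: alice@xxx.com\nTo: bob@xxx.com\n"
    "Subject: cheap pills\n\nbuy now\n"
)


def demo() -> dict:
    """Run the four cases a practitioner would want to see side by side."""
    cases = {
        "SASL user, own-domain From": (Session(sasl_authenticated=True), INTERNAL_USER),
        "TLS client cert, own-domain From": (Session(tls_clientcert=True), INTERNAL_USER),
        "unauthenticated, spoofed From/Reply-To": (Session(), SPOOFED_FROM),
        "unauthenticated, forged X-MyID-Auth: Yes": (Session(), FORGED_AUTH_HEADER),
    }
    return {name: score_delta(s, m) for name, (s, m) in cases.items()}


if __name__ == "__main__":
    for name, delta in demo().items():
        print(f"{delta:7.1f}  {name}")
```

The point the emulation makes is that the whitelisting decision is bound to the SMTP session (SASL or client certificate), not to anything inside the message, so a sender who can write arbitrary headers gains nothing from them.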


