
Re: Bypass spamassassin on smtp authenticated users


If anyone is interested, I made it work with Postfix by adding a line like this:

smtpd_data_restrictions = reject_unauth_pipelining,permit_sasl_authenticated, check_client_access pcre:/etc/postfix/add_auth_header.pcre

And creating /etc/postfix/add_auth_header.pcre with this content:
/^/ PREPEND X-some-header: no

This will add a header to unauthenticated users, so your customFunction would be:

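    foreach (@{$message->{headers}}) {
            # Marker present: the message came from an unauthenticated client
            if (/X-some-header: no/) {
                    MailScanner::Log::InfoLog("Message %s from (%s) is NOT authenticated", $message->{id}, $message->{fromuser});
                    return 1;
            }
    }
    return 0;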

I think this way the header is no longer a secret.

Jim Barber wrote:
On Friday 19 September 2008 14:05:21, Carlos Acedo wrote:

I'm using postfix, mailscanner and spamassassin in my mail server, is
there a way to avoid spamassassin to check for spam in smtp authenticated
users mail?


This is a question probably better asked on the MailScanner mailing list.
But here's what I do (I use Exim, MailScanner, and SpamAssassin).

I've created a Perl module called CheckSMTPAuth.pm that I've placed in the /etc/MailScanner/CustomFunctions/ directory.
Its contents (slightly modified here) are as follows:

    package MailScanner::CustomConfig;

    # Package to check message headers to determine if a message was
    # received via an SMTP AUTH connection.
    # The header it is checking for is configured to be added by the Exim
    # mail server when an authenticated session is detected.
    # Using this function, I can add the following to MailScanner.conf
    # to skip spam checks for authenticated users:
    #       Spam Checks = &CheckSMTPAuth

    use strict;

    sub InitCheckSMTPAuth {
            # Empty
    }

    sub EndCheckSMTPAuth {
            # Empty
    }

    # Returns 0 (skip spam checks) when the marker header is present, 1 otherwise.
    sub CheckSMTPAuth {
            my ($message) = @_;
            return 1 unless $message;

            foreach (@{$message->{headers}}) {
                    if (/X-Some-Header-Added-For-Authenticated-Users: Yes/) {
                            MailScanner::Log::InfoLog("Message %s from (%s) is authenticated", $message->{id}, $message->{fromuser});
                            return 0;
                    }
            }
            return 1;
    }

    1;


As you can see in the comments, I call this from the 'Spam Checks' directive in the MailScanner.conf file. It also relies on your mail server adding a header when authenticated users are encountered. For the above code example I just wrote it as X-Some-Header-Added-For-Authenticated-Users: but that's not what I use.
The header added shouldn't be known to the outside world.
It's important to also make sure your mail server strips this header from any outgoing emails.
You don't want people to know what it is.
I don't know how this is done in postfix so you'll have to research that yourself.
For Exim I do the following:

To add the header, add the following to the acl_check_rcpt section of the Debian exim config:

      authenticated = *
      add_header = X-Some-Header-Added-For-Authenticated-Users: Yes
      control = submission/sender_retain

To strip the headers from outgoing emails, add the following to the remote_smtp transport in the Debian exim config:

    headers_remove = \

Hopefully that helps and gives you an idea of what to do with postfix.


Jim Barber
DDI Health
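
Added example, not part of the original thread or of MailScanner: the Perl script below runs both header-marker designs discussed above on constructed header lists, including messages whose sender supplied the marker. `mta_a`, `mta_b` and `strip_marker` are hypothetical stand-ins for what the mail server does, and the header names are the thread's placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Header names are the thread's placeholders;
# mta_a, mta_b and strip_marker are hypothetical stand-ins for the MTA's behaviour.
use strict;
use warnings;

my $POS = 'X-Some-Header-Added-For-Authenticated-Users';   # design A marker
my $NEG = 'X-some-header';                                  # design B marker

# Design A (Exim setup): the MTA adds the marker to authenticated mail.
sub mta_a { my ($auth, @h) = @_; return $auth ? ("$POS: Yes", @h) : @h; }
# Design B (Postfix setup): the MTA prepends the marker to unauthenticated mail.
sub mta_b { my ($auth, @h) = @_; return $auth ? @h : ("$NEG: no", @h); }
# Assumed ingress step for design A: drop any marker the client supplied.
sub strip_marker { return grep { !/^\Q$POS\E:/i } @_; }

# Both checks return 1 to run spam checks and 0 to skip them, as in the thread.
sub check_a { for (@_) { return 0 if /^\Q$POS\E: Yes/i } return 1; }
sub check_b { for (@_) { return 1 if /^\Q$NEG\E: no/i } return 0; }

# Constructed messages: [label, authenticated?, headers sent by the client]
my @cases = (
    ['authenticated user',       1, 'Subject: hello'],
    ['outside sender',           0, 'Subject: hello'],
    ['outside sender, forged A', 0, "$POS: Yes", 'Subject: hello'],
    ['outside sender, forged B', 0, "$NEG: no",  'Subject: hello'],
);

printf "%-26s %-8s %-10s %-8s\n", 'message', 'A', 'A+strip', 'B';
for my $c (@cases) {
    my ($label, $auth, @sent) = @$c;
    my $ra = check_a(mta_a($auth, @sent));                 # design A as posted
    my $rs = check_a(mta_a($auth, strip_marker(@sent)));   # design A with ingress strip
    my $rb = check_b(mta_b($auth, @sent));                 # design B
    printf "%-26s %-8s %-10s %-8s\n", $label,
        map { $_ ? 'scan' : 'skip' } $ra, $rs, $rb;
}
```

Only the positive-marker design without ingress stripping skips checks for the message carrying a client-supplied marker; the negative marker fails closed, which is why it does not need to stay secret.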
