Posted to users@spamassassin.apache.org by Leonardo Rodrigues Magalhães <le...@solutti.com.br> on 2006/01/05 13:27:06 UTC

dealing with SPF and external authenticated users

    Hello Guys,

    I have SA running with amavisd/postfix. I also have several external
users with dynamic IP addresses which are allowed to relay using my
server because they authenticate, I have SASL running.

    The problem is that right after publishing my SPF information and
enabling SA to process SPF data, I have some messages from my users,
which are allowed to relay because they authenticated, hitting the
SPF_FAIL rule.

    What would be the correct way of dealing with this situation? As a
workaround I have used whitelist_from_rvc *@mydomain.com, which seems to
be a great workaround, because I have rules in postfix that do not allow
external users that do NOT authenticate to send messages with my own
domain, not even to my local users.

-- 


	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it





Re: dealing with SPF and external authenticated users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 05/01/2006 1:56 PM, Jason Haar wrote:
> Leonardo Rodrigues Magalhães wrote:
> 
>>   Hello Guys,
>>
>>   I have SA running with amavisd/postfix. I also have several
>>external users with dynamic IP addresses which are allowed to relay
>>using my server because they authenticate, I have SASL running.
>>
>>   The problem is that right after publishing my SPF information and
>>enabling SA to process SPF data, I have some messages from my users,
>>which are allowed to relay because they authenticated, hitting the
>>SPF_FAIL rule.
> 
> I'd love to hear the answer too. As a long time Qmail user, this issue
> is easily dealt to as Qmail sets environment variables telling you if
> the current mail message is from a RELAYCLIENT (i.e. a trusted IP or an
> authenticated user). As such, tools such as Qmail-Scanner default to not
> running SA over "locally" generated mails - which stops this issue entirely.
> 
> I've always wanted to know how to do the same thing in Postfix...

The problem with Postfix is that it doesn't insert an RFC 3848 
compatible (or any other) auth token in its received headers.

Apparently Postfix 2.3 will include an option to include an auth token 
(thanks for budging on this Wietse!), which will allow SpamAssassin to 
automatically extend its trust boundary to auth'd users.

Until then, according to David Hollis (see Dec 16/05 message to this 
list) there is a patch available for Postfix to include such a token.


If you want to do the same in Qmail, there's a patch available from 
Erwin Hoffmann at: http://www.fehcom.de/qmail/smtpauth.html#PATCHES


Daryl
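
The check that an auth token in the Received header makes possible, as an added example (not part of the original post and not SpamAssassin's own code): it accepts either an RFC 3848 `with ESMTPA`/`ESMTPSA` keyword or the comment written by Postfix's `smtpd_sasl_authenticated_header` option, and only in the topmost header stamped by your own MTA. The host name `mail.example.org` and both sample messages are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol types that mean SMTP AUTH succeeded.
AUTH_WITH = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
# Comment token Postfix writes when smtpd_sasl_authenticated_header = yes.
POSTFIX_AUTH_RE = re.compile(r"\(Authenticated sender:[^)]+\)", re.I)

def authenticated_submission(raw_message, our_mta):
    """True only if the topmost Received header was written by our_mta
    and records an authenticated session. Lower headers are supplied by
    the sender and are never consulted."""
    received = message_from_string(raw_message).get_all("Received", [])
    if not received:
        return False
    top = " ".join(received[0].split())  # unfold continuation lines
    by = BY_RE.search(top)
    if not by or by.group(1).lower() != our_mta.lower():
        return False
    proto = WITH_RE.search(top)
    if proto and proto.group(1).upper() in AUTH_WITH:
        return True
    return bool(POSTFIX_AUTH_RE.search(top))

# Constructed samples (hypothetical hosts and users, documentation IPs).
AUTHED = (
    "Received: from laptop (unknown [203.0.113.7])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4F1A2\n"
    "\tfor <bob@example.net>; Thu, 5 Jan 2006 13:27:06 +0000\n"
    "From: alice@example.org\n\nhi\n"
)
# Unauthenticated top hop; the lower header claiming ESMTPA came with the message.
SPOOFED_LOWER = (
    "Received: from client (unknown [198.51.100.9])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 9C0DE\n"
    "Received: from x (x [192.0.2.1])\n"
    "\tby mail.example.org (Postfix) with ESMTPA id 00000\n"
    "From: alice@example.org\n\nhi\n"
)

if __name__ == "__main__":
    for name, raw in (("authed", AUTHED), ("spoofed", SPOOFED_LOWER)):
        print(name, authenticated_submission(raw, "mail.example.org"))
```

Only messages for which this returns true belong inside the trust boundary, so SPF is evaluated against the connecting IP for everything else.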


Re: dealing with SPF and external authenticated users

Posted by Jason Haar <Ja...@trimble.co.nz>.
Leonardo Rodrigues Magalhães wrote:
>
>    Hello Guys,
>
>    I have SA running with amavisd/postfix. I also have several
> external users with dynamic IP addresses which are allowed to relay
> using my server because they authenticate, I have SASL running.
>
>    The problem is that right after publishing my SPF information and
> enabling SA to process SPF data, I have some messages from my users,
> which are allowed to relay because they authenticated, hitting the
> SPF_FAIL rule.
I'd love to hear the answer too. As a long time Qmail user, this issue
is easily dealt to as Qmail sets environment variables telling you if
the current mail message is from a RELAYCLIENT (i.e. a trusted IP or an
authenticated user). As such, tools such as Qmail-Scanner default to not
running SA over "locally" generated mails - which stops this issue entirely.

I've always wanted to know how to do the same thing in Postfix...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: dealing with SPF and external authenticated users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 05/01/2006 7:27 AM, Leonardo Rodrigues Magalhães wrote:
> 
>    Hello Guys,
> 
>    I have SA running with amavisd/postfix. I also have several external
> users with dynamic IP addresses which are allowed to relay using my
> server because they authenticate, I have SASL running.
>
>    The problem is that right after publishing my SPF information and
> enabling SA to process SPF data, I have some messages from my users,
> which are allowed to relay because they authenticated, hitting the
> SPF_FAIL rule.
>
>    What would be the correct way of dealing with this situation? As a
> workaround I have used whitelist_from_rvc *@mydomain.com, which seems to
> be a great workaround, because I have rules in postfix that do not allow
> external users that do NOT authenticate to send messages with my own
> domain, not even to my local users.

There's nothing wrong with that solution since you have Postfix set up to
refuse mail to local addresses from un-auth'd users.


Daryl