You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Frank Leonhardt <fr...@extremecomputing.org.uk> on 2011/10/04 19:48:44 UTC
How do I stop SA checking mail from authenticated users
Here's the problem:
I have a single mail server (not commercial) using sendmail to accept
incoming mail from all sources, and filtering using spamassassin. It
also accepts mail from roaming users - encrypted mail using port 465 and
authenticating users with SASL, and is expected to relay this. It all
works fine except that the trusted mail goes through the milter like any
other, and if it's coming from a dodgy location there's a danger that SA
will block it. (This happens - sent from a WiFi hotspot, non-static DSL
or mobile network that's been blacklisted everywhere).
Is there an easy way I can treat trusted mail differently?
I can't say it's IP address is trusted - I'm out and about with a laptop
using dynamic IP addresses (okay, I could VPN if Android supported it
and...)
I can't easily check the Received: header in SA to determine if it's
from a local trusted user (see thread "Rule matching in a wrapped header").
I can see how to solve this using two or more servers, or running
sendmail in a jail or other crazy ideas. But surely this must be a
common problem with an easy solution - I just can't find one! Can anyone
please enlighten me before I crack, and end up writing YA replacement
for sendmail? Or if this is a trivial problem with one of these
new-fangled MTAs that sound almost a complicated, but a less familiar
than sendmail? After 20 years I'm almost okay with Sendmail and don't
want to start again without a good reason.
Thanks, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by Benny Pedersen <me...@junc.org>.
On Tue, 04 Oct 2011 18:48:44 +0100, Frank Leonhardt wrote:
> Is there an easy way I can treat trusted mail differently?
only if you have all ips untrusted, and make sure authed clients use
submission not port 25, where submission reject if not sasl authed, then
you can have diff milter for this or no milter at all :)
on top of that make sure trusted_networks internal_networks is set
currect in local.cf, it must contain all ips you have, and if you have
forwaring remote hosts that send forwarded mails to you add them as
trusted so spf not fire on this, but only do this if you trust this
verified host not to be a spam host it self
Re: How do I stop SA checking mail from authenticated users
Posted by Noel <no...@gmail.com>.
On 10/4/2011 1:59 PM, Frank Leonhardt wrote:
> Thanks Kris, Kelson and Noel - pretty unanimous answer - just
> don't call the milter for stuff on 465! Unfortunately I don't know
> how to achieve this, but I'll go off and do some research now I
> know what I'm trying to find.
The alternative is to configure your milter to skip mail based on
one of the milter authentication macros, such as auth_authen or
auth_author.
-- Noel Jones
Re: How do I stop SA checking mail from authenticated users
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 04/10/2011 22:52, Kris Deugau wrote:
> Frank Leonhardt wrote:
>> I think there's a terminology mis-match here. To me "milter" is a
>> sendmail mail filter, of which there can be any number configured (this
>> is me making no assumptions about Postfix &c). In this case it's just
>> spamass-milter (Georg C. F. Greve 2002)
>
> Nope, you've got the terminology straight.
>
> MIMEDefang is another (much more flexible) milter - which can call a
> great many other things to do its processing including SpamAssassin.
> IIRC amavis can be deployed as a milter. ClamAV ships one very
> similar to spamass-milter, in that it's dedicated to passing messages
> to ClamAV. There are several dedicated to SPF and DKIM.
>
<snip>
Thanks for the full explanation - the world of milters has obviously
passed me by. Another thing to research. It never occurred to me that
anyone would be using anything other than spamass-milter, which is why I
didn't understand why everyone asked what I was using.
I found the part of spamass-milter that's faking up the header easily
enough. The comment at the start of the block suggests its putting more
in the header than the code actually does - including authorisation stuff.
One kind and knowledgeable person emailed me an interesting bit I didn't
know about the sendmail.mc, and this might provide the solution (will
post when I know it works) - undocumented AFAIK, like most of this stuff!
Regards, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Tue, 04 Oct 2011 15:10:20 -0700
Ted Mittelstaedt <te...@ipinc.net> wrote:
> There is something to be said for the UNIX philosophy of "small
> is beautiful" You may love your MIMEdefang but why do I have to
> run it when this problem is so easily fixed?
This (alone) is no reason to run MIMEDefang. However, if you have
moderately-complex to hairy policy requirements, you may find that
MIMEDefang lets you code them up more maintainably than other
solutions. In that case, it's a fine idea to use MIMEDefang's
facilities for avoiding scanning authenticated mail.
Regards,
David.
Re: How do I stop SA checking mail from authenticated users - Solved
Posted by Benny Pedersen <me...@junc.org>.
On Wed, 05 Oct 2011 00:45:32 +0100, Frank Leonhardt wrote:
> Now solved! The solution is really simple but I'll collate all the
> facts and write it up properly.
>
> The quick answer is to add "InputMailFilters=" into the DaemonOptions
imho there is no quick answer, what you have now is just limited
solution to not scan authed mails, it can still contain malware virus
and or spam from authed users, yes most i see in my inbox confirm this
here i use clamav-milter for ALL mails called from postfix in before
queue , and spam scan all mails in after queue in amavisd-new, this
solves for me to not quarantine virus, and spam is now just tagged and
each users can filter it to junk folder with sieve, save me mailzu
installed :=)
Re: How do I stop SA checking mail from authenticated users - Solved
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 04/10/2011 23:45, Karsten Bräckelmann wrote:
> On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote:
>> This question comes up enough so that it ought to be in the FAQ.
> While I believe a FAQ does really not help all that much on and by
> itself, but instead serves as a handy place to point people to...
>
>
>
Now solved! The solution is really simple but I'll collate all the facts
and write it up properly.
The quick answer is to add "InputMailFilters=" into the DaemonOptions
line of the sendmail or .cf or .mc file.
You'll end up with a line something like:
DAEMON_OPTIONS(`Port=smtps, Name=SSLMTA, M=sa, InputMailFilters=')dnl
Each Daemon has it's own options INCLUDING the set of filters it uses -
in other words, confINPUT_MAIL_FILTERS isn't the only game in town. The
example above simply sets the list of filters to null. I haven't found
this documented anywhere yet, but it seems to work. Many thanks to PR in
France, who emailed me this vital piece of the jigsaw.
This obviously won't work if your using STARTTLS as an on port 25, but
that's a bit of a bodge anyway. If you're going to upload mail from a
public WiFi you should be using SSL and authentication, and port 25 will
probably be blocked anyway, so having to use 465 and forcing
authentication on (M=a) is no hardship.
Thanks to everyone who's helped get this sorted.
Regards, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote:
> This question comes up enough so that it ought to be in the FAQ.
While I believe a FAQ does really not help all that much on and by
itself, but instead serves as a handy place to point people to...
It's a wiki.
Please feel free to add it and discuss the topic as detailed as you seem
fit, possibly on a page of it's own for the glorious details, with a
shorter note in the FAQ. If you haven't been granted write permissions
in the ACL yet, I can handle that if you tell me your wiki username.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How do I stop SA checking mail from authenticated users
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 04/10/2011 23:10, Ted Mittelstaedt wrote:
> This question comes up enough so that it ought to be in the FAQ.
>
> spamass-milter as others have said does not pay attention to
> authenticated mail. Other milters do - but other milters are
> often a lot more complicated, and can run slower, to say nothing
> of having to learn additional configuration steps and possibly
> load additional dependent libraries on the server for the milters.
>
> There is something to be said for the UNIX philosophy of "small
> is beautiful" You may love your MIMEdefang but why do I have to
> run it when this problem is so easily fixed?
>
> The reason spamass-milter doesn't do this was documented
> http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html
>
>
> spamass-milter doesen't pass a complete Received line to Spamassassin
> so there is no way to exempt authenticated mail from spam scanning
> unless you do it in spamass-milter itself. The patch here does that:
>
> mail# diff -u spamass-milter.cpp.original spamass-milter.cpp
> --- spamass-milter.cpp.original 2009-01-15 14:43:32.000000000 -0800
> +++ spamass-milter.cpp 2009-01-15 14:45:05.000000000 -0800
> @@ -776,6 +776,12 @@
> struct context *sctx = (struct context *)smfi_getpriv(ctx);
> char *queueid;
>
> + if (smfi_getsymval (ctx, "{auth_type}") != NULL)
> + {
> + return SMFIS_ACCEPT;
> + }
> +
> +
> if (sctx == NULL)
> {
> debug(D_ALWAYS, "smfi_getpriv failed!");
> mail#
>
> Make sure you pass the -a flag to the milter or this patch is not
> activated
>
> ALSO NOTE:
>
> This spamass-milter patch is already present in a number of UNIX
> distributions. For example in the FreeBSD ports system it is
> a flag that is selected during the spamassassin build. I believe I've
> seen it mentioned in a Debian distro as well.
Thanks Ted! I was on the verge of adding something similar to the code
myself. I can't actually find the patch on the current FreeBSD ports
tree but it obviously goes at the start of mlfi_envfrom() in
spamass-milter.cpp
You're not wrong about this being a FAQ - trouble is it's not frequently
answered.
The solution I'm going for now is to use a different filter set for
daemons that have required authentication - a facility I didn't know
existed until an hour ago.
Regards, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by Ted Mittelstaedt <te...@ipinc.net>.
This question comes up enough so that it ought to be in the FAQ.
spamass-milter as others have said does not pay attention to
authenticated mail. Other milters do - but other milters are
often a lot more complicated, and can run slower, to say nothing
of having to learn additional configuration steps and possibly
load additional dependent libraries on the server for the milters.
There is something to be said for the UNIX philosophy of "small
is beautiful" You may love your MIMEdefang but why do I have to
run it when this problem is so easily fixed?
The reason spamass-milter doesn't do this was documented
http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html
spamass-milter doesen't pass a complete Received line to Spamassassin so
there is no way to exempt authenticated mail from spam scanning unless
you do it in spamass-milter itself. The patch here does that:
mail# diff -u spamass-milter.cpp.original spamass-milter.cpp
--- spamass-milter.cpp.original 2009-01-15 14:43:32.000000000 -0800
+++ spamass-milter.cpp 2009-01-15 14:45:05.000000000 -0800
@@ -776,6 +776,12 @@
struct context *sctx = (struct context *)smfi_getpriv(ctx);
char *queueid;
+ if (smfi_getsymval (ctx, "{auth_type}") != NULL)
+ {
+ return SMFIS_ACCEPT;
+ }
+
+
if (sctx == NULL)
{
debug(D_ALWAYS, "smfi_getpriv failed!");
mail#
Make sure you pass the -a flag to the milter or this patch is not activated
ALSO NOTE:
This spamass-milter patch is already present in a number of UNIX
distributions. For example in the FreeBSD ports system it is
a flag that is selected during the spamassassin build. I believe I've
seen it mentioned in a Debian distro as well.
Ted
On 10/4/2011 2:52 PM, Kris Deugau wrote:
> Frank Leonhardt wrote:
>> I think there's a terminology mis-match here. To me "milter" is a
>> sendmail mail filter, of which there can be any number configured (this
>> is me making no assumptions about Postfix &c). In this case it's just
>> spamass-milter (Georg C. F. Greve 2002)
>
> Nope, you've got the terminology straight.
>
> MIMEDefang is another (much more flexible) milter - which can call a
> great many other things to do its processing including SpamAssassin.
> IIRC amavis can be deployed as a milter. ClamAV ships one very similar
> to spamass-milter, in that it's dedicated to passing messages to ClamAV.
> There are several dedicated to SPF and DKIM.
>
> And any of them can be used with Postfix >= 2.3 (although IIRC some
> functions may not work well with Postfix 2.3).
>
> IIRC, spamass-milter isn't particularly configurable; it's either
> installed and passing all mail to SA, or not.
>
> Other milters *do* have a lot more flexibility in deciding what to do
> with any given message - for instance, since the "configuration" is a
> Perl script fragment, anything you can do to a stream of bytes or a file
> in Perl can be done by MIMEDefang. It uses SA a little differently (by
> default) in that it loads the SA Perl libraries, rather than passing a
> message to spamd.
>
> I recently migrated outbound filtering at work to MIMEDefang from a
> homebrew Postfix content filter. We have four or five intersecting sets
> of conditions that decide whether or not a given message will be
> scanned, and if so what threshold to reject the message at. The
> conditions are currently set by the presence and content of a collection
> of flatfiles, but we're planning on moving that data into a database
> sometime.
>
>> - nothing to do with MIMEDefang
>> and suchlike.
>
> Well, not exactly. sendmail <-> [some milter] <-> spamd (or the Perl SA
> libraries)
>
> [some milter] is spamass-milter in your case. I briefly tried a number
> of milters before settling on MIMEDefang for flexibility in implementing
> the full range of capabilities in the milter interface.
>
>> It's a daemon - hangs around on a socket and waits for
>> sendmail to give it an email.
>
> And it's up to the milter to decide what to do with that message.
> spamass-milter, IIRC, doesn't have many knobs to twist in this respect;
> it passes everything to SA.
>
>> It then calls spamc and sends the modified
>> message back to sendmail. It didn't occur to me that it'd be called
>> indirectly by one of the other general purpose milters, but I can see
>> that now.
>
> IIRC there *is* a milter-multiplexor milter that calls other milters,
> but I'm not sure what the real use-case is.
>
> > Fortunately for me it's written in 'C', so I've got a reasonable
> > chance of understanding it. I'm trawling through the source now.
>
> That's certainly an option. I'm not sure how active spamass-milter
> development is, and whether they'd accept a patch for a "bypass on SMTP
> AUTH" configuration switch - if not, you'll be carrying a custom patch.
>
> -kgd
Re: How do I stop SA checking mail from authenticated users
Posted by Kris Deugau <kd...@vianet.ca>.
Frank Leonhardt wrote:
> I think there's a terminology mis-match here. To me "milter" is a
> sendmail mail filter, of which there can be any number configured (this
> is me making no assumptions about Postfix &c). In this case it's just
> spamass-milter (Georg C. F. Greve 2002)
Nope, you've got the terminology straight.
MIMEDefang is another (much more flexible) milter - which can call a
great many other things to do its processing including SpamAssassin.
IIRC amavis can be deployed as a milter. ClamAV ships one very similar
to spamass-milter, in that it's dedicated to passing messages to ClamAV.
There are several dedicated to SPF and DKIM.
And any of them can be used with Postfix >= 2.3 (although IIRC some
functions may not work well with Postfix 2.3).
IIRC, spamass-milter isn't particularly configurable; it's either
installed and passing all mail to SA, or not.
Other milters *do* have a lot more flexibility in deciding what to do
with any given message - for instance, since the "configuration" is a
Perl script fragment, anything you can do to a stream of bytes or a file
in Perl can be done by MIMEDefang. It uses SA a little differently (by
default) in that it loads the SA Perl libraries, rather than passing a
message to spamd.
I recently migrated outbound filtering at work to MIMEDefang from a
homebrew Postfix content filter. We have four or five intersecting sets
of conditions that decide whether or not a given message will be
scanned, and if so what threshold to reject the message at. The
conditions are currently set by the presence and content of a collection
of flatfiles, but we're planning on moving that data into a database
sometime.
> - nothing to do with MIMEDefang
> and suchlike.
Well, not exactly. sendmail <-> [some milter] <-> spamd (or the Perl SA
libraries)
[some milter] is spamass-milter in your case. I briefly tried a number
of milters before settling on MIMEDefang for flexibility in implementing
the full range of capabilities in the milter interface.
> It's a daemon - hangs around on a socket and waits for
> sendmail to give it an email.
And it's up to the milter to decide what to do with that message.
spamass-milter, IIRC, doesn't have many knobs to twist in this respect;
it passes everything to SA.
> It then calls spamc and sends the modified
> message back to sendmail. It didn't occur to me that it'd be called
> indirectly by one of the other general purpose milters, but I can see
> that now.
IIRC there *is* a milter-multiplexor milter that calls other milters,
but I'm not sure what the real use-case is.
> Fortunately for me it's written in 'C', so I've got a reasonable
> chance of understanding it. I'm trawling through the source now.
That's certainly an option. I'm not sure how active spamass-milter
development is, and whether they'd accept a patch for a "bypass on SMTP
AUTH" configuration switch - if not, you'll be carrying a custom patch.
-kgd
Re: How do I stop SA checking mail from authenticated users
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 04/10/2011 20:17, Kris Deugau wrote:
> Frank Leonhardt wrote:
>> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call
>> the milter for stuff on 465! Unfortunately I don't know how to achieve
>> this, but I'll go off and do some research now I know what I'm trying to
>> find.
>
> As far as I'm aware you can't bypass a milter - you would have to
> *configure* the milter to not pass the message to SA. You still
> haven't said which one you're using so none of us can give you any
> more specific advice (ie, of the "been there, done that" kind).
I think there's a terminology mis-match here. To me "milter" is a
sendmail mail filter, of which there can be any number configured (this
is me making no assumptions about Postfix &c). In this case it's just
spamass-milter (Georg C. F. Greve 2002) - nothing to do with MIMEDefang
and suchlike. It's a daemon - hangs around on a socket and waits for
sendmail to give it an email. It then calls spamc and sends the modified
message back to sendmail. It didn't occur to me that it'd be called
indirectly by one of the other general purpose milters, but I can see
that now.
Fortunately for me it's written in 'C', so I've got a reasonable chance
of understanding it. I'm trawling through the source now.
Regards, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by Kris Deugau <kd...@vianet.ca>.
Frank Leonhardt wrote:
> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call
> the milter for stuff on 465! Unfortunately I don't know how to achieve
> this, but I'll go off and do some research now I know what I'm trying to
> find.
As far as I'm aware you can't bypass a milter - you would have to
*configure* the milter to not pass the message to SA. You still haven't
said which one you're using so none of us can give you any more specific
advice (ie, of the "been there, done that" kind).
-kgd
Re: How do I stop SA checking mail from authenticated users
Posted by Benny Pedersen <me...@junc.org>.
On Wed, 05 Oct 2011 17:02:12 +0100, Frank Leonhardt wrote:
> As I mentioned elsewhere, the problem is solved for my purposes but
> I'm planning to write a comprehensive answer to this whole issue.
whitelist_auth me@junc.org
priority USER_IN_DKIM_WHITELIST -2000
shortcircuit USER_IN_DKIM_WHITELIST on
in local.cf, maybe adjust priotity as needed so only dkim is tested
works ok for me
Re: How do I stop SA checking mail from authenticated users
Posted by Giles Coochey <gi...@coochey.net>.
On Wed, October 5, 2011 18:02, Frank Leonhardt wrote:
>
> On 05/10/2011 16:23, Giles Coochey wrote:
>> On Tue, October 4, 2011 20:59, Frank Leonhardt wrote:
>>> On 04/10/2011 19:22, Kris Deugau wrote:
>>>> Frank Leonhardt wrote:
>>>>> Here's the problem:
>>>>>
>>>>> I have a single mail server (not commercial) using sendmail to accept
>>>>> incoming mail from all sources, and filtering using spamassassin. It
>>>>> also accepts mail from roaming users - encrypted mail using port 465
>>>>> and
>>>>> authenticating users with SASL, and is expected to relay this. It all
>>>>> works fine except that the trusted mail goes through the milter like
>>>>> any
>>>>> other, and if it's coming from a dodgy location there's a danger that
>>>>> SA
>>>>> will block it. (This happens - sent from a WiFi hotspot, non-static
>>>>> DSL
>>>>> or mobile network that's been blacklisted everywhere).
>>>>>
>>>>> Is there an easy way I can treat trusted mail differently?
>>>> Configure whatever actually calls SA to not do so on authenticated
>>>> mail.
>>>>
>>>> This is possible with MIMEDefang, may be possible with amavis. I
>>>> can't say about other milters - you don't say how you're calling SA
>>>> from sendmail.
>>>>
>>>> FWIW, this general answer applies no matter where in the mail chain
>>>> you're calling SA - if you don't want it scanned, configure whatever
>>>> calls SA to skip the call on whatever conditions you want. Whether
>>>> you *can* actually configure<x> to do this is another matter.
>>>>
>>> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't
>>> call
>>> the milter for stuff on 465! Unfortunately I don't know how to achieve
>>> this, but I'll go off and do some research now I know what I'm trying
>>> to
>>> find.
>>>
>> I use a version of spamass-milter, 0.3.2.
>>
>> It has the following option:
>>
>> -I: skip (ignore) checks if sender is authenticated
>>
> Interesting... but my version of 0.3.2 lacks this option (in the
> documentation, and in the source code). I'm curious to know how the
> milter could actually tell.
>
> Have you any idea where you version of 0.3.2 came from?
>
> As I mentioned elsewhere, the problem is solved for my purposes but I'm
> planning to write a comprehensive answer to this whole issue.
>
I use the city-fan.org repo under CentOS for spamassassin related stuff:
[city-fan.org]
name=city-fan.org repository for Red Hat Enterprise Linux (and clones)
$releasev
er ($basearch)
#baseurl=http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basear
ch
mirrorlist=http://mirror.city-fan.org/ftp/contrib/yum-repo/mirrorlist-rhel$relea
sever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-city-fan.org
priority=1
Re: How do I stop SA checking mail from authenticated users
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 05/10/2011 16:23, Giles Coochey wrote:
> On Tue, October 4, 2011 20:59, Frank Leonhardt wrote:
>> On 04/10/2011 19:22, Kris Deugau wrote:
>>> Frank Leonhardt wrote:
>>>> Here's the problem:
>>>>
>>>> I have a single mail server (not commercial) using sendmail to accept
>>>> incoming mail from all sources, and filtering using spamassassin. It
>>>> also accepts mail from roaming users - encrypted mail using port 465
>>>> and
>>>> authenticating users with SASL, and is expected to relay this. It all
>>>> works fine except that the trusted mail goes through the milter like
>>>> any
>>>> other, and if it's coming from a dodgy location there's a danger that
>>>> SA
>>>> will block it. (This happens - sent from a WiFi hotspot, non-static DSL
>>>> or mobile network that's been blacklisted everywhere).
>>>>
>>>> Is there an easy way I can treat trusted mail differently?
>>> Configure whatever actually calls SA to not do so on authenticated mail.
>>>
>>> This is possible with MIMEDefang, may be possible with amavis. I
>>> can't say about other milters - you don't say how you're calling SA
>>> from sendmail.
>>>
>>> FWIW, this general answer applies no matter where in the mail chain
>>> you're calling SA - if you don't want it scanned, configure whatever
>>> calls SA to skip the call on whatever conditions you want. Whether
>>> you *can* actually configure<x> to do this is another matter.
>>>
>> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call
>> the milter for stuff on 465! Unfortunately I don't know how to achieve
>> this, but I'll go off and do some research now I know what I'm trying to
>> find.
>>
> I use a version of spamass-milter, 0.3.2.
>
> It has the following option:
>
> -I: skip (ignore) checks if sender is authenticated
>
Interesting... but my version of 0.3.2 lacks this option (in the
documentation, and in the source code). I'm curious to know how the
milter could actually tell.
Have you any idea where you version of 0.3.2 came from?
As I mentioned elsewhere, the problem is solved for my purposes but I'm
planning to write a comprehensive answer to this whole issue.
Thanks, Frank.
Re: How do I stop SA checking mail from authenticated users
Posted by Giles Coochey <gi...@coochey.net>.
On Tue, October 4, 2011 20:59, Frank Leonhardt wrote:
> On 04/10/2011 19:22, Kris Deugau wrote:
>> Frank Leonhardt wrote:
>>> Here's the problem:
>>>
>>> I have a single mail server (not commercial) using sendmail to accept
>>> incoming mail from all sources, and filtering using spamassassin. It
>>> also accepts mail from roaming users - encrypted mail using port 465
>>> and
>>> authenticating users with SASL, and is expected to relay this. It all
>>> works fine except that the trusted mail goes through the milter like
>>> any
>>> other, and if it's coming from a dodgy location there's a danger that
>>> SA
>>> will block it. (This happens - sent from a WiFi hotspot, non-static DSL
>>> or mobile network that's been blacklisted everywhere).
>>>
>>> Is there an easy way I can treat trusted mail differently?
>>
>> Configure whatever actually calls SA to not do so on authenticated mail.
>>
>> This is possible with MIMEDefang, may be possible with amavis. I
>> can't say about other milters - you don't say how you're calling SA
>> from sendmail.
>>
>> FWIW, this general answer applies no matter where in the mail chain
>> you're calling SA - if you don't want it scanned, configure whatever
>> calls SA to skip the call on whatever conditions you want. Whether
>> you *can* actually configure <x> to do this is another matter.
>>
>
> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call
> the milter for stuff on 465! Unfortunately I don't know how to achieve
> this, but I'll go off and do some research now I know what I'm trying to
> find.
>
I use a version of spamass-milter, 0.3.2.
It has the following option:
-I: skip (ignore) checks if sender is authenticated
Re: How do I stop SA checking mail from authenticated users
Posted by Frank Leonhardt <fr...@extremecomputing.org.uk>.
On 04/10/2011 19:22, Kris Deugau wrote:
> Frank Leonhardt wrote:
>> Here's the problem:
>>
>> I have a single mail server (not commercial) using sendmail to accept
>> incoming mail from all sources, and filtering using spamassassin. It
>> also accepts mail from roaming users - encrypted mail using port 465 and
>> authenticating users with SASL, and is expected to relay this. It all
>> works fine except that the trusted mail goes through the milter like any
>> other, and if it's coming from a dodgy location there's a danger that SA
>> will block it. (This happens - sent from a WiFi hotspot, non-static DSL
>> or mobile network that's been blacklisted everywhere).
>>
>> Is there an easy way I can treat trusted mail differently?
>
> Configure whatever actually calls SA to not do so on authenticated mail.
>
> This is possible with MIMEDefang, may be possible with amavis. I
> can't say about other milters - you don't say how you're calling SA
> from sendmail.
>
> FWIW, this general answer applies no matter where in the mail chain
> you're calling SA - if you don't want it scanned, configure whatever
> calls SA to skip the call on whatever conditions you want. Whether
> you *can* actually configure <x> to do this is another matter.
>
Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call
the milter for stuff on 465! Unfortunately I don't know how to achieve
this, but I'll go off and do some research now I know what I'm trying to
find.
Regards, Frank.
--
--------------
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Posted by Kris Deugau <kd...@vianet.ca>.
Frank Leonhardt wrote:
> Here's the problem:
>
> I have a single mail server (not commercial) using sendmail to accept
> incoming mail from all sources, and filtering using spamassassin. It
> also accepts mail from roaming users - encrypted mail using port 465 and
> authenticating users with SASL, and is expected to relay this. It all
> works fine except that the trusted mail goes through the milter like any
> other, and if it's coming from a dodgy location there's a danger that SA
> will block it. (This happens - sent from a WiFi hotspot, non-static DSL
> or mobile network that's been blacklisted everywhere).
>
> Is there an easy way I can treat trusted mail differently?
Configure whatever actually calls SA to not do so on authenticated mail.
This is possible with MIMEDefang, may be possible with amavis. I can't
say about other milters - you don't say how you're calling SA from sendmail.
FWIW, this general answer applies no matter where in the mail chain
you're calling SA - if you don't want it scanned, configure whatever
calls SA to skip the call on whatever conditions you want. Whether you
*can* actually configure <x> to do this is another matter.
-kgd
Re: How do I stop SA checking mail from authenticated users
Posted by Noel <no...@gmail.com>.
On 10/4/2011 12:48 PM, Frank Leonhardt wrote:
> Here's the problem:
>
> I have a single mail server (not commercial) using sendmail to
> accept incoming mail from all sources, and filtering using
> spamassassin. It also accepts mail from roaming users - encrypted
> mail using port 465 and authenticating users with SASL, and is
> expected to relay this. It all works fine except that the trusted
> mail goes through the milter like any other, and if it's coming
> from a dodgy location there's a danger that SA will block it.
> (This happens - sent from a WiFi hotspot, non-static DSL or mobile
> network that's been blacklisted everywhere).
>
> Is there an easy way I can treat trusted mail differently?
Don't run the milter on ports that only accept authenticated
connections.
RE: How do I stop SA checking mail from authenticated users
Posted by Kelson Vibber <KV...@tollfreeforwarding.com>.
> -----Original Message-----
> From: Frank Leonhardt [mailto:frank1@extremecomputing.org.uk]
>
> I have a single mail server (not commercial) using sendmail to accept
> incoming mail from all sources, and filtering using spamassassin. It also
> accepts mail from roaming users - encrypted mail using port 465 and
> authenticating users with SASL, and is expected to relay this. It all works fine
> except that the trusted mail goes through the milter like any other, and if it's
> coming from a dodgy location there's a danger that SA will block it. (This
> happens - sent from a WiFi hotspot, non-static DSL or mobile network that's
> been blacklisted everywhere).
>
> Is there an easy way I can treat trusted mail differently?
Short answer: You need to configure this at the milter or sendmail level and not send the mail to SpamAssassin to begin with.
Slightly longer answer:
It's been a while since I worked with Sendmail, but we used to do exactly this. Basically, it boils down to one of two things:
1. Use a separate config for the submission port that doesn't send stuff through the milter. (I forget whether this is possible, so if it's not, never mind.)
2. Configure your milter to check whether the message is authenticated (IIRC, you look for the "auth_type" macro), and not send those messages to spamassassin. (This is what we did.)
You don't say what milter you're using. We were using MIMEDefang, and I remember we had to do two things: set MD up to read the Sendmail macros, then add the code to our MD filter to check for the macro before sending mail to SA.
Sorry I couldn't be of more detailed help, but this should at least point you in the right direction.
--Kelson Vibber