You could use restriction classes, like so:

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_client_access cidr:/etc/postfix/from_chinese_client
        check_recipient_access pcre:/etc/postfix/dspam_incoming
        permit

smtpd_restriction_classes = from_chinese

from_chinese =
        check_sender_access pcre:/etc/postfix/from_chinese_sender
        permit


contents of from_chinese_client

192.168.0.1/32  from_chinese



contents of from_chinese_sender

/[EMAIL PROTECTED]/     PERMIT
/./     FILTER  dspam:unix:/tmp/dspam.sock


So... in the smtpd_recipient_restrictions, we look for the Chinese server in the cidr map. If we match on that, we kick ourselves into the from_chinese restriction class... all others simply continue to the dspam_incoming check. Once we have matched based on the client, we then force another check based on the sender's domain (this isn't foolproof, as spammers coming from that Chinese server can still spoof the from address, but it's less likely to happen). If you are sending from the right domain, we permit the email with no spam checking; if you are coming from any other domain, you get spam filtered by the /./ catchall.


As I said, it's not foolproof, but the risks are greatly reduced.

Todd
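
Added example (not part of the original message, and not Postfix code): a small Python model of the decision flow described above, showing which client/sender pairs bypass dspam. The IP 192.0.2.10, the domain client.example and the catch-all content of dspam_incoming are assumptions; permit_mynetworks and reject_unauth_destination are left out.

```python
import ipaddress
import re

DSPAM = "FILTER dspam:unix:/tmp/dspam.sock"

# Constructed stand-ins for the three lookup tables (placeholder IP and domain).
CLIENT_CIDR = [("192.0.2.10/32", "from_chinese")]                # from_chinese_client
SENDER_PCRE = [(r"@client\.example$", "PERMIT"), (r".", DSPAM)]  # from_chinese_sender
INCOMING_PCRE = [(r".", DSPAM)]                                  # dspam_incoming (assumed)


def cidr_lookup(table, ip):
    """First matching network wins, as in a Postfix cidr: table."""
    addr = ipaddress.ip_address(ip)
    for net, action in table:
        if addr in ipaddress.ip_network(net):
            return action
    return None


def pcre_lookup(table, key):
    """First matching pattern wins; pcre: tables ignore case by default."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action
    return None


def content_filter(client_ip, sender, recipient):
    """Return the filter a message is routed to, or None if it bypasses dspam."""
    if cidr_lookup(CLIENT_CIDR, client_ip) == "from_chinese":
        # Restriction class: the sender check decides, then the class permits.
        action = pcre_lookup(SENDER_PCRE, sender)
    else:
        # Every other client falls through to the recipient check.
        action = pcre_lookup(INCOMING_PCRE, recipient)
    if action and action.startswith("FILTER "):
        return action.split(None, 1)[1]
    return None  # PERMIT or no match: no content filter is set


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "wang@client.example"),
                       ("192.0.2.10", "promo@bulk.example"),
                       ("198.51.100.7", "wang@client.example")]:
        print(ip, sender, "->", content_filter(ip, sender, "staff@us.example"))
```

The second and third cases show that neither the listed server alone nor the sender domain alone is enough to skip dspam; only the combination is.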








Andy Durant wrote:
They aren't my users though, they are clients of ours using their own
SMTP servers that are based in China. (We are in Canada)  They are
trying to send email to us and its all getting picked off by dspam, I'm
assuming because it's all in Chinese.  I then have to forward the email
to the original recipient (internal user) but the Chinese characters get
corrupted in the process and it becomes illegible.

My concern with white listing the IP is the sending server sends mail
for a multitude of users from all different companies, and white listing
that IP would relay open us up to spam from half of China

I can't think of a solution that would accept mail from the specific
users but disallow the rest of sending servers users not to spam us.
Letting the specific email addresses bypass dspam exposes us to the
least amount of risk.
Andy




-----Original Message-----
From: John Peacock [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 1:07 PM
To: Andy Durant
Cc: Todd S. Florman; [email protected]
Subject: Re: [dspam-users] Specific domains bypass dspam?

Andy Durant wrote:
I thought about that but some of the customers in question are based in
China and are on a shared server with thousands of non-related users.

Rather than whitelist by address (which as I said is easily forged), you should be setting up SMTP AUTH, so the users in China still use your server to send mail out. If you find that port 25 is blocked in China, you can use SMTP over SSL (port 465) or SMTP SUBMISSION (port 587).

John
