mouss wrote:
Andy Durant wrote:
Thanks, I am going to try to test these over the weekend.  Will post
back either way to let you know how it went.

Andy




-----Original Message-----
From: Todd S. Florman [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 1:42 PM
To: Andy Durant
Cc: John Peacock; [email protected]
Subject: Re: [dspam-users] Specific domains bypass dspam?

you could use restriction classes...like so

smtpd_recipient_restrictions =
         permit_mynetworks
         reject_unauth_destination
         check_client_access cidr:/etc/postfix/from_chinese_client
         check_recipient_access pcre:/etc/postfix/dspam_incoming
         permit

smtpd_restriction_classes = from_chinese

from_chinese =
    check_sender_access pcre:/etc/postfix/from_chinese_sender
    permit


contents of from_chinese_client

192.168.0.1/32    from_chinese



contents of from_chinese_sender

/[EMAIL PROTECTED]/    PERMIT

replace "PERMIT" with "FILTER dummy:".

/./    FILTER    dspam:unix:/tmp/dspam.sock


The last line is not needed if he has content_filter set in main.cf (or master.cf).

in fact, there is no need for a pcre. a hash works.

ourchineseclient.example         FILTER dummy:

but then it is safer to list exact addresses instead of the whole domain, so as to make things harder for spammers.

Also, instead of dummy, you could pass the mail through clamsmtp to check for viruses.

PS. using FILTER in a check_recipient_access (as suggested some posts before) is _unsafe_. it may cause filter evasion using a multi-recipient email.



Would it be safer if the following line was added to main.cf?

dspam_destination_recipient_limit = 1



So... in the smtpd_recipient_restrictions, we look for the Chinese server in the cidr map. If we match on that, we kick ourselves into the from_chinese restriction class... all others simply continue to the dspam_incoming check. Once we have matched based on the client, we then force another check based on the sender's domain (this isn't foolproof as spammers coming from that Chinese server can still spoof the from address, but it's less likely to happen). If you are sending from the right domain, we permit the email with no spam checking, if you are coming from any other domain, you get spam filtered by the /./ catchall.


As I said, it's not foolproof, but the risks are greatly reduced.

Todd
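
An added example, not code from the thread or from Postfix: a small Python check that walks smtpd_recipient_restrictions and any restriction classes it reaches, and reports FILTER actions looked up through check_recipient_access (the case the PS above calls unsafe, because FILTER applies to the whole message rather than to one recipient) while leaving client- and sender-keyed FILTER entries alone. The function names, the table contents and passing the tables in as a dict instead of reading them from disk are assumptions made so it runs offline.

```python
def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        else:
            name = raw.partition("=")[0].strip()
            params[name] = raw.partition("=")[2].strip()
    return params

def recipient_filter_findings(main_cf, tables):
    """Return (table, pattern, action) for each FILTER keyed on the recipient."""
    params = parse_main_cf(main_cf)
    classes = set(params.get("smtpd_restriction_classes", "").replace(",", " ").split())
    findings, seen = [], set()
    def walk(name):
        if name in seen:
            return
        seen.add(name)
        tokens = params.get(name, "").replace(",", " ").split()
        for tok, arg in zip(tokens, tokens[1:] + [""]):
            if tok in classes:
                walk(tok)
            if not (tok.startswith("check_") and tok.endswith("_access")):
                continue
            for line in tables.get(arg, "").splitlines():
                parts = line.split()
                if len(parts) < 2 or parts[0].startswith("#"):
                    continue
                if parts[1] in classes:  # table entry jumps into a restriction class
                    walk(parts[1])
                elif tok == "check_recipient_access" and parts[1].upper() == "FILTER":
                    findings.append((arg, parts[0], " ".join(parts[1:])))
    walk("smtpd_recipient_restrictions")
    return findings

# Constructed sample: the thread's layout; the table contents are assumptions.
MAIN_CF = """smtpd_restriction_classes = from_chinese
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    check_client_access cidr:/etc/postfix/from_chinese_client
    check_recipient_access pcre:/etc/postfix/dspam_incoming permit
from_chinese = check_sender_access pcre:/etc/postfix/from_chinese_sender permit
"""
TABLES = {"cidr:/etc/postfix/from_chinese_client": "192.168.0.1/32 from_chinese",
          "pcre:/etc/postfix/from_chinese_sender": "/@ourchineseclient\\.example$/ FILTER dummy:",
          "pcre:/etc/postfix/dspam_incoming": "/./ FILTER dspam:unix:/tmp/dspam.sock"}
print(recipient_filter_findings(MAIN_CF, TABLES))
```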

