Re: How do I stop SA checking mail from authenticated users
On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure x to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. I use a version of spamass-milter, 0.3.2. It has the following option: -I: skip (ignore) checks if sender is authenticated
Re: How do I stop SA checking mail from authenticated users
On 05/10/2011 16:23, Giles Coochey wrote: On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configurex to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. I use a version of spamass-milter, 0.3.2. It has the following option: -I: skip (ignore) checks if sender is authenticated Interesting... but my version of 0.3.2 lacks this option (in the documentation, and in the source code). I'm curious to know how the milter could actually tell. Have you any idea where you version of 0.3.2 came from? As I mentioned elsewhere, the problem is solved for my purposes but I'm planning to write a comprehensive answer to this whole issue. Thanks, Frank.
Re: How do I stop SA checking mail from authenticated users
On Wed, October 5, 2011 18:02, Frank Leonhardt wrote: On 05/10/2011 16:23, Giles Coochey wrote: On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configurex to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. I use a version of spamass-milter, 0.3.2. It has the following option: -I: skip (ignore) checks if sender is authenticated Interesting... but my version of 0.3.2 lacks this option (in the documentation, and in the source code). I'm curious to know how the milter could actually tell. Have you any idea where you version of 0.3.2 came from? As I mentioned elsewhere, the problem is solved for my purposes but I'm planning to write a comprehensive answer to this whole issue. I use the city-fan.org repo under CentOS for spamassassin related stuff: [city-fan.org] name=city-fan.org repository for Red Hat Enterprise Linux (and clones) $releasev er ($basearch) #baseurl=http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basear ch mirrorlist=http://mirror.city-fan.org/ftp/contrib/yum-repo/mirrorlist-rhel$relea sever enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-city-fan.org priority=1
Re: How do I stop SA checking mail from authenticated users
On Wed, 05 Oct 2011 17:02:12 +0100, Frank Leonhardt wrote: As I mentioned elsewhere, the problem is solved for my purposes but I'm planning to write a comprehensive answer to this whole issue. whitelist_auth m...@junc.org priority USER_IN_DKIM_WHITELIST -2000 shortcircuit USER_IN_DKIM_WHITELIST on in local.cf, maybe adjust priotity as needed so only dkim is tested works ok for me
Re: How do I stop SA checking mail from authenticated users
On Tue, 04 Oct 2011 18:48:44 +0100, Frank Leonhardt wrote: Is there an easy way I can treat trusted mail differently? only if you have all ips untrusted, and make sure authed clients use submission not port 25, where submission reject if not sasl authed, then you can have diff milter for this or no milter at all :) on top of that make sure trusted_networks internal_networks is set currect in local.cf, it must contain all ips you have, and if you have forwaring remote hosts that send forwarded mails to you add them as trusted so spf not fire on this, but only do this if you trust this verified host not to be a spam host it self
Re: How do I stop SA checking mail from authenticated users - Solved
On Wed, 05 Oct 2011 00:45:32 +0100, Frank Leonhardt wrote: Now solved! The solution is really simple but I'll collate all the facts and write it up properly. The quick answer is to add InputMailFilters= into the DaemonOptions imho there is no quick answer, what you have now is just limited solution to not scan authed mails, it can still contain malware virus and or spam from authed users, yes most i see in my inbox confirm this here i use clamav-milter for ALL mails called from postfix in before queue , and spam scan all mails in after queue in amavisd-new, this solves for me to not quarantine virus, and spam is now just tagged and each users can filter it to junk folder with sieve, save me mailzu installed :=)
How do I stop SA checking mail from authenticated users
Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? I can't say it's IP address is trusted - I'm out and about with a laptop using dynamic IP addresses (okay, I could VPN if Android supported it and...) I can't easily check the Received: header in SA to determine if it's from a local trusted user (see thread Rule matching in a wrapped header). I can see how to solve this using two or more servers, or running sendmail in a jail or other crazy ideas. But surely this must be a common problem with an easy solution - I just can't find one! Can anyone please enlighten me before I crack, and end up writing YA replacement for sendmail? Or if this is a trivial problem with one of these new-fangled MTAs that sound almost a complicated, but a less familiar than sendmail? After 20 years I'm almost okay with Sendmail and don't want to start again without a good reason. Thanks, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On 10/4/2011 12:48 PM, Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Don't run the milter on ports that only accept authenticated connections.
RE: How do I stop SA checking mail from authenticated users
-Original Message- From: Frank Leonhardt [mailto:fra...@extremecomputing.org.uk] I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Short answer: You need to configure this at the milter or sendmail level and not send the mail to SpamAssassin to begin with. Slightly longer answer: It's been a while since I worked with Sendmail, but we used to do exactly this. Basically, it boils down to one of two things: 1. Use a separate config for the submission port that doesn't send stuff through the milter. (I forget whether this is possible, so if it's not, never mind.) 2. Configure your milter to check whether the message is authenticated (IIRC, you look for the auth_type macro), and not send those messages to spamassassin. (This is what we did.) You don't say what milter you're using. We were using MIMEDefang, and I remember we had to do two things: set MD up to read the Sendmail macros, then add the code to our MD filter to check for the macro before sending mail to SA. Sorry I couldn't be of more detailed help, but this should at least point you in the right direction. --Kelson Vibber
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure x to do this is another matter. -kgd
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure x to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. As far as I'm aware you can't bypass a milter - you would have to *configure* the milter to not pass the message to SA. You still haven't said which one you're using so none of us can give you any more specific advice (ie, of the been there, done that kind). -kgd
Re: How do I stop SA checking mail from authenticated users
On 10/4/2011 1:59 PM, Frank Leonhardt wrote: Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. The alternative is to configure your milter to skip mail based on one of the milter authentication macros, such as auth_authen or auth_author. -- Noel Jones
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 20:17, Kris Deugau wrote: Frank Leonhardt wrote: Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. As far as I'm aware you can't bypass a milter - you would have to *configure* the milter to not pass the message to SA. You still haven't said which one you're using so none of us can give you any more specific advice (ie, of the been there, done that kind). I think there's a terminology mis-match here. To me milter is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix c). In this case it's just spamass-milter (Georg C. F. Greve 2002) - nothing to do with MIMEDefang and suchlike. It's a daemon - hangs around on a socket and waits for sendmail to give it an email. It then calls spamc and sends the modified message back to sendmail. It didn't occur to me that it'd be called indirectly by one of the other general purpose milters, but I can see that now. Fortunately for me it's written in 'C', so I've got a reasonable chance of understanding it. I'm trawling through the source now. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: I think there's a terminology mis-match here. To me milter is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix c). In this case it's just spamass-milter (Georg C. F. Greve 2002) Nope, you've got the terminology straight. MIMEDefang is another (much more flexible) milter - which can call a great many other things to do its processing including SpamAssassin. IIRC amavis can be deployed as a milter. ClamAV ships one very similar to spamass-milter, in that it's dedicated to passing messages to ClamAV. There are several dedicated to SPF and DKIM. And any of them can be used with Postfix = 2.3 (although IIRC some functions may not work well with Postfix 2.3). IIRC, spamass-milter isn't particularly configurable; it's either installed and passing all mail to SA, or not. Other milters *do* have a lot more flexibility in deciding what to do with any given message - for instance, since the configuration is a Perl script fragment, anything you can do to a stream of bytes or a file in Perl can be done by MIMEDefang. It uses SA a little differently (by default) in that it loads the SA Perl libraries, rather than passing a message to spamd. I recently migrated outbound filtering at work to MIMEDefang from a homebrew Postfix content filter. We have four or five intersecting sets of conditions that decide whether or not a given message will be scanned, and if so what threshold to reject the message at. The conditions are currently set by the presence and content of a collection of flatfiles, but we're planning on moving that data into a database sometime. - nothing to do with MIMEDefang and suchlike. Well, not exactly. sendmail - [some milter] - spamd (or the Perl SA libraries) [some milter] is spamass-milter in your case. I briefly tried a number of milters before settling on MIMEDefang for flexibility in implementing the full range of capabilities in the milter interface. It's a daemon - hangs around on a socket and waits for sendmail to give it an email. And it's up to the milter to decide what to do with that message. spamass-milter, IIRC, doesn't have many knobs to twist in this respect; it passes everything to SA. It then calls spamc and sends the modified message back to sendmail. It didn't occur to me that it'd be called indirectly by one of the other general purpose milters, but I can see that now. IIRC there *is* a milter-multiplexor milter that calls other milters, but I'm not sure what the real use-case is. Fortunately for me it's written in 'C', so I've got a reasonable chance of understanding it. I'm trawling through the source now. That's certainly an option. I'm not sure how active spamass-milter development is, and whether they'd accept a patch for a bypass on SMTP AUTH configuration switch - if not, you'll be carrying a custom patch. -kgd
Re: How do I stop SA checking mail from authenticated users
This question comes up enough so that it ought to be in the FAQ.
spamass-milter as others have said does not pay attention to
authenticated mail. Other milters do - but other milters are
often a lot more complicated, and can run slower, to say nothing
of having to learn additional configuration steps and possibly
load additional dependent libraries on the server for the milters.
There is something to be said for the UNIX philosophy of small
is beautiful You may love your MIMEdefang but why do I have to
run it when this problem is so easily fixed?
The reason spamass-milter doesn't do this was documented
http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html
spamass-milter doesen't pass a complete Received line to Spamassassin so
there is no way to exempt authenticated mail from spam scanning unless
you do it in spamass-milter itself. The patch here does that:
mail# diff -u spamass-milter.cpp.original spamass-milter.cpp
--- spamass-milter.cpp.original 2009-01-15 14:43:32.0 -0800
+++ spamass-milter.cpp 2009-01-15 14:45:05.0 -0800
@@ -776,6 +776,12 @@
struct context *sctx = (struct context *)smfi_getpriv(ctx);
char *queueid;
+ if (smfi_getsymval (ctx, {auth_type}) != NULL)
+ {
+ return SMFIS_ACCEPT;
+ }
+
+
if (sctx == NULL)
{
debug(D_ALWAYS, smfi_getpriv failed!);
mail#
Make sure you pass the -a flag to the milter or this patch is not activated
ALSO NOTE:
This spamass-milter patch is already present in a number of UNIX
distributions. For example in the FreeBSD ports system it is
a flag that is selected during the spamassassin build. I believe I've
seen it mentioned in a Debian distro as well.
Ted
On 10/4/2011 2:52 PM, Kris Deugau wrote:
Frank Leonhardt wrote:
I think there's a terminology mis-match here. To me milter is a
sendmail mail filter, of which there can be any number configured (this
is me making no assumptions about Postfix c). In this case it's just
spamass-milter (Georg C. F. Greve 2002)
Nope, you've got the terminology straight.
MIMEDefang is another (much more flexible) milter - which can call a
great many other things to do its processing including SpamAssassin.
IIRC amavis can be deployed as a milter. ClamAV ships one very similar
to spamass-milter, in that it's dedicated to passing messages to ClamAV.
There are several dedicated to SPF and DKIM.
And any of them can be used with Postfix = 2.3 (although IIRC some
functions may not work well with Postfix 2.3).
IIRC, spamass-milter isn't particularly configurable; it's either
installed and passing all mail to SA, or not.
Other milters *do* have a lot more flexibility in deciding what to do
with any given message - for instance, since the configuration is a
Perl script fragment, anything you can do to a stream of bytes or a file
in Perl can be done by MIMEDefang. It uses SA a little differently (by
default) in that it loads the SA Perl libraries, rather than passing a
message to spamd.
I recently migrated outbound filtering at work to MIMEDefang from a
homebrew Postfix content filter. We have four or five intersecting sets
of conditions that decide whether or not a given message will be
scanned, and if so what threshold to reject the message at. The
conditions are currently set by the presence and content of a collection
of flatfiles, but we're planning on moving that data into a database
sometime.
- nothing to do with MIMEDefang
and suchlike.
Well, not exactly. sendmail - [some milter] - spamd (or the Perl SA
libraries)
[some milter] is spamass-milter in your case. I briefly tried a number
of milters before settling on MIMEDefang for flexibility in implementing
the full range of capabilities in the milter interface.
It's a daemon - hangs around on a socket and waits for
sendmail to give it an email.
And it's up to the milter to decide what to do with that message.
spamass-milter, IIRC, doesn't have many knobs to twist in this respect;
it passes everything to SA.
It then calls spamc and sends the modified
message back to sendmail. It didn't occur to me that it'd be called
indirectly by one of the other general purpose milters, but I can see
that now.
IIRC there *is* a milter-multiplexor milter that calls other milters,
but I'm not sure what the real use-case is.
Fortunately for me it's written in 'C', so I've got a reasonable
chance of understanding it. I'm trawling through the source now.
That's certainly an option. I'm not sure how active spamass-milter
development is, and whether they'd accept a patch for a bypass on SMTP
AUTH configuration switch - if not, you'll be carrying a custom patch.
-kgd
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 22:52, Kris Deugau wrote: Frank Leonhardt wrote: I think there's a terminology mis-match here. To me milter is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix c). In this case it's just spamass-milter (Georg C. F. Greve 2002) Nope, you've got the terminology straight. MIMEDefang is another (much more flexible) milter - which can call a great many other things to do its processing including SpamAssassin. IIRC amavis can be deployed as a milter. ClamAV ships one very similar to spamass-milter, in that it's dedicated to passing messages to ClamAV. There are several dedicated to SPF and DKIM. snip Thanks for the full explanation - the world of milters has obviously passed me by. Another thing to research. It never occurred to me that anyone would be using anything other than spamass-milter, which is why I didn't understand why everyone asked what I was using. I found the part of spamass-milter that's faking up the header easily enough. The comment at the start of the block suggests its putting more in the header than the code actually does - including authorisation stuff. One kind and knowledgeable person emailed me an interesting bit I didn't know about the sendmail.mc, and this might provide the solution (will post when I know it works) - undocumented AFAIK, like most of this stuff! Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote:
This question comes up enough so that it ought to be in the FAQ.
While I believe a FAQ does really not help all that much on and by
itself, but instead serves as a handy place to point people to...
It's a wiki.
Please feel free to add it and discuss the topic as detailed as you seem
fit, possibly on a page of it's own for the glorious details, with a
shorter note in the FAQ. If you haven't been granted write permissions
in the ACL yet, I can handle that if you tell me your wiki username.
--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 23:10, Ted Mittelstaedt wrote:
This question comes up enough so that it ought to be in the FAQ.
spamass-milter as others have said does not pay attention to
authenticated mail. Other milters do - but other milters are
often a lot more complicated, and can run slower, to say nothing
of having to learn additional configuration steps and possibly
load additional dependent libraries on the server for the milters.
There is something to be said for the UNIX philosophy of small
is beautiful You may love your MIMEdefang but why do I have to
run it when this problem is so easily fixed?
The reason spamass-milter doesn't do this was documented
http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html
spamass-milter doesen't pass a complete Received line to Spamassassin
so there is no way to exempt authenticated mail from spam scanning
unless you do it in spamass-milter itself. The patch here does that:
mail# diff -u spamass-milter.cpp.original spamass-milter.cpp
--- spamass-milter.cpp.original 2009-01-15 14:43:32.0 -0800
+++ spamass-milter.cpp 2009-01-15 14:45:05.0 -0800
@@ -776,6 +776,12 @@
struct context *sctx = (struct context *)smfi_getpriv(ctx);
char *queueid;
+ if (smfi_getsymval (ctx, {auth_type}) != NULL)
+ {
+ return SMFIS_ACCEPT;
+ }
+
+
if (sctx == NULL)
{
debug(D_ALWAYS, smfi_getpriv failed!);
mail#
Make sure you pass the -a flag to the milter or this patch is not
activated
ALSO NOTE:
This spamass-milter patch is already present in a number of UNIX
distributions. For example in the FreeBSD ports system it is
a flag that is selected during the spamassassin build. I believe I've
seen it mentioned in a Debian distro as well.
Thanks Ted! I was on the verge of adding something similar to the code
myself. I can't actually find the patch on the current FreeBSD ports
tree but it obviously goes at the start of mlfi_envfrom() in
spamass-milter.cpp
You're not wrong about this being a FAQ - trouble is it's not frequently
answered.
The solution I'm going for now is to use a different filter set for
daemons that have required authentication - a facility I didn't know
existed until an hour ago.
Regards, Frank.
--
--
Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users - Solved
On 04/10/2011 23:45, Karsten Bräckelmann wrote: On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote: This question comes up enough so that it ought to be in the FAQ. While I believe a FAQ does really not help all that much on and by itself, but instead serves as a handy place to point people to... Now solved! The solution is really simple but I'll collate all the facts and write it up properly. The quick answer is to add InputMailFilters= into the DaemonOptions line of the sendmail or .cf or .mc file. You'll end up with a line something like: DAEMON_OPTIONS(`Port=smtps, Name=SSLMTA, M=sa, InputMailFilters=')dnl Each Daemon has it's own options INCLUDING the set of filters it uses - in other words, confINPUT_MAIL_FILTERS isn't the only game in town. The example above simply sets the list of filters to null. I haven't found this documented anywhere yet, but it seems to work. Many thanks to PR in France, who emailed me this vital piece of the jigsaw. This obviously won't work if your using STARTTLS as an on port 25, but that's a bit of a bodge anyway. If you're going to upload mail from a public WiFi you should be using SSL and authentication, and port 25 will probably be blocked anyway, so having to use 465 and forcing authentication on (M=a) is no hardship. Thanks to everyone who's helped get this sorted. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On Tue, 04 Oct 2011 15:10:20 -0700 Ted Mittelstaedt t...@ipinc.net wrote: There is something to be said for the UNIX philosophy of small is beautiful You may love your MIMEdefang but why do I have to run it when this problem is so easily fixed? This (alone) is no reason to run MIMEDefang. However, if you have moderately-complex to hairy policy requirements, you may find that MIMEDefang lets you code them up more maintainably than other solutions. In that case, it's a fine idea to use MIMEDefang's facilities for avoiding scanning authenticated mail. Regards, David.
