Re: How do I stop SA checking mail from authenticated users - Solved
On Wed, 05 Oct 2011 00:45:32 +0100, Frank Leonhardt wrote: Now solved! The solution is really simple but I'll collate all the facts and write it up properly. The quick answer is to add "InputMailFilters=" into the DaemonOptions imho there is no quick answer, what you have now is just limited solution to not scan authed mails, it can still contain malware virus and or spam from authed users, yes most i see in my inbox confirm this here i use clamav-milter for ALL mails called from postfix in before queue , and spam scan all mails in after queue in amavisd-new, this solves for me to not quarantine virus, and spam is now just tagged and each users can filter it to junk folder with sieve, save me mailzu installed :=)
Re: How do I stop SA checking mail from authenticated users
On Tue, 04 Oct 2011 18:48:44 +0100, Frank Leonhardt wrote: Is there an easy way I can treat trusted mail differently? only if you have all ips untrusted, and make sure authed clients use submission not port 25, where submission reject if not sasl authed, then you can have diff milter for this or no milter at all :) on top of that make sure trusted_networks internal_networks is set currect in local.cf, it must contain all ips you have, and if you have forwaring remote hosts that send forwarded mails to you add them as trusted so spf not fire on this, but only do this if you trust this verified host not to be a spam host it self
Re: How do I stop SA checking mail from authenticated users
On Wed, 05 Oct 2011 17:02:12 +0100, Frank Leonhardt wrote: As I mentioned elsewhere, the problem is solved for my purposes but I'm planning to write a comprehensive answer to this whole issue. whitelist_auth m...@junc.org priority USER_IN_DKIM_WHITELIST -2000 shortcircuit USER_IN_DKIM_WHITELIST on in local.cf, maybe adjust priotity as needed so only dkim is tested works ok for me
Re: How do I stop SA checking mail from authenticated users
On Wed, October 5, 2011 18:02, Frank Leonhardt wrote: > > On 05/10/2011 16:23, Giles Coochey wrote: >> On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: >>> On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: > Here's the problem: > > I have a single mail server (not commercial) using sendmail to accept > incoming mail from all sources, and filtering using spamassassin. It > also accepts mail from roaming users - encrypted mail using port 465 > and > authenticating users with SASL, and is expected to relay this. It all > works fine except that the trusted mail goes through the milter like > any > other, and if it's coming from a dodgy location there's a danger that > SA > will block it. (This happens - sent from a WiFi hotspot, non-static > DSL > or mobile network that's been blacklisted everywhere). > > Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure to do this is another matter. >>> Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't >>> call >>> the milter for stuff on 465! Unfortunately I don't know how to achieve >>> this, but I'll go off and do some research now I know what I'm trying >>> to >>> find. >>> >> I use a version of spamass-milter, 0.3.2. >> >> It has the following option: >> >> -I: skip (ignore) checks if sender is authenticated >> > Interesting... but my version of 0.3.2 lacks this option (in the > documentation, and in the source code). I'm curious to know how the > milter could actually tell. > > Have you any idea where you version of 0.3.2 came from? > > As I mentioned elsewhere, the problem is solved for my purposes but I'm > planning to write a comprehensive answer to this whole issue. > I use the city-fan.org repo under CentOS for spamassassin related stuff: [city-fan.org] name=city-fan.org repository for Red Hat Enterprise Linux (and clones) $releasev er ($basearch) #baseurl=http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basear ch mirrorlist=http://mirror.city-fan.org/ftp/contrib/yum-repo/mirrorlist-rhel$relea sever enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-city-fan.org priority=1
Re: How do I stop SA checking mail from authenticated users
On 05/10/2011 16:23, Giles Coochey wrote: On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. I use a version of spamass-milter, 0.3.2. It has the following option: -I: skip (ignore) checks if sender is authenticated Interesting... but my version of 0.3.2 lacks this option (in the documentation, and in the source code). I'm curious to know how the milter could actually tell. Have you any idea where you version of 0.3.2 came from? As I mentioned elsewhere, the problem is solved for my purposes but I'm planning to write a comprehensive answer to this whole issue. Thanks, Frank.
Re: How do I stop SA checking mail from authenticated users
On Tue, October 4, 2011 20:59, Frank Leonhardt wrote: > On 04/10/2011 19:22, Kris Deugau wrote: >> Frank Leonhardt wrote: >>> Here's the problem: >>> >>> I have a single mail server (not commercial) using sendmail to accept >>> incoming mail from all sources, and filtering using spamassassin. It >>> also accepts mail from roaming users - encrypted mail using port 465 >>> and >>> authenticating users with SASL, and is expected to relay this. It all >>> works fine except that the trusted mail goes through the milter like >>> any >>> other, and if it's coming from a dodgy location there's a danger that >>> SA >>> will block it. (This happens - sent from a WiFi hotspot, non-static DSL >>> or mobile network that's been blacklisted everywhere). >>> >>> Is there an easy way I can treat trusted mail differently? >> >> Configure whatever actually calls SA to not do so on authenticated mail. >> >> This is possible with MIMEDefang, may be possible with amavis. I >> can't say about other milters - you don't say how you're calling SA >> from sendmail. >> >> FWIW, this general answer applies no matter where in the mail chain >> you're calling SA - if you don't want it scanned, configure whatever >> calls SA to skip the call on whatever conditions you want. Whether >> you *can* actually configure to do this is another matter. >> > > Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call > the milter for stuff on 465! Unfortunately I don't know how to achieve > this, but I'll go off and do some research now I know what I'm trying to > find. > I use a version of spamass-milter, 0.3.2. It has the following option: -I: skip (ignore) checks if sender is authenticated
Re: How do I stop SA checking mail from authenticated users
On Tue, 04 Oct 2011 15:10:20 -0700 Ted Mittelstaedt wrote: > There is something to be said for the UNIX philosophy of "small > is beautiful" You may love your MIMEdefang but why do I have to > run it when this problem is so easily fixed? This (alone) is no reason to run MIMEDefang. However, if you have moderately-complex to hairy policy requirements, you may find that MIMEDefang lets you code them up more maintainably than other solutions. In that case, it's a fine idea to use MIMEDefang's facilities for avoiding scanning authenticated mail. Regards, David.
Re: How do I stop SA checking mail from authenticated users - Solved
On 04/10/2011 23:45, Karsten Bräckelmann wrote: On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote: This question comes up enough so that it ought to be in the FAQ. While I believe a FAQ does really not help all that much on and by itself, but instead serves as a handy place to point people to... Now solved! The solution is really simple but I'll collate all the facts and write it up properly. The quick answer is to add "InputMailFilters=" into the DaemonOptions line of the sendmail or .cf or .mc file. You'll end up with a line something like: DAEMON_OPTIONS(`Port=smtps, Name=SSLMTA, M=sa, InputMailFilters=')dnl Each Daemon has it's own options INCLUDING the set of filters it uses - in other words, confINPUT_MAIL_FILTERS isn't the only game in town. The example above simply sets the list of filters to null. I haven't found this documented anywhere yet, but it seems to work. Many thanks to PR in France, who emailed me this vital piece of the jigsaw. This obviously won't work if your using STARTTLS as an on port 25, but that's a bit of a bodge anyway. If you're going to upload mail from a public WiFi you should be using SSL and authentication, and port 25 will probably be blocked anyway, so having to use 465 and forcing authentication on (M=a) is no hardship. Thanks to everyone who's helped get this sorted. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 23:10, Ted Mittelstaedt wrote: This question comes up enough so that it ought to be in the FAQ. spamass-milter as others have said does not pay attention to authenticated mail. Other milters do - but other milters are often a lot more complicated, and can run slower, to say nothing of having to learn additional configuration steps and possibly load additional dependent libraries on the server for the milters. There is something to be said for the UNIX philosophy of "small is beautiful" You may love your MIMEdefang but why do I have to run it when this problem is so easily fixed? The reason spamass-milter doesn't do this was documented http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html spamass-milter doesen't pass a complete Received line to Spamassassin so there is no way to exempt authenticated mail from spam scanning unless you do it in spamass-milter itself. The patch here does that: mail# diff -u spamass-milter.cpp.original spamass-milter.cpp --- spamass-milter.cpp.original 2009-01-15 14:43:32.0 -0800 +++ spamass-milter.cpp 2009-01-15 14:45:05.0 -0800 @@ -776,6 +776,12 @@ struct context *sctx = (struct context *)smfi_getpriv(ctx); char *queueid; + if (smfi_getsymval (ctx, "{auth_type}") != NULL) + { + return SMFIS_ACCEPT; + } + + if (sctx == NULL) { debug(D_ALWAYS, "smfi_getpriv failed!"); mail# Make sure you pass the -a flag to the milter or this patch is not activated ALSO NOTE: This spamass-milter patch is already present in a number of UNIX distributions. For example in the FreeBSD ports system it is a flag that is selected during the spamassassin build. I believe I've seen it mentioned in a Debian distro as well. Thanks Ted! I was on the verge of adding something similar to the code myself. I can't actually find the patch on the current FreeBSD ports tree but it obviously goes at the start of mlfi_envfrom() in spamass-milter.cpp You're not wrong about this being a FAQ - trouble is it's not frequently answered. The solution I'm going for now is to use a different filter set for daemons that have required authentication - a facility I didn't know existed until an hour ago. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On Tue, 2011-10-04 at 15:10 -0700, Ted Mittelstaedt wrote: > This question comes up enough so that it ought to be in the FAQ. While I believe a FAQ does really not help all that much on and by itself, but instead serves as a handy place to point people to... It's a wiki. Please feel free to add it and discuss the topic as detailed as you seem fit, possibly on a page of it's own for the glorious details, with a shorter note in the FAQ. If you haven't been granted write permissions in the ACL yet, I can handle that if you tell me your wiki username. -- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 22:52, Kris Deugau wrote: Frank Leonhardt wrote: I think there's a terminology mis-match here. To me "milter" is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix &c). In this case it's just spamass-milter (Georg C. F. Greve 2002) Nope, you've got the terminology straight. MIMEDefang is another (much more flexible) milter - which can call a great many other things to do its processing including SpamAssassin. IIRC amavis can be deployed as a milter. ClamAV ships one very similar to spamass-milter, in that it's dedicated to passing messages to ClamAV. There are several dedicated to SPF and DKIM. Thanks for the full explanation - the world of milters has obviously passed me by. Another thing to research. It never occurred to me that anyone would be using anything other than spamass-milter, which is why I didn't understand why everyone asked what I was using. I found the part of spamass-milter that's faking up the header easily enough. The comment at the start of the block suggests its putting more in the header than the code actually does - including authorisation stuff. One kind and knowledgeable person emailed me an interesting bit I didn't know about the sendmail.mc, and this might provide the solution (will post when I know it works) - undocumented AFAIK, like most of this stuff! Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
This question comes up enough so that it ought to be in the FAQ. spamass-milter as others have said does not pay attention to authenticated mail. Other milters do - but other milters are often a lot more complicated, and can run slower, to say nothing of having to learn additional configuration steps and possibly load additional dependent libraries on the server for the milters. There is something to be said for the UNIX philosophy of "small is beautiful" You may love your MIMEdefang but why do I have to run it when this problem is so easily fixed? The reason spamass-milter doesn't do this was documented http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg00014.html spamass-milter doesen't pass a complete Received line to Spamassassin so there is no way to exempt authenticated mail from spam scanning unless you do it in spamass-milter itself. The patch here does that: mail# diff -u spamass-milter.cpp.original spamass-milter.cpp --- spamass-milter.cpp.original 2009-01-15 14:43:32.0 -0800 +++ spamass-milter.cpp 2009-01-15 14:45:05.0 -0800 @@ -776,6 +776,12 @@ struct context *sctx = (struct context *)smfi_getpriv(ctx); char *queueid; + if (smfi_getsymval (ctx, "{auth_type}") != NULL) + { + return SMFIS_ACCEPT; + } + + if (sctx == NULL) { debug(D_ALWAYS, "smfi_getpriv failed!"); mail# Make sure you pass the -a flag to the milter or this patch is not activated ALSO NOTE: This spamass-milter patch is already present in a number of UNIX distributions. For example in the FreeBSD ports system it is a flag that is selected during the spamassassin build. I believe I've seen it mentioned in a Debian distro as well. Ted On 10/4/2011 2:52 PM, Kris Deugau wrote: Frank Leonhardt wrote: I think there's a terminology mis-match here. To me "milter" is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix &c). In this case it's just spamass-milter (Georg C. F. Greve 2002) Nope, you've got the terminology straight. MIMEDefang is another (much more flexible) milter - which can call a great many other things to do its processing including SpamAssassin. IIRC amavis can be deployed as a milter. ClamAV ships one very similar to spamass-milter, in that it's dedicated to passing messages to ClamAV. There are several dedicated to SPF and DKIM. And any of them can be used with Postfix >= 2.3 (although IIRC some functions may not work well with Postfix 2.3). IIRC, spamass-milter isn't particularly configurable; it's either installed and passing all mail to SA, or not. Other milters *do* have a lot more flexibility in deciding what to do with any given message - for instance, since the "configuration" is a Perl script fragment, anything you can do to a stream of bytes or a file in Perl can be done by MIMEDefang. It uses SA a little differently (by default) in that it loads the SA Perl libraries, rather than passing a message to spamd. I recently migrated outbound filtering at work to MIMEDefang from a homebrew Postfix content filter. We have four or five intersecting sets of conditions that decide whether or not a given message will be scanned, and if so what threshold to reject the message at. The conditions are currently set by the presence and content of a collection of flatfiles, but we're planning on moving that data into a database sometime. - nothing to do with MIMEDefang and suchlike. Well, not exactly. sendmail <-> [some milter] <-> spamd (or the Perl SA libraries) [some milter] is spamass-milter in your case. I briefly tried a number of milters before settling on MIMEDefang for flexibility in implementing the full range of capabilities in the milter interface. It's a daemon - hangs around on a socket and waits for sendmail to give it an email. And it's up to the milter to decide what to do with that message. spamass-milter, IIRC, doesn't have many knobs to twist in this respect; it passes everything to SA. It then calls spamc and sends the modified message back to sendmail. It didn't occur to me that it'd be called indirectly by one of the other general purpose milters, but I can see that now. IIRC there *is* a milter-multiplexor milter that calls other milters, but I'm not sure what the real use-case is. > Fortunately for me it's written in 'C', so I've got a reasonable > chance of understanding it. I'm trawling through the source now. That's certainly an option. I'm not sure how active spamass-milter development is, and whether they'd accept a patch for a "bypass on SMTP AUTH" configuration switch - if not, you'll be carrying a custom patch. -kgd
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: I think there's a terminology mis-match here. To me "milter" is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix &c). In this case it's just spamass-milter (Georg C. F. Greve 2002) Nope, you've got the terminology straight. MIMEDefang is another (much more flexible) milter - which can call a great many other things to do its processing including SpamAssassin. IIRC amavis can be deployed as a milter. ClamAV ships one very similar to spamass-milter, in that it's dedicated to passing messages to ClamAV. There are several dedicated to SPF and DKIM. And any of them can be used with Postfix >= 2.3 (although IIRC some functions may not work well with Postfix 2.3). IIRC, spamass-milter isn't particularly configurable; it's either installed and passing all mail to SA, or not. Other milters *do* have a lot more flexibility in deciding what to do with any given message - for instance, since the "configuration" is a Perl script fragment, anything you can do to a stream of bytes or a file in Perl can be done by MIMEDefang. It uses SA a little differently (by default) in that it loads the SA Perl libraries, rather than passing a message to spamd. I recently migrated outbound filtering at work to MIMEDefang from a homebrew Postfix content filter. We have four or five intersecting sets of conditions that decide whether or not a given message will be scanned, and if so what threshold to reject the message at. The conditions are currently set by the presence and content of a collection of flatfiles, but we're planning on moving that data into a database sometime. - nothing to do with MIMEDefang and suchlike. Well, not exactly. sendmail <-> [some milter] <-> spamd (or the Perl SA libraries) [some milter] is spamass-milter in your case. I briefly tried a number of milters before settling on MIMEDefang for flexibility in implementing the full range of capabilities in the milter interface. It's a daemon - hangs around on a socket and waits for sendmail to give it an email. And it's up to the milter to decide what to do with that message. spamass-milter, IIRC, doesn't have many knobs to twist in this respect; it passes everything to SA. It then calls spamc and sends the modified message back to sendmail. It didn't occur to me that it'd be called indirectly by one of the other general purpose milters, but I can see that now. IIRC there *is* a milter-multiplexor milter that calls other milters, but I'm not sure what the real use-case is. > Fortunately for me it's written in 'C', so I've got a reasonable > chance of understanding it. I'm trawling through the source now. That's certainly an option. I'm not sure how active spamass-milter development is, and whether they'd accept a patch for a "bypass on SMTP AUTH" configuration switch - if not, you'll be carrying a custom patch. -kgd
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 20:17, Kris Deugau wrote: Frank Leonhardt wrote: Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. As far as I'm aware you can't bypass a milter - you would have to *configure* the milter to not pass the message to SA. You still haven't said which one you're using so none of us can give you any more specific advice (ie, of the "been there, done that" kind). I think there's a terminology mis-match here. To me "milter" is a sendmail mail filter, of which there can be any number configured (this is me making no assumptions about Postfix &c). In this case it's just spamass-milter (Georg C. F. Greve 2002) - nothing to do with MIMEDefang and suchlike. It's a daemon - hangs around on a socket and waits for sendmail to give it an email. It then calls spamc and sends the modified message back to sendmail. It didn't occur to me that it'd be called indirectly by one of the other general purpose milters, but I can see that now. Fortunately for me it's written in 'C', so I've got a reasonable chance of understanding it. I'm trawling through the source now. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
On 10/4/2011 1:59 PM, Frank Leonhardt wrote: > Thanks Kris, Kelson and Noel - pretty unanimous answer - just > don't call the milter for stuff on 465! Unfortunately I don't know > how to achieve this, but I'll go off and do some research now I > know what I'm trying to find. The alternative is to configure your milter to skip mail based on one of the milter authentication macros, such as auth_authen or auth_author. -- Noel Jones
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. As far as I'm aware you can't bypass a milter - you would have to *configure* the milter to not pass the message to SA. You still haven't said which one you're using so none of us can give you any more specific advice (ie, of the "been there, done that" kind). -kgd
Re: How do I stop SA checking mail from authenticated users
On 04/10/2011 19:22, Kris Deugau wrote: Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure to do this is another matter. Thanks Kris, Kelson and Noel - pretty unanimous answer - just don't call the milter for stuff on 465! Unfortunately I don't know how to achieve this, but I'll go off and do some research now I know what I'm trying to find. Regards, Frank. -- -- Sent from my Cray XT5
Re: How do I stop SA checking mail from authenticated users
Frank Leonhardt wrote: Here's the problem: I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently? Configure whatever actually calls SA to not do so on authenticated mail. This is possible with MIMEDefang, may be possible with amavis. I can't say about other milters - you don't say how you're calling SA from sendmail. FWIW, this general answer applies no matter where in the mail chain you're calling SA - if you don't want it scanned, configure whatever calls SA to skip the call on whatever conditions you want. Whether you *can* actually configure to do this is another matter. -kgd
RE: How do I stop SA checking mail from authenticated users
> -Original Message- > From: Frank Leonhardt [mailto:fra...@extremecomputing.org.uk] > > I have a single mail server (not commercial) using sendmail to accept > incoming mail from all sources, and filtering using spamassassin. It also > accepts mail from roaming users - encrypted mail using port 465 and > authenticating users with SASL, and is expected to relay this. It all works > fine > except that the trusted mail goes through the milter like any other, and if > it's > coming from a dodgy location there's a danger that SA will block it. (This > happens - sent from a WiFi hotspot, non-static DSL or mobile network that's > been blacklisted everywhere). > > Is there an easy way I can treat trusted mail differently? Short answer: You need to configure this at the milter or sendmail level and not send the mail to SpamAssassin to begin with. Slightly longer answer: It's been a while since I worked with Sendmail, but we used to do exactly this. Basically, it boils down to one of two things: 1. Use a separate config for the submission port that doesn't send stuff through the milter. (I forget whether this is possible, so if it's not, never mind.) 2. Configure your milter to check whether the message is authenticated (IIRC, you look for the "auth_type" macro), and not send those messages to spamassassin. (This is what we did.) You don't say what milter you're using. We were using MIMEDefang, and I remember we had to do two things: set MD up to read the Sendmail macros, then add the code to our MD filter to check for the macro before sending mail to SA. Sorry I couldn't be of more detailed help, but this should at least point you in the right direction. --Kelson Vibber
Re: How do I stop SA checking mail from authenticated users
On 10/4/2011 12:48 PM, Frank Leonhardt wrote: > Here's the problem: > > I have a single mail server (not commercial) using sendmail to > accept incoming mail from all sources, and filtering using > spamassassin. It also accepts mail from roaming users - encrypted > mail using port 465 and authenticating users with SASL, and is > expected to relay this. It all works fine except that the trusted > mail goes through the milter like any other, and if it's coming > from a dodgy location there's a danger that SA will block it. > (This happens - sent from a WiFi hotspot, non-static DSL or mobile > network that's been blacklisted everywhere). > > Is there an easy way I can treat trusted mail differently? Don't run the milter on ports that only accept authenticated connections.