RE: SA vs. postfix main.cf

2004-12-07 Thread Smart,Dan 
At one time I tried to do it all in Postfix.  It's all or nothing binary
operation of its Spam rules drove me to find another solution to Spam;
SpamAssassin.  Now a triggered rule only adds to a Spamminess value, and
won't kill the message.  I ultimately took almost all the rules out of
Postfix because I couldn't keep up with the false positives they created.

All the FQDN, MX, an A record checks were removed due to false positives...
The check_* restrictions implement white and black listing.

smtpd_recipient_restrictions =
 check_recipient_access hash:$config_directory/smtpd-recipient-checks,
 permit_mynetworks,
 reject_invalid_hostname,
 reject_unauth_destination,
 check_recipient_access regexp:$config_directory/smtpd-recipient-checks.rx,
 check_sender_access hash:$config_directory/smtpd-sender-checks,
 check_sender_access regexp:$config_directory/smtpd-sender-checks.rx,
 check_client_access hash:$config_directory/smtpd-client-checks,
 check_helo_access hash:$config_directory/smtpd-helo-checks,
 reject_unknown_recipient_domain
smtpd_data_restrictions =
 reject_unauth_pipelining

Dan


 

  -Original Message-
  From: Menno van Bennekom [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, December 07, 2004 5:45 AM
  To: users@spamassassin.apache.org
  Cc: David Newman
  Subject: SA vs. postfix main.cf
  
  We run postfix 2.1.5_1,1 on FreeBSD 5.2.1, and use some RBL lists:
  smtpd_recipient_restrictions =
  ...
 reject_rbl_client opm.blitzed.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client proxies.relays.monkeys.com,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl.spamhaus.org
  We are seeing cases where mail is rejected because of the 
  RBL lists, 
  even when a sender is whitelisted in a recipient's SA 
  user_prefs file.
  Is there any way to reverse the order of operations so that postfix 
  doesn't check with the RBL list when SA says a sender is OK?
  
  You can't reverse the checks, but you can whitelist 
  addresses in Postfix.
  I use the check_client_access to allow certain domains/ips 
  to send mail although they appear in RBL's. Just put them in 
  the access-file with 'OK'
  on the end of the line. You can do the same with check_sender_access.
  And make sure this check is done before the RBL checks, like:
  smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_mynetworks,
reject_unauth_destination,
check_client_access hash:/etc/postfix/client_access,
check_helo_access hash:/etc/postfix/helo_access,
check_sender_access hash:/etc/postfix/sender_access,
reject_rbl_client dynablock.njabl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org
  
  Regards
  Menno van Bennekom

Re: SA vs. postfix main.cf

2004-12-06 Thread Per Jessen 
David Newman wrote:

 We run postfix and SpamAssassin. Postfix's use of RBL is pre-empting SA's
 ability to whitelist specific senders. I'm wondering if there is some way
 to override that.
[snip]
 Is there any way to reverse the order of operations so that postfix
 doesn't check with the RBL list when SA says a sender is OK?

Not that I can think of.  Essentially you need to decide who makes the decision
for you - SA or Postfix.  
By the time postfix delivers the mail to SA via the content_filter, all the
Postfix checks are complete - smtpd__restrictions - so if postfix has
decided to reject an email, SA can't really override that later.  Therefore, if
your users disagree with your blockinglist, don't use those blockinglist(s) in
postfix and leave it to SA.


-- 
Per Jessen, Zurich
Let your spam stop here -- http://www.spamchek.com

Re: SA vs. postfix main.cf

2004-12-06 Thread Matt Barton 
Per Jessen wrote:
Not that I can think of.  Essentially you need to decide who makes
the decision for you - SA or Postfix. By the time postfix delivers
the mail to SA via the content_filter, all the Postfix checks are
complete - smtpd__restrictions - so if postfix has decided to
reject an email, SA can't really override that later.  Therefore, if 
your users disagree with your blockinglist, don't use those
blockinglist(s) in postfix and leave it to SA.
In order to do the same kind of whitelisting in Postfix, you'd basically 
need to setup some check_*_access checks before your RBL's allowing them 
to pass.

--
Matt Barton
Webexcellence
PH: 317.423.3548 x22
TF: 800.808.6332 x22
FX: 317.423.8735
[EMAIL PROTECTED]
www.webexc.com