RE: SASL and content_filter

From: Bill Boebel (billwebmail.us)
Date: Wed Feb 18 2004 - 11:50:26 CST


With the recent Postfix snapshot, it is possible to use the PREPEND feature
to tell SpamAssassin to whitelist mail that is sent using SMTP Auth. For
those interested, here is how to do it:

You need at least this version of Postfix and the SASL patch:
 postfix-2.0.18-20040205
 pfixtls-0.8.18-2.0.18-20040205-0.9.7c

/etc/postfix/main.cf:
   smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    ...
    check_helo_access pcre:/etc/postfix/helo_add_auth_header.regexp,
    ...
    permit

/etc/postfix/helo_add_auth_header.regexp:
   /.*/ PREPEND X-SMTP-Auth: no

/etc/mail/spamassassin/local.cf:
   header __NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/
   meta SMTP_AUTH !__NO_SMTP_AUTH
   describe SMTP_AUTH Message sent using SMTP Authentication
   tflags SMTP_AUTH nice
   score SMTP_AUTH -100

Bill
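
As an added example (not Bill's code, and not Postfix or SpamAssassin code), this Python model replays the three configuration files above on constructed messages; it assumes the restriction list is evaluated in order, that PREPEND places its header ahead of anything the client sent, and that a SpamAssassin header rule matches when any header of that name matches.

```python
from email import message_from_string


def smtpd_prepend(raw: str, sasl_authenticated: bool, in_mynetworks: bool) -> str:
    """Model of smtpd_recipient_restrictions from main.cf.

    permit_sasl_authenticated and permit_mynetworks come before the
    check_helo_access map, so clients matching either are permitted
    without ever reaching the /.*/ PREPEND line. Everyone else gets
    'X-SMTP-Auth: no' inserted ahead of the headers they supplied
    (assumption: PREPEND puts its header at the top of the message).
    """
    if sasl_authenticated or in_mynetworks:
        return raw
    return "X-SMTP-Auth: no\n" + raw


def spamassassin_score(raw: str) -> float:
    """Model of the local.cf rules.

    __NO_SMTP_AUTH: header X-SMTP-Auth =~ /^no$/  (assumed to match if
                    any X-SMTP-Auth header carries exactly 'no')
    SMTP_AUTH:      meta !__NO_SMTP_AUTH, score -100
    """
    msg = message_from_string(raw)
    values = [v.strip() for v in msg.get_all("X-SMTP-Auth", [])]
    no_smtp_auth = any(v == "no" for v in values)
    smtp_auth = not no_smtp_auth
    return -100.0 if smtp_auth else 0.0


def outcome(raw: str, sasl_authenticated: bool, in_mynetworks: bool) -> float:
    """Score a message as SpamAssassin would see it after Postfix."""
    return spamassassin_score(smtpd_prepend(raw, sasl_authenticated, in_mynetworks))


# Constructed sample messages (not real mail).
PLAIN = "From: alice@example.org\nSubject: hi\n\nbody\n"
# A client that supplies the header itself, trying to look authenticated;
# the prepended 'no' still comes first, so the rule is unaffected.
FORGED = "X-SMTP-Auth: yes\n" + PLAIN

if __name__ == "__main__":
    for label, raw, sasl, mynets in [
        ("SASL-authenticated submission", PLAIN, True, False),
        ("anonymous client", PLAIN, False, False),
        ("anonymous client, forged header", FORGED, False, False),
        ("unauthenticated client in $mynetworks", PLAIN, False, True),
    ]:
        print(f"{label}: score {outcome(raw, sasl, mynets):+.0f}")
```

The last case shows that every client permitted before the check_helo_access line, $mynetworks included, is whitelisted by the rule as well, so the order of the restriction list decides who is trusted.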

-----Original Message-----
From: owner-postfix-userspostfix.org
[mailto:owner-postfix-userspostfix.org]On Behalf Of Tony Earnshaw
Sent: Sunday, February 08, 2004 6:25 AM
To: Postfix list
Subject: Re: SASL and content_filter

Sat, 07.02.2004 at 23.21, Bill Boebel wrote:

> I want to tell a content_filter that an email arrived using SASL
> authentication. I cannot figure out a way to do this. Is there a way?
>
> Specifically, I want to tell amavis/spamassassin that it was SASL
> authenticated, so that it can whitelist mail sent by local users - without
> relying on the sender envelope since that can be forged. With the latest
> snapshot it looks like I can add a header somehow, which might do the trick
> for me; however that can also be forged.
>
> Any suggestions?

If you do an EHLO to the amavisd-new port, you can see what Postfix can
pass to Amavis. Not what you want, at any rate.

What you *can* do with the latest amavisd-new (and without going into
specifics), is to use a MySQL or LDAP (I use LDAP) database to tell
Amavis whose mail to scan and whose not. You can avoid all scanning on
mail from local users ($mynetworks, for example), by forcing them to use
a Postfix smtpd daemon without content filter on another port than 25. I
use 26.

--Tonni

--
I wish that mailing-list people would stop CC'ing me.
Chances (95%) are that if they do, the CC will never
make it, anyway.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl