Ignacio, > We have a server runing postfix + amavisd-new (SuSE 10.1). We are very > happy with the spam filtering capabilities of amavisd-new, but we would > like to disable checking against sbl, xbl lists (any kind of lists > actually) only for outgoing email, since sometimes our users might be in > a public place (i.e internet cafe, public hotspot), and their IP might > be in a CBL list, thus preventing them to send emails with this > configuration. > Is it possible to disable these rules only for outgoing email?
Others gave advice on how to turn off SA checks entirely for mail from trusted sources. More selectivity on rules may or may not be possible: - $sa_local_tests_only is a global option and applies when SA is initialized, so it is not possible to control it by a policy bank - certain xbl lookups are skipped by SA when it understands that mail is coming from inside or from an authenticated user - DUL lookups are not done by SA when it knows mail was submitted by authenticated users. It is very important to get the SA settings (in local.cf) of trusted_networks and internal_networks right! Don't rely on SA to guess it, always do clear_trusted_networks and clear_internal_networks and then list the networks explicitly. Here are some notes I keep in local.cf on the issue: # Anytime there are trusted relays present there will be at least one internal # relay, The machine you're scanning on should be internal & trusted and # should add its own received header before scanning. # # trusted_networks should contain "all the trusted hosts" # and internal_networks should contain "all the trusted hosts # except for your MSAs". # # ALL hosts after (and including) the MX that accepts mail on your behalf # are a part of your internal network. # # ALL internal_networks MUST be in trusted_networks. # # Specifying internal_networks that aren't also (manually config'd) # in trusted_networks should be a configuration error. # # Internal networks IS NOT all of your IPs though. It cannot include your # MSA if you don't also include all of your user's IPs. Since some MTAs # still don't include auth tokens in their headers, we can't always extend # the trust path to roaming users who we don't know the IP of. So, for some # MTAs, even if you know all of your local dial-pool addresses, and your # users use SMTP auth, you still can't include your MSA in internal networks. For mail submission from authenicated remote users please see SA list, the topic was recently discussed (again), and a patch to SA to recognize Postfix authentication headers was recently posted. See topic: Postfix auth headers (Re: Problem with false-positives for SASL users) on the SA list, and the SA patch in: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4980 Mark ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
