The trick (at least for me, and I'm running Postfix) is to tell your
SASL authenticated users to use a different port, like 465 or 587. In
fact, port 25 was nominated to be a server-to-server mail exchange
service. Clients should use the Submission or smtps port. I'm re-routing
traffic from my client networks (which try to connect to port 25) to
port 587, and only allowing connections to port 25 from outside my
network.

The code snip from master.cf:

<SNIP>
smtps     inet  n       -       n       -       -       smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o content_filter=amavis:[127.0.0.1]:10026

</SNIP>

and from amavisd.conf:

<SNIP>
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports
$interface_policy{'10026'} = 'SASLBYPASS';

$policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [0],  # banned checks still apply (0 = no bypass)
   bypass_header_checks_maps => [1],  # don't header-check this mail
};
</SNIP>


Hope this helps,


Luix

2007/7/31, Bartłomiej Rutkowski <[EMAIL PROTECTED]>:
> On Tue, 31 Jul 2007 10:41:44 +0200
> Mark Martinec <[EMAIL PROTECTED]> wrote:
>
> > Bartek,
> >
> > > I was wondering if there would be a way to tell amavisd not to scan
> > > messages that were sent by SASL authorized (logged in) users by p0f?
> > > This would allow us to use relatively high scores on Windows machines
> > > sending mail to our system. Right now most of us are unable to do the
> > > trick, as we can't say what IP numbers our customers are using, and
> > > penalizing their mail is not a very good idea. Maybe some sort of tag
> > > in the message header, like X-SASL-Authorized or something?
> >
> > p0f lookup is controlled by $os_fingerprint_method, which is a
> > policy bank setting.
> >
> > The trick is to route locally-submitted mail and authenticated
> > mail coming from roaming users to a dedicated amavisd port which
> > can load its policy bank with settings that need to apply to local
> > and authenticated users.
> >
> > This is useful for other reasons too, not just to disable p0f.
> > It can be used to apply less strict checks on mail from our
> > users, to enable administrator virus or spam notifications
> > on locally submitted or authenticated mail, to apply disclaimers,
> > to reroute such mail to a DKIM-signing milter or smtp-proxy,
> > and for proper pen pals operation on roaming submissions.
> >
> > There are a couple of examples at:
> >   http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
> > and
> >   http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> >
> > All you need to do extra is to disable p0f in a policy bank
> > like ORIGINATING:
> >
> >   $policy_bank{'ORIGINATING'} = {  # mail originating from our users
> >     originating => 1, # indicates our client, introduced in amavisd-new-2.5.0
> >     os_fingerprint_method => undef,
> >     ...
> >   };
> >
> > Mark
> >
>
> But how would amavisd know that mail is originating, that is, that it comes
> from a SASL authenticated user? What about the case when amavisd is separated
> from the machine that authenticated the user and received the message, to pass
> it to external amavisd machines?
>
> --
> Bartłomiej Rutkowski <[EMAIL PROTECTED]>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
>


-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-------------------------------------------------
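The thread's answer to "how would amavisd know" is a chain: an authenticated-only Postfix service, its content_filter port, `$interface_policy` for that port, and the policy bank it names. The following consistency check for that chain is an added example, not part of the original messages; the function names are hypothetical, the sample configs are constructed from the snippets above, and it assumes the settings are given as `-o` overrides in master.cf with the reject rule in `smtpd_client_restrictions`.

```python
import re
# Constructed sample input, modelled on the master.cf and amavisd.conf snippets above.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o content_filter=amavis:[127.0.0.1]:10026
"""
AMAVISD_CONF = """\
$inet_socket_port = [10024,10026];
$interface_policy{'10026'} = 'SASLBYPASS';
$policy_bank{'SASLBYPASS'} = { bypass_spam_checks_maps => [1] };
"""

def parse_master(text):
    """Return {service: {option: value}}, folding indented -o continuation lines."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a new service entry starts in column 0
            current = line.split()[0]
            services[current] = {}
        elif current is not None:          # an indented line continues the entry
            for key, value in re.findall(r"-o\s+(\w+)=(\S+)", line):
                services[current][key] = value
    return services

def check(master, amavis):
    """List problems in the chain: SASL service -> amavisd port -> policy bank."""
    listen = re.findall(r"\$inet_socket_port\s*=\s*([^;]+);", amavis)
    ports = set(re.findall(r"\d+", " ".join(listen)))   # scalar or list form
    iface = dict(re.findall(r"\$interface_policy\{'(\d+)'\}\s*=\s*'(\w+)'", amavis))
    banks = set(re.findall(r"\$policy_bank\{'(\w+)'\}", amavis))
    findings = []
    for name, opts in parse_master(master).items():
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            continue                       # only authenticated services matter here
        m = re.search(r":(\d+)$", opts.get("content_filter", ""))
        if not m:
            findings.append(f"{name}: no content_filter port set")
        elif m.group(1) not in ports:
            findings.append(f"{name}: amavisd does not listen on {m.group(1)}")
        elif iface.get(m.group(1)) not in banks:
            findings.append(f"{name}: port {m.group(1)} has no defined policy bank")
        rules = opts.get("smtpd_client_restrictions", "").split(",")
        if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
            findings.append(f"{name}: unauthenticated clients are not rejected")
    return findings
```

An empty list from `check(MASTER_CF, AMAVISD_CONF)` means every SASL-enabled service reaches a port whose policy bank exists and that only authenticated clients can use it, so the relaxed checks cannot be reached by unauthenticated mail.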