Yeah, assuming the stuff I outlined below, you should be able to bypass spam checking for certain recipient domains... if it's a sending domain you are trying to whitelist, you would have to do something like this in one of the sender maps you were trying to use.

contents of hash:/etc/postfix/good_domains

mygooddomain.com        PERMIT

By having the explicit permit statement, it will bypass all the remaining UCE checks in the smtpd_recipient_restrictions section and go straight to adding it to your queue for delivery or relaying (once the header and body checks are complete... if you have any). Keep in mind that hash maps aren't searched in a top-down manner like the pcre or regex maps are. If nothing matches in the hash map, that particular map search exits with a DUNNO, which basically says to postfix, "I don't know, maybe a later restriction check will," and that message will then continue to be checked by any later UCE checks. The PERMIT will bypass all that. In this particular case, you are better off permitting based on client IP address instead of sending domain, as the sending domain can be spoofed and that explicit permit would basically make you an open relay so long as they are spoofing one of your permitted domains.

Anyway, in your particular case, I think that if you add the stuff to the dspam_incoming like I showed you below, all will work as you expect.

Todd

Andy Durant wrote:
Hi Todd,

Thanks for the tips.  I'll try changing the order and add everything to 
recipient restrictions as noted.  The following is the output from postconf -n

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.3.7/html
mailbox_size_limit = 536870000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydomain = domain.com
myhostname = Hostname
mynetworks = 192.168.0.0/24, 192.168.1.0/24, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/postfix-2.3.7/readme
relay_domains = domain
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_banner = Welcome to the X Mail System
smtpd_recipient_limit = 35
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_recipient_access pcre:/etc/postfix/dspam_incoming permit
smtpd_sender_restrictions = hash:/etc/postfix/good_domains hash:/etc/postfix/client_access hash:/etc/postfix/banned_domains reject_rbl_client zen.spamhaus.org
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550


The following is the dspam trigger

/./     FILTER dspam:unix:/var/run/dspam/dspam.sock

And the following section from master.cf

dspam     unix  -       -       n       -       10      lmtp

127.0.0.1:10025 inet    n       -       n       -       -       smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks




-----Original Message-----
From: Todd S. Florman [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2007 11:21 AM
To: Andy Durant
Cc: [email protected]
Subject: Re: [dspam-users] Specific domains bypass dspam?

Andy Durant wrote:
Hello all,

I am using dspam and postfix to relay mail for exchange and so far everything 
is going smoothly but for some minor issues. We have several clients in China 
who mail us in Chinese only and all of them get flagged as spam. Since my 
quarantine is not delivering mail when released (another issue) I have to 
manually send the email through with altered headers to reflect the correct 
sender. However, the Chinese characters get converted to ASCII characters like 
this Ô­Óʼþ·¢¼þÈËÃû×Ö: pol and of course no one can read it any longer.

Is there a way to have specific incoming domains bypass dspam's spam checking altogether? I had thought configuring main.cf in postfix with the dspam trigger last would allow that to happen, but it's not. Dspam is still picking up and scanning everything. Relevant postfix portion below:

smtpd_sender_restrictions =
        hash:/etc/postfix/good_domains
        hash:/etc/postfix/client_access
        hash:/etc/postfix/banned_domains
        reject_rbl_client zen.spamhaus.org

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access pcre:/etc/postfix/dspam_incoming
        permit

**Andy Durant**
Network Administrator
*Addressograph Bartizan*
[EMAIL PROTECTED]
http://www.imprinters.com/
(519) 893-4510 x 145
(519) 748-9843 Fax

Hi Andy,

It would be more helpful if you would include a postconf -n and the contents of any relevant maps... like dspam_incoming.

Also be sure that you don't have dspam set up as a global filter in master.cf.

One thing I have noticed is that the following is not correct syntax. You list out the map, but you don't say what to do with it... like check_sender_access.

smtpd_sender_restrictions =
          hash:/etc/postfix/good_domains
          hash:/etc/postfix/client_access
          hash:/etc/postfix/banned_domains
          reject_rbl_client zen.spamhaus.org


Honestly, if I were you, I would simply put all of your UCE checks into the smtpd_recipient_restrictions like the following... as postfix defaults to delaying any rejections until the RCPT TO phase of the SMTP transaction anyway. It's not that it really does anything different in the end, but it will keep things a bit cleaner and easier to understand and allow for more information to be shown in the logs.

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/good_domains,
        check_sender_access hash:/etc/postfix/client_access,
        check_sender_access hash:/etc/postfix/banned_domains,
        reject_rbl_client zen.spamhaus.org,
        check_recipient_access pcre:/etc/postfix/dspam_incoming,
        permit


Here is an example of what your dspam_incoming file could look like to have some domains bypassing the filters while the rest get filtered as expected. Keep in mind that pcre maps look for first match and exit with whatever result you list as the second argument in the match string.

contents of dspam_incoming.

/[EMAIL PROTECTED]/     OK
/[EMAIL PROTECTED]/     OK
/./     FILTER  dspam:dspam
or
/./     FILTER dspam:[127.0.0.1]:10026 (depending on how you have dspam running)



Hope this helps..

Todd Florman
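
The lookup behaviour discussed in this thread (hash maps returning DUNNO on no match, pcre maps stopping at the first match, and a sender-domain permit versus a client-address permit), as an added example that is not part of the original messages and is not Postfix code. It is a simplified model: permit_mynetworks, reject_unauth_destination and the RBL check are left out, the sender lookup tries only the bare domain, and `bypass.example`, the 203.0.113.0/24 network and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample maps; domains and addresses are placeholders.
GOOD_SENDER_DOMAINS = {"mygooddomain.com": "PERMIT"}      # hash-style sender map
GOOD_CLIENTS = {ipaddress.ip_network("203.0.113.0/24"): "PERMIT"}  # client map
DSPAM_INCOMING = [                                        # pcre-style, ordered
    (re.compile(r"@bypass\.example$"), "OK"),
    (re.compile(r"."), "FILTER dspam:dspam"),
]

def hash_lookup(table, key):
    """Exact-key lookup; no match yields DUNNO so later checks still run."""
    return table.get(key, "DUNNO")

def cidr_lookup(table, client_ip):
    """Match the connecting client's address against permitted networks."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in table.items():
        if addr in net:
            return action
    return "DUNNO"

def pcre_lookup(rules, text):
    """Ordered lookup: the first matching pattern decides the result."""
    for pattern, action in rules:
        if pattern.search(text):
            return action
    return "DUNNO"

def evaluate(client_ip, sender, recipient, whitelist_by):
    """Walk the simplified restriction list; return (verdict, content_filter)."""
    if whitelist_by == "sender":
        # The envelope sender is whatever the remote client claims it is.
        first = hash_lookup(GOOD_SENDER_DOMAINS, sender.rsplit("@", 1)[-1].lower())
    else:
        # The client address comes from the TCP connection itself.
        first = cidr_lookup(GOOD_CLIENTS, client_ip)
    if first in ("OK", "PERMIT"):
        return "permit", None            # later checks, dspam included, never run
    action = pcre_lookup(DSPAM_INCOMING, recipient)
    if action == "OK":
        return "permit", None            # recipient listed ahead of the catch-all
    # In this model FILTER records the content filter and evaluation continues.
    content_filter = action.split(None, 1)[1] if action.startswith("FILTER ") else None
    return "permit", content_filter      # trailing "permit"
```

With the sender-based map, a message from an unrelated client that merely claims a `mygooddomain.com` envelope sender skips dspam; with the client-based map the same message is still handed to the filter.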




