Thanks, I am going to try to test these over the weekend. Will post back either way to let know you know how it went.
Andy -----Original Message----- From: Todd S. Florman [mailto:[EMAIL PROTECTED] Sent: Friday, April 27, 2007 1:42 PM To: Andy Durant Cc: John Peacock; [email protected] Subject: Re: [dspam-users] Specific domains bypass dspam? you could use restriction classes...like so smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_client_access = cidr:/etc/postfix/from_chinese_client check_recipient_access pcre:/etc/postfix/dspam_incoming permit smtpd_restriction_classes = from_chinese from_chinese = check_sender_access = pcre:/etc/postfix/from_chinese_sender permit contents of from_chinese_client 192.168.0.1/32 from_chinese contents of from_chinese_sender /[EMAIL PROTECTED]/ PERMIT /./ FILTER dspam:unix:/tmp/dspam.sock So... in the smtpd_recipient_restrictions, we look for the chinese server in the cidr map. If we match on that, we kick ourselves into the from_chinese restriction class... all others simply continue to the dspam_incoming check. Once we have matched based on the client, we then force another check based on the senders domain(this isn't fool proof as spammers coming from that chinese server can still spoof the from address, but its less likely to happen) If you are sending from the right domain, we permit the email with no spam checking, if you are coming from any other domain, you get spam filtered by the /./ catchall. As I said, its not foolproof, but the risks are greatly reduced. Todd Andy Durant wrote: > They aren't my users though, they are clients of ours using their own > SMTP servers that are based in China. (We are in Canada) They are > trying to send email to us and its all getting picked off by dspam, I'm > assuming because it's all in Chinese. I then have to forward the email > to the original recipient (internal user) but the Chinese characters get > corrupted in the process and it becomes illegible. > > My concern with white listing the IP is the sending server sends mail > for a multitude of users from all different companies, and white listing > that IP would relay open us up to spam from half of China > > I can't think of a solution that would accept mail from the specific > users but disallow the rest of sending servers users not to spam us. > Letting the specific email addresses bypass dspam exposes us to the > least amount of risk. > > Andy > > > > > -----Original Message----- > From: John Peacock [mailto:[EMAIL PROTECTED] > Sent: Friday, April 27, 2007 1:07 PM > To: Andy Durant > Cc: Todd S. Florman; [email protected] > Subject: Re: [dspam-users] Specific domains bypass dspam? > > Andy Durant wrote: >> I thought about that but some of the customers in question are based > in >> China and are on a shared server with thousands of non-related users. > > Rather than whitelist by address (which as I said is easily forged), you > > should be setting up SMTP AUTH, so the users in China still use your > server to send mail out. If you find that port 25 is blocked in China, > you can use SMTP over SSL (port 465) or SMTP SUBMISSION (port 587). > > John >
