On 7/10/2006 8:47 PM, Gino Cerullo wrote:
On 10-Jul-06, at 7:39 PM, Daryl C. W. O'Shea wrote:
You have two options:
1) Quoting mouss...
mouss wrote:
> martin f krafft a écrit :
>> Well, sure, this makes sense, but how can I support this standard
>> use-case? Postfix adding a SASL-header that causes Spamassassin then
>> to ignore the message isn't the solution as spammers would simply do
>> that sooner or later. Short of whitelisting people, what should
>> I do?
>>
>
> how do you integrate SA with postfix?
>
> If using content_filter, then you could skip SA for authenticated users.
<snip config details>
I see but is the trade-off here that if SA skips authenticated users
and they are compromised then they can become spam sources that
wouldn't be caught locally or does it only skip SPF and still do all
other scans?
Skipping SA for auth'd users in your Postfix config would skip all of
SA, not just SPF checks in SA.
I wouldn't necessarily call not spam checking local spam zombies a
trade-off. Personally, I'd want to receive the spam from these local
machines/users so that I can take action against/for those users.
or
2) Upgrade to Postfix 2.3, if necessary, set
"smtpd_sasl_authenticated_header yes" in your Postfix config and then
offer to buy me lunch next time I'm in the city to persuade me to
make a patch to support this. :)
Are you a contributor to SA's development?
I've been known to commit enough good, and apparently not enough bad,
code to the SA code base.
I guess the same compromise will exist in this scenario? Would it be
difficult to get SA to see that the user is authenticated and just skip
SPF but still do everything else?
In this case (SA knows the user is authenticated), SA does The Right
Thing (tm). All regex based tests and network tests against body
content are done and the appropriate network based checks are done
against the appropriate hosts.
I see from the header in the message you sent that you have deployed
DKIM. I'm hoping to do that as well but not for a while yet. Do similar
problems arise with DKIM and SA as we've discussed here with SPF?
DKIM doesn't rely on any defined set of relays. It uses the envelope
sender (usually just the domain) and the signature found in the headers.
Also note that SPF isn't the only thing suffering from your trust path
issues, it's just a symptom you've noticed. You'll also currently be
doing dynablock checks against users you'd rather not be, along with a
whole slew of other tests that will FP when SA thinks it's testing mail
from some random system/zombie and not an authenticated user.
Let me know if you're running Postfix 2.3 and can enable the auth
headers in your config. I'll probably get to making a patch tonight as
long as the rain doesn't stop and I don't get distracted by the big
stash of fireworks I've accumulated. :)
Daryl
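
The check that option 2 depends on, as an added example that is not part of the original message and is neither SpamAssassin's code nor the patch discussed above: with `smtpd_sasl_authenticated_header yes`, Postfix writes the SASL login as `(Authenticated sender: ...)` into the Received header it adds, and a filter can trust that marker only in the top-most header written by its own server. The hostname `mx.example.org`, the check names and the sample messages are constructed assumptions, and the filter is assumed to see the message before any further internal hop adds another Received header.

```python
import re
from email import message_from_string

TRUSTED_MTA = "mx.example.org"  # assumption: hostname of your own Postfix
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
COMMENT_RE = re.compile(r"\([^()]*\)")
BY_RE = re.compile(r"(?:^|\s)by\s+([^\s;]+)")

def authenticated_sender(raw, trusted_mta=TRUSTED_MTA):
    """Return the SASL login recorded by our own MTA, or None."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())          # top-most header only, unfolded
    by = BY_RE.search(COMMENT_RE.sub(" ", top))  # skip (comments) when locating "by"
    if not by or by.group(1).lower() != trusted_mta.lower():
        return None                              # not written by our server
    auth = AUTH_RE.search(top)
    return auth.group(1) if auth else None

def checks_for(raw):
    """Hypothetical plan: body tests always run, client-IP tests only if unauthenticated."""
    always = {"body_rules", "body_network"}
    if authenticated_sender(raw):
        return always
    return always | {"spf", "client_dnsbl"}

# Constructed sample messages (not taken from the thread)
GENUINE = """\
Received: from laptop.example.net (unknown [203.0.113.7])
 (Authenticated sender: gino)
 by mx.example.org (Postfix) with ESMTPSA id 4F2A1C0FFE;
 Mon, 10 Jul 2006 20:47:00 -0400 (EDT)
From: gino@example.org

body
"""
FORGED = """\
Received: from zombie.example.com (unknown [198.51.100.9])
 by mx.example.org (Postfix) with ESMTP id 77B0BDEAD1;
 Mon, 10 Jul 2006 20:48:00 -0400 (EDT)
Received: from fake (fake [192.0.2.1])
 (Authenticated sender: admin)
 by mx.example.org (Postfix) with ESMTPSA id 0000000000;
 Mon, 10 Jul 2006 20:40:00 -0400 (EDT)
From: spammer@example.com

body
"""
```

The forged marker in the second sample sits below the header the receiving server added, so it is ignored and the client-IP checks still run.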