On 17.12.2010 17:28, Aaron Bennett wrote:
> Hi,
>
> I've got an issue where users off-campus who are doing authenticated SMTP/TLS
> from home networks are having their mail hit by the PBL. I have
> trusted_networks set to include the incoming relay, but still the PBL hits
> it as follows:
>
> Received: from cmail.clarku.edu (muse.clarku.edu [140.232.1.151])
>     by mothra.clarku.edu (Postfix) with ESMTP id D4FC2684FEA
>     for <re...@clarku.edu>; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
> Received: from SENDERMACHINE (macaddress.hsd1.ma.comcast.net
>     [98.216.185.77])
>     by cmail.clarku.edu (Postfix) with ESMTP id 82F21901E48
>     for <re...@clarku.edu>; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
> From: "USER NAME" <sen...@clarku.edu>
>
> Despite that internal_networks and trusted_networks are set to
> 140.232.0.0/16, the message still triggers the PBL rule. Given that I know
> that (unless there's a trojaned machine or whatever) I must trust email that
> comes in over authenticated SMTP/TLS through the 'cmail' host, how can I
> prevent it from hitting the PBL?
>
> Thanks,
>
> Aaron
>
> ---
> Aaron Bennett
> Manager of Systems Administration
> Clark University ITS
>

Forget trusted_networks; use i.e. spamass-milter with spamassassin, with the option

    -I: skip (ignore) checks if sender is authenticated

Additionally, use clamav-milter with a few sanesecurity antispam sigs; it's
fast enough to reject known spam from authed users without slowing down
outbound delivery.

Another option, depending on how you set up spamassassin with postfix: read this

http://www200.pair.com/mecham/spam/bypassing.html

In some setups you can use similar configs to bypass with spamassassin, like
the bypass for amavis, specifically something like this:

---snip

In main.cf:

    smtpd_data_restrictions =
        reject_unauth_pipelining
        permit_sasl_authenticated
        check_client_access regexp:/etc/postfix/add_auth_header.regexp

# In /etc/postfix/add_auth_header.regexp:

    /^/ PREPEND X-SMTP-Auth: no

# In SpamAssassin's local.cf:

    header   __NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/m
    meta     SMTP_AUTH !__NO_SMTP_AUTH
    describe SMTP_AUTH Message sent using SMTP Authentication
    tflags   SMTP_AUTH nice
    score    SMTP_AUTH -10

I suggest you do not use X-SMTP-Auth literally. I would obscure this by using
an X-something-else header name of your choice, and if you have more than one
machine, I suggest using something different on each. In order to prevent
confusion (the header would end up getting written again after the message
was processed by amavisd-new), you should override smtpd_data_restrictions on
the amavisd-new reinjection port. In master.cf add -o smtpd_data_restrictions=

    127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o smtpd_data_restrictions=
        [other typical amavisd-new reinjection port overrides]

---snip

which marks authed mail and bypasses the spamassassin/amavis filter
afterwards.

The recommended way is to let authed users use the submission port
(submission 587/tcp), without the filter configured for it in master.cf.

-- 
Best Regards

Robert Schetterer

Germany/Munich/Bavaria
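
The marker-header scheme quoted in the reply above, modelled as an added example (not code from the thread or from the linked page): it shows which messages end up with the SMTP_AUTH bonus, including a sender that forges its own marker and a message that never passed the tagging smtpd. The joining of repeated headers is a simplified model of SpamAssassin's header matching, and the sample messages are constructed.

```python
import re
from email import message_from_string

MARKER = "X-SMTP-Auth"               # header name from the quoted config
NO_AUTH = re.compile(r"^no$", re.M)  # same pattern as __NO_SMTP_AUTH

def postfix_data_stage(raw, sasl_authenticated):
    """Model of the quoted smtpd_data_restrictions: permit_sasl_authenticated
    ends evaluation for authenticated clients; everyone else reaches the
    regexp table, whose /^/ entry PREPENDs the marker header."""
    if sasl_authenticated:
        return raw
    return f"{MARKER}: no\n" + raw

def smtp_auth_rule_fires(raw):
    """Model of the quoted SpamAssassin rules: all marker values are joined
    with newlines (simplified), __NO_SMTP_AUTH matches /^no$/m, and the
    meta rule SMTP_AUTH is its negation."""
    msg = message_from_string(raw)
    joined = "\n".join(v.strip() for v in msg.get_all(MARKER, []))
    return NO_AUTH.search(joined) is None

# Constructed sample messages (not taken from the thread).
BODY = "From: user@example.org\nSubject: test\n\nhello\n"
FORGED = f"{MARKER}: yes\n" + BODY   # sender supplies its own marker header

def classify():
    return {
        "authenticated": smtp_auth_rule_fires(postfix_data_stage(BODY, True)),
        "unauthenticated": smtp_auth_rule_fires(postfix_data_stage(BODY, False)),
        # The prepended "no" is still present, so a forged value does not help.
        "unauthenticated_forged": smtp_auth_rule_fires(postfix_data_stage(FORGED, False)),
        # Mail that reaches SpamAssassin without passing the tagging smtpd has
        # no marker, so the rule fires exactly as for authenticated mail.
        "untagged_path": smtp_auth_rule_fires(BODY),
    }

if __name__ == "__main__":
    for name, fires in classify().items():
        print(f"{name:24} SMTP_AUTH {'fires (-10)' if fires else 'does not fire'}")
```

The last case is the one to check in a real setup: the rule keys on the absence of the header, so every path into the filter has to pass through the tagging restriction.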