On 8/25/2010 3:51 PM, Stan Hoeppner wrote:

Would anyone happen to have an example guide showing the proper
master.cf and main.cf parameters for setting up daemonized spamassassin
to run super selectively via FILTER?

I've reached the point that I'm killing about 98% of my spam load but
I'm tired of the few phish/419 that make it into my inbox due to "zero
day" attacks from compromised Hotmail, Yahoo, Squirrelmail, Horde,
Exchange accounts and the like. I plan on configuring SA to be very
lean, focusing on body content, bayes, and uribl hits.

All the config examples I find on the Spamassassin site are geared
toward a "heavy" setup running ALL mail through SA. I absolutely will
not do this. I need very selective use of SA, one reason being that I
have spamtrap mailboxen. Running SA "globally" would probably cause
problems with this. It should only fire on one or two emails a day,
which are the ones getting through, and these are to a single recipient
address, mine. I'm using Dovecot LDA, not procmail etc, so I can't just
run the spamassassin script (which would actually be much easier to
implement for what I want to do).

So, basically I want something as a last effort restriction, such as:
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/whitelist
    check_sender_access hash:/etc/postfix/whitelist
    check_client_access hash:/etc/postfix/whitelist
    check_sender_access hash:/etc/postfix/auto-whtlst
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    check_client_access hash:/etc/postfix/blacklist
    check_client_access proxy:regexp:/etc/postfix/fqrdns.regexp
    check_client_access proxy:pcre:/etc/postfix/ptr-tld.pcre
    check_client_access proxy:${cidr}/countries
    check_client_access proxy:${cidr}/spammer
    check_client_access proxy:${cidr}/misc-spam-srcs
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service inet:127.0.0.1:60000
    *check_recipient_access hash:/etc/postfix/sa*

/etc/postfix/sa
    stan@ filter smtp:??127.0.0.1:783??

Which master.cf example on the SA site should I use? Or which portion
of one? Or, if none of them, what should my master.cf entry(s) look
like? Does FILTER call spamc or spamd? How do I specify the proper SA
daemon to send to? Do I need anything in master.cf other than a new
smtpd listener, without restrictions, for re-injection? What would that
look like given my standard restrictions above?

Sorry this is a bit of a long question. This stems from the fact that
I've never used SA, and I wanted to make clear exactly what I want to
do, and why I'm having trouble gluing the various bits and pieces of
docs together to accomplish my goal. It would appear no one else runs
SA this way, or if so, hasn't documented it. I don't need virus
scanning so I don't need/want amavisd-new in the mix (or do I?). I want
as few additional daemons sucking up resources as possible. Remember,
if we get this set up correctly, SA should only fire one or two times a day.

Or, is there a better solution to my needs than using SA in this super
selective manner?

FILTER is a poor choice for per-recipient filtering. FILTER
is a per-message action, with only one FILTER action per
message (if there are multiple FILTER actions triggered, only
the last will be used). If there are multiple recipients for
a message, they all get the same FILTER action; the last one
triggered.

The proper solution for per-recipient content filtering is to
use multiple postfix instances.

Easy choices for single-recipient filtering:
- use whatever filtering dovecot can provide
- use amavisd-new for everyone; define (not Stan) as
  @bypass_spam_checks_maps and @spam_lovers_maps. This would
  probably be low enough resource usage to be run as a
  smtpd_proxy_filter.

-- Noel Jones
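
The per-message FILTER behaviour described in the reply above, as a small Python model. This is an added example, not code from either poster or from Postfix; the addresses, the `spamfilter` and `archive` transport names and the ports are constructed, and the lookup handles only full-address and `localpart@` keys.

```python
# Added example: a simplified model of Postfix's per-message FILTER action.
# Addresses, transport names and ports below are constructed for illustration.

ACCESS = """\
# recipient access table (constructed)
stan@    FILTER spamfilter:[127.0.0.1]:10025
abuse@   FILTER archive:[127.0.0.1]:10027
"""

def parse_access(text):
    """Parse 'pattern ACTION argument' lines into {pattern: (ACTION, argument)}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, action, *arg = line.split(None, 2)
        table[pattern.lower()] = (action.upper(), arg[0].strip() if arg else "")
    return table

def lookup(table, rcpt):
    """Try the full address, then the 'localpart@' form (subset of access(5))."""
    rcpt = rcpt.lower()
    return table.get(rcpt) or table.get(rcpt.split("@", 1)[0] + "@")

def route_message(table, recipients):
    """Return (filter destination or None, recipients that pass through it)."""
    content_filter = None
    for rcpt in recipients:              # one table lookup per RCPT TO
        hit = lookup(table, rcpt)
        if hit and hit[0] == "FILTER":
            content_filter = hit[1]      # a later FILTER replaces an earlier one
    # The filter is stored once for the message, so every recipient inherits it.
    return content_filter, list(recipients) if content_filter else []

def collateral(table, recipients):
    """Recipients whose copy is filtered by a rule that was not their own."""
    dest, filtered = route_message(table, recipients)
    return [r for r in filtered if (lookup(table, r) or ("", ""))[1] != dest]

if __name__ == "__main__":
    t = parse_access(ACCESS)
    for rcpts in (["stan@example.com"],
                  ["stan@example.com", "spamtrap@example.com"],
                  ["stan@example.com", "abuse@example.com"]):
        print(rcpts, "->", route_message(t, rcpts), "collateral:", collateral(t, rcpts))
```

The second case shows a spamtrap address being pulled through the filter because it shared a message with stan@; the third shows stan@'s own filter being replaced by the one triggered later.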