Am 20.06.2014 10:52, schrieb Jürgen Herrmann:
> Am 18.06.2014 16:24, schrieb li...@rhsoft.net:
>> Am 18.06.2014 16:17, schrieb Jürgen Herrmann:
>>> Am 18.06.2014 15:59, schrieb li...@rhsoft.net:
>>>> Am 18.06.2014 15:49, schrieb Jürgen Herrmann:
>>>>> I have a problem with the following pcre table:
>>>>>
>>>>> if !/X-Spam-Level:.*\*{7,}/
>>>>> /X-Spam-Flag:.*YES/ HOLD
>>>>> endif
>>>>> /X-Spam-Level:.*\*{7,}/ DISCARD
>>>>>
>>>>> the HOLD part of it is executed. the DISCARD part never matches.
>>>>>
>>>>> I also had a version with
>>>>> /X-Spam-Level: \*{7,}/
>>>>> instead of
>>>>> /X-Spam-Level:.*\*{7,}/
>>>>>
>>>>> and also the following version does never discard any mails:
>>>>>
>>>>> /X-Spam-Flag:.*YES/ HOLD
>>>>> /X-Spam-Level:.*\*{7,}/ DISCARD
>>>>
>>>> are you aware that you *must not* answer with 250 OK and the
>>>> silently discard messages? the spamfilter belongs *pre-queue*
>>>> and you have to REJECT spam, after you receive it and answer
>>>> with "250 OK" you have to deliver the message - period
>>>>
>>>> http://wiki.apache.org/spamassassin/IntegratePostfixViaSpampd
>>>> "and the ability to use before-queue content filtering"
>>>>
>>>> fix your setup and get rid of the broken pcre-after-queue idea
>>>
>>> this is in a milter_header_checks and on a host used as relay
>>> host. so if i reject mail there it would create backscatter via
>>> the relaying host. why not discard mails that are surely spam?
>>
>> why not discard mails which are surely spam?
>>
>> because you can not say "surely", a filter without false positives
>> is just a dream and because the sender has to know that the are
>> not accepted to have a chance re-send, a spammer won't do that
>>
>> you bring anybody in big trouble debugging mailproblems
>>
>> one complains why a message was not answered
>> the other says "i never got a email"
>> the sender says his operator said the message was accepted
>>
>> *always* the first station has to check and reject mails
>> and after accepting it it must not be rejected on the
>> next hop while discard is always a very bad idea
>
> hi!
>
> mind you this is for _outgoing_ spam protection only for a farm
> of webservers. we had so many problems regarding outgoing spam
> in the last few months that i'm willing to take a little risk...
> as mail here is 90% of the time queued via the sendmail command
> you'd probably agree that i should not reject mails in this case
> and cause backscatter?
>
> thanks for your input!
uhm if the message is rejected directly on the MTA on the webserver
you just reject it for the web-application given the webservers
have a sane setup and enforce SMTP instead sendmail
our webservers dont allow mail() function and limit senders
to adresses for which we would also receive mail, that should
be done anyways because sooner or later your farm will land
on blacklists if your customers are using random senders from
domains with SPF/DKIM/DMARC
_____________________
that's on any webserver here and the mysql-user for mysql-senderaccess.cf
has a limited view on the main mailserer to only get valid addresses
local_recipient_maps = proxy:mysql:/etc/postfix/mysql-recipients.cf
smtpd_sender_restrictions = check_sender_access
proxy:mysql:/etc/postfix/mysql-senderaccess.cf
