TLDR: How do I configure Postfix to NOT use spamassassin to scan the email if it is coming from a domain that is whitelisted via check_sender_access?
DETAILS:
--------

We maintain a white-list of company domains that are aggregated from all our employees' address books. We want all email that claims to be from those domains (even if they are spam, forged, contain cryptolocker, etc...). It's full-on, highway to the danger zone, unbridled email acceptance if your domain is on this whitelist.

For the most part, the configs below work. check_sender_access queries our MySQL database and gets an "OK" for these domains. And, (I believe) once this is returned, the remainder of the checking stops for that step in the process. (Please correct me if I am wrong here, but that IS the desired behavior.)

We still have a few automated emails (these are order confirmations) that are getting caught by SpamAssassin DESPITE being on the whitelist because they are HTML only, and they talk about money if you fill out a form. And, SpamAssassin is executing post-queue, where these rules do not apply post-queue, and only upon receipt.

Example of a good message caught in the bad filter:

  Content analysis details:   (2.8 points, 2.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                              [67.231.157.48 listed in wl.mailspike.net]
   1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
   0.0 HTML_MESSAGE           BODY: HTML included in message
   0.0 LOTS_OF_MONEY          Huge... sums of money
   0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
   0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
   1.0 MONEY_FORM_SHORT       Lots of money if you fill out a short form

How do I configure Postfix to NOT use SpamAssassin to scan the email if it is coming from one of these whitelisted domains? Or, in the alternative, can I configure Postfix to add a header to emails that are on the whitelist, and then configure SpamAssassin to not check emails with that header?
******************** Relevant sections of master.cf: **************************

  # ==========================================================================
  # service type  private unpriv  chroot  wakeup  maxproc command + args
  #               (yes)   (yes)   (yes)   (never) (100)
  # ==========================================================================
  smtp      inet  n       -       -       -       -       smtpd
      -o content_filter=spamassassin
  # ... other stuff ...
  #
  spamassassin unix -     n       n       -       -       pipe
      user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

************* Relevant sections for main.cf: *********************

  smtpd_recipient_restrictions =
      reject_invalid_hostname,
      reject_unauth_pipelining,
      reject_unknown_recipient_domain,
      reject_unauth_destination,
      permit_mynetworks,
      permit_sasl_authenticated,
      check_sender_access mysql:/etc/postfix/whitelist.cf,
      check_policy_service unix:private/policy-spf,
      permit

  smtpd_helo_restrictions =
      permit_mynetworks,
      check_sender_access mysql:/etc/postfix/whitelist.cf,
      permit_sasl_authenticated,
      reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname,
      reject_unknown_helo_hostname

  # 1. We whitelist customers as best we can regardless of what a cesspool their
  #    email servers, IP address, or network neighborhood might be.
  # 2. Then, we let the RBLs do their job to lessen the load on the MySQL server.
  # 3. If the email passes all those checks, it's time to see if it is on our
  #    custom blacklists. If so, we reject; otherwise, we'll let it continue
  #    down the chain.
  smtpd_client_restrictions =
      check_sender_access mysql:/etc/postfix/whitelist.cf,
      reject_rbl_client dnsbl.sorbs.net,
      reject_rbl_client b.barracudacentral.org,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client zen.spamhaus.org,
      reject_rbl_client dnsbl-1.uceprotect.net,
      reject_rbl_client ubl.unsubscore.com,
      reject_rbl_client dnsrbl.org,
      reject_rbl_client bad.psky.me,
      reject_rbl_client dnsbl-2.uceprotect.net,
      check_sender_access mysql:/etc/postfix/blacklist.cf

Incidentally, blacklist.cf rejects an email if it is coming from a domain that NONE of our customers have ever sent from before. This eliminates day-old-bread TLDs that are just spam factories (.top, for example, is spewing forth untold mountains of spam right now based on our logs).

--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
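The second approach the post asks about (Postfix marks whitelisted mail with a header, SpamAssassin honours the marker) can be built from the PREPEND action of access(5) plus a local SpamAssassin rule. The fragments below are an added example, not the poster's configuration: the hash: table, the file names whitelist_prepend and header_checks.pcre, the header name X-Whitelisted, the rule name LOCAL_POSTFIX_WHITELIST and the token value are all assumptions (the poster's MySQL query could return the same PREPEND string as its right-hand side instead of OK). Two points a defender should keep in mind: PREPEND, unlike OK, is not terminal, so it lives in its own lookup placed just before the existing OK lookup and fires once; and because any remote sender can add an X-Whitelisted header themselves, the marker carries a secret token and header_checks discards every copy that lacks it before cleanup hands the message to the content filter.

```conf
# --- /etc/postfix/whitelist_prepend (hypothetical hash: table) ---
# Key: envelope sender domain, as in the poster's whitelist.cf.
# Action: prepend a marker header whose value is a secret token, so that a
# remote sender who adds "X-Whitelisted:" to their own message gains nothing.
# CHANGE-ME-random-token is a placeholder; generate a long random value.
example-customer.com    PREPEND X-Whitelisted: CHANGE-ME-random-token
example-partner.net     PREPEND X-Whitelisted: CHANGE-ME-random-token

# --- main.cf ---
# PREPEND returns and lets evaluation continue, so it cannot replace the
# OK lookup; it sits directly in front of it, once, in the client list.
smtpd_client_restrictions =
    check_sender_access hash:/etc/postfix/whitelist_prepend,
    check_sender_access mysql:/etc/postfix/whitelist.cf,
    reject_rbl_client zen.spamhaus.org,
    # ... remaining reject_rbl_client entries and the blacklist.cf lookup
    # ... exactly as in the poster's configuration

# Strip any X-Whitelisted header that does not carry our token, so a copy
# inserted by the sending side never reaches SpamAssassin. The header that
# smtpd prepended does carry the token and is kept.
header_checks = pcre:/etc/postfix/header_checks.pcre

# --- /etc/postfix/header_checks.pcre ---
/^X-Whitelisted:(?!\s*CHANGE-ME-random-token\s*$)/    IGNORE

# --- /etc/spamassassin/local.cf ---
# SpamAssassin cannot be told to skip a message on a header; spamc still
# runs, but the marker outweighs the content rules seen in the report
# above (MIME_HTML_ONLY, MONEY_FORM_SHORT, ...), so the result is ham.
header   LOCAL_POSTFIX_WHITELIST  X-Whitelisted =~ /^CHANGE-ME-random-token$/
describe LOCAL_POSTFIX_WHITELIST  Envelope sender domain passed the Postfix whitelist
score    LOCAL_POSTFIX_WHITELIST  -100
```

After `postmap /etc/postfix/whitelist_prepend`, `postmap -q example-customer.com hash:/etc/postfix/whitelist_prepend` should print the PREPEND line, and `spamassassin -D --lint` confirms the local rule parses. Rotate the token if the marker ever shows up in mail that did not pass the whitelist lookup, and remember that, as with the poster's OK action, the decision rests on the envelope sender alone, which is the trust trade-off the post already accepts.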