On 28 Nov 2016, at 17:37, Michael Munger wrote:
> TLDR:
> How do I configure Postfix to NOT use spamassassin to scan the email if
> it is coming from a domain that is whitelisted via check_sender_access?

You *COULD* do this inside SA, but for that you'd be better off asking
in the SA mailing list rather than here. You can also do it at the Postfix
level more cleanly.

> DETAILS:
> --------
> We maintain a white-list of company domains that are aggregated from all
> our employees' address books.
> We want all email that claims to be from those domains (even if they are
> spam, forged, contain cryptolocker, etc...). It's full-on, highway to
> the danger zone, unbridled email acceptance if your domain is on this
> whitelist.

At least you understand how crazy that is...
If you did this in SA, you could do that with whitelist_from entries and
narrow that down by using whitelist_from_rcvd or whitelist_auth (or the
older whitelist_from_{spf,dk,dkim}) but those would require some sort of
export/transformation from your MySQL DB to put in place all the
whitelisting rules.

> For the most part, the configs below work. check_sender_access queries
> our MySQL database and gets an "OK" for these domains. And, (I believe)
> once this is returned, the remainder of the checking stops for that step
> in the process. (Please correct me if I am wrong here, but that IS the
> desired behavior).
> We still have a few automated emails (these are order confirmations)
> that are getting caught by spamassassin DESPITE being on the whitelist
> because they are HTML only, and they talk about money if you fill out a
> form. And, Spamassassin is executing post-queue, where these rules do
> not apply post-queue, and only upon receipt.
> Example of a good message caught in the bad filter:
> Content analysis details: (2.8 points, 2.0 required)
> pts rule name

[Switching hats]
Do not do this. The default SA ruleset is re-scored daily by the "Rule
QA" process with changes to rules and their scores distributed to users
who run the 'sa-update' program. That process assumes that 5.0 is the
line between ham and spam. You can safely adjust the threshold a little
bit (best done with data to support your number) but going as low as 2.0
essentially ruins the assumptions of Rule QA and guarantees that you
will see false positives. As you are.

> How do I configure Postfix to NOT use spamassassin to scan the email if
> it is coming from one of these whitelisted domains?

Make the check_sender_access queries return a FILTER result (specifying
a suitable transport, likely 'local:$myhostname') which will override
your content_filter directive. See access(5).

> Or, in the alternative, can I configure Postfix to add a header to
> emails that are on the whitelist, and then configure spam assassin to
> not check emails with that header?

Make the check_sender_access queries return a PREPEND result with an
obscure header name and value of your choosing, then create a local SA
rule that looks for that header with that value, scores it with an
absurdly big negative value, and make it a "shortcircuit" rule so as to
not waste resources figuring out whether to score messages it hits at
-1001 or -999.
NOTE: If you do this, you should only do it in
smtpd_recipient_restrictions, and have the earlier restriction lists use
a query that still just returns OK. i.e. add a new DB field and use it
for the select_field in the smtpd_recipient_restrictions check.

> ********************Relevant sections of master.cf:**************************
[snip]
Also possibly relevant: your other enabled transports.

> *************Relevant sections for main.cf:*********************
[snip]
Also possibly relevant: smtpd_delay_reject, mailbox_transport,
default_transport, local_transport.
This is why the welcome message and the DEBUG_README advise sending
postconf -nf and postconf -Mf output rather than what you think is
relevant from config files.
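
The PREPEND-plus-shortcircuit approach described in the reply above, written out as an added configuration example (not part of the original message and not the poster's actual configuration). The file name, the whitelist_domains table, the sa_action column, the header name, the token and the rule name are all hypothetical, and the main.cf layout is an assumption because the real settings were snipped.

```conf
# --- /etc/postfix/mysql-wl-prepend.cf (hypothetical file; mysql_table(5) format) ---
# Assumes a table whitelist_domains(domain, sa_action), where the new
# sa_action column holds the literal access(5) action for that domain, e.g.
#   PREPEND X-Local-WL: c0nstructed-token-123
hosts = 127.0.0.1
user = postfix
password = CHANGE_ME
dbname = mail
query = SELECT sa_action FROM whitelist_domains WHERE domain = '%s'

# --- main.cf (assumed layout; the thread's real settings were snipped) ---
# Only the recipient stage uses the PREPEND map. Earlier restriction lists
# keep using the existing map that returns OK.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access mysql:/etc/postfix/mysql-wl-prepend.cf

# --- SpamAssassin local.cf ---
# Needs the Shortcircuit plugin enabled:
#   loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
header       LOCAL_POSTFIX_WL  X-Local-WL =~ /^c0nstructed-token-123$/
describe     LOCAL_POSTFIX_WL  Sender domain matched the Postfix whitelist map
tflags       LOCAL_POSTFIX_WL  nice
score        LOCAL_POSTFIX_WL  -1000
# Negative priority runs the rule early, so the shortcircuit saves work.
priority     LOCAL_POSTFIX_WL  -1000
shortcircuit LOCAL_POSTFIX_WL  on
```

SpamAssassin matches this header no matter who added it, so the header name and value act as a shared secret between Postfix and SA and should not be published or reused elsewhere.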