Dan Mahoney, System Admin wrote:
> In looking through my sendmail logs, I've found that some connecting mail servers actually are correctly configured with a signed, valid cert from one of the major CAs.

Interesting!

> Is there a rule that can match this, on sendmail, based on the connecting IP on your network edge?

It's easy enough to create a rule that matches the phrase in the Received: Header. The trick would be picking only the header for the relay that sent to you. Otherwise, spammers would just add 'verify=OK' to their fake headers.

I don't think TLS info is included in the various X-Spam-Relays pseudoheaders described here, which would make it relatively easy: http://wiki.apache.org/spamassassin/TrustedRelays

If you can get access to sendmail macros (through a milter, for instance, like MIMEDefang or Amavisd-New), you could match against the "verify" macro being "OK". Relevant macros are listed here: http://www.sendmail.org/~ca/email/starttls.html

This might be a place to start: it talks about setting up MIMEDefang to skip filtering entirely on verify=OK, but it could probably be adapted to pass the info to SA.
http://sial.org/howto/mimedefang/macro-pass/

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
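
The header-trust point in the reply above, as an added example that is not part of the original post: only the topmost Received: header, the one your own edge MTA prepended, is consulted for verify=, so a verify=OK planted in a forged lower header is ignored. The hostnames, addresses and headers are constructed, and the code assumes it runs on the edge MX itself (a single trusted hop).

```python
import re
from email import message_from_string

# Sendmail records a STARTTLS session in the Received: header it adds, as
# "(version=... cipher=... bits=... verify=OK)".
TLS_RE = re.compile(r"\(version=\S+\s+cipher=\S+\s+bits=\d+\s+verify=(\w+)\)")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

def edge_tls_verify(raw_message, edge_hostname):
    """Return the verify= value from the Received: header added by our own
    edge MTA, or None if that header is absent or records no TLS session."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Headers are prepended in transit, so index 0 is the newest hop: ours.
    top = " ".join(received[0].split())          # unfold continuation lines
    by = BY_RE.search(top)
    if not by or by.group(1).lower() != edge_hostname.lower():
        return None                              # not stamped by our edge
    tls = TLS_RE.search(top[by.end():])          # look only after "by <host>"
    return tls.group(1) if tls else None

# Constructed sample headers (documentation-range addresses).
HDR_PLAIN = (
    "Received: from bulk.example.com (bulk.example.com [203.0.113.7])\n"
    "\tby mx.example.net (8.14.4/8.14.4) with ESMTP id q1AbCdEf001234\n"
    "\tfor <user@example.net>; Mon, 6 Feb 2012 10:00:02 -0800\n"
)
HDR_TLS = (
    "Received: from trusted.example.org (trusted.example.org [198.51.100.5])\n"
    "\tby mx.example.net (8.14.4/8.14.4) with ESMTP id q1ZzZzZz009999\n"
    "\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)\n"
    "\tfor <user@example.net>; Mon, 6 Feb 2012 09:59:00 -0800\n"
)
REST = "From: sender@example.com\nTo: user@example.net\nSubject: sample\n\nbody\n"

# Real hop arrived without TLS; the verify=OK header below it came with the message.
SPOOFED = HDR_PLAIN + HDR_TLS + REST
# Here the TLS header is the one our edge added.
GENUINE = HDR_TLS + REST

if __name__ == "__main__":
    print("substring match on spoofed:", "verify=OK" in SPOOFED)
    print("edge-header check, spoofed:", edge_tls_verify(SPOOFED, "mx.example.net"))
    print("edge-header check, genuine:", edge_tls_verify(GENUINE, "mx.example.net"))
```

With internal relays in front of the filter, the same walk has to continue down through each hop whose connecting address is one of your own hosts before the edge header is reached.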
