On 07/07/10 23:26, Greg Troxel wrote:
>
> Louis Guillaume <lo...@zabrico.com> writes:
>> I just need to clarify one thing that's not clear to me in re-reading
>> our thread from the other day: Is there a work-around for this?
>>
>> My users are getting restless. Every time their ISP changes their IP
>> address I have to whitelist them!
>
> I think there are currently only two viable approaches:
>
>   arrange not to pass authenticated mail to spamass-milter
>
>   change postfix and/or spamass-milter to insert a line in the
>   pseudoheader saying the mail was authenticated, so the ALL_TRUSTED
>   test fires and not the RBL checks. This is some twitchy code to
>   write, but I suspect it isn't really that hard.

I don't think Louis has said what MTA is involved, but if it's Postfix 2.3 or later, you just add the following line to main.cf:

    smtpd_sasl_authenticated_header = yes

And SA should then put all relays in X-Spam-Relays-Trusted and add ALL_TRUSTED (about -1.8 points) and not do any RBL checks. It's the RBL checks that could be the major problem because client IPs are naturally listed in DULs, and look like dynablocks.

However, some other checks may still run with ALL_TRUSTED and I found the following kind of thing helped:

    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
      meta         TRUST_SHORTCIRCUIT (ALL_TRUSTED)
      score        TRUST_SHORTCIRCUIT -5.0
      tflags       TRUST_SHORTCIRCUIT nice
      priority     TRUST_SHORTCIRCUIT -1000
      shortcircuit TRUST_SHORTCIRCUIT on
    endif

So you don't necessarily need to separate inbound and outbound ports or IP addresses, although if you're designing a system from scratch you probably would.

If some people are using pop-before-smtp there's the POPAuth plugin which adds the authenticated client IP addresses to trusted_networks (although in that case be careful of mail 2 web services like Google and now Hotmail).

Were you using amavis with a single MX, an alternative is a postfix kludge to separate incoming and authenticated mail to run different amavis policy banks (e.g. authenticated virus check and DKIM signing; incoming virus and spam check). See

    http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-postfix-dual-path

I don't know about doing this in MTAs other than postfix.

HTH

C
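
Added example, not part of the original message: with smtpd_sasl_authenticated_header = yes, Postfix records the SASL login as "(Authenticated sender: <login>)" in the Received header it writes. The Python sketch below checks a message for that annotation, accepting it only from the topmost Received line written by your own MTA; the host mx.example.org, the sample message and the function name are constructed for illustration.

```python
import email
import re

# Constructed sample: mail submitted over authenticated SMTP to a
# hypothetical Postfix host, mx.example.org. The second Received line
# arrived with the message and forges the same annotation.
SAMPLE = """\
Received: from laptop (unknown [203.0.113.45])
\t(Authenticated sender: alice)
\tby mx.example.org (Postfix) with ESMTPSA id 4F1C22A0
\tfor <bob@example.net>; Thu,  8 Jul 2010 09:12:01 +0100 (BST)
Received: from fake (fake [198.51.100.7])
\t(Authenticated sender: root)
\tby elsewhere.invalid (Postfix) with ESMTPSA id 000000
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def authenticated_sender(raw, our_mta):
    """Return the SASL login recorded by our own MTA, or None.

    Only the topmost Received header is examined, and only if its "by"
    host is our_mta. Lower Received lines came in with the message and
    can carry a forged annotation.
    """
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    by = BY_RE.search(top)
    if not by or by.group(1).lower() != our_mta.lower():
        return None
    auth = AUTH_RE.search(top)
    return auth.group(1) if auth else None
```

Running this over a sample of outbound mail after changing main.cf shows whether the annotation is actually reaching the point where the spam filter sees the message.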