Cedric Knight <ced...@gn.apc.org> writes: > On 07/07/10 23:26, Greg Troxel wrote: >> >> Louis Guillaume <lo...@zabrico.com> writes: >>> I just need to clarify one thing that's not clear to me in re-reading >>> our thread from the other day: Is there a work-around for this? >>> >>> My users are getting restless. Everytime their ISP changes their IP >>> address I have to whitelist them! >> >> I think there are currently only two viable approaches: >> >> arrange not to pass authenticated mail to spamass-milter >> >> change postfix and/or spamass-milter to insert a line in the >> pseudoheader saying the mail was authenticated, so the ALL_TRUSTED >> test fires and not the RBL checks. This is some twitchy code to >> write, but I suspect it isn't really that hard. > > I don't think Louis has said what MTA is involved, but if it's Postfix > 2.3 or later, you just add the following line to main.cf: > > smtpd_sasl_authenticated_header = yes > > And SA should then put all relays in X-Spam-Relays-Trusted and add > ALL_TRUSTED (about -1.8 points) and not do any RBL checks. It's the RBL > checks that could be the major problem because client IPs are naturally > listed in DULs, and look like dynablocks.
I have that, and that indeed causes postfix to put in the authenticated-user header and SA processes it. The problem is with spamass-milter. spamass-milter generates a synthetic Received: line for the message arriving, trying to be similar to the Received: line that the MTA will add when the message is actually received, so that SA can process the message normally. The synthetic Received: line just needs to be similar to what postfix inserts with smtpd_sasl_authenticated_header=yes. This isn't wicked hard - it's just that no one has written the code, plus spamass-milter upstream seems to be dead.
pgpc80EeGnlUD.pgp
Description: PGP signature
