On Sun, 15 Aug 2010, Josef Karliak wrote:
> Yes, our users (from local LAN) are authorized over Domainkeys (all emails
> from our network are signed), and SA has a "trusted" network. All from our
> company is OK and solved.
> But we want to create whitelist for companies that our users mails to.
Ah, okay. That makes more sense. That's also harder for a spammer to
abuse. The whitelist_from example using what appeared to be your own
domain misdirected me.
This should still be easier at the MTA level, as most MTAs have support
for databases of email addresses against which to apply policy, and those
databases can be updated without having to restart the application. You'd
create a database for correspondent email addresses and set up a postfix
policy that bypasses SA for those addresses.
Short of a custom plugin you'd probably be looking at a tool to extract
external email addresses from your outbound log and create a whitelist .cf
file that SA reads, and you'd periodically run this tool and then restart
SA.
Ideally the log parser would look for an inbound response from that email
address so that it could create whitelist_from_rcvd where possible. It
should probably also create whitelist_from_auth just in case the
correspondent _did_ have SPF or domainkeys set up.
Creating a plugin to do this without having to restart SA sounds like a
good idea...
Quoting John Hardin <jhar...@impsec.org>:
On Sun, 15 Aug 2010, Josef Karliak wrote:
> My idea is to create whitelist file for including to SA from emails sent
> by our users (from Sent Items folders in cyrus emails). SA is a content
> filter in the Postfix. Only global, not user prefs.
Is there some easy way to identify your users other than the domain they
claim to be sending from? In other words, is this a corporate MTA where all
the local mail originates from a specific subnet, or an ISP where users
send mail via authenticated SMTP?
If so, then there should be some way to tell postfix to trust messages
originating from those sources and not run them through SA at all.
I am not a postfix guru. You might want to do some searches of the SA list
archives for posts that discuss postfix, there may be some config examples
already available that will work for you.
Best of luck.
> Interesting is that I've many installs but on this server doesn't mark
> me whitelisted domain (or email address) with "USER_IN_WHITELIST" test
> at all. I'll look over your recommendation about whitelist_from_auth,
> but if don't mark one whitelist mode, it couldn't mark another :-/.
whitelist_from_rcvd specifying your local network may be another option for
this.
> Thanks.
> J.K.
>
> Quoting John Hardin <jhar...@impsec.org>:
>
> > On Sun, 15 Aug 2010, Josef Karliak wrote:
> >
> > > I've some problem with whitelisting.
> > > In the local.cf file I've for example:
> > > > whitelist_from *...@ajetaci.cz
> >
> > You do not want to do that. The From address on an email is trivially
> > easy to forge, and it is common practice for spammers to forge a From
> > address in the same domain as the target address. whitelist_from is
> > only to be used if nothing else will work, as it is a naive whitelist.
> >
> > You want to use whitelist_from_auth or one of the other authenticated
> > variants.
> >
> > > What did I miss?
> >
> > The best way to skip SA for local users is in the glue layer. Tell it
> > to recognize mail that originates from your local network and for those
> > messages simply _not call SA_ at all. Then you save the processing
> > overhead.
> >
> > You didn't tell us how you're gluing SA onto your MTA. How are you
> > doing that?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The difference is that Unix has had thirty years of technical
types demanding basic functionality of it. And the Macintosh has
had fifteen years of interface fascist users shaping its progress.
Windows has the hairpin turns of the Microsoft marketing machine
and that's all. -- Red Drag Diva
-----------------------------------------------------------------------
Today: the 65th anniversary of the end of World War II
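The log-parsing tool John Hardin sketches above (extract external correspondents from the outbound Postfix log, emit whitelist_from_auth for each, and whitelist_from_rcvd where an inbound reply from that address was seen) as an added, runnable illustration; it is not code from the thread or from SpamAssassin. The log lines, the example.com local domain and all hosts and addresses are constructed placeholders.

```python
import re

# Constructed sample of Postfix log lines (placeholder hosts and addresses,
# not taken from the thread). example.com plays the role of the local domain.
SAMPLE_LOG = """\
Aug 15 10:00:01 mx postfix/qmgr[100]: AAA111: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Aug 15 10:00:02 mx postfix/smtp[101]: AAA111: to=<bob@partner.example>, relay=mx.partner.example[192.0.2.10]:25, delay=0.5, status=sent (250 Ok)
Aug 15 10:00:03 mx postfix/qmgr[100]: BBB222: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Aug 15 10:00:04 mx postfix/smtp[101]: BBB222: to=<carol@vendor.example>, relay=mail.vendor.example[198.51.100.5]:25, delay=0.4, status=sent (250 Ok)
Aug 15 10:00:05 mx postfix/qmgr[100]: CCC333: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Aug 15 10:00:06 mx postfix/smtp[101]: CCC333: to=<dave@slow.example>, relay=none, delay=30, status=deferred (connect timed out)
Aug 15 11:00:01 mx postfix/smtpd[200]: DDD444: client=mx.partner.example[192.0.2.10]
Aug 15 11:00:02 mx postfix/qmgr[100]: DDD444: from=<bob@partner.example>, size=1500, nrcpt=1 (queue active)
Aug 15 11:00:03 mx postfix/smtpd[200]: EEE555: client=unknown[203.0.113.7]
Aug 15 11:00:04 mx postfix/qmgr[100]: EEE555: from=<alice@example.com>, size=800, nrcpt=1 (queue active)
"""

# The queue id ties the qmgr "from=" line to the smtp "to=" / smtpd "client=" lines.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SMTP_SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=[^,]*, .*status=sent")
SMTPD_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([\w.-]+)\[")

def build_whitelist(log_text, local_domain):
    """Return SpamAssassin whitelist lines for external addresses our users wrote to."""
    sender, client, correspondents = {}, {}, set()
    for line in log_text.splitlines():
        if m := QMGR_FROM.search(line):
            sender[m.group(1)] = m.group(2).lower()
        elif m := SMTPD_CLIENT.search(line):
            client[m.group(1)] = m.group(2).lower()      # inbound: relay's rDNS name
        elif m := SMTP_SENT.search(line):
            qid, rcpt = m.group(1), m.group(2).lower()
            # Only completed deliveries from a local sender to a non-local recipient count.
            if sender.get(qid, "").endswith("@" + local_domain) and not rcpt.endswith("@" + local_domain):
                correspondents.add(rcpt)
    # An inbound reply from a correspondent gives the relay host for whitelist_from_rcvd;
    # "unknown" means Postfix found no reverse DNS, so SA could not match it either.
    rcvd = {sender[q]: host for q, host in client.items()
            if sender.get(q) in correspondents and host != "unknown"}
    lines = []
    for addr in sorted(correspondents):
        lines.append(f"whitelist_from_auth {addr}")          # only fires with SPF/DKIM pass
        if addr in rcvd:
            lines.append(f"whitelist_from_rcvd {addr} {rcvd[addr]}")
    return lines

if __name__ == "__main__":
    print("\n".join(build_whitelist(SAMPLE_LOG, "example.com")))
```

Deferred deliveries are ignored, and the forged-local-sender inbound message (EEE555) never reaches the list because its sender is not an external correspondent; the resulting lines go into a .cf file that SA reads on restart.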