Prev: Receipent Access
Next: track down deferred mail reason
From: Jon Tullett on 17 May 2010 10:50
Hi all

I'm hoping to configure postfix to only apply content filtering to
mail that comes from unauthenticated sources, or outside sources if
that's not possible. Basically, I want unauthenticated email checked
for spam+viruses, but not authenticated email, because we've had the
occasional problem with false positives (using spamassassin). I'm not
especially worried about outbound viruses - we do use desktop AV, and
a virus or worm which makes an unauthenticated SMTP connection on its
own should then get filtered normally.

I've found two options, please tell me if I'm barking up completely
the wrong tree :)

The first is described in a forum post here:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200410.mbox/%3C00a201c4bef4$766b2ed0$0a00a8c0(a)splatter%3E#archives

That page suggests a way to use amavis for non-SASL connections only:

main.cf:
content-filter =
smtpd_sender_restrictions = permit_sasl_authenticated,
check_sender_access regexp:/etc/postfix/amavisd.regexp

amavisd.regexp:
/^/ FILTER smtp-amavis:[127.0.0.1]:10024

I didn't see another reference to doing it this way, so my question
is, is this a workable solution or a terribly bad idea? Will it
achieve what I want, or surprise me by breaking postfix in some new
and interesting way? Also: is there a more efficient way of matching
everything without using a regular expression?

Anyway. If that's not a workable option, I also found what appears to
be an Official Postfix Way:
http://www.postfix.org/FILTER_README.html#remote_only, which describes
how to set up content filters for outside communications only. That
looks promising as an alternative, but it's definitely above my
current competency level (ie: "newbie": that section really didn't
make much sense to me). If this IS the right way to go, I'll give it a
shot and ask for help if I can't figure it out.

Thanks!
-Jon

From: Noel Jones on 17 May 2010 11:05
On 5/17/2010 9:50 AM, Jon Tullett wrote:
> Hi all
>
> I'm hoping to configure postfix to only apply content filtering to
> mail that comes from unauthenticated sources, or outside sources if
> that's not possible. Basically, I want unauthenticated email checked
> for spam+viruses, but not authenticated email, because we've had the
> occasional problem with false positives (using spamassassin). I'm not
> especially worried about outbound viruses - we do use desktop AV, and
> a virus or worm which makes an unauthenticated SMTP connection on its
> own should then get filtered normally.
>
> I've found two options, please tell me if I'm barking up completely
> the wrong tree :)
>
> The first is described in a forum post here:
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200410.mbox/%3C00a201c4bef4$766b2ed0$0a00a8c0(a)splatter%3E#archives
>
> That page suggests a way to use amavis for non-SASL connections only:
>
> main.cf:
> content-filter =
> smtpd_sender_restrictions = permit_sasl_authenticated,
> check_sender_access regexp:/etc/postfix/amavisd.regexp
>
> amavisd.regexp:
> /^/ FILTER smtp-amavis:[127.0.0.1]:10024
>
> I didn't see another reference to doing it this way, so my question
> is, is this a workable solution or a terribly bad idea? Will it
> achieve what I want, or surprise me by breaking postfix in some new
> and interesting way?

This is a valid config and will send only unauthenticated mail
to amavisd. Authenticated mail gets a free pass. Similar
setups are posted here frequently and can be found in the
amavisd-new docs.


> Also: is there a more efficient way of matching
> everything without using a regular expression?

No. The method shown is correct.


>
> Anyway. If that's not a workable option, I also found what appears to
> be an Official Postfix Way:
> http://www.postfix.org/FILTER_README.html#remote_only, which describes
> how to set up content filters for outside communications only. That
> looks promising as an alternative, but it's definitely above my
> current competency level (ie: "newbie": that section really didn't
> make much sense to me). If this IS the right way to go, I'll give it a
> shot and ask for help if I can't figure it out.

This is more flexible, but -- as frequently happens -- when
you add flexibility, complexity comes along for the ride.

-- Noel Jones

From: Jon Tullett on 17 May 2010 11:14
On 17 May 2010 17:05, Noel Jones <njones(a)megan.vbhcs.org> wrote:
> On 5/17/2010 9:50 AM, Jon Tullett wrote:
>>
>> Hi all
>>
>> I'm hoping to configure postfix to only apply content filtering to
>> mail that comes from unauthenticated sources, or outside sources if
>> that's not possible. Basically, I want unauthenticated email checked
>> for spam+viruses, but not authenticated email, because we've had the
>> occasional problem with false positives (using spamassassin). I'm not
>> especially worried about outbound viruses - we do use desktop AV, and
>> a virus or worm which makes an unauthenticated SMTP connection on its
>> own should then get filtered normally.
>>
>> I've found two options, please tell me if I'm barking up completely
>> the wrong tree :)
>>
>> The first is described in a forum post here:
>>
>> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200410.mbox/%3C00a201c4bef4$766b2ed0$0a00a8c0(a)splatter%3E#archives
>>
>> That page suggests a way to use amavis for non-SASL connections only:
>>
>> main.cf:
>> content-filter =
>> smtpd_sender_restrictions = permit_sasl_authenticated,
>> check_sender_access regexp:/etc/postfix/amavisd.regexp
>>
>> amavisd.regexp:
>> /^/ FILTER smtp-amavis:[127.0.0.1]:10024
>>
>> I didn't see another reference to doing it this way, so my question
>> is, is this a workable solution or a terribly bad idea? Will it
>> achieve what I want, or surprise me by breaking postfix in some new
>> and interesting way?
>
> This is a valid config and will send only unauthenticated mail to amavisd..
>  Authenticated mail gets a free pass.  Similar setups are posted here
> frequently and can be found in the amavisd-new docs.

Super. Thanks Noel - much appreciated!

-J

 | 
Pages: 1
Prev: Receipent Access
Next: track down deferred mail reason