Difference between revisions of "SpamAssassin/SMTP-AUTH bypass"
{{DISPLAYTITLE:Bypassing SpamAssassin when using SMTP_AUTH}}

Until very recently I had absolutely no issues with my SpamAssassin configuration at all. But since I happen to be mostly connecting from [http://sunrise.ch Sunrise], which seems to be universally blocked by [http://spamhouse.org spamhaus.org], I had to look for another solution. Since I have been using SMTP_AUTH since like forever over TLS or SSL, this configuration should do the job.

== postfix ==

Firstly we create a new file in <tt>/etc/postfix/include</tt> called <tt>add-auth-header.regexp</tt> with something like the below. Replace <tt><RandomWord></tt> with a reasonably unique word or string of letters and numbers:

 ## use this to pass a token to SpamAssassin to let authenticated
 ## users bypass the spam filter
 /^/ PREPEND X-<RandomWord>: no

Then in <tt>/etc/postfix/main.cf</tt> the <tt>smtpd_recipient_restrictions</tt> or the <tt>smtpd_data_restrictions</tt> have to look somewhat like the example below. The outcome depends on what is already in place. Order matters: Postfix evaluates the list in sequence and stops at the first entry that permits or rejects, so clients accepted by <tt>permit_mynetworks</tt> or <tt>permit_sasl_authenticated</tt> never reach the <tt>check_client_access</tt> entry and do not get the header.

 smtpd_recipient_restrictions = permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     reject_unauth_pipelining,
     check_client_access regexp:/etc/postfix/include/add-auth-header.regexp

After all is done, reload <tt>postfix</tt>.

'''Note:''' In the references below there is one more configuration step described, touching <tt>master.cf</tt> of <tt>postfix</tt>, which was not required for my configuration.

== SpamAssassin ==

Put the following content in SpamAssassin's <tt>local.cf</tt> or, on a Debian-based distro, in a new file under <tt>/etc/mail/spamassassin</tt> called <tt>99_bybass-smtp_auth.cf</tt>. '''Note:''' <tt><RandomWord></tt> needs to be the same as in the <tt>add-auth-header.regexp</tt>:

 # matches when Postfix prepended the marker header
 header   __NO_SMTP_AUTH  X-<RandomWord> =~ /^no$/m
 # true only when the marker header is absent
 meta     SMTP_AUTH       !__NO_SMTP_AUTH
 describe SMTP_AUTH       Message sent using SMTP Authentication
 tflags   SMTP_AUTH       nice
 score    SMTP_AUTH       -10

After that, reload <tt>SpamAssassin</tt>.

== Testing ==

When sending mail from an outside account such as Hotmail, Yahoo or Gmail, or from the one that came with your ISP contract, you should find a new header called <tt>X-<RandomWord></tt> in the mail headers.

However, when sending through the MTA via SMTP_AUTH the header should not appear.

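The outcome of the two configuration sections above can be checked offline with the following model, an added example that is not part of the original page. It walks the restriction list in the order shown and then applies the <tt>__NO_SMTP_AUTH</tt> / <tt>SMTP_AUTH</tt> logic to constructed messages. Assumptions: <tt>X-Example4f7a</tt> is a hypothetical stand-in for <tt>X-<RandomWord></tt>, all function names are illustrative, the recipient is local, and repeated headers are modelled as being tested together, one value per line.

```python
import re
from email import message_from_string
MARKER = "X-Example4f7a"  # hypothetical stand-in for X-<RandomWord>

# Restriction order from the page's main.cf. Postfix stops at the first
# entry that permits or rejects, so later entries are never evaluated.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination", "reject_unauth_pipelining",
                "check_client_access"]

def postfix_prepends(in_mynetworks, sasl_authenticated):
    """True if the PREPEND in add-auth-header.regexp is reached. Assumes a
    local recipient and no pipelining, so neither reject_* entry fires."""
    for step in RESTRICTIONS:
        if step == "permit_mynetworks" and in_mynetworks:
            return False
        if step == "permit_sasl_authenticated" and sasl_authenticated:
            return False
        if step == "check_client_access":
            return True  # the /^/ pattern matches every client
    return False

def deliver(raw, in_mynetworks=False, sasl_authenticated=False):
    """Return the message text as the spam filter would receive it."""
    if postfix_prepends(in_mynetworks, sasl_authenticated):
        return f"{MARKER}: no\n{raw}"
    return raw

def smtp_auth_score(raw):
    """Mirror the page's rules: __NO_SMTP_AUTH tests /^no$/m against every
    value of the marker header; SMTP_AUTH is its negation, worth -10."""
    values = message_from_string(raw).get_all(MARKER, [])
    joined = "\n".join(v.strip() for v in values)
    return 0 if re.search(r"^no$", joined, re.M) else -10

# Constructed sample messages, not real mail.
PLAIN = "From: a@example.org\nTo: b@example.net\nSubject: test\n\nbody\n"
PRESET = f"{MARKER}: yes\n{PLAIN}"  # arrives already carrying the header

def results():
    return {
        "outside": smtp_auth_score(deliver(PLAIN)),
        "sasl": smtp_auth_score(deliver(PLAIN, sasl_authenticated=True)),
        "mynetworks": smtp_auth_score(deliver(PLAIN, in_mynetworks=True)),
        "outside_preset": smtp_auth_score(deliver(PRESET)),
        "never_via_smtpd": smtp_auth_score(PLAIN),
    }

if __name__ == "__main__":
    print(results())
```

The <tt>mynetworks</tt> and <tt>never_via_smtpd</tt> rows show that the -10 goes to every message lacking the header, not only to SASL-authenticated ones, so any other path into SpamAssassin needs the same marker or its own rule.
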
== References ==

* http://de.postfix.org/pipermail/postfix-users/2008-July/000366.html
* http://www.virtualmin.com/node/8868

[[Category:Mail]]
[[Category:SpamAssassin]]

Latest revision as of 23:03, 26 May 2012