Difference between revisions of "SpamAssassin/SMTP-AUTH bypass"

From braindump
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:Bypassing SMPT_AUTH on SpamAssassin}}
{{DISPLAYTITLE:Bypassing SpamAssassin when using SMTP_AUTH}}


Until very recently I had absolutely no issues with my SpamAssassin configuration at all. But since I happen to be mostly connecting from [http://sunrise.ch Sunrise] which seems to be universally blocked by [http://spamhouse.org spamhaus.org]. I had to look for another solution. Since I have been using SMPT_AUTH since like forever over TLS or SSL this configuration should do the job.
Until very recently I had absolutely no issues with my SpamAssassin configuration at all. But since I happen to be mostly connecting from [http://sunrise.ch Sunrise] which seems to be universally blocked by [http://spamhouse.org spamhaus.org]. I had to look for another solution. Since I have been using SMPT_AUTH since like forever over TLS or SSL this configuration should do the job.
Line 31: Line 31:


== Testing ==
== Testing ==
Sending mail from and outside address account such as Hotmail, Yahoo, Gmail or from the one that came with your ISP contract you should find a new header in the mail header called <tt>X-<span class="highlight"><RandomWord></span>.
Sending mail from and outside address account such as Hotmail, Yahoo, Gmail or from the one that came with your ISP contract you should find a new header in the mail header called <tt>X-<span class="highlight"><RandomWord></span></tt>.


However when sending vi the MTA via SMTP_AUTH the header should not appear.
However when sending vi the MTA via SMTP_AUTH the header should not appear.
Line 40: Line 40:
* http://de.postfix.org/pipermail/postfix-users/2008-July/000366.html
* http://de.postfix.org/pipermail/postfix-users/2008-July/000366.html
* http://www.virtualmin.com/node/8868
* http://www.virtualmin.com/node/8868
[[Category:Mail]]
[[Category:SpamAssassin]]

Latest revision as of 23:03, 26 May 2012


Until very recently I had absolutely no issues with my SpamAssassin configuration at all. But since I happen to be mostly connecting from Sunrise which seems to be universally blocked by spamhaus.org. I had to look for another solution. Since I have been using SMPT_AUTH since like forever over TLS or SSL this configuration should do the job.

postfix

Firstly we create a new file in /etc/postfix/include called add-auth-header.regexp with something like the below. Replace <RandomWord with somewhat unique word or string of letters and numbers:

## use this to a token to SpamAssasin to let authenticated
## bypass the spam filter
/^/ PREPEND X-<RandomWord>: no

Then under /etc/postfix/main.cf the smtpd_recipient_restrictions or the smtpd_data_restrictions have to look somwhat like the example below. The outcome depends on what is already in place.

smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               reject_unauth_pipelining,
                               check_client_access regexp:/etc/postfix/include/add-auth-header.regexp

After all is done reload postfix.

Note: In the references below there is one more configuration step described touching master.cf of postfix which was not required for my configuration.

SpamAssassin

In SpamAssassin's local.cf or when on a debian based distro under /etc/mail/spamassassin create a file called 99_bybass-smtp_auth.cf with the following content. Note: <RandomWord> needs to be the same as in the add-auth-header.regexp:

header __NO_SMTP_AUTH X-<RandomWord> =~ /^no$/m 
meta SMTP_AUTH !__NO_SMTP_AUTH 
descrinibe SMTP_AUTH Message sent using SMTP Authentication 
tflags SMTP_AUTH nice 
score SMTP_AUTH -10

After that reload SpamAssassin

Testing

Sending mail from and outside address account such as Hotmail, Yahoo, Gmail or from the one that came with your ISP contract you should find a new header in the mail header called X-<RandomWord>.

However when sending vi the MTA via SMTP_AUTH the header should not appear.

References