Spamassassin postfix authenticated users: Difference between revisions
Benshambaugh (talk | contribs) No edit summary |
(17 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
{{BC|Community Sandbox}} | |||
__FORCETOC__ | |||
<div class="col-md-12 ibox-content"> | |||
=SpamAssasin Postfix authenticated users= | |||
{{KB|{{Unsupported}}|{{ZCS 7.0}}||}} | |||
{{Archive}}{{WIP}} | |||
Howdy, Here's a little How-To I wrote up after not being able to find a way of whitelisting authenticated users in spamassassin. | Howdy, Here's a little How-To I wrote up after not being able to find a way of whitelisting authenticated users in spamassassin. | ||
Line 5: | Line 11: | ||
Feel free to drop me a a line, or update this article, This example was written and tested on Zimbra NE 5.0.6 | Feel free to drop me a a line, or update this article, This example was written and tested on Zimbra NE 5.0.6 | ||
I've updated some of the instructions in order to work with Zimbra NE 7.1.1 - jeff turmelle | |||
'''All of the following should be done as the user <code>zimbra</code>''' | |||
==Postfix Changes== | ==Postfix Changes== | ||
===Enable Auth User Header=== | ===Enable Auth User Header=== | ||
Line 16: | Line 24: | ||
</pre> | </pre> | ||
=====5.0 Version===== | |||
Edit your zmmta.cf file, in /opt/zimbra/conf/ on your MTA | Edit your zmmta.cf file, in /opt/zimbra/conf/ on your MTA | ||
Find the section that starts with: | Find the section that starts with: | ||
Line 24: | Line 33: | ||
Add the line: | Add the line: | ||
<pre> POSTCONF smtpd_sasl_authenticated_header yes </pre> | <pre> POSTCONF smtpd_sasl_authenticated_header yes </pre> | ||
=====7.1 Version===== | |||
Use the zmlocalconfig command to save this option permanently instead of editing the zmmta.cf file, which means it should translate to upgrades. | |||
<pre>zmlocalconfig -e postfix_smtpd_sasl_authenticated_header=yes</pre> | |||
===Change the Header to not leak Usernames=== | ===Change the Header to not leak Usernames=== | ||
This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as: | This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as: | ||
Line 30: | Line 44: | ||
</pre> | </pre> | ||
=====5.0 Version===== | |||
To do this, we need to edit <code>/opt/zimbra/conf/postfix_header_checks</code> | To do this, we need to edit <code>/opt/zimbra/conf/postfix_header_checks</code> | ||
And add the Regex to match & rewrite. | And add the Regex to match & rewrite (note that \ in the line end mean that line continues). | ||
<pre> | |||
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*\ | |||
by (smtp\.mydomain\.com) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ \ | |||
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with $5 id $6 | |||
</pre> | |||
=====7.1 Version===== | |||
I found that the Received Header had changed a bit from the 5.0 instance, and looks more like this on my system: | |||
<pre> | |||
Received: from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) (Authenticated sender: userid) by mydomain.com (Postfix) with ESMTPSA id 61B8F2582E for <userid@mydomain.com>; Fri, 1 Jul 2011 17:25:41 -0400 (EDT) | |||
</pre> | |||
You will need to edit the file <code>/opt/zimbra/conf/postfix_header_checks.in</code> to add the REGEX you will create in the next step. | |||
In addition, as of Zimbra 6.0, postfix_header_checks are turned off. You need to disable zimbraMtaBlockedExtensionsWarnRecipient (which does exactly what you would think) in order to enable postfix_header_checks. It appears that we can't use postfix_header_checks AND warn recipients that extensions are being blocked at the same time; you have to choose one. If you don't care about leaking the usernames, then you can skip this step and just jump to fixing the score. But if you DO want to warn the sender (I have no idea why you can't do both) then: | |||
<code>> zmprov mcf zimbraMtaBlockedExtensionsWarnRecipient FALSE</code> | |||
Obviously, it will be different for everyone, so you may need to fool around with the Regex depending on your situation, but I found this one worked for me. A good resource for testing your REGEX: [http://www.myregextester.com Regex Tester] | |||
<pre> | <pre> | ||
/^Received: from (.* \ | /^Received:\s+from\s+(.*)\s+\((.*)\)\s+\(Authenticated sender:\s+(.*)\)\s+by\s+(.*)\s+with\s+(.*)\s+id\s+(.*)\s+for\s+\<(.*)\>;(.*)$/ | ||
( | REPLACE Received: from $1 ($2) Authenticated User: (smtp.mydomain.com) by $4 with $5 id $6 for <$7>; $8 | ||
( | </pre> | ||
With the output looking something like this: | |||
<pre> | |||
Received: from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) Authenticated User: (smtp.mydomain.com) by smtp.mydomain.com (Postfix) with ESMTPSA id AE6A12583F for <userid@mydomain.com>; Tue, 5 Jul 2011 16:21:26 -0400 (EDT) | |||
</pre> | </pre> | ||
And Reload Postfix | And Reload Postfix | ||
<pre>postfix reload</pre> | <pre>postfix reload</pre> | ||
==SpamAssassin Changes== | ==SpamAssassin Changes== | ||
Now we need to create a rule, and give it a negative score, in order to lower all authenticated senders messages (but not whitelist!) | Now we need to create a rule, and give it a negative score, in order to lower all authenticated senders messages (but not whitelist!) | ||
===Create the Rule=== | |||
===5.0 Version=== | |||
====Create the Rule==== | |||
Create and edit a new rule, in this example I will use <code>/opt/zimbra/conf/spamassassin/20_user_auth.cf</code> | Create and edit a new rule, in this example I will use <code>/opt/zimbra/conf/spamassassin/20_user_auth.cf</code> | ||
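Review bot: In the added 7.1 paragraph, the sentence leading into `zmprov mcf zimbraMtaBlockedExtensionsWarnRecipient FALSE` says to run it "if you DO want to warn the sender", but the command turns the warning off, which the same paragraph gives as the precondition for postfix_header_checks. The condition reads inverted and should say the command is for readers who want the header rewrite. The new 7.1 regex also captures with unbounded `(.*)` groups where the 5.0 entry used `[^)]+`; bounding the parenthesised groups the same way would keep a capture from running past its closing parenthesis.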
Line 53: | Line 93: | ||
</pre> | </pre> | ||
===Add a Score to your new rule=== | ====Add a Score to your new rule==== | ||
In this example, I lower all authenticated senders spam scores by 8. | In this example, I lower all authenticated senders spam scores by 8. | ||
Line 60: | Line 100: | ||
Add the Line: <pre>score LOCAL_AUTH_RCVD -8 -8 -8 -8</pre> | Add the Line: <pre>score LOCAL_AUTH_RCVD -8 -8 -8 -8</pre> | ||
===Restart Amavis=== | ===7.1 Version=== | ||
zmamavisctl restart | ====Create the Rule==== | ||
Create and edit a new rule by appending to <code>/opt/zimbra/conf/salocal.cf.in</code> | |||
Add the following lines to this file | |||
<pre> | |||
# This is a spamassasin ruleset that gives a much lower spam rating for authenticated users | |||
# | |||
header LOCAL_AUTH_RCVD Received =~ /Authenticated User \(smtp.mydomain.com\).* / | |||
</pre> | |||
====Add a Score to your new rule==== | |||
In this example, I lower all authenticated senders spam scores by 8. | |||
Edit <code>/opt/zimbra/conf/salocal.cf.in</code> | |||
Add the Line: <pre>score LOCAL_AUTH_RCVD -8</pre> | |||
===Restart Amavis and MTA=== | |||
zmmtactl restart && zmamavisctl restart | |||
[http://thegeeks.us/index.php/Spamassassin_postfix_authenticated_users_2 The Source] | |||
{{Article Footer|Zimbra NE 7.0|10/28/2008}} | |||
[[Category:Administration]] | [[Category:Administration]] | ||
[[Category:Performance and Tuning]] | [[Category:Performance and Tuning]] | ||
[[Category:Anti-spam]] | |||
[[Category:ZCS 5.0]] | |||
[[Category:ZCS 7.0]] |
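Review bot: The 7.1 rule `header LOCAL_AUTH_RCVD Received =~ /Authenticated User \(smtp.mydomain.com\).* /` cannot match the header that the 7.1 REPLACE line in this same revision produces, because that line writes `Authenticated User: (smtp.mydomain.com)` with a colon after "User". Either drop the colon from the REPLACE text or allow it in the rule, for example `Authenticated User:? \(`. The dots in `smtp.mydomain.com` inside the rule are also unescaped and should be `\.`.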
Latest revision as of 09:38, 13 July 2015
SpamAssassin Postfix authenticated users
Howdy, here's a little how-to I wrote up after not being able to find a way of whitelisting authenticated users in SpamAssassin.
Please note that this configuration will need reviewing EACH and EVERY upgrade of Zimbra that you do, as not all settings will carry over.
Feel free to drop me a line or update this article. This example was written and tested on Zimbra NE 5.0.6.
I've updated some of the instructions in order to work with Zimbra NE 7.1.1 - jeff turmelle
All of the following should be done as the user zimbra
Postfix Changes
Enable Auth User Header
This enables a header on all authenticated emails that shows who authenticated to send the email.
Received: from [0.0.0.0] (unknown [192.168.255.4]) (Authenticated sender: myemail@mydomain.com) by smtp.mydomain.com (Postfix) with ESMTP id 08333374399 for <geekygeeks@gmail.com>; Tue, 28 Oct 2008 10:45:37 -0400 (EDT)
5.0 Version
Edit your zmmta.cf file, in /opt/zimbra/conf/ on your MTA
Find the section that starts with:
SECTION mta DEPENDS amavis
Right before the end of this section, and the line that says
RESTART mta
Add the line:
POSTCONF smtpd_sasl_authenticated_header yes
7.1 Version
Use the zmlocalconfig command to save this option permanently instead of editing the zmmta.cf file, which means it should carry over across upgrades.
zmlocalconfig -e postfix_smtpd_sasl_authenticated_header=yes
Change the Header to not leak Usernames
This header leaks the user's login to whoever receives the email. To change this, we rewrite the header to something we can match later from SpamAssassin, such as:
Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with ESMTP id BA7D13744DB
5.0 Version
To do this, we need to edit /opt/zimbra/conf/postfix_header_checks
And add the regex to match and rewrite (note that a \ at the end of a line means that the line continues).
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*\
by (smtp\.mydomain\.com) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ \
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with $5 id $6
7.1 Version
I found that the Received Header had changed a bit from the 5.0 instance, and looks more like this on my system:
Received: from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) (Authenticated sender: userid) by mydomain.com (Postfix) with ESMTPSA id 61B8F2582E for <userid@mydomain.com>; Fri, 1 Jul 2011 17:25:41 -0400 (EDT)
You will need to edit the file /opt/zimbra/conf/postfix_header_checks.in to add the REGEX you will create in the next step.
In addition, as of Zimbra 6.0, postfix_header_checks are turned off. You need to disable zimbraMtaBlockedExtensionsWarnRecipient (which does exactly what you would think) in order to enable postfix_header_checks. It appears that we can't use postfix_header_checks AND warn recipients that extensions are being blocked at the same time; you have to choose one. If you don't care about leaking the usernames, then you can skip this step and just jump to fixing the score. But if you DO want to warn the sender (I have no idea why you can't do both) then:
> zmprov mcf zimbraMtaBlockedExtensionsWarnRecipient FALSE
Obviously, it will be different for everyone, so you may need to fool around with the Regex depending on your situation, but I found this one worked for me. A good resource for testing your REGEX: Regex Tester (http://www.myregextester.com)
/^Received:\s+from\s+(.*)\s+\((.*)\)\s+\(Authenticated sender:\s+(.*)\)\s+by\s+(.*)\s+with\s+(.*)\s+id\s+(.*)\s+for\s+\<(.*)\>;(.*)$/ REPLACE Received: from $1 ($2) Authenticated User: (smtp.mydomain.com) by $4 with $5 id $6 for <$7>; $8
With the output looking something like this:
Received: from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) Authenticated User: (smtp.mydomain.com) by smtp.mydomain.com (Postfix) with ESMTPSA id AE6A12583F for <userid@mydomain.com>; Tue, 5 Jul 2011 16:21:26 -0400 (EDT)
And Reload Postfix
postfix reload
SpamAssassin Changes
Now we need to create a rule and give it a negative score, in order to lower the spam score of all authenticated senders' messages (but not whitelist them!)
5.0 Version
Create the Rule
Create and edit a new rule, in this example I will use /opt/zimbra/conf/spamassassin/20_user_auth.cf
Add the following lines to this file
# This is a SpamAssassin ruleset that gives a much lower spam rating for authenticated users
#
header LOCAL_AUTH_RCVD Received =~ /Authenticated User \(smtp.mydomain.com\).* /
Add a Score to your new rule
In this example, I lower all authenticated senders' spam scores by 8.
Edit /opt/zimbra/conf/spamassassin/50_scores.cf
score LOCAL_AUTH_RCVD -8 -8 -8 -8
7.1 Version
Create the Rule
Create and edit a new rule by appending to /opt/zimbra/conf/salocal.cf.in
Add the following lines to this file
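# This is a SpamAssassin ruleset that gives a much lower spam rating for authenticated users
# The optional colon matches the "Authenticated User:" text written by the 7.1 REPLACE line above
header LOCAL_AUTH_RCVD Received =~ /Authenticated User:? \(smtp\.mydomain\.com\).* /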
Add a Score to your new rule
In this example, I lower all authenticated senders' spam scores by 8.
Edit /opt/zimbra/conf/salocal.cf.in
score LOCAL_AUTH_RCVD -8
Restart Amavis and MTA
zmmtactl restart && zmamavisctl restart
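Before restarting, the 7.1 rewrite and the LOCAL_AUTH_RCVD pattern can be checked against each other offline. The following is an added example, not part of the original article: it uses Python's re module as a stand-in for the Postfix and SpamAssassin regex engines, and the sample headers and the names rewrite, rule_fires and report are constructed for illustration.

```python
import re

# Constructed sample, modelled on the 7.1 Received header shown on this page.
SAMPLE = ("Received: from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) "
          "(Authenticated sender: userid) by mydomain.com (Postfix) with ESMTPSA "
          "id 61B8F2582E for <rcpt@example.org>; Fri, 1 Jul 2011 17:25:41 -0400 (EDT)")
# Constructed header for mail that was not submitted with SASL authentication.
PLAIN = ("Received: from mx.example.org (mx.example.org [192.0.2.10]) by mydomain.com "
         "(Postfix) with ESMTP id 1A2B3C4D5E for <someone@mydomain.com>; "
         "Fri, 1 Jul 2011 17:30:00 -0400 (EDT)")

# 7.1 header_checks entry from this page, split into pattern and REPLACE text.
CHECK = (r"^Received:\s+from\s+(.*)\s+\((.*)\)\s+\(Authenticated sender:\s+(.*)\)"
         r"\s+by\s+(.*)\s+with\s+(.*)\s+id\s+(.*)\s+for\s+\<(.*)\>;(.*)$")
REPLACE = ("Received: from $1 ($2) Authenticated User: (smtp.mydomain.com) "
           "by $4 with $5 id $6 for <$7>; $8")

# LOCAL_AUTH_RCVD pattern as used with the 5.0 rewrite, and a form that also
# accepts the colon the 7.1 REPLACE text writes after "Authenticated User".
RULE_NO_COLON = r"Authenticated User \(smtp.mydomain.com\).* "
RULE_OPT_COLON = r"Authenticated User:? \(smtp\.mydomain\.com\)"

def rewrite(header):
    """Apply CHECK/REPLACE the way a header_checks REPLACE action would."""
    # Postfix regexp tables match case-insensitively by default.
    m = re.match(CHECK, header, re.IGNORECASE)
    if m is None:
        return header  # no match: the header passes through unchanged
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), REPLACE)

def rule_fires(pattern, header):
    """True if a SpamAssassin 'header ... Received =~ /pattern/' would hit."""
    return re.search(pattern, header) is not None

def report(header):
    out = rewrite(header)
    return {
        "rewritten": out,
        "login_removed": "Authenticated sender" not in out and "userid" not in out,
        "no_colon_rule": rule_fires(RULE_NO_COLON, out),
        "opt_colon_rule": rule_fires(RULE_OPT_COLON, out),
    }

if __name__ == "__main__":
    for name, hdr in (("authenticated", SAMPLE), ("plain", PLAIN)):
        print(name, report(hdr))
```

On a live MTA the same check is done by sending a test message through an authenticated session and reading the Received header and the X-Spam report of the delivered copy.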