Spamassassin postfix authenticated users: Difference between revisions
m (fixing an \( typo and upgrading url) |
(fixed config changes for more recent versions of Zimbra) |
||
Line 25: | Line 25: | ||
Add the line: | Add the line: | ||
<pre> POSTCONF smtpd_sasl_authenticated_header yes </pre> | <pre> POSTCONF smtpd_sasl_authenticated_header yes </pre> | ||
OR | |||
<pre>zmlocalconfig -e postfix_smtpd_sasl_authenticated_header=yes</pre> | |||
===Change the Header to not leak Usernames=== | ===Change the Header to not leak Usernames=== | ||
This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as: | This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as: |
Revision as of 23:31, 30 June 2011
Article Information |
---|
This article applies to the following ZCS versions. |
Howdy, Here's a little How-To I wrote up after not being able to find a way of whitelisting authenticated users in spamassassin.
Please note that this configuration will need reviewing EACH and EVERY Upgrade of zimbra that you do, as not all settings will carry over.
Feel free to drop me a a line, or update this article, This example was written and tested on Zimbra NE 5.0.6
All of the following should be done as the user zimbra
Postfix Changes
Enable Auth User Header
This enables a header on all authenticated emails that shows who authenticated to send the email.
Received: from [0.0.0.0] (unknown [192.168.255.4]) (Authenticated sender: myemail@mydomain.com) by smtp.mydomain.com (Postfix) with ESMTP id 08333374399 for <geekygeeks@gmail.com>; Tue, 28 Oct 2008 10:45:37 -0400 (EDT)
Edit your zmmta.cf file, in /opt/zimbra/conf/ on your MTA
Find the section that starts with:
SECTION mta DEPENDS amavis
Right before the end of this section, and the line that says
RESTART mta
Add the line:
POSTCONF smtpd_sasl_authenticated_header yes
OR
zmlocalconfig -e postfix_smtpd_sasl_authenticated_header=yes
Change the Header to not leak Usernames
This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as:
Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with ESMTP id BA7D13744DB
To do this, we need to edit /opt/zimbra/conf/postfix_header_checks
And add the Regex to match & rewrite (note that \ in the line end mean that line continues).
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*\ by (smtp\.mydomain\.com) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ \ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with $5 id $6
And Reload Postfix
postfix reload
SpamAssassin Changes
Now we need to create a rule, and give it a negative score, in order to lower all authenticated senders messages (but not whitelist!)
Create the Rule
Create and edit a new rule, in this example I will use /opt/zimbra/conf/spamassassin/20_user_auth.cf
Add the following lines to this file
# This is a spamassasin ruleset that gives a much lower spam rating for authenticated users # header LOCAL_AUTH_RCVD Received =~ /Authenticated User \(smtp.mydomain.com\).* /
Add a Score to your new rule
In this example, I lower all authenticated senders spam scores by 8.
Edit /opt/zimbra/conf/spamassassin/50_scores.cf
Add the Line:
score LOCAL_AUTH_RCVD -8 -8 -8 -8
Restart Amavis
zmamavisctl restart