Spamassassin postfix authenticated users

Revision as of 22:23, 5 July 2011 by Jefft (talk | contribs)

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 5.0 Article ZCS 5.0

Howdy, Here's a little How-To I wrote up after not being able to find a way of whitelisting authenticated users in spamassassin.

Please note that this configuration will need reviewing EACH and EVERY Upgrade of zimbra that you do, as not all settings will carry over.

Feel free to drop me a a line, or update this article, This example was written and tested on Zimbra NE 5.0.6

I've updated some of the instructions in order to work with Zimbra NE 7.1.1 - jeff turmelle

All of the following should be done as the user zimbra

Postfix Changes

Enable Auth User Header

This enables a header on all authenticated emails that shows who authenticated to send the email.

Received: from [0.0.0.0] (unknown [192.168.255.4])
	(Authenticated sender: myemail@mydomain.com)
	by smtp.mydomain.com (Postfix) with ESMTP id 08333374399
	for <geekygeeks@gmail.com>; Tue, 28 Oct 2008 10:45:37 -0400 (EDT)
5.0 Version

Edit your zmmta.cf file, in /opt/zimbra/conf/ on your MTA Find the section that starts with: SECTION mta DEPENDS amavis

Right before the end of this section, and the line that says RESTART mta Add the line:

  POSTCONF smtpd_sasl_authenticated_header          yes 
7.1 Version

Use the zmlocalconfig command to save this option permanently instead of editing the zmmta.cf file, which means it should translate to upgrades.

zmlocalconfig -e postfix_smtpd_sasl_authenticated_header=yes

Change the Header to not leak Usernames

This header leaks the user's login to whomever is sent an email, to change this we should rewrite that header to something we can match later from spamassassin, such as:

Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with ESMTP id BA7D13744DB
5.0 Version

To do this, we need to edit /opt/zimbra/conf/postfix_header_checks

And add the Regex to match & rewrite (note that \ in the line end mean that line continues).

/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*\
by (smtp\.mydomain\.com) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ \
 REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by Authenticated User (smtp.mydomain.com) with $5 id $6
7.1 Version

I found that the Received Header had changed a bit from the 5.0 instance, and looks more like this on my system:

Received: 	from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) (Authenticated sender: userid) by mydomain.com (Postfix) with ESMTPSA id 61B8F2582E for <userid@mydomain.com>; Fri,  1 Jul 2011 17:25:41 -0400 (EDT)

You will need to edit the file ~zimbra/conf/postfix_header_checks.in and add the REGEX

In addition, as of Zimbra 6.0, postfix_header_checks are turned off. You need to disable zimbraMtaBlockedExtensionsWarnRecipient (which does exactly what you would think.) It appears that we can't use postfix_header_checks AND warn recipients that extensions are being blocked. You have to pick one. If you don't care about leaking the usernames, then you can skip this step and just jump to fixing the score. But if you DO want to warn the sender (I have no idea why you can't do both) then: > zmprov mcf zimbraMtaBlockedExtensionsWarnRecipient FALSE

And then setup a REGEX to rewrite the Received Header:

Obviously, it will be different for everyone, so you may need to fool around with the Regex depending on your situation, but I found this one worked for me. A good resource for testing your REGEX: Regex Tester

/^Received:\s+from\s+(.*)\s+\((.*)\)\s+\(Authenticated sender:\s+(.*)\)\s+by\s+(.*)\s+with\s+(.*)\s+id\s+(.*)\s+for\s+\<(.*)\>;(.*)$/
	REPLACE Received: from $1 ($2) (Authenticated User: mydomain.com) by $4 with $5 id $6 for <$7>; $8

which ends up as something like this:

Received: 	from smtp.mydomain.com (smtp.mydomain.com [192.168.155.123]) (Authenticated User: mydomain.com) by smtp.mydomain.com (Postfix) with ESMTPSA id AE6A12583F for <userid@mydomain.com>;  Tue,  5 Jul 2011 16:21:26 -0400 (EDT)

And Reload Postfix

postfix reload

SpamAssassin Changes

Now we need to create a rule, and give it a negative score, in order to lower all authenticated senders messages (but not whitelist!)

Create the Rule

Create and edit a new rule, in this example I will use /opt/zimbra/conf/spamassassin/20_user_auth.cf

Add the following lines to this file

# This is a spamassasin ruleset that gives a much lower spam rating for authenticated users
#
header LOCAL_AUTH_RCVD    Received =~  /Authenticated User \(smtp.mydomain.com\).* /

Add a Score to your new rule

In this example, I lower all authenticated senders spam scores by 8.

Edit /opt/zimbra/conf/spamassassin/50_scores.cf

Add the Line:
score LOCAL_AUTH_RCVD -8 -8 -8 -8

Restart Amavis

zmamavisctl restart

The Source


Verified Against: Zimbra NE 5.0.6 Date Created: 10/28/2008
Article ID: https://wiki.zimbra.com/index.php?title=Spamassassin_postfix_authenticated_users Date Modified: 2011-07-05



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search