Whitelist authenticated clients
Mark Sapiro
mark at msapiro.net
Thu Oct 26 03:28:05 UTC 2017
On 10/25/2017 12:20 PM, Conz wrote:
>
> Can I make it ignore/whitelist emails from the local domain that have
> been submitted with authentication ? I don’t want to open up the
> possibility of having forged emails getting through by just whitelisting
> the domain.
I think you can't white list per se, but you can make a spamassassin
rule something like this
> header __X_SASL_1 Received =~ /Authenticated sender:.*by sbh16.songbird.com /
> header __X_SASL_2 ALL =~ /^Received:.*^Received:.* by sbh16.songbird.com /msi
> meta X_SASL __X_SASL_1 && !__X_SASL_2
> describe X_SASL SASL Authenticated mail
> score X_SASL -20
The first rule __X_SASL_1 looks for a header like
> Received: from [10.211.115.100] (45-24-217-241.lightspeed.sntcca.sbcglobal.net [45.24.217.241])
> (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
> (No client certificate requested)
> (Authenticated sender: mark)
> by sbh16.songbird.com (Postfix) with ESMTPSA id 4550711E00AA
> for <mark at ms2.msapiro.net>; Wed, 25 Oct 2017 20:10:34 -0700 (PDT)
looking for "Authenticated sender:" and the local host name
(sbh16.songbird.com in this case)
The second rule says "Received:.* by sbh16.songbird.com " is not the
topmost (i.e. last) Received: header (to prevent spoofing)
Then the meta rule basically says the topmost Received: header contains
"Authenticated sender:" and "by our host"
Give that a large enough negative score to offset any positive score.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
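The rule logic from the reply above, as an added example that is not part of the original post: a Python emulation of the two sub-rules and the meta rule, run over constructed headers. The host name and patterns are the ones in the post; the addresses, queue IDs and the `unfold` helper (which assumes SpamAssassin joins folded header lines with a single space) are assumptions for illustration.

```python
import re

# Sub-rule patterns copied from the post; the second one keeps its /msi flags.
SASL_1 = re.compile(r"Authenticated sender:.*by sbh16.songbird.com ")
SASL_2 = re.compile(r"^Received:.*^Received:.* by sbh16.songbird.com ",
                    re.M | re.S | re.I)

def unfold(raw):
    # Assumption: folded header lines are joined with one space before matching.
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def x_sasl(raw):
    """Return (__X_SASL_1, __X_SASL_2, X_SASL) for a raw header block."""
    hdrs = unfold(raw)
    # "header ... Received =~" is emulated by testing all Received values.
    received = "\n".join(
        line.split(":", 1)[1].strip()
        for line in hdrs.splitlines()
        if line.lower().startswith("received:")
    )
    r1 = bool(SASL_1.search(received))
    r2 = bool(SASL_2.search(hdrs))
    return r1, r2, r1 and not r2

# Constructed sample headers (not taken from real mail).
AUTHENTICATED = (
    "Received: from [192.0.2.10] (client.example.net [192.0.2.10])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTPSA id 0000000000\n"
    "From: alice@example.org\nSubject: test\n"
)
FORGED = (  # outside delivery carrying a pre-inserted "authenticated" header
    "Received: from mail.example.com (mail.example.com [203.0.113.5])\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTP id 1111111111\n"
    "Received: from [192.0.2.10] (client.example.net [192.0.2.10])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTPSA id 2222222222\n"
    "From: alice@example.org\nSubject: test\n"
)
PLAIN = (  # ordinary unauthenticated inbound mail
    "Received: from mail.example.com (mail.example.com [203.0.113.5])\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTP id 3333333333\n"
    "From: carol@example.com\nSubject: test\n"
)

if __name__ == "__main__":
    for name, sample in (("authenticated", AUTHENTICATED),
                         ("forged", FORGED), ("plain", PLAIN)):
        print(name, x_sasl(sample))
```

Only the single-hop authenticated submission gets the X_SASL score; the forged message trips `__X_SASL_2` because the server's own Received: header sits above the injected one.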