Whitelist authenticated clients

Conz Conz at B0x.nl
Sun Oct 29 09:05:20 UTC 2017


I ended up rewriting the Received line for incoming mail on the submission port and doing HOLD on a different part of the header.
I got another option to do this with '-o smtpd_end_of_data_restrictions=static:hold' from the postfix list but I could not figure out how to get this to work.
That would have been the preferred way.
Basically everything is so focussed on having fixed IPs where your clients are; the moment you're dealing with mobile clients that can come from anywhere (aka 0.0.0.0/0) it becomes tricky.

In case anyone else runs into something like this, what I did was (only the relevant parts):
master.cf:
submission inet n       -       n       -       -       smtpd
        -o cleanup_service_name=auth-cleanup
auth-cleanup    unix    n       -       n       -       0       cleanup
        -o syslog_name=postfix/auth-cleanup
        -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre

auth_header_checks.pcre:
/^\s*(Received: from)[^\n]*(.*for <.*@(?!mydomain.com).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version:*/ HOLD


-----Original message-----
From: MailScanner [mailto:mailscanner-bounces+conz=b0x.nl at lists.mailscanner.info] On behalf of Mark Sapiro
Sent: Thursday 26 October 2017 05:28
To: mailscanner at lists.mailscanner.info
Subject: Re: Whitelist authenticated clients

On 10/25/2017 12:20 PM, Conz wrote:
> 
> Can I make it ignore/whitelist emails from the local domain that have 
> been submitted with authentication ?  I don’t want to open up the 
> possibility of having forged emails getting through by just 
> whitelisting the domain.


I think you can't white list per se, but you can make a spamassassin rule something like this


> header __X_SASL_1 Received =~ /Authenticated sender:.*by sbh16.songbird.com /
> header __X_SASL_2 ALL =~ /^Received:.*^Received:.* by sbh16.songbird.com /msi
> meta X_SASL __X_SASL_1 && !__X_SASL_2
> describe X_SASL SASL Authenticated mail
> score X_SASL -20

The first rule __X_SASL_1 looks for a header like

> Received: from [10.211.115.100] (45-24-217-241.lightspeed.sntcca.sbcglobal.net [45.24.217.241])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
> 	(No client certificate requested)
> 	(Authenticated sender: mark)
> 	by sbh16.songbird.com (Postfix) with ESMTPSA id 4550711E00AA
> 	for <mark at ms2.msapiro.net>; Wed, 25 Oct 2017 20:10:34 -0700 (PDT)

looking for "Authenticated sender:" and the local host name (sbh16.songbird.com in this case).

The second rule says "Received:.* by sbh16.songbird.com " is not the topmost (i.e. last) Received: header (to prevent spoofing).

Then the meta rule basically says the topmost Received: header contains "Authenticated sender:" and "by our host".

Give that a large enough negative score to offset any positive score.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
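As an added example (not code from either message in the thread), here is a small Python check that applies the same two-rule logic Mark describes, assuming SpamAssassin's default unfolding of folded header lines before matching. The header samples are constructed and reuse only the host name sbh16.songbird.com from his example; the spoofed sample shows why the second rule is needed.

```python
import re

def unfold(header_block: str) -> list:
    """Split a raw header block into logical headers, joining folded
    continuation lines (lines starting with space or tab) with a space."""
    headers = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def x_sasl(header_block: str, local_host: str) -> bool:
    """Evaluate meta X_SASL = __X_SASL_1 && !__X_SASL_2 from the thread."""
    host = re.escape(local_host)
    # __X_SASL_1: some Received header records SASL auth on our own host
    rule1 = re.compile(r"Authenticated sender:.*by " + host + " ")
    # __X_SASL_2: "by our host" also appears in a Received header that is
    # not the topmost one, i.e. the authenticated hop could be forged
    rule2 = re.compile(r"^Received:.*^Received:.* by " + host + " ",
                       re.M | re.S | re.I)
    unfolded = unfold(header_block)
    received = [h for h in unfolded if h.lower().startswith("received:")]
    sasl_1 = any(rule1.search(h) for h in received)
    sasl_2 = rule2.search("\n".join(unfolded)) is not None
    return sasl_1 and not sasl_2

# Constructed samples (addresses are documentation ranges, ids placeholders).
# 1) genuine submission: topmost hop is the authenticated one on our host
LEGIT = (
    "Received: from [10.211.115.100] (client.example.invalid [192.0.2.10])\n"
    "\t(Authenticated sender: mark)\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTPSA id PLACEHOLDER1\n"
    "\tfor <mark@example.invalid>; Wed, 25 Oct 2017 20:10:34 -0700 (PDT)\n"
    "From: mark@example.invalid\nSubject: hello\n")
# 2) external mail whose sender prepended a forged authenticated hop;
#    our MX then added the real (unauthenticated) topmost Received
SPOOFED = (
    "Received: from mx.example.invalid (mx.example.invalid [198.51.100.5])\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTP id PLACEHOLDER2\n"
    "Received: from [10.0.0.5] (unknown [203.0.113.7])\n"
    "\t(Authenticated sender: mark)\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTPSA id PLACEHOLDER3\n"
    "From: mark@example.invalid\nSubject: forged\n")
# 3) ordinary inbound mail with no authenticated hop at all
EXTERNAL = (
    "Received: from mx.example.invalid (mx.example.invalid [198.51.100.5])\n"
    "\tby sbh16.songbird.com (Postfix) with ESMTP id PLACEHOLDER4\n"
    "From: someone@example.invalid\nSubject: inbound\n")
```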


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner





