Mailing List Archive

Re: Bypass RBL checks for specific address
On 12/23/20 9:55 PM, John Hardin wrote:
> Did you see my mention of this earlier?

Yes, I did see it.

That's a bit more invasive of a change than I was hoping to do for this
task.

I had been waiting to reply to your earlier message to test some things
that you recommended.

As you will see in my recent reply, I do believe that I've managed to
achieve most of what I wanted to do.



--
Grant. . . .
unix || die
Re: Bypass RBL checks for specific address
On 12/22/20 4:56 PM, Grant Taylor wrote:
> Is there a way to bypass RBL checks for a specific address?

Thank you all.

I believe I have been able to get the result I desired and learn a few
things in the process.

TL;DR: Setting scores to 0 in the specific recipient's
~/.spamassassin/user_prefs file worked.

I learned that spamass-milter /does/ /apparently/ support
personalization, something I wasn't aware of.

I learned that adding the "-x" option to spamass-milter will cause it to
use sendmail -bv to try to identify the Unix account that needs to be
passed to spamc via (spamc's) "-u" option.

I needed to tweak group membership so that the user spamass-milter ran
as could read /etc/mail/virtusertable.db.

Now, things seem to be working. spamd is setuid(ing) to the correct
Unix user and reading the user_prefs file like I need.

Thank you again for all your help.



--
Grant. . . .
unix || die
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> On 12/23/20 2:15 PM, John Hardin wrote:
>> spamass-milter has a -u flag for a username to pass to SA. If these are
>> single-recipient messages that may be enough to reliably tie into per-user
>> config to disable the RBL check.
>
> It seems as if spamass-milter is using the -u to specify a default user. It
> also seems as if spamass-milter will attempt to discover the (first)
> recipient if -x is also used. Spamass-milter will then use -u to pass the
> username default for first detected to spamc so that spamc can use
> personalized settings.

Right. Sorry, I misworded my description a bit.

>> I am fairly sure that setting a rule score to zero bypasses the rule (vs.
>> running it and ignoring the result) but you will probably want to test that
>> to confirm whether the RBL is checked anyways. However, if the RBL check is
>> written as a subrule then it can't be disabled this way as subrules don't
>> have scores to set to zero.
>
> ACK
>
> This matches my tests.

Oh, good. Thanks for the confirmation.

>> That last option sounds to me like the first one you should explore.
>
> Thankfully, and to my surprise, SpamAssassin / spamass-milter /is/ attempting
> personalization.
>
> "-u spamass-milter" was already in place.
>
> I added "-x" to cause spamass-milter to try to detect the first user, tweaked
> permissions (group membership) to allow spamass-milter to run sendmail -bv to
> detect some other users correctly, and now things seem to be working much
> closer to how I want.
>
> Initial testing seems very promising use of heavily modified
> ~/.spamassassin/user_prefs.

Good news!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas
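
Added example, not part of the thread or of SpamAssassin itself: a small audit of a recipient's user_prefs that reports which `score` lines actually disable a rule and which target a sub-rule (names starting with `__`), where a zero score has no effect, as discussed above. The sample file contents are constructed for illustration, and the status labels are this example's own.

```python
# Constructed sample of one recipient's ~/.spamassassin/user_prefs (not from the thread).
SAMPLE_USER_PREFS = """\
# per-user overrides
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0 0 0 0
score RCVD_IN_SBL 0 0.5 0 0.5
score __RCVD_IN_ZEN 0
score URIBL_BLACK (-1.0)
required_score 6.0
"""


def audit_scores(text):
    """Map each rule named on a 'score' line to what that line achieves."""
    result = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        name, values = parts[1], parts[2:]
        if name.startswith("__"):
            # Sub-rules carry no score, so a score line cannot switch them off.
            result[name] = "subrule"
        elif any(v.startswith("(") for v in values):
            # Parenthesised values adjust the default score; the rule still runs.
            result[name] = "relative"
        else:
            try:
                nums = [float(v) for v in values]
            except ValueError:
                result[name] = "unparsed"
                continue
            if all(n == 0 for n in nums):
                result[name] = "disabled"
            elif any(n == 0 for n in nums):
                # Zero in only some of the four score sets; which set is
                # active depends on whether Bayes and network tests are on.
                result[name] = "partial"
            else:
                result[name] = "scored"
    return result


if __name__ == "__main__":
    for rule, status in audit_scores(SAMPLE_USER_PREFS).items():
        print(f"{rule:16} {status}")
```

Any rule reported as `subrule` or `partial` is worth confirming with a test message, since the DNS lookup may still be made for that recipient.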
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> On 12/23/20 9:55 PM, John Hardin wrote:
>> Did you see my mention of this earlier?
>
> Yes, I did see it.
>
> That's a bit more invasive of a change than I was hoping to do for this task.
>
> I had been waiting to reply to your earlier message to test some things that
> you recommended.
>
> As you will see in my recent reply, I do believe that I've managed to achieve
> most of what I wanted to do.

Good.

I did notice from your earlier description that you (weakly) wanted to
completely bypass SA scanning for those automated messages, which makes
sense from a resource management perspective. The milter proxy would be
the way to do that, as it would give you a way to bypass spamass-milter
based on recipient (or more reliably sender + recipient).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas