Loading ...
Sorry, an error occurred while loading the content.

296650Restrict access to spam filter retraining aliases

Expand Messages
  • Igor Zinovik
    Nov 14, 2013

      I would like to ask for help with implementing access control for retraining aliases.

      What I implemented:
      - User found message in his mailbox (e.g. sales@...) that he considers spam,
      then he forwards this letter to sales-spam@... to retrain filter
      - User found message in his mailbox that accidently was marked as spam and was stored
      in Spam folder.  So he forwards this letter to sales-nospam@... to retraing filter
      that this letter was false positive.

      Here is what I've done:
      - add two service entries to master.cf
      # Train for spam
      dspam-spam            unix      -      n      n      -      -      pipe
         flags=Rhq user=dspam argv=/usr/sbin/dspam --client --user ${user}@${nexthop} --class=spam --source=error
      # Train for ham
      dspam-nospam          unix      -      n      n      -      -      pipe
         flags=Rhq user=dspam argv=/usr/sbin/dspam --client --user ${user}@${nexthop} --class=innocent --source=error

      Create transport map for addresses like user-spam@... and user-nospam@....  I host
      several domains so I went for regular expression:
      # grep transport_maps /etc/postfix/main.cf
      transport_maps = regexp:/etc/postfix/transport.dspam
      # cat /etc/postfix/transport.dspam
      /^.*-spam@(.*)$/i       dspam-spam:{$2}
      /^.*-nospam@(.*)$/i     dspam-nospam:{$2}

      I do not have local users, all my users are virtual and are stored in LDAP.  But I do not want to setup retrain aliases
      for each LDAP stored user:
      dn uid=sales,ou=users,dc=example.org,ou=mail,dc=example,dc=org
      mail: sales@...
      mailAlternateAddress: sales-spam@...
      mailAlternateAddress: sales-nospam@...

      So I went for canonical maps:
      # grep canonical_maps /etc/postfix/main.cf
      canonical_maps = regexp:/etc/postfix/dspam-maps
      # cat /etc/postfix/dspam-maps
      /^(.*)-spam@(.*)$/i     $1@$2
      /^(.*)-nospam@(.*)$/i   $1@$2

      But how do I implement access control for these aliases.  I mean that how do I restrict a malicious user from feeding
      sales-spam@... with legitimate messages and vice versa?  Is it possible some how to restrict access
      to these aliases only to owner of mailbox? E.g. I do not want to allow sales@... feed marketing-spam@...
      with legitimate mail.

      If someone has similiar setup I also would like to know is it useful at all, or most of them do not care about filter retraining.
    • Show all 4 messages in this topic