Re: Creating a dummy filter

  • Camron W. Fox
    Message 1 of 17 , Sep 1, 2008
      Stefan Palme wrote:
      > On Fri, 2008-08-29 at 09:39 -1000, Camron W. Fox wrote:
      >> Noel Jones wrote:
      >>> Camron W. Fox wrote:
      >>>> Alle,
      >>>>
      >>>> We would like to filter all internal email so that it bypasses
      >>>> SpamAssassin. We have set up per_client_filters using:
      >>>>
      >>>> smtpd_client_restrictions =
      >>>> check_client_access cidr:/etc/postfix/per_client_filter
      >>>>
      >>>> == per_client_filter:
      >>>> 0.0.0.0/0 FILTER spamassassin:
      >>>> 10.0.0.0/8 FILTER dummy:
      >>>> ...
      >>>>
      >>> Note that order matters in a cidr: table. First match wins; everything
      >>> matches 0.0.0.0/0. Put the catchall last, more specific entries earlier.
      >>> http://www.postfix.org/cidr_table.5.html
      >>>
      >>>> The spamassassin filter works fine, but how do we create a dummy
      >>>> filter that just does a bypass of all the internal emails?
      >>>>
      >>> Why send them through a filter at all if you don't want them filtered?
      >>> Use DUNNO as the table result.
      >>>
      >>> 10.0.0.0/8 DUNNO
      >>> 0.0.0.0/0 FILTER...
      >>>
      >> Noel,
      >>
      >> So this will accomplish what we want?
      >>
      >> 10.0.0.0/0 DUNNO
      >> 0.0.0.0/0 FILTER spamassassin:
      >
      >
      > Maybe not exactly. We have a similar setup. The problem here is,
      > that mails handed out to spamassassin (in our case it's amavisd-new)
      > is reinjected by amavisd-new to postfix via localhost:10025. All
      > mails bypassing amavisd-new must be "manually" reinjected to port
      > 10025 to accomplish address rewriting etc. (all the stuff that is
      > done AFTER content filtering).
      >
      > So your setup would look like this:
      >
      > 10.0.0.0/0 FILTER smtp:[127.0.0.1]:10025
      > 0.0.0.0/0 FILTER spamassassin:
      >
      > Regards
      > -stefan-
      >
      >

      Stefan,

      Except we aren't using amavis and spamassassin processes traffic on our
      DMZ. Virus scanning is done on the interior mail servers with
      amavisd-new and ClamAV:

      root@rb4:/etc/postfix [1002/2]# grep spamassassin master.cf
      smtp inet n - n - - smtpd -o
      content_filter=spamassassin
      spamassassin
      unix - n n - - pipe
      user=nobody argv=/usr/bin/spamc -e /usr/lib/sendmail -oi -f
      ${sender} ${recipient}

      Best Regards,
      Camron

      Camron W. Fox
      Hilo Office
      High Performance Computing Group
      Fujitsu America, INC.
      E-mail: cwfox@...
    • Noel Jones
      Message 2 of 17 , Sep 1, 2008
        Camron W. Fox wrote:
        > Stefan Palme wrote:
        >> On Fri, 2008-08-29 at 09:39 -1000, Camron W. Fox wrote:
        >>> Noel Jones wrote:
        >>>> Camron W. Fox wrote:
        >>>>> Alle,
        >>>>>
        >>>>> We would like to filter all internal email so that it bypasses
        >>>>> SpamAssassin. We have set up per_client_filters using:
        >>>>>
        >>>>> smtpd_client_restrictions =
        >>>>> check_client_access cidr:/etc/postfix/per_client_filter
        >>>>>
        >>>>> == per_client_filter:
        >>>>> 0.0.0.0/0 FILTER spamassassin:
        >>>>> 10.0.0.0/8 FILTER dummy:
        >>>>> ...
        >>>>>
        >>>> Note that order matters in a cidr: table. First match wins;
        >>>> everything matches 0.0.0.0/0. Put the catchall last, more specific
        >>>> entries earlier.
        >>>> http://www.postfix.org/cidr_table.5.html
        >>>>
        >>>>> The spamassassin filter works fine, but how do we create a dummy
        >>>>> filter that just does a bypass of all the internal emails?
        >>>>>
        >>>> Why send them through a filter at all if you don't want them
        >>>> filtered? Use DUNNO as the table result.
        >>>>
        >>>> 10.0.0.0/8 DUNNO
        >>>> 0.0.0.0/0 FILTER...
        >>>>
        >>> Noel,
        >>>
        >>> So this will accomplish what we want?
        >>>
        >>> 10.0.0.0/0 DUNNO
        >>> 0.0.0.0/0 FILTER spamassassin:
        >>
        >>
        >> Maybe not exactly. We have a similar setup. The problem here is,
        >> that mails handed out to spamassassin (in our case it's amavisd-new)
        >> is reinjected by amavisd-new to postfix via localhost:10025. All
        >> mails bypassing amavisd-new must be "manually" reinjected to port
        >> 10025 to accomplish address rewriting etc. (all the stuff that is
        >> done AFTER content filtering).
        >>
        >> So your setup would look like this:
        >>
        >> 10.0.0.0/0 FILTER smtp:[127.0.0.1]:10025
        >> 0.0.0.0/0 FILTER spamassassin:
        >>
        >> Regards
        >> -stefan-
        >>
        >>
        >
        > Stefan,
        >
        > Except we aren't using amavis and spamassassin processes traffic on
        > our DMZ. Virus scanning is done on the interior mail servers with
        > amavisd-new and ClamAV:
        >
        > root@rb4:/etc/postfix [1002/2]# grep spamassassin master.cf
        > smtp inet n - n - - smtpd -o
        > content_filter=spamassassin
        > spamassassin
        > unix - n n - - pipe
        > user=nobody argv=/usr/bin/spamc -e /usr/lib/sendmail -oi -f ${sender}
        > ${recipient}
        >
        > Best Regards,
        > Camron
        >
        > Camron W. Fox
        > Hilo Office
        > High Performance Computing Group
        > Fujitsu America, INC.
        > E-mail: cwfox@...
        >

        The DUNNO solution described earlier will work for any setup
        that doesn't use "content_filter = something" in main.cf or
        the receiving smtpd listener.

        So it should work fine for you.

        --
        Noel Jones
      • Camron W. Fox
        Message 3 of 17 , Sep 26, 2008
          Noel Jones wrote:
          > Camron W. Fox wrote:
          >> Stefan Palme wrote:
          >>> On Fri, 2008-08-29 at 09:39 -1000, Camron W. Fox wrote:
          >>>> Noel Jones wrote:
          >>>>> Camron W. Fox wrote:
          >>>>>> Alle,
          >>>>>>
          >>>>>> We would like to filter all internal email so that it bypasses
          >>>>>> SpamAssassin. We have set up per_client_filters using:
          >>>>>>
          >>>>>> smtpd_client_restrictions =
          >>>>>> check_client_access cidr:/etc/postfix/per_client_filter
          >>>>>>
          >>>>>> == per_client_filter:
          >>>>>> 0.0.0.0/0 FILTER spamassassin:
          >>>>>> 10.0.0.0/8 FILTER dummy:
          >>>>>> ...
          >>>>>>
          >>>>> Note that order matters in a cidr: table. First match wins;
          >>>>> everything matches 0.0.0.0/0. Put the catchall last, more specific
          >>>>> entries earlier.
          >>>>> http://www.postfix.org/cidr_table.5.html
          >>>>>
          >>>>>> The spamassassin filter works fine, but how do we create a
          >>>>>> dummy filter that just does a bypass of all the internal emails?
          >>>>>>
          >>>>> Why send them through a filter at all if you don't want them
          >>>>> filtered? Use DUNNO as the table result.
          >>>>>
          >>>>> 10.0.0.0/8 DUNNO
          >>>>> 0.0.0.0/0 FILTER...
          >>>>>
          >>>> Noel,
          >>>>
          >>>> So this will accomplish what we want?
          >>>>
          >>>> 10.0.0.0/0 DUNNO
          >>>> 0.0.0.0/0 FILTER spamassassin:
          >>>
          >>>
          >>> Maybe not exactly. We have a similar setup. The problem here is,
          >>> that mails handed out to spamassassin (in our case it's amavisd-new)
          >>> is reinjected by amavisd-new to postfix via localhost:10025. All
          >>> mails bypassing amavisd-new must be "manually" reinjected to port
          >>> 10025 to accomplish address rewriting etc. (all the stuff that is
          >>> done AFTER content filtering).
          >>>
          >>> So your setup would look like this:
          >>>
          >>> 10.0.0.0/0 FILTER smtp:[127.0.0.1]:10025
          >>> 0.0.0.0/0 FILTER spamassassin:
          >>>
          >>> Regards
          >>> -stefan-
          >>>
          >>>
          >>
          >> Stefan,
          >>
          >> Except we aren't using amavis and spamassassin processes traffic
          >> on our DMZ. Virus scanning is done on the interior mail servers with
          >> amavisd-new and ClamAV:
          >>
          >> root@rb4:/etc/postfix [1002/2]# grep spamassassin master.cf
          >> smtp inet n - n - - smtpd -o
          >> content_filter=spamassassin
          >> spamassassin
          >> unix - n n - - pipe
          >> user=nobody argv=/usr/bin/spamc -e /usr/lib/sendmail -oi -f
          >> ${sender} ${recipient}
          >>
          >> Best Regards,
          >> Camron
          >>
          >> Camron W. Fox
          >> Hilo Office
          >> High Performance Computing Group
          >> Fujitsu America, INC.
          >> E-mail: cwfox@...
          >>
          >
          > The DUNNO solution described earlier will work for any setup that
          > doesn't use "content_filter = something" in main.cf or the receiving
          > smtpd listener.
          >
          > So it should work fine for you.
          >

          Alle,

          I tested this and it seemed to work with no problems. When I
          implemented it on the production servers, I started to see these messages:

          access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3"
          requires transport:destination

          I cannot tell if this mail is being bounced or not. Any help would be
          appreciated.

          Best Regards,
          Camron

          --
          Camron W. Fox
          Hilo Office
          High Performance Computing Group
          Fujitsu America, INC.
          E-mail: cwfox@...
        • Sahil Tandon
          Message 4 of 17 , Sep 26, 2008
            Camron W. Fox <cwfox@...> wrote:

            > access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3" requires
            > transport:destination

            Typo in your per_client_filter CIDR? Show us.

            --
            Sahil Tandon <sahil@...>
          • Camron W. Fox
            Message 5 of 17 , Sep 26, 2008
              Sahil Tandon wrote:
              > Camron W. Fox <cwfox@...> wrote:
              >
              >> access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3" requires
              >> transport:destination
              >
              > Typo in your per_client_filter CIDR? Show us.
              >
              Sorry, it was shown in the inline above:

              133.40.0.0/16 FILTER DUNNO
              0.0.0.0/0 FILTER spamassassin:

              Best Regards,
              Camron
            • Sahil Tandon
              Message 6 of 17 , Sep 26, 2008
                Camron W. Fox <cwfox@...> wrote:

                > Sahil Tandon wrote:
                >> Camron W. Fox <cwfox@...> wrote:
                >>
                >>> access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3"
                >>> requires transport:destination
                >>
                >> Typo in your per_client_filter CIDR? Show us.
                >>
                > Sorry, it was shown in the inline above:
                >
                > 133.40.0.0/16 FILTER DUNNO

                DUNNO is not a filter; that's why Postfix is complaining. See
                access(5):

                http://www.postfix.org/access.5.html

                --
                Sahil Tandon <sahil@...>
              • Camron W. Fox
                Message 7 of 17 , Sep 26, 2008
                  Sahil Tandon wrote:
                  > Camron W. Fox <cwfox@...> wrote:
                  >
                  >> Sahil Tandon wrote:
                  >>> Camron W. Fox <cwfox@...> wrote:
                  >>>
                  >>>> access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3"
                  >>>> requires transport:destination
                  >>> Typo in your per_client_filter CIDR? Show us.
                  >>>
                  >> Sorry, it was shown in the inline above:
                  >>
                  >> 133.40.0.0/16 FILTER DUNNO
                  >
                  > DUNNO is not a filter; that's why Postfix is complaining. See
                  > access(5):
                  >
                  > http://www.postfix.org/access.5.html
                  >
                  So it should be this:

                  133.40.0.0/16 DUNNO
                  0.0.0.0/0 FILTER spamassassin:

                  Best Regards,
                  Camron

                  --
                  Camron W. Fox
                  Hilo Office
                  High Performance Computing Group
                  Fujitsu America, INC.
                  E-mail: cwfox@...
                • Sahil Tandon
                  Message 8 of 17 , Sep 26, 2008
                    Camron W. Fox <cwfox@...> wrote:

                    >>>>> access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3"
                    >>>>> requires transport:destination
                    >>>> Typo in your per_client_filter CIDR? Show us.
                    >>>>
                    >>> Sorry, it was shown in the inline above:
                    >>>
                    >>> 133.40.0.0/16 FILTER DUNNO
                    >>
                    >> DUNNO is not a filter; that's why Postfix is complaining. See
                    >> access(5):
                    >>
                    >> http://www.postfix.org/access.5.html
                    >>
                    > So it should be this:
                    >
                    > 133.40.0.0/16 DUNNO
                    > 0.0.0.0/0 FILTER spamassassin:

                    Yes.

                    --
                    Sahil Tandon <sahil@...>
                  • Camron W. Fox
                    Message 9 of 17 , Sep 26, 2008
                      Sahil Tandon wrote:
                      > Camron W. Fox <cwfox@...> wrote:
                      >
                      >>>>>> access table cidr:/etc/postfix/per_client_filter entry "10.1.2.3"
                      >>>>>> requires transport:destination
                      >>>>> Typo in your per_client_filter CIDR? Show us.
                      >>>>>
                      >>>> Sorry, it was shown in the inline above:
                      >>>>
                      >>>> 133.40.0.0/16 FILTER DUNNO
                      >>> DUNNO is not a filter; that's why Postfix is complaining. See
                      >>> access(5):
                      >>>
                      >>> http://www.postfix.org/access.5.html
                      >>>
                      >> So it should be this:
                      >>
                      >> 133.40.0.0/16 DUNNO
                      >> 0.0.0.0/0 FILTER spamassassin:
                      >
                      > Yes.
                      >
                      So,

                      What happened to the mail that met the "FILTER DUNNO" criteria of the
                      incorrect config?

                      Best Regards,
                      Camron

                      Camron W. Fox
                      Hilo Office
                      High Performance Computing Group
                      Fujitsu America, INC.
                      E-mail: cwfox@...
                    • Sahil Tandon
                      Message 10 of 17 , Sep 26, 2008
                        Camron W. Fox <cwfox@...> wrote:

                        > What happened to the mail that met the "FILTER DUNNO" criteria of the
                        > incorrect config?

                        Your logs will tell you. You could also see if it's lurking in the
                        mailq.

                        --
                        Sahil Tandon <sahil@...>
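
Added example, not part of the thread: a small linter for a Postfix cidr: access table such as per_client_filter, covering the two mistakes discussed above (a catch-all placed before a more specific entry, and FILTER given without a transport:destination argument). The FILTER check is modelled on the warning quoted in the thread and assumes any argument containing ":" is acceptable; the function names and sample tables are constructed for illustration.

```python
import ipaddress

def parse(text):
    """Yield (lineno, network, host_bits_set, action); network is None if unparsable."""
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        action = parts[1].strip() if len(parts) > 1 else ""
        try:
            net, loose = ipaddress.ip_network(parts[0], strict=True), False
        except ValueError:
            try:
                # e.g. "10.0.0.0/0": address bits set outside the prefix
                net, loose = ipaddress.ip_network(parts[0], strict=False), True
            except ValueError:
                net, loose = None, False
        yield n, net, loose, action

def lint(text):
    """Return [(lineno, finding)] for a cidr: access table (first match wins)."""
    findings, earlier = [], []
    for n, net, loose, action in parse(text):
        if net is None:
            findings.append((n, "bad-pattern"))
            continue
        if loose:
            findings.append((n, "host-bits-set"))
        # An earlier, equal or broader network means this line can never match.
        if any(p.version == net.version and net.subnet_of(p) for p in earlier):
            findings.append((n, "shadowed"))
        earlier.append(net)
        words = action.split(None, 1)
        arg = words[1] if len(words) > 1 else ""
        if words and words[0].upper() == "FILTER" and ":" not in arg:
            findings.append((n, "filter-needs-transport:destination"))
    return findings

def lookup(text, client):
    """Return the action of the first entry matching the client address."""
    addr = ipaddress.ip_address(client)
    for _, net, _, action in parse(text):
        if net is not None and addr in net:
            return action
    return None

# Constructed sample tables, taken from the entries quoted in the thread.
ORIGINAL = "0.0.0.0/0 FILTER spamassassin:\n10.0.0.0/8 FILTER dummy:\n"
BROKEN = "133.40.0.0/16 FILTER DUNNO\n0.0.0.0/0 FILTER spamassassin:\n"
FIXED = "133.40.0.0/16 DUNNO\n0.0.0.0/0 FILTER spamassassin:\n"
TYPO = "10.0.0.0/0 DUNNO\n0.0.0.0/0 FILTER spamassassin:\n"

if __name__ == "__main__":
    for name in ("ORIGINAL", "BROKEN", "FIXED", "TYPO"):
        print(name, lint(globals()[name]))
```

On a live system, `postmap -q 10.1.2.3 cidr:/etc/postfix/per_client_filter` shows which action the real table returns for a given client address.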