HOWTO? Whitelist IP Block + SMTP Auth Users

[stbain]

I looked through the forums and found a few references to whitelisting techniques using the Postfix and Spamassassin configuration files, but I have yet to find a definitive answer or howto on what needs to be done to whitelist my entire network and any SMTP AUTH authenticated senders to ensure their emails never end up in the Junk folder. We have notifications being sent to customers from our webserver and it is getting labeled as [spam].

Anyone have any suggestions or additional resources I need to review?

[JoshuaPrismon]

Quote:

Originally Posted by stbain

I looked through the forums and found a few references to whitelisting techniques using the Postfix and Spamassassin configuration files, but I have yet to find a definitive answer or howto on what needs to be done to whitelist my entire network and any SMTP AUTH authenticated senders to ensure their emails never end up in the Junk folder. We have notifications being sent to customers from our webserver and it is getting labeled as [spam].

Anyone have any suggestions or additional resources I need to review?

I am not sure there is a actual sanctioned way to do this. I believe that it's possible to do it via spamassassin (insert a rule to validate your local address and pass it on). The SMTP Auth case is a bit harder (You might be able to look at the SMTP header to figure out if the first server is yours, but it's going to take some work).

I will try and take a look at this tonight and see if there is a easy way to implement that that I am missing.

[JoshuaPrismon]

I started playing around with this last night. I have more questions then answers, but AFAIK no one has done this yet, and AFAIK it is possible.There are a couple of problems however:

1. For Some reason Zimbra likes to pass everything to amavisd-new as user zimbra. This creates restrictions around single user and poisioned spam databases and whitelists. This might also be a postfix problem, or a deliberate design decision.
2. It's possible to pass auto-white list items to amavis via ldap entries. However these entires are typically for email addresses, not protected ip ranges. I am not sure if Amavis has everything it needs to whitelist based on ip addresses.
3. Thankfully Amavis has seperate spam controls versus virus controls. However, in my opinion while it is safe maybe to give your local users a boost on the spam score, I think you should spam check just in case you have a spam trojan infect a interion machine
4. It is possible to whitelist in spamassassin based on sender domain. However, sender domain is frequently abused by spammers, and this will increase the volume of spam non-trivially.

Zimbra folks, is there a good reason for the single zimbra account for all incoming mail?

[KevinH]

Your webserver and other hosts should be listed in mynetworks. This will auto-whitelsit them.

[dlbewley]

Quote:

4. It is possible to whitelist in spamassassin based on sender domain. However, sender domain is frequently abused by spammers, and this will increase the volume of spam non-trivially.

I'm still evaluating Zimbra, but I currently I do this on my existing postfix box:

In main.cf:
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
check_sender_access hash:$config_directory/access,
hash:$config_directory/sender_checks

And in sender_checks :
# mail from these will be discarded if they do not come from $mynetworks
# except for the loophole created by SASL authentication
.my.domain.com REJECT are you spoofing


So, to retain this functionality I was expecting to setup an SMTP gateway that all mail will be fed through. I'll also have to make sure this gateway can validate addresses an aliases stored in the Zimbra server via LDAP. I'm assuming (*hoping*) that will be possible.