[Mimedefang] white listing $senders

alan premselaar alien at 12inch.com
Wed Jul 7 21:38:29 EDT 2004


Jeffrey Goldberg wrote:
[snip...]

> To mimedefang-filter I've added the following two functions
> 
> sub filter_sender {
>   my ($sender, $ip, $hostname, $helo) = @_;
>   return('ACCEPT_AND_NO_MORE_FILTERING', "Sender whitelisted")
>        if is_whitelisted($sender, $ip);
> 
>   return ('CONTINUE', "ok");
> }
> 
> sub is_whitelisted {
>   my ($sender, $ip) = @_;
>   my ($whitelistfile) = '/var/spool/MIMEDefang/whitelist.txt' ;
> 
>   # Perl has no true/false barewords: both would be truthy strings, so
>   # every sender would end up whitelisted.  Return 1 and 0 instead.
>   return 1 if ($ip =~ /^192\.168\./ );
> 
>   # MIMEDefang passes the envelope sender as "<user@host>"; strip the
>   # angle brackets so the address can match a bare line in the file.
>   (my $addr = $sender) =~ s/^<(.*)>$/$1/;
> 
>   if (open (WHITELIST, "< $whitelistfile" )) {
>      my @whitelist = <WHITELIST> ;
>      close(WHITELIST);
>      chomp @whitelist;
>      # Anchor both ends and \Q..\E the address: "." and "+" in it must
>      # not act as regex metacharacters, and "foo.user@host" must not
>      # match an entry for "user@host".
>      return 1 if grep { /^\Q$addr\E$/i } @whitelist ;
>   }
> 
>   return 0;
> }
> 
> 
[snip...]

> 
> I have a couple of questions.
> 
> (1) Other than my forgetting to chomp are there other errors in the code
>     that people notice.
> 
One thing I noticed is that you are storing your file in
/var/spool/MIMEDefang.  If you have your system configured as
recommended, with /var/spool/MIMEDefang on a tmpfs or RAM disk, then
you'll obviously need some sort of external way to make sure this
information isn't hosed if you lose power or reboot the machine (etc.).

Also, although the file handle should be closed once the script exits,
it's usually good practice (in my opinion) to close your file handles
when you're done with them.

So, in sub is_whitelisted, just before you return, you may want to
close(WHITELIST);

If you're only going to whitelist based on senders who publish SPF, you
should (if you haven't already) look into using Mail::SPF::Query.  If
your intention is to whitelist any sender who's publishing SPF records,
then you could probably save yourself a lot of trouble by just
"whitelisting" based on the results of Mail::SPF::Query as opposed to
keeping a local flat file.  Otherwise you could use the results of
Mail::SPF::Query in conjunction with your flat-file read to determine if
the mail should be scanned or not.

> (2) Will the whitelist file be opened anew with every incoming mail? or
>     will it only be opened when the multiplexor starts a slave?
> 
The way you have it configured here, every time filter_sender is called
your whitelist file will be opened.

> (3) If the answer to (2) is "every time" is there something I can do to
>     fix that while still keeping the whitelist in an external file?
> 

You may want to consider using embedded Perl.  Then you could set up your
filehandles in filter_initialize and just reference them as appropriate
in filter_sender.

> (4) I'm using bayes autolearn for spamassassin, if I by-pass spamassassin
>     with this whitelisting am I depriving the autolearn system with
>     important information?
> 

Obviously, any information you don't pass through the Bayes autolearn
facility is information it is deprived of.  Whether or not it's important
information depends on the contents of the mail and your auto-learn
criteria.

> I also have a few policy questions.
> 
>  (4) What I'm doing will exempt whitelisted mail not only from defanging,
>      bad extension checks and SpamAssassin, but also from virus scanning.
>      Is that stupid?  Note that at the site in question almost all (but
>      not all) email users are on Linux.  Of the few MS-Windows users,
>      almost everyone (but not everyone) is using a Mozilla based MUA.
>      (But I know that there is at least one Outhouse user still, and
>      that is not going to change).

Firstly, I personally am a little uneasy with setting up whitelisting
facilities based on fields that could potentially be exploited or
forged.  You may want to keep that in mind when setting up your
whitelisting.  I prefer to do my sender whitelisting (per se) based on
SMTP AUTH.  My mail server doesn't have any "local" senders (i.e. from
the box itself) and is located in a co-lo, so there's no local network to
authenticate against.  Since all of my users are remote (and world-wide),
the only useful way for me to determine if scanning should be done is by
checking SMTP AUTH.

My policy decisions are such that I scan every piece of mail through my
server for viruses, even outgoing mail that has been SMTP AUTH'd.  The
overhead is minimal and it only takes ONE virus mail to cause a problem,
so if you have even one machine that could possibly send a virus,
you're better off scanning than not (in my opinion).

I do, however, skip spam scanning for my authenticated users as I know
my users don't send spam.  YMMV.

Hope this is useful information.

alan
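The following mimedefang-filter fragment is an added example that pulls the suggestions in this reply together; it is not Jeffrey's code, Alan's code, or part of MIMEDefang itself. It loads the whitelist once per slave in filter_initialize instead of reopening it per message, treats SMTP AUTH (which a remote client cannot forge) as the primary trust signal, only honours a flat-file entry when the connecting IP passes the sender domain's SPF policy via Mail::SPF::Query, keeps virus scanning for every message, and skips only the SpamAssassin pass for trusted senders. The whitelist path and the 192.168/16 local network are invented for the example; it also assumes the multiplexor runs with embedded Perl (so the loaded hash survives between messages), that sendmail exports the {auth_authen} macro to the filter (MIMEDefang's default macro set), and that Mail::SPF::Query is installed and DNS is reachable.

```perl
# Added example: a mimedefang-filter fragment, not the thread's own code.
# Assumptions: embedded Perl (filter_initialize runs once per slave and
# %Whitelist persists), the whitelist lives outside the tmpfs spool (the
# path below is invented), sendmail exports {auth_authen} to the filter,
# and Mail::SPF::Query plus working DNS are available on the filter host.
use strict;
use warnings;
use Mail::SPF::Query;

my $WhitelistFile = '/etc/mail/mimedefang-whitelist.txt';   # assumed path
my %Whitelist;                                               # lowercased addresses
my $LocalNet      = qr/^192\.168\.\d{1,3}\.\d{1,3}$/;        # assumed LAN

# Runs once when a slave starts: read the flat file into a hash so the
# per-message callbacks never touch the disk.
sub filter_initialize {
    %Whitelist = ();
    if (open(my $fh, '<', $WhitelistFile)) {
        while (my $line = <$fh>) {
            chomp $line;
            $line =~ s/#.*$//;           # drop comments
            $line =~ s/^\s+|\s+$//g;     # trim whitespace
            next if $line eq '';
            $Whitelist{lc $line} = 1;
        }
        close($fh);
    } else {
        md_syslog('warning', "cannot open $WhitelistFile: $!");
    }
}

# MIMEDefang hands back envelope addresses as "<user\@example.org>";
# strip the brackets and lowercase so the hash lookup is an exact match.
sub canon_addr {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

# Sendmail sets {auth_authen} only after a successful SMTP AUTH, so this
# cannot be forged by a remote client the way MAIL FROM can.
sub is_smtp_authed {
    my $who = $SendmailMacros{'auth_authen'};
    return defined($who) && $who ne '';
}

# A flat-file entry is honoured only if the connecting IP passes the
# sender domain's SPF policy; otherwise a forged MAIL FROM would be all
# it takes to bypass the spam check.  DNS trouble counts as "no pass".
sub spf_passes {
    my ($addr, $ip, $helo) = @_;
    my $result = eval {
        my $q = Mail::SPF::Query->new(ip => $ip, sender => $addr, helo => $helo);
        ($q->result())[0];
    };
    if ($@) {
        md_syslog('warning', "SPF lookup for $addr from $ip failed: $@");
        return 0;
    }
    return defined($result) && $result eq 'pass';
}

sub is_trusted_sender {
    my ($sender, $ip, $helo) = @_;
    return 1 if is_smtp_authed();
    return 1 if $ip =~ $LocalNet;
    my $addr = canon_addr($sender);
    return 0 unless exists $Whitelist{$addr};
    return spf_passes($addr, $ip, $helo);
}

# Virus scanning runs for every message, trusted sender or not.  A virus
# is quarantined and discarded rather than bounced: worms forge the
# envelope sender, so a bounce would only hit an innocent third party.
sub filter_begin {
    if (message_contains_virus()) {
        md_syslog('warning', "virus $VirusName from $Sender ($RelayAddr)");
        action_quarantine_entire_message("Virus $VirusName detected");
        action_discard();
        return;
    }
}

# Only the SpamAssassin pass is skipped for trusted senders.
sub filter_end {
    my ($entity) = @_;
    return if is_trusted_sender($Sender, $RelayAddr, $Helo);
    my ($hits, $req, $names, $report) = spam_assassin_check();
    if ($hits >= $req) {
        action_add_header('X-Spam-Score', "$hits ($req) $names");
    }
}
```

Because the hash is built in filter_initialize, edits to the whitelist file are not seen by running slaves until they are restarted (for example with md-mx-ctrl reread). If you do want whitelisted mail to skip everything, including the virus scan, move the is_trusted_sender check into filter_sender and return ACCEPT_AND_NO_MORE_FILTERING there instead; the structure above deliberately keeps message_contains_virus() on the path for every message.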


