[Mimedefang] Authenticated Users Filter modification (especially for POP BEFORE AUTH users) for SA & Blacklist issue

Kevin A. McGrail kmcgrail at pccc.com
Wed May 12 18:15:16 EDT 2004


I have users that are sending email on our mail server.  Since this mail
server is the end-destination for some domains, the email stops there and is
not relayed anywhere else.  However, when the email is passed off to
SpamAssassin, SA checks the various RBLs and sees that this email is in them
because it came directly from the user to the server and isn't in a
trusted_network, etc.

After thinking about how to solve the problem, I decided that users that
have authenticated to send email should be exempted from SA checks.  This
may not scale for everyone but all our users are not going to send spam.  We
still check for viruses though.  *I very much want comments on this line of
thought*

Anyway, our system uses pop before smtp authentication to prevent SPAM from
relaying so I've modded my filter to read the popauth database to see if we
can bypass SpamAssassin altogether (see above).


Here's my first pass at the situation below.  Comments very much
appreciated,

KAM


http://www.peregrinehw.com/downloads/MIMEDefang/contrib/POP_before_SMTP_modification

POP Before Auth Tie in to MIMEDefang

by Kevin A. McGrail (kmcgrail at pccc.com)

Maintained at: http://www.pccc.com/downloads/


Add (or modify) these four routines to your mimedefang subfilter.  They will
utilize the POP before Auth database (see
http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/INSTALL).

sub filter_initialize {
  #SETUP A TIE TO THE POP BEFORE SMTP AUTH DATABASE
  use DB_File;

  our ($popauthdbfile, $popauthdb);
  $popauthdbfile = "/etc/mail/popauth.db";

  $popauthdb = &opendb_read($popauthdbfile);
}

# FUNCTION TO TIE READONLY TO A DB_FILE
sub opendb_read($) {
  my ($dbfile) = @_;
  my (%db);

  # On failure, log it; the caller then gets an empty hash (no relay is exempted)
  tie (%db, "DB_File", $dbfile, O_RDONLY, 0, $DB_HASH) ||
    md_syslog('critical', "Could not tie to database: $dbfile!");
  return \%db;
}

sub cleanup {
  #CLOSE TIE TO POP BEFORE SMTP AUTH
  &closedb($popauthdb);
}

# FUNCTION TO CLOSE TO A TIED DB_FILE
sub closedb($) {
  my ($db) = @_;
  untie %$db;
}


These functions will allow your mimedefang filter to detect whether an email
was sent using POP Before SMTP Authentication.  I then used that information
to add a header to the email and to set a variable $popauth to true in my
filter_end routine.


    #ADD A POP BEFORE SMTP HEADER (& remove any pre-existing ones)
    my ($popauth) = 0;
    action_delete_header("X-Pop-Before-SMTP-Auth");
    if ($popauthdb->{$RelayAddr}) {
      action_change_header("X-Pop-Before-SMTP-Auth","$RelayAddr");
      $popauth++;
    }

Now, I use the existence of this header to bypass calling SpamAssassin.  If
you are calling SpamAssassin from your filter, simply add a check for the
variable $popauth:

   if ($Features{"SpamAssassin"} and $popauth < 1) {

Otherwise, you modify your procmail recipe.  For example, I use a
server-wide procmailrc recipe in /etc/procmailrc.  The following recipe would
pass emails to spamd that are less than 256K in size and do not have the
header we added above:


    DROPPRIVS=yes

    :0fw
    * < 256000
    * !^X-Pop-Before-SMTP-Auth
          | /usr/bin/spamc -f

          :0e
          {
             EXITCODE=$?
          }
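
Added example, not part of the original post or of MIMEDefang: a stand-alone Perl script showing the bypass decision failing closed, so that a missing database, an unknown relay or a stale entry all result in a SpamAssassin scan. It goes beyond the post by assuming each popauth value is the epoch time of the last POP login and by using a hypothetical 30-minute window; the helper names, addresses and database contents are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DB_File;                      # also exports O_RDONLY, O_RDWR, O_CREAT
use File::Temp qw(tempdir);

my $MAX_AGE = 30 * 60;            # assumed exemption window, in seconds

# Tie a popauth-style hash read-only; return undef on failure so callers fail closed.
sub open_popauth {
    my ($path) = @_;
    my %db;
    tie(%db, 'DB_File', $path, O_RDONLY, 0, $DB_HASH) or return undef;
    return \%db;
}

# True only when the relay has a fresh entry. Missing DB, missing key,
# non-numeric value or stale timestamp all mean "run SpamAssassin".
sub skip_spam_scan {
    my ($db, $relay, $now) = @_;
    return 0 unless $db && defined $relay;
    my $stamp = $db->{$relay};
    return 0 unless defined $stamp && $stamp =~ /^\d+$/;
    return ($now - $stamp) <= $MAX_AGE ? 1 : 0;
}

# Constructed sample data (documentation-range addresses).
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/popauth.db";
my $now  = time;
{
    my %w;
    tie(%w, 'DB_File', $path, O_RDWR | O_CREAT, 0600, $DB_HASH) or die "tie: $!";
    $w{'192.0.2.10'} = $now - 120;        # POP login two minutes ago
    $w{'192.0.2.20'} = $now - 6 * 3600;   # stale entry that was never expired
    untie %w;
}

my $db = open_popauth($path);
for my $relay ('192.0.2.10', '192.0.2.20', '198.51.100.7') {
    printf "%-14s %s\n", $relay,
        skip_spam_scan($db, $relay, $now) ? 'skip SpamAssassin' : 'scan';
}
untie %$db;

# Unreadable database: every relay is scanned.
my $missing = open_popauth("$dir/absent.db");
printf "%-14s %s\n", 'db missing',
    skip_spam_scan($missing, '192.0.2.10', $now) ? 'skip SpamAssassin' : 'scan';
```

Because the exemption is keyed on the relay IP alone, every client behind the same address shares it for as long as the entry is honoured.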


