|Main Archive Page > Month Archives > spamassassin-users archives|
On 6/9/10 7:40 AM, Karsten Bräckelmann wrote:
> On Wed, 2010-06-09 at 01:51 -0400, Louis Guillaume wrote:
>> Recently I've had a lot of reports of returned mail from authenticated
>> users. The messages are being bounced on the way out.
> You forgot to provide the reason (SA rules hit) for the messages being
> scored above the threshold. We absolutely need them to help you.
They are various, and all valid. The rule evaluation is not the issue
here, it's the fact that the messages should never be passed through SA
to begin with.
The objective now is to tell spamass-milter to ignore authenticated
users, and I have not found anything to say how this is done.
> Anyway, if they are really properly authenticated, they should trigger
> ALL_TRUSTED and hardly anything else. The sparse information given
> hints, this either is a mis-configuration, or your users are really
> sending spam.
This does NOT happen. Not sure where this can be configured, but
authenticated users don't get ALL_TRUSTED unless their IP address or
network is white-listed explicitly.
>> I understand that SA checks outbound messages, but I have discovered two
>> things, one of them rather disturbing:
>> 1. I cannot find a way to simply trust authenticated users'
>> messages. I would like to whitelist all messages that are
>> sent by authenticated users. Yes I understand that a
>> compromised user account can be a problem for me, but I
>> need this as a starting point. Is there a way?
> Just do not pass outgoing messages by authenticated users to SA. The
> ultimate trust. This is a configuration issue with your MTA, which
> should simply bypass SA.
Yes - this is what I'm now researching.
>> OS: NetBSD-5
> Is that vanilla upstream spamass-milter 0.3.1? Or does it include the
> fix  for the Received header regression  in 0.3.1? This bug causes
> problems with SA.
It's the vanilla one. Now why on earth would such a bug not be committed
to the released version? This is 4 years ago! Is everyone just sucking
it up and patching their version locally?