
delay_checks and milter -- access map ignored?


Josh Grosse

Dec 16, 2006, 9:14:22 AM
I have STFAs and cannot find any direct discussion of this. I am
hoping someone can smack me over the head with a clue-by-four.

This milter newbie would like to have postmaster@ and abuse@ e-mail come
through unfiltered. I have greylisting and private blacklists in front
of sendmail.

Tests with eicar show that clamav-milter is being run when abuse@ mail is
sent; I assume that I have a simple configuration error either in my .mc
or in my access map, or both. (I am in the process of running a gtube test
for spamassassin as well, but I expect that it will also fail to bypass
that milter.)

--------
my .mc contains the following spam-related config:

FEATURE(`delay_checks',`friend')dnl
FEATURE(`dnsbl',`zen.spamhaus.org',`',`t')dnl
FEATURE(`dnsbl',`dnsbl.njabl.org',`',`t')dnl
FEATURE(`dnsbl',`bl.spamcop.net',`',`t')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`',`t')dnl
INPUT_MAIL_FILTER(`milter-spamd',
`S=unix:/var/spool/milter-spamd/sock, F=T, T=S:30s;R:2m')dnl
INPUT_MAIL_FILTER(`clamav-milter',
`S=unix:/var/clamav/milter, F=T, T=S:30s;R:5m')dnl
--------
My access map contains:

To:abuse@ OK
To:postmaster@ OK
Spam:abuse@ FRIEND
Spam:postmaster@ FRIEND
--------

Thanks in advance for any pointers / suggestions / laughter.
--
Replying directly will get you locally blacklisted.
Change the address; use my first name in front of the @ if you want to
communicate privately.

Josh Grosse

Dec 16, 2006, 9:40:36 AM
On Sat, 16 Dec 2006 09:14:22 -0500, I wrote:

> .. (I am in the process of running a gtube test
> for spamassassin as well, but I expect that it will also fail to bypass
> that milter.)

I should point out that yes, I can circumvent spamassassin's tests by
using whitelist_to in its local.cf, but I am still hoping to find a way
to bypass both milters, as clamav-milter doesn't seem to have this
capability.

Josh Grosse

Dec 16, 2006, 10:30:54 AM
On Sat, 16 Dec 2006 09:14:22 -0500, I wrote:

> ...my .mc contains the following spam-related config:

I neglected to mention: sendmail 8.13.8, clamav 0.88.6.

Bill Cole

Dec 16, 2006, 11:57:35 AM
In article <pan.2006.12.16....@jggimi.homeip.net>,
Josh Grosse <spam...@jggimi.homeip.net> wrote:

> On Sat, 16 Dec 2006 09:14:22 -0500, I wrote:
>
> > .. (I am in the process of running a gtube test
> > for spamassassin as well, but I expect that it will also fail to bypass
> > that milter.)
>
> I should point out that yes, I can circumvent spamassassin's tests by
> using whitelist_to in its local.cf, but I am still hoping to find a way
> to bypass both milters, as clamav-milter doesn't seem to have this
> capability.

The friend/hater options in the access map only apply to spam checks
implemented in sendmail.cf, i.e. DNSBL's but not milters. Milters can be
about doing all sorts of other things and are bound rather loosely into
Sendmail, which makes it infeasible to have Sendmail do per-address
milter exemption.

I'm afraid of starting to sound like a shill for David Skoll, but since
you're using 2 milters to hook into things that MIMEDefang can also
hook, you might want to consider switching. The advantage to using MD is
that with very basic Perl skill, you can make it behave as you please,
and it acts as a configurable and customizable hub for other filtering
tools, including SA and ClamAV.

--
Now where did I hide that website...

Kari Hurtta

Dec 16, 2006, 12:42:27 PM
Josh Grosse <spam...@jggimi.homeip.net> writes in comp.mail.sendmail:
<...>

> my .mc contains the following spam-related config:
>
> FEATURE(`delay_checks',`friend')dnl
> FEATURE(`dnsbl',`zen.spamhaus.org',`',`t')dnl
> FEATURE(`dnsbl',`dnsbl.njabl.org',`',`t')dnl
> FEATURE(`dnsbl',`bl.spamcop.net',`',`t')dnl
> FEATURE(`dnsbl',`dnsbl.sorbs.net',`',`t')dnl
> INPUT_MAIL_FILTER(`milter-spamd',
> `S=unix:/var/spool/milter-spamd/sock, F=T, T=S:30s;R:2m')dnl
> INPUT_MAIL_FILTER(`clamav-milter',
> `S=unix:/var/clamav/milter, F=T, T=S:30s;R:5m')dnl
> --------
> My access map contains:
>
> To:abuse@ OK
> To:postmaster@ OK
> Spam:abuse@ FRIEND
> Spam:postmaster@ FRIEND
> --------
>
> Thanks in advance for any pointers / suggestions / laughter.

The access map does not affect milters in any way.

> --
> Replying directly will get you locally blacklisted.
> Change the address; use my first name in front of the @ if you want to
> communicate privately.

/ Kari Hurtta

Josh Grosse

Dec 16, 2006, 2:45:26 PM
On Sat, 16 Dec 2006 16:57:35 +0000, Bill Cole wrote:

> The friend/hater options in the access map only apply to spam checks
> implemented in sendmail.cf, i.e. DNSBL's but not milters....
>
> I'm afraid of starting to sound like a shill for David Skoll, but since
> you're using 2 milters to hook into things that MIMEDefang can also
> hook, you might want to consider switching.....

Thank you for the hint, I'll take a look at MD!

jma...@ttec.com

Dec 16, 2006, 7:30:50 PM

Josh Grosse wrote:
> On Sat, 16 Dec 2006 16:57:35 +0000, Bill Cole wrote:
>
> > The friend/hater options in the access map only apply to spam checks
> > implemented in sendmail.cf, i.e. DNSBL's but not milters....
>
> > I'm afraid of starting to sound like a shill for David Skoll, but since
> > you're using 2 milters to hook into things that MIMEDefang can also
> > hook, you might want to consider switching.....
>
> Thank you for the hint, I'll take a look at MD!

You have another four options.

Option 1:

Set a macro in rulesets, configure sendmail to send the macro to the
milters. Add code to the milters to check the macro value before doing
anything.

Option 2: Like option 1, but since Local_check_rcpt doesn't actually run
before the milter receives the recipient, there is still a chance,
depending on your milter, that you may still need the milter-rrres
patch, which changes the order of execution.

Option 3:

Patch sendmail with milter-rrres and write sendmail rulesets.

http://www.jmaimon.com/sendmail
http://www.jmaimon.com/sendmail/#milter-rrres.v15

(There are patched sendmail binary/source packages in a debian
repository)

Add this line to your milter config in sendmail.mc:

R=C:ConnectLocalHost;R:spamFriend

Put these rulesets in your sendmail.mc:

LOCAL_CONFIG
SConnectLocalHost
Rlocalhost $| $* $#abort
Rlocalhost $#abort
Rlocalhost $* $#abort
R127.0.0.1 $#abort
R$* 127.0.0.1i $* $#abort
R$* $| $* $@ $1

SspamFriend
R$* $: $1 $| $&{rcpt_mailer}
R$* $| error $#discard
R$* $| $* $: $1 $| <> $>canonify $1
R$* $| <> $* < @ $+ . > $* $1 $| <> $2 < @ $3 > $4
R$* $| <> $+ < @ $* > $* $: $1 $| <L> $2 < @ $3 > $4 $| <F: $2@$3 > <D: $3 > <U: $2@>
R$* $| <> $* $: $1 $| <L> $2 $| <U: $2@>
R$* $| <> $* $@ $1
R$* $| <L> $* $| $* $: $1 $| <L> $2 $| $>SearchList <! Spam> $| $3 <>
R$* $| <L> $* $| <?> $@ $1
R$* $| <L> $* $| <FRIEND> $#discard
R$* $| $* $@ $1


Option 4: Use the milter-rrres patch and add code to the milters
calling smfi_rewrite() or smfi_sm_map()
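
Added example (not part of the original thread, and not code from sendmail, clamav-milter or milter-spamd): the milter-side check described in Option 1, tracked per message so that a body scan is skipped only when every recipient is exempt. The macro name {spam_friend}, the struct and function names and the WITH_LIBMILTER guard are assumptions; it also assumes the macro value sendmail sends belongs to the current recipient, which per Option 2 may require the milter-rrres patch.

```c
/* Added example: per-message exemption logic for a milter (Option 1).
 * {spam_friend} is a hypothetical macro set by a sendmail ruleset and
 * listed in the macros sendmail sends to milters at the RCPT stage. */
#include <stddef.h>
#include <string.h>

struct msg_state {
    unsigned rcpts;   /* recipients seen for this message */
    unsigned exempt;  /* recipients whose macro value was FRIEND */
};

/* Call once per RCPT with the macro value (NULL if it was not sent). */
void note_rcpt(struct msg_state *st, const char *macro_val)
{
    st->rcpts++;
    if (macro_val != NULL && strcmp(macro_val, "FRIEND") == 0)
        st->exempt++;
}

/* Scan unless every recipient is exempt: one ordinary recipient on the
 * same message means the body must still be checked. With no recipients
 * recorded, fail closed and scan. */
int should_scan(const struct msg_state *st)
{
    return st->rcpts == 0 || st->exempt < st->rcpts;
}

#ifdef WITH_LIBMILTER   /* glue for a real milter; needs libmilter headers */
#include <libmilter/mfapi.h>

static sfsistat mlfi_envrcpt(SMFICTX *ctx, char **argv)
{
    struct msg_state *st = smfi_getpriv(ctx);  /* set up in an earlier callback */
    (void)argv;
    if (st != NULL)
        note_rcpt(st, smfi_getsymval(ctx, "{spam_friend}"));
    return SMFIS_CONTINUE;
}

static sfsistat mlfi_eom(SMFICTX *ctx)
{
    struct msg_state *st = smfi_getpriv(ctx);
    if (st != NULL && !should_scan(st))
        return SMFIS_ACCEPT;      /* all recipients exempt: skip the scan */
    return SMFIS_CONTINUE;        /* otherwise fall through to the milter's scan path */
}
#endif
```

A message addressed to both abuse@ and an ordinary mailbox is still scanned, because an end-of-message verdict applies to every recipient at once.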
