Hi.
> is it not possible to simply say all mail eminating from machine x do
> not scan for spam??
Sure possible, no tricks ;) Simply add host conditions to your ACLs.
If your hubs are the only spam-scanner-enabled entities, then put the
logic onto them. Declare static host lists like this:
hostlist hosts_not_to_scan = 192.168.0.0/24 : 10.0.1.0/24
Then, in the SMTP DATA ACL:
warn message = X-Spam-Score: $spam_score
spam = nobody:true
!hosts = +hosts_not_to_scan
And that's almost all. The scanner will be skipped if the mail being
originated from list `hosts_not_to_scan'. Usually, if you are not ISP,
you can only scan mail from the outside (world). What to do next, is
your choice, you can even reject the mail at the SMTP time. Verb `warn'
adds headers, while `deny' rejects mail with 55x. See specs. I do not
recommend 55x because of possible fault-positives. But, in general, I do
not recommend bouncing the message in any way other than 55x at the
front-end server. If you accept the message, then pass it or just
discard, but do not generate bounce.
As an alternative, you can use more complex approach (system routes the
message in a special way based on spam score, and does not use own
headers at all):
begin acl
# This is a sub-ACL
acl_spam_test:
warn set acl_m0 = unchecked
deny hosts = +hosts_not_to_scan
accept spam = nobody:true/defer_ok
set acl_m0 = $spam_score_int
deny
# Somewhere in the DATA ACL
acl_data:
#...
warn message = X-Spam-Score: $spam_score
acl = acl_spam_test
# ...
begin routers
# Somewhere in the routers
spam_trap:
driver = redirect
no_verify
domains = ...
condition = ${if and{{!eq{$acl_m0}{unchecked}}{>{$acl_m0}{50}}}
{yes}{no}}
data = junk-folder-address@???
# ...
As you can see, $acl_m0 contains $spam_score_int or `unchecked'. Don't
be confused with `deny' in a sub-ACL: it has different meaning there.
Router `spam_trap' does not use any headers. That is good because you do
not care about header forging/collision - many systems use X-Spam-XXX
headers. Any defers with spamd are marked by `unchecked' (introduced by
"Andrew - Supernews" for callout defer check). But be advised, if the
scanner skipped due to hosts_not_to_scan, $acl_m0 contains the same
string `unchecked'. This could be changed to `skipped' like this:
acl_spam_test:
warn set acl_m0 = skipped
deny hosts = +hosts_not_to_scan
warn set acl_m0 = defer
accept spam = nobody:true/defer_ok
set acl_m0 = $spam_score_int
deny
The above samples can help you to glue the spam scanning results to the
routing logic more safely and tightly.
> Things get worse if you remember that DATA ACL does
> > not allow you to perform recipient-based (per-domain) logic. Assume
that
> > a message originated from one of the internals have two RCPT: one
should
> > go to the world, and one should go to the internal.
> >
> > Well, are the above assumptions correct?
> > There are still some tricky things you can do ;-)
> im intrigued about these tricky things you speak of.... :D
These tricks are useful for some complex environments and are based on
secure headers. If you have a distributed SMTP processing group, you can
mark the message with a special header (that uses SHA1). All members of
the group share the same secret. No matter how message passes the group,
every member has a way to determine if the message is being scanned
already by some other member. If you really need this, I'll try to
figure this out.
Though no need for this if you do not have any hub-to-hub traffic.
I hope, the information was useful to you ;-)
Take care.
