Score:1

Postfix permit_sasl_authenticated before content_filter

I have a postfix + dovecot + spamassassin setup which works great, but I would like to bypass spam filtering for all outgoing messages (sasl authenticated). I must be doing something wrong, because I already implemented permit_sasl_authenticated in my main.cf, but it looks like it does not work.

My main.cf relevant part:

# SASL Auth for SMTP relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = ...
broken_sasl_auth_clients = yes

# DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

# transports
dovecot_destination_recipient_limit = 1
local_recipient_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

# restrictions
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unauth_destination
    reject_unauth_pipelining
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_invalid_hostname

My master.cf relevant part:

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
smtps     inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no

spamassassin unix -     n       n       -       -       pipe
  user=mail:mail argv=/usr/bin/spamc -u ${recipient} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

If I try to insert everything that is in main.cf into master.cf with the -o option, it also does not help. What could be the solution to achieve this? No other milters are used, only DKIM. So no amavis, clamav or anything like that.

jp flag
https://www.postfix.org/FILTER_README.html#remote_only
Darwick avatar
sc flag
It is not good at all, only if I connect with SASL from a fixed IP address. Otherwise, I need to change it every time.
Score:1
jp flag

SASL authenticated users should be using the smtps defined in master.cf for submission. You can remove the content filter for SMTPS from there by removing the line -o content_filter=spamassassin in that section.

Darwick avatar
sc flag
And what if an SMTP server connects to SSL because it can? Then the spamassassin filter will be bypassed for them also.
jp flag
The smtps should only be allowed for SASL authenticated users. Other MTAs are using STARTTLS on port 25.
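
The answer and its follow-up comments come down to one condition: a listener that skips the content filter must refuse clients that have not authenticated. The check below is an added example, not part of the original thread; the function names are hypothetical, the smtpd_client_restrictions override in the sample is an assumption that is not in the poster's config, and it assumes content_filter is set only in master.cf, as on this page.

```python
import re

# Constructed sample: the page's master.cf with the answer applied (no
# content_filter on smtps) plus an assumed override, not in the poster's
# config, that rejects clients which did not authenticate.
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_services(text):
    """Return {service: {option: value}} for smtpd entries and their -o lines."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation of the previous entry
            m = re.match(r"\s*-o\s+(\w+)\s*=\s*(.*)", line)
            if m and current is not None:
                current[m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        is_smtpd = len(fields) >= 8 and fields[7] == "smtpd"
        current = services.setdefault(fields[0], {}) if is_smtpd else None
    return services

def auth_only(opts):
    """Conservative: the client restriction list is exactly 'SASL users, then reject'."""
    value = opts.get("smtpd_client_restrictions", "")
    items = [i for i in re.split(r"[,\s]+", value) if i]
    return items == ["permit_sasl_authenticated", "reject"]

def unfiltered_open_services(text):
    """smtpd services with no content_filter that still accept unauthenticated clients."""
    return sorted(
        name for name, opts in parse_services(text).items()
        if not opts.get("content_filter") and not auth_only(opts)
    )

if __name__ == "__main__":
    print(unfiltered_open_services(MASTER_CF) or "every unfiltered service requires SASL")
```

Without the last -o line in the sample, smtps is reported: the main.cf recipient restrictions on this page would still let an unauthenticated client deliver to local recipients there, unfiltered.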