[milters] Archive


Article: 1016
From: Anthony Howe
Date: 2010-08-24 09:44:38 -0400
Subject: Re: milter-spamc/sender Connect:ip whitelist not working

On 24/08/2010 14:42, Andrew Lyon whispered from the shadows...:
> Hi,
> 
> I have whitelisted the ip address of one of my servers which needs to
> bypass all milter checks, I expected that milter-sender and spamc
> would then allow that host to send messages without any filtering, but
> the access entry doesn't seem to have any effect.
> 
> I've tried:
> 
> x.x.x.x OK

Note that untagged entries have long since been deprecated by Sendmail.
So you should not rely on them as they may disappear any time. If
you really want to continue with them and depending on the version of
libsnert, see configure option --enable-access-tagless.

> Connect:x.x.x.x OK
> milter-sender-Connect:x.x.x.x OK

Either of these should work.

milter-sender connect white listing should work, but for milter-spamc,
that code may be missing (long story).

Quick solution is in milter-spamc.c (version 1.15) after line 445 (which
should be within a switch statement) insert:

	case SMDB_ACCESS_OK:
		smfLog(SMF_LOG_TRACE, TAG_FORMAT "sender %s white listed", TAG_ARGS, args[0]);
		return SMFIS_ACCEPT;

(Note not tested.)

> Rebuilt access.db but when I connect from that ip the usual callback
> checks are applied.

How is the access.db rebuilt exactly? This might influence the milter's
ability to detect the update.

http://www.snertsoft.info/lists/article.php?l=milters&d=2005-09&f=722

Make sure to use only "overwrite in place".

> What is the correct method to exclude an ip address from all milter
> and sendmail filtering?

For example milter-sender and milter-spamc should both pick up:

	Connect:192.0.2.1	OK

Assume the connecting host is 192.0.2.1. Alternatively

	milter-sender-connect:192.0.2.1	OK
	milter-spamc-connect:192.0.2.1	OK

are equivalent to the first one, though they have higher priority than
Connect:

Restart one of the milters with verbose=info,db to see the series of
access.db lookups made. It's very verbose. Note that you need to make
sure that your maillog is configured for debug level output or that you
direct debug level output to a separate file.

1. Edit /etc/syslog.conf,

2. a) either add

	mail.debug		/var/log/maillog.debug

You might need to "touch /var/log/maillog.debug" first.

2. b) or replace

	mail.info		/var/log/maillog
with
	mail.*			/var/log/maillog

3. Save.

4. Then pkill -HUP syslogd.

Personally I like option b) since then I have the sendmail log lines
interweaved with the milter's. But for temporary debugging, option a) is
probably wiser for high-volume machines.

-- 
Anthony C Howe            Skype: SirWumpus                  SnertSoft
+33 6 11 89 73 78       Twitter: SirWumpus      BarricadeMX & Milters
http://snert.com/      http://nanozen.info/     http://snertsoft.com/
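
Added example, not part of Anthony Howe's message: a shell check for the syslog.conf step described above, listing which log targets receive mail-facility messages at debug priority, so you can confirm the output of verbose=info,db will actually be written somewhere. It assumes classic syslog.conf selector syntax only; the function name mail_debug_targets and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Lists the syslog.conf actions
# that receive mail-facility messages at debug priority.
# Assumption: classic selector syntax only (facility.level, ";" lists,
# "," facility lists, "*", "none", "=level").

mail_debug_targets() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    NF < 2 { next }                          # no action field, nothing to report
    {
        action = $NF                         # last field is the log target
        sel = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", sel) # drop the action, keep selectors
        gsub(/[ \t]/, "", sel)
        hit = 0
        n = split(sel, part, ";")
        for (i = 1; i <= n; i++) {
            dot = index(part[i], ".")
            if (dot == 0) continue
            lvl = substr(part[i], dot + 1)
            m = split(substr(part[i], 1, dot - 1), fac, ",")
            applies = 0
            for (j = 1; j <= m; j++)
                if (fac[j] == "*" || fac[j] == "mail") applies = 1
            # A later selector overrides an earlier one for the same facility.
            # debug is the lowest priority, so only these levels include it.
            if (applies)
                hit = (lvl == "debug" || lvl == "=debug" || lvl == "*")
        }
        if (hit) { sub(/^-/, "", action); print action }
    }' "$@"
}

# Constructed sample: a typical config plus option a) from the message.
printf '*.notice;mail.none\t/var/log/messages\nmail.info\t/var/log/maillog\nmail.debug\t/var/log/maillog.debug\n' |
    mail_debug_targets
```

Run it as `mail_debug_targets /etc/syslog.conf` after editing; empty output means the milter's debug lines are being discarded.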
