Re: [bitfolk] Whitelist mail by domain

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMHugo Mills at <-
MMAndy Smith at ->
Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Whitelist mail by domain

Reply to this message
gpg: Signature made Mon Mar 28 16:03:57 2022 UTC
gpg: using DSA key 0E4236CB52951E14536066222099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hello,

On Mon, Mar 28, 2022 at 04:29:00PM +0100, Hugo Mills wrote:
>    I've just had a brief interchange with a small charity that uses
> DigitalOcean for some of their systems. A password-change mail
> from their website was binned by my exim instance, for a score of
> 8.8 given to it by the Bitfolk SpamAssassin (5.0 of that for
> coming from Digital Ocean).

Does the email have a DKIM_VALID_AU report from BitFolk's
SpamAssassin? If so, I am happy to add the domain that's in the
From: address to the allowlist. This would indicate that the content
and source of the email are as intended by the domain owners.

Failing that, if it has an SPF_PASS report then I may be able to
allowlist *by envelope sender*, if the envelope sender also is
unique to them. That would indicate that the domain owner expects
emails with that envelope sender to come from that source.

As an aside, I think that even if one were to decide that mail from
Digital Ocean doesn't deserve to be scored, 3.8 points is still too
high for their email and there's probably something they could do
about that. 

>    Can anyone suggest how, if at all, I can whitelist mail from that
> particular domain in my (Debian) exim4 config

If the email's envelope sender is unique to them, then you could add
a match for it to a file like /etc/exim4/local_sender_allowlist, and
then at the place where you consider an email's SA score you can
exempt senders that match local_sender_allowlist from consideration.

In Debian there is already in
/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions
machinery for checking the envelope sender against the file
CONFDIR/local_sender_whitelist so you could use or copy that
approach.

You'll probably have to look in the Received headers for the
envelope-from.

Depending upon how you have configured your Exim it may already be
checking that file before considering the SA score.

There is no way at the moment for a user to alter the way BitFolk's
SpamAssassin works so you either have to act upon its score or not.

> I'm using the Bitfolk SpamAssassin and therefore have no control
> over it?

A big issue that we could possibly alleviate by somehow working out
how to do per-user SpamAssassin configuration. It's not something I
am keen to do as I would rather encourage people to run their own
anti-spam system (or sign up to a paid service that does that).

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
This message was posted to the following mailing lists:
users
Mailing List Info | Nearby Messages		<-Re: [bitfolk] Whitelist mail by domainRe: [bitfolk] Whitelist mail by domain->
Bitfolk Mailing List Archive administrated by List AdminLurker (version 2.3)