[rt-users] RE: [Mimedefang] Skip MD for some users

Rich West Rich.West at wesmo.com
Wed Apr 28 11:54:00 EDT 2004


Like a couple of others have said, you really cannot skip the entire 
MILTER process based upon individual users.

However, you can have the MILTER itself (MimeDefang) do the recipient 
check then exit accordingly.

The problem is that you lose a fair amount of efficiency in mail 
processing when you start analyzing the individual recipients.  For low 
volume mail servers, such as personal mail servers and small in-house 
corporate mail servers, this expense is completely unnoticeable. :)

For higher volume systems, you really have to balance the benefits vs. 
the costs, where the costs will be that you will need to beef up your 
system(s) significantly.

Back to your original question... for one, you really have to consider 
what you are trying to accomplish: whether you want certain users to avoid 
the ENTIRE concept of passing through MimeDefang (which, by the way, 
does a heck of a lot more than just MIME parsing nowadays) 
or whether you want certain users to avoid PARTS of the MimeDefang process 
(the hand-off to the virus software, the hand-off to Anomy::HTML, or the 
hand-off to the anti-spam software, etc).

In the typical situation, you really do want the user's email to go 
through SOME of the MILTER.  You don't want viruses getting through or 
other malicious code, but you want the HTML filtering of Anomy::HTML and 
the anti-spam filtering of SpamAssassin to be capable of being bypassed.

In my case, we run a relatively low-volume mail server, so we feel that 
we can afford any negative impact that per-user recipient scanning will 
cause us.  Also, we have a fixed set of users that we keep in a flat 
text file, and those users are allowed to bypass the SpamAssassin rules.

sub filter_end ($) {
   my($entity) = @_;
   ...
   return if message_rejected();
   # Skip the spam checks below as soon as one recipient is in the flat file.
   foreach my $recipient (@Recipients)
   {
      if (allow_recipient($recipient))
      {
           md_graphdefang_log('mail_in', , $RelayAddr);
           return;
      }
   }

   # Spam checks if SpamAssassin is installed
   if ($Features{"SpamAssassin"}) {
   ...
}

And the "allow_recipient" subroutine looks like:
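sub allow_recipient
{
   my($recipient) = shift;
   # Read the file directly rather than forking "cat" for every recipient.
   open(USERS, "<", "/my/path/to/users/flatfile")
      or die "Could not open /my/path/to/users/flatfile.\n";
   my @users = <USERS>;
   close(USERS);
   foreach my $user (@users)
   {
      chomp ($user);   # chomp removes only a trailing newline
      # =~ binds the match to $user; \Q..\E treats the address as literal text.
      return 1 if ($user =~ /\Q$recipient\E/i);
   }
   return 0;
}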

Of course, because it is Perl, you can do a variety of things (call 
another executable, do MySQL lookups, etc), but keep in mind that you 
want to keep things efficient and FAST.

Now, we put this in filter_end, but I am sure something similar could be 
put in "filter" around the Anomy::HTML stuff providing that @Recipients 
is defined in the "filter" subroutine.

Also, that leads to the question as to why the Anomy::HTML stuff is in 
"filter" rather than in "filter_end" since it is an add-on, similar to 
SpamAssassin (but, obviously, with a different purpose..).

I hope this helps!
-Rich

>Hello everyone,
>
>I have MD 2.39 setup with Sendmail 8.12.8 on a RedHat 9 machine.
>Everything works fine for me, but now a few users want to be excluded
>from the Spam scanning that I am doing.  I have tried the solution
>described at:
>http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/010883.html,
>but the mail for the user that I listed is still being scanned by
>MD.  I don't know if this matters or not, but my MD machine is not the
>actual delivery machine.  It is forwarding mail onto our internal
>Exchange server.
>
>Has anyone had a similar problem?  Is there something that I can do to
>offer more info to the list?
>
>TIA,
>
>Nathan Martinez
>
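
An added example, not part of the message above and not MIMEDefang's own code: one way to keep the per-recipient lookup cheap and exact is to cache the flat file in a hash and skip the spam check only when every recipient is listed. The helper names, the one-address-per-line file format and the "#" comment syntax are assumptions; the sample addresses are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

my (%exempt, $loaded_mtime);   # cache of the flat file (hypothetical names)

# Strip the "<...>" that envelope recipients carry, then lowercase.
sub normalize_addr {
    my ($addr) = @_;
    $addr =~ s/^\s*<?//;
    $addr =~ s/>?\s*$//;
    return lc $addr;
}

# Re-read the file only when its mtime changes: one stat() per message.
sub load_exempt {
    my ($path) = @_;
    my $mtime = (stat $path)[9];
    return 0 unless defined $mtime;   # unreadable file: exempt nobody
    return 1 if defined $loaded_mtime && $mtime == $loaded_mtime;
    open(my $fh, '<', $path) or return 0;
    %exempt = ();
    while (my $line = <$fh>) {
        next if $line =~ /^\s*#/;     # assumed comment syntax
        my $addr = normalize_addr($line);
        $exempt{$addr} = 1 if length $addr;
    }
    close $fh;
    $loaded_mtime = $mtime;
    return 1;
}

# True only when every recipient is listed, so a message that also goes
# to a non-exempt user is still scanned. Exact match, never a regex.
sub all_recipients_exempt {
    my ($path, @rcpts) = @_;
    return 0 unless @rcpts && load_exempt($path);
    for my $r (@rcpts) {
        return 0 unless $exempt{ normalize_addr($r) };
    }
    return 1;
}
# Constructed sample data standing in for the flat file and @Recipients.
my ($fh, $file) = tempfile(UNLINK => 1);
print {$fh} "alice\@example.com\nBob\@Example.com\n";
close $fh;
for my $case (['<alice@example.com>'], ['<BOB@example.com>'],
              ['<alice@example.com>', '<carol@example.com>'], ['<a.ice@example.com>']) {
    printf "%-42s %s\n", "@$case", all_recipients_exempt($file, @$case) ? 'skip' : 'scan';
}
```

In a filter, the foreach loop in filter_end would become a single call to all_recipients_exempt('/my/path/to/users/flatfile', @Recipients), and the cache lasts as long as the filter process does.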


