Posted to users@spamassassin.apache.org by Helmut Schneider <ju...@gmx.de> on 2016/04/11 16:55:58 UTC

Fixing ALL_TRUSTED=-1

Hi,

for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without success.

I have read https://wiki.apache.org/spamassassin/TrustPath and
https://wiki.apache.org/spamassassin/FixingAllTrusted carefully, put

trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
add_header all RelaysUntrusted _RELAYSUNTRUSTED_ (this does not seem to
work at all, no header seems added)

into local.cf and still ALL_TRUSTED gets fired. Any help would be
appreciated.

mail:~$ sudo spamassassin -V
SpamAssassin version 3.4.0
  running on Perl version 5.18.2
mail:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
Codename:       trusty
mail:~$

Received: from XXX ([172.20.8.31])
          by XXX (IBM Domino Release 9.0.1FP4)
          with ESMTP id 2016041115014726-193867 ;
          Mon, 11 Apr 2016 15:01:47 +0200 
Received: from localhost (localhost [127.0.0.1])
		 by XXX (Postfix) with ESMTP id 3BD0618E
		 for <XXX>; Mon, 11 Apr 2016 15:01:43 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at XXX
X-Spam-Flag: NO
X-Spam-Score: 5.607
X-Spam-Level: *****
X-Spam-Status: No, score=5.607 tagged_above=-9999 required=6.3
		 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
		 HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, INTERNETX_UCE=5,
		 MIME_HTML_ONLY=0.723, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
		 T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no autolearn_force=no
Authentication-Results: XXX (amavisd-new);
		 domainkeys=neutral (2048-bit key) reason="invalid (bad identity)"
		 header.sender=XXX@ncrprop.biz
		 header.d=ncrprop.biz; dkim=pass (2048-bit key) header.d=ncrprop.biz
Received: from XXX ([127.0.0.1])
		 by localhost (XXX [127.0.0.1]) (amavisd-new, port 10024)
		 with ESMTP id rzCBYBjiHHbC for <XXX>;
		 Mon, 11 Apr 2016 15:01:32 +0200 (CEST)
Received: from XXX (XXX [172.20.12.10])
		 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
		 (No client certificate requested)
		 by XXX (Postfix) with ESMTPS
		 for <XXX>; Mon, 11 Apr 2016 15:01:32 +0200 (CEST)
Received: from mail6.bemta5.messagelabs.com
(mail6.bemta5.messagelabs.com [195.245.231.135])
		 by XXX (Postfix) with ESMTP id 63B4C335
		 for <XXX>; Mon, 11 Apr 2016 15:01:32 +0200 (CEST)
Received: from [85.158.139.19] by server-11.bemta-5.messagelabs.com id
BD/80-27787-C20AB075; Mon, 11 Apr 2016 13:01:32 +0000
X-Brightmail-Tracker:
X-Env-Sender: XXX@ncrprop.biz
X-Msg-Ref: server-12.tower-178.messagelabs.com!1460379690!32840337!1
X-Originating-IP: [103.208.153.18]
X-SpamReason: No, hits=2.7 required=7.0 tests=msgid: No Message-ID,
  HTML_60_70,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,
  received_headers: No Received headers
X-StarScan-Received:
X-StarScan-Version: 8.28; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4785 invoked from network); 11 Apr 2016 13:01:31 -0000
Received: from unknown (HELO ns2.Host1.yourdomainname.com)
(103.208.153.18)
  by server-12.tower-178.messagelabs.com with SMTP; 11 Apr 2016
13:01:31 -0000
X-Sender: "Sonam Singh"
 <s....@lead2loan.win>
X-Receiver: XXX
DomainKey-Signature: a=rsa-sha1; c=simple; d=ncrprop.biz;
h=From:To:Subject; q=dns; s=jsmtp
          ;

b=j8TzR3hoYHUafVg9yI0iyVfuGnrFlWf3/D8TdvVWoHxShJW6kPhZkgAAPzynTB79KtzOJb
adDxZ437AC+/dePYCtQx5DLVSuPNGGP8l/B0HgkVZ7gs8Rlbv1SlbTEEDFPkIDhhBzBCgy2f
ORIToDXhJVd4fW+NeIeReZ2ZCHcjD6AxMcac/2uIniGz34CHWqkellaF+ckP3p/LrTt+R8Ua
bKqG/mqOq+Rbxea1Poam6ORIAYhAekOrhQchzsVXC7jvc0eSWJB6F2CLGoxQEEwzqbAcc1Fc
nzFPi2Ps6JW3hJ9vyMEtSK6j0wPkj/hsdR71NnBfDGfs4E9roRuYw0lQ==;
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ncrprop.biz;
h=From:To:Subject;
 q=dns/txt; s=jsmtp               ; t=1460379276;
 bh=A9wE/QPGFnmy8ntNIHK6uqqeU/Q=;

b=Rp+RKP73ntQxhIU0tNJyX4RW1N2yLciYAC9+rK+Be0UO1qHPBBl/W+6on/Xtz/cXlBYdyY
evEsLtIVz4vNkbsBlwGLDmk8YTuwMesYxbqSuJyWy0AyAZZJrRVt7W5RfCSk7Q4zKlLSyds/
JWXzJVHYzB4VFbDKaQz+IggX+HRl9pYjthdl8harDbdLndsdFcp2WH0WoA9jQi6J40R3xHyr
h/q97ra7RTxYGcN1LUCEweUqD4hJ13/SfKUeFJriL48gXL3c4Tjs4IhF/r+1G+b11Vduano1
LVjZzup5Bf7MtlcqL7kI1bKZykH41ANfQGivGalIr1ucSVG7qgquzopg==
MIME-Version: 1.0
Sender: XXX@ncrprop.biz
From: "Sonam Singh"
 <s....@lead2loan.win>
To: XXX
Reply-To: "Sonam Singh"
 <mo...@dhomez.win>
Date: 11 Apr 2016 18:24:36 +0530
Subject: Need approval to move forward
Priority: normal
Importance: High
X-MIMETrack: Itemize by SMTP Server on XXX(Release 9.0.1FP4|June  07,
2015) at
 11.04.2016 15:01:47,
		 Serialize by Notes Client on XXX(Release 9.0.1FP1
 SHF309|June 12, 2014) at 11.04.2016 16:42:03,
		 Serialize complete at 11.04.2016 16:42:03
X-TNEFEvaluated: 1
Message-ID: <OF...@LocalDomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=Windows-1252


Re: Fixing ALL_TRUSTED=-1

Posted by Bowie Bailey <Bo...@BUC.com>.
On 4/11/2016 12:02 PM, Helmut Schneider wrote:
> Bowie Bailey wrote:
>
>> On 4/11/2016 10:55 AM, Helmut Schneider wrote:
>>> Hi,
>>>
>>> for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without
>>> success.
>>>
>>> I have read https://wiki.apache.org/spamassassin/TrustPath and
>>> https://wiki.apache.org/spamassassin/FixingAllTrusted carefully, put
>>>
>>> trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
>>> internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
>>> add_header all RelaysUntrusted RELAYSUNTRUSTED (this does not seem
>>> to work at all, no header seems added)
>>>
>>> into local.cf and still ALL_TRUSTED gets fired. Any help would be
>>> appreciated.
>> Step one is to make sure you're putting the settings into the right
>> file.  Run this to check if you are using the right file:
>>
>> $ spamassassin -D config --lint 2>&1 | grep local.cf
>> Apr 11 11:40:56.509 [6692] dbg: config: read file
>> /etc/mail/spamassassin/local.cf
>>
>> Once you have your settings in the right file, then make sure you
>> have restarted amavisd-new to load the new settings.
> mail:~$ spamassassin -D config --lint 2>&1 | grep local.cf
> Apr 11 17:54:12.525 [31265] dbg: config: read file
> /usr/share/spamassassin/local.cf
> Apr 11 17:54:12.526 [31265] dbg: config: read file
> /etc/spamassassin/local.cf
> mail:~$ grep -iE '(^trusted|internal)' /etc/spamassassin/local.cf
> trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> mail:~$ grep -iE '(^trusted|internal)' /usr/share/spamassassin/local.cf
> mail:~$
>
> Restarted amavisd-new?! I guess I restarted the server more than 20
> times within the last 6 months ;)

I just specified that because people frequently don't realize that 
amavisd uses SA internally instead of calling spamd.  As a result, spamd 
is irrelevant and you have to restart amavisd to update the rules.

That being said, I don't know why your setup isn't working. Everything 
looks normal to me from what I can see.  Amavisd also does not respect 
all of SA's settings, but I don't think that is the case with the 
trusted_networks, internal_networks, and ALL_TRUSTED. That *IS* why the 
add_header entry didn't work.  Amavisd adds its own headers and ignores 
any header settings from SA.

-- 
Bowie

Re: Fixing ALL_TRUSTED=-1

Posted by Helmut Schneider <ju...@gmx.de>.
Bowie Bailey wrote:

> On 4/11/2016 10:55 AM, Helmut Schneider wrote:
> > Hi,
> > 
> > for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without
> > success.
> > 
> > I have read https://wiki.apache.org/spamassassin/TrustPath and
> > https://wiki.apache.org/spamassassin/FixingAllTrusted carefully, put
> > 
> > trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> > internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> > add_header all RelaysUntrusted RELAYSUNTRUSTED (this does not seem
> > to work at all, no header seems added)
> > 
> > into local.cf and still ALL_TRUSTED gets fired. Any help would be
> > appreciated.
> 
> Step one is to make sure you're putting the settings into the right
> file.  Run this to check if you are using the right file:
> 
> $ spamassassin -D config --lint 2>&1 | grep local.cf
> Apr 11 11:40:56.509 [6692] dbg: config: read file
> /etc/mail/spamassassin/local.cf
> 
> Once you have your settings in the right file, then make sure you
> have restarted amavisd-new to load the new settings.

mail:~$ spamassassin -D config --lint 2>&1 | grep local.cf
Apr 11 17:54:12.525 [31265] dbg: config: read file
/usr/share/spamassassin/local.cf
Apr 11 17:54:12.526 [31265] dbg: config: read file
/etc/spamassassin/local.cf
mail:~$ grep -iE '(^trusted|internal)' /etc/spamassassin/local.cf
trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
mail:~$ grep -iE '(^trusted|internal)' /usr/share/spamassassin/local.cf
mail:~$

Restarted amavisd-new?! I guess I restarted the server more than 20
times within the last 6 months ;)


Re: Fixing ALL_TRUSTED=-1

Posted by Bowie Bailey <Bo...@BUC.com>.
On 4/11/2016 10:55 AM, Helmut Schneider wrote:
> Hi,
>
> for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without success.
>
> I have read https://wiki.apache.org/spamassassin/TrustPath and
> https://wiki.apache.org/spamassassin/FixingAllTrusted carefully, put
>
> trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> add_header all RelaysUntrusted _RELAYSUNTRUSTED_ (this does not seem to
> work at all, no header seems added)
>
> into local.cf and still ALL_TRUSTED gets fired. Any help would be
> appreciated.

Step one is to make sure you're putting the settings into the right 
file.  Run this to check if you are using the right file:

$ spamassassin -D config --lint 2>&1 | grep local.cf
Apr 11 11:40:56.509 [6692] dbg: config: read file 
/etc/mail/spamassassin/local.cf

Once you have your settings in the right file, then make sure you have 
restarted amavisd-new to load the new settings.

-- 
Bowie

Re: Fixing ALL_TRUSTED=-1

Posted by Reindl Harald <h....@thelounge.net>.

On 12.04.2016 at 15:03, Helmut Schneider wrote:
> Amavisd runs chrooted, how can I debug SA while running from amavisd?

why are you running it chrooted?

you know how easy it is to miss important things in the jail or fail 
to update them properly - especially in a complex setup?

just make your operating system and configuration read-only with 
something like systemd-units and "ReadOnlyDirectories=/etc"
as well as "ReadOnlyDirectories=/usr" and on outdated setups also /bin 
and /sbin and you have a similar protection for your installation with 
less chance that something silently breaks, be it that your /dev/urandom 
is not properly available and all cryptographic code is prone to fail



Re: Fixing ALL_TRUSTED=-1

Posted by Helmut Schneider <ju...@gmx.de>.
Helmut Schneider wrote:

> Bill Cole wrote:
> 
> > On 12 Apr 2016, at 9:03, Helmut Schneider wrote:
> > 
> > > Bill Cole wrote:
> > > 
> > > > Pipe that message into "spamassassin -t -D
> > > > dns,received-header,metadata" *running as the same user that
> > > > runs your Amavisd* and examine the first ~20 lines of the debug
> > > > output, which will show you how SA is parsing those Received
> > > > headers as well as what version of Net::DNS you're using.
> > > 
> > > Good point! Running spamassassin from command line works fine and
> > > does not trigger ALL_TRUSTED:
> > > 
> > > Apr 12 09:49:27.475 [13767] dbg: metadata:
> > > X-Spam-Relays-Untrusted:  [ ip=193.109.254.103
> > > rdns=mail6.bemta14.messagelabs.com
> > > helo=mail6.bemta14.messagelabs.com by=XX ident= envfrom= intl=0
> > > id=0423F30E auth= msa=0 ] [ ip=85.158.140.195 rdns= helo=
> > > by=server-10.bemta-14.messagelabs.com ident= envfrom= intl=0
> > > id=04/85-02972-8943C075 auth= msa=0 ] [ ip=104.47.100.68
> > > rdns=mail-ma1ind01on0068.outbound.protection.outlook.com
> > > helo=IND01-MA1-obe.outbound.protection.outlook.com
> > > by=server-9.tower-193.messagelabs.com ident= envfrom= intl=0 id=
> > > auth= msa=0 ] [ ip=115.114.122.40 rdns=115.114.122.40
> > > helo=115.114.122.40 by=BM1PR01MB0596.INDPRD01.PROD.OUTLOOK.COM
> > > ident= envfrom= intl=0 id=15.1.453.26 auth= msa=0 ] [
> > > ip=115.114.122.40 rdns= helo= by=  ident= envfrom= intl=0 id=
> > > auth= msa=0 ]
> > > 
> > > Amavisd runs chrooted, how can I debug SA while running from
> > > amavisd?
> > 
> > I cannot say, as I do not run Amavisd. There seem to be instructions
> > at https://www.ijs.si/software/amavisd/README.chroot.txt
> 
> Unfortunately I contributed many of those instructions myself. I'll
> try strace. Thank you.

Too bad, the issue also occurs without chroot. So I'll head over to the
amavisd-new list.


Re: Fixing ALL_TRUSTED=-1

Posted by Helmut Schneider <ju...@gmx.de>.
Bill Cole wrote:

> On 12 Apr 2016, at 9:03, Helmut Schneider wrote:
> 
> > Bill Cole wrote:
> > 
> > > Pipe that message into "spamassassin -t -D
> > > dns,received-header,metadata" *running as the same user that runs
> > > your Amavisd* and examine the first ~20 lines of the debug output,
> > > which will show you how SA is parsing those Received headers as
> > > well as what version of Net::DNS you're using.
> > 
> > Good point! Running spamassassin from command line works fine and
> > does not trigger ALL_TRUSTED:
> > 
> > Apr 12 09:49:27.475 [13767] dbg: metadata: X-Spam-Relays-Untrusted:
> > [ ip=193.109.254.103 rdns=mail6.bemta14.messagelabs.com
> > helo=mail6.bemta14.messagelabs.com by=XX ident= envfrom= intl=0
> > id=0423F30E auth= msa=0 ] [ ip=85.158.140.195 rdns= helo=
> > by=server-10.bemta-14.messagelabs.com ident= envfrom= intl=0
> > id=04/85-02972-8943C075 auth= msa=0 ] [ ip=104.47.100.68
> > rdns=mail-ma1ind01on0068.outbound.protection.outlook.com
> > helo=IND01-MA1-obe.outbound.protection.outlook.com
> > by=server-9.tower-193.messagelabs.com ident= envfrom= intl=0 id=
> > auth= msa=0 ] [ ip=115.114.122.40 rdns=115.114.122.40
> > helo=115.114.122.40 by=BM1PR01MB0596.INDPRD01.PROD.OUTLOOK.COM
> > ident= envfrom= intl=0 id=15.1.453.26 auth= msa=0 ] [
> > ip=115.114.122.40 rdns= helo= by=  ident= envfrom= intl=0 id= auth=
> > msa=0 ]
> > 
> > Amavisd runs chrooted, how can I debug SA while running from
> > amavisd?
> 
> I cannot say, as I do not run Amavisd. There seem to be instructions
> at https://www.ijs.si/software/amavisd/README.chroot.txt

Unfortunately I contributed many of those instructions myself. I'll try
strace. Thank you.


Re: Fixing ALL_TRUSTED=-1

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 12 Apr 2016, at 9:03, Helmut Schneider wrote:

> Bill Cole wrote:
>
>> On 11 Apr 2016, at 10:55, Helmut Schneider wrote:
>>
>>> Hi,
>>>
>>> for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without
>>> success.
>>
>> Did it just start showing up 6 months ago on a previously-working
>> SpamAssassin installation, or was SA just set up 6 months ago and has
>> been broken the whole time?
>
> I don't recall that it ever worked.

Good: that implies that it is unlikely to be the result of upgrading 
Net::DNS to a version that breaks SA 3.4.0


>>> Received: from XXX (XXX [172.20.12.10])
>>> 		 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
>>> 		 (No client certificate requested)
>>> 		 by XXX (Postfix) with ESMTPS
>>> 		 for <XXX>; Mon, 11 Apr 2016 15:01:32 +0200 (CEST)
>>
>> Pipe that message into "spamassassin -t -D
>> dns,received-header,metadata" *running as the same user that runs
>> your Amavisd* and examine the first ~20 lines of the debug output,
>> which will show you how SA is parsing those Received headers as well
>> as what version of Net::DNS you're using.
>
> Good point! Running spamassassin from command line works fine and does
> not trigger ALL_TRUSTED:
>
> Apr 12 09:49:27.475 [13767] dbg: metadata: X-Spam-Relays-Untrusted: [
> ip=193.109.254.103 rdns=mail6.bemta14.messagelabs.com
> helo=mail6.bemta14.messagelabs.com by=XX ident= envfrom= intl=0
> id=0423F30E auth= msa=0 ] [ ip=85.158.140.195 rdns= helo=
> by=server-10.bemta-14.messagelabs.com ident= envfrom= intl=0
> id=04/85-02972-8943C075 auth= msa=0 ] [ ip=104.47.100.68
> rdns=mail-ma1ind01on0068.outbound.protection.outlook.com
> helo=IND01-MA1-obe.outbound.protection.outlook.com
> by=server-9.tower-193.messagelabs.com ident= envfrom= intl=0 id= auth=
> msa=0 ] [ ip=115.114.122.40 rdns=115.114.122.40 helo=115.114.122.40
> by=BM1PR01MB0596.INDPRD01.PROD.OUTLOOK.COM ident= envfrom= intl=0
> id=15.1.453.26 auth= msa=0 ] [ ip=115.114.122.40 rdns= helo= by= 
> ident=
> envfrom= intl=0 id= auth= msa=0 ]
>
> Amavisd runs chrooted, how can I debug SA while running from amavisd?

I cannot say, as I do not run Amavisd. There seem to be instructions at 
https://www.ijs.si/software/amavisd/README.chroot.txt and Mark Martinec 
has been sighted posting here.

My GUESS is that you don't have copies of your settings (e.g. local.cf) 
inside the chroot jail. It is also possible that the jail is missing 
device or socket nodes needed but I think that would be unlikely to 
cause a subtle problem.

Re: Fixing ALL_TRUSTED=-1

Posted by Helmut Schneider <ju...@gmx.de>.
Bill Cole wrote:

> On 11 Apr 2016, at 10:55, Helmut Schneider wrote:
> 
> > Hi,
> > 
> > for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without
> > success.
> 
> Did it just start showing up 6 months ago on a previously-working
> SpamAssassin installation, or was SA just set up 6 months ago and has
> been broken the whole time?

I don't recall that it ever worked.

> > Received: from XXX (XXX [172.20.12.10])
> > 		 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
> > 		 (No client certificate requested)
> > 		 by XXX (Postfix) with ESMTPS
> > 		 for <XXX>; Mon, 11 Apr 2016 15:01:32 +0200 (CEST)
> 
> Pipe that message into "spamassassin -t -D
> dns,received-header,metadata" *running as the same user that runs
> your Amavisd* and examine the first ~20 lines of the debug output,
> which will show you how SA is parsing those Received headers as well
> as what version of Net::DNS you're using.

Good point! Running spamassassin from command line works fine and does
not trigger ALL_TRUSTED:

Apr 12 09:49:27.475 [13767] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=193.109.254.103 rdns=mail6.bemta14.messagelabs.com
helo=mail6.bemta14.messagelabs.com by=XX ident= envfrom= intl=0
id=0423F30E auth= msa=0 ] [ ip=85.158.140.195 rdns= helo=
by=server-10.bemta-14.messagelabs.com ident= envfrom= intl=0
id=04/85-02972-8943C075 auth= msa=0 ] [ ip=104.47.100.68
rdns=mail-ma1ind01on0068.outbound.protection.outlook.com
helo=IND01-MA1-obe.outbound.protection.outlook.com
by=server-9.tower-193.messagelabs.com ident= envfrom= intl=0 id= auth=
msa=0 ] [ ip=115.114.122.40 rdns=115.114.122.40 helo=115.114.122.40
by=BM1PR01MB0596.INDPRD01.PROD.OUTLOOK.COM ident= envfrom= intl=0
id=15.1.453.26 auth= msa=0 ] [ ip=115.114.122.40 rdns= helo= by= ident=
envfrom= intl=0 id= auth= msa=0 ]

Amavisd runs chrooted, how can I debug SA while running from amavisd?
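
Added example (not part of the original posts, and not SpamAssassin or amavisd code): a small parser for the X-Spam-Relays-* debug lines quoted above that checks each reported relay against the trusted_networks from the posted local.cf. The second sample, the function names and the ALL_TRUSTED condition used here are assumptions.

```python
import ipaddress
import re

# trusted_networks from the local.cf quoted in the thread; SpamAssassin's
# documentation says loopback is always trusted, so 127.0.0.0/8 is added here.
TRUSTED_NETWORKS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample 1: the command-line debug line from the thread, cut to two relays.
CLI_RUN = """Apr 12 09:49:27.475 [13767] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=193.109.254.103 rdns=mail6.bemta14.messagelabs.com
helo=mail6.bemta14.messagelabs.com by=XX ident= envfrom= intl=0
id=0423F30E auth= msa=0 ] [ ip=85.158.140.195 rdns= helo=
by=server-10.bemta-14.messagelabs.com ident= envfrom= intl=0
id=04/85-02972-8943C075 auth= msa=0 ]"""

# Constructed sample 2 (hypothetical, not from the thread): a run in which an
# Internet relay landed on the trusted list and the untrusted list is empty.
SUSPECT_RUN = """dbg: metadata: X-Spam-Relays-Trusted: [ ip=172.20.12.10 rdns=XXX
helo=XXX by=XXX ident= envfrom= intl=1 id= auth= msa=0 ] [ ip=195.245.231.135
rdns=mail6.bemta5.messagelabs.com helo=mail6.bemta5.messagelabs.com by=XXX
ident= envfrom= intl=1 id=63B4C335 auth= msa=0 ]
dbg: metadata: X-Spam-Relays-Untrusted:"""

LIST_RE = re.compile(r"X-Spam-Relays-(Trusted|Untrusted):((?: \[ [^\]]*\])*)")


def parse_relays(debug_text):
    """Return {'Trusted': [...], 'Untrusted': [...]}, one dict of fields per relay."""
    flat = " ".join(debug_text.split())  # undo mail-client line wrapping
    relays = {"Trusted": [], "Untrusted": []}
    for kind, body in LIST_RE.findall(flat):
        for entry in re.findall(r"\[ ([^\]]*)\]", body):
            relays[kind].append(dict(re.findall(r"(\w+)=(\S*)", entry)))
    return relays


def is_configured_trusted(ip, networks=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def diagnose(debug_text, networks=TRUSTED_NETWORKS):
    """Compare what SpamAssassin reported with what local.cf should produce."""
    relays = parse_relays(debug_text)
    trusted_ips = [r["ip"] for r in relays["Trusted"]]
    untrusted_ips = [r["ip"] for r in relays["Untrusted"]]
    return {
        "untrusted": untrusted_ips,
        # Assumption: ALL_TRUSTED needs at least one trusted relay and no untrusted one.
        "all_trusted_expected": bool(trusted_ips) and not untrusted_ips,
        # Relays reported as trusted although the configured networks exclude them:
        # a sign that the scanning process is not using this trusted_networks setting.
        "trusted_outside_config": [ip for ip in trusted_ips
                                   if not is_configured_trusted(ip, networks)],
    }


if __name__ == "__main__":
    for name, text in (("cli", CLI_RUN), ("suspect", SUSPECT_RUN)):
        print(name, diagnose(text))
```

Feeding it the debug output captured from the command line and from the daemon side by side shows whether both runs applied the same trusted_networks.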


Re: Fixing ALL_TRUSTED=-1

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Apr 2016, at 10:55, Helmut Schneider wrote:

> Hi,
>
> for more than 6 months I'm trying to fix ALL_TRUSTED=-1 without 
> success.

Did it just start showing up 6 months ago on a previously-working 
SpamAssassin installation, or was SA just set up 6 months ago and has 
been broken the whole time?

> I have read https://wiki.apache.org/spamassassin/TrustPath and
> https://wiki.apache.org/spamassassin/FixingAllTrusted carefully, put
>
> trusted_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> internal_networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> add_header all RelaysUntrusted _RELAYSUNTRUSTED_ (this does not seem to
> work at all, no header seems added)
>
> into local.cf and still ALL_TRUSTED gets fired. Any help would be
> appreciated.
>
> mail:~$ sudo spamassassin -V
> SpamAssassin version 3.4.0
>   running on Perl version 5.18.2

There have been some issues fixed since 3.4.0 that MIGHT be related to 
this, particularly if you're using Net::DNS v1.0x where x<5. The details 
of that are rather arcane and involve problematic code on both sides, 
but it can be fixed IF that's the root cause.

The next step you should try in figuring this out is to strip down the 
message to what Amavisd was given by removing everything before this 
header:

> Received: from XXX (XXX [172.20.12.10])
> 		 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
> 		 (No client certificate requested)
> 		 by XXX (Postfix) with ESMTPS
> 		 for <XXX>; Mon, 11 Apr 2016 15:01:32 +0200 (CEST)

Pipe that message into "spamassassin -t -D dns,received-header,metadata" 
*running as the same user that runs your Amavisd* and examine the first 
~20 lines of the debug output, which will show you how SA is parsing 
those Received headers as well as what version of Net::DNS you're using.

One oddity I noticed in your example that may cause trouble is that 
there was no Return-Path header or any other header that SpamAssassin 
would use in lieu of an explicit "envelope_sender_header" setting, until 
deep into the headers where SA may not be looking. That should not be 
capable of causing a wrong ALL_TRUSTED result, but it is something you 
should try to fix.