Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2007/01/23 23:51:04 UTC

whitelist_from_rcvd

I have the following in my local.cf file, but some messages get blocked
still, see my log entries below. I use amavisd-new and it seems those in
the log that show localhost as the client pass through and those
directly from the blackberry get blocked. Not sure why all would not be
coming from the amavisd localhost, can someone tell me what is going on?
Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
from a user at curlin.com using their blackberry to bypass filtering.

whitelist_from_rcvd *@curlin.com blackberry.com

Passed message:
esmtp# grep 085E237B4B1 /var/log/maillog
Jan 23 17:08:10 esmtp postfix/smtpd[96238]: 085E237B4B1: client=localhost.ky.webtent.net[127.0.0.1]
Jan 23 17:08:10 esmtp postfix/cleanup[99277]: 085E237B4B1: message-id=<88...@bwe038-cell00.bisx.prod.on.blackberry>
Jan 23 17:08:10 esmtp postfix/qmgr[23779]: 085E237B4B1: from=<rg...@curlin.com>, size=4457, nrcpt=1 (queue active)
Jan 23 17:08:10 esmtp amavis[98912]: (98912-18) Passed CLEAN, [216.9.248.50] <rg...@curlin.com> -> <rg...@curlin.com>, Message-ID: <88...@bwe038-cell00.bisx.prod.on.blackberry>, mail_id: DJ-O0Sgt8iGF, Hits: 3.314, queued_as: 085E237B4B1, 1893 ms
Jan 23 17:08:10 esmtp postfix/smtp[99281]: 2EA9337B471: to=<rg...@curlin.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.32/0/0/1.9, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=98912-18, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 085E237B4B1)
Jan 23 17:08:10 esmtp postfix/smtp[99287]: 085E237B4B1: to=<rg...@curlin.com>, relay=71.16.138.218[71.16.138.218]:25, delay=0.51, delays=0.11/0/0.17/0.24, dsn=2.0.0, status=sent (250 OK)
Jan 23 17:08:10 esmtp postfix/qmgr[23779]: 085E237B4B1: removed

Blocked message:
esmtp# grep 1B36837B4BB /var/log/maillog
Jan 23 17:13:43 esmtp postfix/smtpd[99612]: 1B36837B4BB: client=smtp01.bis.na.blackberry.com[216.9.248.48]
Jan 23 17:13:43 esmtp postfix/cleanup[99710]: 1B36837B4BB: message-id=<20...@bwe053-cell00.bisx.prod.on.blackberry>
Jan 23 17:13:43 esmtp postfix/qmgr[23779]: 1B36837B4BB: from=<rg...@curlin.com>, size=53198, nrcpt=2 (queue active)
Jan 23 17:13:45 esmtp postfix/smtp[98957]: 1B36837B4BB: to=<jf...@curlin.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.84/0/0/2.4, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=99667-12, BOUNCE)
Jan 23 17:13:45 esmtp postfix/smtp[98957]: 1B36837B4BB: to=<rg...@curlin.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.84/0/0/2.4, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=99667-12, BOUNCE)
Jan 23 17:13:45 esmtp postfix/qmgr[23779]: 1B36837B4BB: removed
esmtp# grep 2049971341-1169590408-cardhu_blackberry /var/log/maillog
Jan 23 17:13:43 esmtp postfix/cleanup[99710]: 1B36837B4BB: message-id=<20...@bwe053-cell00.bisx.prod.on.blackberry>
Jan 23 17:13:45 esmtp amavis[99667]: (99667-12) Blocked SPAM, [216.9.248.48] <rg...@curlin.com> -> <jf...@curlin.com>, quarantine: spam-Q7bNs8B0f6e6.gz, Message-ID: <20...@bwe053-cell00.bisx.prod.on.blackberry>, mail_id: Q7bNs8B0f6e6, Hits: 4.757, 2370 ms

-- 
Robert


Re: whitelist_from_rcvd

Posted by Robert Fitzpatrick <li...@webtent.net>.
Matt Kettler wrote:
> Robert Fitzpatrick wrote:
>   
>> I have the following in my local.cf file, but some messages get blocked
>> still, see my log entries below. I use amavisd-new and it seems those in
>> the log that show localhost as the client pass through and those
>> directly from the blackberry get blocked. Not sure why all would not be
>> coming from the amavisd localhost, can someone tell me what is going on?
>> Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
>> from a user at curlin.com using their blackberry to bypass filtering.
>>
>> whitelist_from_rcvd *@curlin.com blackberry.com
>>
>> Passed message:
>>   
>>     
> <snip useless mail logs>
>
> My guess is one of the following two has occurred, in order of likelihood:
>
> 1) that SA doesn't have the right trusted_networks. (if your MX server
> has a private IP (i.e.: static NAT) you *MUST* declare trusted_networks
> manually. The auto-guesser won't handle this scenario properly)
> 2) SA can't parse your received headers.
>
> You can test this by running one of the messages through spamassassin
> -D. If you need help, post the debug info here
Thanks, I am running static NAT, but with public IP addresses. The MX 
server does not have a private IP, it has a public IP address using NAT 
policies for outbound traffic in the firewall for proper rDNS. The 
configuration of the SonicWall firewall allows us to use multiple public 
subnets behind one WAN port.

The only message I have to run through SA is a blocked one, sorry, but 
how do I capture the debug output to file for posting here? I tried the 
following and got a copy of the file:

I did see some things referencing headers in the debug:

[38446] dbg: rules: running header regexp tests; score so far=0
[38446] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[38446] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<20...@bwe053-cell00.bisx.prod.on.blackberry>
[38446] dbg: rules: "
[38446] dbg: rules: ran header rule __CT ======> got hit: "m"
[38446] dbg: rules: ran header rule __TOCC_EXISTS ======> got hit: """
[38446] dbg: rules: ran header rule __HAS_SUBJECT ======> got hit: "F"
[38446] dbg: rules: ran header rule __MSGID_OK_HEX ======> got hit: "96205411"
[38446] dbg: rules: ran header rule __BOUNCE_RP1 ======> got hit: "<>"
[38446] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: """
[38446] dbg: rules: ran header rule __HAS_RCVD ======> got hit: "f"
[38446] dbg: rules: ran header rule __FROM_ENCODED_B64 ======> got hit: "=?UTF-8?B?"
[38446] dbg: rules: ran header rule __CTYPE_HAS_BOUNDARY ======> got hit: "boundary"
[38446] dbg: rules: ran header rule __MIME_VERSION ======> got hit: "1"
[38446] dbg: rules: ran header rule __RATWARE_0_TZ_DATE ======> got hit: " +0000"
[38446] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "2049971341"

Thanks,

Robert


Re: whitelist_from_rcvd

Posted by Matt Kettler <mk...@verizon.net>.
Robert Fitzpatrick wrote:
> I have the following in my local.cf file, but some messages get blocked
> still, see my log entries below. I use amavisd-new and it seems those in
> the log that show localhost as the client pass through and those
> directly from the blackberry get blocked. Not sure why all would not be
> coming from the amavisd localhost, can someone tell me what is going on?
> Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
> from a user at curlin.com using their blackberry to bypass filtering.
>
> whitelist_from_rcvd *@curlin.com blackberry.com
>
> Passed message:
>   
<snip useless mail logs>

My guess is one of the following two has occurred, in order of likelihood:

1) that SA doesn't have the right trusted_networks. (if your MX server
has a private IP (i.e.: static NAT) you *MUST* declare trusted_networks
manually. The auto-guesser won't handle this scenario properly)
2) SA can't parse your received headers.

You can test this by running one of the messages through spamassassin
-D. If you need help, post the debug info here.
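
Added example (not part of the original thread and not SpamAssassin's own code): a small Python triage helper that reads `spamassassin -D` output and reports whether a `whitelist_from_rcvd` entry could match, showing how a misplaced trust boundary defeats the entry. It assumes the debug output carries `metadata: X-Spam-Relays-Trusted/Untrusted` lines in the `[ ip=... rdns=... ]` form and that the check compares the rDNS of the first untrusted relay and of the trusted relays with the listed domain; the debug excerpts, the `10.0.0.5` MX address, the `example.net` host names and the function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed debug excerpts (not from the thread); the relay name and IP are
# reused from the blocked-message log, every other field is made up.
BOUNDARY_OK = """\
[1] dbg: metadata: X-Spam-Relays-Trusted:
[1] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=216.9.248.48 rdns=smtp01.bis.na.blackberry.com helo=smtp01.bis.na.blackberry.com by=mx.example.net ident= envfrom= intl=0 id=X1 auth= ]
"""
# Same mail, but the site's own MX (10.0.0.5) is missing from trusted_networks,
# so it is classed as untrusted and sits in front of the BlackBerry relay.
BOUNDARY_WRONG = """\
[1] dbg: metadata: X-Spam-Relays-Trusted:
[1] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=10.0.0.5 rdns= helo=mx.example.net by=scan.example.net ident= envfrom= intl=0 id=X2 auth= ] [ ip=216.9.248.48 rdns=smtp01.bis.na.blackberry.com helo=smtp01.bis.na.blackberry.com by=mx.example.net ident= envfrom= intl=0 id=X1 auth= ]
"""

RELAY_LINE = re.compile(r"X-Spam-Relays-(Trusted|Untrusted):(.*)")
RELAY_BLOCK = re.compile(r"\[ ([^\]]*)\]")


def parse_relays(debug_text):
    """Return the trusted and untrusted relay lists, newest hop first."""
    relays = {"Trusted": [], "Untrusted": []}
    for kind, body in RELAY_LINE.findall(debug_text):
        for block in RELAY_BLOCK.findall(body):
            relays[kind].append(dict(f.split("=", 1) for f in block.split() if "=" in f))
    return relays


def rcvd_whitelist_matches(debug_text, from_addr, addr_glob, domain):
    """Simplified model (assumption): compare the rDNS of the first untrusted
    relay and of every trusted relay with `domain` or a subdomain of it."""
    if not fnmatchcase(from_addr.lower(), addr_glob.lower()):
        return False
    relays = parse_relays(debug_text)
    candidates = relays["Untrusted"][:1] + relays["Trusted"]
    pattern = re.compile(r"(?:^|\.)" + re.escape(domain.lower()) + r"$")
    return any(pattern.search(r.get("rdns", "").lower()) for r in candidates)


if __name__ == "__main__":
    for name, text in (("boundary ok", BOUNDARY_OK), ("boundary wrong", BOUNDARY_WRONG)):
        hit = rcvd_whitelist_matches(text, "user@curlin.com", "*@curlin.com", "blackberry.com")
        print(f"{name}: whitelist_from_rcvd would match = {hit}")
```

To use it on real output, save the debug stream (it is written to stderr) to a file and pass the file's contents as `debug_text`.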