You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Marcus Schopen <li...@localguru.de> on 2016/12/16 21:41:49 UTC
trusted_networks and internal_networks confusion
Hi,
I have configuration problems with trusted_networks and
internal_networks when forwarding my office mails to my private server,
because one server in the trust chain is also a submission server.
My current setup is simple (SA runs on my private server =
MY_SERVER_IP):
trusted_networks MY_SERVER_IP
Forwarded mails via the office mail servers go this way, headers from to
to down:
Received: from smtp-out.myoffice.de by MY_SERVER_IP
Received: from mx.myoffice.de by smtp-out.myoffice.de
Received: from spamhost.de by mx.myoffice.de
To get a trusty path I put mx.myoffice.de and smtp-out.myoffice.de to
trusted_networks on my server:
trusted_networks MY_SERVER_IP
trusted_networks smtp-out.myoffice.de
trusted_networks mx.myoffice.de
The problem is, that smtp-out.myoffice.de is also a submission server
for dialup clients. Headers from to to down:
Received: from smtp-out.myoffice.de by MY_SERVER_IP
Received: from dialup-client-IP by smtp-out.myoffice.de
So if I set smtp-out.myoffice.de to trusted_networks without having
internal_networks defined, internal_networks is set to trusted_networks
which means dialup client IPs, that connect to smtp-out.myoffice.de will
be checked against RBL/DUL lists by my SA and get blocked. I tried to
remove the submission server from internal_networks to set
trusted_networks and internal_networks, but in that case RBL checks seem
not to run on the originate spamhost IP in case for forwarding:
trusted_networks MY_SERVER_IP
trusted_networks smtp-out.myoffice.de
trusted_networks mx.myoffice.de
internal_networks MY_SERVER_IP
internal_networks mx.myoffice.de
Any ideas?
Ciao
Marcus
Re: trusted_networks and internal_networks confusion
Posted by RW <rw...@googlemail.com>.
On Sat, 17 Dec 2016 20:51:01 +0100
Marcus Schopen wrote:
> > SpamAssassin usually deals with this problem by looking for
> > authentication in the header, but that's not recorded here.
>
> There is no auth hint in the header when using the submission server.
>
> Received: from [192.168.178.25] ([my dynamic IP]) by
> smtp-out.myoffice.de (Oracle Communications Messaging Server
> 7.0.5.37.0 64bit (built Jan 25 2016)) with ESMTPPA id
> <0OIA00E6KOQ65A80@smtp-out,myoffice> for ich@test.de;
> Fri, 16 Dec 2016 21:25:20 +0100 (CET)
Authentication is commonly indicated by the A in "with ESMTPA".
I don't know what the second P in ESMTPPA is for, but it seems to be
the source of your problem.
Re: trusted_networks and internal_networks confusion
Posted by Marcus Schopen <li...@localguru.de>.
Hi,
Am Samstag, den 17.12.2016, 13:17 +0000 schrieb RW:
> On Fri, 16 Dec 2016 22:41:49 +0100
> Marcus Schopen wrote:
>
>
> > The problem is, that smtp-out.myoffice.de is also a submission server
> > for dialup clients. Headers from to to down:
> >
> > Received: from smtp-out.myoffice.de by MY_SERVER_IP
> > Received: from dialup-client-IP by smtp-out.myoffice.de
>
> SpamAssassin usually deals with this problem by looking for
> authentication in the header, but that's not recorded here.
There is no auth hint in the header when using the submission server.
Received: from [192.168.178.25] ([my dynamic IP]) by
smtp-out.myoffice.de (Oracle Communications Messaging Server
7.0.5.37.0 64bit (built Jan 25 2016)) with ESMTPPA id
<0OIA00E6KOQ65A80@smtp-out,myoffice> for ich@test.de;
Fri, 16 Dec 2016 21:25:20 +0100 (CET)
I think they manipulate the header or have a proxy, because the smtp
host in my mailclient is smtp.myoffice.de (with a another IP) and not
smtp-out.myoffice.de. But smtp-out.myoffice.de comes up as the first
connecting host for the mail client.
> I think your best option is to leave it in internal_networks and write
> a custom rule to take some points off when it's submission.
Good idea, something like if smtp-out.myoffice.de is the first trusted
(header from down to top) 10 points off. How can I do that or what would
you think?
Ciao!
Re: trusted_networks and internal_networks confusion
Posted by RW <rw...@googlemail.com>.
On Fri, 16 Dec 2016 22:41:49 +0100
Marcus Schopen wrote:
> The problem is, that smtp-out.myoffice.de is also a submission server
> for dialup clients. Headers from to to down:
>
> Received: from smtp-out.myoffice.de by MY_SERVER_IP
> Received: from dialup-client-IP by smtp-out.myoffice.de
SpamAssassin usually deals with this problem by looking for
authentication in the header, but that's not recorded here.
I think your best option is to leave it in internal_networks and write
a custom rule to take some points off when it's submission.