Posted to users@spamassassin.apache.org by PGNd <de...@pgnd.us> on 2015/06/26 18:36:56 UTC

sent mail IDs untrusted relays correctly; forwarded email does not ?

On my local server, I have SA running from within postfix+amavisd

My TRUST PATH works for 'sent-directly-to-me' mail.  For 'forwarded-to-me' mail, it incorrectly IDs my own internal IPs as untrusted relays.

How do I teach SA to correctly NOT ID my own servers as untrusted?

Details ...

If I send from a remote TO my local server, 

	FROM myname@operamail.com -> TO postmaster@DDDD1.com

with TRUST PATH

	clear_trusted_networks
	clear_internal_networks
	internal_networks  127.0.0.0/8 192.168.1.100/24 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
	trusted_networks               192.168.1.100/24 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29

untrusted relays are correctly identified in the mail received @ postmaster@DDDD1.com

	X-Spam-Relays-Untrusted:
		[ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
			helo=out5-smtp.messagingengine.com by=mailhost.DDDD.com ident= envfrom=
			intl=0 id= auth= msa=0 ]
		[ ip=10.202.2.43 rdns=compute3.nyi.internal
			helo=compute3.internal by=mailout.nyi.internal ident= envfrom= intl=0
			id=2F39520771 auth= msa=0 ]
		[ ip=10.202.2.214 rdns= helo=web4
			by=compute3.internal ident= envfrom= intl=0 id= auth= msa=0 ]

BUT, if I *FORWARD* an email from the remote

	FROM other@DDDD1.com -> TO myname@operamail.com
	AUTO-FORWARD FROM myname@operamail.com -> TO postmaster@DDDD1.com

ALL my internal relays are now seen as untrusted

	X-Spam-Relays-Untrusted:
		[ ip=66.111.4.223
			rdns=forward1-smtp.messagingengine.com helo=forward1-smtp.messagingengine.com
			by=mailhost.DDDD.com ident= envfrom= intl=0 id= auth= msa=0 ]
		[ ip=10.202.2.84 rdns=imap34.nyi.internal helo=imap34.nyi.internal
			by=mailforward.nyi.internal ident= envfrom= intl=0 id=8A5B1218A8 auth= msa=0 ]
		[ ip=10.202.2.42 rdns=compute2.nyi.internal helo=compute2.internal
			by=sloti34d2t10 ident= envfrom= intl=0 id= auth=LMTPA msa=0 ]
		[ ip=10.202.2.202 rdns= helo=mx3 by=compute2.internal ident= envfrom= intl=0
			id= auth= msa=0 ]
		[ ip=127.0.0.1 rdns=localhost helo=mx3.messagingengine.com
			by=mx3.nyi.internal ident= envfrom= intl=0 id=E3F81C003B auth= msa=0 ]
		[ ip=127.0.0.1 rdns=localhost helo=mx3.nyi.internal by=mx3.messagingengine.com
			ident= envfrom= intl=0 id=01AA0B67021.837A3C00DC auth= msa=0 ]
		[ ip=X.X.X.142 rdns=mail.DDDD.com helo=mailhost.DDDD.com
			by=mx3.messagingengine.com ident= envfrom= intl=0 id=837A3C00DC auth= msa=0 ]
		[ ip=127.0.0.1 rdns=localhost helo=localhost by=mailhost.DDDD.com ident=
			envfrom= intl=0 id=1226A64511 auth= msa=0 ]
		[ ip=192.168.1.100 rdns=
			helo=amavis-feed.mail.DDDD.com by=localhost ident= envfrom= intl=0
			id=q_TiKdHdHvcA auth= msa=0 ]
		[ ip=192.168.2.100
			rdns=internal.mail-backend.DDDD.com helo=mail-backend.DDDD.com
			by=mailhost.DDDD.com ident= envfrom= intl=0 id=DD95E62B44 auth= msa=0 ]
		[ ip=127.0.0.1 rdns=localhost helo=mail-backend.DDDD.com
			by=mail-backend.DDDD.com ident= envfrom= intl=0 id=2F3D0102846 auth= msa=0 ]
		[ ip=127.0.0.1 rdns=localhost helo=localhost by=mail-backend.DDDD.com ident=
			envfrom= intl=0 id=D3CFB102849 auth= msa=0 ]
		[ ip=10.0.0.1 rdns=smtp-auth.mail-backend.DDDD.com helo=smtp-auth.mail-backend.DDDD.com
			by=mail-backend.DDDD.com ident= envfrom= intl=0 id=55501102846 auth=ESMTPSA
			msa=0 ]


Re: sent mail IDs untrusted relays correctly; forwarded email does not ?

Posted by PGNd <de...@pgnd.us>.

On Fri, Jun 26, 2015, at 02:01 PM, RW wrote:
> The received headers are parsed top to bottom; once an untrusted server
> is identified the chain of trust is broken and nothing below that can
> be trusted. Spammers can and do forge headers.

Got it.

Which leads back to the question you raised ... why is it that 66.111.4.29, in 66.111.4.0/24, is not trusted?

Re: sent mail IDs untrusted relays correctly; forwarded email does not ?

Posted by RW <rw...@googlemail.com>.
On Fri, 26 Jun 2015 13:34:59 -0700
PGNd wrote:

> On Fri, Jun 26, 2015, at 01:23 PM, RW wrote:
> > They shouldn't be trusted unless there is a chain of trust. They
> > don't matter anyway since they are from the original relay before
> > the email was forwarded.
> 
> I thought that 'chain of trust' was established by their inclusion in
> the internal_networks/trusted_networks.  Apparently not ...
> 
> What's the correct means/place to establish that chain of trust?

The received headers are parsed top to bottom; once an untrusted server
is identified the chain of trust is broken and nothing below that can
be trusted. Spammers can and do forge headers.

> If they "don't matter anyway" since they're from prior hop, should
> they not be ignored, rather than parsed & identified as untrusted? 

They might be useful, otherwise they are informational.
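The top-to-bottom rule RW describes, as an added illustration that is not SpamAssassin's code and not from this thread: a simplified model that walks Received: headers from the newest hop down, trusts a relay only while every hop above it was trusted, and marks everything after the first untrusted relay as untrusted regardless of trusted_networks. The header lines and the network list are constructed from the IPs in the thread (the redacted X.X.X.* entries are left out), and the simplification does not reproduce the 66.111.4.x oddity RW points out, nor the internal/trusted distinction.

```python
import ipaddress
import re

# Constructed model of SA's chain-of-trust walk; not SpamAssassin's own code.
# strict=False accepts host-bit-set prefixes like 192.168.1.100/24 as in the thread.
TRUSTED_NETWORKS = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.0/8", "192.168.1.100/24", "192.168.2.100/24",
    "66.111.4.0/24", "82.221.106.240/29")]

# Minimal "from HELO (rdns [ip]) by HOST" parser; real Received: syntax is looser.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)\s+by\s+(\S+)")

def parse_received(header):
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group(1), "ip": m.group(2), "by": m.group(3)}

def is_trusted_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def classify_relays(received_headers):
    """Headers in message order (topmost, most recent hop first).
    Returns (trusted, untrusted) lists of relay IPs."""
    trusted, untrusted = [], []
    chain_intact = True
    for hdr in received_headers:
        relay = parse_received(hdr)
        if relay is None:
            continue
        if chain_intact and is_trusted_ip(relay["ip"]):
            trusted.append(relay["ip"])
        else:
            # First untrusted hop breaks the chain; it cannot be re-established below.
            chain_intact = False
            untrusted.append(relay["ip"])
    return trusted, untrusted

# Constructed headers modelled on the forwarded-mail case in the thread.
FORWARDED = [
    "from forward1-smtp.messagingengine.com (forward1-smtp.messagingengine.com [66.111.4.223]) by mailhost.DDDD.com",
    "from imap34.nyi.internal (imap34.nyi.internal [10.202.2.84]) by mailforward.nyi.internal",
    "from compute2.internal (compute2.nyi.internal [10.202.2.42]) by sloti34d2t10",
    "from localhost (localhost [127.0.0.1]) by mailhost.DDDD.com",
    "from amavis-feed.mail.DDDD.com (unknown [192.168.1.100]) by localhost",
    "from mail-backend.DDDD.com (internal.mail-backend.DDDD.com [192.168.2.100]) by mailhost.DDDD.com",
]
```

Running `classify_relays(FORWARDED)` puts only 66.111.4.223 in the trusted list; 127.0.0.1, 192.168.1.100 and 192.168.2.100 land in the untrusted list even though they are in trusted_networks, because the 10.202.2.84 hop above them already broke the chain.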

Re: sent mail IDs untrusted relays correctly; forwarded email does not ?

Posted by PGNd <de...@pgnd.us>.

On Fri, Jun 26, 2015, at 01:23 PM, RW wrote:
> They shouldn't be trusted unless there is a chain of trust. They don't
> matter anyway since they are from the original relay before the email
> was forwarded.

I thought that 'chain of trust' was established by their inclusion in the internal_networks/trusted_networks.  Apparently not ...

What's the correct means/place to establish that chain of trust?

If they "don't matter anyway" since they're from prior hop, should they not be ignored, rather than parsed & identified as untrusted?
  
> > 	internal_networks  127.0.0.0/8 192.168.1.100/24
> > 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
> > trusted_networks               192.168.1.100/24 192.168.2.100/24
> > X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29
> 
> > 	X-Spam-Relays-Untrusted:
> > 		[ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
> > 			helo=out5-smtp.messagingengine.com

> What's actually odd here is that 66.111.4.29 is in 66.111.4.0/24 and so
> should be trusted.

Well, now, that's a good point.  I hadn't yet looked past the other problem ...


Re: sent mail IDs untrusted relays correctly; forwarded email does not ?

Posted by RW <rw...@googlemail.com>.
On Fri, 26 Jun 2015 09:36:56 -0700
PGNd wrote:

> On my local server, I have SA running from within postfix+amavisd
> 
> My TRUST PATH works for 'sent-directly-to-me' mail.  For
> 'forwarded-to-me' mail, it incorrectly IDs my own internal IPs as
> untrusted relays.
> 
> How do I teach SA to correctly NOT id my own servers as untrusted?
> 

They shouldn't be trusted unless there is a chain of trust. They don't
matter anyway since they are from the original relay before the email
was forwarded.



> 	internal_networks  127.0.0.0/8 192.168.1.100/24
> 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
> trusted_networks               192.168.1.100/24 192.168.2.100/24
> X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29

> 	X-Spam-Relays-Untrusted:
> 		[ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
> 			helo=out5-smtp.messagingengine.com


What's actually odd here is that 66.111.4.29 is in 66.111.4.0/24 and so
should be trusted.