Posted to users@spamassassin.apache.org by PGNd <de...@pgnd.us> on 2015/06/26 18:36:56 UTC
sent mail IDs untrusted relays correctly; forwarded email does not ?
On my local server, I have SA running from within postfix+amavisd
My TRUST PATH works for 'sent-directly-to-me' mail. For 'forwarded-to-me' mail, it incorrectly IDs my own internal IPs as untrusted relays.
How do I teach SA to correctly NOT id my own servers as untrusted?
Details ...
If I send from a remote TO my local server,
FROM myname@operamail.com -> TO postmaster@DDDD1.com
with TRUST PATH
clear_trusted_networks
clear_internal_networks
internal_networks 127.0.0.0/8 192.168.1.100/24 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
trusted_networks 192.168.1.100/24 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29
untrusted relays are correctly identified in the mail received @ postmaster@DDDD1.com
X-Spam-Relays-Untrusted:
[ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
helo=out5-smtp.messagingengine.com by=mailhost.DDDD.com ident= envfrom=
intl=0 id= auth= msa=0 ]
[ ip=10.202.2.43 rdns=compute3.nyi.internal
helo=compute3.internal by=mailout.nyi.internal ident= envfrom= intl=0
id=2F39520771 auth= msa=0 ]
[ ip=10.202.2.214 rdns= helo=web4
by=compute3.internal ident= envfrom= intl=0 id= auth= msa=0 ]
BUT, if I *FORWARD* an email from the remote
FROM other@DDDD1.com -> TO myname@operamail.com
AUTO-FORWARD FROM myname@operamail.com -> TO postmaster@DDDD1.com
ALL my internal relays are now seen as untrusted
X-Spam-Relays-Untrusted:
[ ip=66.111.4.223
rdns=forward1-smtp.messagingengine.com helo=forward1-smtp.messagingengine.com
by=mailhost.DDDD.com ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=10.202.2.84 rdns=imap34.nyi.internal helo=imap34.nyi.internal
by=mailforward.nyi.internal ident= envfrom= intl=0 id=8A5B1218A8 auth= msa=0 ]
[ ip=10.202.2.42 rdns=compute2.nyi.internal helo=compute2.internal
by=sloti34d2t10 ident= envfrom= intl=0 id= auth=LMTPA msa=0 ]
[ ip=10.202.2.202 rdns= helo=mx3 by=compute2.internal ident= envfrom= intl=0
id= auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=mx3.messagingengine.com
by=mx3.nyi.internal ident= envfrom= intl=0 id=E3F81C003B auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=mx3.nyi.internal by=mx3.messagingengine.com
ident= envfrom= intl=0 id=01AA0B67021.837A3C00DC auth= msa=0 ]
[ ip=X.X.X.142 rdns=mail.DDDD.com helo=mailhost.DDDD.com
by=mx3.messagingengine.com ident= envfrom= intl=0 id=837A3C00DC auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=localhost by=mailhost.DDDD.com ident=
envfrom= intl=0 id=1226A64511 auth= msa=0 ]
[ ip=192.168.1.100 rdns=
helo=amavis-feed.mail.DDDD.com by=localhost ident= envfrom= intl=0
id=q_TiKdHdHvcA auth= msa=0 ]
[ ip=192.168.2.100
rdns=internal.mail-backend.DDDD.com helo=mail-backend.DDDD.com
by=mailhost.DDDD.com ident= envfrom= intl=0 id=DD95E62B44 auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=mail-backend.DDDD.com
by=mail-backend.DDDD.com ident= envfrom= intl=0 id=2F3D0102846 auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=localhost by=mail-backend.DDDD.com ident=
envfrom= intl=0 id=D3CFB102849 auth= msa=0 ]
[ ip=10.0.0.1
rdns=smtp-auth.mail-backend.DDDD.com helo=smtp-auth.mail-backend.DDDD.com
by=mail-backend.DDDD.com ident= envfrom= intl=0 id=55501102846 auth=ESMTPSA
msa=0 ]
Re: sent mail IDs untrusted relays correctly; forwarded email does not ?
Posted by PGNd <de...@pgnd.us>.
On Fri, Jun 26, 2015, at 02:01 PM, RW wrote:
> The received headers are parsed top to bottom; once an untrusted server
> is identified the chain of trust is broken and nothing below that can
> be trusted. Spammers can and do forge headers.
Got it.
Which leads back to the question you raised ... why is that 66.111.4.29, in 66.111.4.0/24, not trusted?
Re: sent mail IDs untrusted relays correctly; forwarded email does not ?
Posted by RW <rw...@googlemail.com>.
On Fri, 26 Jun 2015 13:34:59 -0700
PGNd wrote:
>
>
> On Fri, Jun 26, 2015, at 01:23 PM, RW wrote:
> > They shouldn't be trusted unless there is a chain of trust. They
> > don't matter anyway since they are from the original relay before
> > the email was forwarded.
>
> I thought that 'chain of trust' was established by their inclusion in
> the internal_networks/trusted_networks. Apparently not ...
>
> What's the correct means/place to establish that chain of trust?
The received headers are parsed top to bottom; once an untrusted server
is identified the chain of trust is broken and nothing below that can
be trusted. Spammers can and do forge headers.
> If they "don't matter anyway" since they're from prior hop, should
> they not be ignored, rather than parsed & identified as untrusted?
They might be useful, otherwise they are informational.
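Added example (not part of the original thread, and not SpamAssassin's own code): a simplified model of the top-to-bottom rule RW describes above, showing that hops below the first untrusted relay are listed as untrusted even when their addresses are in the configured networks. Assumptions: the union of the posted internal_networks and trusted_networks is treated as trusted, the redacted X.X.X.* entries are omitted, and the relay list and *.example host names are constructed.

```python
import ipaddress
import re

# Networks from the posted internal_networks/trusted_networks lines.
# Assumptions: the union is treated as trusted; redacted X.X.X.* entries are omitted.
# strict=False because entries such as 192.168.1.100/24 are written with host bits set.
TRUSTED = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.0/8", "192.168.1.100/24", "192.168.2.100/24",
    "66.111.4.0/24", "82.221.106.240/29")]

# Constructed relay list in the "[ ip=... ]" layout, newest hop first.
SAMPLE = """
[ ip=192.168.2.100 rdns= helo=backend.example by=mailhost.example
  ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=203.0.113.7 rdns=relay.example helo=relay.example by=backend.example
  ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=192.168.1.100 rdns= helo=amavis-feed.example by=relay.example
  ident= envfrom= intl=0 id= auth= msa=0 ]
[ ip=127.0.0.1 rdns=localhost helo=localhost by=amavis-feed.example
  ident= envfrom= intl=0 id= auth= msa=0 ]
"""

ENTRY = re.compile(r"\[\s*(.*?)\s*\]", re.S)

def parse_relays(text):
    """Turn each '[ key=value ... ]' entry into a dict of its fields."""
    return [dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
            for body in ENTRY.findall(text)]

def split_chain(relays, trusted=TRUSTED):
    """Walk hops top to bottom; after the first untrusted hop, trust nothing."""
    trusted_hops, untrusted_hops = [], []
    broken = False
    for hop in relays:
        ip = ipaddress.ip_address(hop["ip"])
        if not broken and any(ip in net for net in trusted):
            trusted_hops.append(hop["ip"])
        else:
            # Everything below this point could have been forged by the sender.
            broken = True
            untrusted_hops.append(hop["ip"])
    return trusted_hops, untrusted_hops

if __name__ == "__main__":
    ok, bad = split_chain(parse_relays(SAMPLE))
    print("trusted:  ", ok)
    print("untrusted:", bad)
```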
Re: sent mail IDs untrusted relays correctly; forwarded email does not ?
Posted by PGNd <de...@pgnd.us>.
On Fri, Jun 26, 2015, at 01:23 PM, RW wrote:
> They shouldn't be trusted unless there is a chain of trust. They don't
> matter anyway since they are from the original relay before the email
> was forwarded.
I thought that 'chain of trust' was established by their inclusion in the internal_networks/trusted_networks. Apparently not ...
What's the correct means/place to establish that chain of trust?
If they "don't matter anyway" since they're from prior hop, should they not be ignored, rather than parsed & identified as untrusted?
> > internal_networks 127.0.0.0/8 192.168.1.100/24
> > 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
> > trusted_networks 192.168.1.100/24 192.168.2.100/24
> > X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29
>
> > X-Spam-Relays-Untrusted:
> > [ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
> > helo=out5-smtp.messagingengine.com
> What's actually odd here is that 66.111.4.29 is in 66.111.4.0/24 and so
> should be trusted.
Well, now, that's a good point. I hadn't yet looked past the other problem ...
Re: sent mail IDs untrusted relays correctly; forwarded email does not ?
Posted by RW <rw...@googlemail.com>.
On Fri, 26 Jun 2015 09:36:56 -0700
PGNd wrote:
> On my local server, I have SA running from within postfix+amavisd
>
> My TRUST PATH works for 'sent-directly-to-me' mail. For
> 'forwarded-to-me' mail, it incorrectly IDs my own internal IPs as
> untrusted relays.
>
> How do I teach SA to correctly NOT id my own servers as untrusted?
>
They shouldn't be trusted unless there is a chain of trust. They don't
matter anyway since they are from the original relay before the email
was forwarded.
> internal_networks 127.0.0.0/8 192.168.1.100/24
> 192.168.2.100/24 X.X.X.142/32 X.X.X.143/32
> trusted_networks 192.168.1.100/24 192.168.2.100/24
> X.X.X.142/32 X.X.X.143/32 66.111.4.0/24 82.221.106.240/29
> X-Spam-Relays-Untrusted:
> [ ip=66.111.4.29 rdns=out5-smtp.messagingengine.com
> helo=out5-smtp.messagingengine.com
What's actually odd here is that 66.111.4.29 is in 66.111.4.0/24 and so
should be trusted.