Posted to users@spamassassin.apache.org by Nick I <ni...@gmail.com> on 2014/07/10 17:36:45 UTC

Smtp auth and trusted_networks

Hi

In the following example our mx received message with ESMTPSA from 1.1.1.1
and that ip detected as trusted.
Our trusted_networks list do not have this ip configured.

I need to run rbl check against 1.1.1.1.
Is there any settings to not add authenticated host to trusted hosts ?

We use SpamAssassin version 3.3.1.

Jul 10 14:27:34.275 [9780] dbg: received-header: parsed as [ ip=1.1.1.1
rdns=sender1.domain.com helo=mail.domain.com by=mx.domain.com ident=
envfrom= intl=0 id= auth=ESMTPSA msa=0 ]
Jul 10 14:27:34.275 [9780] dbg: received-header: relay 1.1.1.1 trusted? yes
internal? yes msa? no
Jul 10 14:27:34.277 [9780] dbg: received-header: parsed as [ ip=2.2.2.2
rdns= helo= by=mail.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]
Jul 10 14:27:34.277 [9780] dbg: received-header: relay 2.2.2.2 trusted? no
internal? no msa? no
Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Trusted: [
ip=1.1.1.1 rdns=sender1.domain.com helo=mail.domain.com by=mx.domain.com
ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ]
Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=2.2.2.2 rdns= helo= by=mail.domain.com ident= envfrom= intl=0 id= auth=
msa=0 ]
Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Internal: [
ip=1.1.1.1 rdns=sender1.domain.com helo=mail.domain.com by=mx.domain.com
ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ]
Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-External: [
ip=2.2.2.2 rdns= helo= by=mail.domain.com ident= envfrom= intl=0 id= auth=
msa=0 ]

Thanks.
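
Added example, not part of the original post and not SpamAssassin code: a small parser for the "received-header" debug lines shown above that reports relays SpamAssassin marked trusted although no configured trusted_networks entry covers them, i.e. relays trusted only through the auth= token. The trusted_networks values passed in are assumptions; the post does not list them.

```python
import ipaddress
import re

# Constructed sample: the received-header debug lines from the post, unwrapped.
SAMPLE_LOG = """\
Jul 10 14:27:34.275 [9780] dbg: received-header: parsed as [ ip=1.1.1.1 rdns=sender1.domain.com helo=mail.domain.com by=mx.domain.com ident= envfrom= intl=0 id= auth=ESMTPSA msa=0 ]
Jul 10 14:27:34.275 [9780] dbg: received-header: relay 1.1.1.1 trusted? yes internal? yes msa? no
Jul 10 14:27:34.277 [9780] dbg: received-header: parsed as [ ip=2.2.2.2 rdns= helo= by=mail.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]
Jul 10 14:27:34.277 [9780] dbg: received-header: relay 2.2.2.2 trusted? no internal? no msa? no
"""

PARSED = re.compile(r"received-header: parsed as \[ (.*?) \]")
VERDICT = re.compile(
    r"received-header: relay (\S+) trusted\? (yes|no) internal\? (yes|no) msa\? (yes|no)")


def parse_relays(log_text):
    """Return one dict per relay: parsed key=value fields plus the trust verdict.

    Keyed by IP, so feed it the debug output of a single message."""
    text = " ".join(log_text.split())  # undo mail-client line wrapping
    relays = {}
    for block in PARSED.findall(text):
        fields = dict(tok.partition("=")[::2] for tok in block.split() if "=" in tok)
        relays[fields["ip"]] = fields
    for ip, trusted, internal, msa in VERDICT.findall(text):
        relays.setdefault(ip, {"ip": ip}).update(
            trusted=trusted == "yes", internal=internal == "yes", msa_verdict=msa == "yes")
    return list(relays.values())


def trusted_by_auth_only(relays, trusted_networks):
    """Relays marked trusted with an auth token but outside every listed network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for r in relays:
        addr = ipaddress.ip_address(r["ip"])
        configured = any(addr in n for n in nets)
        if r.get("trusted") and r.get("auth") and not configured:
            hits.append((r["ip"], r["auth"]))
    return hits


if __name__ == "__main__":
    # Assumed trusted_networks values, for illustration only.
    print(trusted_by_auth_only(parse_relays(SAMPLE_LOG), ["127.0.0.0/8", "10.0.0.0/8"]))
```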

Re: Smtp auth and trusted_networks

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 10.07.14 18:36, Nick I wrote:
>In the following example our mx received message with ESMTPSA from 1.1.1.1
>and that ip detected as trusted.
>Our trusted_networks list do not have this ip configured.
>
>I need to run rbl check against 1.1.1.1.
>Is there any settings to not add authenticated host to trusted hosts ?

isn't the whole point of authentication to avoid scanning the authenticated
IP in blacklists?


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 

Re: Smtp auth and trusted_networks

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas skrev den 2014-07-13 17:14:
>>What do I (or the others) miss here?

On 13.07.14 18:27, Benny Pedersen wrote:
>i yet to see that pbl ips with smtp auth here

any dynamic - dialup, DSL, cable ... ?
they are supposed to use authentication and should not get 

RCVD_IN_SORBS_DUL
RCVD_IN_MAPS_DUL
RCVD_IN_PBL
RDNS_DYNAMIC

and metas like:

DYN_RDNS_*
DOS_*_TO_MX

those combined can have score highly over 5.

if you apply the patch, your own customers may get such score and get
blocked (or whatever you do when they have too big score).


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 

Re: Smtp auth and trusted_networks

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas skrev den 2014-07-13 17:14:

> What do I (or the others) miss here?

auth smtp users here can have dynamic ip in pbl, that does not mean its 
spam sent from them on my postfix, but if my server ip was in pbl it 
would be rejected on destinations, that would be my own fault, not smtp 
auth faults

i think this patch is completely unneeded if trusted_networks and 
internal_networks is doing its job

smtp auth gets all_trusted, and system users get no_relays

i yet to see that pbl ips with smtp auth here

Re: Smtp auth and trusted_networks

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas skrev den 2014-07-13 12:30:
>>isn't the whole point of authentication to avoid scanning the 
>>authenticated
>>IP in blacklists?

On 13.07.14 15:04, Benny Pedersen wrote:
>that would be a fault, since when its sent via smtps or submission it 
>would be in trusted_networks,

doesn't the posted patch avoid exactly this?

> but blindly think this is not spam is 
>another fault, authenticated just help to know who to blame :)

SA does not blindly think it is spam when it's sent with authentication.
Authentication just causes the sending IP to be scanned in blacklists.

That means, authenticated sending IP should not be scanned for dynamic
lists, so it should not hit blacklists.

This patch seems to remove this behaviour, so all authenticated mail from
dynamic IPs may get too high score...


What do I (or the others) miss here?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 

Re: Smtp auth and trusted_networks

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas skrev den 2014-07-13 12:30:

> isn't the whole point of authentication to avoid scanning the 
> authenticated
> IP in blacklists?

that would be a fault, since when its sent via smtps or submission it 
would be in trusted_networks, but blindly think this is not spam is 
another fault, authenticated just help to know who to blame :)

Re: Smtp auth and trusted_networks

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 11.07.14 22:20, Nick I wrote:
>I implemented your patch, but unfortunately it did not work for me.
>Authenticated sender IP address was recognised as trusted.

>I still need to have 'smtpd_sasl_authenticated_header = yes' in my postfix
>so i commented out these 3 lines.

I still don't understand the point:

isn't the whole point of authentication to avoid scanning the authenticated
IP in blacklists?



-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 

Re: Smtp auth and trusted_networks

Posted by Nick I <ni...@gmail.com>.
I implemented your patch, but unfortunately it did not work for me.
Authenticated sender IP address was recognised as trusted.

I still need to have 'smtpd_sasl_authenticated_header = yes' in my postfix
so i commented out these 3 lines.
And it does work for my installation.

---
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm.orig
2010-03-16 14:49:21.000000000 +0000
+++
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm
2014-07-11 17:20:21.497687731 +0000
@@ -389,9 +389,9 @@
   # with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and
others
   # with HTTP should only be authenticated webmail sessions
   # with HTTPU is used by Communigate Pro with Pronto! webmail interface
-  if (/ by / && / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
-    $auth = $1;
-  }
+#    if (/ by / && / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
+#      $auth = $1;
+#    }
   # Courier v0.47 and possibly others
   elsif (/^from .*?(?:\]\)|\)\]) \(AUTH: (LOGIN|PLAIN|DIGEST-MD5|CRAM-MD5)
\S+(?:, .*?)?\) by /) {
     $auth = $1;
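
Review bot: With the `if` block commented out, the unchanged `elsif` under "# Courier v0.47 and possibly others" has no `if` left to attach to in the lines shown here; change that `elsif` to `if` in the same edit so the chain stays valid Perl. The change also switches off detection of every keyword in the list (ESMTPA, ESMTPSA, LMTPA, LMTPSA, ASMTP, HTTP, HTTPU) for all mail while the Courier "(AUTH: ...)" branch still sets `$auth`, so behaviour now differs by sending MTA. A short comment saying why the block is disabled, and that this is a local edit to a packaged file under /usr/share/perl5/vendor_perl, would keep it from being lost or misread after a package update.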


Thanks All for the help.

2014-07-11 17:26 GMT+03:00 Kevin A. McGrail <KM...@pccc.com>:

> On 7/10/2014 5:55 PM, Giampaolo Tomassoni wrote:
>
>> Il 2014-07-10 17:36 Nick I ha scritto:
>>
>>  Hi
>>>
>>> In the following example our mx received message with ESMTPSA from
>>> 1.1.1.1 and that ip detected as trusted.
>>> Our trusted_networks list do not have this ip configured.
>>>
>>> I need to run rbl check against 1.1.1.1.
>>> Is there any settings to not add authenticated host to trusted hosts ?
>>>
>>> We use SpamAssassin version 3.3.1.
>>>
>>
>> Your case is exactly what the patch in bug#6430 (
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts to
>> cover.
>>
>> Unfortunately, that patch never went into any SA version, so you have to
>> apply it by yourself if you really need to let your MX act as an MSA in
>> case of authenticated submissions.
>>
>> If you use amavis, there is another option: move mail submission to
>> another instance of your smtp daemon and configure it to submit received
>> (and authenticated) message to an amavis channel you prepared for outgoing
>> mail.
>>
>> Regards,
>>
>> Giampaolo
>>
> If you use that patch and it works, please weigh in on the bugzilla or at
> least on the list.  The patch was considered pretty esoteric and didn't
> justify yet another option in the code.  But if people need it and use it,
> we will of course reconsider.
>

Re: Smtp auth and trusted_networks

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/10/2014 5:55 PM, Giampaolo Tomassoni wrote:
> Il 2014-07-10 17:36 Nick I ha scritto:
>
>> Hi
>>
>> In the following example our mx received message with ESMTPSA from 
>> 1.1.1.1 and that ip detected as trusted.
>> Our trusted_networks list do not have this ip configured.
>>
>> I need to run rbl check against 1.1.1.1.
>> Is there any settings to not add authenticated host to trusted hosts ?
>>
>> We use SpamAssassin version 3.3.1.
>
> Your case is exactly what the patch in bug#6430 
> (https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts 
> to cover.
>
> Unfortunately, that patch never went into any SA version, so you have 
> to apply it by yourself if you really need to let your MX act as an 
> MSA in case of authenticated submissions.
>
> If you use amavis, there is another option: move mail submission to 
> another instance of your smtp daemon and configure it to submit 
> received (and authenticated) message to an amavis channel you prepared 
> for outgoing mail.
>
> Regards,
>
> Giampaolo 
If you use that patch and it works, please weigh in on the bugzilla or 
at least on the list.  The patch was considered pretty esoteric and 
didn't justify yet another option in the code.  But if people need it 
and use it, we will of course reconsider.

Re: Smtp auth and trusted_networks

Posted by Giampaolo Tomassoni <gi...@tomassoni.biz>.
Il 2014-07-10 17:36 Nick I ha scritto:

> Hi
> 
> In the following example our mx received message with ESMTPSA from 
> 1.1.1.1 and that ip detected as trusted.
> Our trusted_networks list do not have this ip configured.
> 
> I need to run rbl check against 1.1.1.1.
> Is there any settings to not add authenticated host to trusted hosts ?
> 
> We use SpamAssassin version 3.3.1.

Your case is exactly what the patch in bug#6430 
(https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts 
to cover.

Unfortunately, that patch never went into any SA version, so you have to 
apply it by yourself if you really need to let your MX act as an MSA in 
case of authenticated submissions.

If you use amavis, there is another option: move mail submission to 
another instance of your smtp daemon and configure it to submit received 
(and authenticated) message to an amavis channel you prepared for 
outgoing mail.

Regards,

Giampaolo


> 
> Jul 10 14:27:34.275 [9780] dbg: received-header: parsed as [ ip=1.1.1.1 
> rdns=sender1.domain.com [1] helo=mail.domain.com [2] by=mx.domain.com 
> [3] ident= envfrom= intl=0 id= auth=ESMTPSA msa=0 ]
> Jul 10 14:27:34.275 [9780] dbg: received-header: relay 1.1.1.1 trusted? 
> yes internal? yes msa? no
> Jul 10 14:27:34.277 [9780] dbg: received-header: parsed as [ ip=2.2.2.2 
> rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 id= auth= 
> msa=0 ]
> Jul 10 14:27:34.277 [9780] dbg: received-header: relay 2.2.2.2 trusted? 
> no internal? no msa? no
> Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Trusted: [ 
> ip=1.1.1.1 rdns=sender1.domain.com [1] helo=mail.domain.com [2] 
> by=mx.domain.com [3] ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ]
> Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Untrusted: [ 
> ip=2.2.2.2 rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 
> id= auth= msa=0 ]
> Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Internal: [ 
> ip=1.1.1.1 rdns=sender1.domain.com [1] helo=mail.domain.com [2] 
> by=mx.domain.com [3] ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ]
> Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-External: [ 
> ip=2.2.2.2 rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 
> id= auth= msa=0 ]
> 
> Thanks.



Links:
------
[1] http://sender1.domain.com
[2] http://mail.domain.com
[3] http://mx.domain.com