Posted to users@spamassassin.apache.org by Jason Voorhees <jv...@gmail.com> on 2016/08/31 19:13:41 UTC

How to exclude internal networks from DNS based checks?

Hello guys:

I'm an old spamassassin user but not an experienced one indeed. I have
a Zimbra server and a dedicated antispam with MailScanner like this:

Zimbra: 192.168.1.25
Antispam: 192.168.1.5

All incoming and outgoing mail traffic goes through my antispam box.
Well, I have already working DNS based checks like "skip_rbl_checks 0"
and/or "RDNS_NONE" working fine for external mail servers. However, I
don't know how to make an exclusion for my internal network
(192.168.1.0/24).

On my Antispam box this is what I tried to put in
/etc/mail/spamassassin/MailScanner.cf:

skip_rbl_checks 0
trusted_networks 127.0.0.1 192.168.1.0/24
internal_networks 192.168.1.25

I've configured a local named service on my antispam box to make sure
that 192.168.1.5 and 192.168.1.25 have a correct rDNS configuration
(in both directions). I even configured local resolution of those IPs
in /etc/hosts

However, I can see that SpamAssassin is still scoring all my outgoing
emails like this:

RDNS_NONE  0.97
RCVD_IN_BRBL_LASTEXT 1.45

How can I effectively avoid these kinds of DNS checks for my LAN?

Thanks in advance.

Re: How to exclude internal networks from DNS based checks?

Posted by RW <rw...@googlemail.com>.
On Wed, 31 Aug 2016 14:13:41 -0500
Jason Voorhees wrote:

> Hello guys:
> 
> I'm an old spamassassin user but not an experienced one indeed. I have
> a Zimbra server and a dedicated antispam with MailScanner like this:
> 
> Zimbra: 192.168.1.25
> Antispam: 192.168.1.5
> 
> All incoming and outgoing mail traffic goes through my antispam box.
> Well, I have already working DNS based checks like "skip_rbl_checks 0"
> and/or "RDNS_NONE" working fine for external mail servers. However, I
> don't know how to make an exclusion for my internal network
> (192.168.1.0/24).
> 
> On my Antispam box this is what I tried to put in
> /etc/mail/spamassassin/MailScanner.cf:
> 
> skip_rbl_checks 0
> trusted_networks 127.0.0.1 192.168.1.0/24
> internal_networks 192.168.1.25

Since these are non-public you shouldn't need to define either. I'm
assuming here that the strange way you've split the addresses between
internal and trusted is simply a mistake rather than something subtle.


> I've configured a local named service on my antispam box to make sure
> that 192.168.1.5 and 192.168.1.25 have a correct rDNS configuration
> (in both directions). I even configured local resolution of those IPs
> in /etc/hosts

That shouldn't be needed.

> However, I can see that SpamAssassin is still scoring all my outgoing
> emails like this:

Do you actually mean it's scoring all your outgoing mail, or does this
happen when you send yourself emails? We need to see some headers, and
preferably from an email that's received by a different mail system. 

It would also help to know which IP address caused
RCVD_IN_BRBL_LASTEXT, e.g. by putting X-Spam-Report on all mail. I'd be
surprised if it's actually a private IP address as you've implied.  
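
Added example (not part of any poster's message, and not SpamAssassin's own code): a simplified Python model of how the trusted/internal split in the posted config decides which relay counts as "last external", the relay that RDNS_NONE and RCVD_IN_BRBL_LASTEXT look at. The relay chains, client addresses and function names are constructed; authentication and msa_networks are ignored, and skipping DNSBL lookups for private addresses is an assumption of the model.

```python
import ipaddress

# Private/loopback ranges; the model assumes DNSBL lookups skip these.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_nets(value):
    """Parse a trusted_networks/internal_networks style value."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def contains(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def last_external(relays, trusted, internal=None):
    """relays: newest-first (ip, rdns) pairs from the Received headers.
    Returns the first relay that falls outside the internal chain, or None."""
    trusted_nets = parse_nets(trusted)
    # internal_networks unset: it takes the value of trusted_networks.
    internal_nets = parse_nets(internal) if internal else trusted_nets
    in_trusted = True
    for ip, rdns in relays:
        in_trusted = in_trusted and contains(trusted_nets, ip)
        if not (in_trusted and contains(internal_nets, ip)):
            return {"ip": ip, "rdns": rdns}
    return None

def checks_on(relay):
    """Which of the two rules from the thread get something to test."""
    if relay is None:
        return {"rdns_none": False, "dnsbl_lookup": False}
    return {"rdns_none": relay["rdns"] == "",
            "dnsbl_lookup": not contains(PRIVATE, relay["ip"])}

# Constructed relay chains as seen on the antispam box (192.168.1.5).
LAN_CLIENT = [("192.168.1.25", "zimbra.example.lan"), ("192.168.1.50", "")]
ROAMING_CLIENT = [("192.168.1.25", "zimbra.example.lan"), ("203.0.113.7", "")]

TRUSTED = "127.0.0.1 192.168.1.0/24"   # from the original post
INTERNAL = "192.168.1.25"              # from the original post

if __name__ == "__main__":
    for name, chain in (("LAN", LAN_CLIENT), ("roaming", ROAMING_CLIENT)):
        for internal in (INTERNAL, None):
            ext = last_external(chain, TRUSTED, internal)
            print(name, "internal=" + str(internal), ext, checks_on(ext))
```

In this model a LAN client is treated as external only because internal_networks lists the Zimbra host alone, while a client on a public address is external under either setting and is the only one that gives a DNSBL rule an address to look up.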

Re: How to exclude internal networks from DNS based checks?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 31.08.16 14:13, Jason Voorhees wrote:
>I'm an old spamassassin user but not an experienced one indeed. I have
>a Zimbra server and a dedicated antispam with MailScanner like this:
>
>Zimbra: 192.168.1.25
>Antispam: 192.168.1.5
>
>All incoming and outgoing mail traffic goes through my antispam box.
>Well, I have already working DNS based checks like "skip_rbl_checks 0"
>and/or "RDNS_NONE" working fine for external mail servers. However, I
>don't know how to make an exclusion for my internal network
>(192.168.1.0/24).
>
>On my Antispam box this is what I tried to put in
>/etc/mail/spamassassin/MailScanner.cf:
>
>skip_rbl_checks 0
>trusted_networks 127.0.0.1 192.168.1.0/24
>internal_networks 192.168.1.25
>
>I've configured a local named service on my antispam box to make sure
>that 192.168.1.5 and 192.168.1.25 have a correct rDNS configuration
>(in both directions). I even configured local resolution of those IPs
>in /etc/hosts
>
>However, I can see that SpamAssassin is still scoring all my outgoing
>emails like this:
>
>RDNS_NONE  0.97
>RCVD_IN_BRBL_LASTEXT 1.45
>
>How can I effectively avoid these kinds of DNS checks for my LAN?

RDNS_NONE may hit because of an SMTP client sending mail through Zimbra.
Do they use authentication?

Could you provide us the (text version) of mail headers?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: How to exclude internal networks from DNS based checks?

Posted by David Jones <dj...@ena.com>.
>From: Jason Voorhees <jv...@gmail.com>
  
>Hello guys:

>I'm an old spamassassin user but not an experienced one indeed. I have
>a Zimbra server and a dedicated antispam with MailScanner like this:

>Zimbra: 192.168.1.25
>Antispam: 192.168.1.5

>All incoming and outgoing mail traffic goes through my antispam box.
>Well, I have already working DNS based checks like "skip_rbl_checks 0"
>and/or "RDNS_NONE" working fine for external mail servers. However, I
>don't know how to make an exclusion for my internal network
>(192.168.1.0/24).

>On my Antispam box this is what I tried to put in
>/etc/mail/spamassassin/MailScanner.cf:

>skip_rbl_checks 0
>trusted_networks 127.0.0.1 192.168.1.0/24
>internal_networks 192.168.1.25

>I've configured a local named service on my antispam box to make sure
>that 192.168.1.5 and 192.168.1.25 have a correct rDNS configuration
>(in both directions). I even configured local resolution of those IPs
>in /etc/hosts

>However, I can see that SpamAssassin is still scoring all my outgoing
>emails like this:

>RDNS_NONE  0.97
>RCVD_IN_BRBL_LASTEXT 1.45

>How can I effectively avoid these kinds of DNS checks for my LAN?

>Thanks in advance.
  
I would need to see the actual headers, sanitized is fine, with the real public
IPs to give an accurate answer.

In general, edge mail servers, like your MailScanner server, should have
public IPs native on them.  If you have it NAT'd then you will need to make
sure it's a two-way or dedicated one-to-one NAT so traffic initiated from
your server actually shows up as the same IP of the inbound NAT.

I have found a lot of people that don't realize this NAT issue which will
give your mail server two identities essentially meaning you will never be
able to get the FCrDNS to completely match up with the SMTP HELO.

Go to http://whatismyip.com from your MailScanner server and make
sure that IP shows up the same as the inbound NAT IP.  Then put that IP
into http://multirbl.valli.org/ and make sure the top FCrDNS section is
green.  While you are there, make sure your IP is not listed on RBLs and
that the senderscore.org score is above 90.

P.S.  trusted_networks and internal_networks are very important to
set up correctly.  trusted_networks usually contains your
internal_networks plus other networks one hop away that you want to skip
some checks and trust a little more.  If you relay for other networks
then they should be in the trusted_networks so the last-external
checks will work like you want.

Dave
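
Added example (not part of the post above): a Python check for the NAT situation described in that message, comparing the inbound address with the address outbound mail leaves from and confirming FCrDNS and the HELO name for the outbound one. The host name, the 198.51.100.x addresses, the sample zone data and all function names are constructed; by default the lookups use the system resolver.

```python
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] when there are none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def system_a(name):
    """IPv4 addresses for name from the system resolver ([] on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def fcrdns(ip, helo, ptr=system_ptr, fwd=system_a):
    """Forward-confirmed reverse DNS: keep PTR names that resolve back to ip."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    confirmed = [n for n in names if ip in fwd(n)]
    return {"ip": ip, "ptr": names, "confirmed": confirmed,
            "fcrdns_ok": bool(confirmed),
            "helo_matches": helo.rstrip(".").lower() in confirmed}

def nat_identity_report(inbound_ip, outbound_ip, helo,
                        ptr=system_ptr, fwd=system_a):
    """Check the outbound address and whether it equals the inbound one."""
    report = fcrdns(outbound_ip, helo, ptr, fwd)
    report["same_identity"] = inbound_ip == outbound_ip
    report["consistent"] = (report["same_identity"] and report["fcrdns_ok"]
                            and report["helo_matches"])
    return report

# Constructed zone data so the example runs offline.
SAMPLE_PTR = {"198.51.100.10": ["mail.example.org."]}
SAMPLE_A = {"mail.example.org": ["198.51.100.10"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for out_ip in ("198.51.100.10", "198.51.100.200"):
        print(nat_identity_report("198.51.100.10", out_ip,
                                  "mail.example.org", sample_ptr, sample_a))
```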