Posted to users@spamassassin.apache.org by digitalsushi <mi...@iol.unh.edu> on 2007/06/20 15:47:22 UTC

a rule to allow authenticated users stopped working, unless run at user level

Greetings and salutations,

We use sendmail, spamassassin, and the spamass-milter at our site.  If a
user authenticates, we give them -100 spam points.  After a somewhat recent
update, we discovered our rule is not matched any longer.  The details:

Using
$ spamassassin --version
SpamAssassin version 3.2.1 (gentoo)
  running on Perl version 5.8.8

And previously 3.1.8

being run via spamass-milter configured in sendmail 8.14.0, we have in our
/etc/spamassassin/local.cf configuration:

header  LOCAL_AUTH_RCVD2        ALL =~ /(authenticated bits=0)/
score   LOCAL_AUTH_RCVD2        -100.0

spamd starts with: SPAMD_OPTS="-m 50 -c -H -u spamc"

If I send this email:
#start
From: xxx@iol.unh.edu
To: Mike Cross <mi...@io.iol.unh.edu>
Subject: test
Date: Tue, 19 Jun 2007 12:38:41 -0400
Return-Path: <xx...@iol.unh.edu>
Received: from [192.168.15.109] (c-24-61-193-245.hsd1.nh.comcast.net
[24.61.193.245])
        (authenticated bits=0)
        by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5JFE2AY006703
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <xx...@iol.unh.edu>; Tue, 19 Jun 2007 11:14:02 -0400
Message-ID: <46...@iol.unh.edu>
Date: Tue, 19 Jun 2007 11:14:04 -0400
From: xxx@iol.unh.edu
Reply-To:  xxx@iol.unh.edu
Organization: UNH-IOL
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To:  xxx@iol.unh.edu
Subject: spam test
Content-Type: multipart/mixed; boundary="----------=_4677F2BE.7E5AE742"
Content-Transfer-Encoding: 7bit
#end

through spamassassin as a user by running
spamassassin < test.email

then the lines in the configuration file are applied as they properly match
the "(authenticated bits=0)":

#start
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
postal.iol.unh.edu
X-Spam-Level: 
X-Spam-Status: No, score=-96.7 required=8.0 tests=ALL_TRUSTED,
        HEADER_COUNT_SUBJECT,INVALID_DATE,LOCAL_AUTH_RCVD2 autolearn=ham
version=3.2.1
From: xxx@iol.unh.edu
To: Mike Cross <mi...@io.iol.unh.edu>
Subject: test
Date: Tue, 19 Jun 2007 12:38:41 -0400
Return-Path: <xx...@iol.unh.edu>
Received: from [192.168.15.109] (c-24-61-193-245.hsd1.nh.comcast.net
[24.61.193.245])
        (authenticated bits=0)
        by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5JFE2AY006703
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <xx...@iol.unh.edu>; Tue, 19 Jun 2007 11:14:02 -0400
Message-ID: <46...@iol.unh.edu>
Date: Tue, 19 Jun 2007 11:14:04 -0400
From: xxx@iol.unh.edu
Reply-To:  xxx@iol.unh.edu
Organization: UNH-IOL
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To:  xxx@iol.unh.edu
Subject: spam test
Content-Type: multipart/mixed; boundary="----------=_4677F2BE.7E5AE742"
Content-Transfer-Encoding: 7bit
#end

The problem is that the configuration does not apply to emails sent through
the MTA.  If we try to match other components in that header, it works.

It was working globally in the previous iteration (I apologize, I don't know
which specific version of spamassassin this was).

I have a suspicion we're zoomed in too close to see what the issue is.  Any
hints?  If the method we're using to accomplish this requirement is stupid,
I'm listening... thanks folks!
-- 
View this message in context: http://www.nabble.com/a-rule-to-allow-authenticated-users-stopped-working%2C-unless-run-at-user-level-tf3952490.html#a11213738
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
digitalsushi wrote:
> I've changed my sendmail configuration to be more verbose about the
> authentication information.
> 
> To add to this, I've discovered that it can match any token in the Received:
> line that does NOT include an equals sign in it:

spamass-milter probably isn't checking the macros for or adding the auth 
and TLS lines.  I know older versions of spamass-milter didn't... I 
don't know if/when it was ever fixed.

Daryl


> Received: from [132.177.124.246] (doombox.iol.unh.edu [132.177.124.246])
>     (user=mikecrelay mech=PLAIN bits=0)
>     by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5KFMexj024714
>     (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
>     for <mi...@iol.unh.edu>; Wed, 20 Jun 2007 11:22:41 -0400
> 
> Examples that will not match:
> 
> user=mikecrelay
> mech=PLAIN
> bits=0
> version=TLSv1/SSLv3
> cipher=DHE-RSA-AES256-SHA
> bits=256 
> verify=NOT
> 
> Every other token matches my test filters ok.
> 
> 


Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by digitalsushi <mi...@iol.unh.edu>.
We figured it out.  Wanted to post something back for the next guy-

there's a patch for spamass-milter.  We simplified it down to always
allowing authenticated users.

in the spamass-milter 0.3.1 source code, in the file called
spamass-milter.cpp, search for a couple lines that look like

struct context *sctx = (struct context *)smfi_getpriv(ctx);
char *queueid;

directly after this, put

        if (smfi_getsymval(ctx, "{auth_type}") != NULL) {
                return SMFIS_ACCEPT;
        }

and save and recompile.  

But make sure you actually send the tokens to the milter!  In your
sendmail.mc file, make sure to define something like

define(`confMILTER_MACROS_ENVFROM', ``i, {auth_type}, {auth_authen},
{auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}'')dnl

or it won't even show up!

Thank you for the hints.  We wouldn't have figured it out without them.


Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 20 Jun 2007, digitalsushi wrote:

> header BLAH     Received =~ /blah/
> score  BLAH     -800.0
> 
> And it's not picking it up.  So I really have no idea what the
> pattern is.

N.B.: if you're using a plugin/milter to have the MTA pass messages to
SA during the SMTP phase (i.e. before they've actually been accepted
for delivery) then the plugin may not be adding the "local" received
header (maybe not in the format you expect, maybe not at all).

I'm not sure how you'd verify whether this is what is happening. 
You'll need to have a look at the documentation for the plugin/milter 
and perhaps contact its author. 

Someone else here may be able to provide more specific advice - I run
SA from procmail. :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  I would buy a Mac today if I was not working at Microsoft.
                          -- James Allchin, Microsoft VP of Platforms
-----------------------------------------------------------------------
 14 days until The 231st anniversary of the Declaration of Independence


Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by digitalsushi <mi...@iol.unh.edu>.
One last update and I'll shut up for a bit.

I've updated my server to make my Received headers look literally like this:

Received: from [132.177.124.246] (doombox.iol.unh.edu [132.177.124.246])
    (user=mikecrelay mech=PLAIN bits=0)
    blah
    by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5KFveCk000817
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <mi...@iol.unh.edu>; Wed, 20 Jun 2007 11:57:40 -0400

And I told spamassassin to match:

header BLAH     Received =~ /blah/
score  BLAH     -800.0

And it's not picking it up.  So I really have no idea what the pattern is.

thanks


Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by digitalsushi <mi...@iol.unh.edu>.
I've changed my sendmail configuration to be more verbose about the
authentication information.

To add to this, I've discovered that it can match any token in the Received:
line that does NOT include an equals sign in it:

Received: from [132.177.124.246] (doombox.iol.unh.edu [132.177.124.246])
    (user=mikecrelay mech=PLAIN bits=0)
    by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5KFMexj024714
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <mi...@iol.unh.edu>; Wed, 20 Jun 2007 11:22:41 -0400

Examples that will not match:

user=mikecrelay
mech=PLAIN
bits=0
version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA
bits=256 
verify=NOT

Every other token matches my test filters ok.




Re: a rule to allow authenticated users stopped working, unless run at user level

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 20 Jun 2007, digitalsushi wrote:

> header  LOCAL_AUTH_RCVD2        ALL =~ /(authenticated bits=0)/

That's vulnerable to forgery.

If you're checking Received headers this way to whitelist, you
*really* want to include your local hostname and/or IP information in 
the RE. That will make it much less spoofable.

> Received: from [192.168.15.109] (c-24-61-193-245.hsd1.nh.comcast.net
> [24.61.193.245])
>         (authenticated bits=0)
>         by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id l5JFE2AY006703
>         (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
>         for <xx...@iol.unh.edu>; Tue, 19 Jun 2007 11:14:02 -0400

e.g.:

  Received =~ /authenticated bits.+ by postal\.iol\.unh\.edu/

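
As an added illustration of John's forgery point, and of his earlier note that a milter sees the message before the local MTA has written its own Received header, here is example code written for this page (not from the thread, SpamAssassin or spamass-milter) that runs the posted ALL rule, John's anchored RE, and a stricter topmost-Received-only check over constructed messages. Python regexes stand in for SA rules; only the hostname postal.iol.unh.edu and the header shape come from the thread, every other host, address and queue id is a constructed placeholder, and the topmost-only check is an added hardening beyond the RE John posted.

```python
import re
from email import message_from_string

NAIVE = re.compile(r"authenticated bits=0")  # LOCAL_AUTH_RCVD2 as posted, applied to ALL headers
ANCHORED = re.compile(r"authenticated bits.+ by postal\.iol\.unh\.edu")  # John Hardin's RE

def unfold(value):  # join a folded header's continuation lines, as SpamAssassin does before matching
    return re.sub(r"\r?\n[ \t]+", " ", value)

def message(*received):  # constructed sample: given Received headers on top of a fixed body
    return "".join(r + "\n" for r in received) + "From: user@example.org\nSubject: test\n\nbody\n"

# Our MTA's Received header for an authenticated submission (shape from the thread; the
# client name, addresses and queue ids are constructed placeholders).
LOCAL_AUTH = ("Received: from [192.168.15.109] (client.example.net [203.0.113.5])\n"
              "        (authenticated bits=0)\n"
              "        by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id QUEUEID000001\n"
              "        for <user@example.org>; Tue, 19 Jun 2007 11:14:02 -0400")
# Our MTA receiving, unauthenticated, from a third-party relay ...
LOCAL_RELAY = ("Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
               "        by postal.iol.unh.edu (8.14.0/8.14.0) with ESMTP id QUEUEID000002\n"
               "        for <user@example.org>; Tue, 19 Jun 2007 11:20:00 -0400")
# ... whose own Received line records that relay's authenticated client.
REMOTE_AUTH = ("Received: from [10.0.0.5] (authenticated bits=0)\n"
               "        by mail.example.net (8.14.0/8.14.0) with ESMTP id QUEUEID000003")

DELIVERED = message(LOCAL_AUTH)                # as the message lands in a mailbox
AT_MILTER_TIME = message()                     # as a milter sees it during SMTP: no local Received yet
VIA_RELAY = message(LOCAL_RELAY, REMOTE_AUTH)  # legitimate mail that came through the relay

def naive_rule(raw):
    """The posted rule: the token anywhere in any header earns the -100."""
    return any(NAIVE.search(unfold(v)) for v in message_from_string(raw).values())

def anchored_rule(raw):
    """John Hardin's variant: the token must be followed by our own 'by' clause."""
    return any(ANCHORED.search(unfold(v)) for v in message_from_string(raw).get_all("Received", []))

def topmost_rule(raw, local_host="postal.iol.unh.edu"):
    """Added hardening: inspect only the first Received header (the one our MTA added last)
    and require both the auth token and our own hostname in it."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return False
    top = unfold(received[0])
    return "authenticated" in top and f" by {local_host} " in top

if __name__ == "__main__":
    for name, raw in [("delivered", DELIVERED), ("at milter time", AT_MILTER_TIME), ("via relay", VIA_RELAY)]:
        print(f"{name:15} naive={naive_rule(raw)} anchored={anchored_rule(raw)} topmost={topmost_rule(raw)}")
```

The milter-time message matches none of the three rules because the local Received header does not exist yet, and the relayed message shows why the unanchored ALL rule hands out the -100 for any authenticated session recorded by any hop.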