Posted to users@spamassassin.apache.org by Rense Buijen <re...@chess.nl> on 2007/08/22 14:21:02 UTC
Email forwarding and RBL trouble
Hello all,
I have two mailservers, a primary and a secondary MX.
The primary MX is a spamassassin (3.2.3 on Ubuntu Linux) box that is
placed inline of a MS Exchange machine.
Spamassassin is doing a good job, especially with the RBL's I am using.
The backup MX is a simple EXIM which does only forwarding (to the
spamassassin box) without any spam control.
This setup should be simple yet effective, if the Pri MX dies, the
forwarder will hold all the mail and wait until the SA box is back up
and then send the queued mail to it. It will then be filtered again,
that way I don't have to sync whitelists, greylist databases and all my
rules to the second MX.
The problem now lies with the RBL's, when the SA box dies, the mail will
be queued on my Exim box and when service is restored, it will forward
it again BUT the last "Received from:" path will be of course the Exim
host IP. SA will then do a lookup on the wrong IP. Basically I want my
Exim box (second mx) to be invisible or need the headers to be rewritten
so Spamassassin does a correct lookup on the IP BEFORE it got to the SA.
I've heard about SRS, I don't know precisely if that will do the trick
for me, anyone has some more information, tips or tricks? It's rather
complex matter and I can't find any good documentation on how to solve
this problem.
Kind regards,
Rense
Re: Email forwarding and RBL trouble
Posted by Ben O'Hara <bo...@gmail.com>.
That's the one
Ben
On 8/22/07, Rense Buijen <re...@chess.nl> wrote:
>
> ...that's it? So it will skip the IP of the second MX and do an RBL check
> against the IP that delivered it to the second MX? COOL! I thought it
> would just ignore everything and pass on the mail.... Thanks!
>
> Ben O'Hara wrote:
> > On 8/22/07, *Rense Buijen* <rense.buijen@chess.nl
> > <ma...@chess.nl>> wrote:
> >
> > Hi Pawel,
> >
> > I don't think I can check the recipient, if it doesn't exist the
> > mailserver should send a normal bounce like every mailserver does,
> > right? So does the primary machine (Exchange), I don't see a
> > problem with that.
> >
> > Do you know if there is another good setup without having to sync
> > all my antispam stuff to my second MX? I would really just use
> > forwarding if that is possible. Can I not rewrite the last "Received"
> > header? That should work maybe?
> >
> >
> >
> > You don't have to, add your secondary mx to trusted_networks on the
> > primary and it will know the fact to do the RBL lookups on the host
> > that sent the mail to the secondary MX rather than the secondary mx
> > itself.
> >
> > Ben
> >
> > Kind regards,
> >
> > Rense
> >
> > Pawel Sasin wrote:
> > > Hi
> > >> I cannot utilize the trusted_networks settings because I cannot
> > >> trust the mail that my backup MX sends to me.
> > >>
> > >> The backup MX does NO filtering at all, it just accepts ALL
> > >> mail that has a certain destination domain and then forwards it
> > >> to the Primary MX where SA is running, SA is doing all the
> > >> filtering and white/black/grey-listing.
> > >>
> > >> When SA is down (the Pri MX), it will just hold it until it
> > >> gets back up. So basically all mail that comes from my second MX
> > >> should be checked for spam and virus, it has no capabilities of
> > >> its own. It's working like a charm were it not for my
> > >> black/white/grey-lists and the RBL's now all do lookups on the
> > >> last known IP which is my secondary MX.
> > >>
> > >> I don't think I am the first to utilize this method of
> > >> redundancy so I figured there must be a way, I just don't know
> > >> how :)
> > >> So please advise further, your (and everyone's) help is greatly
> > >> appreciated.
> > >
> > > SA checks all 'Received' headers against RBLs.
> > >
> > > If you add secondary MX to trusted_networks, SA will just skip the
> > > header from your exim and continue with the rest.
> > >
> > > But there is another problem with such config:
> > > 1. see the numbers here http://nolisting.org/
> > > 2. does your dumb exim (secondary mx) check if the recipient
> > > address exists?
> > >
> > > If not you will end up sending tons of bounce messages to innocent
> > > people from your secondary MX. Even if it does, your primary MX
> > > can refuse a spammy message and then you will be generating even
> > > more bounce messages. This is not acceptable and you will end up
> > > in some RBLs yourself.
> > >
> >
> >
> > --
> > Kind regards,
> >
> > Rense Buijen
> > Chess Service Management
> > Tel.: 023-5149250
> > Email: Servicedesk@chess.nl <ma...@chess.nl>
> >
> >
> >
> >
> > --
> > "A Scientist will earn a living by taking a really difficult problem
> > and spends many years solving it, an engineer earns a living by
> > finding really difficult problems and side stepping them"
>
>
> --
> Kind regards,
>
> Rense Buijen
> Chess Service Management
> Tel.: 023-5149250
> Email: Servicedesk@chess.nl
>
>
--
"A Scientist will earn a living by taking a really difficult problem and
spends many years solving it, an engineer earns a living by finding really
difficult problems and side stepping them"
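
A simplified model of the behaviour described in this thread, as an added example that is not part of any poster's message and is not SpamAssassin's own code: walk the Received headers newest-first, skip relays listed in trusted_networks, and build the DNSBL query for the first host outside that set. The hostnames, the documentation-range addresses and the zone `dnsbl.example` are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: Received headers as the primary MX (the SA box) sees them,
# newest first. 192.0.2.25 stands in for the backup MX and 203.0.113.77 for the
# outside host that delivered to it. All names and addresses are made up.
SAMPLE_RECEIVED = [
    "from backup-mx.example.org (backup-mx.example.org [192.0.2.25]) "
    "by primary-mx.example.org with ESMTP; Wed, 22 Aug 2007 14:05:11 +0200",
    "from sender.example.net (unknown [203.0.113.77]) "
    "by backup-mx.example.org with ESMTP; Wed, 22 Aug 2007 13:10:42 +0200",
    "from client.example.net (client.example.net [198.51.100.9]) "
    "by sender.example.net with SMTP; Wed, 22 Aug 2007 13:10:40 +0200",
]

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """Return the connecting IP recorded in the 'from' part of a Received header."""
    from_part = received.split(" by ", 1)[0]
    match = _IP_IN_BRACKETS.search(from_part)
    return ipaddress.ip_address(match.group(1)) if match else None


def untrusted_relays(received_headers, trusted_networks):
    """Walk headers newest-first, skip trusted relays, return the rest in order.

    Once one relay is untrusted, every older header is untrusted as well,
    because it was written by a host outside our control and may be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    result = []
    crossed_boundary = False
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            crossed_boundary = True  # unparseable header: stop trusting the chain
            continue
        if not crossed_boundary and any(ip in n for n in nets):
            continue  # our own relay (e.g. the backup MX): skip it
        crossed_boundary = True
        result.append(ip)
    return result


def dnsbl_query_name(ip, zone):
    """Build the DNS name for an IPv4 DNSBL lookup: reversed octets plus zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def last_external_query(received_headers, trusted_networks, zone):
    """DNSBL name for the first relay outside trusted_networks, or None."""
    relays = untrusted_relays(received_headers, trusted_networks)
    return dnsbl_query_name(relays[0], zone) if relays else None
```

With an empty trusted list the lookup lands on the backup MX itself, which is the symptom in the original post; listing the backup MX moves it to the host that connected to the backup MX.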
Re: Email forwarding and RBL trouble
Posted by Rense Buijen <re...@chess.nl>.
Hi Pawel,
I don't think I can check the recipient, if it doesn't exist the
mailserver should send a normal bounce like every mailserver does,
right? So does the primary machine (Exchange), I don't see a problem with
that.
Do you know if there is another good setup without having to sync all my
antispam stuff to my second MX? I would really just use forwarding if
that is possible. Can I not rewrite the last "Received" header? That
should work maybe?
Kind regards,
Rense
Pawel Sasin wrote:
> Hi
>> I cannot utilize the trusted_networks settings because I cannot trust
>> the mail that my backup MX sends to me.
>>
>> The backup MX does NO filtering at all, it just accepts ALL mail that
>> has a certain destination domain and then forwards it to the Primary
>> MX where SA is running, SA is doing all the filtering and
>> white/black/grey-listing.
>>
>> When SA is down (the Pri MX), it will just hold it until it gets back
>> up. So basically all mail that comes from my second MX should be
>> checked for spam and virus, it has no capabilities of its own. It's
>> working like a charm were it not for my black/white/grey-lists and
>> the RBL's now all do lookups on the last known IP which is my
>> secondary MX.
>>
>> I don't think I am the first to utilize this method of redundancy so
>> I figured there must be a way, I just don't know how :)
>> So please advise further, your (and everyone's) help is greatly
>> appreciated.
>
> SA checks all 'Received' headers against RBLs.
>
> If you add secondary MX to trusted_networks, SA will just skip the
> header from your exim and continue with the rest.
>
> But there is another problem with such config:
> 1. see the numbers here http://nolisting.org/
> 2. does your dumb exim (secondary mx) check if the recipient address
> exists?
>
> If not you will end up sending tons of bounce messages to innocent
> people from your secondary MX. Even if it does, your primary MX can
> refuse a spammy message and then you will be generating even more
> bounce messages. This is not acceptable and you will end up in some
> RBLs yourself.
>
--
Kind regards,
Rense Buijen
Chess Service Management
Tel.: 023-5149250
Email: Servicedesk@chess.nl
Re: Email forwarding and RBL trouble
Posted by Pawel Sasin <ps...@wp-sa.pl>.
Hi
> I cannot utilize the trusted_networks settings because I cannot trust
> the mail that my backup MX sends to me.
>
> The backup MX does NO filtering at all, it just accepts ALL mail that
> has a certain destination domain and then forwards it to the Primary
> MX where SA is running, SA is doing all the filtering and
> white/black/grey-listing.
>
> When SA is down (the Pri MX), it will just hold it until it gets back
> up. So basically all mail that comes from my second MX should be
> checked for spam and virus, it has no capabilities of its own. It's
> working like a charm were it not for my black/white/grey-lists and the
> RBL's now all do lookups on the last known IP which is my secondary MX.
>
> I don't think I am the first to utilize this method of redundancy so I
> figured there must be a way, I just don't know how :)
> So please advise further, your (and everyone's) help is greatly
> appreciated.
SA checks all 'Received' headers against RBLs.
If you add secondary MX to trusted_networks, SA will just skip the
header from your exim and continue with the rest.
But there is another problem with such config:
1. see the numbers here http://nolisting.org/
2. does your dumb exim (secondary mx) check if the recipient address exists?
If not you will end up sending tons of bounce messages to innocent
people from your secondary MX. Even if it does, your primary MX can
refuse a spammy message and then you will be generating even more bounce
messages. This is not acceptable and you will end up in some RBLs yourself.
--
p.
WIRTUALNA POLSKA SA, ul. Traugutta 115c, 80-226 Gdansk; NIP: 957-07-51-216;
District Court Gdansk-Polnoc, KRS 0000068548, share capital 62.880.024 zlotys (fully paid up)
Re: Email forwarding and RBL trouble
Posted by Rense Buijen <re...@chess.nl>.
Matthias,
The problem is that when the mail enters the backup MX, we don't know if
that mail is blacklisted at for instance spamcop.
So if the backup mx accepts the mail (because it's dumb and it will
accept it), and my primary mx (SA) has set the backup mx as trusted
network/source, the mail will be delivered while it should not have
been. You see the problem? SA cannot see if the mail that has been
forwarded by my backup MX is valid (black/whitelisted) or not because it
cannot check the IP against the RBL, it will lookup the wrong IP. And it
should do this because there is NO rbl checking on the backup MX itself...
Matthias Leisi wrote:
>
>
>
> Rense Buijen wrote:
>
>
>> Thank you for your (quick) reply.
>> I cannot utilize the trusted_networks settings because I cannot trust
>> the mail that my backup MX sends to me.
>>
>
> But your backup MX is "trusted" in the sense that it will not forge
> sender addresses, Received: lines etc. -- that's what trusted_networks
> basically implies.
>
> If trusted_networks etc are set correctly, SA will recognize your backup
> MX, and will not apply any RBL checks to its IP address. The
> Mail::SpamAssassin::Conf man-page has all the dirty details, including
> those of internal_networks.
>
>
>> The backup MX does NO filtering at all, it just accepts ALL mail that
>> has a certain destination domain and then forwards it to the Primary MX
>> where SA is running, SA is doing all the filtering and
>> white/black/grey-listing.
>>
>
> You should ensure that connections from your backup MX are not
> grey/blacklisted at the MTA level (don't know whether you're already
> doing it, but just to mention it...).
>
> - -- Matthias
>
>
--
Kind regards,
Rense Buijen
Chess Service Management
Tel.: 023-5149250
Email: Servicedesk@chess.nl
Re: Email forwarding and RBL trouble
Posted by Matthias Leisi <ma...@leisi.net>.
Rense Buijen wrote:
> Thank you for your (quick) reply.
> I cannot utilize the trusted_networks settings because I cannot trust
> the mail that my backup MX sends to me.
But your backup MX is "trusted" in the sense that it will not forge
sender addresses, Received: lines etc. -- that's what trusted_networks
basically implies.
If trusted_networks etc are set correctly, SA will recognize your backup
MX, and will not apply any RBL checks to its IP address. The
Mail::SpamAssassin::Conf man-page has all the dirty details, including
those of internal_networks.
> The backup MX does NO filtering at all, it just accepts ALL mail that
> has a certain destination domain and then forwards it to the Primary MX
> where SA is running, SA is doing all the filtering and
> white/black/grey-listing.
You should ensure that connections from your backup MX are not
grey/blacklisted at the MTA level (don't know whether you're already
doing it, but just to mention it...).
- -- Matthias
Re: Email forwarding and RBL trouble
Posted by Rense Buijen <re...@chess.nl>.
Hi Matthias,
Thank you for your (quick) reply.
I cannot utilize the trusted_networks settings because I cannot trust
the mail that my backup MX sends to me.
The backup MX does NO filtering at all, it just accepts ALL mail that
has a certain destination domain and then forwards it to the Primary MX
where SA is running, SA is doing all the filtering and
white/black/grey-listing.
When SA is down (the Pri MX), it will just hold it until it gets back
up. So basically all mail that comes from my second MX should be checked
for spam and virus, it has no capabilities of its own. It's working
like a charm were it not for my black/white/grey-lists and the RBL's now
all do lookups on the last known IP which is my secondary MX.
I don't think I am the first to utilize this method of redundancy so I
figured there must be a way, I just don't know how :)
So please advise further, your (and everyone's) help is greatly appreciated.
Kind regards,
Rense
Matthias Leisi wrote:
>
>
>
> Rense Buijen wrote:
>
>
>> The problem now lies with the RBL's, when the SA box dies, the mail will
>> be queued on my Exim box and when service is restored, it will forward
>> it again BUT the last "Received from:" path will be of course the Exim
>> host IP. SA will then do a lookup on the wrong IP. Basically I want my
>> Exim box (second mx) to be invisible or need the headers to be rewritten
>> so Spamassassin does a correct lookup on the IP BEFORE it got to the SA.
>>
>
> trusted_networks, internal_networks etc. will make sure that your "main"
> SA correctly recognises your backup box as trustworthy.
>
>
>> I've heard about SRS, I don't know precisely if that will do the trick
>> for me, anyone has some more information, tips or tricks? It's rather
>> complex matter and I can't find any good documentation on how to solve
>> this problem.
>>
>
> SRS is a completely different beast (basically it fixes forwarding which
> is partially broken by SPF). As long as you only have troubles with IP
> addresses, SRS would not solve any issue for you.
>
> - -- Matthias
>
>
>
--
Kind regards,
Rense Buijen
Chess Service Management
Tel.: 023-5149250
Email: Servicedesk@chess.nl
Re: Email forwarding and RBL trouble
Posted by Matthias Leisi <ma...@leisi.net>.
Rense Buijen wrote:
> The problem now lies with the RBL's, when the SA box dies, the mail will
> be queued on my Exim box and when service is restored, it will forward
> it again BUT the last "Received from:" path will be of course the Exim
> host IP. SA will then do a lookup on the wrong IP. Basically I want my
> Exim box (second mx) to be invisible or need the headers to be rewritten
> so Spamassassin does a correct lookup on the IP BEFORE it got to the SA.
trusted_networks, internal_networks etc. will make sure that your "main"
SA correctly recognises your backup box as trustworthy.
> I've heard about SRS, I don't know precisely if that will do the trick
> for me, anyone has some more information, tips or tricks? It's rather
> complex matter and I can't find any good documentation on how to solve
> this problem.
SRS is a completely different beast (basically it fixes forwarding which
is partially broken by SPF). As long as you only have troubles with IP
addresses, SRS would not solve any issue for you.
- -- Matthias