You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2019/07/05 06:53:01 UTC
[Bug 7731] New: Add external and msa metadata to RelayCountry
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Bug ID: 7731
Summary: Add external and msa metadata to RelayCountry
Product: Spamassassin
Version: 3.4.2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: apache@hege.li
Target Milestone: Undefined
Per users list discussion
David Jones wrote:
> Maybe allow the RelayCountry check to happen on the msa network or the
> first relay?
>
> Or something like trusted_countries that could provide a limit/boundary
> to the trust of trusted_networks?
>
> Compromised accounts often get abused from foreign/unusual countries. I
> have meta rules and DWL/DBL for emails combined with RelayCountry but
> these are useless in this situation.
Perhaps adding new datadata X-Relay-Countries-External would be enough, it
would check all external IPs (vs untrusted for the default
X-Relay-Countries). I think it could use useful in this and other
situations when there are lots of additional trusted networks.
Maybe also the X-Relay-Countries-MSA to check client IPs from msa_networks.
Might even make it to 3.4.3 if KAM wants to delay rc4 just a little bit more.
:-D
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
--- Comment #6 from Henrik Krohns <ap...@hege.li> ---
Hmm ok according to documentation, one should not use msa_networks on same as
internal/external border, since msa_networks should only ever accept
authenticated mail.
The question then is, should we perhaps rename this to
X-Relay-Countries-AuthMUA for even more clarity, and include everything from
first authenticated clients, regardless if msa_network is used or not.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@apache.org
--- Comment #3 from Kevin A. McGrail <km...@apache.org> ---
I'm +1 on adding it. Please make sure tests pass though as rc3 is performing
well though I'm going to broaden the testing of rc4 to users@ to increase
feedback.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
--- Comment #7 from Henrik Krohns <ap...@hege.li> ---
I might be committing this soon. X-Relay-Countries-Auth seems to be the most
clear setting for "MUA".
X-Relay-Countries _RELAYCOUNTRY_
All untrusted relays, this method has been used by default since early SA
versions.
X-Relay-Countries-External _RELAYCOUNTRYEXT_
All external relays. For checking countries exactly at the internal
border. Could be useful when there are many trusted/msa_networks
extending beyond the internal border.
X-Relay-Countries-All _RELAYCOUNTRYALL_
All possible relays (internal + external).
X-Relay-Countries-Auth _RELAYCOUNTRYAUTH_
Auth will contain everything starting from first the relay that used
authentication. For example, this could be used to check for hacked
local users coming in from unexpected countries.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #8 from Henrik Krohns <ap...@hege.li> ---
-MUA renamed to X-Relay-Countries-Auth and slight rewrite of documentation.
Sending spamassassin-3.4/UPGRADE
Sending spamassassin-3.4/lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
Sending trunk/UPGRADE
Sending trunk/lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
Transmitting file data ....done
Committing transaction...
Committed revision 1862620.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |---
Status|RESOLVED |REOPENED
--- Comment #5 from Henrik Krohns <ap...@hege.li> ---
Thinking about it more, I think we should add to MUA only if the MUA used
authentication.
It's possible and probably common that internal_networks and msa_networks are
the same. If we don't check for authentication, MUA will contain random relays
and that's not the spirit of what it's trying to do (checking what countries
authenticated users are coming from).
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Henrik Krohns <ap...@hege.li> ---
Tests are fine, just a small move of to code own function, otherwise there is
nothing except few new metadata headers.
Sending spamassassin-3.4/UPGRADE
Sending spamassassin-3.4/lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
Transmitting file data ..done
Committing transaction...
Committed revision 1862607.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |apache@hege.li
Target Milestone|Undefined |3.4.3
--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
Really trivial to implement. Any objections?
X-Relay-Countries - default starting from untrusted boundary
X-Relay-Countries-External - all starting from external boundary
X-Relay-Countries-MSA - all starting from msa boundary
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7731] [review] Add external and msa metadata to RelayCountry
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731
Henrik Krohns <ap...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Add external and msa |[review] Add external and
|metadata to RelayCountry |msa metadata to
| |RelayCountry
--- Comment #2 from Henrik Krohns <ap...@hege.li> ---
Probably MUA is better description for everything after MSA. I've also added
All, since why not (could be useful in some global multi-mta/msa cases).
I've committed this list to trunk. Please vote to commit to 3.4.3.
X-Relay-Countries _RELAYCOUNTRY_ all untrusted relays
X-Relay-Countries-External _RELAYCOUNTRYEXT_ all external relays
X-Relay-Countries-MUA _RELAYCOUNTRYMUA_ all relays after first MSA
X-Relay-Countries-All _RELAYCOUNTRYALL_ all relays
Sending trunk/UPGRADE
Sending trunk/lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
Transmitting file data ..done
Committing transaction...
Committed revision 1862595.
--
You are receiving this mail because:
You are the assignee for the bug.