Posted to users@spamassassin.apache.org by Reindl Harald <h....@thelounge.net> on 2016/05/24 17:11:05 UTC

Re: Odd results when using whitelisting


On 24.05.2016 at 18:49, Nick Howitt wrote:
> Hi,
> I'm using SpamAssassin v3.3.1-3 on ClearOS 6.7 (a CentOS derivative) and
> I believe it is invoked by amavis-new. I have a whitelist line in local.cf:
>
>     whitelist_from *@avivaemail.co.uk @m.avivaemail.co.uk *@tomtom.com
>     *@dpd.co.uk *@clearos.com *@peacocks-mail.com

most of them have SPF, others maybe DKIM or both

so don't use "whitelist_from" which opens the door for forging senders 
and completely bypasses your filter for no good reason

just use "whitelist_auth" instead

> In e-mail headers from clearos.com I get the following:

dunno about your issue, maybe amavisd is part of it
URIBL_BLOCKED - you really really should fix that

it harms your results massively since you mostly get no responses from 
DNSBL, DNSL and also the builtin DNSWL which are in place to reduce false 
positives

http://uribl.com/refused.shtml

*never* use a forwarding/ISP nameserver for an inbound MX

> This looks OK with the X-Spam entries.
>
> From peacocks-mail.com I get:
>
> In this case there are no X-Spam entries, as if whitelisting completely
> bypasses spamassassin but both go through amavisd-new. Can you help me
> understand what is happening?


Re: Odd results when using whitelisting

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 2016-05-24 21:40, Nick Howitt wrote:
>> Ok, but how does it help me? From what I've read it seems dnsmasq can
>>only do recursion. If I keep dnsmasq then I would need to point it to
>>another iterative DNS resolver running on my box such as PowerDNS or
>>BIND rather than to OpenDNS or have I misunderstood? Is there
>>something simple I can do with dnsmasq or OpenDNS?

Nick, you would do some of us (at least me) a favor, if you used plaintext
mail, not html to mailing lists.

On 24.05.16 22:28, Benny Pedersen wrote:
>all you need to make sure is that if you have dnsmasq you only miss 
>one single change
>
>/etc/resolv.conf
>nameserver 127.0.0.1
>
>that's all, make sure it does not change on boot

it's apparently configured like that.

The problem is that dnsmasq forwards to upstream DNS server(s), which is
(are) most probably blacklisted.

Simply said, for spam filtering you need own recursive DNS server, and ISP
that allows you to use it, and doesn't redirect DNS traffic to its servers.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines. 

Re: Odd results when using whitelisting

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-05-24 22:33, Nick Howitt wrote:

>> /etc/resolv.conf
>> nameserver 127.0.0.1
>> 
>> that's all, make sure it does not change on boot
>  I've already got it (but the man page says it ignores it!) but then
> I've got OpenDNS after.

one more fail then, you must not use opendns

else you will see uribl_blocked

dnsmasq must not have forwarding dns servers either

Re: Odd results when using whitelisting

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-05-24 21:40, Nick Howitt wrote:

>  Ok, but how does it help me? From what I've read it seems dnsmasq can
> only do recursion. If I keep dnsmasq then I would need to point it to
> another iterative DNS resolver running on my box such as PowerDNS or
> BIND rather than to OpenDNS or have I misunderstood? Is there
> something simple I can do with dnsmasq or OpenDNS?

all you need to make sure is that if you have dnsmasq you only miss one 
single change

/etc/resolv.conf
nameserver 127.0.0.1

that's all, make sure it does not change on boot

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 24.05.2016 at 21:44, Reindl Harald wrote:
>
>
> On 24.05.2016 at 21:40, Nick Howitt wrote:
>> On 24/05/2016 19:11, Reindl Harald wrote:
>>>
>>> On 24.05.2016 at 20:05, Nick Howitt wrote:
>>>>> http://uribl.com/refused.shtml
>>>> Thanks for the link. I use OpenDNS and it looks like it is being
>>>> blocked. My mailserver is my gateway and only runs dnsmasq rather than
>>>> bind and I am only a home user, so, from your link, I fall under the
>>>> low
>>>> volume user section. Is there anything reasonable I can do?
>>>
>>> when your dnsmasq forwards queries to any other dns server instead of
>>> doing recursion itself, the server you ask is contacting the rbl and
>>> *any other* user using the same dns-server raises the count
>>>
>>> the RBL server will *never* see your IP and can't distinguish between you
>>> and other users
>>>
>>>>> *never* use a forwarding/ISP nameserver for an inbound MX
>>>> If I understand you, I don't. I have my own domain and my mx record
>>>> points to my dyndns FQDN
>>>
>>> if your dnsmasq forwards to OpenDNS you do
>>>
>>> http://www.windowsnetworking.com/articles-tutorials/netgeneral/Understanding-DNS-Recursion.html
>>>
>>>
>> Ok, but how does it help me? From what I've read it seems dnsmasq can
>> only do recursion. If I keep dnsmasq then I would need to point it to
>> another iterative DNS resolver running on my box such as PowerDNS or
>> BIND rather than to OpenDNS or have I misunderstood? Is there something
>> simple I can do with dnamasq or OpenDNS?
>
> no idea why you insist in dnsmasq and especially opendns
> a unbound or bind default setup does recursion
> __________________________________
>
> "dnsmasq can only do recursion" - jesus NO - when you did something like
> below it is a forwarding server - just try to UNDERSTAND the link above
> explaining WHAT dns-recursion is - IT IS NOT "use a specific nameserver
> like below for resolving"
> __________________________________
>

https://en.wikipedia.org/wiki/OpenDNS#Discontinued_advertising

regardless of whether they do it now (as far as i can see) THIS IS 
NOTHING a dns provider ever should do and it BREAKS MAIL HEAVILY because of 
missing NXDOMAIN responses

opendns has NOTHING to do with "open" or "opensource"

OpenDNS is a company and service which extends the Domain Name System 
(DNS) by adding features such as phishing protection and optional 
content filtering to traditional recursive DNS services

THIS IS NOT FOR INBOUND MAILSERVERS
THIS IS NOT RECURSION
THIS BREAKS SPAMFILTERING
https://en.wikipedia.org/wiki/OpenDNS#Name_Server_IP_Addresses


Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 24.05.2016 at 22:30, Benny Pedersen wrote:
> On 2016-05-24 21:44, Reindl Harald wrote:
>
>> no-resolv
>> strict-order
>> server=208.67.222.222
>> server=208.67.222.220
>
> will fail with uribl.com and others

tell me something new or why do you think i did put the headline "THAT 
IS A BULLSHIT SETUP ON A INBOUND-MX" before?


Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 24.05.2016 at 22:34, Nick Howitt wrote:
> On 24/05/2016 21:30, Benny Pedersen wrote:
>>
>> On 2016-05-24 21:44, Reindl Harald wrote:
>>
>>> no-resolv
>>> strict-order
>>> server=208.67.222.222
>>> server=208.67.222.220
>>
>> will fail with uribl.com and others
> Oh bunk :-(

i explained many times *why* this is wrong and that you need to 
learn what dns-recursion is and why it is needed - if it's still unclear 
after my previous mail i would recommend refraining from running a 
mailserver - seriously




Re: Odd results when using whitelisting

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-05-24 21:44, Reindl Harald wrote:

> no-resolv
> strict-order
> server=208.67.222.222
> server=208.67.222.220

will fail with uribl.com and others

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 26.05.2016 at 14:19, Nick Howitt wrote:
> I'm finding it hard here. I am using a preconfigured distro where Postfix,
> amavis and SA are all supplied as a working set up, as is dnsmasq. There
> is no expectation that the users need to "go under the hood" to fix or
> change things. In my case I've tinkered a lot with the distro, a bit
> with the postfix set up to harden it further and I've tightened up on
> dnsmasq, but I've never learnt about amavis or SA. It is like when you
> buy a car, you expect it to work. If the fuel injection fails and you
> look at it, it does not then mean you are an expert at gearbox problems.
> Sadly, it seems here you have to be an expert at everything before you
> are allowed to post.

no, instead of contradicting multiple times by *continuing to pretend* 
your machine doesn't do dns-forwarding when everybody with the slightest 
clue knows for sure it does, it would have been enough to say "thank you", 
do your homework and use google to solve it; well, to be honest, a start 
would have been to just *read* the links i posted which explain some 
basics - impossible that you have read and understood some of them in the 
time before you responded with "how does that help me"

the other option would have been going to the fools of the distribution 
which makes dnsmasq part of a setup containing Amavis/SpamAssassin, point 
them to the problem and expect them to solve it while considering a switch 
to something tied together by clueless people

what was the lesson: don't trust preconfigured crap, it's not better 
than a random commercial blackbox


Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.

On 26/05/2016 13:19, Nick Howitt wrote:
>
>
>>  OK, I've been heavily shot at for my set up which is totally
>> irrelevant to the question I posed and not a pleasant experience. Is
>> there any possibility of some help with the problem I posted about?
>>
>> Matus snuck in the most likely answer a while back - message size.
>>
>> In Amavis it looks as if the relevant option is:
>>
>> $sa_mail_body_size_limit
>>
>> I don't use Amavis so can't comment much but I believe that would be
>> the relevant setting to change. Google suggests that it may be as low
>> as 200kb. SpamAssassin defaults to 500kb. Of course you may still get
>> messages over that size. I use FuGlu to connect SA and that leaves a
>> handy message telling me scanning was skipped due to message size. You
>> don't have that but as you have no SA headers at all in the sample you
>> posted I'd assume it never got scanned and message size is the most
>> common culprit.
>>
> Hi Kevin,
>
> Thanks for that. I guess I missed the reply while I was being flamed 
> for not knowing everything about everything and not running my own DNS 
> resolver.
> I'll check that when I get home but I doubt it is the setting. The 
> message size was only about 39kB in total and bigger messages are 
> being scanned successfully.
>
Now at home, my $sa_mail_body_size_limit is set to 500*1024 which seems 
an odd way of going about things but looks like it is valid. All my 
peacocks-mail.com messages have been less than 80kB.

I'm going to see if I can get a test case with a debug log so I can post 
to amavis's list. Unfortunately what was my known test case passed 
through SA fine today so I need to find another reliable one.

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.
On 30.05.2016 at 16:35, Nick Howitt wrote:
> Just for a bit of closure, it looks like when you use amavisd-new with
> SA, it is amavisd-new and not SA which is adding the X-Spam headers. In
> /etc/amavisd/api.conf there is a parameter, $sa_tag_level_deflt,
> defaulted to -99, below which no X-Spam headers are set. If you
> whitelist, you start at -100. So, if the rest of the tests total to less
> than 1, you will not get an X-Spam header. This can be confirmed by
> playing around with this parameter and by upping the amavisd log level
> so you can see the results of all the spam tests for each e-mail even if
> it does not get the X-Spam headers.

well, the next time save us from your arrogance like below and accept 
that people with knowledge know what they are talking about, 
because otherwise you wouldn't need to ask :-)

On 26.05.2016 at 12:22, Nick Howitt wrote:
> On 2016-05-26 10:08, Reindl Harald wrote:
>> like above with the SA-setting *you do not read* what others are
>> answering - you are likely on the wrong mailing-list because you are
>> running *AMAVIS* which is not a pure spamassassin and can skip SA
>> based on several settings
> I get the drift. SA is perfect and has no bugs
> so it is not worth doing any diagnostics. The
> people on the amavis lists will acknowledge this
> and assume, therefore, that it is their product
> causing the issue. There is no chance that the
> amavis people will say it is an SA issue

> On 26/05/2016 07:17, Nick Howitt wrote:
>>
>> On 26/05/2016 00:29, Reindl Harald wrote:
>>>
>>> On 25.05.2016 at 21:58, Nick Howitt wrote:
>>>>> and what is the problem run a local unbound on port 1053 and just add
>>>>> "dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks
>>>>> he is capable to run his own servers?
>>>> I've tried looking and failed. Any chance of pointing me to where this
>>>> is documented?
>>>
>>> seriously?
>>>
>>> unbound.conf:
>>>  interface: 127.0.0.1
>>>  port: 1053
>>>
>>> /etc/mail/spamassassin/local.cf:
>>> dns_server [127.0.0.1]:1053
>>>
>>> https://www.google.com/search?q=unbound.conf
>>> https://www.google.com/search?q=spamassassin+dns_server
>>>
>> Seriously, yes. I'd found and set up unbound OK, if you'd read another
>> of my posts. I had not found it for SA. Not good searching, but I had
>> not - and I'd tried a few of the links on google and some man pages.
>>
>> OK, I've been heavily shot at for my set up which is totally
>> irrelevant to the question I posed and not a pleasant experience. Is
>> there any possibility of some help with the problem I posted about?


Re: Odd results when using whitelisting

Posted by Bowie Bailey <Bo...@BUC.com>.
On 5/30/2016 10:35 AM, Nick Howitt wrote:
> Just for a bit of closure, it looks like when you use amavisd-new with 
> SA, it is amavisd-new and not SA which is adding the X-Spam headers. 
> In /etc/amavisd/api.conf there is a parameter, $sa_tag_level_deflt, 
> defaulted to -99, below which no X-Spam headers are set. If you 
> whitelist, you start at -100. So, if the rest of the tests total to 
> less than 1, you will not get an X-Spam header. This can be confirmed 
> by playing around with this parameter and by upping the amavisd log 
> level so you can see the results of all the spam tests for each e-mail 
> even if it does not get the X-Spam headers.

Amavisd-new only uses SA to generate a score for the message.  It has 
its own settings for tagging and rejection thresholds, writes its own 
headers, and can mark a message as spam/ham or reject it based on its 
own whitelists, blacklists, and many other settings.

The bottom line is this: If you have a problem with the actual score 
being generated, look at SA.  If you have a problem with the header 
markup or with messages being rejected or let through without scanning, 
look at Amavisd.

-- 
Bowie

Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.
Just for a bit of closure, it looks like when you use amavisd-new with 
SA, it is amavisd-new and not SA which is adding the X-Spam headers. In 
/etc/amavisd/api.conf there is a parameter, $sa_tag_level_deflt, 
defaulted to -99, below which no X-Spam headers are set. If you 
whitelist, you start at -100. So, if the rest of the tests total to less 
than 1, you will not get an X-Spam header. This can be confirmed by 
playing around with this parameter and by upping the amavisd log level 
so you can see the results of all the spam tests for each e-mail even if 
it does not get the X-Spam headers.

Nick

On 26/05/2016 07:17, Nick Howitt wrote:
>
>
> On 26/05/2016 00:29, Reindl Harald wrote:
>>
>>
>> On 25.05.2016 at 21:58, Nick Howitt wrote:
>>>> and what is the problem run a local unbound on port 1053 and just add
>>>> "dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks
>>>> he is capable to run his own servers?
>>> I've tried looking and failed. Any chance of pointing me to where this
>>> is documented?
>>
>> seriously?
>>
>> unbound.conf:
>>  interface: 127.0.0.1
>>  port: 1053
>>
>> /etc/mail/spamassassin/local.cf:
>> dns_server [127.0.0.1]:1053
>>
>> https://www.google.com/search?q=unbound.conf
>> https://www.google.com/search?q=spamassassin+dns_server
>>
> Seriously, yes. I'd found and set up unbound OK, if you'd read another 
> of my posts. I had not found it for SA. Not good searching, but I had 
> not - and I'd tried a few of the links on google and some man pages.
>
> OK, I've been heavily shot at for my set up which is totally 
> irrelevant to the question I posed and not a pleasant experience. Is 
> there any possibility of some help with the problem I posted about?
>
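The decision Nick's closure and Bowie's reply describe (amavisd, not SA, decides whether X-Spam headers appear; a whitelisted message starts at -100 and is not tagged below $sa_tag_level_deflt = -99; a body over $sa_mail_body_size_limit never reaches SA), as an added Python model that is not amavisd-new's or SpamAssassin's own code. The header format and the rule names in the sample are constructed assumptions.

```python
"""Constructed model of amavisd-new's tagging decision as described in the
thread; illustration code, not amavisd-new's or SpamAssassin's own.

Assumptions (labelled): USER_IN_WHITELIST contributes -100 (per the thread);
$sa_tag_level_deflt defaults to -99 (per the thread); messages above
$sa_mail_body_size_limit (500*1024 here, per the thread) are not handed to
SA at all. Header names/format are approximations, not amavisd's exact output.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SA_TAG_LEVEL_DEFLT = -99.0            # amavisd: below this, no X-Spam headers
SA_MAIL_BODY_SIZE_LIMIT = 500 * 1024  # amavisd: larger bodies skip SA
WHITELIST_SCORE = -100.0              # SA USER_IN_WHITELIST, per the thread


@dataclass
class Verdict:
    scanned: bool             # did SA run at all?
    score: Optional[float]    # total SA score, None if not scanned
    headers: Dict[str, str]   # X-Spam-* headers amavisd would add
    reason: str               # why headers are present or missing


def amavisd_decide(size_bytes: int, rule_scores: Dict[str, float],
                   whitelisted: bool,
                   tag_level: float = SA_TAG_LEVEL_DEFLT,
                   size_limit: int = SA_MAIL_BODY_SIZE_LIMIT) -> Verdict:
    """Return what amavisd would do with one message under this model."""
    # Cause 1 (Kevin's suggestion in the thread): body too large, SA never called.
    if size_bytes > size_limit:
        return Verdict(False, None, {},
                       "SA skipped: body exceeds $sa_mail_body_size_limit")
    tests = dict(rule_scores)
    if whitelisted:
        tests["USER_IN_WHITELIST"] = WHITELIST_SCORE
    score = round(sum(tests.values()), 3)
    # Cause 2 (Nick's closure): scanned, but total below $sa_tag_level_deflt.
    if score < tag_level:
        return Verdict(True, score, {},
                       "scanned, but score below $sa_tag_level_deflt: "
                       "amavisd adds no X-Spam headers")
    hits = ",".join(sorted(tests))
    headers = {
        "X-Spam-Score": f"{score}",
        "X-Spam-Status": f"score={score} tagged_above={tag_level} tests=[{hits}]",
    }
    return Verdict(True, score, headers, "scanned and tagged")


def diagnose_missing_headers(size_bytes: int, rule_scores: Dict[str, float],
                             whitelisted: bool) -> str:
    """One-line explanation to check against amavisd's log at a higher log level."""
    v = amavisd_decide(size_bytes, rule_scores, whitelisted)
    if v.headers:
        return "headers expected; look at other amavisd bypass settings"
    return v.reason


# Constructed sample: a ~39 kB whitelisted message whose other rules sum to 0.5
# (rule names are constructed for the illustration).
SAMPLE = dict(size_bytes=39 * 1024,
              rule_scores={"HTML_MESSAGE": 0.001, "CONSTRUCTED_RULE": 0.499},
              whitelisted=True)

if __name__ == "__main__":
    print(diagnose_missing_headers(**SAMPLE))
```

Raising the rules to total 1.0 or more, or lowering $sa_tag_level_deflt to -100, makes the headers reappear, which is the experiment Nick describes.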


Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 26.05.2016 at 12:22, Nick Howitt wrote:
> On 2016-05-26 10:08, Reindl Harald wrote:
>> how often were you asked to stop posting HTML mails?
>> and yes, rules are made by people asked for help
>>
> I try

lol - so you don't see the message you compose before hit "send"?

> but I use multiple machines and don't always remember which I've
> set explicitly to use plain text.

what's the purpose of a HTML mail in general when you don't format anything?

> Please don't treat me like a numpty. I am not. Head over to the ClearOS
> forums and look for nickh and see how I respond to all sorts of people
> from beginners upwards asking for help.

given how many mails from several people it took until you understood 
basics like dns-recursion while *pretending* you are not forwarding......

given how helpless you act in case of basic configurations where you even 
get posted the needed config lines you just need to paste into your 
config file - and *seriously* when you don't know where the config 
files for your mail services are, give up running your own mailserver 
because i don't want to know which other mistakes you make or already 
made on an internet facing machine

mailservers are not something to be configured by everybody and his brother

>> like above with the SA-setting *you do not read* what others are
>> answering - you are likely on the wrong mailing-list because you are
>> running *AMAVIS* which is not a pure spamassassin and can skip SA
>> based on several settings
> I get the drift. SA is perfect and has no bugs

childish polemic

> so it is not worth doing
> any diagnostics.

damned when there are no SA headers then SA was not called and why it 
was not called depends on the glue (amavis in your case)

> The people on the amavis lists will acknowledge this
> and assume, therefore, that it is their product causing the issue. There
> is no chance that the amavis people will say it is an SA issue

when SA is not called at all it's not an SA issue; it's most likely 
a *configuration issue* and not a bug at all, not in SA and not in 
amavis but somewhere in your or the clearos configuration


Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.

On 2016-05-26 10:08, Reindl Harald wrote:
> how often were you asked to stop posting HTML mails?
> and yes, rules are made by people asked for help
> 
I try, but I use multiple machines and don't always remember which I've 
set explicitly to use plain text. In theory I've set up something in the 
shared address book which should have forced plain text on all machines 
I use. There must be another setting interfering with it or something 
else, but it is something I have to investigate. I can only do that when 
it is pointed out that it is not working. Thanks for pointing it out.

Please don't treat me like a numpty. I am not. Head over to the ClearOS 
forums and look for nickh and see how I respond to all sorts of people 
from beginners upwards asking for help.

> On 26.05.2016 at 08:17, Nick Howitt wrote:
>> On 26/05/2016 00:29, Reindl Harald wrote:
>>> 
>>> On 25.05.2016 at 21:58, Nick Howitt wrote:
>>>>> and what is the problem run a local unbound on port 1053 and just 
>>>>> add
>>>>> "dns_server [127.0.0.1]:1053" to your SA-configuration when one 
>>>>> thinks
>>>>> he is capable to run his own servers?
>>>> I've tried looking and failed. Any chance of pointing me to where 
>>>> this
>>>> is documented?
>>> 
>>> seriously?
>>> 
>>> unbound.conf:
>>>  interface: 127.0.0.1
>>>  port: 1053
>>> 
>>> /etc/mail/spamassassin/local.cf:
>>> dns_server [127.0.0.1]:1053
>>> 
>>> https://www.google.com/search?q=unbound.conf
>>> https://www.google.com/search?q=spamassassin+dns_server
>>> 
>> Seriously, yes. I'd found and set up unbound OK, if you'd read another
>> of my posts. I had not found it for SA. Not good searching, but I had
>> not - and I'd tried a few of the links on google and some man 
>> pages.
> 
> jesus christ *i posted* you the setting and you even quoted it above
> 
> sorry, i cannot hand-hold any more and usually it's required to be not
> completely helpless if you think you are capable of running a server
> 
>> OK, I've been heavily shot at for my set up which is totally 
>> irrelevant
>> to the question I posed and not a pleasant experience. Is there any
>> possibility of some help with the problem I posted about?
> 
> like above with the SA-setting *you do not read* what others are
> answering - you are likely on the wrong mailing-list because you are
> running *AMAVIS* which is not a pure spamassassin and can skip SA
> based on several settings
I get the drift. SA is perfect and has no bugs so it is not worth doing 
any diagnostics. The people on the amavis lists will acknowledge this 
and assume, therefore, that it is their product causing the issue. There 
is no chance that the amavis people will say it is an SA issue.

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.
how often were you asked to stop posting HTML mails?
and yes, rules are made by people asked for help

On 26.05.2016 at 08:17, Nick Howitt wrote:
> On 26/05/2016 00:29, Reindl Harald wrote:
>>
>> On 25.05.2016 at 21:58, Nick Howitt wrote:
>>>> and what is the problem run a local unbound on port 1053 and just add
>>>> "dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks
>>>> he is capable to run his own servers?
>>> I've tried looking and failed. Any chance of pointing me to where this
>>> is documented?
>>
>> seriously?
>>
>> unbound.conf:
>>  interface: 127.0.0.1
>>  port: 1053
>>
>> /etc/mail/spamassassin/local.cf:
>> dns_server [127.0.0.1]:1053
>>
>> https://www.google.com/search?q=unbound.conf
>> https://www.google.com/search?q=spamassassin+dns_server
>>
> Seriously, yes. I'd found and set up unbound OK, if you'd read another
> of my posts. I had not found it for SA. Not good searching, but I had
> not - and I'd tried a few of the links on google and some man pages.

jesus christ *i posted* you the setting and you even quoted it above

sorry, i cannot hand-hold any more and usually it's required to be not 
completely helpless if you think you are capable of running a server

> OK, I've been heavily shot at for my set up which is totally irrelevant
> to the question I posed and not a pleasant experience. Is there any
> possibility of some help with the problem I posted about?

like above with the SA-setting *you do not read* what others are 
answering - you are likely on the wrong mailing-list because you are 
running *AMAVIS* which is not a pure spamassassin and can skip SA based 
on several settings


Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.
>  OK, I've been heavily shot at for my set up which is totally
> irrelevant to the question I posed and not a pleasant experience. Is
> there any possibility of some help with the problem I posted about?
> 
> Matus snuck in the most likely answer a while back - message size.
> 
> In Amavis it looks as if the relevant option is:
> 
> $sa_mail_body_size_limit
> 
> I don't use Amavis so can't comment much but I believe that would be
> the relevant setting to change. Google suggests that it may be as low
> as 200kb. SpamAssassin defaults to 500kb. Of course you may still get
> messages over that size. I use FuGlu to connect SA and that leaves a
> handy message telling me scanning was skipped due to message size. You
> don't have that but as you have no SA headers at all in the sample you
> posted I'd assume it never got scanned and message size is the most
> common culprit.
> 
Hi Kevin,

Thanks for that. I guess I missed the reply while I was being flamed for 
not knowing everything about everything and not running my own DNS 
resolver.
I'll check that when I get home but I doubt it is the setting. The 
message size was only about 39kB in total and bigger messages are being 
scanned successfully.

I'll try researching amavis more and then perhaps try their mailing 
lists.

I'm finding it hard here. I am using a preconfigured distro where Postfix, 
amavis and SA are all supplied as a working set up, as is dnsmasq. There 
is no expectation that the users need to "go under the hood" to fix or 
change things. In my case I've tinkered a lot with the distro, a bit 
with the postfix set up to harden it further and I've tightened up on 
dnsmasq, but I've never learnt about amavis or SA. It is like when you 
buy a car, you expect it to work. If the fuel injection fails and you 
look at it, it does not then mean you are an expert at gearbox problems. 
Sadly, it seems here you have to be an expert at everything before you 
are allowed to post.

Nick

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 25.05.2016 at 21:58, Nick Howitt wrote:
>> and what is the problem run a local unbound on port 1053 and just add
>> "dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks
>> he is capable to run his own servers?
> I've tried looking and failed. Any chance of pointing me to where this
> is documented?

seriously?

unbound.conf:
  interface: 127.0.0.1
  port: 1053

/etc/mail/spamassassin/local.cf:
dns_server [127.0.0.1]:1053

https://www.google.com/search?q=unbound.conf
https://www.google.com/search?q=spamassassin+dns_server


Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.
> and what is the problem run a local unbound on port 1053 and just add 
> "dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks 
> he is capable to run his own servers?
I've tried looking and failed. Any chance of pointing me to where this 
is documented?

Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 24.05.2016 at 22:24, Nick Howitt wrote:
> On 24/05/2016 20:44, Reindl Harald wrote:
>>
>> On 24.05.2016 at 21:40, Nick Howitt wrote:
>>> On 24/05/2016 19:11, Reindl Harald wrote:
>>>>
>>>> On 24.05.2016 at 20:05, Nick Howitt wrote:
>>>>>> http://uribl.com/refused.shtml
>>>>> Thanks for the link. I use OpenDNS and it looks like it is being
>>>>> blocked. My mailserver is my gateway and only runs dnsmasq rather than
>>>>> bind and I am only a home user, so, from your link, I fall under
>>>>> the low
>>>>> volume user section. Is there anything reasonable I can do?
>>>>
>>>> when your dnsmasq forwards queries to any other dns server instead of
>>>> doing recursion itself, the server you ask is contacting the rbl and
>>>> *any other* user using the same dns-server raises the count
>>>>
>>>> the RBL server will *never* see your IP and can't distinguish between you
>>>> and other users
>>>>
>>>>>> *never* use a forwarding/ISP nameserver for an inbound MX
>>>>> If I understand you, I don't. I have my own domain and my mx record
>>>>> points to my dyndns FQDN
>>>>
>>>> if your dnsmasq forwards to OpenDNS you do
>>>>
>>>> http://www.windowsnetworking.com/articles-tutorials/netgeneral/Understanding-DNS-Recursion.html
>>>>
>>>>
>>> Ok, but how does it help me? From what I've read it seems dnsmasq can
>>> only do recursion. If I keep dnsmasq then I would need to point it to
>>> another iterative DNS resolver running on my box such as PowerDNS or
>>> BIND rather than to OpenDNS or have I misunderstood? Is there something
>>> simple I can do with dnsmasq or OpenDNS?
>>
>> no idea why you insist in dnsmasq and especially opendns
>> a unbound or bind default setup does recursion
>> __________________________________
>>
>> "dnsmasq can only do recursion" - jesus NO - when you did something
>> like below it is a forwarding server - just try to UNDERSTAND the link
>> above explaining WHAT dns-recursion is - IT IS NOT "use a specific
>> nameserver like below for resolving"
>> __________________________________
>>
>> THAT IS A BULLSHIT SETUP ON A INBOUND-MX
>>
>> https://www.dd-wrt.com/wiki/index.php/OpenDNS
>>
>> Option 2 - Configure DNSMasq for OpenDNS DNS forwarding
>>
>>     Go to Services tab » Services sub tab » Services Management
>> section » DNSMasq sub section
>>     Enable both DNSMasq and Local DNS options
>>     In the Additional DNSMasq Options text box, enter:
>>
>> no-resolv
>> strict-order
>> server=208.67.222.222
>> server=208.67.222.220
>>
> Thanks for the info. Each time I've received a reply I've tried to do a
> quick bit of research on the internet. Clearly I got it wrong about
> dnsmasq and I'll give a try adding "no-resolv" to my configuration. The
> other bits I already have. I'm afraid I can't be an expert at everything.

stay on list!

that above is *as said* a bullshit setup for an incoming mailserver and 
"no-resolv" is just for ignoring /etc/resolv.conf

maybe you still don't understand the problem:

every time you receive a mail SpamAssassin checks if the IP is listed on 
several blacklists and whitelists by asking your resolver; if that 
points to "208.67.222.222" then NOT YOU but "208.67.222.222" asks the 
DNSBL/DNSWL servers, and others using "208.67.222.222" trigger the same, 
leading to "208.67.222.22" making the dns-requests for you and half of 
the world, and so "208.67.222.22" exceeds the free limit

> My reluctance to move away from dnsmasq is that it is integrated into
> the ClearOS webconfig and acts as a DHCP server as well. Replacing it
> with BIND will break bits of the webconfig and I don't have the skills
> to fix it

and what is the problem run a local unbound on port 1053 and just add 
"dns_server [127.0.0.1]:1053" to your SA-configuration when one thinks 
he is capable to run his own servers?

https://wiki.apache.org/spamassassin/CachingNameserver


Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

On 24.05.2016 at 21:40, Nick Howitt wrote:
> On 24/05/2016 19:11, Reindl Harald wrote:
>>
>> On 24.05.2016 at 20:05, Nick Howitt wrote:
>>>> http://uribl.com/refused.shtml
>>> Thanks for the link. I use OpenDNS and it looks like it is being
>>> blocked. My mailserver is my gateway and only runs dnsmasq rather than
>>> bind and I am only a home user, so, from your link, I fall under the low
>>> volume user section. Is there anything reasonable I can do?
>>
>> when your dnsmasq forwards queries to any other dns server instead of
>> doing recursion itself, the server you ask is contacting the rbl and
>> *any other* user using the same dns-server raises the count
>>
>> the RBL server will *never* see your IP and can't distinguish between you
>> and other users
>>
>>>> *never* use a forwarding/ISP nameserver for an inbound MX
>>> If I understand you, I don't. I have my own domain and my mx record
>>> points to my dyndns FQDN
>>
>> if your dnsmasq forwards to OpenDNS you do
>>
>> http://www.windowsnetworking.com/articles-tutorials/netgeneral/Understanding-DNS-Recursion.html
>>
> Ok, but how does it help me? From what I've read it seems dnsmasq can
> only do recursion. If I keep dnsmasq then I would need to point it to
> another iterative DNS resolver running on my box such as PowerDNS or
> BIND rather than to OpenDNS or have I misunderstood? Is there something
> simple I can do with dnsmasq or OpenDNS?

no idea why you insist on dnsmasq and especially opendns
an unbound or bind default setup does recursion
__________________________________

"dnsmasq can only do recursion" - jesus NO - when you did something like 
below it is a forwarding server - just try to UNDERSTAND the link above 
explaining WHAT dns-recursion is - IT IS NOT "use a specific nameserver 
like below for resolving"
__________________________________

THAT IS A BULLSHIT SETUP ON AN INBOUND-MX

https://www.dd-wrt.com/wiki/index.php/OpenDNS

Option 2 - Configure DNSMasq for OpenDNS DNS forwarding

     Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section
     Enable both DNSMasq and Local DNS options
     In the Additional DNSMasq Options text box, enter:

no-resolv
strict-order
server=208.67.222.222
server=208.67.222.220




Re: Odd results when using whitelisting

Posted by Reindl Harald <h....@thelounge.net>.

Am 24.05.2016 um 20:05 schrieb Nick Howitt:
>> http://uribl.com/refused.shtml
> Thanks for the link. I use OpenDNS and it looks like it is being
> blocked. My mailserver is my gateway and only runs dnsmasq rather than
> bind and I am only a home user, so, from your link, I fall under the low
> volume user section. Is there anything reasonable I can do?

when your dnsmasq forwards queries to any other dns server instead of doing 
recursion itself, the server you ask is contacting the rbl and *any 
other* user using the same dns-server raises the count

the RBL server *never* will see your IP and can't distinguish between you 
and other users

>> *never* use a forwarding/ISP nameserver for an inbound MX
> If I understand you, I don't. I have my own domain and my mx record
> points to my dyndns FQDN

if your dnsmasq forwards to OpenDNS, you do

http://www.windowsnetworking.com/articles-tutorials/netgeneral/Understanding-DNS-Recursion.html


Re: Odd results when using whitelisting

Posted by David Jones <dj...@ena.com>.
>I used the "Authoritative, validating, recursive caching DNS (example
>2)" section of this guide: https://calomel.org/unbound_dns.html but
>omitted the forward-zone, local-zone and local-data sections and did a
>couple of other parameters differently.

PowerDNS Recursor is very easy to install and the default config should
work perfectly as a recursive DNS server for a mail server.

Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.
I used the "Authoritative, validating, recursive caching DNS (example 
2)" section of this guide: https://calomel.org/unbound_dns.html but 
omitted the forward-zone, local-zone and local-data sections and did a 
couple of other parameters differently.

On 25/05/2016 21:24, Vincent Fox wrote:
>
>
> I've been using dnsmasq myself on a list server, with DHCP
> disabled, and configured to answer only localhost, for caching.
> The stock package seems limited to 10,000 entries BTW.
> But it seemed fairly bug-free as opposed to nscd, and simple
> to set up, unlike BIND.
>
> Gladly switch to something else.  Thanks for mentioning unbound
> I had never heard of this before.
>
>
> ________________________________________
> From: Nick Howitt <ni...@howitts.co.uk>
> Sent: Wednesday, May 25, 2016 11:11:24 AM
> To: David Jones; SA-Users
> Subject: Re: Odd results when using whitelisting
>
> This thread is so fragmented now I am not sure which message to reply to.
>
> I've now installed unbound and configured dnsmasq to hand its DNS
> queries to unbound on port 1053. It looks like I could stop dnsmasq from
> doing dns completely (by setting port to 0), but the ClearOS webconfig
> interfaces with hosts which I am not sure if unbound works with, and, in
> any case, changing hosts through the webconfig triggers a dnsmasq reload
> rather than an unbound reload, so I can have dnsmasq handling the LAN
> (hosts) then handing over to unbound for the WAN.
>
> Now I've done this, is there any chance of some help with the main bit
> of my original query which is why do some whitelisted e-mails not get
> X-Spam headers when others do.
>
> Sorry to all for using html e-mails. Some lists don't mind them and I
> generally prefer them so use them by default. This should appear in
> plain-text only.
>
> On 25/05/2016 17:52, David Jones wrote:
>>> From: Bill Cole <sa...@billmail.scconsult.com>
>>> Sent: Wednesday, May 25, 2016 10:09 AM
>>> To: SA-Users
>>> Subject: Re: Odd results when using whitelisting
>>> On 24 May 2016, at 15:58, David Jones wrote:
>>>> Dnsmasq is a very powerful DNS server
>> I meant that it has lots of options and can do some pretty slick
>> stuff.   It can handle a heavy load too.  It's used all over the place
>> not just in home routers / blue plastic boxes.
>>
>>> LOL. Its man page (see
>>> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
>>> the implied admission that it isn't even a "real" DNS server: which it
>>> isn't. It's a bloatware DNS proxy. For many years its default
>>> configuration made it an open resolver with no mitigation for DNS
>>> amplification attacks and it is still being distributed that way by some
>>> packagers.
>>> BIND is a "very powerful" DNS server. It also sucks much less than it
>>> used to but has such a rococo feature set that it probably shouldn't be
>>> used by anyone who doesn't treat DNS as an artistic medium. Using it for
>>> straightforward caching and autonomous recursive resolution is a
>>> widespread practice in the same way that using full-size SUV's for
>>> suburban commuting is a widespread practice.
>>> Unbound is a very good recursive resolution and caching DNS server,
>>> which is the functionality one actually needs on a modern mail server
>>> (or on the same physical LAN) to keep DNS from being a bottleneck.
>>> Because it is not an authoritative server, it lacks much of BIND's
>>> "power" along with most of the features that have been involved in the
>>> last dozen or so BIND vulnerabilities.
>> I prefer PowerDNS recursor over BIND and Unbound which is definitely
>> a very powerful DNS recursive server.  Dnsmasq could be set up to forward
>> to pdns-recursor to solve this problem.
>>
>>>> so I am sure it can be configured to do full recursive lookups
>> Ok.  I was wrong.
>>
>>> See the cited man page, which almost clearly says otherwise:
>>>          Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
>>>          answering arbitrary queries starting from the root servers
>>> For its design target, Dnsmasq is an acceptable hack: a local DNS cache
>>> for small routers serving typical home networks that also does DHCP. It
>>> simply isn't fit for a mail server using modern anti-spam measures, not
>>> just because it must forward to a real DNS server on the other side of a
>>> WAN link and usually at least 2 routing hops which is probably
>>> URIBL_BLOCKED anyway, but also because it is normally run on devices
>>> that have very tight memory constraints, limiting its cache.
>> The OP wants to continue to use dnsmasq because it's integrated
>> into his distro tightly so I recommend he set up a recursive DNS server
>> like pdns-recursor, BIND, unbound, etc. on a different port and forward
>> dnsmasq to it.  I expect his mail flow is very light so this will work fine.


Re: Odd results when using whitelisting

Posted by Vincent Fox <vb...@ucdavis.edu>.

I've been using dnsmasq myself on a list server, with DHCP
disabled, and configured to answer only localhost, for caching.
The stock package seems limited to 10,000 entries BTW.
But it seemed fairly bug-free as opposed to nscd, and simple
to set up, unlike BIND.

Gladly switch to something else.  Thanks for mentioning unbound
I had never heard of this before.


________________________________________
From: Nick Howitt <ni...@howitts.co.uk>
Sent: Wednesday, May 25, 2016 11:11:24 AM
To: David Jones; SA-Users
Subject: Re: Odd results when using whitelisting

This thread is so fragmented now I am not sure which message to reply to.

I've now installed unbound and configured dnsmasq to hand its DNS
queries to unbound on port 1053. It looks like I could stop dnsmasq from
doing dns completely (by setting port to 0), but the ClearOS webconfig
interfaces with hosts which I am not sure if unbound works with, and, in
any case, changing hosts through the webconfig triggers a dnsmasq reload
rather than an unbound reload, so I can have dnsmasq handling the LAN
(hosts) then handing over to unbound for the WAN.

Now I've done this, is there any chance of some help with the main bit
of my original query which is why do some whitelisted e-mails not get
X-Spam headers when others do.

Sorry to all for using html e-mails. Some lists don't mind them and I
generally prefer them so use them by default. This should appear in
plain-text only.

On 25/05/2016 17:52, David Jones wrote:
>> From: Bill Cole <sa...@billmail.scconsult.com>
>> Sent: Wednesday, May 25, 2016 10:09 AM
>> To: SA-Users
>> Subject: Re: Odd results when using whitelisting
>> On 24 May 2016, at 15:58, David Jones wrote:
>>> Dnsmasq is a very powerful DNS server
> I meant that it has lots of options and can do some pretty slick
> stuff.   It can handle a heavy load too.  It's used all over the place
> not just in home routers / blue plastic boxes.
>
>> LOL. Its man page (see
>> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
>> the implied admission that it isn't even a "real" DNS server: which it
>> isn't. It's a bloatware DNS proxy. For many years its default
>> configuration made it an open resolver with no mitigation for DNS
>> amplification attacks and it is still being distributed that way by some
>> packagers.
>> BIND is a "very powerful" DNS server. It also sucks much less than it
>> used to but has such a rococo feature set that it probably shouldn't be
>> used by anyone who doesn't treat DNS as an artistic medium. Using it for
>> straightforward caching and autonomous recursive resolution is a
>> widespread practice in the same way that using full-size SUV's for
>> suburban commuting is a widespread practice.
>> Unbound is a very good recursive resolution and caching DNS server,
>> which is the functionality one actually needs on a modern mail server
>> (or on the same physical LAN) to keep DNS from being a bottleneck.
>> Because it is not an authoritative server, it lacks much of BIND's
>> "power" along with most of the features that have been involved in the
>> last dozen or so BIND vulnerabilities.
> I prefer PowerDNS recursor over BIND and Unbound which is definitely
> a very powerful DNS recursive server.  Dnsmasq could be set up to forward
> to pdns-recursor to solve this problem.
>
>>> so I am sure it can be configured to do full recursive lookups
> Ok.  I was wrong.
>
>> See the cited man page, which almost clearly says otherwise:
>>         Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
>>         answering arbitrary queries starting from the root servers
>> For its design target, Dnsmasq is an acceptable hack: a local DNS cache
>> for small routers serving typical home networks that also does DHCP. It
>> simply isn't fit for a mail server using modern anti-spam measures, not
>> just because it must forward to a real DNS server on the other side of a
>> WAN link and usually at least 2 routing hops which is probably
>> URIBL_BLOCKED anyway, but also because it is normally run on devices
>> that have very tight memory constraints, limiting its cache.
> The OP wants to continue to use dnsmasq because it's integrated
> into his distro tightly so I recommend he set up a recursive DNS server
> like pdns-recursor, BIND, unbound, etc. on a different port and forward
> dnsmasq to it.  I expect his mail flow is very light so this will work fine.


Re: Odd results when using whitelisting

Posted by Nick Howitt <ni...@howitts.co.uk>.
This thread is so fragmented now I am not sure which message to reply to.

I've now installed unbound and configured dnsmasq to hand its DNS 
queries to unbound on port 1053. It looks like I could stop dnsmasq from 
doing dns completely (by setting port to 0), but the ClearOS webconfig 
interfaces with hosts which I am not sure if unbound works with, and, in 
any case, changing hosts through the webconfig triggers a dnsmasq reload 
rather than an unbound reload, so I can have dnsmasq handling the LAN 
(hosts) then handing over to unbound for the WAN.

Now I've done this, is there any chance of some help with the main bit 
of my original query which is why do some whitelisted e-mails not get 
X-Spam headers when others do.

Sorry to all for using html e-mails. Some lists don't mind them and I 
generally prefer them so use them by default. This should appear in 
plain-text only.

On 25/05/2016 17:52, David Jones wrote:
>> From: Bill Cole <sa...@billmail.scconsult.com>
>> Sent: Wednesday, May 25, 2016 10:09 AM
>> To: SA-Users
>> Subject: Re: Odd results when using whitelisting
>> On 24 May 2016, at 15:58, David Jones wrote:
>>> Dnsmasq is a very powerful DNS server
> I meant that it has lots of options and can do some pretty slick
> stuff.   It can handle a heavy load too.  It's used all over the place
> not just in home routers / blue plastic boxes.
>
>> LOL. Its man page (see
>> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
>> the implied admission that it isn't even a "real" DNS server: which it
>> isn't. It's a bloatware DNS proxy. For many years its default
>> configuration made it an open resolver with no mitigation for DNS
>> amplification attacks and it is still being distributed that way by some
>> packagers.
>> BIND is a "very powerful" DNS server. It also sucks much less than it
>> used to but has such a rococo feature set that it probably shouldn't be
>> used by anyone who doesn't treat DNS as an artistic medium. Using it for
>> straightforward caching and autonomous recursive resolution is a
>> widespread practice in the same way that using full-size SUV's for
>> suburban commuting is a widespread practice.
>> Unbound is a very good recursive resolution and caching DNS server,
>> which is the functionality one actually needs on a modern mail server
>> (or on the same physical LAN) to keep DNS from being a bottleneck.
>> Because it is not an authoritative server, it lacks much of BIND's
>> "power" along with most of the features that have been involved in the
>> last dozen or so BIND vulnerabilities.
> I prefer PowerDNS recursor over BIND and Unbound which is definitely
> a very powerful DNS recursive server.  Dnsmasq could be set up to forward
> to pdns-recursor to solve this problem.
>
>>> so I am sure it can be configured to do full recursive lookups
> Ok.  I was wrong.
>
>> See the cited man page, which almost clearly says otherwise:
>>         Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
>>         answering arbitrary queries starting from the root servers
>> For its design target, Dnsmasq is an acceptable hack: a local DNS cache
>> for small routers serving typical home networks that also does DHCP. It
>> simply isn't fit for a mail server using modern anti-spam measures, not
>> just because it must forward to a real DNS server on the other side of a
>> WAN link and usually at least 2 routing hops which is probably
>> URIBL_BLOCKED anyway, but also because it is normally run on devices
>> that have very tight memory constraints, limiting its cache.
> The OP wants to continue to use dnsmasq because it's integrated
> into his distro tightly so I recommend he set up a recursive DNS server
> like pdns-recursor, BIND, unbound, etc. on a different port and forward
> dnsmasq to it.  I expect his mail flow is very light so this will work fine.


Re: Odd results when using whitelisting

Posted by David Jones <dj...@ena.com>.
>From: Bill Cole <sa...@billmail.scconsult.com>
>Sent: Wednesday, May 25, 2016 10:09 AM
>To: SA-Users
>Subject: Re: Odd results when using whitelisting

>On 24 May 2016, at 15:58, David Jones wrote:

>> Dnsmasq is a very powerful DNS server

I meant that it has lots of options and can do some pretty slick
stuff.   It can handle a heavy load too.  It's used all over the place
not just in home routers / blue plastic boxes.

>LOL. Its man page (see
>http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
>the implied admission that it isn't even a "real" DNS server: which it
>isn't. It's a bloatware DNS proxy. For many years its default
>configuration made it an open resolver with no mitigation for DNS
>amplification attacks and it is still being distributed that way by some
>packagers.

>BIND is a "very powerful" DNS server. It also sucks much less than it
>used to but has such a rococo feature set that it probably shouldn't be
>used by anyone who doesn't treat DNS as an artistic medium. Using it for
>straightforward caching and autonomous recursive resolution is a
>widespread practice in the same way that using full-size SUV's for
>suburban commuting is a widespread practice.

>Unbound is a very good recursive resolution and caching DNS server,
>which is the functionality one actually needs on a modern mail server
>(or on the same physical LAN) to keep DNS from being a bottleneck.
>Because it is not an authoritative server, it lacks much of BIND's
>"power" along with most of the features that have been involved in the
>last dozen or so BIND vulnerabilities.

I prefer PowerDNS recursor over BIND and Unbound which is definitely
a very powerful DNS recursive server.  Dnsmasq could be set up to forward
to pdns-recursor to solve this problem.

>> so I am sure it can be configured to do full recursive lookups

Ok.  I was wrong.

>See the cited man page, which almost clearly says otherwise:

>        Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
>        answering arbitrary queries starting from the root servers

>For its design target, Dnsmasq is an acceptable hack: a local DNS cache
>for small routers serving typical home networks that also does DHCP. It
>simply isn't fit for a mail server using modern anti-spam measures, not
>just because it must forward to a real DNS server on the other side of a
>WAN link and usually at least 2 routing hops which is probably
>URIBL_BLOCKED anyway, but also because it is normally run on devices
>that have very tight memory constraints, limiting its cache.

The OP wants to continue to use dnsmasq because it's integrated
into his distro tightly so I recommend he set up a recursive DNS server
like pdns-recursor, BIND, unbound, etc. on a different port and forward
dnsmasq to it.  I expect his mail flow is very light so this will work fine.

Re: Odd results when using whitelisting

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 24 May 2016, at 15:58, David Jones wrote:

> Dnsmasq is a very powerful DNS server

LOL. Its man page (see 
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with 
the implied admission that it isn't even a "real" DNS server: which it 
isn't. It's a bloatware DNS proxy. For many years its default 
configuration made it an open resolver with no mitigation for DNS 
amplification attacks and it is still being distributed that way by some 
packagers.

BIND is a "very powerful" DNS server. It also sucks much less than it 
used to but has such a rococo feature set that it probably shouldn't be 
used by anyone who doesn't treat DNS as an artistic medium. Using it for 
straightforward caching and autonomous recursive resolution is a 
widespread practice in the same way that using full-size SUV's for 
suburban commuting is a widespread practice.

Unbound is a very good recursive resolution and caching DNS server, 
which is the functionality one actually needs on a modern mail server 
(or on the same physical LAN) to keep DNS from being a bottleneck. 
Because it is not an authoritative server, it lacks much of BIND's 
"power" along with most of the features that have been involved in the 
last dozen or so BIND vulnerabilities.

> so I am sure it can be configured to do full recursive lookups

See the cited man page, which almost clearly says otherwise:

	Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively
	answering arbitrary queries starting from the root servers

For its design target, Dnsmasq is an acceptable hack: a local DNS cache 
for small routers serving typical home networks that also does DHCP. It 
simply isn't fit for a mail server using modern anti-spam measures, not 
just because it must forward to a real DNS server on the other side of a 
WAN link and usually at least 2 routing hops which is probably 
URIBL_BLOCKED anyway, but also because it is normally run on devices 
that have very tight memory constraints, limiting its cache.

Re: Odd results when using whitelisting

Posted by RW <rw...@googlemail.com>.
On Tue, 24 May 2016 19:58:32 +0000
David Jones wrote:

> Dnsmasq is a very powerful DNS server so I am sure it can be
> configured to do full recursive lookups but this is not a common
> configuration for dnsmasq. 

This has come-up before and it can't.

Re: Odd results when using whitelisting

Posted by David Jones <dj...@ena.com>.
>> *never* use a forwarding/ISP nameserver for an inbound MX
> If I understand you, I don't. I have my own domain and my mx record points to my dyndns FQDN

What you mentioned above is hosting your own domain's DNS to the Internet and has nothing to do with how your ClearOS server is resolving its own lookups for Internet domains like apache.org, google.com,
ena.com, etc.
You need to find out how to disable forwarding within dnsmasq to make dnsmasq do its own full recursive lookup.  As long as you point to any other DNS server, you are at risk of having your DNS queries combined with others', which will put your email server over the free query limits of many RBLs.

DNS 101
=======
DNS forwarding is when you point to another DNS server in /etc/resolv.conf (or /etc/dnsmasq-resolv.conf when using dnsmasq).
DNS recursion is when you do your own full recursive DNS lookup.  (Similar to running 'dig +trace google.com' from the command line.)  This would be 127.0.0.1 in the /etc/resolv.conf then whatever DNS server is listening on 127.0.0.1 or 0.0.0.0 port 53 does not forward to another DNS server like Google or OpenDNS.

Dnsmasq is a very powerful DNS server so I am sure it can be configured to do full recursive lookups but this is not a common configuration for dnsmasq.  I prefer PowerDNS recursor which is very easy to install on most distros.  You just need to work out the listening interfaces or IPs so dnsmasq listens only on 127.0.0.1 and the other DNS server (BIND, PDNS recursor, unbound, etc.) only listens on your interface IP.  Then you would set up dnsmasq-resolv.conf to point to that interface IP.
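The check below is an added example, not code from this thread, from dnsmasq or from SpamAssassin. It parses a dnsmasq options block such as the OpenDNS recipe quoted earlier in the thread, plus the resolv-style file dnsmasq reads when `no-resolv` is absent, and reports whether an inbound MX's DNSBL lookups would leave through a shared public resolver (the setup that earns URIBL_BLOCKED) or through a local recursor such as the unbound-on-port-1053 layout. It assumes dnsmasq's `server=ip[#port]` syntax and `port=0` meaning "no DNS"; the configuration samples are constructed.

```python
"""Added example, not code from the thread, dnsmasq or SpamAssassin: decide
whether a dnsmasq forwarder on an inbound MX sends its DNSBL/URIBL lookups
through a shared public resolver (whose quota you then share -> URIBL_BLOCKED)
or through your own recursive server (the unbound-on-port-1053 layout)."""
import ipaddress


def _upstream(value):
    """Parse the value of a dnsmasq ``server=`` option into (ip, port).
    Accepted forms: ip, ip#port, /domain/ip[#port], with an optional @source
    suffix. Returns None when no server is named (e.g. ``server=/local/``)."""
    if value.startswith("/"):
        value = value.rsplit("/", 1)[1]       # keep only the address part
    value = value.split("@", 1)[0]            # drop source-address suffix
    if not value or value == "#":
        return None
    host, _, port = value.partition("#")
    return host, (int(port) if port else 53)


def parse_dnsmasq(text):
    """Return (dns_port, no_resolv, upstreams) from dnsmasq option lines.
    port=0 disables dnsmasq's DNS side entirely (as mentioned in the thread)."""
    port, no_resolv, upstreams = 53, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "port":
            port = int(value)
        elif key == "no-resolv":
            no_resolv = True
        elif key == "server":
            up = _upstream(value)
            if up:
                upstreams.append(up)
    return port, no_resolv, upstreams


def parse_resolv(text):
    """Return nameserver entries of a resolv.conf-style file as (ip, 53).
    dnsmasq reads such a file for its upstreams unless no-resolv is set."""
    return [(p[1], 53) for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def classify(dnsmasq_text, resolv_text=""):
    """Return (verdict, upstreams). Verdicts:
    dns-disabled     port=0, dnsmasq answers no DNS at all
    no-upstream      nothing to forward to; a forwarder cannot recurse itself
    local-recursor   every upstream is loopback/private, i.e. your own server
    shared-upstream  a public upstream does the lookups under its own IP, so
                     you share its free-query quota with everyone else using it"""
    port, no_resolv, upstreams = parse_dnsmasq(dnsmasq_text)
    if port == 0:
        return "dns-disabled", []
    if not no_resolv:
        upstreams = upstreams + parse_resolv(resolv_text)
    if not upstreams:
        return "no-upstream", []
    # dnsmasq requires literal IPs in server=, so ip_address() is safe here.
    public = [u for u in upstreams if ipaddress.ip_address(u[0]).is_global]
    return ("shared-upstream" if public else "local-recursor"), upstreams


# Constructed inputs. WEAK is the dd-wrt/OpenDNS recipe quoted in the thread;
# FIXED is the layout Nick ended up with: dnsmasq forwards to unbound on 1053.
WEAK_DNSMASQ = "no-resolv\nstrict-order\nserver=208.67.222.222\nserver=208.67.222.220\n"
FIXED_DNSMASQ = "no-resolv\nserver=127.0.0.1#1053\n"
ISP_RESOLV = "nameserver 208.67.222.222\n"   # read by dnsmasq without no-resolv

if __name__ == "__main__":
    for name, cfg, resolv in (("weak", WEAK_DNSMASQ, ""), ("fixed", FIXED_DNSMASQ, ""),
                              ("isp-resolv", "strict-order\n", ISP_RESOLV)):
        verdict, ups = classify(cfg, resolv)
        print(f"{name:12s} {verdict:16s} {ups}")
```

A `local-recursor` verdict only says the forwarder points at your own box or LAN; the server on that address still has to be a real recursive resolver (unbound, BIND, pdns-recursor), and SpamAssassin itself can be pointed straight at it with the `dns_server` option from the thread.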