Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2023/05/30 16:15:01 UTC

authres missing when ran from spamass-milter

Hello,

I happily use spamass-milter to filter spam at SMTP time.
Prior to spamass-milter, I use pyspf-milter/opendkim/opendmarc milters to 
mark if mail passes corresponding checks.

I also use authres plugin to use these results. However, it does not work 
when receiving mail.

I tried debugging both spamass-milter and spamd, and I see that the headers 
are indeed there:


May 30 17:57:03 fantomas spamd[1101]: authres: no Authentication-Results headers found from internal
May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=xxx.sk
May 30 17:57:03 fantomas spamd[1101]: rules: [...]
May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=192.0.2.1
May 30 17:57:03 fantomas spamd[1101]: rules: [...]
May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF  authorized) smtp.mailfrom=xxx.sk (client-ip=192.0.2.1;  helo=smtp8.xxx.sk; envelope-from=yyy@xxx.sk; receiver=<UNKNOWN>)

Does anyone have an idea why spamd misses these?


when I pipe message to spamd manually, those headers are there and AUTHRES matches:

X-Spam-Status: No, score=-0.9 required=5.0 tests=AUTHRES_SPF_PASS,BAYES_00,
         DCC_CHECK,DMARC_MISSING,KAM_DMARC_STATUS,KAM_NUMSUBJECT,RDNS_NONE,
         SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=no
         autolearn_force=no version=4.0.0


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig

Re: authres missing when ran from spamass-milter

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> > Matus UHLAR - fantomas:
>> > > that will need spamass-milter change.
>>
>> On 31.05.23 13:52, David Bürgin wrote:
>> > Have you tried setting:
>> >
>> > authres_trusted_authserv fantomas.fantomas.sk
>>
>> I did. that's why it works when checking later.
>>
>> > I think this should work without changing anything in the milter …

>Matus UHLAR - fantomas:
>> milter adds own synthetised Received: header at the very beginning, which is
>> most possibly the correct reason.
>>
>> spamass-milter should add this header behind locally added
>> Authentication-Results: headers, but it needs change in spamass-milter.

On 31.05.23 15:23, David Bürgin wrote:
>I understand, but I still think AuthRes can do this without a change in
>the milter. Note the doc for authres_trusted_authserv:

>> Use strongly recommended, possibly along with authres_networks all.

>So, if you set:
>
>authres_networks all
>authres_trusted_authserv fantomas.fantomas.sk
>
>then the relative position of ‘Received’ and ‘Authentication-Results’
>headers shouldn’t matter. You just have to strip out forged results in an
>earlier milter. I’ll try it out some other time.

I'm not going to trust remote Authentication-Results: headers. Especially 
not if they contain my local hostname.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Re: authres missing when ran from spamass-milter

Posted by David Bürgin <db...@gluet.ch>.
Matus UHLAR - fantomas:
> > Matus UHLAR - fantomas:
> > > that will need spamass-milter change.
> 
> On 31.05.23 13:52, David Bürgin wrote:
> > Have you tried setting:
> > 
> > authres_trusted_authserv fantomas.fantomas.sk
> 
> I did. that's why it works when checking later.
> 
> > I think this should work without changing anything in the milter …
> 
> milter adds own synthetised Received: header at the very beginning, which is
> most possibly the correct reason.
> 
> spamass-milter should add this header behind locally added
> Authentication-Results: headers, but it needs change in spamass-milter.

I understand, but I still think AuthRes can do this without a change in
the milter. Note the doc for authres_trusted_authserv:

> Use strongly recommended, possibly along with authres_networks all.

So, if you set:

authres_networks all
authres_trusted_authserv fantomas.fantomas.sk

then the relative position of ‘Received’ and ‘Authentication-Results’
headers shouldn’t matter. You just have to strip out forged results in an
earlier milter. I’ll try it out some other time.

Re: authres missing when ran from spamass-milter

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 01.06.23 06:09, Loren Wilton wrote:
>This is not an area I know anything about, so I may be completely wrong.
>That said, I seem to remember a conversation very like this some years back.
>If I remember correctly, someone found some switch that could be set 
>to get spamass-milter to add the Received header before calling the 
>other milters.

The synthetised Received: header is sent to spamd, it's not added to mail 
itself (postfix adds it later).

And it's sent as first header, so spamd first sees Received: header 
synthetised by spamass-milter and then headers added by other milters.

>Even if there isn't a switch, maybe it would only take a few lines of 
>code change in spamass-milter to put out the Received header earlier.

spamass-milter must first send (only) trusted Authentication-Results: 
and then synthetised Received: headers.

I'm afraid that wouldn't be just a few lines of code.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.

Re: authres missing when ran from spamass-milter

Posted by Loren Wilton <lw...@earthlink.net>.
This is not an area I know anything about, so I may be completely wrong.
That said, I seem to remember a conversation very like this some years back.
If I remember correctly, someone found some switch that could be set to get 
spamass-milter to add the Received header before calling the other milters.
Even if there isn't a switch, maybe it would only take a few lines of code 
change in spamass-milter to put out the Received header earlier.


Re: authres missing when ran from spamass-milter

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Wed, 31 May 2023, Matus UHLAR - fantomas wrote:
>>milter adds own synthetised Received: header at the very beginning, 
>>which is most possibly the correct reason. spamass-milter should 
>>add this header behind locally added Authentication-Results: 
>>headers, but it needs change in spamass-milter.

On 31.05.23 09:19, Dave Funk wrote:
>tl;dr if those 'Authentication-Results: headers' are generated by the 
>MTA itself the milter may not ever see them.
>
>Which agent in the whole MTA system is adding those 
>'Authentication-Results: headers'?
>Is it the master MTA itself (EG: postfix or sendmail) or is it some 
>other milter component?

Headers are added by previous milter components. 

>A milter can only work with what it's handed by the master MTA, if the 
>Authentication-Results: headers aren't in its input stream then it 
>cannot work with them.
>In the original sendmail incarnation of the milter API it was designed 
>so that a milter received the message input stream -before- local 
>headers were added, thus the need for spamassassin 'glue' milters to 
>do that Received: header synthesis.

This is what spamass-milter does. It does see headers added by former 
milters, but not yet the Received: header added by local postfix, so it must 
synthetize one.

this is documented and consistent with sendmail functionality:
http://www.postfix.org/MILTER_README.html#when-inspect

>If those Authentication-Results: headers are being generated by 
>another milter then the solution is easy, just set the MTA 
>configuration to run that milter before the spamassassin 'glue' 
>milter. Milter results are chained so any headers explicitly added by 
>one milter are passed on to succeeding milters.
>
>If those headers are being generated by the MTA then it may not be 
>possible for milters to see them without hacking the MTA itself.

The problem is that spamass-milter generates Received: header as the 
first of headers, before Authentication-Results: added by other milters.
So, while spamassassin does see those headers, it does not trust them.

One possible fix is to add Received: headers AFTER locally added 
Authentication-Results, which requires parsing those headers and only 
trusting those that match local hostname (and hope they don't come fake)

Another possible fix is to add local Received: header by postfix and not 
spamass-milter. This requires changing both postfix and spamass-milter.

This would otoh make those headers fully trusted, but incompatible with 
sendmail.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS$\*.*
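
The header-ordering problem and the first proposed fix from the message above, as an added example that is not part of the original post and is not SpamAssassin or spamass-milter code. The positional trust rule in `trusted_results` is a simplified assumption about how the headers are judged, the function names are hypothetical, and the header list is constructed from the log lines in this thread.

```python
# Added illustration: simplified model, not SpamAssassin or spamass-milter code.
LOCAL_AUTHSERV = "fantomas.fantomas.sk"  # authserv-id quoted in the thread

def authserv_id(value):
    """Return the authserv-id: the first token before the first ';'."""
    head = value.split(";", 1)[0].split()
    return head[0].lower() if head else ""

def is_ar(name):
    return name.lower() == "authentication-results"

def trusted_results(headers, authserv=LOCAL_AUTHSERV):
    """Assumed positional rule: only A-R headers above the topmost
    Received header, bearing our authserv-id, count as locally added."""
    trusted = []
    for name, value in headers:
        if name.lower() == "received":
            break  # everything below the first Received is external
        if is_ar(name) and authserv_id(value) == authserv:
            trusted.append(value)
    return trusted

def reorder_for_spamd(synth_received, headers, authserv=LOCAL_AUTHSERV):
    """Place the synthesized Received below the leading run of local A-R
    headers and drop any later A-R header claiming our authserv-id."""
    lead = 0
    while (lead < len(headers) and is_ar(headers[lead][0])
           and authserv_id(headers[lead][1]) == authserv):
        lead += 1
    rest = [(n, v) for n, v in headers[lead:]
            if not (is_ar(n) and authserv_id(v) == authserv)]
    return headers[:lead] + [("Received", synth_received)] + rest

# Constructed sample: headers as the milter holds them, top to bottom.
SYNTH = "from smtp8.xxx.sk (smtp8.xxx.sk [192.0.2.1]) by fantomas.fantomas.sk"
FORGED = "fantomas.fantomas.sk; dkim=pass header.d=xxx.sk"  # sender-supplied
FROM_MILTERS = [
    ("Authentication-Results", "fantomas.fantomas.sk; dmarc=none header.from=xxx.sk"),
    ("Authentication-Results", "fantomas.fantomas.sk; arc=none smtp.remote-ip=192.0.2.1"),
    ("Authentication-Results", "fantomas.fantomas.sk; spf=pass smtp.mailfrom=xxx.sk"),
    ("Received", "from localhost by smtp8.xxx.sk"),
    ("Authentication-Results", FORGED),
    ("Subject", "test"),
]
AS_SENT_TODAY = [("Received", SYNTH)] + FROM_MILTERS   # Received goes first
AS_REORDERED = reorder_for_spamd(SYNTH, FROM_MILTERS)  # proposed ordering

if __name__ == "__main__":
    print("trusted today:    ", len(trusted_results(AS_SENT_TODAY)))
    print("trusted reordered:", len(trusted_results(AS_REORDERED)))
```

The leading-run check cannot tell a sender-supplied header at the very top of the message from a locally added one when the local milters add nothing, so inbound headers carrying the local authserv-id still have to be stripped before the local milters run.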

Re: authres missing when ran from spamass-milter

Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Wed, 31 May 2023, Matus UHLAR - fantomas wrote:

[snip..]
> milter adds own synthetised Received: header at the very beginning, which is 
> most possibly the correct reason.
> spamass-milter should add this header behind locally added 
> Authentication-Results: headers, but it needs change in spamass-milter.
>

tl;dr if those 'Authentication-Results: headers' are generated by the MTA itself 
the milter may not ever see them.

Which agent in the whole MTA system is adding those 'Authentication-Results: 
headers'?
Is it the master MTA itself (EG: postfix or sendmail) or is it some other milter 
component?

A milter can only work with what it's handed by the master MTA, if the 
Authentication-Results: headers aren't in its input stream then it cannot work 
with them.
In the original sendmail incarnation of the milter API it was designed so that a 
milter received the message input stream -before- local headers were added, thus 
the need for spamassassin 'glue' milters to do that Received: header synthesis.

If those Authentication-Results: headers are being generated by another milter 
then the solution is easy, just set the MTA configuration to run that milter 
before the spamassassin 'glue' milter. Milter results are chained so any headers 
explicitly added by one milter are passed on to succeeding milters.

If those headers are being generated by the MTA then it may not be possible for 
milters to see them without hacking the MTA itself.


-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: authres missing when ran from spamass-milter

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas:
>> that will need spamass-milter change.

On 31.05.23 13:52, David Bürgin wrote:
>Have you tried setting:
>
>authres_trusted_authserv fantomas.fantomas.sk

I did. that's why it works when checking later.

>I think this should work without changing anything in the milter …

milter adds own synthetised Received: header at the very beginning, which is 
most possibly the correct reason.

spamass-milter should add this header behind locally added 
Authentication-Results: headers, but it needs change in spamass-milter.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.

Re: authres missing when ran from spamass-milter

Posted by David Bürgin <db...@gluet.ch>.
Matus UHLAR - fantomas:
> that will need spamass-milter change.

Have you tried setting:

authres_trusted_authserv fantomas.fantomas.sk

I think this should work without changing anything in the milter …

Re: authres missing when ran from spamass-milter

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas:
>> I happily use spamass-milter to filter spam at SMTP time.
>> Prior to spamass-milter, I use pyspf-milter/opendkim/opendmarc milters to mark if mail passes corresponding checks.
>>
>> I also use authres plugin to use these results. However, it does not work when receiving mail.
>>
>> I tried debugging both spamass-milter and spamd, and I see that the headers are indeed there:
>>
>>
>> May 30 17:57:03 fantomas spamd[1101]: authres: no Authentication-Results headers found from internal
>> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=xxx.sk
>> May 30 17:57:03 fantomas spamd[1101]: rules: [...]
>> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=192.0.2.1
>> May 30 17:57:03 fantomas spamd[1101]: rules: [...]
>> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF  authorized) smtp.mailfrom=xxx.sk (client-ip=192.0.2.1;  helo=smtp8.xxx.sk; envelope-from=yyy@xxx.sk; receiver=<UNKNOWN>)
>>
>> Does anyone have an idea why spamd misses these?
>>
>>
>> when I pipe message to spamd manually, those headers are there and AUTHRES matches:
>>
>> X-Spam-Status: No, score=-0.9 required=5.0 tests=AUTHRES_SPF_PASS,BAYES_00,
>>         DCC_CHECK,DMARC_MISSING,KAM_DMARC_STATUS,KAM_NUMSUBJECT,RDNS_NONE,
>>         SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=no
>>         autolearn_force=no version=4.0.0

On 30.05.23 18:48, David Bürgin wrote:
>Did you check if the ‘Authentication-Results’ headers are above the
>‘Received’ header generated by the milter? Per your own observation in
>an older thread:
>
>https://lists.apache.org/thread/q1vvoqvfv3fxjhwjzbjztq1y85hyn3mk

hmm, that may be that.
spamass-milter seems to put generated Received: header before Authentication-Results: added by other milters.

May 30 17:57:03 fantomas spamd[1101]: rules: ran header rule __DOS_RELAYED_EXT ======> got hit: "Received: from smtp8.xxx.sk (smtp8.xxx.sk [192.0.2.1]) by fantomas.fantomas.sk (Postfix 3.5.18/8.13.0) with SMTP id unknown Tue, 30 May 2>
May 30 17:57:03 fantomas spamd[1101]: rules: [...]
May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=nextra.sk

that will need spamass-milter change.
thanks for noticing.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig

Re: authres missing when ran from spamass-milter

Posted by David Bürgin <db...@gluet.ch>.
Matus UHLAR - fantomas:
> I happily use spamass-milter to filter spam at SMTP time.
> Prior to spamass-milter, I use pyspf-milter/opendkim/opendmarc milters to mark if mail passes corresponding checks.
> 
> I also use authres plugin to use these results. However, it does not work when receiving mail.
> 
> I tried debugging both spamass-milter and spamd, and I see that the headers are indeed there:
> 
> 
> May 30 17:57:03 fantomas spamd[1101]: authres: no Authentication-Results headers found from internal
> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=xxx.sk
> May 30 17:57:03 fantomas spamd[1101]: rules: [...]
> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=192.0.2.1
> May 30 17:57:03 fantomas spamd[1101]: rules: [...]
> May 30 17:57:03 fantomas spamd[1101]: rules: [...] Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF  authorized) smtp.mailfrom=xxx.sk (client-ip=192.0.2.1;  helo=smtp8.xxx.sk; envelope-from=yyy@xxx.sk; receiver=<UNKNOWN>)
> 
> Does anyone have an idea why spamd misses these?
> 
> 
> when I pipe message to spamd manually, those headers are there and AUTHRES matches:
> 
> X-Spam-Status: No, score=-0.9 required=5.0 tests=AUTHRES_SPF_PASS,BAYES_00,
>         DCC_CHECK,DMARC_MISSING,KAM_DMARC_STATUS,KAM_NUMSUBJECT,RDNS_NONE,
>         SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=no
>         autolearn_force=no version=4.0.0

Did you check if the ‘Authentication-Results’ headers are above the
‘Received’ header generated by the milter? Per your own observation in
an older thread:

https://lists.apache.org/thread/q1vvoqvfv3fxjhwjzbjztq1y85hyn3mk

(To be sure I’m not currently using AuthRes, so don’t know if relevant.)