Posted to users@spamassassin.apache.org by martin f krafft <us...@mass.madduck.net> on 2006/06/06 14:01:13 UTC

Re: Problem with false-positives for SASL users

Regarding the issue I raised in February (to which I have not yet
found an answer), you may be interested in checking out the last
paragraph of http://blog.madduck.net/geek/2006.06.06-delayed-mail,
which also includes a link to postfix patch addressing the issue.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
invalid/expired pgp (sub)keys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus@madduck.net
 
i wish this wish not to be granted!
                                        -- achilles (hofstadter's geb)

Re: Problem with false-positives for SASL users

Posted by Mark Martinec <Ma...@ijs.si>.
> > It is only a partial solution. It covers only one method
> > of authorizing roaming users for submitting mail to their
> > organization's MSA. It would be much better to have
> > a more general solution, trusting MSA to do its job
> > (see parallel thread "internal/trusted again, MSA tested
> > for SPF?")

> Agreed in the case of a totally separate MSA host.

Right. If it is not separate I agree this remains
to be a more difficult problem.

> Although in that case, I'm not sure about what benefit there is
> to scanning the mail at all.

Here are some good reasons to spam-scan (and virus-scan) outgoing mail:

- an internal host (or a roaming laptop) may become infected, turned into a
  spam-spewing zombie or a virus-propagating host. It is wise to catch them
  as soon as possible, better in-house, blocking pollution from spreading
  and retaining company face. It also facilitates locating such a host.

- an internal user may intentionally start sending spam. Letting administrator
  become aware of it can lead to educating users about company policy.
  An in-house bounce can make a good-faith user rephrase his mail and
  avoid risking it to be junked on the recipient's side.

- letting Bayes auto-learn on both outgoing and incoming mail leads
  to a better database, with more high-quality samples of ham.

- and a shameless plug: amavisd-new-2.4.2 introduced pen-pals whitelisting
  scheme (based on a database of all recent mail messages), reducing spam
  score on replies to previous outgoing mail if sender/recipient address pair
  exactly matches previous recipient/sender pair. For this to work mail must
  pass through a content filter in both directions. Btw, it could just as
  well be made into a SA plugin, it was just easier for me to use existing
  infrastructure. If someone cares to write a SA plugin implementation
  of the same mechanism, I have no objections. More on that in 2.4.2
  release notes: http://www.ijs.si/software/amavisd/release-notes.txt

Mark
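As an added illustration of the pen-pals mechanism Mark describes (not amavisd-new's own code, which is Perl, and not a SpamAssassin plugin): a small store of recent outgoing (sender, recipient) pairs, and a lookup that grants a score bonus only when an incoming message's pair is the exact reverse of one of them and the original was sent within a recency window. The addresses, the 14-day window, the flat -1.0 bonus and the use of plain Unix-second timestamps are assumptions made for the example.

```python
# Added example: a minimal pen-pals lookup, written in Python to show the
# mechanism described above. amavisd-new's real implementation differs.

DAY = 86400


def normalise(addr):
    """Compare addresses case-insensitively (assumption: local parts too)."""
    return addr.strip().lower()


class PenPals:
    """Remember recent outgoing (sender, recipient) pairs.

    An incoming message earns a bonus only if its (sender, recipient) pair
    is exactly the reverse of a pair we recently sent, i.e. it looks like a
    reply to our own outgoing mail. Both directions must pass through the
    content filter for the store to be populated.
    """

    def __init__(self, window=14 * DAY, bonus=-1.0):
        self.window = window        # how long an outgoing message "counts"
        self.bonus = bonus          # score adjustment for a matching reply
        self._seen = {}             # (our sender, their recipient) -> last sent time

    def record_outgoing(self, sender, recipient, when):
        """Called for every outgoing message that passes the filter."""
        self._seen[(normalise(sender), normalise(recipient))] = when
        self._expire(when)

    def _expire(self, now):
        """Drop pairs older than the window so the store stays 'recent'."""
        stale = [k for k, t in self._seen.items() if now - t > self.window]
        for k in stale:
            del self._seen[k]

    def score_adjustment(self, sender, recipient, when):
        """Called for an incoming message; returns the score delta to apply."""
        key = (normalise(recipient), normalise(sender))   # reversed pair
        sent = self._seen.get(key)
        if sent is None or when - sent > self.window:
            return 0.0
        return self.bonus


if __name__ == "__main__":
    # Constructed sample traffic, not real mail.
    pp = PenPals()
    t0 = 1_149_163_200
    pp.record_outgoing("Alice@Example.net", "bob@example.com", t0)
    print(pp.score_adjustment("bob@example.com", "alice@example.net", t0 + DAY))
```

Note that a message in the same direction as the original (our user writing to the same correspondent again) is not a reply and gets no bonus; only the reversed pair does, which is what keeps a spammer who merely knows two addresses from benefiting unless they also forge the exact sender our user wrote to.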

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Mark Martinec wrote:
>> What do you have to do to get that "Authenticated sender:" line?  It's
>> not unpatched Postfix, is it?  I know the Wietse was against such info
>> being provided.
>>> Apparently postfix 2.3 will support auth tokens.
>> Any link document that?  I'd like to add it to the wiki.
> 
> http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header

Thanks.


>>>> Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So much
>>>> for "drop in replacement". :)
> 
> It is only a partial solution. It covers only one method
> of authorizing roaming users for submitting mail to their
> organization's MSA. It would be much better to have
> a more general solution, trusting MSA to do its job
> (see parallel thread "internal/trusted again, MSA tested
> for SPF?")

Agreed in the case of a totally separate MSA host.  Although in that 
case, I'm not sure about what benefit there is to scanning the mail at all.


Daryl

Re: Problem with false-positives for SASL users

Posted by Mark Martinec <Ma...@ijs.si>.
> What do you have to do to get that "Authenticated sender:" line?  It's
> not unpatched Postfix, is it?  I know the Wietse was against such info
> being provided.
> > Apparently postfix 2.3 will support auth tokens.
> Any link document that?  I'd like to add it to the wiki.

http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header

> >> Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So much
> >> for "drop in replacement". :)

It is only a partial solution. It covers only one method
of authorizing roaming users for submitting mail to their
organization's MSA. It would be much better to have
a more general solution, trusting MSA to do its job
(see parallel thread "internal/trusted again, MSA tested
for SPF?")

  Mark

Re: Problem with false-positives for SASL users

Posted by "Jamie L. Penman-Smithson" <li...@silverdream.org>.
On 1 Jul 2006, at 00:32, Daryl C. W. O'Shea wrote:
> Jamie L. Penman-Smithson wrote:
>> It's better to look at the 'Authenticated sender':
>> Received: from bar.example.org (bar.example.org [127.0.0.1])
>>     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>>     (Client did not present a certificate)
>>     (Authenticated sender: sender.example.net)
>>     by foo.example.net (Postfix) with ESMTP id 44A8959ED6B0
>>     for <re...@example.com>; Fri, 30 Jun 2006 08:02:00 +0100 (BST)
>
> What do you have to do to get that "Authenticated sender:" line?   
> It's not unpatched Postfix, is it?  I know the Wietse was against  
> such info being provided.
>
> Do you have a link on how to do this.  I'd like to add it to the wiki.

You use the smtpd_sasl_authenticated_header option:

smtpd_sasl_authenticated_header (default: no)

     Report the SASL authenticated user name in the smtpd(8) Received  
message header.

     This feature is available in Postfix 2.3 and later.

[main.cf]
smtpd_sasl_authenticated_header = yes

>>> Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So  
>>> much for "drop in replacement". :)
>> Apparently postfix 2.3 will support auth tokens.
>
> Any link document that?  I'd like to add it to the wiki.

It was a passing comment on a mailing list, I couldn't find anything  
official from Wietse.

I'm not sure whether it is referring to the  
smtpd_sasl_authenticated_header option in 2.3, since I don't know how  
different this is to sendmail's auth tokens?

-j

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jamie L. Penman-Smithson wrote:

> It's better to look at the 'Authenticated sender':
> 
> Received: from bar.example.org (bar.example.org [127.0.0.1])
>     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>     (Client did not present a certificate)
>     (Authenticated sender: sender.example.net)
>     by foo.example.net (Postfix) with ESMTP id 44A8959ED6B0
>     for <re...@example.com>; Fri, 30 Jun 2006 08:02:00 +0100 (BST)

What do you have to do to get that "Authenticated sender:" line?  It's 
not unpatched Postfix, is it?  I know the Wietse was against such info 
being provided.

Do you have a link on how to do this.  I'd like to add it to the wiki.


>> Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So much 
>> for "drop in replacement". :)
> 
> Apparently postfix 2.3 will support auth tokens.

Any link document that?  I'd like to add it to the wiki.


Daryl

Re: Problem with false-positives for SASL users

Posted by "Jamie L. Penman-Smithson" <li...@silverdream.org>.
On 30 Jun 2006, at 23:25, Daryl C. W. O'Shea wrote:
> martin f krafft wrote:
<snip>
>>> Sure you do... at least auth headers that you know you added.
>>> Your problem is that Postfix doesn't include RFC 3848 style (or
>>> any) auth tokens.
>
> This TLS line is only added when someone authenticates  
> successfully, right?
>
> 	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>
> What about this SSL line (from the first post in this thread)?
>
>         (using SSLv3 with cipher RC4-MD5 (128/128 bits))
>
> How are these lines getting added?  Are they third party patches to  
> Postfix?  Does Postfix yet include any auth tokens in the main code  
> base?

It's better to look at the 'Authenticated sender':

Received: from bar.example.org (bar.example.org [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	(Authenticated sender: sender.example.net)
	by foo.example.net (Postfix) with ESMTP id 44A8959ED6B0
	for <re...@example.com>; Fri, 30 Jun 2006 08:02:00 +0100 (BST)

> Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So  
> much for "drop in replacement". :)

Apparently postfix 2.3 will support auth tokens.

-j

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin f krafft wrote:
> also sprach Daryl C. W. O'Shea <sp...@dostech.ca> [2006.06.06.2021 +0200]:
>> If you provide a full set of received headers that are being
>> passed to SA, someone can help you out with the correct settings.
> 
> I am having difficulties recreating the problem. Sometimes SA will
> happily include the RBL checks, sometimes I bet the DNS is just too
> slow and they're left out.
> 
> Anyway, please have a look at
> http://madduck.net/~madduck/scratch/msg3. It lists RCVD_IN_NJABL_DUL
> as successful, which just should not happen. In the end, SA is
> right, but I came in via TLS...
> 
>> Sure you do... at least auth headers that you know you added.
>> Your problem is that Postfix doesn't include RFC 3848 style (or
>> any) auth tokens.

This TLS line is only added when someone authenticates successfully, right?

	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))


What about this SSL line (from the first post in this thread)?

         (using SSLv3 with cipher RC4-MD5 (128/128 bits))



How are these lines getting added?  Are they third party patches to 
Postfix?  Does Postfix yet include any auth tokens in the main code base?

Why can't everyone just support RFC 3848 or mimic Sendmail?!?  So much 
for "drop in replacement". :)


Daryl


Re: Problem with false-positives for SASL users

Posted by martin f krafft <us...@mass.madduck.net>.
also sprach Daryl C. W. O'Shea <sp...@dostech.ca> [2006.06.06.2021 +0200]:
> If you provide a full set of received headers that are being
> passed to SA, someone can help you out with the correct settings.

I am having difficulties recreating the problem. Sometimes SA will
happily include the RBL checks, sometimes I bet the DNS is just too
slow and they're left out.

Anyway, please have a look at
http://madduck.net/~madduck/scratch/msg3. It lists RCVD_IN_NJABL_DUL
as successful, which just should not happen. In the end, SA is
right, but I came in via TLS...

> Sure you do... at least auth headers that you know you added.
> Your problem is that Postfix doesn't include RFC 3848 style (or
> any) auth tokens.
> 
> I think I heard (actually I may have dreamt) that a then future,
> now recent, version of Postfix would include such auth tokens.
> The last thing I do recall for sure though is something along the
> lines of Wietse saying "it's nobody's business if, or how, or who
> as, you authenticated".  I don't see anything on the Postfix site
> about support for this.

Also see http://dev.riseup.net/privacy/postfix/

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
spamtraps: madduck.bogus@madduck.net
 
"the 'volatile' keyword
 is implemented syntactically
 but not semantically"
                          -- documentation of m$ visual c, around 1992

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin f krafft wrote:
> also sprach Daryl C. W. O'Shea <sp...@dostech.ca> [2006.06.06.1848 +0200]:
>> Really?  That makes no sense to me.  I don't see anything in your 
>> example header that we use as auth tokens.  Actually, I don't see any 
>> auth tokens.  What's to stop someone from connecting with SSL but not 
>> authenticating?
> 
> Well, true. Given that I am actually calling SA after amavisd,
> 127.0.0.1 will always be the relay. I think I thus just effectively
> disabled all of SA. :)

Yeah, it sounds like you may have messed up your trust path settings 
enough to prevent your problem. :)

If you provide a full set of received headers that are being passed to 
SA, someone can help you out with the correct settings.


> And I don't want to filter on auth headers because what's to keep
> spammers from adding them?

Sure you do... at least auth headers that you know you added.  Your 
problem is that Postfix doesn't include RFC 3848 style (or any) auth tokens.

I think I heard (actually I may have dreamt) that a then future, now 
recent, version of Postfix would include such auth tokens.  The last 
thing I do recall for sure though is something along the lines of Wietse 
saying "it's nobody's business if, or how, or who as, you 
authenticated".  I don't see anything on the Postfix site about support 
for this.


>> What version of SA are you using?
> 
> 3.1.0a-2

Hrm.  Matt Kettler has said that he's seen a difference between 
1.2.3.4/32 and 1.2.3.4.  Now I believe you're saying you've seen 127. 
not include 127.0.0.1.  I'm still not sure how that'd happen with 
current code.


Daryl



Re: Problem with false-positives for SASL users

Posted by martin f krafft <us...@mass.madduck.net>.
also sprach Daryl C. W. O'Shea <sp...@dostech.ca> [2006.06.06.1848 +0200]:
> Really?  That makes no sense to me.  I don't see anything in your 
> example header that we use as auth tokens.  Actually, I don't see any 
> auth tokens.  What's to stop someone from connecting with SSL but not 
> authenticating?

Well, true. Given that I am actually calling SA after amavisd,
127.0.0.1 will always be the relay. I think I thus just effectively
disabled all of SA. :)

And I don't want to filter on auth headers because what's to keep
spammers from adding them?

> What version of SA are you using?

3.1.0a-2

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
spamtraps: madduck.bogus@madduck.net
 
in the beginning was the word,
and the word was content-type: text/plain

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin f krafft wrote:
> also sprach martin f krafft <us...@mass.madduck.net> [2006.06.06.1401 +0200]:
>> Regarding the issue I raised in February (to which I have not yet
>> found an answer)
> 
> I am sorry (again), I only just saw
>   http://mail-archives.apache.org/mod_mbox/spamassassin-users/200602.mbox/%3c20060223105945.2D21A5902EC@radish.jmason.org%3e
> 
> this does *indeed* work. At least it seems to.

Really?  That makes no sense to me.  I don't see anything in your 
example header that we use as auth tokens.  Actually, I don't see any 
auth tokens.  What's to stop someone from connecting with SSL but not 
authenticating?


> One thing though: specifying
> 
>   internal_networks 127.
> 
> does not work. I have to specify 127.0.0.1/32 to make it work, which
> is not a problem really.

Either should cover 127.0.0.1 (although adding an internal_networks 
entry without a trusted_networks entry that covers it is always wrong).

What version of SA are you using?


Daryl
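An added check, not from the thread and not SpamAssassin's own code, that applies Daryl's rule above: every internal_networks entry must be covered by some trusted_networks entry. It reads the two settings out of a local.cf fragment and reports internal entries that no trusted entry contains. The config fragments are constructed; the handling of SpamAssassin's trailing-dot prefix form ("127." meaning 127.0.0.0/8) and of partial-address-plus-mask entries ("192.168/16") is this example's own, IPv4 only, and "!" exclusion entries are skipped for simplicity.

```python
# Added example: lint trusted_networks / internal_networks consistency.
import ipaddress


def to_network(spec):
    """Turn one SpamAssassin IPv4 network spec into an ip_network.

    Handled forms: '10.1.2.3' (single host), '10.1.2.0/24',
    '192.168/16' (partial address plus mask) and the trailing-dot
    prefix '127.' or '192.168.' (eight bits per octet given).
    """
    spec = spec.strip()
    addr, _, plen = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not plen:
        plen = str(8 * len(octets)) if addr.endswith(".") else "32"
    octets += ["0"] * (4 - len(octets))          # pad partial addresses
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_networks(local_cf):
    """Collect the entries of both settings, allowing several lines each."""
    nets = {"trusted_networks": [], "internal_networks": []}
    for raw in local_cf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in nets:
            # '!' exclusion entries are out of scope for this simple check
            nets[key].extend(s for s in rest.split() if not s.startswith("!"))
    return nets


def uncovered_internal(local_cf):
    """Return internal_networks entries not inside any trusted_networks entry."""
    nets = parse_networks(local_cf)
    trusted = [to_network(s) for s in nets["trusted_networks"]]
    return [s for s in nets["internal_networks"]
            if not any(to_network(s).subnet_of(t) for t in trusted)]


# Constructed local.cf fragments (not from the thread).
BAD_CF = """
# internal_networks alone: nothing says 127.0.0.1 is trusted
internal_networks 127.0.0.1/32
"""

GOOD_CF = """
trusted_networks 127. 192.168.0.0/16     # covers both internal entries
internal_networks 127.0.0.1/32 192.168.1.5
"""

if __name__ == "__main__":
    print("bad config, uncovered:", uncovered_internal(BAD_CF))
    print("good config, uncovered:", uncovered_internal(GOOD_CF))
```

Both "127." and "127.0.0.1/32" resolve to networks that contain 127.0.0.1, so the check does not distinguish the two spellings Martin compared; what it flags is the missing trusted_networks entry.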



Re: Problem with false-positives for SASL users

Posted by martin f krafft <us...@mass.madduck.net>.
also sprach martin f krafft <us...@mass.madduck.net> [2006.06.06.1401 +0200]:
> Regarding the issue I raised in February (to which I have not yet
> found an answer)

I am sorry (again), I only just saw
  http://mail-archives.apache.org/mod_mbox/spamassassin-users/200602.mbox/%3c20060223105945.2D21A5902EC@radish.jmason.org%3e

this does *indeed* work. At least it seems to.

One thing though: specifying

  internal_networks 127.

does not work. I have to specify 127.0.0.1/32 to make it work, which
is not a problem really.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
spamtraps: madduck.bogus@madduck.net
 
never trust an operating system
for which you do not have the source.
                                                   -- source unknown

Re: Problem with false-positives for SASL users

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin f krafft wrote:
> also sprach martin f krafft <us...@mass.madduck.net> [2006.06.06.1401 +0200]:
>> Regarding the issue I raised in February (to which I have not yet
>> found an answer), you may be interested in checking out the last
>> paragraph of http://blog.madduck.net/geek/2006.06.06-delayed-mail,
>> which also includes a link to postfix patch addressing the issue.
> 
> http://blog.madduck.net/geek/2006.06.30-postfix-auth-anonymisation

Can someone *please* provide me with samples of the authenticated 
headers referenced in blog link:


/^Received: from ([-._[:alnum:]]+ \([-._[:alnum:]]+ 
\[[.[:digit:]]{7,15}\]\))
     [[:space:]]+\(Authenticated sender: ([^)]+)\)
     [[:space:]]+by (seamus\.madduck\.net) \(([^)]+)\)
     with (E?SMTP) id ([A-F[:digit:]]+)
     [[:space:]]+for <([^>]+)>; (.*)/



Daryl
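An added example, not from the thread, the blog post or SpamAssassin, showing how a Received line in the Postfix layout from Jamie's post (the one the regex above matches) can be evaluated for authentication. It unfolds the header, reads the "by" host, and believes an "Authenticated sender:" clause only when that host is one of your own MSAs, the same idea as the regex pinning seamus.madduck.net and Daryl's "auth headers that you know you added"; a header claiming authentication but written by any other host is ignored, which answers Martin's concern about added headers. It also recognises the RFC 3848 keywords (ESMTPA, ESMTPSA) so a Sendmail-style header is handled too, and it treats a TLS cipher line alone as saying nothing about authentication, which is Daryl's point about the SSLv3 line. The hostnames, addresses, queue ids and the msa_hosts set are constructed assumptions. Which Received line is "yours" is the trust-path question SpamAssassin settles with trusted_networks; this example only judges a single line you hand it.

```python
# Added example: decide whether one Received header proves SMTP AUTH.
import re

# Postfix with smtpd_sasl_authenticated_header = yes adds this clause.
AUTH_SENDER_RE = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")
# The receiving host, as written by the MTA that added the header.
BY_RE = re.compile(r"\bby\s+([-.\w]+)")
# RFC 3848 "with" keywords: ESMTPA / ESMTPSA mean the client authenticated;
# ESMTPS means TLS only; plain ESMTP says nothing either way.
WITH_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b")


def unfold(header):
    """Join a folded header into one line and drop the field name."""
    body = " ".join(part.strip() for part in header.splitlines())
    return re.sub(r"^Received:\s*", "", body, flags=re.I)


def authenticated_sender(header, msa_hosts):
    """Return what this Received line proves about SMTP AUTH.

    Only a header written by one of our own MSAs (msa_hosts) is believed:
    any other host, or any sender, could have written the same text.
    """
    line = unfold(header)
    by = BY_RE.search(line)
    result = {"by": by.group(1) if by else None,
              "authenticated": False, "user": None, "method": None}
    if result["by"] not in msa_hosts:
        return result                     # not our header: ignore its claims
    m = AUTH_SENDER_RE.search(line)
    if m:
        result.update(authenticated=True, user=m.group(1).strip(),
                      method="postfix-header")
        return result
    w = WITH_RE.search(line)
    if w and w.group(1).endswith("A"):    # ESMTPA or ESMTPSA
        result.update(authenticated=True, method="rfc3848")
    return result


MSA = {"foo.example.net"}   # assumption: the hosts we know add auth clauses

# Constructed sample headers in the layouts discussed in the thread.
POSTFIX_AUTH = """Received: from laptop.example.net (laptop.example.net [192.0.2.10])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    (Authenticated sender: alice@example.net)
    by foo.example.net (Postfix) with ESMTP id 0123456789AB
    for <rcpt@example.com>; Fri, 30 Jun 2006 08:02:00 +0100 (BST)"""

# TLS was used, but nobody authenticated: the cipher line alone proves nothing.
POSTFIX_TLS_ONLY = """Received: from laptop.example.net (laptop.example.net [192.0.2.10])
    (using SSLv3 with cipher RC4-MD5 (128/128 bits))
    by foo.example.net (Postfix) with ESMTP id 0123456789AC
    for <rcpt@example.com>; Fri, 30 Jun 2006 08:03:00 +0100 (BST)"""

# Same clause, but the "by" host is not our MSA, so it carries no weight.
OTHER_HOST_AUTH = POSTFIX_AUTH.replace("by foo.example.net", "by other.example.org")

# Sendmail-style header using the RFC 3848 keyword.
SENDMAIL_AUTH = """Received: from laptop.example.net (laptop.example.net [192.0.2.10])
    by foo.example.net (8.13.6/8.13.6) with ESMTPSA id k5U7020a012345
    for <rcpt@example.com>; Fri, 30 Jun 2006 08:04:00 +0100 (BST)"""

if __name__ == "__main__":
    for name, hdr in [("postfix auth", POSTFIX_AUTH), ("tls only", POSTFIX_TLS_ONLY),
                      ("other host", OTHER_HOST_AUTH), ("sendmail", SENDMAIL_AUTH)]:
        print(name, authenticated_sender(hdr, MSA))
```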

Re: Problem with false-positives for SASL users

Posted by martin f krafft <us...@mass.madduck.net>.
also sprach martin f krafft <us...@mass.madduck.net> [2006.06.06.1401 +0200]:
> Regarding the issue I raised in February (to which I have not yet
> found an answer), you may be interested in checking out the last
> paragraph of http://blog.madduck.net/geek/2006.06.06-delayed-mail,
> which also includes a link to postfix patch addressing the issue.

http://blog.madduck.net/geek/2006.06.30-postfix-auth-anonymisation

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
spamtraps: madduck.bogus@madduck.net
 
linux: because a pc is a terrible thing to waste

Re: Problem with false-positives for SASL users

Posted by martin f krafft <us...@mass.madduck.net>.
also sprach martin f krafft <us...@mass.madduck.net> [2006.06.06.1401 +0200]:
> Regarding the issue I raised in February (to which I have not yet
> found an answer)

Sorry, that would be
  http://mail-archives.apache.org/mod_mbox/spamassassin-users/200602.mbox/%3C20060223104646.GA26980@lapse.madduck.net%3E

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
 
spamtraps: madduck.bogus@madduck.net
 
"micro$oft productivity software"
                              - see reductio ad absurdum, conclusions.