Posted to users@spamassassin.apache.org by Luis Hernán Otegui <lu...@gmail.com> on 2007/06/13 16:09:26 UTC

SASL and SPF Fail

Hi, list, several of my users are beginning to use the SASL method to
send mails through the server. The point is that the messages from one
of these users are getting tagged as spam (the lil' bastard uses
Incredimail, so a bunch of other stuff regarding this crappy piece
of software gets his messages over the discard line, but that's
another story. I'll search the list messages, I think I remember a
thread on that issue). Anyway, I've noticed SPF checks of his mails
fail. He's connecting from a network outside ours, so I was wondering
what makes the SPF checks fail, even when he is connecting as a client
to our server...

Thanks,


Luis

-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-------------------------------------------------

Re: SASL and SPF Fail

Posted by Luis Hernán Otegui <lu...@gmail.com>.
OK, got the picture. Guess I'll go for the upgrade of postfix.

Thanks again,

Luis

2007/6/13, Daryl C. W. O'Shea <sp...@dostech.ca>:
> Luis Hernán Otegui wrote:
> > OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
> > headers. Now, a question: how do I assign a score of zero to SPF_FAIL
> > (in order to disable that rule) if my custom rule matches? I guess
> > it's via a META rule, but I can't get it working...
> >
> > Based on the rule published at SA's Wiki, I was thinking of something
> > like this:
> >
> > header LOCAL_AUTH_RCVD    Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca /
> >
> > meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL)
> >
> > But here I lost it. Thought of something like this:
> >
> > score LOCAL_AUTH_NO_SPF -0.693
> >
> > which has the exact reverse score of SPF_FAIL. I think it would be
> > more elegant to zero that rule in this particular case. But I don't
> > know how to do it...
>
> The problem is that SPF_FAIL isn't the only thing that you don't want to
> trigger that could trigger.  Any of the DNSBL tests could hit, too,
> depending on where your roaming users connect from.
>
> If you can't get one of the methods to extend trust to work (getting
> Postfix to insert an auth header in late 2.2 or any 2.3+ or using
> msa_networks in SA 3.2) you're best off not scanning auth'd mail at all
> if you can manage a way to do it.
>
> Otherwise, the UW example of matching on a received header and deducting
> a score is your last resort.  You might as well make it a fairly large
> negative score since you'll want it to counter both SPF_FAIL and any
> DNSBL tests that hit.  There's no way to use a meta, or anything other
> than a plugin that mucks with SA internals, to zero the score for
> SPF_FAIL as you'd like.
>
>
> Daryl
>



Re: SASL and SPF Fail

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Luis Hernán Otegui wrote:
> OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
> headers. Now, a question: how do I assign a score of zero to SPF_FAIL
> (in order to disable that rule) if my custom rule matches? I guess
> it's via a META rule, but I can't get it working...
> 
> Based on the rule published at SA's Wiki, I was thinking of something 
> like this:
> 
> header LOCAL_AUTH_RCVD    Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca /
> 
> meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL)
> 
> But here I lost it. Thought of something like this:
> 
> score LOCAL_AUTH_NO_SPF -0.693
> 
> which has the exact reverse score of SPF_FAIL. I think it would be
> more elegant to zero that rule in this particular case. But I don't
> know how to do it...

The problem is that SPF_FAIL isn't the only thing that you don't want to 
trigger that could trigger.  Any of the DNSBL tests could hit, too, 
depending on where your roaming users connect from.

If you can't get one of the methods to extend trust to work (getting 
Postfix to insert an auth header in late 2.2 or any 2.3+ or using 
msa_networks in SA 3.2) you're best off not scanning auth'd mail at all 
if you can manage a way to do it.

Otherwise, the UW example of matching on a received header and deducting 
a score is your last resort.  You might as well make it a fairly large 
negative score since you'll want it to counter both SPF_FAIL and any 
DNSBL tests that hit.  There's no way to use a meta, or anything other 
than a plugin that mucks with SA internals, to zero the score for 
SPF_FAIL as you'd like.


Daryl
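
Added example, not part of the original thread or of either poster's configuration: a SpamAssassin local.cf sketch of the options described in the reply above, with the trust-extension approach beside the last-resort compensating rule. The addresses, the host name mail.example.com and the -5.0 score are placeholder assumptions.

```conf
# SpamAssassin local.cf (constructed illustration).
# 192.0.2.0/24 and mail.example.com are placeholders for your own
# network and submission host.

# --- Preferred: extend trust, so SPF and DNSBL tests are not run
# --- against the roaming client's address at all.

# SA 3.2+: declare the host that accepts authenticated submissions
# as an MSA. It must also be listed as trusted and internal.
trusted_networks   192.0.2.0/24
internal_networks  192.0.2.0/24
msa_networks       192.0.2.25

# Alternative on the MTA side (no SA rule needed): have Postfix record
# the SASL login in the Received header it writes. In Postfix 2.3+
# this is set in main.cf:
#   smtpd_sasl_authenticated_header = yes

# --- Last resort: match the auth marker written by your own MTA and
# --- deduct a score. The pattern must be adapted to the exact
# --- Received format your MTA produces; the one below follows the
# --- UW example quoted in the thread with the host name swapped.
# A rule must sit on ONE line; a wrapped regex will not parse.
header   LOCAL_AUTH_RCVD  Received =~ /\(authenticated \(\d+ bits\)\) by mail\.example\.com /
describe LOCAL_AUTH_RCVD  Authenticated submission through our MTA

# -0.693 would only cancel SPF_FAIL. The deduction has to cover any
# DNSBL hits on the client's address too, hence a larger value
# (-5.0 is an arbitrary example, tune it to your scores).
score    LOCAL_AUTH_RCVD  -5.0

# Caveat: a "header Received" rule is tested against every Received
# header in the message, including ones present before your MTA
# handled it, so this rule is weaker than real trust extension.
```

Run `spamassassin --lint` after editing to confirm the rules parse.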

Re: SASL and SPF Fail

Posted by Luis Hernán Otegui <lu...@gmail.com>.
OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
headers. Now, a question: how do I assign a score of zero to SPF_FAIL
(in order to disable that rule) if my custom rule matches? I guess
it's via a META rule, but I can't get it working...

Based on the rule published at SA's Wiki, I was thinking of something like this:

header LOCAL_AUTH_RCVD    Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca /

meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL)

But here I lost it. Thought of something like this:

score LOCAL_AUTH_NO_SPF -0.693

which has the exact reverse score of SPF_FAIL. I think it would be
more elegant to zero that rule in this particular case. But I don't
know how to do it...

Thanks


Luis


2007/6/13, Daryl C. W. O'Shea <sp...@dostech.ca>:
> Luis Hernán Otegui wrote:
> > Hi, list, several of my users are beginning to use the SASL method to
> > send mails through the server. The point is that the messages from one
> > of these users are getting tagged as spam (the lil' bastard uses
> > Incredimail, so a bunch of other stuff regarding this crappy piece
> > of software gets his messages over the discard line, but that's
> > another story. I'll search the list messages, I think I remember a
> > thread on that issue). Anyway, I've noticed SPF checks of his mails
> > fail. He's connecting from a network outside ours, so I was wondering
> > what makes the SPF checks fail, even when he is connecting as a client
> > to our server...
>
> http://wiki.apache.org/spamassassin/DynablockIssues
>



Re: SASL and SPF Fail

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Luis Hernán Otegui wrote:
> Hi, list, several of my users are beginning to use the SASL method to
> send mails through the server. The point is that the messages from one
> of these users are getting tagged as spam (the lil' bastard uses
> Incredimail, so a bunch of other stuff regarding this crappy piece
> of software gets his messages over the discard line, but that's
> another story. I'll search the list messages, I think I remember a
> thread on that issue). Anyway, I've noticed SPF checks of his mails
> fail. He's connecting from a network outside ours, so I was wondering
> what makes the SPF checks fail, even when he is connecting as a client
> to our server...

http://wiki.apache.org/spamassassin/DynablockIssues