Posted to users@spamassassin.apache.org by Geert Haustraete <ge...@telenet.be> on 2011/08/16 18:29:13 UTC

spamassassin rule not firing

Hello,

I'm running  2 mail servers where one is a backup server in case the 
primary is unreachable. Both are set to include the SPF result in the 
mail header. I have put these rules into my local.cf file.

#Check for SPF headers
header LOCAL_SPF_PASS Received-SPF =~ /^pass/
header LOCAL_SPF_NEUTRAL Received-SPF =~ /^neutral/
header LOCAL_SPF_SOFTFAIL Received-SPF =~ /^softfail/
header LOCAL_SPF_FAIL Received-SPF =~ /^fail/

score LOCAL_SPF_PASS     -0.001
score LOCAL_SPF_NEUTRAL  2.500
score LOCAL_SPF_SOFTFAIL 5.000
score LOCAL_SPF_FAIL     8.000


# Check if mail came first from the secondary mailserver, then there are
# 2 SPF records, one pass and one fail, so recalc accordingly
header __SPF_PASS Received-SPF =~ /^pass \((server|srv2)\.ehealth\.be:/
header __SPF_NEUTRAL Received-SPF =~ /^neutral \(server3:/
header __SPF_SOFTFAIL Received-SPF =~ /^softfail \(server3:/
header __SPF_FAIL Received-SPF =~ /^fail \(server3:/
header __RECEIVED_MXSECONDARY Received =~ /mail\.srv2\.ehealth\.be/

meta LOCAL_SPF_PASS2 (__SPF_PASS)
score LOCAL_SPF_PASS2 -0.001

meta LOCAL_SPF_NEUTRAL2 (__SPF_NEUTRAL)
score LOCAL_SPF_NEUTRAL2 -0.001

meta LOCAL_SPF_SOFTFAIL2 (__SPF_SOFTFAIL)
score LOCAL_SPF_SOFTFAIL2 -0.001

meta LOCAL_SPF_FAIL2 (__SPF_FAIL)
score LOCAL_SPF_FAIL2 -0.001

meta LOCAL_SPF_MX2 (__RECEIVED_MXSECONDARY)
score LOCAL_SPF_MX2 -0.001

meta LOCAL_SPF_MXSECUNDARY_PASS_NEUTRAL (__RECEIVED_MXSECONDARY && __SPF_PASS && __SPF_NEUTRAL)
score LOCAL_SPF_MXSECUNDARY_PASS_NEUTRAL -2.500

meta LOCAL_SPF_MXSECUNDARY_PASS_SOFTFAIL (__RECEIVED_MXSECONDARY && __SPF_PASS && __SPF_SOFTFAIL)
score LOCAL_SPF_MXSECUNDARY_PASS_SOFTFAIL -5.000

meta LOCAL_SPF_MXSECUNDARY_PASS_FAIL (__RECEIVED_MXSECONDARY && __SPF_PASS && __SPF_FAIL)
score LOCAL_SPF_MXSECUNDARY_PASS_FAIL -8.000

But I still receive mails tagged as SPAM if they have been relayed by 
the secondary mx, because one rule is not firing as expected. For 
example,  in this mail header:

Return-Path: <x....@ehealth.be>
Delivered-To: x.y@ehealth.be
Received: (qmail 13361 invoked by uid 89); 15 Aug 2011 23:00:30 -0000
DomainKey-Status: no signature
Received: by simscan 1.3.1 ppid: 13309, pid: 13339, t: 15.0550s
          scanners: attach: 1.3.1 clamav: 0.93/m:46 spam: 3.2.4
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on server3.higis.eu.org
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=AWL,BAYES_00,LOCAL_SPF_FAIL,
         LOCAL_SPF_FAIL2,LOCAL_SPF_MX2,MIME_QP_LONG_LINE,RCVD_NUMERIC_HELO,RDNS_NONE
         autolearn=no version=3.2.4
X-Spam-Report:
         *  8.0 LOCAL_SPF_FAIL LOCAL_SPF_FAIL
         *  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
         * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
         *      [score: 0.0000]
         *  1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
         * -0.0 LOCAL_SPF_FAIL2 LOCAL_SPF_FAIL2
         *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
         * -0.0 LOCAL_SPF_MX2 LOCAL_SPF_MX2
         * -3.8 AWL AWL: From: address is in the auto white-list
Received: from unknown (HELO mail.srv2.ehealth.be) (67.219.63.204)
   by server3 with (DHE-RSA-AES256-SHA encrypted) SMTP; 15 Aug 2011 23:00:14 -0000
Received-SPF: fail (server3: SPF record at bgc.spf.secure-mail.be does not designate 67.219.63.204 as permitted sender)
Received: (qmail 13983 invoked from network); 15 Aug 2011 22:13:21 +0200
Received: from relaygateway01.edpnet.net (212.71.1.210)
   by server.ehealth.be with SMTP; 15 Aug 2011 22:13:21 +0200
Received-SPF: pass (server.ehealth.be: SPF record at edpnet.net designates 212.71.1.210 as permitted sender)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
AkIAAKJ9SU5NbWcu/2dsb2JhbAAMNoRIlACOZIMhAQEDAQEjVgULCw4DBAEBAQICIwMCAkYJCAYTh3AEqAaRVoEshAsxXwSkCQ
X-IronPort-AV: E=Sophos;i="4.67,375,1309730400";
    d="scan'208";a="26553513"
Received: from 77.109.103.46.adsl.dyn.edpnet.net (HELO [192.168.2.66]) ([77.109.103.46])
   by relaygateway01.edpnet.net with ESMTP; 15 Aug 2011 22:13:25 +0200
References: <FE...@Gris>
   <90...@GBCOCG220M.eu.Corp.Car.com>
   <3c...@www.ehealth.be>
   <13...@Gris>
In-Reply-To: <13...@Gris>
Mime-Version: 1.0 (iPad Mail 8J2)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
         charset=utf-8
Message-Id: <70...@ehealth.be>
Cc: X Y <x....@ehealth.be>,
  A B <a....@ehealth.be>
X-Mailer: iPad Mail (8J2)
From: X Y <x....@ehealth.be>
Subject: ***SPAM(5.1)*** Re: Offerte JV
Date: Mon, 15 Aug 2011 22:14:39 +0200
To: J V <jv...@telenet.be>
X-Spam-Prev-Subject: Re: Offerte JV

I wonder why I didn't get the metarule LOCAL_SPF_PASS2 and hence also 
the metarule LOCAL_SPF_MXSECUNDARY_PASS_FAIL? The expressions seem 
valid to me but I could be wrong of course.

thx,
Geert
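
Added example (not part of the original post): a Python model of how the sub-rules above evaluate against the two Received-SPF values in the quoted message. It assumes SpamAssassin runs a header rule's regex once over all values of that header joined by newlines, so a ^ without the /m modifier anchors only at the first value; the names fires and evaluate are hypothetical.

```python
import re

# Received-SPF values from the message quoted above, unfolded, in header order.
RECEIVED_SPF = [
    "fail (server3: SPF record at bgc.spf.secure-mail.be does not designate "
    "67.219.63.204 as permitted sender)",
    "pass (server.ehealth.be: SPF record at edpnet.net designates "
    "212.71.1.210 as permitted sender)",
]
# The Received value that names the secondary MX.
RECEIVED = [
    "from unknown (HELO mail.srv2.ehealth.be) (67.219.63.204) by server3 "
    "with (DHE-RSA-AES256-SHA encrypted) SMTP; 15 Aug 2011 23:00:14 -0000",
]


def fires(pattern, values, flags=0):
    """Assumed model of a header rule: one search over all values joined by newlines."""
    return re.search(pattern, "\n".join(values), flags) is not None


def evaluate(flags=0):
    """Evaluate the poster's sub-rules and the PASS_FAIL meta with the given regex flags."""
    hits = {
        "__SPF_PASS": fires(r"^pass \((server|srv2)\.ehealth\.be:", RECEIVED_SPF, flags),
        "__SPF_FAIL": fires(r"^fail \(server3:", RECEIVED_SPF, flags),
        "__RECEIVED_MXSECONDARY": fires(r"mail\.srv2\.ehealth\.be", RECEIVED, flags),
    }
    # meta LOCAL_SPF_MXSECUNDARY_PASS_FAIL is the AND of the three sub-rules.
    hits["LOCAL_SPF_MXSECUNDARY_PASS_FAIL"] = all(hits.values())
    return hits


if __name__ == "__main__":
    for label, flags in (("as written", 0), ("with /m", re.MULTILINE)):
        print(label, evaluate(flags))
```

Under that assumption the run without /m reproduces the X-Spam-Status line above: the fail sub-rule hits, while the pass sub-rule and the PASS_FAIL meta do not.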

Re: spamassassin rule not firing

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 16.08.11 18:29, Geert Haustraete wrote:
>I'm running  2 mail servers where one is a backup server in case the 
>primary is unreachable. Both are set to include the SPF result in the 
>mail header. I have put these rules into my local.cf file.
>
>#Check for SPF headers
>header LOCAL_SPF_PASS Received-SPF =~ /^pass/
>header LOCAL_SPF_NEUTRAL Received-SPF =~ /^neutral/
>header LOCAL_SPF_SOFTFAIL Received-SPF =~ /^softfail/
>header LOCAL_SPF_FAIL Received-SPF =~ /^fail/
>
>score LOCAL_SPF_PASS     -0.001
>score LOCAL_SPF_NEUTRAL  2.500
>score LOCAL_SPF_SOFTFAIL 5.000
>score LOCAL_SPF_FAIL     8.000

I wonder why you want to use it this way. I think that proper 
setting of internal_network should just make SpamAssassin do the SPF 
checks properly.

If not, maybe the SA is confused by Received-SPF: headers provided by 
those servers, which should be easily fixed by setting 
ignore_received_spf_header to 1.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Re: spamassassin rule not firing

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 16 Aug 2011 18:29:13 +0200, Geert Haustraete wrote:

> I'm running  2 mail servers where one is a backup server in case the
> primary is unreachable. Both are set to include the SPF result in the
> mail header. I have put these rules into my local.cf file.

(snip-rules)

perldoc Mail::SpamAssassin::Plugin::SPF
perldoc Mail::SpamAssassin::Conf

how did you configure the plugin?

do you use the Mail::SPF perl module directly in the MTA?

if so, the Received-SPF header can be reused, but make sure you do not 
add your own rules to catch it, since this header can be put in multiple 
times by the remote spammer; this is avoided by the SPF plugin if used 
correctly
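
Added example (not part of the thread, and not the SPF plugin's own code): a Python sketch of why a rule that matches any Received-SPF header can be satisfied by a header the sender supplied, and of one way to keep only the results written by your own hops. It assumes the layout of the sample message, where each MTA writes its Received-SPF directly below its own Received line; TRUSTED_HOSTS, the function names and the two "constructed value" lines are hypothetical.

```python
import re

TRUSTED_HOSTS = {"server3", "server.ehealth.be"}  # assumed "by" names of our own MTAs

# Constructed header list, top-down, modelled on the message in this thread.
# The two "constructed value" lines stand for headers supplied by the sender.
HEADERS = [
    ("Received", "(qmail 13361 invoked by uid 89)"),
    ("Received", "from unknown (HELO mail.srv2.ehealth.be) (67.219.63.204) by server3 with SMTP"),
    ("Received-SPF", "fail (server3: SPF record at bgc.spf.secure-mail.be does not "
                     "designate 67.219.63.204 as permitted sender)"),
    ("Received", "from relaygateway01.edpnet.net (212.71.1.210) by server.ehealth.be with SMTP"),
    ("Received-SPF", "pass (server.ehealth.be: SPF record at edpnet.net designates "
                     "212.71.1.210 as permitted sender)"),
    ("Received-SPF", "pass (server3: constructed value, not written by server3)"),
    ("Received", "from 77.109.103.46.adsl.dyn.edpnet.net by relaygateway01.edpnet.net with ESMTP"),
    ("Received-SPF", "pass (server.ehealth.be: constructed value below the trust boundary)"),
]

BY_HOST = re.compile(r"\bby (\S+)")
SPF_VALUE = re.compile(r"(\w+) \(([^:\s]+):")

def naive_results(headers):
    """What a rule matching any Received-SPF header sees: every value, forged or not."""
    return [v.split()[0] for n, v in headers if n.lower() == "received-spf"]

def trusted_results(headers, trusted_hosts):
    """[(host, result)] for Received-SPF lines written by our own hops, top-down."""
    found = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received" or not value.startswith("from "):
            continue  # not a network hop (other header, or a local qmail line)
        by = BY_HOST.search(value)
        if not by or by.group(1) not in trusted_hosts:
            break  # first hop we do not run: everything below is sender-supplied
        # Assumption: the hop's own Received-SPF is the very next header.
        nxt_name, nxt_value = headers[i + 1] if i + 1 < len(headers) else ("", "")
        spf = SPF_VALUE.match(nxt_value) if nxt_name.lower() == "received-spf" else None
        if spf and spf.group(2) == by.group(1):
            found.append((by.group(1), spf.group(1)))
    return found

def effective_result(headers, trusted_hosts):
    """Result recorded by the trusted hop nearest the sender, or None."""
    found = trusted_results(headers, trusted_hosts)
    return found[-1][1] if found else None
```

Here the naive view counts three "pass" values, while only two results are attributable to trusted hops, and the one recorded by the hop that faced the outside (server.ehealth.be) is the meaningful one.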