Re: Mail to local users
On Jun 19, 2019, at 04:56, Matt Anton wrote: > > IMHO, you should have put ‘-o milter_macro_daemon_name=ORIGINATING’ to > services to let milters know the mail stream from authenticated connections > is considered local. That’s something to keep in mind, for sure, but I have one milter and I am not concerned about spam originating from my local users, all of whom I can personally thump if needed. Disabling the milter entirely on the authenticated ports accomplishes what I need.
Re: Mail to local users
On 18 Jun 2019, at 22:45, @lbutlr wrote: > Solution was ridiculously simple. > > I added > > -o smtpd_milters= > -o milter_connect_macros= > > To submission and smpts in master.cf > > (I doubt the second line is needed, but eh… it’s not going to hurt) You did post on postfix-users how you set in master.cf submission and smtps services (see verbatim of this below): #v+ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_path=private/auth -o syslog_name=postfix/submit -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_data_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_path=private/auth -o smtpd_data_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes #v- IMHO, you should have put ‘-o milter_macro_daemon_name=ORIGINATING’ to services to let milters know the mail stream from authenticated connections is considered local. hth -- matt [at] lv223.org GPG key ID: 7D91A8CA signature.asc Description: OpenPGP digital signature
Re: Mail to local users
On 17 Jun 2019, at 11:32, @lbutlr wrote: > The message WAS sent via an authenticated connection: > > Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: > client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, > sasl_username=kr...@kreme.com > Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: > message-id=<0c3be5f6-c5b4-4b07-853d-fad6dcbb6...@kreme.com> Solution was ridiculously simple. I added -o smtpd_milters= -o milter_connect_macros= To submission and smpts in master.cf (I doubt the second line is needed, but eh… it’s not going to hurt)
Re: Mail to local users
On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas wrote: But how do I tell spamass-milter not to check for PBL and other similar tests on mails from local users to local users? don't. This is exactly what spammers try for years to avoid being detected. On 17.06.19 08:30, @lbutlr wrote: Spammers are not local users on my system. local users don't send via SMTP so they can't appear in PBL. Users who send via SMTP from host that is in PBL are not local. Spammers often send mail from remote hosts (often listed in PBL), directly to your local MTA, using your From: address. It appears that switching from dovecot LDA to dovecot LMTP has changed the appearance of the headers from local users. I’ll go check on the dovecot list. Here’s what the received header used to look like: Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93]) by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59 for ; Sun, 16 Aug 2009 22:19:02 -0600 (MDT) As opposed to now: Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160]) by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown; Sun, 16 Jun 2019 15:26:32 -0600 (envelope-from ) The first has an ESMTPS id and the other has SMTP id unknown. as already explained on the postfix-user list, this has nothing to do with the LDA, as it contains information how postfix received the message - not how it processes the mail further (who is passed to). Apparently the latter example is received via spamass-milter, missing queue ID and containing strange version. The Received: header may be faked by spamass-milter. do you use -x option for SA? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse
Re: Mail to local users
On 17 Jun 2019, at 14:28, David B Funk wrote:
Taking a quick look at the source code for spamass-milter (I use a
different milter) I can see that it explicitly needs '{auth_type}' and
'{auth_ssf}'
so you can ignore {auth_authen} & {auth_author}.
That's an unfortunate design choice.
The {auth_ssf} macro is (almost?) always going to be 0 and I suspect
that it's impossible for it to be anything else, since that would
indicate a "security layer" handled via SASL, which nobody really does.
If one is not supporting GSSAPI via SASL, it is not even hypothetically
possible to negotiate a security layer in SASL because it appears that
no other registered SASL mechanism supports any security layer; they
mostly just say "do this inside TLS."
If I were a user of spamass-milter, I would report that requirement as a
bug.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Mail to local users
On Jun 17, 2019, at 12:28 PM, David B Funk wrote:
> Taking a quick look at the source code for spamass-milter (I use a different
> milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}’ so
> you can ignore {auth_authen} & {auth_author}.
The default settings for postfix include:
$ postconf -d milter_mail_macros
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
{mail_host} {mail_mailer}
Which are not overridden in my configuration.
I do not see that postfix supports {auth_ssf}
--
Bart: That was the worst day of my life Homer: That was the worst day of
your life SO FAR.
Re: Mail to local users
On Mon, 17 Jun 2019, David B Funk wrote:
Are you feeding spamass-milter the necessary information (via milter-macros
in your MTA config) so that -it- knows that particular session is
authenticated? It needs that info if it's going to synthesize the correct
header so that SpamAssassin knows that session was authenticated.
Specifically:
In your config for Milter.macros.envfrom you need to include "{auth_type},
{auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax,
translate into postfix as appropriate).
If you don't pass those {auth_*} macros into spamass-milter it has no way to
know a particular session is authenticated.
Taking a quick look at the source code for spamass-milter (I use a different
milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}'
so you can ignore {auth_authen} & {auth_author}.
But with out that '{auth_type}' macro info it assumes the session isn't
authenticated, and won't pass that on to SA.
--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Mail to local users
On Mon, 17 Jun 2019, @lbutlr wrote:
On 17 Jun 2019, at 11:06, Reindl Harald wrote:
Am 17.06.19 um 16:30 schrieb @lbutlr:
Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from )
The first has an ESMTPS id and the other has SMTP id unknown.
a) ESMTPS is *not* authentication
I didn’t say it was, but the change in the header seems to be triggering
spamass-milter in ways that it was not being triggered before.
On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas wrote:
if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
of SMTP.
Note that spamass-milter fakes the first Received: header (because milter
must get message as it is received from mail client), but lack of "A" in the
SMTP indicates that your mail is not really authenticated.
The message WAS sent via an authenticated connection:
Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ:
client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN,
sasl_username=kr...@kreme.com
Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ:
message-id=<0c3be5f6-c5b4-4b07-853d-fad6dcbb6...@kreme.com>
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ:
from=, size=3259, nrcpt=2 (queue active)
Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=,
orig_to=, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9,
delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0
1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved)
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed
Are you feeding spamass-milter the necessary information (via milter-macros in
your MTA config) so that -it- knows that particular session is authenticated? It
needs that info if it's going to synthesize the correct header so that
SpamAssassin knows that session was authenticated.
Specifically:
In your config for Milter.macros.envfrom you need to include "{auth_type},
{auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax,
translate into postfix as appropriate).
If you don't pass those {auth_*} macros into spamass-milter it has no way to
know a particular session is authenticated.
--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Mail to local users
On 17 Jun 2019, at 11:06, Reindl Harald wrote: > Am 17.06.19 um 16:30 schrieb @lbutlr: >> Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net >> [73.14.161.160]) >> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown; >> Sun, 16 Jun 2019 15:26:32 -0600 >> (envelope-from ) >> >> The first has an ESMTPS id and the other has SMTP id unknown. > > a) ESMTPS is *not* authentication I didn’t say it was, but the change in the header seems to be triggering spamass-milter in ways that it was not being triggered before. On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas wrote: > if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead > of SMTP. > > Note that spamass-milter fakes the first Received: header (because milter > must get message as it is received from mail client), but lack of "A" in the > SMTP indicates that your mail is not really authenticated. The message WAS sent via an authenticated connection: Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, sasl_username=kr...@kreme.com Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: message-id=<0c3be5f6-c5b4-4b07-853d-fad6dcbb6...@kreme.com> Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: from=, size=3259, nrcpt=2 (queue active) Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=, orig_to=, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9, delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0 1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved) Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed -- Try to realize it's all within yourself/No one else can make you change
Re: Mail to local users
On Mon, 17 Jun 2019 08:30:09 -0600 @lbutlr wrote: > It appears that switching from dovecot LDA to dovecot LMTP has > changed the appearance of the headers from local users. I’ll go check > on the dovecot list. > > Here’s what the received header used to look like: > > Received: ...(Postfix) with ESMTPS id > As opposed to now: > > Received: ...(Postfix 3.4.5/8.13.0) with SMTP > The first has an ESMTPS id and the other has SMTP id unknown. The headers are added by postfix. Postfix passes mail to Dovecot LDA or LMTP after the milter has run.
Re: Mail to local users
On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas wrote: >> But how do I tell spamass-milter not to check for PBL and other similar >> tests on mails from local users to local users? > > don't. This is exactly what spammers try for years to avoid being detected. Spammers are not local users on my system. It appears that switching from dovecot LDA to dovecot LMTP has changed the appearance of the headers from local users. I’ll go check on the dovecot list. Here’s what the received header used to look like: Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93]) by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59 for ; Sun, 16 Aug 2009 22:19:02 -0600 (MDT) As opposed to now: Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160]) by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown; Sun, 16 Jun 2019 15:26:32 -0600 (envelope-from ) The first has an ESMTPS id and the other has SMTP id unknown. -- Help me, Obi-wan Kenobi. You're my only hope.
Re: Mail to local users
@lbutlr schrieb am 16.06.2019 um 23:41:
Seems like the -I fall should be taking care of this for me, at present. But
how do I tell spamass-milter not to check for PBL and other similar tests on
mails from local users to local users?
With postfix, best practice for locally submitted mail is to
1. submit authenticated mail to a different port than 25. Standard port
for submission is 587.
2. On submission port, configure the smtpd daemon to not
spamassassin-scan submitted mail
Since you seem to use spamass-milter, I can give my server as example
how you might do this. With milter, you implement before-queue spam
filtering according to http://www.postfix.org/MILTER_README.html. If you
need after-queue inspecting, consult
http://www.postfix.org/FILTER_README.html and
http://www.postfix.org/SMTPD_PROXY_README.html.
I also includes clamav virus scanning and dkim-signing and verification
with opendkim as milter.
You need to configure main.cf and some local smtpd options in master.cf.
If you want to quickly get to the point of all this, scroll to the last
paragraph of this mail.
Configure smtpd restrictions in /etc/postfix/main.cf:
This implements best practice according to
http://www.postfix.org/SMTPD_ACCESS_README.html. It became rather long,
but posting only an excerpt of the *_restrictions checklist makes it all
pointless. The checklist makes use of the current postfix features for
access control, junk mail control and relay control. It's a strict but
not paranoid restrictions collection suited for at least a tiny or small
mail server. It may be that bigger mail servers need to make it more
forgiving, but on the other hand this might be achieved by writing
offenders to the several local black- and whitelists that are accessed.
# order of restriction list evaluation: client, helo, sender, relay,
recipient, data or end-of-data
# all client commands
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_access
# HELO/EHLO
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
check_helo_access hash:/etc/postfix/helo_checks
# MAIL FROM
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_checks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
# RCPT TO
# relay policy
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
# RCPT TO
# spam blocking policy
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
check_recipient_access hash:/etc/postfix/recipient_access,
check_client_access hash:/etc/postfix/rbl_whitelist,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
check_policy_service unix:private/policyd-spf
# DATA
smtpd_data_restrictions =
reject_unauth_pipelining
mua_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_sasl_authenticated,
reject
Configure smtpd milter-related options in /etc/postfix/main.cf:
# milter setup
milter_connect_macros = j {daemon_name} v _
milter_default_action = accept
# milters for the public port 25 smtpd daemon (dkim sign, dmarc check,
virus scan, spam detection)
smtpd_milters =
unix:/var/run/opendkim-postfix/sock,
unix:/var/run/opendmarc-postfix/sock,
unix:/var/run/clamav-milter/clamav-milter.socket,
unix:/run/spamass-milter/postfix/sock
# milters for mail submissions from local applications (dkim sign)
non_smtpd_milters =
unix:/var/run/opendkim-postfix/sock
# milters for the submission smtpd daemon (dkim sign, virus scan)
mua_milters =
unix:/var/run/opendkim-postfix/sock,
unix:/var/run/clamav-milter/clamav-milter.socket
Finally, configure the submission smtpd daemon in /etc/postfix/master.cf:
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_milters=$mua_milters
With these local options in master.cf you exclude spamass-milter
processing from mails submitted on the submission port ($mua_milters)
but instead do dkim-signing. The changed smtpd_recipient_restrictions
allows authenticated submissions only and doesn't reject mail from
blocklists, so anyone from a dial-up network range, such as you and
everybody from his home, is allowed to submit without penalty.
Re: Mail to local users
On 16.06.19 15:41, @lbutlr wrote:
When I send an mail from my home machine to a user who is local to my mail
server, SpamAssassin (via spmass-milter) tags the mail as spam entirely
because my home IP is in the PBL blacklist. Which of course, it is and it
should be.
However, since the mail is actually originating on my server with an
authenticated connection, it seems the RBL check should be able to be
avoided?
Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from )
if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
of SMTP.
Note that spamass-milter fakes the first Received: header (because milter
must get message as it is received from mail client), but lack of "A" in the
SMTP indicates that your mail is not really authenticated.
Obviously I do not want to lower the scores for the three criteria that put
me over the limit on these emails, but similarly I do not want my mail to
other people on the server getting tagged as spam (nor there mail to me).
I have my current IP in the SpamAssassin-milter with the -I flag, but the
IP changes and this isn’t a solution for others sending mail to local
accounts from local accounts.
Postfix main.cf:
smtpd_milters =
unix:/var/run/spamass-milter.sock,
milter_connect_macros = j {daemon_name} v {if_name} _
#milter_default_action = tempfail
milter_default_action = accept
/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e
-i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
Seems like the -I fall should be taking care of this for me, at present.
should, if auth works.
But how do I tell spamass-milter not to check for PBL and other similar
tests on mails from local users to local users?
don't. This is exactly what spammers try for years to avoid being detected.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Mail to local users
On Sun, 16 Jun 2019, @lbutlr wrote: When I send an mail from my home machine to a user who is local to my mail server, SpamAssassin (via spmass-milter) tags the mail as spam entirely because my home IP is in the PBL blacklist. Which of course, it is and it should be. How is SA glued into your MTA? is there any way within that glue to recognize email originating locally and skip scanning it entirely (vs. trying to configure SA to give it a passing score)? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- 2 days until SWMBO's Birthday
Re: Mail to local users
On 16 Jun 2019, at 20:16, @lbutlr wrote: On 16 Jun 2019, at 17:01, David Jones wrote: Find the header being added by your Postfix MTA and add a rule to subtract points for authenticated senders. It should have "ESMTPSA" when sent by an authenticated account. The header postfix added was in the first post and does not have ESMTPSA in it header LOCAL AUTH_SENDER Received =~ /\.example\.com \(Postfix\) with ESMTPSA/ scoreLOCAL_AUTH_SENDER -4.0 Also, try adding that IP to your internal_networks and see how the scoring changes: internal_networks 73.14.161.160 And that IP is in spamass-milter in a -i directive. /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10 So it should never have tagged the email in the first place, right? Based solely on reading the man page for spamass-milter, I think you are right. However, I think you should try collapsing the -i arguments into just one comma-delimited list, to see if that form actually works as expected. You might want to use the support resources at http://savannah.nongnu.org/projects/spamass-milt/ to get help, since spamass-milter isn't part of the SA project. I also recommend setting trusted_networks, internal_networks, and msa_networks correctly and requiring authenticated submission such that SA can identify trusted mail rather than skip it. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Re: Mail to local users
On 16 Jun 2019, at 17:01, David Jones wrote: > Find the header being added by your Postfix MTA and add a rule to > subtract points for authenticated senders. It should have "ESMTPSA" > when sent by an authenticated account. The header postfix added was in the first post and does not have ESMTPSA in it > header LOCAL AUTH_SENDER Received =~ /\.example\.com \(Postfix\) > with ESMTPSA/ > scoreLOCAL_AUTH_SENDER -4.0 > > Also, try adding that IP to your internal_networks and see how the > scoring changes: > > internal_networks 73.14.161.160 And that IP is in spamass-milter in a -i directive. /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10 So it should never have tagged the email in the first place, right? -- O is for OLIVE run through with an awl P is for PRUE trampled flat in a brawl
Re: Mail to local users
On 6/16/19 4:41 PM, @lbutlr wrote:
> When I send an mail from my home machine to a user who is local to my mail
> server, SpamAssassin (via spmass-milter) tags the mail as spam entirely
> because my home IP is in the PBL blacklist. Which of course, it is and it
> should be.
>
> However, since the mail is actually originating on my server with an
> authenticated connection, it seems the RBL check should be able to be avoided?
>
> Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
> Sun, 16 Jun 2019 15:26:32 -0600
> (envelope-from )
>
> X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_50,NO_FM_NAME_IP_HOSTN,
> RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP
> autolearn=no autolearn_force=no version=3.4.2
>
> Obviously I do not want to lower the scores for the three criteria that put
> me over the limit on these emails, but similarly I do not want my mail to
> other people on the server getting tagged as spam (nor there mail to me). I
> have my current IP in the SpamAssassin-milter with the -I flag, but the IP
> changes and this isn’t a solution for others sending mail to local accounts
> from local accounts.
>
> Postfix main.cf:
> smtpd_milters =
> unix:/var/run/spamass-milter.sock,
> milter_connect_macros = j {daemon_name} v {if_name} _
> #milter_default_action = tempfail
> milter_default_action = accept
>
> /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e
> -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
>
> Seems like the -I fall should be taking care of this for me, at present. But
> how do I tell spamass-milter not to check for PBL and other similar tests on
> mails from local users to local users?
>
>
Find the header being added by your Postfix MTA and add a rule to
subtract points for authenticated senders. It should have "ESMTPSA"
when sent by an authenticated account.
header LOCAL AUTH_SENDER Received =~ /\.example\.com \(Postfix\)
with ESMTPSA/
score LOCAL_AUTH_SENDER -4.0
Also, try adding that IP to your internal_networks and see how the
scoring changes:
internal_networks 73.14.161.160
You may want to meta rule that with something else unique in the headers
to prevent
Dave
Re: Mail to local users
On 16 Jun 2019, at 16:06, Reindl Harald wrote: > Am 16.06.19 um 23:41 schrieb @lbutlr: >> When I send an mail from my home machine to a user who is local to my mail >> server, SpamAssassin (via spmass-milter) tags the mail as spam entirely >> because my home IP is in the PBL blacklist. Which of course, it is and it >> should be. > >> Obviously I do not want to lower the scores for the three criteria that put >> me over the limit on these emails, but similarly I do not want my mail to >> other people on the server getting tagged as spam (nor there mail to me). I >> have my current IP in the SpamAssassin-milter with the -I flag, but the IP >> changes and this isn’t a solution for others sending mail to local accounts >> from local accounts. > > there is only one proepr solution for trusted clients with changing IP's > and that's always: use smtp authentication I am. >> However, since the mail is actually originating on my server with an >> authenticated connection, it seems the RBL check should be able to be >> avoided? All submission go to port 587 for 465 and all submission connections are authenticated. But spamass-milter/Spamassassin is still tagging that mail because ti went from my machine directly to the server that hosts the destination email. -- On the other hand, you have different fingers.
Mail to local users
When I send an mail from my home machine to a user who is local to my mail
server, SpamAssassin (via spmass-milter) tags the mail as spam entirely because
my home IP is in the PBL blacklist. Which of course, it is and it should be.
However, since the mail is actually originating on my server with an
authenticated connection, it seems the RBL check should be able to be avoided?
Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from )
X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_50,NO_FM_NAME_IP_HOSTN,
RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP
autolearn=no autolearn_force=no version=3.4.2
Obviously I do not want to lower the scores for the three criteria that put me
over the limit on these emails, but similarly I do not want my mail to other
people on the server getting tagged as spam (nor there mail to me). I have my
current IP in the SpamAssassin-milter with the -I flag, but the IP changes and
this isn’t a solution for others sending mail to local accounts from local
accounts.
Postfix main.cf:
smtpd_milters =
unix:/var/run/spamass-milter.sock,
milter_connect_macros = j {daemon_name} v {if_name} _
#milter_default_action = tempfail
milter_default_action = accept
/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e
-i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
Seems like the -I fall should be taking care of this for me, at present. But
how do I tell spamass-milter not to check for PBL and other similar tests on
mails from local users to local users?
--
The whole thing that makes a mathematician's life worthwhile is
that he gets the grudging admiration of three or four colleagues
