Re: Problems with whitelist_from_rcvd
> Ignore the text immediately after the "from", in this case SUB.MYDOMAIN.MAIL.
> That is _not_ rDNS data, that is whatever the client sent in its SMTP HELO,
> and can be _anything_. If you see the correct hostname there it just means
> that computer is sending its correct hostname when it says HELO.
>
> To illustrate, I pulled this out of your message to the list, it is not
> edited in any way:
>
>   Received: from localhost (unknown [213.108.33.133])
>       by highlink.ru (Postfix) with ESMTP id 37F236A818D
>       for users@spamassassin.apache.org; Mon, 5 Oct 2009 10:28:48 +0400 (MSD)
>
> I'm pretty sure 213.108.33.133's rDNS does not say "localhost".
>
> The "(unknown [12.12.12.12])" is the DNS data about the client as your MTA
> sees it, and the fact that it says "unknown" means that for some reason it
> cannot perform rDNS on that IP address, or perhaps its rDNS is explicitly
> set to "unknown". If rDNS was working you'd see something like:
>
>   Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
>       by ga.impsec.org (8.13.7/8.13.7) with SMTP id n956Tp8L020518
>       for jhar...@impsec.org; Sun, 4 Oct 2009 23:29:55 -0700
>
> Exactly how are you checking the rDNS of that IP address? Can you
> demonstrate? For example, here are rDNS lookups on the two IP addresses
> from my examples above:
>
>   jhar...@dendarii ~ $ host 213.108.33.133
>   133.33.108.213.in-addr.arpa domain name pointer 133.33.108.213.hl.ru.
>   jhar...@dendarii ~ $ host 140.211.11.3
>   3.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.
>
> I note that the first does have an rDNS, even though the Received: header
> from the MTA in the example above says "unknown".
>
> Are you performing your rDNS tests on the MTA computer? It looks to me
> like the DNS setup on it is misconfigured somehow and it can't perform
> rDNS queries successfully.

What I do (all commands on the mail-server, where SA is installed):

  # host SUB.MYDOMAIN.MAIL
  SUB.MYDOMAIN.MAIL has address 12.12.12.12
  # host 12.1204.68.58
  12.12.12.12.in-addr.arpa domain name pointer SUB.MYDOMAIN.MAIL.

host does not produce anything else but a single row.

--
Best regards,
Igor Bogomazov
Chief Technical Specialist
HighLink Ltd. St-Petersburg, Russia
8(812)334-12-12 [ext. 220]
8(963)344-44-38 (Beeline)
http://www.hl.ru
Re: Problems with whitelist_from_rcvd
On Tue, 6 Oct 2009, Igor Bogomazov wrote:

>> Exactly how are you checking the rDNS of that IP address? Can you
>> demonstrate?
>>
>> Are you performing your rDNS tests on the MTA computer? It looks to me
>> like the DNS setup on it is misconfigured somehow and it can't perform
>> rDNS queries successfully.
>
> What I do (all commands on the mail-server, where SA is installed):
>
>   # host SUB.MYDOMAIN.MAIL
>   SUB.MYDOMAIN.MAIL has address 12.12.12.12
>   # host 12.1204.68.58
>   12.12.12.12.in-addr.arpa domain name pointer SUB.MYDOMAIN.MAIL.
>
> host does not produce anything else but a single row.

Okay, good. That proves that host's rDNS is properly set up.

Can you run that command on the same computer that your _MTA_ is running
on? The MTA is what is doing the rDNS lookups for the Received: header.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 If "healthcare is a Right" means that the government is obligated to
 provide the people with hospitals, physicians, treatments and
 medications at low or no cost, then the right to free speech means the
 government is obligated to provide the people with printing presses and
 public address systems, the right to freedom of religion means the
 government is obligated to build churches for the people, and the right
 to keep and bear arms means the government is obligated to provide the
 people with guns, all at low or no cost.
---
 5 days since a sunspot last seen - EPA blames CO2 emissions
Re: Problems with whitelist_from_rcvd
> On Fri, 2 Oct 2009, Bill Landry wrote:
>
>> John Hardin wrote:
>>> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>>> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
>>>> all right.
>>>
>>> You don't check rDNS using host, you check it using dig -x host.ip.addr.here
>>
>> Why not, they come up with the same thing?:
>
> I apologize; I don't use host and I looked at the man page for an explicit
> reverse option and didn't see one, and jumped to the wrong conclusion.
>
> Igor, can you show us how you used host and what it output?

Here are both headers, tagged Received:

  Received: by MYDOMAIN.MAIL (Postfix, from userid 1002)
      id F0E8D9B801A; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
  Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12])
      by highlink.ru (Postfix) with ESMTP id 9562D6A82F5
      for some...@somewhere; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)

I suppose the last one is in use. SUB.MYDOMAIN.MAIL with IP 12.12.12.12,
right? I can check rDNS of the IP-address and it is really SUB.MYDOMAIN.MAIL.

Sorry, about host:

  # host SUB.MYDOMAIN.MAIL
  SUB.MYDOMAIN.MAIL has address 12.12.12.12

host does not produce anything else but a single row.

--
Best regards,
Igor Bogomazov, Chief Technical Specialist, HighLink Ltd.
http://www.hl.ru
Re: Problems with whitelist_from_rcvd
On Mon, 5 Oct 2009, Igor Bogomazov wrote:

>> John Hardin wrote:
>>> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>>> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
>>>> all right.
>>
>> Igor, can you show us how you used host and what it output?
>
> Here are both headers, tagged Received:

Neither of these illustrates how you are checking your rDNS data.

>   Received: by MYDOMAIN.MAIL (Postfix, from userid 1002)
>       id F0E8D9B801A; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>   Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12])
>       by highlink.ru (Postfix) with ESMTP id 9562D6A82F5
>       for some...@somewhere; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>
> I suppose the last one is in use. SUB.MYDOMAIN.MAIL with IP 12.12.12.12,
> right? I can check rDNS of the IP-address and it is really SUB.MYDOMAIN.MAIL.

Ignore the text immediately after the "from", in this case SUB.MYDOMAIN.MAIL.
That is _not_ rDNS data, that is whatever the client sent in its SMTP HELO,
and can be _anything_. If you see the correct hostname there it just means
that computer is sending its correct hostname when it says HELO.

To illustrate, I pulled this out of your message to the list, it is not
edited in any way:

  Received: from localhost (unknown [213.108.33.133])
      by highlink.ru (Postfix) with ESMTP id 37F236A818D
      for users@spamassassin.apache.org; Mon, 5 Oct 2009 10:28:48 +0400 (MSD)

I'm pretty sure 213.108.33.133's rDNS does not say "localhost".

The "(unknown [12.12.12.12])" is the DNS data about the client as your MTA
sees it, and the fact that it says "unknown" means that for some reason it
cannot perform rDNS on that IP address, or perhaps its rDNS is explicitly
set to "unknown". If rDNS was working you'd see something like:

  Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
      by ga.impsec.org (8.13.7/8.13.7) with SMTP id n956Tp8L020518
      for jhar...@impsec.org; Sun, 4 Oct 2009 23:29:55 -0700

Exactly how are you checking the rDNS of that IP address? Can you
demonstrate? For example, here are rDNS lookups on the two IP addresses
from my examples above:

  jhar...@dendarii ~ $ host 213.108.33.133
  133.33.108.213.in-addr.arpa domain name pointer 133.33.108.213.hl.ru.
  jhar...@dendarii ~ $ host 140.211.11.3
  3.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.

I note that the first does have an rDNS, even though the Received: header
from the MTA in the example above says "unknown".

Are you performing your rDNS tests on the MTA computer? It looks to me
like the DNS setup on it is misconfigured somehow and it can't perform
rDNS queries successfully.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
---
 Therapeutic Phrenologist - send email for affordable rate schedule.
---
 Approximately 9181140 firearms legally purchased in the U.S. this year
Re: Problems with whitelist_from_rcvd
On fre 02 okt 2009 10:34:55 CEST, Igor Bogomazov wrote

> And the appropriate mail header seems to be correct:
>
>   Received: from prefix.domain.mail (unknown [12.12.12.12])
>
> What's the matter?

"unknown" reverse DNS is Postfix's answer for a reverse DNS that is not
found, so the host was wrong in the test you did.

  host 12.12.12.12

gives unknown;

  dig unknown

gives 12.12.12.12 ?

prefix.domain.mail is the HELO header.

--
xpoint
Re: Problems with whitelist_from_rcvd
From: Igor Bogomazov b...@hl.ru
Date: Fri, 2 Oct 2009 12:34:55 +0400

> When I add the string like:
>
>   whitelist_from s...@domain.mail
>
> it works OK. But:
>
>   whitelist_from_rcvd s...@domain.mail prefix.domain.mail
>
> doesn't work. I've checked rDNS of the prefix.domain.mail with 'host'
> utility - it's all right. And the appropriate mail header seems to be
> correct:
>
>   Received: from prefix.domain.mail (unknown [12.12.12.12])
>
> What's the matter?

It is hard to say for sure without seeing actual received headers. You need
to use the last external relay used by the email. From man
Mail::SpamAssassin::Conf:

  whitelist_from_rcvd
  ...
  This string is matched against the reverse DNS lookup used during the
  handover from the internet to your internal network's mail exchangers.
  It can either be the full hostname, or the domain component of that
  hostname.
  ...

The easiest way to figure out which one to use is to add a Relay header
using:

  add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_

Then get the RDNS from the first "untrusted=[ip=... rdns=RDNS ...]" relay.
If the RDNS is blank then the whitelist_from_rcvd won't work. Your
internal_networks and trusted_networks need to be set up correctly.

-jeff
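The two points the thread keeps returning to, the anatomy of a Received: client clause (HELO name before the parenthesis, rDNS and IP inside it, "unknown" when Postfix's PTR lookup failed) and the whitelist_from_rcvd host rule Jeff quotes from Mail::SpamAssassin::Conf (full hostname or its domain component, never the HELO name), as an added Python example that is not part of this thread or of SpamAssassin's own code. The Received: lines are constructed after the ones quoted in the thread, and the regex and matching logic are a deliberately simplified model of what SpamAssassin's real parser and rule do.

```python
import re
from fnmatch import fnmatch

# The "from HELO (rDNS [IP])" client clause as Postfix/sendmail write it.
# Simplified: SpamAssassin's real Received: parser understands many more MTA formats.
RCVD_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]\)')

def parse_received(header):
    """Return (helo, rdns, ip) from one Received: line, or None if it has no client
    clause (e.g. a local "Received: by ... (Postfix, from userid N)" submission line)."""
    m = RCVD_RE.search(header)
    if not m:
        return None
    rdns = m.group('rdns')
    # Postfix writes "unknown" when the PTR lookup fails; treat that as no rDNS at all.
    if rdns.lower() == 'unknown':
        rdns = ''
    return m.group('helo'), rdns, m.group('ip')

def rcvd_host_matches(rdns, rule_host):
    """whitelist_from_rcvd host test: the rule gives either the full rDNS name
    or the domain component of it. Blank rDNS can never satisfy the rule."""
    if not rdns:
        return False
    rdns, rule_host = rdns.lower().rstrip('.'), rule_host.lower().rstrip('.')
    return rdns == rule_host or rdns.endswith('.' + rule_host)

def whitelist_from_rcvd(sender, rule_addr, rule_host, received):
    """True when the sender matches the rule's address glob and the relay's
    rDNS (never its HELO name) matches the rule's host."""
    parsed = parse_received(received)
    if parsed is None or not fnmatch(sender.lower(), rule_addr.lower()):
        return False
    _helo, rdns, _ip = parsed
    return rcvd_host_matches(rdns, rule_host)

# Constructed samples modelled on the headers quoted in the thread.
BROKEN = ("Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12]) by highlink.ru "
          "(Postfix) with ESMTP id 9562D6A82F5; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)")
WORKING = ("Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by "
           "ga.impsec.org (8.13.7/8.13.7) with SMTP id n956Tp8L020518; Sun, 4 Oct 2009")

if __name__ == '__main__':
    for hdr in (BROKEN, WORKING):
        helo, rdns, ip = parse_received(hdr)
        print(f"HELO={helo!r} rDNS={(rdns or '(none)')!r} ip={ip}")
        print("  whitelist_from_rcvd s@domain.mail SUB.MYDOMAIN.MAIL ->",
              whitelist_from_rcvd('s@domain.mail', 's@domain.mail', 'SUB.MYDOMAIN.MAIL', hdr))
```

Run against BROKEN the rule fails even though the HELO name is exactly the host in the rule, which is Igor's situation; run against WORKING a rule naming either hermes.apache.org or apache.org succeeds.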
Re: Problems with whitelist_from_rcvd
On Fri, 2 Oct 2009, Igor Bogomazov wrote:

>   whitelist_from_rcvd s...@domain.mail prefix.domain.mail
>
> doesn't work. I've checked rDNS of the prefix.domain.mail with 'host'
> utility - it's all right.

You don't check rDNS using host, you check it using dig -x host.ip.addr.here

> And the appropriate mail header seems to be correct:
>
>   Received: from prefix.domain.mail (unknown [12.12.12.12])
>
> What's the matter?

The "(unknown [12.12.12.12])" part shows that rDNS for that IP address is
_not_ configured, or that DNS on your MTA cannot resolve it for some reason.

The text after "from" is the string used in the client's HELO, which can be
anything at all and cannot be trusted for authentication.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
---
 You cannot bring about prosperity by discouraging thrift. You cannot
 help small men by tearing down big men. You cannot strengthen the weak
 by weakening the strong. You cannot lift the wage-earner by pulling
 down the wage-payer. You cannot help the poor man by destroying the
 rich. You cannot keep out of trouble by spending more than your income.
 You cannot further the brotherhood of man by inciting class hatred. You
 cannot establish security on borrowed money. You cannot build character
 and courage by taking away men's initiative and independence. You
 cannot help men permanently by doing for them what they could and
 should do for themselves.           -- William J. H. Boetcker
---
 Approximately 9081780 firearms legally purchased in the U.S. this year
Re: Problems with whitelist_from_rcvd
John Hardin wrote:
> You don't check rDNS using host, you check it using dig -x host.ip.addr.here

Actually, unless your DNS configuration is doing something bizarre, they
should give back the same basic info - dig is just a lot more verbose:

  [kdeu...@turboprop ~]$ host 209.91.179.62
  62.179.91.209.in-addr.arpa domain name pointer deepnet.cx.
  [kdeu...@turboprop ~]$ dig -x 209.91.179.62

  ; <<>> DiG 9.2.4 <<>> -x 209.91.179.62
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62009
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

  ;; QUESTION SECTION:
  ;62.179.91.209.in-addr.arpa.    IN      PTR

  ;; ANSWER SECTION:
  62.179.91.209.in-addr.arpa. 892 IN      PTR     deepnet.cx.

  ;; AUTHORITY SECTION:
  179.91.209.in-addr.arpa. 890    IN      NS      ns3.vianet.ca.
  179.91.209.in-addr.arpa. 890    IN      NS      ns4.vianet.ca.
  179.91.209.in-addr.arpa. 890    IN      NS      ns1.vianet.ca.
  179.91.209.in-addr.arpa. 890    IN      NS      ns2.vianet.ca.

  ;; ADDITIONAL SECTION:
  ns1.vianet.ca.          22      IN      A       209.91.128.30
  ns2.vianet.ca.          22      IN      A       204.187.89.10
  ns3.vianet.ca.          22      IN      A       209.91.174.60
  ns4.vianet.ca.          22      IN      A       204.187.88.5

  ;; Query time: 2 msec
  ;; SERVER: 209.91.179.154#53(209.91.179.154)
  ;; WHEN: Fri Oct  2 10:33:50 2009
  ;; MSG SIZE  rcvd: 213

  [kdeu...@turboprop ~]$ dig -x 209.91.179.62 +short
  deepnet.cx.
  [kdeu...@turboprop ~]$

(The AUTHORITY and ADDITIONAL sections may not be returned depending on your
DNS cache; BIND returns the above, DJB's dnscache doesn't return either.)

-kgd, wearing his ISP DNS admin hat
Re: Problems with whitelist_from_rcvd
John Hardin wrote:
> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>   whitelist_from_rcvd s...@domain.mail prefix.domain.mail
>>
>> doesn't work. I've checked rDNS of the prefix.domain.mail with 'host'
>> utility - it's all right.
>
> You don't check rDNS using host, you check it using dig -x host.ip.addr.here

Why not, they come up with the same thing?:

  host 207.210.83.140
  140.83.210.207.in-addr.arpa domain name pointer ga.impsec.org.

  dig -x 207.210.83.140 +short
  ga.impsec.org.

Bill
Re: Problems with whitelist_from_rcvd
On Fri, 2 Oct 2009, Kris Deugau wrote:

> John Hardin wrote:
>> You don't check rDNS using host, you check it using dig -x host.ip.addr.here
>
> Actually, unless your DNS configuration is doing something bizarre, they
> should give back the same basic info - dig is just a lot more verbose:
>
> -kgd, wearing his ISP DNS admin hat

...I stand corrected. Thanks.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
---
 Gun Control laws cannot reduce violent crime, because gun control laws
 assume a violent criminal will obey the law.
---
 Approximately 9085920 firearms legally purchased in the U.S. this year
Re: Problems with whitelist_from_rcvd
On Fri, 2 Oct 2009, Bill Landry wrote:

> John Hardin wrote:
>> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
>>> all right.
>>
>> You don't check rDNS using host, you check it using dig -x host.ip.addr.here
>
> Why not, they come up with the same thing?:

I apologize; I don't use host and I looked at the man page for an explicit
reverse option and didn't see one, and jumped to the wrong conclusion.

Igor, can you show us how you used host and what it output?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
---
 Gun Control laws cannot reduce violent crime, because gun control laws
 assume a violent criminal will obey the law.
---
 Approximately 9088680 firearms legally purchased in the U.S. this year