Spamassassin fails after 410+ days?
I am running FreeBSD 10.0, with Postfix, Dovecot, MySQL, and SpamAssassin 3.4.0 (Perl 5.16.3). This is the second time this has happened to me. All ran fine for roughly 410 days, then SpamAssassin stopped flagging emails, and has all kinds of errors in the log. Nothing was touched on the system other than restarting daemons from time to time. No upgrading, no nothing basically. Now all of a sudden, I get this in my spamassassin.log:

May 19 10:06:34 my spamd[82620]: Argument "" isn't numeric in numeric lt (<) at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 827.
May 19 10:06:34 my spamd[82620]: Use of uninitialized value in bitwise and (&) at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 1332.
May 19 10:06:34 my spamd[82620]: Use of uninitialized value in bitwise and (&) at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 1332.
May 19 10:06:34 my spamd[82620]: Use of uninitialized value in 1's complement (~) at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 1333.
May 19 10:06:34 my spamd[82620]: Use of uninitialized value in bitwise or (|) at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 1333.
May 19 10:06:34 my spamd[82620]: spamd: error: Bad arg length for NetAddr::IP::Util::sub128, length is 0, should be 128 at /usr/local/lib/perl5/site_perl/5.16/mach/NetAddr/IP/Lite.pm line 1336.
May 19 10:06:34 my spamd[82620]: , continuing at /usr/local/bin/spamd line 1383.
May 19 10:06:34 my spamd[82619]: prefork: child states: II

SpamAssassin line from rc.conf:

spamd_flags="-u spamfilter -x -i -l -A IP Redacted,127.0.0.1,localhost,::1 -m 15 --virtual-config-dir=/usr/local/etc/mail/spamassassin/"
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017 22:40:41 +0200 Benny Pedersen wrote:

> problem with rfcs for dmarc is that its not possible to whitelist
> maillists servers so they never reject on policy reject, what would
> happen if we all reject on a single domain that have policy
> reject ?, then no one would be subscribed at the end, if one like to
> follow own rules on reject
>
> it would be nice if dmarc could handle reject policy better if spf
> passed, maybe lua scripted ?

There is a better solution: http://arc-spec.org/.
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, David Jones wrote:

> From: David B Funk
>> On Fri, 19 May 2017, RW wrote:
>>> On Fri, 19 May 2017 14:13:22 -0500 (CDT)
>>> David B Funk wrote:
>>>
>>> ne.
>>>>
>>>> My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.
>>>
>>> Most of them pass DKIM, a minority aren't signed.
>>
>> Urgg, I see that now. I looked at a few of David Jones' posts to this list and saw that they weren't DKIM signed, so I extrapolated that to a general assumption.
>
> They are DKIM signed so something must be stripping the headers.
>
>> I see that they're using Office-365. This is one of the issues I have with O-365, it's a black box which is hard to second guess. Sometimes they DKIM sign, sometimes they don't. Sometimes they will score incoming messages that are properly DKIM signed as spam (for no reason other than the DKIM signature, as far as I can tell).
>>
>> Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy of "reject" is risky.
>
> I don't. Our inbound to and outbound from Office 365 is handled by our own mail servers that are properly DKIM signing. I have been reviewing DMARC reports for years now to make sure we had good SPF, DKIM and DMARC before recently moving to p=reject.
>
> Dave

I hate to break it to you but you are at the mercy of Office-365 and its erratic DKIM policy.

The message from you that I'm replying to here (both the one that came directly to me and the copy I got thru the Apache list server) are -totally- devoid of DKIM headers. (If you'd like to see it I can put it up in paste-bin.)

Looking at some of your other posts to this list, many of them do have DKIM headers but not all. The interesting part is that the DKIM headers are interpolated with the O-365 headers so it looks like O-365 is taking your original message, stripping off the DKIM headers and sometimes re-adding them.

Good luck with this, welcome to the O-365 world.
Dave

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Somewhat OT: DMARC and this list
Alan Hodgson wrote on 2017-05-19 22:34:

> Well, it's not the list. Others' signatures are coming through fine.

problem is that dkim is not showing to apache.org mailserver, so downstream testing dmarc rejects, undesired config in many ways

> I had to tell OpenDMARC to whitelist ena.com to get anything from you.

i have to allow all sender in postfix to allow junc.eu to send forged mails to me, same as i need to use whitelist_from *@junc.eu to ensure my own posting to maillist not jump in the junk folder :=)

in opendmarc you should not whitelist mfrom domains with reject, but more whitelist maillists ips, but i have hoped this would be more simple to make work stable ? but whitelist based on ip, disable dmarc pass testing :/

if there would be a public change to dmarc, it would be nice to see if arc is ever needed, if dkim was never broken all parts of dmarc and arc is unneeded in everyday work

i still find it ironical that dmarc maillists breaks dkim, or even take ownerships on mfrom, yark
Re: Somewhat OT: DMARC and this list
David Jones wrote on 2017-05-19 21:36:

> SPF:PASS with IP 96.5.1.12
> DKIM: PASS with domain ena.com
> DMARC: PASS

authentication-results: spamassassin.apache.org; dkim=none (message not signed) header.d=none;spamassassin.apache.org; dmarc=none action=none header.from=ena.com;

is something in your mailchain remove signed dkim ?

> I guess the envelope-from is changed to the Mailman list which would break the SPF alignment and it could be stripping out the DKIM headers if you all are saying it's not there.

no no no no and no, maillists does not break spf, what happened is that domain change on every mta, so it could still pass spf even if your own domain is not spf protected, but as you see it is really a forwarded mail to maillist that pass spf on apache.org

this is spf, but you miss still to dkim sign to the maillist, this is your error if you like to make dmarc reject policy

problem with rfcs for dmarc is that its not possible to whitelist maillists servers so they never reject on policy reject, what would happen if we all reject on a single domain that have policy reject ?, then no one would be subscribed at the end, if one like to follow own rules on reject

it would be nice if dmarc could handle reject policy better if spf passed, maybe lua scripted ?

> I guess I will have to sign up with my personal email address that doesn't have p=reject. I guess as more and more domains move to p=reject, then this is going to be a real problem. Mailing lists are going to have to evolve how they send or something.

p=reject is fine, but missing dkim on that policy is not working

i still have to see docs on why this is not supported at all

https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

good page that does not help much on how to configure dmarc to not reject maillists even for domain with policy reject
Re: Somewhat OT: DMARC and this list
On Friday 19 May 2017 20:11:42 David Jones wrote:

> >Urgg, I see that now. I looked at a few of David Jones' posts to this list
> >and saw that they weren't DKIM signed, so I extrapolated that to a general
> >assumption.
>
> They are DKIM signed so something must be stripping the headers.
>

Well, it's not the list. Others' signatures are coming through fine.

I had to tell OpenDMARC to whitelist ena.com to get anything from you.
Re: Somewhat OT: DMARC and this list
>From: David B Funk

>On Fri, 19 May 2017, RW wrote:
>> On Fri, 19 May 2017 14:13:22 -0500 (CDT)
>> David B Funk wrote:
>>
>> ne.
>>>
>>> My read on this is that "@ena.com" is living dangerously. They
>>> publish SPF records and DMARC records (with p=reject) but do NOT DKIM
>>> sign their mail.
>>
>> Most of them pass DKIM, a minority aren't signed.

>Urgg, I see that now. I looked at a few of David Jones' posts to this list and
>saw that they weren't DKIM signed, so I extrapolated that to a general
>assumption.

They are DKIM signed so something must be stripping the headers.

>I see that they're using Office-365. This is one of the issues I have with
>O-365, it's a black box which is hard to second guess.
>Sometimes they DKIM sign, sometimes they don't.
>Sometimes they will score incoming messages that are properly DKIM signed as
>spam (for no reason other than the DKIM signature, as far as I can tell).

>Bottom line; If you put yourself at the mercy of Office-365, using a DKIM
>policy
>of "reject" is risky.

I don't. Our inbound to and outbound from Office 365 is handled by our own mail servers that are properly DKIM signing. I have been reviewing DMARC reports for years now to make sure we had good SPF, DKIM and DMARC before recently moving to p=reject.

Dave
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, RW wrote:

> On Fri, 19 May 2017 14:13:22 -0500 (CDT)
> David B Funk wrote:
>
> ne.
>>
>> My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.
>
> Most of them pass DKIM, a minority aren't signed.

Urgg, I see that now. I looked at a few of David Jones' posts to this list and saw that they weren't DKIM signed, so I extrapolated that to a general assumption.

I see that they're using Office-365. This is one of the issues I have with O-365, it's a black box which is hard to second guess. Sometimes they DKIM sign, sometimes they don't. Sometimes they will score incoming messages that are properly DKIM signed as spam (for no reason other than the DKIM signature, as far as I can tell).

Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy of "reject" is risky.

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Somewhat OT: DMARC and this list
>From: RW

>On Fri, 19 May 2017 14:13:22 -0500 (CDT)
>David B Funk wrote:

>ne.
>>
>> My read on this is that "@ena.com" is living dangerously. They
>> publish SPF records and DMARC records (with p=reject) but do NOT DKIM
>> sign their mail.

>Most of them pass DKIM, a minority aren't signed.

My edge mail servers are DKIM signing properly for ena.com. I am able to send to Gmail and "Show Original" says:

SPF:PASS with IP 96.5.1.12
DKIM: PASS with domain ena.com
DMARC: PASS

I guess the envelope-from is changed to the Mailman list which would break the SPF alignment and it could be stripping out the DKIM headers if you all are saying it's not there.

I guess I will have to sign up with my personal email address that doesn't have p=reject. I guess as more and more domains move to p=reject, then this is going to be a real problem. Mailing lists are going to have to evolve how they send or something.

Dave
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017 14:13:22 -0500 (CDT)
David B Funk wrote:

ne.
>
> My read on this is that "@ena.com" is living dangerously. They
> publish SPF records and DMARC records (with p=reject) but do NOT DKIM
> sign their mail.

Most of them pass DKIM, a minority aren't signed.
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, Dianne Skoll wrote:

> Hi,
>
> Tons of list traffic keeps getting quarantined because of DMARC. For example, a recent message from David Jones :
>
> DMARC policy for domain ena.com suggests Rejection as DMARC_POLICY_REJECT, but quarantined due to rule settings
>
> $ host -t txt _dmarc.ena.com
> _dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; rua=mailto:dm...@ena.net\;";
>
> (In this instance, we've overridden the DMARC policy and converted it to quarantine instead of reject, so I was able to retrieve the email, but...)
>
> I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent of Mailman's "ALLOW_FROM_IS_LIST" feature?
>
> Regards,
>
> Dianne.

My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.

In general it's dangerous to expect SPF to work thru a maillist or other forwarder. Often DKIM will but you cannot count on it (particularly if the list engages in Subject munging). If they're only going to use SPF then publishing a DMARC policy of "reject" is risky.

See: https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

Please let me know if I'm misinterpreting the signs.

Dave

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
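The alignment problem described in this message, as an added example that is not part of the original post: a simplified DMARC evaluation showing why SPF-only mail from a p=reject domain fails after a list hop while a surviving DKIM signature still passes. The domains, the sample messages and the two-label org_domain() shortcut are assumptions; real evaluators use the Public Suffix List.

```python
# Added example (not from the thread): simplified DMARC identifier alignment.
# All domains and sample results below are constructed for illustration.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a dict."""
    tags = {}
    # `host` output escapes semicolons as "\;", so undo that first.
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Assumption: the organizational domain is the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ("r") alignment compares org domains, strict ("s") exact names."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg, record):
    """Return (dmarc_result, policy_to_apply) for one message."""
    tags = parse_dmarc_record(record)
    from_dom = msg["from"]
    # SPF counts only if it passed AND the envelope sender aligns with From.
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], from_dom, tags.get("aspf", "r"))
    # DKIM counts if any passing signature's d= domain aligns with From.
    dkim_ok = any(
        result == "pass" and aligned(d, from_dom, tags.get("adkim", "r"))
        for d, result in msg["dkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


# Constructed record in the same shape as the one quoted in the thread.
RECORD = r"v=DMARC1\; p=reject\; sp=reject\; rua=mailto:reports@example.com\;"

# Direct delivery: envelope sender and signature both match the From domain.
DIRECT = {"from": "example.com", "mail_from": "example.com", "spf": "pass",
          "dkim": [("example.com", "pass")]}
# List hop: the list rewrites the envelope sender, so SPF passes for the
# list's domain only; the author's DKIM signature survived intact.
VIA_LIST_SIGNED = {"from": "example.com", "mail_from": "lists.example.org",
                   "spf": "pass", "dkim": [("example.com", "pass")]}
# Same hop, but no DKIM signature reached the receiver.
VIA_LIST_UNSIGNED = {"from": "example.com", "mail_from": "lists.example.org",
                     "spf": "pass", "dkim": []}

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("list, signed", VIA_LIST_SIGNED),
                      ("list, unsigned", VIA_LIST_UNSIGNED)]:
        print(f"{name:15} -> {evaluate(msg, RECORD)}")
```

The third case is the one the receivers in this thread hit: SPF reports pass, but for the list's domain, so nothing aligned is left and the published policy applies.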
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017 12:00:29 -0700
Alan Hodgson wrote:

> This is actually one of the few mailing lists that a DMARC p=reject
> domain can send anything to. Assuming they DKIM-sign their mail, of
> course.

Yep.

> I would argue that setting a DMARC p=reject policy without working
> DKIM is fundamentally broken idea on the sender's part.

Seconded. The gluing of SPF onto DMARC is a mess.

Regards,

Dianne.
Re: Somewhat OT: DMARC and this list
On Friday 19 May 2017 14:47:56 Dianne Skoll wrote:

> On Fri, 19 May 2017 20:43:39 +0200
>
> Benny Pedersen wrote:
> > some maillists break DKIM, focus on that first, not last !
>
> Thank you for not adding any value to the conversation. The
> domain in question is not using DKIM.
>

This is actually one of the few mailing lists that a DMARC p=reject domain can send anything to. Assuming they DKIM-sign their mail, of course.

I would argue that setting a DMARC p=reject policy without working DKIM is fundamentally broken idea on the sender's part. They can't send bounces or vacation messages or anything else with a null envelope sender, for starters. Or send anything to anyone who forwards their mail to Gmail, at least I guess you can whitelist them if you care enough.
Re: Somewhat OT: DMARC and this list
Dianne Skoll wrote on 2017-05-19 20:47:

> Thank you for not adding any value to the conversation. The domain in question is not using DKIM.

okay, my fault then, but this is not a error if not using reject, but it is if dmarc policy is reject

hope its clear now
Re: Somewhat OT: DMARC and this list
David Jones wrote on 2017-05-19 20:38:

> so let me open a Jira ticket to see if we need to get that setting enabled.

Authentication-Results: linode.junc.eu; dmarc=fail (p=reject dis=none) header.from=ena.com
Authentication-Results: linode.junc.eu; dkim=none; dkim-atps=neutral

where is the dkim signing ?

hopefully mailman stops removing dkim keys header

try post on postfix maillist, did it fail there ?, if yes make local bug fix on it, if it did get dmarc pass be happy
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017 20:43:39 +0200
Benny Pedersen wrote:

> some maillists break DKIM, focus on that first, not last !

Thank you for not adding any value to the conversation. The domain in question is not using DKIM.

Regards,

Dianne.
Re: Somewhat OT: DMARC and this list
Dianne Skoll wrote on 2017-05-19 20:30:

> I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent of Mailman's "ALLOW_FROM_IS_LIST" feature?

some maillists break DKIM, focus on that first, not last !

if you get this message here with DMARC fail, blame the maillist break DKIM

but i am pretty sure it gets DMARC pass on my mail returned here

time will tell :=)

mailman sooks btw on dkim/dmarc
Re: Somewhat OT: DMARC and this list
>From: Dianne Skoll

>Tons of list traffic keeps getting quarantined because of DMARC. For
>example, a recent message from David Jones :

>DMARC policy for domain ena.com suggests Rejection as
>DMARC_POLICY_REJECT, but quarantined due to rule settings

>$ host -t txt _dmarc.ena.com
>_dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\;
>rua=mailto:dm...@ena.net\;";

>(In this instance, we've overridden the DMARC policy and converted it
>to quarantine instead of reject, so I was able to retrieve the email, but...)

>I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent
>of Mailman's "ALLOW_FROM_IS_LIST" feature?

I found this:

https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that

so let me open a Jira ticket to see if we need to get that setting enabled.

Dave
Somewhat OT: DMARC and this list
Hi,

Tons of list traffic keeps getting quarantined because of DMARC. For example, a recent message from David Jones :

DMARC policy for domain ena.com suggests Rejection as DMARC_POLICY_REJECT, but quarantined due to rule settings

$ host -t txt _dmarc.ena.com
_dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; rua=mailto:dm...@ena.net\;";

(In this instance, we've overridden the DMARC policy and converted it to quarantine instead of reject, so I was able to retrieve the email, but...)

I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent of Mailman's "ALLOW_FROM_IS_LIST" feature?

Regards,

Dianne.
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
>Would it be beneficial to add a local.cf config option to allow SA to
>specify a different DNS server rather than what the OS is using in
>/etc/resolv.conf?

Nevermind. David Funk just posted about "dns_server" that I wasn't able to find earlier. Seems like setting that would be the best option for those where the /etc/resolv.conf is being managed. I will update the wiki page with this config option.

Dave
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
David Jones wrote:

> Would it be beneficial to add a local.cf config option to allow SA to specify a different DNS server rather than what the OS is using in /etc/resolv.conf?

IIRC it does, and a quick scan of the Mail::SpamAssassin::Conf man page turned up:

dns_server ip-addr-port (default: entries provided by Net::DNS)

    Specifies an IP address of a DNS server, and optionally its port number. The dns_server directive may be specified multiple times, each entry adding to a list of available resolving name servers. The ip-addr-port argument can either be an IPv4 or IPv6 address, optionally enclosed in brackets, and optionally followed by a colon and a port number. In absence of a port number a standard port number 53 is assumed. When an IPv6 address is specified along with a port number, the address must be enclosed in brackets to avoid parsing ambiguity regarding a colon separator. A scoped link-local IP address is allowed (assuming underlying modules allow it).

    Examples :
      dns_server 127.0.0.1
      dns_server 127.0.0.1:53
      dns_server [127.0.0.1]:53
      dns_server [::1]:53
      dns_server fe80::1%lo0
      dns_server [fe80::1%lo0]:53

    In absence of dns_server directives, the list of name servers is provided by Net::DNS module, which typically obtains the list from /etc/resolv.conf, but this may be platform dependent. Please consult the Net::DNS::Resolver documentation for details.

-kgd
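A check built on the dns_server syntax quoted above, as an added example that is not part of the original post or of SpamAssassin: it parses each documented argument form and reports which resolvers apply, falling back to resolv.conf when no dns_server line is present. The file contents are constructed samples and the function names are hypothetical.

```python
# Added example (not SpamAssassin code): which resolvers would SA use?
import ipaddress


def parse_dns_server(arg):
    """Split a dns_server argument into (address, port) per the quoted syntax."""
    arg = arg.strip()
    port = "53"                                  # default when no port is given
    if arg.startswith("["):                      # [addr] or [addr]:port
        host, closing, rest = arg[1:].partition("]")
        if not closing or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {arg!r}")
        if rest:
            port = rest[1:]
    elif arg.count(":") == 1:                    # IPv4:port
        host, _, port = arg.partition(":")
    else:                                        # bare IPv4 or bare IPv6
        host = arg
    # Validate the address; the %scope suffix is removed only for this check.
    ipaddress.ip_address(host.split("%", 1)[0])
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {arg!r}")
    return host, int(port)


def effective_resolvers(local_cf, resolv_conf):
    """Return [(address, port, source)]: dns_server lines win, else resolv.conf."""
    found = []
    for line in local_cf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "dns_server":
            found.append(parse_dns_server(words[1]) + ("local.cf",))
    if found:
        return found
    # Fallback described in the man page: Net::DNS typically reads resolv.conf.
    for line in resolv_conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "nameserver":
            found.append((words[1], 53, "resolv.conf"))
    return found


def non_loopback(resolvers):
    """Resolvers that are not on this host."""
    return [r for r in resolvers
            if not ipaddress.ip_address(r[0].split("%", 1)[0]).is_loopback]


# Constructed sample files.
RESOLV_CONF = "# rewritten by the hosting provider\nnameserver 8.8.8.8\n"
LOCAL_CF_DEFAULT = "required_score 5.0\n"
LOCAL_CF_PINNED = "required_score 5.0\ndns_server 127.0.0.1\n"

if __name__ == "__main__":
    for label, cf in [("default", LOCAL_CF_DEFAULT), ("pinned", LOCAL_CF_PINNED)]:
        used = effective_resolvers(cf, RESOLV_CONF)
        print(label, used, "non-loopback:", non_loopback(used))
```

With the pinned local.cf, a provider rewriting resolv.conf no longer changes which resolver SpamAssassin queries.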
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
>From: Robert Kudyba

>> Wiki page updated and simplified.
>> https://wiki.apache.org/spamassassin/CachingNameserver

>For Fedora, since NetworkMangler (as many are fond to call it) is enabled
>by default it might be worthwhile to mention this comment at, but note that
>/etc/resolv.conf will be managed by dnssec-trigger daemon:
>https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
>#How_to_get_Unbound_and_dnssec-trigger_running

>"If you use NetworkManager, configure it to use unbound. Add the
>following line into /etc/NetworkManager/NetworkManager.conf
>dns=unbound"

The wiki says to search for details in other online articles like that link. I would prefer not to try to keep up with every little detail like this on this wiki page since it seems to only get updated every 3 years. In fact, I was already thinking about removing any detail and just mention the DNS servers so there are no details to become invalid in a year or two like the reference to njabl.org.

Would it be beneficial to add a local.cf config option to allow SA to specify a different DNS server rather than what the OS is using in /etc/resolv.conf?

Dave
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
On Fri, 19 May 2017, John Hardin wrote:

> On Thu, 18 May 2017, Rob McEwen wrote:
> In many cases, they explain to me that their settings got auto-overwritten by their hoster - who just HAD to switch their resolv.conf file back to 8.8.8.8 cron. job.

Wouldn't the SA config parameter "dns_server" over-ride what's in the resolv.conf, or doesn't that work for RBL queries?

EG, set:

dns_server 127.0.0.1

in your local.cf file and don't worry about what's in the resolv.conf

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
On Thu, 18 May 2017, Rob McEwen wrote:

In many cases, they explain to me that their settings got auto-overwritten by their hoster - who just HAD to switch their resolv.conf file back to 8.8.8.8 cron. job.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
News flash: Lowest Common Denominator down 50 points
---
50 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
> > Wiki page updated and simplified.
> > https://wiki.apache.org/spamassassin/CachingNameserver

For Fedora, since NetworkMangler (as many are fond to call it) is enabled by default it might be worthwhile to mention this comment at, but note that /etc/resolv.conf will be managed by dnssec-trigger daemon:

https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_to_get_Unbound_and_dnssec-trigger_running

"If you use NetworkManager, configure it to use unbound. Add the following line into /etc/NetworkManager/NetworkManager.conf

dns=unbound"
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
From: Matus UHLAR - fantomas

>On 18.05.17 17:05, Robert Kudyba wrote:
>> The link to http://njabl.org/rsync.html is broken at the moment.

>njabl.org is dead four (4) years

>On 18.05.17 14:39, John Hardin wrote:
>>I think this part of the wiki page may not be stressed strongly enough:
>[...]
>>/* Disable forwarding for DNSBL queries */
>[...]
>>zone "combined.njabl.org" { type forward; forward first; forwarders {}; };

>see above

>>zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {};
>>};

>rfc-ignorant.org is dead for years.

Wiki page updated and simplified.

https://wiki.apache.org/spamassassin/CachingNameserver
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
On 18.05.17 17:05, Robert Kudyba wrote:
> The link to http://njabl.org/rsync.html is broken at the moment.

njabl.org is dead four (4) years

On 18.05.17 14:39, John Hardin wrote:
> I think this part of the wiki page may not be stressed strongly enough:

[...]

> /* Disable forwarding for DNSBL queries */

[...]

> zone "combined.njabl.org" { type forward; forward first; forwarders {}; };

see above

> zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };

rfc-ignorant.org is dead for years.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler