Mailing List Archive

Mail to local users
When I send an mail from my home machine to a user who is local to my mail server, SpamAssassin (via spmass-milter) tags the mail as spam entirely because my home IP is in the PBL blacklist. Which of course, it is and it should be.

However, since the mail is actually originating on my server with an authenticated connection, it seems the RBL check should be able to be avoided?

Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from <kreme@kreme.com>)

X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_50,NO_FM_NAME_IP_HOSTN,
RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP
autolearn=no autolearn_force=no version=3.4.2

Obviously I do not want to lower the scores for the three criteria that put me over the limit on these emails, but similarly I do not want my mail to other people on the server getting tagged as spam (nor there mail to me). I have my current IP in the SpamAssassin-milter with the -I flag, but the IP changes and this isn’t a solution for others sending mail to local accounts from local accounts.

Postfix main.cf:
smtpd_milters =
unix:/var/run/spamass-milter.sock,
milter_connect_macros = j {daemon_name} v {if_name} _
#milter_default_action = tempfail
milter_default_action = accept

/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10

Seems like the -I fall should be taking care of this for me, at present. But how do I tell spamass-milter not to check for PBL and other similar tests on mails from local users to local users?



--
The whole thing that makes a mathematician's life worthwhile is
that he gets the grudging admiration of three or four colleagues
Re: Mail to local users [ In reply to ]
On 16 Jun 2019, at 16:06, Reindl Harald <h.reindl@thelounge.net> wrote:
> Am 16.06.19 um 23:41 schrieb @lbutlr:
>> When I send an mail from my home machine to a user who is local to my mail server, SpamAssassin (via spmass-milter) tags the mail as spam entirely because my home IP is in the PBL blacklist. Which of course, it is and it should be.
>
>> Obviously I do not want to lower the scores for the three criteria that put me over the limit on these emails, but similarly I do not want my mail to other people on the server getting tagged as spam (nor there mail to me). I have my current IP in the SpamAssassin-milter with the -I flag, but the IP changes and this isn’t a solution for others sending mail to local accounts from local accounts.
>
> there is only one proepr solution for trusted clients with changing IP's
> and that's always: use smtp authentication

I am.

>> However, since the mail is actually originating on my server with an authenticated connection, it seems the RBL check should be able to be avoided?

All submission go to port 587 for 465 and all submission connections are authenticated.

But spamass-milter/Spamassassin is still tagging that mail because ti went from my machine directly to the server that hosts the destination email.


--
On the other hand, you have different fingers.
Re: Mail to local users [ In reply to ]
On 6/16/19 4:41 PM, @lbutlr wrote:
> When I send an mail from my home machine to a user who is local to my mail server, SpamAssassin (via spmass-milter) tags the mail as spam entirely because my home IP is in the PBL blacklist. Which of course, it is and it should be.
>
> However, since the mail is actually originating on my server with an authenticated connection, it seems the RBL check should be able to be avoided?
>
> Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
> Sun, 16 Jun 2019 15:26:32 -0600
> (envelope-from <kreme@kreme.com>)
>
> X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_50,NO_FM_NAME_IP_HOSTN,
> RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,TO_NO_BRKTS_DYNIP
> autolearn=no autolearn_force=no version=3.4.2
>
> Obviously I do not want to lower the scores for the three criteria that put me over the limit on these emails, but similarly I do not want my mail to other people on the server getting tagged as spam (nor there mail to me). I have my current IP in the SpamAssassin-milter with the -I flag, but the IP changes and this isn’t a solution for others sending mail to local accounts from local accounts.
>
> Postfix main.cf:
> smtpd_milters =
> unix:/var/run/spamass-milter.sock,
> milter_connect_macros = j {daemon_name} v {if_name} _
> #milter_default_action = tempfail
> milter_default_action = accept
>
> /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
>
> Seems like the -I fall should be taking care of this for me, at present. But how do I tell spamass-milter not to check for PBL and other similar tests on mails from local users to local users?
>
>
Find the header being added by your Postfix MTA and add a rule to
subtract points for authenticated senders.  It should have "ESMTPSA"
when sent by an authenticated account.

header   LOCAL AUTH_SENDER     Received =~ /\.example\.com \(Postfix\)
with ESMTPSA/
score    LOCAL_AUTH_SENDER     -4.0

Also, try adding that IP to your internal_networks and see how the
scoring changes:

internal_networks 73.14.161.160

You may want to meta rule that with something else unique in the headers
to prevent

Dave
Re: Mail to local users [ In reply to ]
On 16 Jun 2019, at 17:01, David Jones <djones@ena.com> wrote:
> Find the header being added by your Postfix MTA and add a rule to
> subtract points for authenticated senders. It should have "ESMTPSA"
> when sent by an authenticated account.

The header postfix added was in the first post and does not have ESMTPSA in it

> header LOCAL AUTH_SENDER Received =~ /\.example\.com \(Postfix\)
> with ESMTPSA/
> score LOCAL_AUTH_SENDER -4.0
>
> Also, try adding that IP to your internal_networks and see how the
> scoring changes:
>
> internal_networks 73.14.161.160

And that IP is in spamass-milter in a -i directive.

/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10

So it should never have tagged the email in the first place, right?


--
O is for OLIVE run through with an awl
P is for PRUE trampled flat in a brawl
Re: Mail to local users [ In reply to ]
On 16 Jun 2019, at 20:16, @lbutlr wrote:

> On 16 Jun 2019, at 17:01, David Jones <djones@ena.com> wrote:
>> Find the header being added by your Postfix MTA and add a rule to
>> subtract points for authenticated senders. It should have "ESMTPSA"
>> when sent by an authenticated account.
>
> The header postfix added was in the first post and does not have
> ESMTPSA in it
>
>> header LOCAL AUTH_SENDER Received =~ /\.example\.com
>> \(Postfix\)
>> with ESMTPSA/
>> score LOCAL_AUTH_SENDER -4.0
>>
>> Also, try adding that IP to your internal_networks and see how the
>> scoring changes:
>>
>> internal_networks 73.14.161.160
>
> And that IP is in spamass-milter in a -i directive.
>
> /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u
> spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
>
> So it should never have tagged the email in the first place, right?

Based solely on reading the man page for spamass-milter, I think you are
right. However, I think you should try collapsing the -i arguments into
just one comma-delimited list, to see if that form actually works as
expected. You might want to use the support resources at
http://savannah.nongnu.org/projects/spamass-milt/ to get help, since
spamass-milter isn't part of the SA project.

I also recommend setting trusted_networks, internal_networks, and
msa_networks correctly and requiring authenticated submission such that
SA can identify trusted mail rather than skip it.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Re: Mail to local users [ In reply to ]
On Sun, 16 Jun 2019, @lbutlr wrote:

> When I send an mail from my home machine to a user who is local to my
> mail server, SpamAssassin (via spmass-milter) tags the mail as spam
> entirely because my home IP is in the PBL blacklist. Which of course, it
> is and it should be.

How is SA glued into your MTA?

is there any way within that glue to recognize email originating locally
and skip scanning it entirely (vs. trying to configure SA to give it a
passing score)?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
2 days until SWMBO's Birthday
Re: Mail to local users [ In reply to ]
On 16.06.19 15:41, @lbutlr wrote:
>When I send an mail from my home machine to a user who is local to my mail
> server, SpamAssassin (via spmass-milter) tags the mail as spam entirely
> because my home IP is in the PBL blacklist. Which of course, it is and it
> should be.
>
>However, since the mail is actually originating on my server with an
> authenticated connection, it seems the RBL check should be able to be
> avoided?
>
>Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
> Sun, 16 Jun 2019 15:26:32 -0600
> (envelope-from <kreme@kreme.com>)

if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
of SMTP.

Note that spamass-milter fakes the first Received: header (because milter
must get message as it is received from mail client), but lack of "A" in the
SMTP indicates that your mail is not really authenticated.

>Obviously I do not want to lower the scores for the three criteria that put
> me over the limit on these emails, but similarly I do not want my mail to
> other people on the server getting tagged as spam (nor there mail to me).
> I have my current IP in the SpamAssassin-milter with the -I flag, but the
> IP changes and this isn’t a solution for others sending mail to local
> accounts from local accounts.


>Postfix main.cf:
>smtpd_milters =
> unix:/var/run/spamass-milter.sock,
>milter_connect_macros = j {daemon_name} v {if_name} _
>#milter_default_action = tempfail
>milter_default_action = accept
>
>/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -e -i 65.121.55.40/29 -i 73.14.161.160 -i 127.0.0.1 -r 10
>
>Seems like the -I fall should be taking care of this for me, at present.

should, if auth works.

> But how do I tell spamass-milter not to check for PBL and other similar
> tests on mails from local users to local users?

don't. This is exactly what spammers try for years to avoid being detected.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Mail to local users [ In reply to ]
@lbutlr schrieb am 16.06.2019 um 23:41:
> Seems like the -I fall should be taking care of this for me, at present. But how do I tell spamass-milter not to check for PBL and other similar tests on mails from local users to local users?
With postfix, best practice for locally submitted mail is to

1. submit authenticated mail to a different port than 25. Standard port
for submission is 587.
2. On submission port, configure the smtpd daemon to not
spamassassin-scan submitted mail

Since you seem to use spamass-milter, I can give my server as example
how you might do this. With milter, you implement before-queue spam
filtering according to http://www.postfix.org/MILTER_README.html. If you
need after-queue inspecting, consult
http://www.postfix.org/FILTER_README.html and
http://www.postfix.org/SMTPD_PROXY_README.html.
I also includes clamav virus scanning and dkim-signing and verification
with opendkim as milter.

You need to configure main.cf and some local smtpd options in master.cf.
If you want to quickly get to the point of all this, scroll to the last
paragraph of this mail.

Configure smtpd restrictions in /etc/postfix/main.cf:
This implements best practice according to
http://www.postfix.org/SMTPD_ACCESS_README.html. It became rather long,
but posting only an excerpt of the *_restrictions checklist makes it all
pointless. The checklist makes use of the current postfix features for
access control, junk mail control and relay control. It's a strict but
not paranoid restrictions collection suited for at least a tiny or small
mail server. It may be that bigger mail servers need to make it more
forgiving, but on the other hand this might be achieved by writing
offenders to the several local black- and whitelists that are accessed.


# order of restriction list evaluation: client, helo, sender, relay,
recipient, data or end-of-data

# all client commands
smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_access

# HELO/EHLO
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  check_helo_access hash:/etc/postfix/helo_checks

# MAIL FROM
smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/sender_checks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain

# RCPT TO
# relay policy
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination

# RCPT TO
# spam blocking policy
smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_recipient_access hash:/etc/postfix/recipient_access,
  check_client_access hash:/etc/postfix/rbl_whitelist,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client b.barracudacentral.org,
  check_policy_service unix:private/policyd-spf

# DATA
smtpd_data_restrictions =
  reject_unauth_pipelining

mua_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_sasl_authenticated,
  reject


Configure smtpd milter-related options in /etc/postfix/main.cf:

# milter setup
milter_connect_macros = j {daemon_name} v _
milter_default_action = accept

# milters for the public port 25 smtpd daemon (dkim sign, dmarc check,
virus scan, spam detection)
smtpd_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/var/run/opendmarc-postfix/sock,
  unix:/var/run/clamav-milter/clamav-milter.socket,
  unix:/run/spamass-milter/postfix/sock

# milters for mail submissions from local applications (dkim sign)
non_smtpd_milters =
  unix:/var/run/opendkim-postfix/sock

# milters for the submission smtpd daemon (dkim sign, virus scan)
mua_milters =
  unix:/var/run/opendkim-postfix/sock,
  unix:/var/run/clamav-milter/clamav-milter.socket


Finally, configure the submission smtpd daemon in /etc/postfix/master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=$mua_milters

With these local options in master.cf you exclude spamass-milter
processing from mails submitted on the submission port ($mua_milters)
but instead do dkim-signing. The changed smtpd_recipient_restrictions
allows authenticated submissions only and doesn't reject mail from
blocklists, so anyone from a dial-up network range, such as you and
everybody from his home, is allowed to submit without penalty.
Re: Mail to local users [ In reply to ]
On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>> But how do I tell spamass-milter not to check for PBL and other similar
>> tests on mails from local users to local users?
>
> don't. This is exactly what spammers try for years to avoid being detected.

Spammers are not local users on my system.

It appears that switching from dovecot LDA to dovecot LMTP has changed the appearance of the headers from local users. I’ll go check on the dovecot list.

Here’s what the received header used to look like:

Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93])
by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59
for <kreme@kreme.com>; Sun, 16 Aug 2009 22:19:02 -0600 (MDT)

As opposed to now:

Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from <kreme@kreme.com>)

The first has an ESMTPS id and the other has SMTP id unknown.


--
Help me, Obi-wan Kenobi. You're my only hope.
Re: Mail to local users [ In reply to ]
On Mon, 17 Jun 2019 08:30:09 -0600
@lbutlr wrote:

> It appears that switching from dovecot LDA to dovecot LMTP has
> changed the appearance of the headers from local users. I’ll go check
> on the dovecot list.
>
> Here’s what the received header used to look like:
>
> Received: ...(Postfix) with ESMTPS id
> As opposed to now:
>
> Received: ...(Postfix 3.4.5/8.13.0) with SMTP

> The first has an ESMTPS id and the other has SMTP id unknown.

The headers are added by postfix.

Postfix passes mail to Dovecot LDA or LMTP after the milter has
run.
Re: Mail to local users [ In reply to ]
On 17 Jun 2019, at 11:06, Reindl Harald <h.reindl@thelounge.net> wrote:
> Am 17.06.19 um 16:30 schrieb @lbutlr:
>> Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
>> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
>> Sun, 16 Jun 2019 15:26:32 -0600
>> (envelope-from <kreme@kreme.com>)
>>
>> The first has an ESMTPS id and the other has SMTP id unknown.
>
> a) ESMTPS is *not* authentication

I didn’t say it was, but the change in the header seems to be triggering spamass-milter in ways that it was not being triggered before.

On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
> if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
> of SMTP.
>
> Note that spamass-milter fakes the first Received: header (because milter
> must get message as it is received from mail client), but lack of "A" in the
> SMTP indicates that your mail is not really authenticated.

The message WAS sent via an authenticated connection:

Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, sasl_username=kreme@kreme.com
Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: message-id=<0C3BE5F6-C5B4-4B07-853D-FAD6DCBB68C1@kreme.com>
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: from=<kreme@kreme.com>, size=3259, nrcpt=2 (queue active)
Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=<mumble>, orig_to=<mumble>, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9, delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0 <mumble> 1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved)
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed


--
Try to realize it's all within yourself/No one else can make you change
Re: Mail to local users [ In reply to ]
On Mon, 17 Jun 2019, @lbutlr wrote:

>
> On 17 Jun 2019, at 11:06, Reindl Harald <h.reindl@thelounge.net> wrote:
>> Am 17.06.19 um 16:30 schrieb @lbutlr:
>>> Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
>>> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
>>> Sun, 16 Jun 2019 15:26:32 -0600
>>> (envelope-from <kreme@kreme.com>)
>>>
>>> The first has an ESMTPS id and the other has SMTP id unknown.
>>
>> a) ESMTPS is *not* authentication
>
> I didn’t say it was, but the change in the header seems to be triggering spamass-milter in ways that it was not being triggered before.
>
> On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>> if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
>> of SMTP.
>>
>> Note that spamass-milter fakes the first Received: header (because milter
>> must get message as it is received from mail client), but lack of "A" in the
>> SMTP indicates that your mail is not really authenticated.
>
> The message WAS sent via an authenticated connection:
>
> Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, sasl_username=kreme@kreme.com
> Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: message-id=<0C3BE5F6-C5B4-4B07-853D-FAD6DCBB68C1@kreme.com>
> Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: from=<kreme@kreme.com>, size=3259, nrcpt=2 (queue active)
> Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=<mumble>, orig_to=<mumble>, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9, delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0 <mumble> 1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved)
> Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed

Are you feeding spamass-milter the necessary information (via milter-macros in
your MTA config) so that -it- knows that particular session is authenticated? It
needs that info if it's going to synthesize the correct header so that
SpamAssassin knows that session was authenticated.

Specifically:
In your config for Milter.macros.envfrom you need to include "{auth_type},
{auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax,
translate into postfix as appropriate).

If you don't pass those {auth_*} macros into spamass-milter it has no way to
know a particular session is authenticated.



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Mail to local users [ In reply to ]
On Mon, 17 Jun 2019, David B Funk wrote:

> Are you feeding spamass-milter the necessary information (via milter-macros
> in your MTA config) so that -it- knows that particular session is
> authenticated? It needs that info if it's going to synthesize the correct
> header so that SpamAssassin knows that session was authenticated.
>
> Specifically:
> In your config for Milter.macros.envfrom you need to include "{auth_type},
> {auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax,
> translate into postfix as appropriate).
>
> If you don't pass those {auth_*} macros into spamass-milter it has no way to
> know a particular session is authenticated.

Taking a quick look at the source code for spamass-milter (I use a different
milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}'
so you can ignore {auth_authen} & {auth_author}.

But with out that '{auth_type}' macro info it assumes the session isn't
authenticated, and won't pass that on to SA.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Mail to local users [ In reply to ]
On Jun 17, 2019, at 12:28 PM, David B Funk <dbfunk@engineering.uiowa.edu> wrote:
> Taking a quick look at the source code for spamass-milter (I use a different milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}’ so you can ignore {auth_authen} & {auth_author}.

The default settings for postfix include:

$ postconf -d milter_mail_macros
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}

Which are not overridden in my configuration.

I do not see that postfix supports {auth_ssf}

<http://www.postfix.org/MILTER_README.html>


--
Bart: That was the worst day of my life Homer: That was the worst day of
your life SO FAR.
Re: Mail to local users [ In reply to ]
On 17 Jun 2019, at 14:28, David B Funk wrote:

> Taking a quick look at the source code for spamass-milter (I use a
> different milter) I can see that it explicitly needs '{auth_type}' and
> '{auth_ssf}'
> so you can ignore {auth_authen} & {auth_author}.

That's an unfortunate design choice.

The {auth_ssf} macro is (almost?) always going to be 0 and I suspect
that it's impossible for it to be anything else, since that would
indicate a "security layer" handled via SASL, which nobody really does.
If one is not supporting GSSAPI via SASL, it is not even hypothetically
possible to negotiate a security layer in SASL because it appears that
no other registered SASL mechanism supports any security layer; they
mostly just say "do this inside TLS."

If I were a user of spamass-milter, I would report that requirement as a
bug.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Mail to local users [ In reply to ]
>On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>>> But how do I tell spamass-milter not to check for PBL and other similar
>>> tests on mails from local users to local users?
>>
>> don't. This is exactly what spammers try for years to avoid being detected.

On 17.06.19 08:30, @lbutlr wrote:
>Spammers are not local users on my system.

local users don't send via SMTP so they can't appear in PBL.
Users who send via SMTP from host that is in PBL are not local.

Spammers often send mail from remote hosts (often listed in PBL), directly
to your local MTA, using your From: address.

>It appears that switching from dovecot LDA to dovecot LMTP has changed the
> appearance of the headers from local users. I’ll go check on the dovecot
> list.
>
>Here’s what the received header used to look like:
>
>Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93])
> by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59
> for <kreme@kreme.com>; Sun, 16 Aug 2009 22:19:02 -0600 (MDT)
>
>As opposed to now:
>
>Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
> by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
> Sun, 16 Jun 2019 15:26:32 -0600
> (envelope-from <kreme@kreme.com>)
>
>The first has an ESMTPS id and the other has SMTP id unknown.

as already explained on the postfix-user list, this has nothing to do with
the LDA, as it contains information how postfix received the message - not
how it processes the mail further (who is passed to).

Apparently the latter example is received via spamass-milter, missing queue
ID and containing strange version. The Received: header may be faked by
spamass-milter. do you use -x option for SA?



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
Re: Mail to local users [ In reply to ]
On 17 Jun 2019, at 11:32, @lbutlr <kremels@kreme.com> wrote:
> The message WAS sent via an authenticated connection:
>
> Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, sasl_username=kreme@kreme.com
> Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: message-id=<0C3BE5F6-C5B4-4B07-853D-FAD6DCBB68C1@kreme.com>

Solution was ridiculously simple.

I added

-o smtpd_milters=
-o milter_connect_macros=

To submission and smpts in master.cf

(I doubt the second line is needed, but eh… it’s not going to hurt)
Re: Mail to local users [ In reply to ]
On 18 Jun 2019, at 22:45, @lbutlr wrote:

> Solution was ridiculously simple.
>
> I added
>
> -o smtpd_milters=
> -o milter_connect_macros=
>
> To submission and smpts in master.cf
>
> (I doubt the second line is needed, but eh… it’s not going to hurt)

You did post on postfix-users how you set in master.cf submission and smtps services (see verbatim of this below):

#v+
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_path=private/auth
-o syslog_name=postfix/submit
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_data_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject

smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_path=private/auth
-o smtpd_data_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
#v-

IMHO, you should have put ‘-o milter_macro_daemon_name=ORIGINATING’ to services to let milters know the mail stream from authenticated connections is considered local.

hth

--
matt [at] lv223.org
GPG key ID: 7D91A8CA
Re: Mail to local users [ In reply to ]
?On Jun 19, 2019, at 04:56, Matt Anton <matt@lv223.org> wrote:
>
> IMHO, you should have put ‘-o milter_macro_daemon_name=ORIGINATING’ to services to let milters know the mail stream from authenticated connections is considered local.

That’s something to keep in mind, for sure, but I have one milter and I am not concerned about spam originating from my local users, all of whom I can personally thump if needed. ????

Disabling the milter entirely on the authenticated ports accomplishes what I need.