SA dns_server option

2014-12-02 Thread Matteo Dessalvi

Hi all.

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?

To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?

Thanks in advance.

Best regards,
Matteo


Re: SA dns_server option

2014-12-02 Thread Axb

On 12/02/2014 12:32 PM, Matteo Dessalvi wrote:

Hi all.

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?

To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?

Thanks in advance.

Best regards,
Matteo


No matter how hard I look, I can't find a dns_server option in SA's conf

did you mean  dns_available  ??

( http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt )

or is this an Amavis option (I don't know Amavis)




Re: SA dns_server option

2014-12-02 Thread Axb

On 12/02/2014 01:16 PM, Axb wrote:

On 12/02/2014 12:32 PM, Matteo Dessalvi wrote:

Hi all.

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?

To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?

Thanks in advance.

Best regards,
Matteo


No matter how hard I look, I can't find a dns_server option in SA's conf

did you mean  dns_available  ??

( http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt )

or is this an Amavis option (I don't know Amavis)




doh..

there it is

dns_server

dns_server ip-addr-port (default: entries provided by Net::DNS)
 Specifies an IP address of a DNS server, and optionally its port
 number. The *dns_server* directive may be specified multiple times,
 each entry adding to a list of available resolving name servers. The
 *ip-addr-port* argument can either be an IPv4 or IPv6 address,
 optionally enclosed in brackets, and optionally followed by a colon
 and a port number. In absence of a port number a standard port
 number 53 is assumed. When an IPv6 address is specified along with a
 port number, the address must be enclosed in brackets to avoid
 parsing ambiguity regarding a colon separator,

 Examples :
  dns_server 127.0.0.1
  dns_server 127.0.0.1:53
  dns_server [127.0.0.1]:53
  dns_server [::1]:53

 In absence of *dns_server* directives, the list of name servers is
 provided by Net::DNS module, which typically obtains the list from
 /etc/resolv.conf, but this may be platform dependent. Please consult
 the Net::DNS::Resolver documentation for details.


You don't need to specify one unless you need the specials in the config



Re: SA dns_server option

2014-12-02 Thread Matteo Dessalvi

Yes, I have read the docs but I was not sure if SA,
when used through Amavis, would use such option.

Nevermind, I pushed up the log verbosity of my DNS
caching service and it looks like SA is using it.
So, problem solved :-).

Thanks.

Best regards,
Matteo

On 02.12.2014 13:18, Axb wrote:


doh..

there it is

dns_server

dns_server ip-addr-port (default: entries provided by Net::DNS)
 Specifies an IP address of a DNS server, and optionally its port
 number. The *dns_server* directive may be specified multiple times,
 each entry adding to a list of available resolving name servers. The
 *ip-addr-port* argument can either be an IPv4 or IPv6 address,
 optionally enclosed in brackets, and optionally followed by a colon
 and a port number. In absence of a port number a standard port
 number 53 is assumed. When an IPv6 address is specified along with a
 port number, the address must be enclosed in brackets to avoid
 parsing ambiguity regarding a colon separator,

 Examples :
  dns_server 127.0.0.1
  dns_server 127.0.0.1:53
  dns_server [127.0.0.1]:53
  dns_server [::1]:53

 In absence of *dns_server* directives, the list of name servers is
 provided by Net::DNS module, which typically obtains the list from
 /etc/resolv.conf, but this may be platform dependent. Please consult
 the Net::DNS::Resolver documentation for details.


You don't need to specify one unless you need the specials in the config



Re: SA dns_server option

2014-12-02 Thread Mark Martinec

Matteo Dessalvi wrote:

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?


Yes it is.


To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?


The dns_server only affects SpamAssassin. If you want other
applications on that host to also use the same recursive
name server, its address needs to be in /etc/resolv.conf.
For example DKIM validation is done by amavisd calling
Net::DNS directly, which has no idea about SpamAssassin
settings. Similarly a milter or MTA.


Yes, I have read the docs but I was not sure if SA,
when used through Amavis, would use such option.

Nevermind, I pushed up the log verbosity of my DNS
caching service and it looks like SA is using it.
So, problem solved :-).



  Mark
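
Added example, not part of the original thread and not SpamAssassin or Amavis code: a small Python check that parses dns_server arguments following the ip-addr-port syntax quoted above and compares them with the nameserver lines of resolv.conf, to show when SpamAssassin and the other Net::DNS callers on the host would query different resolvers. The function names and the sample file contents are assumptions made for illustration.

```python
import ipaddress
import re

# ip-addr-port as documented: IPv4 or IPv6, optional brackets, optional :port.
_BRACKETED = re.compile(r"^\[([^\]]+)\](?::(\d+))?$")

def parse_dns_server(arg):
    """Return (address, port) for one dns_server argument; ValueError if invalid."""
    m = _BRACKETED.match(arg)
    if m:
        host, port = m.group(1), m.group(2)
    elif arg.count(":") == 1:        # unbracketed IPv4 followed by :port
        host, port = arg.split(":")
    else:                            # bare address; every colon belongs to IPv6
        host, port = arg, None
    port = 53 if port is None else int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {arg!r}")
    return ipaddress.ip_address(host), port

def sa_resolvers(conf_text):
    """Resolvers named by dns_server lines in SpamAssassin config text."""
    found = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "dns_server":
            found.append(parse_dns_server(fields[1]))
    return found

def system_resolvers(resolv_text):
    """Resolvers named by nameserver lines in resolv.conf text (always port 53)."""
    found = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append((ipaddress.ip_address(fields[1]), 53))
    return found

def resolver_drift(conf_text, resolv_text):
    """Return (only SpamAssassin uses, only the rest of the host uses)."""
    sa, system = set(sa_resolvers(conf_text)), set(system_resolvers(resolv_text))
    if not sa:                       # no dns_server: SA takes Net::DNS's list
        return set(), set()
    return sa - system, system - sa

# Constructed sample inputs, not taken from the thread.
SAMPLE_LOCAL_CF = "dns_available yes\ndns_server 127.0.0.1\ndns_server [::1]:53\n"
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    print(resolver_drift(SAMPLE_LOCAL_CF, SAMPLE_RESOLV_CONF))
```

An unbracketed "::1:53" parses as the IPv6 address ::1:53 on port 53, which is the colon ambiguity the documentation warns about.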


Re: SA dns_server option

2014-12-02 Thread Reindl Harald


Am 02.12.2014 um 14:16 schrieb Mark Martinec:

Matteo Dessalvi wrote:

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?


Yes it is.


To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?


The dns_server only affects SpamAssassin. If you want other
applications on that host to also use the same recursive
name server, its address needs to be in /etc/resolv.conf.
For example DKIM validation is done by amavisd calling
Net::DNS directly, which has no idea about SpamAssassin
settings. Similarly a milter or MTA


i would recommend setting up unbound on 127.0.0.1, letting it do recursion
directly, and configuring internal zones as forwarders, which can also
include forwarding to an rbldnsd running on 127.0.0.1 using a
different port


so /etc/resolv.conf just contains 127.0.0.1

see below for how that could look

* one source for all services
* local caching
* no problems with DNS blacklists, by doing recursion
  instead of sharing a forwarder that exceeds limits
__

minimal-responses: yes
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow

local-zone: 192.in-addr.arpa. nodefault

forward-zone:
 name: dnsbl.thelounge.net
 forward-addr: 127.0.0.1@1053

forward-zone:
 name: thelounge.net
 forward-addr: 192.168.196.6
 forward-addr: 192.168.196.106

stub-zone:
 name: 192.in-addr.arpa.
 stub-addr: 192.168.196.6
 stub-addr: 192.168.196.106
__





Re: SA dns_server option

2014-12-02 Thread Mark Martinec

For example DKIM validation is done by amavisd calling
Net::DNS directly


A nitpick:  Actually, amavisd is calling Mail::DKIM when DKIM
validation is enabled, which in turn calls Net::DNS. The validation
result is then passed to SpamAssassin's DKIM plugin, so that it
doesn't need to do the validation again.

  Mark


Re: SA dns_server option

2014-12-02 Thread Matteo Dessalvi

Hi.

@Mark: thanks for the explanations about Amavis/SA.

@Reindl: thanks, I am indeed using unbound as a DNS
caching server. Interesting the option 'minimal-responses',
I would check that.

Regards,
   Matteo

On 02.12.2014 14:16, Mark Martinec wrote:

Matteo Dessalvi wrote:

I have a short question about the dns_server option of SA.
Is this option used when SA is called from Amavis and there
isn't any spamd process running?


Yes it is.


To be more clear: should I also be forced to add the IP
address of the caching DNS server to /etc/resolv.conf
or the option would be sufficient?


The dns_server only affects SpamAssassin. If you want other
applications on that host to also use the same recursive
name server, its address needs to be in /etc/resolv.conf.
For example DKIM validation is done by amavisd calling
Net::DNS directly, which has no idea about SpamAssassin
settings. Similarly a milter or MTA.



   Mark


Re: SA dns_server option

2014-12-02 Thread Reindl Harald


Am 02.12.2014 um 15:20 schrieb Matteo Dessalvi:

@Mark: thanks for the explanations about Amavis/SA.

@Reindl: thanks, I am indeed using unbound as a DNS
caching server. Interesting the option 'minimal-responses',
I would check that


it's damned useful, Google is also using it on their public NS
a drop of 25%-30% in DNS traffic on our auth-nameservers

for BIND: minimal-responses yes; inside options {}

the only drawback is that dig no longer resolves MX hostnames and so
on to the IP until you ask explicitly; well, for that i wrote a
web-interface answering any possible question about a domain







Re: SA dns_server option

2014-12-02 Thread Benny Pedersen

Axb skrev den 2014-12-02 13:16:

No matter how hard I look, I can't find a dns_server option in SA's conf


oh are you living in belgium ? :)


did you mean  dns_available  ??


next line after that is dns_server

( http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt )

or is this an Amavis option (I don't know Amavis)


possibly you are looking at an incorrect config file

# dns_server ip-addr-port (default: entries provided by Net::DNS)
dns_server 127.0.0.1

ip-addr-port should just be ip-addr:port imho; if only ip-addr is defined,
it defaults to port 53


may santa be with this maillist here