Re: Smtp auth and trusted_networks

2014-07-11 Thread Matus UHLAR - fantomas

On 10.07.14 18:36, Nick I wrote:
> In the following example our mx received message with ESMTPSA from 1.1.1.1
> and that ip detected as trusted.
> Our trusted_networks list does not have this ip configured.
>
> I need to run rbl check against 1.1.1.1.
> Is there any setting to not add authenticated host to trusted hosts?

isn't the whole point of authenticaTION to avoid scanning the authenticated
IP in blacklists?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 


Re: Smtp auth and trusted_networks

2014-07-11 Thread Kevin A. McGrail

On 7/10/2014 5:55 PM, Giampaolo Tomassoni wrote:
> On 2014-07-10 17:36 Nick I wrote:
>> Hi
>>
>> In the following example our mx received message with ESMTPSA from
>> 1.1.1.1 and that ip detected as trusted.
>>
>> Our trusted_networks list does not have this ip configured.
>>
>> I need to run rbl check against 1.1.1.1.
>> Is there any setting to not add authenticated host to trusted hosts?
>>
>> We use SpamAssassin version 3.3.1.
>
> Your case is exactly what the patch in bug#6430
> (https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts
> to cover.
>
> Unfortunately, that patch never went into any SA version, so you have
> to apply it by yourself if you really need to let your MX act as an
> MSA in case of authenticated submissions.
>
> If you use amavis, there is another option: move mail submission to
> another instance of your smtp daemon and configure it to submit
> received (and authenticated) message to an amavis channel you prepared
> for outgoing mail.
>
> Regards,
>
> Giampaolo

If you use that patch and it works, please weigh in on the bugzilla or
at least on the list.  The patch was considered pretty esoteric and
didn't justify yet another option in the code.  But if people need it
and use it, we will of course reconsider.


Re: Smtp auth and trusted_networks

2014-07-11 Thread Nick I
I implemented your patch, but unfortunately it did not work for me.
Authenticated sender IP address was recognised as trusted.

I still need to have 'smtpd_sasl_authenticated_header = yes' in my postfix
so I commented out these 3 lines.
And it does work for my installation.

---
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm.orig
2010-03-16 14:49:21.0 +
+++
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm
2014-07-11 17:20:21.497687731 +
@@ -389,9 +389,9 @@
   # with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and
others
   # with HTTP should only be authenticated webmail sessions
   # with HTTPU is used by Communigate Pro with Pronto! webmail interface
-  if (/ by /  / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
-$auth = $1;
-  }
+#if (/ by /  / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
+#  $auth = $1;
+#}
   # Courier v0.47 and possibly others
   elsif (/^from .*?(?:\]\)|\)\]) \(AUTH: (LOGIN|PLAIN|DIGEST-MD5|CRAM-MD5)
\S+(?:, .*?)?\) by /) {
 $auth = $1;
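
Review bot: With the `if (/ by / ... / with (ESMTPA|ESMTPSA|...` block commented out, the Courier branch in the trailing context still begins with `elsif (/^from .*?...`, and no `if` is visible before it in this hunk; if the commented block was the head of the chain, Perl will not compile the file, so that `elsif` has to become `if`. The change also switches off `with ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?` detection for every message while the Courier `(AUTH: ...)` branch still sets `$auth`, and it edits the packaged file under /usr/share/perl5/vendor_perl, which a package update will overwrite. A configuration option, as the patch in bug 6430 proposes, would be safer than a local edit, and the site needs a note to reapply this after upgrades.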


Thanks All for the help.




Submitting to RBL

2014-07-11 Thread Asai

Greetings,

I've been looking for ways to submit spams to some RBL, but URIBL seems 
to not be accepting any submissions at this time.  Are there any others 
that anyone could recommend that I could submit to?  Some of the spam 
that's getting through the filters is just the same thing over and over 
again, and has a very low spam score, but it's still spam.  Although I'm 
training SA via sa-learn, it's still getting through.


Any insights appreciated.
Thanks!

--
--Asai



production MTA not doing URIBL lookups, why?

2014-07-11 Thread Quanah Gibson-Mount
For some reason, my production MTA is not doing URIBL lookups for spam 
scoring, for no obvious reason.  If I run a message through via the command 
line, I see the same behavior.  If I run it through a test server, I see 
URIBL scores hit like mad.


I do not appear to be blocked on my production MTA:

[zimbra@edge01 ~]$ host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text permanent testpoint

Message scoring for an obvious spam on prod gets:

No, score=-0.8 required=5.0 tests=HTML_FONT_LOW_CONTRAST,
   HTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,T_DKIM_INVALID,
   UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.0


On my test server, I get:

   Yes, score=8.2 required=5.0 tests=DKIM_SIGNED,
   HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,
   RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_SBL,
   RP_MATCHES_RCVD,SPF_HELO_PASS,T_DKIM_INVALID,UNPARSEABLE_RELAY,URIBL_BLACK,
   URIBL_DBL_SPAM,URIBL_SBL,URIBL_SBL_A autolearn=no autolearn_force=no
   version=3.4.0

Obviously, I'd like my production server to be catching spam. ;)

--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: production MTA not doing URIBL lookups, why?

2014-07-11 Thread Jeremy McSpadden
What does a debug output show ? On both .. Pastebin

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net/ | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955



Re: production MTA not doing URIBL lookups, why?

2014-07-11 Thread John Hardin

On Fri, 11 Jul 2014, Quanah Gibson-Mount wrote:
> Message scoring for an obvious spam on prod gets:
>
> No, score=-0.8 required=5.0 tests=HTML_FONT_LOW_CONTRAST,
>    HTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,T_DKIM_INVALID,
>    UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.0
>
> On my test server, I get:
>
>    Yes, score=8.2 required=5.0 tests=DKIM_SIGNED,
>    HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,
>    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_SBL,
>    RP_MATCHES_RCVD,SPF_HELO_PASS,T_DKIM_INVALID,UNPARSEABLE_RELAY,URIBL_BLACK,
>    URIBL_DBL_SPAM,URIBL_SBL,URIBL_SBL_A autolearn=no autolearn_force=no
>    version=3.4.0

Prod also misses DKIM_SIGNED and SPF_HELO_PASS. Network tests disabled,
maybe?


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The third basic rule of firearms safety:
  Keep your booger hook off the bang switch!
---
 5 days until the 69th anniversary of the dawn of the Atomic Age


Re: production MTA not doing URIBL lookups, why?

2014-07-11 Thread Quanah Gibson-Mount
--On Friday, July 11, 2014 4:44 PM -0700 John Hardin jhar...@impsec.org
wrote:

> Prod also misses DKIM_SIGNED and SPF_HELO_PASS. Network tests disabled,
> maybe?


Nope.  Found the issue however.

On my prod servers, I had the following set:

dns_available test: 10.110.0.108 10.110.0.109 10.210.0.166

which are the IP addresses for my DNS servers.  Unfortunately, with this 
line, SA always decides I don't have DNS for reasons that are beyond me, 
and then turns off the DNS checks.  I've now changed it to:


dns_available yes

and things work as desired.  So be very wary of telling SA to test DNS, 
because there's definitely something utterly broken there.


--Quanah


--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: production MTA not doing URIBL lookups, why?

2014-07-11 Thread RW
On Fri, 11 Jul 2014 16:00:57 -0700
Quanah Gibson-Mount wrote:

> --On Friday, July 11, 2014 4:44 PM -0700 John Hardin
> jhar...@impsec.org wrote:
>
>> Prod also misses DKIM_SIGNED and SPF_HELO_PASS. Network tests
>> disabled, maybe?
>
> Nope.  Found the issue however.
>
> On my prod servers, I had the following set:
>
> dns_available test: 10.110.0.108 10.110.0.109 10.210.0.166
>
> which are the IP addresses for my DNS servers.

Those are supposed to be domains to look up as a test, not the IP addresses
of DNS servers.

> Unfortunately, with
> this line, SA always decides I don't have DNS for reasons that are
> beyond me,

It's clearly documented on the man page.


Re: production MTA not doing URIBL lookups, why?

2014-07-11 Thread Quanah Gibson-Mount
--On Saturday, July 12, 2014 1:18 AM +0100 RW rwmailli...@googlemail.com
wrote:

>> Unfortunately, with
>> this line, SA always decides I don't have DNS for reasons that are
>> beyond me,
>
> It's clearly documented on the man page.


Ah, yeah, I see that.  I misread the first bit:

By default, SpamAssassin will query some default hosts on the internet to 
attempt to check if DNS is working or not.


as meaning that if I put in the test line, it'd change to querying the DNS 
servers I specified. :P


--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
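
The misconfiguration diagnosed in this thread can be caught before it reaches production. The following is an added example, not code from the posters or from the SpamAssassin project: it lints `dns_available` lines, assuming (as RW states above) that the entries after `test:` are domain names to look up. The sample config is constructed from the values quoted in the thread, and `example.org` / `example.net` are placeholders.

```python
import ipaddress
import re

# Constructed sample: the setting posted in the thread, the corrected
# setting, and a test list using placeholder domains.
SAMPLE_CF = """\
# as posted in the thread
dns_available test: 10.110.0.108 10.110.0.109 10.210.0.166
# corrected setting from the thread
dns_available yes
# explicit test domains (placeholders)
dns_available test: example.org example.net
"""

DIRECTIVE = re.compile(r"^\s*dns_available\s+(\S.*?)\s*$")

def is_ip_literal(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_dns_available(cf_text):
    """Return a (lineno, severity, message) tuple per dns_available line."""
    findings = []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        value = match.group(1)
        if value.lower() in ("yes", "no", "test"):
            findings.append((lineno, "ok", value.lower()))
            continue
        head, sep, rest = value.partition(":")
        if head.strip().lower() != "test" or not sep:
            findings.append((lineno, "error", "unrecognised value: " + value))
            continue
        names = rest.split()
        ips = [n for n in names if is_ip_literal(n)]
        if ips:
            # Resolver addresses in the list make the DNS test fail, after
            # which network checks (RBL, URIBL, SPF) are switched off.
            findings.append((lineno, "error",
                             "IP addresses in test list: " + " ".join(ips)))
        else:
            findings.append((lineno, "ok", "test domains: " + " ".join(names)))
    return findings

if __name__ == "__main__":
    for finding in lint_dns_available(SAMPLE_CF):
        print(finding)
```
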