Re: private networks are default rbl tested :/

2018-11-06 Thread RW
On Wed, 07 Nov 2018 00:27:27 +0100
Benny Pedersen wrote:

> RW wrote on 2018-11-06 02:04:
> > On Mon, 05 Nov 2018 23:37:59 +0100
> > Benny Pedersen wrote:
> >   
> >> https://en.wikipedia.org/wiki/Private_network
> >> 
> >> why are these networks not default internal_networks trusted_networks
> >> msa_networks
> > 
> > They are if you let SA guess your networks. If you specify the
> > networks manually you have to specify everything  
> 
> is this documented somewhere?

Yes, under trusted_networks in the main configuration documentation.
  

> >> spamassassin makes many wasted rbl tests with not knowing what to
> >> skip  
> > 
> > Do you have any evidence that that is happening?  
> 
> I will reverse this too, are there any rbl servers with lists
> 192.168.1.1 being blocked?


Private addresses shouldn't be queried, there is code to ignore them.



Re: private networks are default rbl tested :/

2018-11-06 Thread Benny Pedersen

RW wrote on 2018-11-06 02:04:

> On Mon, 05 Nov 2018 23:37:59 +0100
> Benny Pedersen wrote:
>
>> https://en.wikipedia.org/wiki/Private_network
>>
>> why are these networks not default internal_networks trusted_networks
>> msa_networks
>
> They are if you let SA guess your networks. If you specify the networks
> manually you have to specify everything

is this documented somewhere?

as I know only 127.0.0.1 is default if no config is done

>> spamassassin makes many wasted rbl tests with not knowing what to skip
>
> Do you have any evidence that that is happening?

I will reverse this too, are there any rbl servers with lists 192.168.1.1
being blocked?

> The network configuration would only affect private
> addresses that are internal and/or trusted, so it can't be the
> mechanism that prevents wasted lookups on private addresses.

would be good if this was default in spamassassin local.cf, so users could
just clear these listings, or keep good defaults


Re: private networks are default rbl tested :/

2018-11-06 Thread Bill Cole

On 5 Nov 2018, at 20:04, RW wrote:

> On Mon, 05 Nov 2018 23:37:59 +0100
> Benny Pedersen wrote:
>
>> https://en.wikipedia.org/wiki/Private_network
>>
>> why are these networks not default internal_networks trusted_networks
>> msa_networks
>
> They are if you let SA guess your networks. If you specify the networks
> manually you have to specify everything


And the reason for that is simply that not everyone trusts all of the 
machines on reachable RFC1918 networks. For example, I worked for some 
years at a multinational where 10/8 was allocated globally and was 
routed globally. I had a list of specific non-local machines I was 
supposed to trust for outbound relay (and use when my outbounds couldn't 
use the local external link) but there was no way I could also trust the 
tens of thousands of other 10.* machines around the world that could 
very well be compromised personal desktops. I didn't even trust my own 
local personal desktops.
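
An added illustration, not part of any message in this thread and not SpamAssassin's own code: a simplified Python model of the two separate decisions discussed above, whether a relay is trusted and whether its address is worth an RBL lookup. The sample addresses, the MANUAL list, and the rules that trust stops at the first untrusted hop and that trusted relays get no lookup are assumptions of this model.

```python
import ipaddress

# RFC 1918 private ranges (the networks the thread is about).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, networks):
    return any(ip in net for net in networks)

def classify_relays(relay_ips, trusted_networks=None):
    """Classify relays, newest Received hop first.

    trusted_networks=None models "let SA guess": private addresses are
    trusted. A list models a manual setting: only the listed networks are
    trusted, private or not. Returns (ip, trusted, rbl_lookup) tuples.
    """
    explicit = None
    if trusted_networks is not None:
        explicit = [ipaddress.ip_network(n) for n in trusted_networks]
    results, chain_trusted = [], True
    for text in relay_ips:
        ip = ipaddress.ip_address(text)
        private = in_any(ip, RFC1918)
        listed = private if explicit is None else in_any(ip, explicit)
        # Model assumption: trust is a chain from the newest hop, so
        # nothing behind an untrusted relay is trusted.
        chain_trusted = chain_trusted and listed
        # Private addresses are never looked up, whatever the trust
        # setting says; this model also skips trusted relays.
        rbl_lookup = not private and not chain_trusted
        results.append((text, chain_trusted, rbl_lookup))
    return results

# Constructed sample path: local relay, a listed remote relay, an unlisted
# 10.* desktop, and a public sender (documentation address range).
SAMPLE_PATH = ["10.1.0.5", "10.20.0.25", "10.77.3.9", "203.0.113.45"]
MANUAL = ["10.1.0.5/32", "10.20.0.25/32"]

if __name__ == "__main__":
    for label, nets in (("guessed", None), ("manual", MANUAL)):
        print(label)
        for row in classify_relays(SAMPLE_PATH, nets):
            print("  %-14s trusted=%-5s rbl_lookup=%s" % row)
```

With the manual list, the unlisted 10.77.3.9 loses its trusted status but still produces no RBL query, which is the separation between the two mechanisms that RW points out.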


Re: Error running sa-update - cannot refresh mirrors file

2018-11-06 Thread Rodney Baker
On Friday, 2 November 2018 3:45:08 ACDT RW wrote:
> On Wed, 31 Oct 2018 22:59:55 +1030
> 
> Rodney Baker wrote:
> > On Wednesday, 31 October 2018 7:29:51 ACDT RW wrote:
> > > curl --verbose -L -O --remote-time -g --max-redirs 2
> > > --connect-timeout 30 --max-time 300
> > > http://spamassassin.apache.org/updates/MIRRORED.BY
> > 
> > Here's the output from that command:
> > 
> > 
> > < HTTP/1.1 200 OK
> 
> ...
> 
> > { [data not shown]
> 
> So curl is working.

So, I got the error reported again. I tried running the curl command suggested 
above, and it appeared to complete successfully. I then ran sa-update, and got 
the error message. 


root@mailpi ~ # curl --verbose -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 http://spamassassin.apache.org/updates/MIRRORED.BY
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 95.216.24.32...
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0* Connected to spamassassin.apache.org (95.216.24.32) port 80 (#0)
> GET /updates/MIRRORED.BY HTTP/1.1
> User-Agent: curl/7.38.0
> Host: spamassassin.apache.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 06 Nov 2018 11:36:32 GMT
* Server Apache/2.4.18 (Ubuntu) is not blacklisted
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Sat, 27 Oct 2018 16:35:00 GMT
< ETag: "576-579386aca20a2"
< Accept-Ranges: bytes
< Content-Length: 1398
<
{ [data not shown]
100  1398  100  1398    0     0    615      0  0:00:02  0:00:02 --:--:--   615
* Connection #0 to host spamassassin.apache.org left intact

root@mailpi ~ # sa-update
error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file
root@mailpi ~ #
---

This does not appear to be a problem with curl, per se, but rather something 
related to sa-update.

-- 
==
Rodney Baker
rod...@jeremiah31-10.net
CCNA #CSCO12880208
==