date:20210420

Antony Stone wrote:
> Bob Proulx wrote:
> > I was not aware that this mailing list requires one to be subscribed
> > to post to it.  Does it?  It's not necessary on most technical mailing
> > lists.
> 
> I would in fact say the exact opposite: most mailing lists do
> require subscription in order to post, primarily in order to reduce
> spam from random addresses.

But, but, but...  SpamAssassin's entire purpose is an anti-spam
function!  Oh the irony of it!

> After all, if just anyone, without subscription, can post to a list, then 
> it's 
> open to the entire Internet, and then, as we all know, anarchy ensues...

Hmm...  No.  I disagree.  It's not if-one-then-the-other.  All that is
needed to disprove it is one example.  And as it happens I can list
two immediately.

So as it happens I am actually one of the anti-spam admins for the
lists.gnu.org mailing lists.  There are some 1,500+ mailing lists
there.  Most of them are bug reporting mailing lists.  Requiring
people to subscribe to a mailing list in order to make a report would
be much too burdensome.  Therefore the bug reporting lists are open
lists and anyone may post there and it does not require subscriptions.

I know that many will argue that there is nothing but chaos and
anarchy there but there is very little spam on the mailing lists!  (If
people do see spam there I welcome reports so that problem can get
addressed.  Send reports to the mailman AT gnu.org address please.)
One of the major components of the anti-spam to those mailing lists is
SpamAssassin.  Plus some additional things too of course.

Secondly the Debian project mailing lists are extensive and extremely
active too.  The Debian lists are all open lists.  Anyone may post to
them.  Many do!  I am not directly involved there but I have been a
long time community participant.

If we can do it then why can't SpamAssassin do it for itelf?  Don't
answer as that's a rhetorical question.  I already know the answer.
The answer is because SpamAssassin is using the Apache Software
Foundation infrastructure and Apache isn't operating their mailing
lists that way.  The SpamAssassin group could do things differently
from Apache if they wanted to do so but using the Apache
infrastructure has advantages and that is why they moved under that
umbrella in the first place.  And closed mailing lists are just one of
the trade-offs of that decision and it is okay.

Bob

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread RW

On Mon, 19 Apr 2021 20:40:58 -0400
Bill Cole wrote:

> On 19 Apr 2021, at 18:25, RW wrote:

> I suggested exempting messages hitting ALL_TRUSTED from 
> KAM_DMARC_REJECT.
> Matus noted correctly that doing so with external machines in 
> trusted_networks could result in "problems" i.e. allowing unsigned
> (i.e. fake) messages to bypass KAM_DMARC_REJECT because they are
> originating on a machine which is trusted not to write bogus Received
> headers. Note that a machine in trusted_networks is NOT necessarily
> presumed to not originate spam.
> I proposed (and have committed to my sandbox) an ALL_INTERNAL rule
> which could be used to exempt mail which has originated on internal
> networks

Anything that enters through through the remote trusted network and hits
ALL_TRUSTED will almost certainly pass whatever authentication
mechanism are set-up for the domain.

The difference between ALL_TRUSTED and ALL_INTERNAL will likely be
small. There are minor advantages either way.

Re: How do you set nomail for the List?

2021-04-20 Thread Antony Stone

On Tuesday 20 April 2021 at 23:27:14, Bob Proulx wrote:

> I was not aware that this mailing list requires one to be subscribed
> to post to it.  Does it?  It's not necessary on most technical mailing
> lists.

I would in fact say the exact opposite: most mailing lists do require 
subscription in order to post, primarily in order to reduce spam from random 
addresses.

After all, if just anyone, without subscription, can post to a list, then it's 
open to the entire Internet, and then, as we all know, anarchy ensues...

At least if you have to subscribe first:

a) the subscription process itself is a barrier to bots

b) a list admin can block unwanted posters.

Antony.

-- 
I know I always wanted to be somebody, but I guess I should have been more 
specific.

   Please reply to the list;
 please *don't* CC me.

Re: How do you set nomail for the List?

Antony Stone wrote:
> Incidentally, I had no idea what "a pre-mangled address for the web archive
> readers" meant.

You are the second person to mention this, the first in a direct
message to me. Which means there will be many. Sorry. Let me
explain.

Due to too much caution about spammers harvesting email addresses from
web pages most web mailing list archives block display of anything
that looks similar to an email address. I say similar because often
false positives are a problem. Which is super annoying!

While I am still reading email with an actual mail reader (I am using
mutt) I know that the majority of all email users today are using a
web-mail interface to email. And many of those people are using
mailing list archives to read mailing lists. Therefore I try to write
with that reading interface of those other users in mind.

This web archive hiding of anything that looks like an email address
makes posting email addresses in responses to people more difficult
than it should be. I happen to be aware of the problem and sensitive
to the breakage and therefore, when I remember to do so, I try to
include both the address written plain as it should be and also
encoded in the typical way for a human to be able to read it and
reconstruct it back into the original.

Here are some examples of my message with the email address hidden,
obscured, "mangled" by the web mail readers, for the archives listed
for this mailing list. So that you can see the problem that is being
addressed by including both a plain email address and also a human
readable but encoded address to avoid the hiding.

says "[hidden email]"

http://spamassassin.1065346.n5.nabble.com/How-do-you-set-nomail-for-the-List-td161302.html

says "users-unsubscr...@spamassassin.apache.org" with those dots mangling it
https://www.mail-archive.com/users@spamassassin.apache.org/msg108060.html

says "user...@spamassassin.apache.org" again with different dots mangling it

https://markmail.org/search/list:org.apache.spamassassin.users#query:list%3Aorg.apache.spamassassin.users+page:1+mid:5tjzft7smag2433m+state:results

Meanwhile other archives show the message plain.

https://mail-archives.apache.org/mod_mbox/spamassassin-users/202104.mbox/browser

https://marc.info/?l=spamassassin-users=161893573926245=2

Sorry for perhaps obscure and confusing reference to "pre-mangling"
it. I meant I was going to get ahead of the web archive manglers and
do it myself so that my "pre-mangled" version would be left un-mangled
and therefore still readable and possible to reconstruct.

And also even though the OP was asking the question that means there
are many more people who would like to know the answer to it too who
are wanting to know but not wanting to ask. And some of them will use
the web to search for wisdom and find one of the above email archives.
If they find a good archive without mangling then they have their
answer. If they find a bad archive that mangles then they are left
still looking. However in this case, hopefully, my answer is still
useful to them even on a bad archive as they can assemble it
themselves.

https://xkcd.com/979/

Hopefully that explains what I meant there! :-)

Bob

Re: How do you set nomail for the List?

RW wrote:
> I think the question was getting no mail without unsubscribing and
> losing the ability to post. This is useful if you read a list by other
> means, e.g. via NNTP.

I was not aware that this mailing list requires one to be subscribed
to post to it.  Does it?  It's not necessary on most technical mailing
lists.

I look now at the help file for the apache.org mailing lists and do
not find any way to set a "nomail" option (which some other mailing
list management software provides).  Therefore I think there is no
feature to do it.  The help file only lists unsubscription.  Since it
has become part of the discussion I will include the help file at the
end.

As to your specific case question I can only find this infomration on
it and it appears that primarily it requires the list owner to
manually handle things.

https://www.ezmlm.org/manual/Unsubscribing.html

1.4.1 Posting from an alternative address when post are allowed only to 
subscribers.

When a list is set up to allow posts from subscribers only(*), a post
from an address ('jon...@softx.com') may be rejected since this
address is not a subscriber (even though mail to the subscriber
'j...@univ.edu' reaches you, ezmlm has no way of knowing this). The
easiest way to deal with this is to unsubscribe 'j...@univ.edu' and
subscribe 'jon...@softx.com'. If this is not possible/desirable, send
the addresses in question with a note to
'mailinglist-ow...@example.org'.

The list owner can add your sender address (in this case
'jon...@softx.com') to an extra address lists of non-subscribers
allowed to post (and access the archive). The extra addresses are
kept in a database much like subscriber addresses.

In fact, you can add the address 'jon...@softx.com' as an alias
for the list 'mailingl...@example.org' by mailing
'mailinglist-allow-subscribe-jonesj=softx@example.org' and
replying to the confirmation request. Again, you're changing the
"target" address of the request from the default (the sender
address) by adding the target to the command with the '@' replaced
by '='. Of course, the "allow" list doesn't send out posts. It is
solely a vehicle for storing "allowed" aliases.

That last paragraph (I reformated it into these paragraphs for
readability) is not clear to me and I do not understand it.  But this
next makes it clear that it can only be done by an administrator.

https://www.ezmlm.org/manual/Adding-Aliases.html

2.4 Adding subscriber aliases(*).

ezmlm lists may be set up to only allow subscribers to send
messages to the list. This is less secure than moderation, but
still keeps most "garbage" off the list. Occasionally, a user may
wish to send messages from an address other than the subscription
address. As a remote administrator, you can add the user's alias
to a special "allow" database. To add 'j...@example.net' as an
alias to the 'mailingl...@example.org', send mail to
'mailinglist-allow-subscribe-john=example@example.org'. -unsubscribe
and other commands work the same way. The messages ezmlm sends
talk about the 'mailinglist-al...@example.org' mailing list, but
of course you know that this is just a figure of speech.

On lists that do not have subscription moderation, users can add
themselves to the "allow" database in the same way. This is
documented only briefly in the USER'S manual.

Archive access may also be restricted to subscribers. Like
subscribers of the list or the digest list, addresses in the
"allow" database are allowed to access the archive.

Therefore it seems that unsubscribing is the only action a user may
take to avoid receiving email.  The above requires the mailing list
owner to take action.

Bob

Hi! This is the ezmlm program. I'm managing the
users@spamassassin.apache.org mailing list.

This is a generic help message. The message I received wasn't sent to
any of my command addresses.

--- Administrative commands for the users list ---

I can handle administrative requests automatically. Please
do not send them to the list address! Instead, send
your message to the correct command address:

To subscribe to the list, send a message to:

To remove your address from the list, send a message to:

Send mail to the following for info and FAQ for this list:

Similar addresses exist for the digest list:

To get messages 123 through 145 (a maximum of 100 per request), mail:

To get an index with subject and author for messages 123-456 , mail:

They are always returned as sets of 100, max 2000 per request,
so you'll actually get 100-499.

To receive all messages with the same subject as message 12345,
send a short message to:

The messages should contain one line or word of text to avoid being
treated as sp@m, but I will ignore their content.
Only the ADDRESS you send to is important.

You can start a subscription for an

Re: Spamassassin goes to folder spam

2021-04-20 Thread RW

On Tue, 20 Apr 2021 01:12:18 +0200
mau...@gmx.ch wrote:

> Hello
> 
> Asking for litle help.. Doevecot and sieve are running fine.. One
> thing now, if receiving mail from Users-spamassassin
> 
> This mail will by forwarding from sieve to folder spam. I didn't see
> why this will transfer there.

You have two conflicting X-Spam-flag headers. This isn't why your email
wasn't filtered into the list folder, but it's the more serious problem.

Ordinarily SA will strip any pre-existing X-Spam-* headers, which
suggests some other software is calling SA as a library and writing its
own headers. If possible configure a header with a different and unique name.

Re: How do you set nomail for the List?

2021-04-20 Thread Antony Stone

On Tuesday 20 April 2021 at 22:54:29, RW wrote:

> On Tue, 20 Apr 2021 10:21:57 -0600 Bob Proulx wrote:
> > Don Saklad wrote:
> > > How do you set nomail for the List?
> > 
> > To unsubscribe send an email message to this address.  Followed by a
> > pre-mangled address for the web archive readers that hide email
> > addresses.
> > 
> > users-unsubscr...@spamassassin.apache.org
> 
> I think the question was getting no mail without unsubscribing and
> losing the ability to post. This is useful if you read a list by other
> means, e.g. via NNTP.

I thought the question was for someone being away for some time and not 
wanting to build up list emails which wouldn't be replied to, and therefore 
probably also wouldn't be worth reading upon the return.

mailman supports this on its web interface; I can't see the equivalent 
function on what this list runs on.

Incidentally, I had no idea what "a pre-mangled address for the web archive 
readers" meant.

Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."

   Please reply to the list;
 please *don't* CC me.

Re: How do you set nomail for the List?

2021-04-20 Thread RW

On Tue, 20 Apr 2021 10:21:57 -0600
Bob Proulx wrote:

> Don Saklad wrote:
> > How do you set nomail for the List?   
> 
> To unsubscribe send an email message to this address.  Followed by a
> pre-mangled address for the web archive readers that hide email
> addresses.
> 
> users-unsubscr...@spamassassin.apache.org

I think the question was getting no mail without unsubscribing and
losing the ability to post. This is useful if you read a list by other
means, e.g. via NNTP.

Re: How do you set nomail for the List?

Don Saklad wrote:
> How do you set nomail for the List? 

To unsubscribe send an email message to this address.  Followed by a
pre-mangled address for the web archive readers that hide email
addresses.

users-unsubscr...@spamassassin.apache.org

users-unsubscribe AT spamassassin DOT apache DOT org

For general information about the mailing lists:

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/MailingLists

Bob

Re: Senderscore

2021-04-20 Thread Bill Cole

On 20 Apr 2021, at 7:27, Simon Wilson wrote:

> ...is the correct way to disable it:
>
> local.cf:   score RCVD_IN_VALIDITY_RPBL 0

Yes.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread Bill Cole


On 20 Apr 2021, at 7:48, Matus UHLAR - fantomas wrote:


On 19 Apr 2021, at 21:28, John Hardin wrote:

...so:

 header  ALL_INTERNAL  X-Spam-Relays-External =~ /^$/

?


On 19.04.21 22:15, Bill Cole wrote:
Actually, what I committed earlier today in my sandbox and will move 
to the main rules tree if it doesn't do anything crazy in masschecks:


describe __NO_EXTERNALS No external relays
header   __NO_EXTERNALS X-Spam-Relays-External =~ /^$/

describe ALL_INTERNAL   Has only internal relays
meta ALL_INTERNAL   __NO_EXTERNALS && !NO_RELAYS
tflags   ALL_INTERNAL   nice


afik NO_RELAYS hits when mail was locally generated, which means, so 
you need

at least one relay, otherwise it won't hit.

Are you sure you need it this way?


Sure? I'm rarely sure about anything...

It was suggested to me off-list and I think it makes sense from a broad 
view to have non-overlapping full coverage of the possibilities and 
semantic consistency across "ALL_TRUSTED" and "ALL_INTERNAL" in 
asserting that "ALL" is non-zero.


However, it does make sense in this case to exclude __NO_EXTERNALS from 
DMARC checking rather than ALL_INTERNAL. I'm undecided on whether either 
actually needs to be a scored rule.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails


header DMARC_FAIL_REJECT Authentication-Results =~
/mail\.simonandkate\.net; dmarc=fail \(p=reject/
describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
score DMARC_FAIL_REJECT 6.0

That works fine,


this rule is DMARC testing in OUTbound mail, dont do this :)


***No it is not DMARC testing in OUTbound mail*** (not shouting, just  
stressing this point)


Read my message again please :)
I have said a few times I do *not* run milters on outbound email, so  
the header that rule tests for *does not exist on outbound email*, and  
so the custom DMARC rule does not trigger on outbound email. It DOES  
trigger on INbound emails, which is correct.



the rule is fine for INbound mail, IF you use opendmarc before  
spamassassin milter, there is no garenti that spamassassin see  
opendmarc results in that chains of trustness


its safe to remove all AR headers before doing own milters that add  
local testing and trusted headers, AR headers is not DKIM signed by  
a good reason :=)



and has the bonus of only running when I expect it to
- which is when I have ensured the relevant milters have run and
added  trusted headers on inbound email.


irrelevant since the rule in spamassassin is still used in OUTbound  
and INbound, it will give false possitive testing this in  
spamassassin, work around could be to have spamd for inbound,and  
spamd for outbound, but this needs new rules for outbound :=)


Sorry, you have not understood what I have written.

I will try and be clearer:

- OpenDMARC only runs on inbound email (controlled as a milter only on  
port 25 inbound Postfix)
- When OpenDMARC runs it adds an Authentication-Results header with a  
trusted Authserv-ID
- Only when that header exists does the rule trigger in Spamassassin,  
i.e. THE RULE ONLY TRIGGERS ON INBOUND




--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails


On 2021-04-20 14:48, Simon Wilson wrote:


score__KAM_DMARC_POLICY_REJECT 0
score__KAM_DMARC_POLICY_QUAR   0
score__KAM_DMARC_POLICY_NONE   0
score__KAM_DMARC_POLICY_DKIM_STRICT0

... as then the metas will never pass.


any solutions creates another problem

Re: KAM_DMARC_REJECT on internal emails


On 2021-04-20 14:35, Henrik K wrote:

> On Mon, Apr 19, 2021 at 10:05:21PM +1000, Simon Wilson wrote:

rather than change the channel distributed KAM.cf, what needs to go in
local.cf to tell that not to run? *CAN* it be disabled from local.cf, 
or can

it only be done by commenting out the entry in KAM.cf?


It would not make any sense to not be able to override things.  Or edit 
a
channel file which would later be overwritten?  Of course you can 
disable it

in local.cf:

score __KAM_DMARC_POLICY_REJECT 0


i just say it does not solve the real problem

it possible already solved in spamassassin 4

is it time for RFE with running spamd for indbound and another spamd for 
outbound ?


Framework is still missing for this

Re: KAM_DMARC_REJECT on internal emails


> On Mon, Apr 19, 2021 at 10:05:21PM +1000, Simon Wilson wrote:

rather than change the channel distributed KAM.cf, what needs to go in
local.cf to tell that not to run? *CAN* it be disabled from local.cf, or can
it only be done by commenting out the entry in KAM.cf?


It would not make any sense to not be able to override things.  Or edit a
channel file which would later be overwritten?  Of course you can disable it
in local.cf:

score __KAM_DMARC_POLICY_REJECT 0


Thanks Henrik -

So KAM.cf's

  askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT  
/^v=DMARC1;.*\bp=reject;/


is prevented from running its DNS query by setting in local.cf:

  score __KAM_DMARC_POLICY_REJECT 0

That is what I wanted to understand  :) thanks.

So the best way to disable the KAM DMARC rules is not to set score 0  
on the metas, but set score 0 on the askdns rules:


score__KAM_DMARC_POLICY_REJECT 0
score__KAM_DMARC_POLICY_QUAR   0
score__KAM_DMARC_POLICY_NONE   0
score__KAM_DMARC_POLICY_DKIM_STRICT0

... as then the metas will never pass.


--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails


On 2021-04-20 14:21, Simon Wilson wrote:


 header DMARC_FAIL_REJECT Authentication-Results =~
/mail\.simonandkate\.net; dmarc=fail \(p=reject/
 describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
 score DMARC_FAIL_REJECT 6.0

That works fine,


this rule is DMARC testing in OUTbound mail, dont do this :)

the rule is fine for INbound mail, IF you use opendmarc before 
spamassassin milter, there is no garenti that spamassassin see opendmarc 
results in that chains of trustness


its safe to remove all AR headers before doing own milters that add 
local testing and trusted headers, AR headers is not DKIM signed by a 
good reason :=)



and has the bonus of only running when I expect it to
 - which is when I have ensured the relevant milters have run and
added  trusted headers on inbound email.


irrelevant since the rule in spamassassin is still used in OUTbound and 
INbound, it will give false possitive testing this in spamassassin, work 
around could be to have spamd for inbound,and spamd for outbound, but 
this needs new rules for outbound :=)


i remember KAM sayed, the possible to do anything in Framework is 
stable, its just rules that is still waiting for spamassassin 4.x.x


when you post problems here its a hope KAM listen on it, and will 
possible change the problem


all the best, YMMV



Simon.

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread Henrik K

> > On Mon, Apr 19, 2021 at 10:05:21PM +1000, Simon Wilson wrote:
>
> rather than change the channel distributed KAM.cf, what needs to go in
> local.cf to tell that not to run? *CAN* it be disabled from local.cf, or can
> it only be done by commenting out the entry in KAM.cf?

It would not make any sense to not be able to override things.  Or edit a
channel file which would later be overwritten?  Of course you can disable it
in local.cf:

score __KAM_DMARC_POLICY_REJECT 0

Re: KAM_DMARC_REJECT on internal emails


On 2021-04-20 13:48, Matus UHLAR - fantomas wrote:

On 19 Apr 2021, at 21:28, John Hardin wrote:

...so:

 header  ALL_INTERNAL  X-Spam-Relays-External =~ /^$/

?


On 19.04.21 22:15, Bill Cole wrote:
Actually, what I committed earlier today in my sandbox and will move 
to the main rules tree if it doesn't do anything crazy in masschecks:


describe __NO_EXTERNALS No external relays
header   __NO_EXTERNALS X-Spam-Relays-External =~ /^$/

describe ALL_INTERNAL   Has only internal relays
meta ALL_INTERNAL   __NO_EXTERNALS && !NO_RELAYS
tflags   ALL_INTERNAL   nice


afik NO_RELAYS hits when mail was locally generated, which means, so 
you need

at least one relay, otherwise it won't hit.

Are you sure you need it this way?


!NO_RELAYS is external ip since NO_RELAYS is internal_networks

this is so cool that Bill created another rule for ALL_EXTERNAL when 
NO_RELAYS exists :/


please fokus on DKIM signed mails is LOCAL domains or not

KAM cant help knowing what is local or not, we all wait for spamassassin 
4.x.x where this mess is solved by no need for any rules waste anymore


Bill have this in mind when AuthRes doing this on 4.x.x then KAM rule 
will be not needed or atleast change for 4.x.x usage


hope the best for the future of spamassassin

Re: KAM_DMARC_REJECT on internal emails


They do yes. However I use fetchmail to retrieve emails from some
services; fetchmail presents into the inbound stack as being from
127.0.0.1 - so I do not use the milters' "whitelists" to decide
whether or not to run on inbound email, I use directed flow through
postfix and amavisd to decide whether or not the milters are run.


make your fetchmail use mda, problem solved


In the context of my query here on *outbound* email... I do *not* run
milters on outbound email, so it is only the KAM DMARC rules which
were running regardless which generated an issue.


fetchmail is inbound not outbound, kam rule is not a milter



Hi Benny,

The original issue was OUTbound all-internal email. You mentioned  
milters whitelisting 127.0.0.1 which as my milters only run on INbound  
is irrelevant to the original issue (none of my milters run on  
internal-->internal email). My comment on fetchmail was to point out  
one example of where I change milters to *not* ignore localhost: you  
cannot assume milters *always* ignore localhost just because they do  
by default. And I do not have a problem with fetchmail to solve - it  
works well, configured to drop to my smtphost where milters *do*  
process it as inbound email, even though it is seen as being from  
localhost (the fetchmail daemon smtphost drops it to a specific  
postfix instance).


Anyway, back to OUTBOUND internal-->internal :)

When SA runs in this scenario email has not been DKIM signed, SPF is  
irrelevant, and the email has never left my perimeter - a DMARC  
evaluation should NOT be run. It looks like there are some good ideas  
on how to resolve that, for which I am grateful.




FWIW...
Whilst I can see the value of the KAM DMARC rules for an "out of the  
box" install of SA, I will likely leave them disabled on ALL email: I  
have a robust inbound milter setup which adds sequentially trusted  
headers for SPF, DKIM, ARC and DMARC.


My preference is for SA to use \existing trusted headers/ to base  
DKIM, SPF, ARC, DMARC score decisions on - *NOT* to run additional DNS  
lookups to do its own when they have already been done (even though  
likely nameserver-cached).


I already do this with DMARC, which SA does not do DNS-checking tests  
for (out of the box, i.e. without KAM rules). I have custom rules in  
local.cf which use the headers provided by OpenDMARC:


e.g.
 header DMARC_FAIL_REJECT Authentication-Results =~  
/mail\.simonandkate\.net; dmarc=fail \(p=reject/

 describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
 score DMARC_FAIL_REJECT 6.0

That works fine, and has the bonus of only running when I expect it to  
- which is when I have ensured the relevant milters have run and added  
trusted headers on inbound email.


Simon.

--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread Matus UHLAR - fantomas


On 19 Apr 2021, at 21:28, John Hardin wrote:

...so:

 header  ALL_INTERNAL  X-Spam-Relays-External =~ /^$/

?


On 19.04.21 22:15, Bill Cole wrote:
Actually, what I committed earlier today in my sandbox and will move 
to the main rules tree if it doesn't do anything crazy in masschecks:


describe __NO_EXTERNALS No external relays
header   __NO_EXTERNALS X-Spam-Relays-External =~ /^$/

describe ALL_INTERNAL   Has only internal relays
meta ALL_INTERNAL   __NO_EXTERNALS && !NO_RELAYS
tflags   ALL_INTERNAL   nice


afik NO_RELAYS hits when mail was locally generated, which means, so you need
at least one relay, otherwise it won't hit.

Are you sure you need it this way?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread Matus UHLAR - fantomas


On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:

I understand this as:

if mail was received by internal relay unauthenticated, it's 
external,


On 19.04.21 12:49, Bill Cole wrote:

I cannot make SA behave that way.



On 19 Apr 2021, at 13:03, Matus UHLAR - fantomas wrote:

why not?


On 19.04.21 13:20, Bill Cole wrote:
When I provide SA with a message that has stepped through 2 internal 
machines with no authentication, SA *DOES NOT* insert any information 
about the relay host in X-Spam-Relays-External.


OK, this how I understand it:

__LAST_EXTERNAL_RELAY_NO_AUTH

- message received from external (by internal) network unauthenticated
- incoming message
- check SPF/DKIM/DMARC

!__LAST_EXTERNAL_RELAY_NO_AUTH

- message received from external (by internal) network authenticated
- locally generated/outgoing message
- don't check SPF/DKIM/DMARC, may DKIM-sign


e.g., these received headers:

Return-Path: 
	Received: from skinnyclam.scconsult.com (skinnyclam.scconsult.com 
[192.168.254.125])

by toaster.scconsult.com (Postfix) with ESMTP id 
4FP7Tb0wWWz5q7dl
for ; Mon, 19 Apr 2021 09:49:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by skinnyclam.scconsult.com (Postfix) with ESMTP id D74214C88329
for ; Mon, 19 Apr 2021 09:49:22 -0400 (EDT)



Results in these RELAYS* assignments:

	Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSTRUSTED is 
now ready, value: [ ip=192.168.254.125 rdns=skinnyclam.scconsult.com 
helo=skinnyclam.scconsult.com by=bigsky.scconsult.com ident= 
envfrom=r...@skinnyclam.scconsult.com intl=1 id=4FP7Tb0wWWz5q7dl auth= 
msa=0 ] [ ip=127.0.0.1 rdns=localhost helo=localhost 
by=skinnyclam.scconsult.com ident= 
envfrom=r...@skinnyclam.scconsult.com intl=1 id=D74214C88329 auth= 
msa=0 ]
	Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSUNTRUSTED 
is now ready, value:
	Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSINTERNAL 
is now ready, value: [ ip=192.168.254.125 
rdns=skinnyclam.scconsult.com helo=skinnyclam.scconsult.com 
by=bigsky.scconsult.com ident= envfrom=r...@skinnyclam.scconsult.com 
intl=1 id=4FP7Tb0wWWz5q7dl auth= msa=0 ] [ ip=127.0.0.1 rdns=localhost 
helo=localhost by=skinnyclam.scconsult.com ident= 
envfrom=r...@skinnyclam.scconsult.com intl=1 id=D74214C88329 auth= 
msa=0 ]
	Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSEXTERNAL 
is now ready, value:



this should be the correct case above - this is mail created in your
network, you chould not check, but sign it instead.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: Senderscore


And btw, usually on the DNS infos of Senderscores, you can see about 3
days of lag compared to their online interface, dunno if expected on
their side, or they're facing perf issues, but that service is not a
top priority at all at least

On Mon, Apr 19, 2021 at 7:29 PM Simon Bressier  wrote:


Hi Simon,

For info for few days now, the Senderscore DNS server is failing to
answer. I've pinged one relation I have at Validity so they can dig on
it.

Senderscore via DNS is a legacy service they just maintain but dunno
for how long... They are more on a mood to stop that service in the
future to push to their API usage, and you ofc need to be client to
use it :)



Seems like a good candidate to be dropped from tests.

That dnsbl is called in 20_dnsbl_tests.cf as follows:

 # Validity RPBL (née Return Path Reputation Network Blacklist - RNBL):
 # https://www.senderscore.org/blocklistlookup/
 # (replaces RCVD_IN_RP_RNBL)
 header RCVD_IN_VALIDITY_RPBL  
eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
 describe RCVD_IN_VALIDITY_RPBL   Relay in Validity RPBL,  
https://senderscore.org/blocklistlookup/

 tflags RCVD_IN_VALIDITY_RPBL net publish
 reuse RCVD_IN_VALIDITY_RPBL  RCVD_IN_RP_RNBL

...is the correct way to disable it:

local.cf:   score RCVD_IN_VALIDITY_RPBL 0

?

Simon

--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails

2021-04-20 Thread Matus UHLAR - fantomas

>On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
>> I understand this as:
>>
>> if mail was received by internal relay unauthenticated, it's
>> external,

On 19.04.21 12:49, Bill Cole wrote:
>I cannot make SA behave that way.

On Mon, 19 Apr 2021 19:03:55 +0200
Matus UHLAR - fantomas wrote:

why not?

meta KAM_DMARC_REJECT  __LAST_EXTERNAL_RELAY_NO_AUTH &&
!(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT

should avoid KAM_DMARC_REJECT if the mail was accepted authenticated
by internal relay from external one.

On 19.04.21 18:19, RW wrote:

__LAST_EXTERNAL_RELAY_NO_AUTH will hit if an email arrived in the
internal network from external-trusted.

that should be it, DKIM should be checked at internal network border, so it
should be checked even when receiving mail from trusted (but not internal)
hosts.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)

Re: KAM_DMARC_REJECT on internal emails