Re: Smtp auth and trusted_networks
On 11.07.14 22:20, Nick I wrote: I implemented your patch, but unfortunatelly it did not work for me. Authenticated sender IP address was recognised as trusted. I still need to have 'smtpd_sasl_authenticated_header = yes' in my postfix so i commented out these 3 lines. I still don't understad the point: isn't the whole point of authentication to avoid scanning the authenticated IP in blacklists? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace and quiet.
Re: Smtp auth and trusted_networks
Matus UHLAR - fantomas skrev den 2014-07-13 12:30: isn't the whole point of authentication to avoid scanning the authenticated IP in blacklists? that would be a fault, since when its sent via smtps or submission it would be in trusted_networks, but blindly think this is not spam is another fault, authenticated just help to know who to blame :)
Re: Smtp auth and trusted_networks
Matus UHLAR - fantomas skrev den 2014-07-13 12:30: isn't the whole point of authentication to avoid scanning the authenticated IP in blacklists? On 13.07.14 15:04, Benny Pedersen wrote: that would be a fault, since when its sent via smtps or submission it would be in trusted_networks, doesn't the posted patch avoid exactly this? but blindly think this is not spam is another fault, authenticated just help to know who to blame :) SA does not blindly think it is spam when it's sent with authentication. Authentication just causes the sending IP to be scanned in blacklists. That means, authenticated sending IP should not be scanned for dynamic lists, so it should not hit blacklists. This patch seems to remove this behaviour, so all authenticated mail from dynamic IPs may get too high score... What do I (or the others) miss here? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. He who laughs last thinks slowest.
Re: Smtp auth and trusted_networks
Matus UHLAR - fantomas skrev den 2014-07-13 17:14: What do I (or the others) miss here? auth smtp users here can have dynamic ip in pbl, that does not mean its spam sent from them on my postfix, but if my server ip was in pbl it would be rejected on destinations, that would be my own fault, not smtp auth faults i think this patch is completely unnedded if trusted_networks and internal_networks is doing its job smtp auth gets all_trusted, and system users get no_relays i yet to see that pbl ips with smtp auth here
Re: Smtp auth and trusted_networks
Matus UHLAR - fantomas skrev den 2014-07-13 17:14: What do I (or the others) miss here? On 13.07.14 18:27, Benny Pedersen wrote: i yet to see that pbl ips with smtp auth here any dynamic - dialup, DSL, cable ... ? they are supposed to use authentication and should not get RCVD_IN_SORBS_DUL RCVD_IN_MAPS_DUL RCVD_IN_PBL RDNS_DYNAMIC and metas like: DYN_RDNS_* DOS_*_TO_MX those combined can have score highly over 5. if you apply the patch, your own customers may get such score and get blocked (or whatever you do when they have too big score). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Depression is merely anger without enthusiasm.
Re: Smtp auth and trusted_networks
On 10.07.14 18:36, Nick I wrote: In the following example our mx received message with ESMTPSA from 1.1.1.1 and that ip detected as trusted. Our trusted_networks list do not have this ip configured. I need to run rbl check against 1.1.1.1. Is there any settings to not add authenticated host to trusted hosts ? isn't the whole point of authenticaTION to avoid scanning the authenticated IP in blacklists? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Smtp auth and trusted_networks
On 7/10/2014 5:55 PM, Giampaolo Tomassoni wrote: Il 2014-07-10 17:36 Nick I ha scritto: Hi In the following example our mx received message with ESMTPSA from 1.1.1.1 and that ip detected as trusted. Our trusted_networks list do not have this ip configured. I need to run rbl check against 1.1.1.1. Is there any settings to not add authenticated host to trusted hosts ? We use SpamAssassin version 3.3.1. You case is exactly what the patch in bug#6430 (https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts to cover. Unfortunately, that patch never went into any SA version, so you have to apply it by yourself if you really need to let your MX act as an MSA in case of authenticated submissions. If you use amavis, there is another option: move mail submission to another instance of your smtp daemon and configure it to submit received (and authenticated) message to an amavis channel you prepared for outgoing mail. Regards, Giampaolo If you use that patch and it works, please weigh in on the bugzilla or at least on the list. The patch was considered pretty esoteric and didn't justify yet another option in the code. But if people need it and use it, we will of course reconsider.
Re: Smtp auth and trusted_networks
I implemented your patch, but unfortunatelly it did not work for me.
Authenticated sender IP address was recognised as trusted.
I still need to have 'smtpd_sasl_authenticated_header = yes' in my postfix
so i commented out these 3 lines.
And it does work for my installation.
---
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm.orig
2010-03-16 14:49:21.0 +
+++
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Message/Metadata/Received.pm
2014-07-11 17:20:21.497687731 +
@@ -389,9 +389,9 @@
# with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and
others
# with HTTP should only be authenticated webmail sessions
# with HTTPU is used by Communigate Pro with Pronto! webmail interface
- if (/ by / / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
-$auth = $1;
- }
+#if (/ by / / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?:
|$)/i) {
+# $auth = $1;
+#}
# Courier v0.47 and possibly others
elsif (/^from .*?(?:\]\)|\)\]) \(AUTH: (LOGIN|PLAIN|DIGEST-MD5|CRAM-MD5)
\S+(?:, .*?)?\) by /) {
$auth = $1;
Thanks All for the help.
2014-07-11 17:26 GMT+03:00 Kevin A. McGrail kmcgr...@pccc.com:
On 7/10/2014 5:55 PM, Giampaolo Tomassoni wrote:
Il 2014-07-10 17:36 Nick I ha scritto:
Hi
In the following example our mx received message with ESMTPSA from
1.1.1.1 and that ip detected as trusted.
Our trusted_networks list do not have this ip configured.
I need to run rbl check against 1.1.1.1.
Is there any settings to not add authenticated host to trusted hosts ?
We use SpamAssassin version 3.3.1.
You case is exactly what the patch in bug#6430 (
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts to
cover.
Unfortunately, that patch never went into any SA version, so you have to
apply it by yourself if you really need to let your MX act as an MSA in
case of authenticated submissions.
If you use amavis, there is another option: move mail submission to
another instance of your smtp daemon and configure it to submit received
(and authenticated) message to an amavis channel you prepared for outgoing
mail.
Regards,
Giampaolo
If you use that patch and it works, please weigh in on the bugzilla or at
least on the list. The patch was considered pretty esoteric and didn't
justify yet another option in the code. But if people need it and use it,
we will of course reconsider.
Re: Smtp auth and trusted_networks
Il 2014-07-10 17:36 Nick I ha scritto: Hi In the following example our mx received message with ESMTPSA from 1.1.1.1 and that ip detected as trusted. Our trusted_networks list do not have this ip configured. I need to run rbl check against 1.1.1.1. Is there any settings to not add authenticated host to trusted hosts ? We use SpamAssassin version 3.3.1. You case is exactly what the patch in bug#6430 (https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6430) attempts to cover. Unfortunately, that patch never went into any SA version, so you have to apply it by yourself if you really need to let your MX act as an MSA in case of authenticated submissions. If you use amavis, there is another option: move mail submission to another instance of your smtp daemon and configure it to submit received (and authenticated) message to an amavis channel you prepared for outgoing mail. Regards, Giampaolo Jul 10 14:27:34.275 [9780] dbg: received-header: parsed as [ ip=1.1.1.1 rdns=sender1.domain.com [1] helo=mail.domain.com [2] by=mx.domain.com [3] ident= envfrom= intl=0 id= auth=ESMTPSA msa=0 ] Jul 10 14:27:34.275 [9780] dbg: received-header: relay 1.1.1.1 trusted? yes internal? yes msa? no Jul 10 14:27:34.277 [9780] dbg: received-header: parsed as [ ip=2.2.2.2 rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 id= auth= msa=0 ] Jul 10 14:27:34.277 [9780] dbg: received-header: relay 2.2.2.2 trusted? no internal? no msa? no Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Trusted: [ ip=1.1.1.1 rdns=sender1.domain.com [1] helo=mail.domain.com [2] by=mx.domain.com [3] ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ] Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=2.2.2.2 rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 id= auth= msa=0 ] Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-Internal: [ ip=1.1.1.1 rdns=sender1.domain.com [1] helo=mail.domain.com [2] by=mx.domain.com [3] ident= envfrom= intl=1 id= auth=ESMTPSA msa=0 ] Jul 10 14:27:34.277 [9780] dbg: metadata: X-Spam-Relays-External: [ ip=2.2.2.2 rdns= helo= by=mail.domain.com [2] ident= envfrom= intl=0 id= auth= msa=0 ] Thanks. Links: -- [1] http://sender1.domain.com [2] http://mail.domain.com [3] http://mx.domain.com
