Re: whitelist_from_rcvd and trusted_networks
On Sat, 08 Aug 2009 17:10:01 -0500 Chris <cpoll...@embarqmail.com> wrote:

> I have an entry in a what I call my-whitelist.cf in /etc/mail/spamassassin:
>
> whitelist_from_rcvd blackwell_...@yahoo.com yahoo.com
>
> If I run a message from this person with spamassassin -D -t msg shouldn't I get a hit on USER_IN_WHITELIST or not?

The trouble with whitelist_from_rcvd is that it relies on the MX server recording reverse DNS - most do, some don't.

> Also, I'm still not sure I have my trusted_networks setting correct. I have this in my local.cf:
>
> trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
>
> Here is a line of Received: from headers from a test mail to myself:
>
> Received: from [71.54.109.114]
>
> and one from someone else using embarq
>
> Received: from [71.48.166.180]
>
> If I read the below correctly this is a listing of all CIDRs in the embarq AS range:
> http://www.cidr-report.org/cgi-bin/as-report?as=as6367view=2.0
> should all of these be listed in the trusted_networks entry or do I misunderstand the concept still?

Absolutely not, it leaves thousands of back-doors open. Just use the ip addresses used as servers, not customer addresses. /24 ranges based on the server addresses you've seen in headers are usually a safe compromise. Often the servers between you and the MX server use private addresses, which makes things a lot easier - you can safely list all private addresses.

The best way to tell is to send test messages from external mail services or look at real mail - mail from yourself can be misleading.

If you are using an ISP for your mail you're conservatively advised to put them in trusted_networks because that behaves least badly for the worst case ISPs. In practice it's almost always better to put them into internal_networks so SA knows where the real MX servers are, particularly in your case since embarq records authentication on its submission server, note the "with ESMTPA" in your headers.
Re: whitelist_from_rcvd and trusted_networks
On Sun, 2009-08-09 at 00:56 +0100, RW wrote:

> The trouble with whitelist_from_rcvd is that it relies on the MX server recording reverse DNS - most do, some don't.
>
> > Also, I'm still not sure I have my trusted_networks setting correct. I have this in my local.cf:
> >
> > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
> >
> > Here is a line of Received: from headers from a test mail to myself:
> >
> > Received: from [71.54.109.114]
> >
> > and one from someone else using embarq
> >
> > Received: from [71.48.166.180]
> >
> > If I read the below correctly this is a listing of all CIDRs in the embarq AS range:
> > http://www.cidr-report.org/cgi-bin/as-report?as=as6367view=2.0
> > should all of these be listed in the trusted_networks entry or do I misunderstand the concept still?
>
> Absolutely not, it leaves thousands of back-doors open. Just use the ip addresses used as servers, not customer addresses. /24 ranges based on the server addresses you've seen in headers are usually a safe compromise. Often the servers between you and the MX server use private addresses, which makes things a lot easier - you can safely list all private addresses.
>
> The best way to tell is to send test messages from external mail services or look at real mail - mail from yourself can be misleading.

I didn't think that would be necessary, after sending mail to myself from three other accounts here is what I see:

Received: from [195.4.92.94] ([195.4.92.94:38943] helo=mout4.freenet.de)
    by smtp.embarq.synacor.com (envelope-from @freenet.de)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 8F/64-30700-A051E7A4;
    Sat, 08 Aug 2009 20:15:07 -0400
Received: from [195.4.92.23] (helo=13.mx.freenet.de)
    by mout4.freenet.de with esmtpa (ID @freenet.de) (port 25)
    (Exim 4.69 #92) id 1MZw42-0007og-6v
    for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200
Received: from web13.emo.freenet-rz.de ([194.97.107.135]:51350)
    by 13.mx.freenet.de with esmtpa (ID @freenet.de) (port 25)
    (Exim 4.69 #93) id 1MZw42-CS-2N
    for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200

Received: from [206.190.38.132] ([206.190.38.132:27950] helo=web51001.mail.re2.yahoo.com)
    by smtp.embarq.synacor.com (envelope-from @yahoo.com)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 54/BB-30700-4571E7A4;
    Sat, 08 Aug 2009 20:24:52 -0400

Received: from [209.85.210.204] ([209.85.210.204:50198] helo=mail-yx0-f204.google.com)
    by smtp.embarq.synacor.com (envelope-from @gmail.com)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id D3/99-26274-D381E7A4;
    Sat, 08 Aug 2009 20:28:45 -0400
Received: by 10.150.218.17 with SMTP

> If you are using an ISP for your mail you're conservatively advised to put them in trusted_networks because that behaves least badly for the worst case ISPs. In practice it's almost always better to put them into internal_networks so SA knows where the real MX servers are, particularly in your case since embarq records authentication on its submission server, note the "with ESMTPA" in your headers.

Ok, now I am a bit confused, this 71.54.109.114 and the other IP shown at the top would go into internal_networks?

-- 
KeyID 0xE372A7DA98E6705C
Re: whitelist_from_rcvd and trusted_networks
On Sun, 2009-08-09 at 00:56 +0100, RW wrote:

> > Also, I'm still not sure I have my trusted_networks setting correct. I have this in my local.cf:
> >
> > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
> >
> > Here is a line of Received: from headers from a test mail to myself:
> >
> > Received: from [71.54.109.114]
> >
> > and one from someone else using embarq
> >
> > Received: from [71.48.166.180]
> >
> > If I read the below correctly this is a listing of all CIDRs in the embarq AS range:
> > http://www.cidr-report.org/cgi-bin/as-report?as=as6367view=2.0
> > should all of these be listed in the trusted_networks entry or do I misunderstand the concept still?
>
> Absolutely not, it leaves thousands of back-doors open. Just use the ip addresses used as servers, not customer addresses. /24 ranges based on the server addresses you've seen in headers are usually a safe compromise. Often the servers between you and the MX server use private addresses, which makes things a lot easier - you can safely list all private addresses.
>
> The best way to tell is to send test messages from external mail services or look at real mail - mail from yourself can be misleading.
>
> If you are using an ISP for your mail you're conservatively advised to put them in trusted_networks because that behaves least badly for the worst case ISPs. In practice it's almost always better to put them into internal_networks so SA knows where the real MX servers are, particularly in your case since embarq records authentication on its submission server, note the "with ESMTPA" in your headers.

One other note, I have a formail recipe that parses out the sender-ip, ASN and CIDR. For instance in the test I sent to myself from gmail it shows this:

X-senderip: 209.85.210.204
X-asn: ASN-15169
X-cidr: 209.85.210.0/24

Would it be safe/sane to put the 208.85.210.0/24 into the trusted_networks line?

-- 
KeyID 0xE372A7DA98E6705C
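Added example for the trust-path discussion in this thread (RW's warning that trusting customer address space "leaves thousands of back-doors open", and Chris's question about which addresses belong in trusted_networks versus internal_networks). This is not code from the thread or from SpamAssassin itself; it is a simplified Python model of how SA walks the Received: chain top-down against trusted_networks and internal_networks to pick the "last external" relay, the address its DNSBL-type checks are applied to. The three freenet.de headers and the trusted_networks line are taken from Chris's posts; the FORGED_CHAIN, the hostnames dsl-customer.example and innocent.example, and the 203.0.113.7 address are constructed for the demonstration. The ESMTPA flag is only extracted and reported here; SA's msa_networks handling of authenticated submission is not modelled.

```python
# Simplified model of SpamAssassin's Received: trust path (added example, not SA code).
import ipaddress
import re

def parse_networks(spec):
    """Parse an SA-style network list ("192.168/16 71.48.160.0/20") into ip_network
    objects. SA accepts short forms such as 192.168/16; ipaddress needs four octets."""
    nets = []
    for token in spec.split():
        addr, _, plen = token.partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False))
    return nets

def in_networks(ip, nets):
    """True if ip falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# First dotted-quad after "Received: from" is the connecting client's address.
_FROM_IP = re.compile(r"^Received:\s+from\b.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I | re.S)

def client_ip(header):
    """Return the client IP recorded in a 'Received: from ...' header, or None for
    headers without a from clause (e.g. 'Received: by 10.150.218.17 with SMTP')."""
    m = _FROM_IP.match(header)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None

def walk_trust_path(headers, trusted, internal):
    """Walk headers newest-first. A relay is trusted only while every relay above it
    was trusted and its own client IP is in trusted_networks; everything below the
    first untrusted relay was written by hosts we do not control. The first relay
    outside internal_networks is the 'last external' relay. Returns (relays, last_external)."""
    relays, last_external, still_trusted = [], None, True
    for h in headers:
        ip = client_ip(h)
        if ip is None:
            continue
        relay = {
            "ip": ip,
            "auth": bool(re.search(r"\bwith\s+E?SMTPS?A\b", h, re.I)),  # e.g. "with ESMTPA"
            "trusted": still_trusted and in_networks(ip, trusted),
        }
        relay["internal"] = relay["trusted"] and in_networks(ip, internal)
        if not relay["trusted"]:
            still_trusted = False
        if last_external is None and not relay["internal"]:
            last_external = relay
        relays.append(relay)
    return relays, last_external

def last_external_ip(headers, trusted_spec, internal_spec=None):
    """The address SA would treat as the sending relay. If internal_networks is not
    set, SA defaults it to trusted_networks, which this wrapper mirrors."""
    trusted = parse_networks(trusted_spec)
    internal = parse_networks(internal_spec) if internal_spec is not None else trusted
    _, last = walk_trust_path(headers, trusted, internal)
    return last["ip"] if last else None

# Headers from the freenet.de test message posted in the thread, one string each.
FREENET_HEADERS = [
    "Received: from [195.4.92.94] ([195.4.92.94:38943] helo=mout4.freenet.de) by smtp.embarq.synacor.com (envelope-from @freenet.de) (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 8F/64-30700-A051E7A4; Sat, 08 Aug 2009 20:15:07 -0400",
    "Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout4.freenet.de with esmtpa (ID @freenet.de) (port 25) (Exim 4.69 #92) id 1MZw42-0007og-6v for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200",
    "Received: from web13.emo.freenet-rz.de ([194.97.107.135]:51350) by 13.mx.freenet.de with esmtpa (ID @freenet.de) (port 25) (Exim 4.69 #93) id 1MZw42-CS-2N for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200",
]
CHRIS_TRUSTED = "192.168/16 71.48.160.0/20 71.54.96/19"  # the local.cf line from the thread
SERVERS_ONLY = "192.168/16"                              # same list with the customer ranges removed

# Constructed chain (not from the thread): an embarq customer address delivers
# straight to the embarq MX; the lower header was written by that customer host
# and so carries no authority.
FORGED_CHAIN = [
    "Received: from [71.48.166.180] ([71.48.166.180:1025] helo=dsl-customer.example) by smtp.embarq.synacor.com with ESMTP id 00/00-00000-00000000; Sun, 09 Aug 2009 10:00:00 -0400",
    "Received: from [203.0.113.7] (helo=innocent.example) by dsl-customer.example with SMTP; Sun, 09 Aug 2009 09:59:00 -0400",
]

if __name__ == "__main__":
    print("freenet test, thread config      ->", last_external_ip(FREENET_HEADERS, CHRIS_TRUSTED))
    print("customer space in trusted_networks ->", last_external_ip(FORGED_CHAIN, CHRIS_TRUSTED))
    print("servers only in trusted_networks   ->", last_external_ip(FORGED_CHAIN, SERVERS_ONLY))
```

With the thread's trusted_networks line, the freenet test resolves to 195.4.92.94 (mout4.freenet.de) as the sending relay, which is what you want. With the same line applied to the constructed chain, the customer address 71.48.166.180 counts as trusted, so the walk keeps going and believes the header the customer host wrote, reporting 203.0.113.7 instead; dropping the customer ranges stops the walk at 71.48.166.180. Passing a separate internal_spec lets you check the trusted-but-not-internal case RW recommends for ISP servers.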