SPF and SORBS problems
I've got a server configured with postfix and spamassassin. The mailserver is the only one for the domain, and thus receives mail from other servers, as well as letting users connect directly (with smtp auth) to send mail.

Everything works fine, EXCEPT when users send email to each other. In those cases, the emails get tagged both by SPF_FAIL and RCVD_IN_SORBS_DUL as those tests see the email as coming from the user's personal IP address.

I've tried

    whitelist_from_spf [EMAIL PROTECTED]

in local.cf, but it doesn't work. Messages still get tagged with SPF_FAIL. I didn't see any similar option for the RBL stuff.

Is there any way to do conditional tests, such that SMTP Auth messages get whitelisted? I don't know if there's a way in postfix to add a header only to auth connections? All I could find for postfix was address rewriting stuff, nothing about conditional situations like an authenticated user.

Any help would be appreciated, as I'd really rather not disable SPF and RBL completely.

Thanks,
James
Re: SPF and SORBS problems
On 8/14/2006 6:45 PM, Xepher wrote:

> I've got a server configured with postfix and spamassassin. The mailserver is the only one for the domain, and thus receives mail from other servers, as well as letting users connect directly (with smtp auth) to send mail.
>
> Everything works fine, EXCEPT when users send email to each other. In those cases, the emails get tagged both by SPF_FAIL and RCVD_IN_SORBS_DUL as those tests see the email as coming from the user's personal IP address.
>
> I've tried whitelist_from_spf [EMAIL PROTECTED] in local.cf, but it doesn't work. Messages still get tagged with SPF_FAIL. I didn't see any similar option for the RBL stuff.
>
> Is there any way to do conditional tests, such that SMTP Auth messages get whitelisted? I don't know if there's a way in postfix to add a header only to auth connections? All I could find for postfix was address rewriting stuff, nothing about conditional situations like an authenticated user.
>
> Any help would be appreciated, as I'd really rather not disable SPF and RBL completely.

Yeah I have that problem as well, who doesn't. ;-)

In the short term I just whitelisted the domains that the server is responsible for in local.cf so that all my users would automatically get a -100 added to their score when they send mail. This will nullify any scores added due to SPF and DUL.

Example:

    whitelist_from [EMAIL PROTECTED]

The drawback to this is that someone can spam you by forging your own domain but if your domain is protected by something like SPF then there is no worry of that.

If you are running Postfix > v2.3 you might want to look at this page http://wiki.apache.org/spamassassin/DynablockIssues under the heading 'I'm an ISP, and mails from our customers, using authenticated connections from another ISP, are hitting RCVD_IN_DYNABLOCK.'

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
T: 416-247-7740
F: 416-247-7503
Re: SPF and SORBS problems
Daryl C. W. O'Shea wrote:

> See the third heading on this wiki page that tells you how to resolve this specific issue:
>
> http://wiki.apache.org/spamassassin/DynablockIssues
>
> Daryl

Thank you. That solved the problem. Upgrade to new SA and Postfix versions and everything plays nicely now, as postfix puts in a header for authentication, and SA can read it. I even get "all_trust" to fire on authenticated emails.

Sadly I never found that page on my own, as it doesn't have any of the keywords I searched for. The phrase "dynablock" never came up in anything I was having trouble with.

Thanks again,
--James
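An added example, not from the thread and not SpamAssassin's own code: a simplified Python model of why the fix described above works, and why the authentication marker can only be believed in the Received header written by your own server. It assumes Postfix is recording SASL logins in that header (the `smtpd_sasl_authenticated_header = yes` setting, which the thread does not name), a server called `mail.example.org`, and constructed sample messages.

```python
import email
import re

MY_MTA = "mail.example.org"  # assumption: hostname our own Postfix stamps after "by"

# Postfix Received line; the "(Authenticated sender: ...)" comment is only
# present for SASL-authenticated sessions when the MTA is set to record it.
HOP_RE = re.compile(
    r"from\s+\S+\s+\(\S+\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s*(?P<user>[^)]+)\))?"
    r"\s+by\s+(?P<by>\S+)")

# Constructed sample: a user on a dial-up range submitting with SMTP AUTH.
AUTHENTICATED = """\
Received: from [192.168.1.20] (unknown [198.51.100.23])
\t(Authenticated sender: james)
\tby mail.example.org (Postfix) with ESMTPA id 4F2A1
From: james@example.org
Subject: test

body
"""

# Constructed sample: unauthenticated delivery carrying a forged lower header.
FORGED = """\
Received: from relay.example.net (relay.example.net [203.0.113.50])
\tby mail.example.org (Postfix) with ESMTP id 9C0DE
Received: from [10.0.0.5] (unknown [10.0.0.5])
\t(Authenticated sender: james)
\tby mail.example.org (Postfix) with ESMTPA id 00000
From: james@example.org
Subject: forged

body
"""

def classify_submission(raw_message):
    """Return (client_ip, auth_user, exempt) for the hop into MY_MTA, reading
    only the topmost Received header: our server wrote it; lower ones can be forged."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return (None, None, False)
    hop = HOP_RE.search(" ".join(received[0].split()))  # unfold the header first
    if not hop or hop.group("by").lower() != MY_MTA:
        return (None, None, False)
    user = hop.group("user")
    # exempt=True means: do not apply DUL/SPF checks to this client IP.
    return (hop.group("ip"), user.strip() if user else None, user is not None)
```

The forged sample stays subject to the DUL and SPF checks because its authentication marker sits below the header the server itself added.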
Re: SPF and SORBS problems
Xepher writes:

> Daryl C. W. O'Shea wrote:
> > See the third heading on this wiki page that tells you how to resolve
> > this specific issue:
> >
> > http://wiki.apache.org/spamassassin/DynablockIssues
> >
> > Daryl
>
> Thank you. That solved the problem. Upgrade to new SA and Postfix
> versions and everything plays nicely now, as postfix puts in a header
> for authentication, and SA can read it. I even get "all_trust" to fire
> on authenticated emails. Sadly I never found that page on my own, as it
> doesn't have any of the keywords I searched for. The phrase "dynablock"
> never came up in anything I was having trouble with.

feel free to add explanatory text so that it will in future ;)

--j.
Re: SPF and SORBS problems
Justin Mason wrote:

> feel free to add explanatory text so that it will in future ;)

Done. Would've done so sooner, but it listed the page as "immutable." And I didn't realize that changed if I created a login. Hopefully that should let a few more people find that answer easier.

--James
Re: SPF and SORBS problems
On Tue, August 15, 2006 00:45, Xepher wrote:

> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.

I had the same problem once :-)

see attached

for rbl check the internal_networks and trusted_networks, spf test is disabled on internal networks, so make sure your smtp auth ip is not listed as internal in your spamassassin, but it should still be in trusted_networks

when this is done it works, at least here :-)

--
Benny

Attachment:

    #
    # this one is from Mark
    # needed in sa 3.1.3 to make spf work !!!
    # mta is postfix with have default to
    # Return-Path for the envelope-sender
    #
    envelope_sender_header Return-Path
    always_trust_envelope_sender 1
Re: SPF and SORBS problems
Benny Pedersen wrote:

> I had the same problem once :-)
>
> see attached
>
> for rbl check the internal_networks and trusted_networks, spf test is disabled
> on internal networks, so make sure your smtp auth ip is not listed as internal
> in your spamassassin, but it should still be in trusted_networks
>
> when this is done it works, at least here :-)

Let me clarify, there is no "internal network" save the host itself. This is a machine by itself on the internet, with users connecting from various places all over the world. No ip address is trusted, except for the mailserver itself.

The attached config had these two lines.

    envelope_sender_header Return-Path
    always_trust_envelope_sender 1

I tried them, and still have the exact same problem. Any other ideas?

--James
Re: SPF and SORBS problems
On Tue, August 15, 2006 02:23, Xepher wrote:

> I tried them, and still have the exact same problem. Any other ideas?

    clear_internal_networks
    internal_networks 127.0.0.1
    clear_trusted_networks
    trusted_networks 127.0.0.1

save my msg with full header and then test my msg with

    spamassassin 2>&1 -D -t mymsg

you should see where the problem is then

--
Benny
Re: SPF and SORBS problems
On 8/14/2006 6:45 PM, Xepher wrote:

> I've got a server configured with postfix and spamassassin. The mailserver is the only one for the domain, and thus receives mail from other servers, as well as letting users connect directly (with smtp auth) to send mail.
>
> Everything works fine, EXCEPT when users send email to each other. In those cases, the emails get tagged both by SPF_FAIL and RCVD_IN_SORBS_DUL as those tests see the email as coming from the user's personal IP address.
>
> I've tried whitelist_from_spf [EMAIL PROTECTED] in local.cf, but it doesn't work. Messages still get tagged with SPF_FAIL. I didn't see any similar option for the RBL stuff.
>
> Is there any way to do conditional tests, such that SMTP Auth messages get whitelisted? I don't know if there's a way in postfix to add a header only to auth connections? All I could find for postfix was address rewriting stuff, nothing about conditional situations like an authenticated user.
>
> Any help would be appreciated, as I'd really rather not disable SPF and RBL completely.

See the third heading on this wiki page that tells you how to resolve this specific issue:

http://wiki.apache.org/spamassassin/DynablockIssues

Daryl