Re: Spamass milter question

[John Hardin]

On Wed, 27 May 2020, LuKreme wrote:


On May 27, 2020, at 20:08, John Hardin  wrote:


On Wed, 27 May 2020, @lbutlr wrote:

On 27 May 2020, at 18:27, RW  wrote:
I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort.


Well, I do not get anything that I consider spam from that server, so how often 
is this happening? Is it every time spamass-milter thinks the message is spam 
or is it some odd rdns issue? And how could I possibly try? The name and IP of 
the server show up in postfix logs.


Consider telling your MTA to skip SA entirely for that IP.


This is my server running my Postfix, bind, Spamassassin, and spamass-milter. I 
am trying to stop SA from checking mail from that domain (not a single IP).


...or for mail from that domain.

There is no way you can configure SA to stop checking any messages it is 
given. The most you can do is affect what score it assigns (which is what 
you're attempting).


If you're *always* going to accept messages from a given IP/domain, then 
tell your MTA to not send those messages to SA and spare the processing 
overhead.


One reason to not do that is if you have bayes autolearn enabled and you 
want that ham to potentially contribute to the bayes scoring.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A government is a lot like a gun: It's always loaded,
  and it's stupid and dangerous to point it at anything
  you don't intend to hurt. -- GOF at TSM
---
 9 days until the 76th anniversary of D-Day

Re: Spamass milter question

[Matus UHLAR - fantomas]

On 27.05.20 10:35, @lbutlr wrote:

What, if any, local SpamAssassin settings does spams-milter use when
processing incoming mail?


don't you mean spamass-milter?


For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;


... looks like. You may use 


"-i n.n.n.n" option for spamass-milter not to scan mail coming from this IP


# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.

Re: Spamass milter question

[LuKreme]

On May 27, 2020, at 20:08, John Hardin  wrote:
> 
> On Wed, 27 May 2020, @lbutlr wrote:
>>> On 27 May 2020, at 18:27, RW  wrote:
>>> I should have added that if  whitelist_from_rcvd *@* server.example.com
>>> (without the colon) is only only failing occasionally on mail from
>>> server.example.com, it's probably just an rDNS lookup failure of some
>>> sort.
>> 
>> Well, I do not get anything that I consider spam from that server, so how 
>> often is this happening? Is it every time spamass-milter thinks the message 
>> is spam or is it some odd rdns issue? And how could I possibly try? The name 
>> and IP of the server show up in postfix logs.
> 
> Consider telling your MTA to skip SA entirely for that IP.

This is my server running my Postfix, bind, Spamassassin, and spamass-milter. I 
am trying to stop SA from checking mail from that domain (not a single IP).

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now

Re: Spamass milter question

[John Hardin]

On Wed, 27 May 2020, @lbutlr wrote:


On 27 May 2020, at 18:27, RW  wrote:

I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort.


Well, I do not get anything that I consider spam from that server, so 
how often is this happening? Is it every time spamass-milter thinks the 
message is spam or is it some odd rdns issue? And how could I possibly 
try? The name and IP of the server show up in postfix logs.


Consider telling your MTA to skip SA entirely for that IP.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the good of having the government prohibited from doing harm
  far outweighs the harm of having it obstructed from doing good.
   -- Mike@mike-istan
---
 10 days until the 76th anniversary of D-Day

Re: Spamass milter question

[@lbutlr]

On 27 May 2020, at 18:27, RW  wrote:
> I should have added that if  whitelist_from_rcvd *@* server.example.com
> (without the colon) is only only failing occasionally on mail from
> server.example.com, it's probably just an rDNS lookup failure of some
> sort. 

Well, I do not get anything that I consider spam from that server, so how often 
is this happening? Is it every time spamass-milter thinks the message is spam 
or is it some odd rdns issue? And how could I possibly try? The name and IP of 
the server show up in postfix logs.




-- 
Patty > Melt > Foundry > Terminator > SCSI > Voodoo > Economics >
Discworld > Ringworld > Niven > Pink Panther > Black Panther >
Avengers > Assemble > LEGO > Builder > Bob (word association with
geeks)

Re: Spamass milter question

[RW]

On Thu, 28 May 2020 01:04:20 +0100
RW wrote:

> On Wed, 27 May 2020 10:35:26 -0600
> @lbutlr wrote:

> > I am wondering because I have a server whitelisted in that file (or
> > do I?), but I am seeing occasional logs like:

> The lack of recorded rDNS is a common reason for failure.

I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort. 

Re: Spamass milter question

[RW]

On Wed, 27 May 2020 10:35:26 -0600
@lbutlr wrote:

> What, if any, local SpamAssassin settings does spams-milter use when
> processing incoming mail?
> 
> For example, if I wanted to white list a sender or blacklist a
> domain, would the general settings in
> /usr/local/etc/spamassasin/local.cf be the place?
> 
> I am wondering because I have a server whitelisted in that file (or
> do I?), but I am seeing occasional logs like:
> 
> postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE
> from server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;
...
> whitelist_from_rcvd: *@* server.example.com

whitelist_from_rcvd needs rDNS to be recorded in the Received header on
the edge of the trusted network (this is not necessarily your own
server). The lack of recorded rDNS is a common reason for failure.

There's also a potential complication here that spamass-milter forges a
provisional received header for SpamAssassin to use.

 

Re: Spamass milter question

[@lbutlr]

On 27 May 2020, at 10:44, Robert Schetterer  wrote:
> Am 27.05.20 um 18:35 schrieb @lbutlr:
>> # Allow all mailing list posts from example.com

>> whitelist_from_rcvd: *@* server.example.com

Actual file has "whitelist_from_rcvd *@* server.example.com" without the ':'. 
Was hopeful that was the issue.

>> This seems to be in accordance with the docs.

> i think it was
> 
> *@example.com
> 
> but perhaps my memory is out of date

The docs for whitelist_from_rcvd show the following examples:

  whitelist_from_rcvd j...@example.com  example.com
  whitelist_from_rcvd *@*  mail.example.org
  whitelist_from_rcvd *@axkit.org  [192.0.2.123]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0/24]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0]/24
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::/48]
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::]/48





-- 
Instant karma's going to get you!

Re: Spamass milter question

[Robert Schetterer]

Am 27.05.20 um 18:35 schrieb @lbutlr:

What, if any, local SpamAssassin settings does spams-milter use when processing 
incoming mail?

For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;

# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.



 i think it was

*@example.com

but perhaps my memory is out of date

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Spamass milter question

[@lbutlr]

What, if any, local SpamAssassin settings does spams-milter use when processing 
incoming mail?

For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;

# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.


-- 
The true prize was control. Lord Vetinari knew that. When heavy
weights were balanced on the scales, the trick was to know where
to place your thumb. --The Fifth Elephant

Re: Quick spamass-milter question

[Robert Schetterer]

Am 15.02.2015 um 01:29 schrieb LuKreme:
 Spamass-milter is (as designed, I’m sure) checking outbound mail. When it 
 does this, SPF checks fail and a lot of outbound mail is getting scored as 
 spam because of it.

works like designed
dont use spamass-milter for outbound ( or go the long way configure
spamassassin stuff to get it work ), alternative use clamav-milter with
sanesecurity antipishing sigs

 
 The domains in question *do* have SPF records.
 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Quick spamass-milter question

[LuKreme]

Spamass-milter is (as designed, I’m sure) checking outbound mail. When it does 
this, SPF checks fail and a lot of outbound mail is getting scored as spam 
because of it.

The domains in question *do* have SPF records.

-- 
Why can't you be in a good mood? How hard is it to decide to be in a
good mood and be in a good mood once in a while?

Re: Quick spamass-milter question

[Reindl Harald]

Am 15.02.2015 um 12:20 schrieb Reindl Harald:

that's why we don't mix inbound and autobound mail

* SA is running on the MX
* mail is filtered and clean mail relayed over
   100027 to the final server
* final server has -o receive_override_options=no_milters in master.cf
* the bayes is rsynced from the learning machine which is not
   recommended in general but works in our case because the large
   amount of HAM including outgoing and internal mail

so the final destination which is also the submission server don't scan
a second time and MOST IMORTANT there are a ton of rules which needs to
be disabled on a submission server, SPF is your smallest problem, DNSBL
like PBL or DUL (sorbs) are

in short: a submission server needs a complete different SA config


attached a local.cf from the submission server tuned for a 
milter-reject of 8.0 points and at the bottom are a lot of meta rules 
disabled or scores overwritten (parts of the scores are shared with the MX)


over the last 3 months one false positive and two succesful dictionary 
attacks killed (the spammer did not realize he had the correct password 
and was rejected because the mail-body and continued the dictionary attack)

[root@buildserver:~]$ cat spamd-local.conf
# score to flag messages (just a high-score warning outbound)
required_hits 7.8

# bayes-configuration, no automatic learning please
use_learner 1
use_bayes 1
use_bayes_rules 1
bayes_use_hapaxes 1
bayes_expiry_max_db_size 250
bayes_auto_expire 0
bayes_auto_learn 0
bayes_learn_during_report 0

# skip only DNSBL checks on submission servers
skip_rbl_checks 1

# keep URIBL checks on submission servers
skip_uribl_checks 0

# adjust bayes scores to our block level of 8.0
# max bayes-only score 7.0 to avoid false positives
ifplugin Mail::SpamAssassin::Plugin::Bayes
 score BAYES_00 -3.5
 score BAYES_05 -1.0
 score BAYES_20 -0.5
 score BAYES_40 -0.2
 score BAYES_50 2.5
 score BAYES_60 3.5
 score BAYES_80 4.5
 score BAYES_95 5.5
 score BAYES_99 6.5
 score BAYES_999 0.5
endif

# adjust wrong date scores to our block level of 8.0
score DATE_IN_PAST_03_06 2.5
score DATE_IN_PAST_06_12 2.5
score DATE_IN_PAST_12_24 2.0
score DATE_IN_PAST_24_48 2.5
score DATE_IN_PAST_96_XX 4.5
score DATE_IN_FUTURE_12_24 4.0
score DATE_IN_FUTURE_03_06 3.5
score DATE_IN_FUTURE_48_96 3.0
score DATE_IN_FUTURE_24_48 2.5
score DATE_IN_FUTURE_06_12 2.0
score INVALID_DATE_TZ_ABSURD 0.8

# adjust uri-blacklist scores
score URIBL_AB_SURBL 5.5
score URIBL_JP_SURBL 5.5
score URIBL_MW_SURBL 5.5
score URIBL_WS_SURBL 4.5
score URIBL_SC_SURBL 1.5
score URIBL_SBL 1.0
score URIBL_SBL_A 1.2
score URIBL_DBL_SPAM 3.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_ABUSE_SPAM 2.5
score URIBL_DBL_ABUSE_BOTCC 2.5
score URIBL_DBL_ABUSE_PHISH 4.5
score URIBL_DBL_ABUSE_MALW 4.5
score URIBL_BLACK 7.0
score URIBL_GREY 0.5
score URIBL_RED 0.5
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
score URIBL_BLOCKED 0
score URIBL_DBL_ERROR 0
score URI_PHISH 3.5
score URI_TRY_3LD 0.5
score URI_WP_HACKED 3.5

# adjust misc scores
score AC_BR_BONANZA 0.1
score AC_DIV_BONANZA 0.1
score ACT_NOW_CAPS 3.0
score ADVANCE_FEE_2_NEW_FORM 2.0
score ADVANCE_FEE_2_NEW_FRM_MNY 2.0
score ADVANCE_FEE_2_NEW_MONEY 2.0
score ADVANCE_FEE_3_NEW 2.5
score ADVANCE_FEE_3_NEW_FORM 2.0
score ADVANCE_FEE_3_NEW_FRM_MNY 2.0
score ADVANCE_FEE_3_NEW_MONEY 3.5
score ADVANCE_FEE_4_NEW 0.5
score ADVANCE_FEE_4_NEW_FORM 1.5
score ADVANCE_FEE_4_NEW_FRM_MNY 1.0
score ADVANCE_FEE_4_NEW_MONEY 3.5
score ADVANCE_FEE_5_NEW 0.5
score ADVANCE_FEE_5_NEW_FORM 2.5
score ADVANCE_FEE_5_NEW_FRM_MNY 3.0
score ADVANCE_FEE_5_NEW_MONEY 2.0
score AXB_HELO_HOME_UN 1.5
score AXB_RBDY_TENANDTEN 4.5
score AXB_RCVD_NS1GOO 3.0
score AXB_URI_CDGB 1.5
score AXB_X_AOL_SEZ_S 3.5
score AXB_XMAILER_MIMEOLE_OL_024C2 0.5
score AXB_XMAILER_MIMEOLE_OL_1ECD5 2.5
score AXB_XM_FORGED_OL2600 0.5
score BAD_CREDIT 2.5
score BILLION_DOLLARS 2.5
score BODY_EMPTY 3.5
score BODY_URI_ONLY 3.0
score CK_HELO_DYNAMIC_SPLIT_IP 1.5
score CK_HELO_GENERIC 0.8
score CUM_SHOT 1.0
score DC_GIF_UNO_LARGO 0.5
score DC_IMAGE_SPAM_TEXT 0.5
score DC_PNG_UNO_LARGO 0.5
score DEAR_BENEFICIARY 3.5
score DEAR_FRIEND 3.0
score DEAR_SOMETHING 2.0
score DEAR_WINNER 3.5
score DRUG_ED_CAPS 2.5
score DRUG_ED_GENERIC 0.5
score DRUG_ED_ONLINE 1.5
score DRUG_ED_SILD 2.5
score DRUGS_ANXIETY 2.5
score DRUGS_ANXIETY_EREC 0.5
score DRUGS_ANXIETY_OBFU 0.5
score DRUGS_DIET 2.0
score DRUGS_ERECTILE 2.5
score DRUGS_ERECTILE_OBFU 3.5
score DRUGS_MANYKINDS 2.5
score DRUGS_MUSCLE 2.5
score DRUGS_SLEEP_EREC 0.5
score EMPTY_MESSAGE 3.0
score ENGLISH_UCE_SUBJECT 2.0
score EXCUSE_REMOVE 3.5
score FBI_MONEY 2.5
score FBI_SPOOF 2.0
score FILL_THIS_FORM 0.1
score FILL_THIS_FORM_FRAUD_PHISH 1.5
score FILL_THIS_FORM_LOAN 3.5
score FILL_THIS_FORM_LONG 3.5
score FIN_FREE 3.0
score FORGED_HOTMAIL_RCVD2 2.5
score FORGED_MSGID_YAHOO 2.5
score FORGED_MUA_EUDORA 2.5
score FORGED_MUA_IMS 2.5
score FORGED_MUA_MOZILLA 2.5
score 

Re: Quick spamass-milter question

[Reindl Harald]

Am 15.02.2015 um 01:29 schrieb LuKreme:

Spamass-milter is (as designed, I’m sure) checking outbound mail. When it does 
this, SPF checks fail and a lot of outbound mail is getting scored as spam 
because of it.

The domains in question *do* have SPF records


that's why we don't mix inbound and autobound mail

* SA is running on the MX
* mail is filtered and clean mail relayed over
  100027 to the final server
* final server has -o receive_override_options=no_milters in master.cf
* the bayes is rsynced from the learning machine which is not
  recommended in general but works in our case because the large
  amount of HAM including outgoing and internal mail

so the final destination which is also the submission server don't scan 
a second time and MOST IMORTANT there are a ton of rules which needs to 
be disabled on a submission server, SPF is your smallest problem, DNSBL 
like PBL or DUL (sorbs) are


in short: a submission server needs a complete different SA config





signature.asc
Description: OpenPGP digital signature

Re: Quick spamass-milter question

[LuKreme]

On 15 Feb 2015, at 04:29 , Reindl Harald h.rei...@thelounge.net wrote:
 attached a local.cf from the submission server 

I just have the one server handling submission and outbound mail.

 # postconf -n | grep milter
milter_default_action = accept
smtpd_milters = unix:/var/run/spamass-milter.sock

 # grep milter /etc/rc.conf 
spamass_milter_socket_owner=spamd
spamass_milter_socket_group=mail
spamass_milter_socket_mode=664
spamass_milter_enable=Yes
spamass_milter_localflags=-r 9 -u spamd -e covisp.net -- -s 5242880”

 # grep -i milter mail.covisp.net.mc
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, 
T=C:15m;S:4m;R:4m;E:10m')


-- 
He'd never felt really at home with swords, but a cleaver was a different
matter. A cleaver had weight. It had purpose. A sword might have a certain
nobility about it, unless it was the one belonging for example to Nobby, which
relied on rust to hold it together, but what a cleaver had was a tremendous
ability to cut things up.

Re: Quick spamass-milter question

[Reindl Harald]

Am 15.02.2015 um 20:00 schrieb LuKreme:

On 15 Feb 2015, at 11:44 , Reindl Harald h.rei...@thelounge.net wrote:

by set -o receive_override_options=no_milter for your submission service in 
“master.cf


I tried that already.

mail submit-tls/smtpd[46597]: fatal: unknown receive_override_options value no_milter 
in no_milter

submission   inet  n   -   n   -   -   smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_sasl_path=private/auth
   -o receive_override_options=no_milter
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_data_restrictions=
   -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
   -o smtpd_helo_restrictions=
   -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
   -o syslog_name=submit-tls


sorry - copypaste error
no_milterS

http://www.postfix.org/postconf.5.html#receive_override_options




signature.asc
Description: OpenPGP digital signature

Re: Quick spamass-milter question

[LuKreme]

On 15 Feb 2015, at 04:01 , Robert Schetterer r...@sys4.de wrote:
 Am 15.02.2015 um 01:29 schrieb LuKreme:
 Spamass-milter is (as designed, I’m sure) checking outbound mail. When it 
 does this, SPF checks fail and a lot of outbound mail is getting scored as 
 spam because of it.
 
 works like designed
 dont use spamass-milter for outbound

OK, but it seems to be setup to do that “out of the box” so to speak. How do i 
set it to only scan the incoming mail?


-- 
Some books are undeservedly forgotten; none are undeservedly remembered

Re: Quick spamass-milter question

[LuKreme]

On 15 Feb 2015, at 11:44 , Reindl Harald h.rei...@thelounge.net wrote:
 by set -o receive_override_options=no_milter for your submission service in 
 “master.cf

I tried that already.

mail submit-tls/smtpd[46597]: fatal: unknown receive_override_options value 
no_milter in no_milter

submission   inet  n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
  -o receive_override_options=no_milter
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_helo_restrictions=
  -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o syslog_name=submit-tls

-- 
The fact that Bob and John are married does nothing to diminish anyone
else's marriage any more than a black woman marrying a white man, a Jew
marrying a Catholic, or an ugly Lyle marrying a Pretty Woman

Re: Quick spamass-milter question

[LuKreme]

On 15 Feb 2015, at 12:05 , Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.02.2015 um 20:00 schrieb LuKreme:
 
   -o receive_override_options=no_milter
 
 sorry - copypaste error
 no_milterS

Funny we were both making the same typo at the same time… Sigh.

Thanks, sorted now. Yay.

 http://www.postfix.org/postconf.5.html#receive_override_options

Yep, that’s where I’d been and was about to report the failure when I saw your 
message. “I typed it right, right? Yep, same in master.cf as what Reindl typed.”


-- 
If a pig loses its voice, is it disgruntled?

Re: Quick spamass-milter question

[Reindl Harald]

Am 15.02.2015 um 19:35 schrieb LuKreme:

On 15 Feb 2015, at 04:01 , Robert Schetterer r...@sys4.de wrote:

Am 15.02.2015 um 01:29 schrieb LuKreme:

Spamass-milter is (as designed, I’m sure) checking outbound mail. When it does 
this, SPF checks fail and a lot of outbound mail is getting scored as spam 
because of it.


works like designed
dont use spamass-milter for outbound


OK, but it seems to be setup to do that “out of the box” so to speak. How do i 
set it to only scan the incoming mail?


by set -o receive_override_options=no_milter for your submission 
service in master.cf




signature.asc
Description: OpenPGP digital signature

Re: Quick spamass-milter question

[Robert Schetterer]

Am 15.02.2015 um 19:35 schrieb LuKreme:
 On 15 Feb 2015, at 04:01 , Robert Schetterer r...@sys4.de wrote:
 Am 15.02.2015 um 01:29 schrieb LuKreme:
 Spamass-milter is (as designed, I’m sure) checking outbound mail. When it 
 does this, SPF checks fail and a lot of outbound mail is getting scored as 
 spam because of it.

 works like designed
 dont use spamass-milter for outbound
 
 OK, but it seems to be setup to do that “out of the box” so to speak. How do 
 i set it to only scan the incoming mail?
 
 

man spamass-milter

-I  Ignores messages if the sender has authenticated via SMTP AUTH

is a good starting point but simply dont use it at submission i.e
with postfix

master.cf

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
...
-o smtpd_milters=unix:/var/run/clamav/clamav-milter.ctl
  -o non_smtpd_milters=unix:/var/run/clamav/clamav-milter.ctl
  -o milter_macro_daemon_name=ORIGINATING
...

main.cf

smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl,
inet:localhost:8891, inet:localhost:12345,
unix:/var/spool/postfix/spamass/spamass.sock

non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl,
inet:localhost:8891, inet:localhost:12345,
unix:/var/spool/postfix/spamass/spamass.sock

in general dont use permit_sasl_authenticated in smtpd ( port 25 )
only allow deliver in with sasl auth at submission port 587 as
recommended in a setup with postscreen

http://www.postfix.org/POSTSCREEN_README.html

...
postscreen(8) should not be used on SMTP ports that receive mail from
end-user clients (MUAs). In a typical deployment, postscreen(8) handles
the MX service on TCP port 25, while MUA clients submit mail via the
submission service on TCP port 587 which requires client authentication.
...

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein