Re: whitelist_auth return_path / from
On Thursday, July 04, 2024 02:01 AEST, Benny Pedersen wrote:
> Simon Wilson via users skrev den 2024-07-03 15:54:
>
> > header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
> > header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
>
> keep scores of them neutral
>
> meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
> describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS &&
> USER_IN_DKIM_WHITELIST
> score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1
>
> i say no trust since authres can be fooled by untrusted AR headers, when
> authres_networks all is in use
I understand this, thank you.
>
> > and generate -100 that the DKIM plugin assigns to a DKIM
> > pass/USER_IN_DKIM_WHITELIST entry.
>
> why ? are you sure -100 is a very good idea ?
Selected as that is the score allocated by USER_IN_DKIM_WHITELIST
>
> > …but I don't know how to do that properly. I can combine into a meta
> > rule, but that will call the existing DKIM plugin's subroutine to
> > evaulate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
>
> need more info on your mta setup, if postfix then i need postconf -nf
> and postconf -Mf in private mail, as i see you can :)
--
Simon WilsonM: 0400 121 116
Re: whitelist_auth return_path / from
On Thursday, July 04, 2024 01:11 AEST, Bill Cole wrote: > On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000) > Simon Wilson via users > is rumored to have said: > > > On 03.07.24 23:54, Simon Wilson via users wrote: > >> Simon Wilson via users skrev den 2024-07-03 14:56: > >>> Do I also need to disable the normal SA DKIM plugin evaluation, i.e. > >>> trusting my upstream authres_trusted_authserv only? > >> > >> both works in paralel, so no need to disable, best results came > >> from > >> both enabled > >> > >> its up to you to add more authres_trusted_authserv or more > >> authres_ignored_authserv lines > >> > >> possible we can now have a very long debate on dmarc plugin ? :) > > > > Please, Simon, quote the text you are replying to. > > > > I have been - was that directed at Benny? > > > > No, it is because your mail is multipart/alternative with a text/plain > part that lacks any indicators of quoting. Looks like your MUA is > broken. > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com > addresses) > Not Currently Available For Hire I have switched it into plain text mode.
Re: whitelist_auth return_path / from
On 03.07.24 23:54, Simon Wilson via users wrote: Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from both enabled its up to you to add more authres_trusted_authserv or more authres_ignored_authserv lines possible we can now have a very long debate on dmarc plugin ? :) Matus UHLAR - fantomas skrev den 2024-07-03 16:14: Please, Simon, quote the text you are replying to. On 03.07.24 17:47, Benny Pedersen wrote: i am not Simon ...I was not replying to you then. Simon does not quote text he replies to, so it's hard to see who has written what. compare your: https://www.mail-archive.com/users@spamassassin.apache.org/msg111627.html to Simon's: https://www.mail-archive.com/users@spamassassin.apache.org/msg111628.html my question is does spamassassin dmarc plugin use authres results ? not yet. also what i feared, but it should imho do also authres does imho not have spf_helo testing Do you know anything that adds spf_helo to Authentication-Results ? afaik pyspf-milter adds helo information only for DSNs have dmarc ? yes -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace and quiet.
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 07:48: whitelist_auth supp...@wasabi.com whitelist_auth *@mmemail.wasabi.com its more simple to set From: "Simon" in mua then both spf and dkim gives pass on same domain, note -d in dkim is not same domain, so you need a new dkim sign key for subdomain in dkim signer
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 15:54:
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
keep scores of them neutral
meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS &&
USER_IN_DKIM_WHITELIST
score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1
i say no trust since authres can be fooled by untrusted AR headers, when
authres_networks all is in use
and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.
why ? are you sure -100 is a very good idea ?
…but I don't know how to do that properly. I can combine into a meta
rule, but that will call the existing DKIM plugin's subroutine to
evaulate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
need more info on your mta setup, if postfix then i need postconf -nf
and postconf -Mf in private mail, as i see you can :)
Re: whitelist_auth return_path / from
Bill Cole skrev den 2024-07-03 17:11: Not Currently Available For Hire lol :) back to sandbox, hehe
Re: whitelist_auth return_path / from
Matus UHLAR - fantomas skrev den 2024-07-03 16:14: On 03.07.24 23:54, Simon Wilson via users wrote: Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from both enabled its up to you to add more authres_trusted_authserv or more authres_ignored_authserv lines possible we can now have a very long debate on dmarc plugin ? :) Please, Simon, quote the text you are replying to. i am not Simon my question is does spamassassin dmarc plugin use authres results ? not yet. also what i feared, but it should imho do also authres does imho not have spf_helo testing, have dmarc ?
Re: whitelist_auth return_path / from
On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000) Simon Wilson via users is rumored to have said: On 03.07.24 23:54, Simon Wilson via users wrote: Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from both enabled its up to you to add more authres_trusted_authserv or more authres_ignored_authserv lines possible we can now have a very long debate on dmarc plugin ? :) Please, Simon, quote the text you are replying to. I have been - was that directed at Benny? No, it is because your mail is multipart/alternative with a text/plain part that lacks any indicators of quoting. Looks like your MUA is broken. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 14:56:
> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?
both works in paralel, so no need to disable, best results came from
both enabled
its up to you to add more authres_trusted_authserv or more
authres_ignored_authserv lines
possible we can now have a very long debate on dmarc plugin ? :)
my question is does spamassassin dmarc plugin use authres results ?
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP
of their emails triggering a KAM rule
Ideally what I want is for authres.cf to combine:
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with
header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.
…but I don't know how to do that properly. I can combine into a meta rule, but
that will call the existing DKIM plugin's subroutine to evaulate
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
OK, I have done the following and it seems to be working, but will take
guidance on if this is going to have unexpected consequences from my ignorance…
- removed the SA DKIM plugin from loading
- Authres plugin working and trusting my own mail server's auth tests
(including DKIM)
- created a meta rule:
## Whitelist Wasabi, subject to passing of auth
header __LR_FROM_WASABI From =~ /support\@wasabi\.com/i
meta LR_WASABI_AUTH (__LR_FROM_WASABI && AUTHRES_DKIM_PASS && AUTHRES_SPF_PASS)
score LR_WASABI_AUTH -100
This now scores the Wasabi emails OK. Please feel free to tell me if this was a
really bad plan :)
Simon
Re: whitelist_auth return_path / from
On 03.07.24 23:54, Simon Wilson via users wrote: >Simon Wilson via users skrev den 2024-07-03 14:56: >> Do I also need to disable the normal SA DKIM plugin evaluation, i.e. >> trusting my upstream authres_trusted_authserv only? > >both works in paralel, so no need to disable, best results came from >both enabled > >its up to you to add more authres_trusted_authserv or more >authres_ignored_authserv lines > >possible we can now have a very long debate on dmarc plugin ? :) Please, Simon, quote the text you are replying to. I have been - was that directed at Benny?
Re: whitelist_auth return_path / from
On 03.07.24 23:54, Simon Wilson via users wrote: Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from both enabled its up to you to add more authres_trusted_authserv or more authres_ignored_authserv lines possible we can now have a very long debate on dmarc plugin ? :) Please, Simon, quote the text you are replying to. my question is does spamassassin dmarc plugin use authres results ? not yet. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (R)etry, (A)bort, (C)ancer
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 14:56:
> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?
both works in paralel, so no need to disable, best results came from
both enabled
its up to you to add more authres_trusted_authserv or more
authres_ignored_authserv lines
possible we can now have a very long debate on dmarc plugin ? :)
my question is does spamassassin dmarc plugin use authres results ?
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP
of their emails triggering a KAM rule
Ideally what I want is for authres.cf to combine:
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with
header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.
…but I don't know how to do that properly. I can combine into a meta rule, but
that will call the existing DKIM plugin's subroutine to evaulate
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from both enabled its up to you to add more authres_trusted_authserv or more authres_ignored_authserv lines possible we can now have a very long debate on dmarc plugin ? :) my question is does spamassassin dmarc plugin use authres results ?
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 14:13: > I don't think SA 3.4.6 on RH8 has AuthRes plugin: take it from spamassassin trunc, this plugin works on 3.4.6 aswell, but was not released or tested on it, i have verify it does work #!/bin/sh svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk OK, done and working. Plugin added, loaded with a .pre and configured with a .cf Working, e.g.:X-Spam-Status: No, score=-1.798 tagged_above=-999 required=6.2 tests=[AUTHRES_ARC_FAIL=1.5, AUTHRES_DKIM_PASS=-0.5, AUTHRES_DMARC_PASS=-0.5, AUTHRES_SPF_PASS=-0.5, BAYES_00=-1.9, DCC_REPUT_70_89=0.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, LR_ARC_FAIL=1, LR_DMARC_PASS=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no Received: from mail.simonandkate.net ([127.0.0.1]) by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024) with LMTP id qiXZppjAGmSg for ; Wed, 3 Jul 2024 22:48:54 +1000 (AEST) Authentication-Results: mail.simonandkate.net; spf=pass smtp.helo=smtp-out.orange.com; spf=pass smtp.mailfrom=orange.com Authentication-Results: mail.simonandkate.net; dmarc=pass (p=none dis=none) header.from=orange.com Authentication-Results: mail.simonandkate.net; arc=fail smtp.remote-ip=80.12.126.238 Authentication-Results: mail.simonandkate.net; dkim=pass (2048-bit key, secure) header.d=orange.com header.i=@orange.com header.a=rsa-sha256 header.s=orange002 header.b=OKdWrX63 Next question though - When the next email comes from Wasabi that my server tags as “Authentication-Results: mail.simonandkate.net; dkim=pass”, I understand that Authres plugin will accept the authres_trusted_authserv assignment to my server, resulting in AUTHRES_DKIM_PASS=-0.5. Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only?
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 14:13: I don't think SA 3.4.6 on RH8 has AuthRes plugin: take it from spamassassin trunc, this plugin works on 3.4.6 aswell, but was not released or tested on it, i have verify it does work #!/bin/sh svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk
Re: whitelist_auth return_path / from
On Wednesday, July 03, 2024 22:06 AEST, "Simon Wilson via users" wrote: Dave Funk skrev den 2024-07-03 09:29: > On Wed, 3 Jul 2024, Simon Wilson via users wrote: > You say "passing SPF and DKIM" however in the SA rules report it > clearly says: > DKIM_SIGNED=0.1, DKIM_INVALID=0.1 > > So eventho you think 'passed DKIM' SA clearly does NOT think it does. > That DKIM_INVALID will prevent the whitelist_auth from firing, thus you > need to investigate what's going wrong there. whitelist_auth support Return-Path so spf is evaluated aswell as dkim is grep logs DKIM_VALID_EF or enable DMARC plugin Hi Benny, none of that helps unless I'm being dense this evening :-D * I know whitelist_auth supports spf and dkim, that is in the documentation * Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks that one of the emails did not pass DKIM, when my server validated that it did and entered an Authentication-Results header saying that it did * I already have DMARC assessment, and that is shown in the headers I postedAuthentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com The authentication headers that my server adds are:Authentication-Results: mail.simonandkate.net; spf=none smtp.helo=o562.ptr9861.wasabi.com; spf=pass smtp.mailfrom=mmemail.wasabi.com Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com Authentication-Results: mail.simonandkate.net; arc=none smtp.remote-ip=159.183.86.216 Authentication-Results: mail.simonandkate.net; dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0 However SA thinks DKIM failed. I note your other email Benny on adding authres settings. I'm not averse to doing so, but would like to first understand why SA is behaving differently with these two emails. Simon I don't think SA 3.4.6 on RH8 has AuthRes plugin: -r--r--r-- 1 root root 4659 Apr 9 2021 AccessDB.pm -r--r--r-- 1 root root 4559 Apr 9 2021 AntiVirus.pm -r--r--r-- 1 root root 29117 Apr 9 2021 AskDNS.pm -r--r--r-- 1 root root 17071 Apr 9 2021 ASN.pm -r--r--r-- 1 root root 8803 Apr 9 2021 AutoLearnThreshold.pm -r--r--r-- 1 root root 19936 Apr 9 2021 AWL.pm -r--r--r-- 1 root root 55885 Apr 9 2021 Bayes.pm …etc…
Re: whitelist_auth return_path / from
Dave Funk skrev den 2024-07-03 09:29: > On Wed, 3 Jul 2024, Simon Wilson via users wrote: > You say "passing SPF and DKIM" however in the SA rules report it > clearly says: > DKIM_SIGNED=0.1, DKIM_INVALID=0.1 > > So eventho you think 'passed DKIM' SA clearly does NOT think it does. > That DKIM_INVALID will prevent the whitelist_auth from firing, thus you > need to investigate what's going wrong there. whitelist_auth support Return-Path so spf is evaluated aswell as dkim is grep logs DKIM_VALID_EF or enable DMARC plugin Hi Benny, none of that helps unless I'm being dense this evening :-D * I know whitelist_auth supports spf and dkim, that is in the documentation * Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks that one of the emails did not pass DKIM, when my server validated that it did and entered an Authentication-Results header saying that it did * I already have DMARC assessment, and that is shown in the headers I postedAuthentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com The authentication headers that my server adds are:Authentication-Results: mail.simonandkate.net; spf=none smtp.helo=o562.ptr9861.wasabi.com; spf=pass smtp.mailfrom=mmemail.wasabi.com Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com Authentication-Results: mail.simonandkate.net; arc=none smtp.remote-ip=159.183.86.216 Authentication-Results: mail.simonandkate.net; dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0 However SA thinks DKIM failed. I note your other email Benny on adding authres settings. I'm not averse to doing so, but would like to first understand why SA is behaving differently with these two emails. Simon
Re: whitelist_auth return_path / from
Simon Wilson via users skrev den 2024-07-03 09:48:
So I guess the question is why SA is not accepting a trusted header
with a DKIM pass recorded with the same mail path through the system?
I have no AuthRes settings set specifically in local.cf.
so add it :)
ifplugin Mail::SpamAssassin::Plugin::AuthRes
authres_networks all
authres_trusted_authserv mail.simonandkate.net
describe AUTHRES_ARC_FAIL Authentication-Results: has "arc=fail"
result
describe AUTHRES_ARC_NONE Authentication-Results: has "arc=none"
result
describe AUTHRES_ARC_PASS Authentication-Results: has "arc=pass"
result
header AUTHRES_ARC_FAIL eval:check_authres_result('arc', 'fail')
header AUTHRES_ARC_NONE eval:check_authres_result('arc', 'none')
header AUTHRES_ARC_PASS eval:check_authres_result('arc', 'pass')
score AUTHRES_ARC_FAIL 1.5
score AUTHRES_ARC_NONE 0.5
score AUTHRES_ARC_PASS -1.5
describe AUTHRES_ADSP_DISCARD Authentication-Results: has
"dkim-adsp=discard" result
describe AUTHRES_ADSP_FAIL Authentication-Results: has
"dkim-adsp=fail" result
describe AUTHRES_ADSP_NONE Authentication-Results: has
"dkim-adsp=nonr" result
describe AUTHRES_ADSP_NXDOMAIN Authentication-Results: has
"dkim-adsp=nxdomain" result
describe AUTHRES_ADSP_PASS Authentication-Results: has
"dkim-adsp=pass" result
describe AUTHRES_ADSP_PERMERROR Authentication-Results: has
"dkim-adsp=permerror" result
describe AUTHRES_ADSP_TEMPERROR Authentication-Results: has
"dkim-adsp=temperror" result
describe AUTHRES_ADSP_UNKNOWN Authentication-Results: has
"dkim-adsp=unknown" result
header AUTHRES_ADSP_DISCARD eval:check_authres_result('dkim-adsp',
'discard')
header AUTHRES_ADSP_FAIL eval:check_authres_result('dkim-adsp',
'fail')
header AUTHRES_ADSP_NONE eval:check_authres_result('dkim-adsp',
'none')
header AUTHRES_ADSP_NXDOMAIN eval:check_authres_result('dkim-adsp',
'nxdomain')
header AUTHRES_ADSP_PASS eval:check_authres_result('dkim-adsp',
'pass')
header AUTHRES_ADSP_PERMERROR eval:check_authres_result('dkim-adsp',
'permerror')
header AUTHRES_ADSP_TEMPERROR eval:check_authres_result('dkim-adsp',
'temperror')
header AUTHRES_ADSP_UNKNOWN eval:check_authres_result('dkim-adsp',
'unknown')
score AUTHRES_ADSP_DISCARD 1.5
score AUTHRES_ADSP_FAIL 0.5
score AUTHRES_ADSP_NONE 0.5
score AUTHRES_ADSP_NXDOMAIN 1.5
score AUTHRES_ADSP_PASS -0.5
score AUTHRES_ADSP_PERMERROR 0.5
score AUTHRES_ADSP_TEMPERROR 0.5
score AUTHRES_ADSP_UNKNOWN 0.5
describe AUTHRES_ATPS_FAIL Authentication-Results: has
"dkim-atps=fail" result
describe AUTHRES_ATPS_NEUTRAL Authentication-Results: has
"dkim-atps=neutral" result
describe AUTHRES_ATPS_NONE Authentication-Results: has
"dkim-atps=none" result
describe AUTHRES_ATPS_PASS Authentication-Results: has
"dkim-atps=pass" result
describe AUTHRES_ATPS_PERMERROR Authentication-Results: has
"dkim-atps=permerror" result
describe AUTHRES_ATPS_TEMPERROR Authentication-Results: has
"dkim-atps=temperror" result
header AUTHRES_ATPS_FAIL eval:check_authres_result('dkim-atps',
'fail')
header AUTHRES_ATPS_NEUTRAL eval:check_authres_result('dkim-atps',
'neutral')
header AUTHRES_ATPS_NONE eval:check_authres_result('dkim-atps',
'none')
header AUTHRES_ATPS_PASS eval:check_authres_result('dkim-atps',
'pass')
header AUTHRES_ATPS_PERMERROR eval:check_authres_result('dkim-atps',
'permerror')
header AUTHRES_ATPS_TEMPERROR eval:check_authres_result('dkim-atps',
'temperror')
score AUTHRES_ATPS_FAIL 0.5
score AUTHRES_ATPS_NEUTRAL 0.5
score AUTHRES_ATPS_NONE 1.5
score AUTHRES_ATPS_PASS -1.5
score AUTHRES_ATPS_PERMERROR 0.5
score AUTHRES_ATPS_TEMPERROR 0.5
describe AUTHRES_DKIM_FAIL Authentication-Results: has "dkim=fail"
result
describe AUTHRES_DKIM_PASS Authentication-Results: has "dkim=pass"
result
describe AUTHRES_DKIM_NEUTRAL Authentication-Results: has
"dkim=neutral" result
describe AUTHRES_DKIM_NONE Authentication-Results: has "dkim=none"
result
describe AUTHRES_DKIM_POLICY Authentication-Results: has
"dkim=policy" result
describe AUTHRES_DKIM_PERMERROR Authentication-Results: has
"dkim=permerror" result
describe AUTHRES_DKIM_TEMPERROR Authentication-Results: has
"dkim=temperror" result
header AUTHRES_DKIM_FAIL eval:check_authres_result('dkim', 'fail')
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header AUTHRES_DKIM_NEUTRAL eval:check_authres_result('dkim',
'neutral')
header AUTHRES_DKIM_NONE eval:check_authres_result('dkim', 'none')
header AUTHRES_DKIM_POLICY eval:check_authres_result('dkim',
'policy')
header AUTHRES_DKIM_PERMERROR eval:check_authres_result('dkim',
'permerror')
header AUTHRES_DKIM_TEMPERROR eval:check_authres_result('dkim',
'temperror')
score AUTHRES_DKIM_FAIL 0.5
score AUTHRES_DKIM_PASS -0.5
score AUTHRES_DKI
Re: whitelist_auth return_path / from
Dave Funk skrev den 2024-07-03 09:29: On Wed, 3 Jul 2024, Simon Wilson via users wrote: You say "passing SPF and DKIM" however in the SA rules report it clearly says: DKIM_SIGNED=0.1, DKIM_INVALID=0.1 So eventho you think 'passed DKIM' SA clearly does NOT think it does. That DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to investigate what's going wrong there. whitelist_auth support Return-Path so spf is evaluated aswell as dkim is grep logs DKIM_VALID_EF or enable DMARC plugin
Re: whitelist_auth return_path / from
On Wed, 3 Jul 2024, Simon Wilson via users wrote:
> Does whitelist_auth work on From header, or Return-Path? Reason I ask:
>
>
>
> I have two emails from “support .at. wasabi.com”. Due to their emails usually
> triggering KAM rules I have (in
> /etc/mail/spamassassin/local.cf):
>
>
>
> ## Whitelist Wasabi, subject to passing of auth
> whitelist_auth supp...@wasabi.com
[snip..]
> The other is not triggering whitelist_auth and is marked as spam due to the
> KAM rule fails. It has:
>
> Return-Path:
> ...
> From: Wasabi
> ...
> Reply-To: supp...@wasabi.com
>
> Despite passing SPF and DKIM, not whitelisted:
>
> X-Spam-Score: 20.212
> X-Spam-Level:
> X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
> tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
> DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
> KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
> KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
> SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
> autolearn=no autolearn_force=no
[snip]
>
> Thanks.
> Simon.
You say "passing SPF and DKIM" however in the SA rules report it clearly says:
DKIM_SIGNED=0.1, DKIM_INVALID=0.1
So eventho you think 'passed DKIM' SA clearly does NOT think it does. That
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to
investigate what's going wrong there.
--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Good spot, thank you.
The email that passed (sent from Wasabi's Salesforce) clearly passes SPF and
DKIM, and SA accepts that it has passed both:X-Spam-Score: -182.112
X-Spam-Level:
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001,
HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9,
KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1,
RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100,
USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100]
autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
with LMTP id FRQBp6eagRev for ;
Wed, 3 Jul 2024 11:33:21 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=pass
smtp.helo=smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com;
spf=pass smtp.mailfrom=wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none
smtp.remote-ip=44.227.237.13
Authentication-Results: mail.simonandkate.net;
dkim=pass (1024-bit key, unprotected) header.d=wasabi.com
header.i=@wasabi.com header.a=rsa-sha256 header.s=sfdcproduction
header.b=VPfjwPoA
Received: from smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com
(smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com [44.227.237.13])
by mail.simonandkate.net (Postfix) with ESMTPS id B2E4460E1
for ; Wed, 3 Jul 2024 11:33:20 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wasabi.com;
s=sfdcproduction; t=1719970393;
bh=HT3vxtae+200eJTAlHJkPaLUuYEbpqXqTkY70+hSYa4=;
h=Date:From:To:Subject:MIME-Version:Content-Type;
b=VPfjwPoAe8Gu3ruU2nvnYYggXO5JZ/7IaxEDNaBsvvxIZ5PHW+7rXN1usl5qmJZ5u
asB0RBBCXNTH/5SDXXJEu1Pc6jRvsdc+POPLrkQkHqhXgX1DmUjnVYnDBA2tu/8RIk
M7ISxYS4psZXdm73/ZF7sILSdS+USXdTM5JlfbV4=
The failed one is assessed by OpenDKIM as having passed by my server
(mail.simonandkate.net), but you are correct SA sees it as invalid.
So I guess the question is why SA is not accepting a trusted header with a DKIM
pass recorded with the same mail path through the system? I have no AuthRes
settings set specifically in local.cf.
X-Spam-Score: 20.212
X-Spam-Level:
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
with LMTP id 0dPigJ_ugPPb for ;
Wed, 3 Jul 2024 07:48:51 +1
Re: whitelist_auth return_path / from
On Wed, 3 Jul 2024, Simon Wilson via users wrote:
Does whitelist_auth work on From header, or Return-Path? Reason I ask:
I have two emails from “support .at. wasabi.com”. Due to their emails usually
triggering KAM rules I have (in
/etc/mail/spamassassin/local.cf):
## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com
[snip..]
The other is not triggering whitelist_auth and is marked as spam due to the KAM
rule fails. It has:
Return-Path:
...
From: Wasabi
...
Reply-To: supp...@wasabi.com
Despite passing SPF and DKIM, not whitelisted:
X-Spam-Score: 20.212
X-Spam-Level:
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
autolearn=no autolearn_force=no
[snip]
Thanks.
Simon.
You say "passing SPF and DKIM" however in the SA rules report it clearly says:
DKIM_SIGNED=0.1, DKIM_INVALID=0.1
So eventho you think 'passed DKIM' SA clearly does NOT think it does. That
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to
investigate what's going wrong there.
--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
whitelist_auth return_path / from
Running SA 3.4.6 on RH8. Does whitelist_auth work on From header, or Return-Path? Reason I ask: I have two emails from “support .at. wasabi.com”. Due to their emails usually triggering KAM rules I have (in /etc/mail/spamassassin/local.cf): ## Whitelist Wasabi, subject to passing of auth whitelist_auth supp...@wasabi.com First email triggers whitelist_auth and is passed as expected. It has:Return-Path: ... From: Wasabi Support X-Spam-Score: -182.112 X-Spam-Level: X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100, USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100] The other is not triggering whitelist_auth and is marked as spam due to the KAM rule fails. It has:Return-Path: ... From: Wasabi ... Reply-To: supp...@wasabi.com Despite passing SPF and DKIM, not whitelisted:X-Spam-Score: 20.212 X-Spam-Level: X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no Received: from mail.simonandkate.net ([127.0.0.1]) by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024) with LMTP id 0dPigJ_ugPPb for ; Wed, 3 Jul 2024 07:48:51 +1000 (AEST) Authentication-Results: mail.simonandkate.net; spf=none smtp.helo=o562.ptr9861.wasabi.com; spf=pass smtp.mailfrom=mmemail.wasabi.com Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com Authentication-Results: mail.simonandkate.net; arc=none smtp.remote-ip=159.183.86.216 Authentication-Results: mail.simonandkate.net; dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0 Received: from o562.ptr9861.wasabi.com (o562.ptr9861.wasabi.com [159.183.86.216]) by mail.simonandkate.net (Postfix) with ESMTPS id C105157044 for ; Wed, 3 Jul 2024 07:48:47 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wasabi.com; h=content-type:from:mime-version:subject:reply-to:to:list-unsubscribe: list-unsubscribe-post:cc:content-type:from:subject:to; s=mmd; bh=cy4eC8HJMJh8b6CwYtOAzArbHod4C/sAQkNIrkSQFPA=; b=uhRSt2r0lE9yE6sSCc7+QA90N0PCyzA0FNP0bOo2ApH/U+u6yCpjvt0KZJ+VO2MfDKuh xmzJPFgaHNvajQDOyqfLCfF4xwTrxYyBaKTMf/qinqP6JHpFsKVaDNykv96ZIac/SwRbha SO4yPkPl1NO5k4ENyD5va2J9LftRyQ0te+awrnbjypQAKJiJ0yPoqNTFCJZGdQSCuJOZG8 ASnJcPZRoL2J83FEJCMPZdS5Wpf0GAgHp7aEpzAFf7TEpfJA8IMsbRSlRs3ptdZtYvwKMR K6oi/d+w3UBSdFGRpRFZlgFeVjNIp/xCz5pDGf7109C0A+QSjn4zZ3edrOjF1JPg== Received: by filterdrecv-6576d68dbc-fxxdn with SMTP id filterdrecv-6576d68dbc-fxxdn-1-668475B6-1 2024-07-02 21:48:38.112531956 + UTC m=+1292691.168998080 Received: from MzUyNTk2MzU (unknown) by geopod-ismtpd-4 (SG) with HTTP id X_mTOosARsSFXqinaxYfEw Tue, 02 Jul 2024 21:48:38.008 + (UTC) Content-Type: multipart/mixed; boundary=75633f0201749d47c1ba5a273d403dbaa85162228d469a5e23d94a668c10 Date: Tue, 02 Jul 2024 21:48:38 + (UTC) From: Wasabi Mime-Version: 1.0 Message-ID: Subject: [SPAM] Wasabi Technologies LLC Invoice Reply-To: supp...@wasabi.com Do I need to add the return-path, i.e.: ## Whitelist Wasabi, subject to passing of auth whitelist_auth supp...@wasabi.com whitelist_auth *@mmemail.wasabi.com ? Thanks. Simon.
