Re: whitelist_from_rcvd and trusted_networks
On Sun, 2009-08-09 at 00:56 +0100, RW wrote:

> > Also, I'm still not sure I have my trusted_networks setting correct. I
> > have this in my local.cf:
> >
> > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
> >
> > Here is a line of Received: from headers from a test mail to myself:
> >
> > Received: from [71.54.109.114]
> >
> > and one from someone else using embarq
> >
> > Received: from [71.48.166.180]
> >
> > If I read the below correct this is a listing of all CIDRs in the
> > embarq AS range:
> >
> > http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0
> >
> > should all of these be listed in the trusted_networks entry or do I
> > misunderstand the concept still?
>
> Absolutely not, it leaves thousands of back-doors open. Just use the IP
> addresses used as servers, not customer addresses. /24 ranges based
> on the server addresses you've seen in headers are usually a safe
> compromise. Often the servers between you and the MX server use private
> addresses, which makes things a lot easier - you can safely list all
> private addresses. The best way to tell is to send test messages from
> external mail services or look at real mail - mail from yourself can be
> misleading.
>
> If you are using an ISP for your mail you're conservatively advised
> to put them in trusted_networks because that behaves least badly for
> the worst case ISPs.
>
> In practice it's almost always better to put them into
> internal_networks so SA knows where the real MX servers are,
> particularly in your case since embarq records authentication on its
> submission server, note the "with ESMTPA" in your headers.

One other note: I have a formail recipe that parses out the sender IP, ASN
and CIDR. For instance, in the test I sent to myself from gmail it shows
this:

X-senderip: 209.85.210.204
X-asn: ASN-15169
X-cidr: 209.85.210.0/24

Would it be safe/sane to put the 208.85.210.0/24 into the trusted_networks
line?
-- 
KeyID 0xE372A7DA98E6705C
Re: whitelist_from_rcvd and trusted_networks
On Sun, 2009-08-09 at 00:56 +0100, RW wrote:

> The trouble with whitelist_from_rcvd is that it relies on the MX server
> recording reverse DNS - most do, some don't.
>
> > Also, I'm still not sure I have my trusted_networks setting correct. I
> > have this in my local.cf:
> >
> > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
> >
> > Here is a line of Received: from headers from a test mail to myself:
> >
> > Received: from [71.54.109.114]
> >
> > and one from someone else using embarq
> >
> > Received: from [71.48.166.180]
> >
> > If I read the below correct this is a listing of all CIDRs in the
> > embarq AS range:
> >
> > http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0
> >
> > should all of these be listed in the trusted_networks entry or do I
> > misunderstand the concept still?
>
> Absolutely not, it leaves thousands of back-doors open. Just use the IP
> addresses used as servers, not customer addresses. /24 ranges based
> on the server addresses you've seen in headers are usually a safe
> compromise. Often the servers between you and the MX server use private
> addresses, which makes things a lot easier - you can safely list all
> private addresses. The best way to tell is to send test messages from
> external mail services or look at real mail - mail from yourself can be
> misleading.

I didn't think that would be necessary. After sending mail to myself from
three other accounts, here is what I see:

Received: from [195.4.92.94] ([195.4.92.94:38943] helo=mout4.freenet.de)
    by smtp.embarq.synacor.com (envelope-from <@freenet.de>)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP
    id 8F/64-30700-A051E7A4; Sat, 08 Aug 2009 20:15:07 -0400
Received: from [195.4.92.23] (helo=13.mx.freenet.de)
    by mout4.freenet.de with esmtpa (ID @freenet.de) (port 25)
    (Exim 4.69 #92) id 1MZw42-0007og-6v
    for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200
Received: from web13.emo.freenet-rz.de ([194.97.107.135]:51350)
    by 13.mx.freenet.de with esmtpa (ID @freenet.de) (port 25)
    (Exim 4.69 #93) id 1MZw42-CS-2N
    for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200

Received: from [206.190.38.132] ([206.190.38.132:27950] helo=web51001.mail.re2.yahoo.com)
    by smtp.embarq.synacor.com (envelope-from <@yahoo.com>)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP
    id 54/BB-30700-4571E7A4; Sat, 08 Aug 2009 20:24:52 -0400

Received: from [209.85.210.204] ([209.85.210.204:50198] helo=mail-yx0-f204.google.com)
    by smtp.embarq.synacor.com (envelope-from <@gmail.com>)
    (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP
    id D3/99-26274-D381E7A4; Sat, 08 Aug 2009 20:28:45 -0400
Received: by 10.150.218.17 with SMTP

> If you are using an ISP for your mail you're conservatively advised
> to put them in trusted_networks because that behaves least badly for
> the worst case ISPs.
>
> In practice it's almost always better to put them into
> internal_networks so SA knows where the real MX servers are,
> particularly in your case since embarq records authentication on its
> submission server, note the "with ESMTPA" in your headers.

Ok, now I am a bit confused: this 71.54.109.114 and the other IP shown at
the top would go into internal_networks?

-- 
KeyID 0xE372A7DA98E6705C
Re: whitelist_from_rcvd and trusted_networks
On Sat, 08 Aug 2009 17:10:01 -0500
Chris wrote:

> I have an entry in what I call "my-whitelist.cf"
> in /etc/mail/spamassassin:
>
> whitelist_from_rcvd blackwell_...@yahoo.com yahoo.com
>
> If I run a message from this person with spamassassin -D -t msg
> shouldn't I get a hit on USER_IN_WHITELIST or not?

The trouble with whitelist_from_rcvd is that it relies on the MX server
recording reverse DNS - most do, some don't.

> Also, I'm still not sure I have my trusted_networks setting correct. I
> have this in my local.cf:
>
> trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
>
> Here is a line of Received: from headers from a test mail to myself:
>
> Received: from [71.54.109.114]
>
> and one from someone else using embarq
>
> Received: from [71.48.166.180]
>
> If I read the below correct this is a listing of all CIDRs in the
> embarq AS range:
>
> http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0
>
> should all of these be listed in the trusted_networks entry or do I
> misunderstand the concept still?

Absolutely not, it leaves thousands of back-doors open. Just use the IP
addresses used as servers, not customer addresses. /24 ranges based
on the server addresses you've seen in headers are usually a safe
compromise. Often the servers between you and the MX server use private
addresses, which makes things a lot easier - you can safely list all
private addresses. The best way to tell is to send test messages from
external mail services or look at real mail - mail from yourself can be
misleading.

If you are using an ISP for your mail you're conservatively advised
to put them in trusted_networks because that behaves least badly for
the worst case ISPs.

In practice it's almost always better to put them into
internal_networks so SA knows where the real MX servers are,
particularly in your case since embarq records authentication on its
submission server, note the "with ESMTPA" in your headers.
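Added example, not part of the thread and not SpamAssassin's own code: a cut-down Python model of the Received: header walk RW describes, which shows both of his points at once, why whitelist_from_rcvd cannot hit when the MX records no reverse DNS, and why trusting whole customer ranges is a back door. The embarq gmail and yahoo headers are copied from Chris's message in this thread; the 71.54.109.114 chain with a forged yahoo.com hop, the host name mail.example.net and the AS_ADVISED network list are constructed for the example.

```python
import ipaddress
import re

# Added example for this thread, not SpamAssassin's code. SA walks the
# Received: headers newest-first: a hop whose connecting IP is inside
# trusted_networks is trusted and the walk continues into the older headers
# that host wrote; the first hop from an untrusted IP is the "last external"
# relay, the one DNSBL lookups and whitelist_from_rcvd are evaluated against.

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# ecelerity/Exim "from [1.2.3.4] (...)" records no rDNS; Exim "from rdns.name
# ([1.2.3.4]:port)" puts the reverse-DNS name before the bracketed IP.
FROM_RE = re.compile(
    r"\bfrom\s+(?:\[(?P<ip_only>" + IPV4 + r")\]"
    r"|(?P<rdns>[^\s\[]+).*?\[(?P<ip>" + IPV4 + "))")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def sa_network(spec):
    """Expand SA shorthand ('192.168/16', '71.54.96/19', '10/8') to a network."""
    addr, _, plen = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not plen:                      # '192.168' with no prefix means /16
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_received(header):
    """Connecting relay of one Received: header as {'ip','rdns','helo'}, or
    None for a 'Received: by ...' local handoff that names no connecting IP."""
    text = " ".join(header.split())
    # Only look before ' by ' so 'envelope-from <...>' is never mistaken for 'from'.
    m = FROM_RE.search(text.split(" by ", 1)[0])
    if not m:
        return None
    helo = HELO_RE.search(text)
    return {"ip": m.group("ip_only") or m.group("ip"),
            "rdns": m.group("rdns"),          # None when the MTA logged only [ip]
            "helo": helo.group(1) if helo else None}


def last_external(received_headers, trusted_networks):
    """Walk headers newest->oldest; return (trusted_hops, last_external_hop).
    last_external_hop is None when every relay was trusted."""
    nets = [sa_network(n) for n in trusted_networks]
    trusted = []
    for header in received_headers:
        hop = parse_received(header)
        if hop is None:
            continue
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:                # garbage like 999.1.1.1 is not ours
            return trusted, hop
        if any(ip in net for net in nets):
            trusted.append(hop)
            continue
        return trusted, hop
    return trusted, None


def whitelist_from_rcvd_matches(hop, entry_domain):
    """whitelist_from_rcvd compares the entry's domain with the rDNS of the last
    external relay, never with what that relay claimed in HELO. (The From-
    address half of the real check is left out here.)"""
    rdns = (hop or {}).get("rdns")
    if not rdns:
        return False
    rdns, entry_domain = rdns.lower().rstrip("."), entry_domain.lower()
    return rdns == entry_domain or rdns.endswith("." + entry_domain)


# Headers copied from Chris's gmail and yahoo test messages in this thread.
GMAIL_TEST = [
    "Received: from [209.85.210.204] ([209.85.210.204:50198] helo=mail-yx0-f204.google.com)"
    " by smtp.embarq.synacor.com (envelope-from <@gmail.com>) (ecelerity 2.2.2.36"
    " r(27513/27514)) with ESMTP id D3/99-26274-D381E7A4; Sat, 08 Aug 2009 20:28:45 -0400",
    "Received: by 10.150.218.17 with SMTP",
]
YAHOO_TEST = [
    "Received: from [206.190.38.132] ([206.190.38.132:27950] helo=web51001.mail.re2.yahoo.com)"
    " by smtp.embarq.synacor.com (envelope-from <@yahoo.com>) (ecelerity 2.2.2.36"
    " r(27513/27514)) with ESMTP id 54/BB-30700-4571E7A4; Sat, 08 Aug 2009 20:24:52 -0400",
]
# Constructed for this example (not from the thread): a host on an embarq
# customer address inside 71.54.96/19 connects straight to the MX and supplies
# a forged older hop claiming the mail came from a yahoo.com server.
FORGED_FROM_CUSTOMER_IP = [
    "Received: from [71.54.109.114] ([71.54.109.114:4123] helo=mail.example.net)"
    " by smtp.embarq.synacor.com (envelope-from <@yahoo.com>) (ecelerity 2.2.2.36"
    " r(27513/27514)) with ESMTP id 00/00-00000-00000000; Sun, 09 Aug 2009 03:00:00 -0400",
    "Received: from web51001.mail.re2.yahoo.com ([206.190.38.132])"
    " by mail.example.net with ESMTP id forged; Sun, 09 Aug 2009 02:59:59 -0400",
]

# trusted_networks as posted (customer ranges included) beside private space
# only, as RW advises; the MX's own /24 would go into internal_networks, which
# this walk does not need to consult.
AS_POSTED = ["192.168/16", "71.48.160.0/20", "71.54.96/19"]
AS_ADVISED = ["192.168/16", "10/8", "172.16/12"]
```

Running last_external(FORGED_FROM_CUSTOMER_IP, AS_POSTED) trusts the 71.54.109.114 hop and reports the forged yahoo.com hop as the last external relay, so whitelist_from_rcvd_matches(..., "yahoo.com") is True and any DNSBL lookup would be made for 206.190.38.132 instead of the customer host that actually delivered the mail; with AS_ADVISED the last external relay is 71.54.109.114 and the whitelist does not match. The genuine yahoo header from Chris's test never matches under either list, because the embarq MX logs only [ip] and a helo, which is exactly the missing-rDNS case RW points out.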
whitelist_from_rcvd and trusted_networks
I have an entry in what I call "my-whitelist.cf" in /etc/mail/spamassassin:

whitelist_from_rcvd blackwell_...@yahoo.com yahoo.com

If I run a message from this person with spamassassin -D -t msg shouldn't I
get a hit on USER_IN_WHITELIST or not?

Also, I'm still not sure I have my trusted_networks setting correct. I have
this in my local.cf:

trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19

Here is a line of Received: from headers from a test mail to myself:

Received: from [71.54.109.114]

and one from someone else using embarq

Received: from [71.48.166.180]

If I read the below correct this is a listing of all CIDRs in the embarq AS
range:

http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0

should all of these be listed in the trusted_networks entry or do I
misunderstand the concept still?

Chris

-- 
KeyID 0xE372A7DA98E6705C