Andy Spiegl wrote:
Hi Rich,
This might make things more clear: Your email to the list only hit the following on my SA:
Thanks a lot for that. I am glad that my mails don't get tagged but - as I just wrote to Matt Kettler - I don't get why my SA scores them so high. My very own message got:
X-Spam-Scores: AWL=-1.348,BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,
RCVD_IN_NJABL=0.1,RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,
USER_IN_WHITELIST=-100
Note that *my* Spamassassin doesn't hit DYNABLOCK or NJABL_DIALUP on your email. This is because you are doing exactly what you should be doing (sending out through a smarthost).
That's what I was hoping, but then why does my own SA think so badly of my mails? There must be some kind of mistake in my configuration. I'd better put it up on my webserver, so you can look at it: http://andy.spiegl.de/sa-local.cf
In your case, you're sending from a dynamic IP which is not in your trusted networks list. SA thinks "ok, a mailserver in my network (condor) just got a connection from somewhere OUTSIDE my network, let's check the connecting IP (217.233.34.182) against the dialup RBLS, let's check all other IPs beyond that against other RBLs, and see what gets hit."
In my case, when receiving a mail, my SA thinks "ok, mx(n).2z.net received a mail from outside my network (lyta.akte.de), let's check that IP to see if it's in any dialup RBLS, and let's check all the other IPs against the regular RBLs".
Does that help make it more clear?
The rule of thumb that I think is missing from the documentation (anyone please correct me if I'm wrong here) is that the trusted_networks and internal_networks settings should contain:
trusted_networks: List the IP ranges of everything that will be using your MTAs as smarthosts (answer the question "who is allowed to send email out through my servers?")
internal_networks: List the IP ranges of your MX servers.
Running spamassassin -D, and looking closely at the debug output will help show what it considers local, and what it's looking up in RBLs.
The example just made it a bit fuzzy as to what was part of your network, and how normal email flowed.
In the sample message you posted, you appear to have sent to a "non-local" email address, but the message was processed by SA on condor. Strange, unless web.de is also local, and condor is processing email for that server?
You are right, I guess that was a bad example. I was trying to create a mail from me to an external address, so I sent it to my web.de account. From there I downloaded it via POP3 and then ran SA on it. What I did wrong was that I ran SA on condor instead of on lyta. But running it on lyta leads to the same result (just tried it):
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lyta.akte.de
X-Spam-Scores: BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,RCVD_IN_NJABL=0.1,
RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,USER_IN_WHITELIST=-100
X-Spam-Status: No, hits=-98.6 required=5.0 tests=BAYES_00,RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS,USER_IN_WHITELIST autolearn=no version=2.63
That's going to cause a bit of a problem for a while, SA currently can't tell the difference between a legit client connecting to your MTA via authenticated SMTP and a spammer on a dialup doing direct to MX. I think that's in the pipe to be fixed, but I'm not certain. In the meantime, if you tend to be at the same ISP your options are to either use that ISP's outbound SMTP server, or add that ISP's IP range to trusted_networks.
What do you have set in local_networks (at the time of receiving the mail you posted)?
Do you mean trusted_networks? Please look at sa-local.cf from above. I didn't change it in the meantime.
Is lyta.akte.de your smarthost? (appears to be)
Yes.
What IP ranges are allowed to send through your smarthost?
Anyone, but only via authenticated SMTP.
Thanks so much for trying to help me, Andy.
Not a problem. It's helping me get my head around the config issues involved.
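
A simplified model of the relay walk described in this message, added here as an example; it is not SpamAssassin's code and not from either poster. The function names, the 192.0.2.25 address standing in for lyta.akte.de, and the 192.0.2.0/24, 198.51.100.0/24 and 217.233.34.0/24 ranges are constructed assumptions.

```python
import ipaddress


def classify_relays(relay_ips, trusted_networks):
    """Split relay IPs taken from Received headers (newest hop first) into:
    trusted hops, the IP that connected to the last trusted hop (the one
    looked up in dialup RBLs), and all hops beyond it (regular RBLs only)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    # Trust extends from the newest hop until the first untrusted IP.
    boundary = 0
    while boundary < len(relay_ips) and is_trusted(relay_ips[boundary]):
        boundary += 1
    untrusted = relay_ips[boundary:]
    return {
        "trusted": relay_ips[:boundary],
        "dialup_rbl": untrusted[:1],
        "other_rbl": untrusted[1:],
    }


DYNAMIC_IP = "217.233.34.182"  # the sender's dynamic IP quoted in the message
SMARTHOST_IP = "192.0.2.25"    # constructed stand-in for lyta.akte.de


def sender_side_view(trusted_networks):
    # The sender's own SA: the dynamic IP connected directly to his server.
    return classify_relays([DYNAMIC_IP], trusted_networks)


def recipient_side_view():
    # A list member's SA: the smarthost connected to his MX, and the
    # dynamic IP sits one hop further back. 198.51.100.0/24 is a
    # constructed range for the recipient's own servers.
    return classify_relays([SMARTHOST_IP, DYNAMIC_IP], ["198.51.100.0/24"])


if __name__ == "__main__":
    print(sender_side_view(["192.0.2.0/24"]))
    print(sender_side_view(["192.0.2.0/24", "217.233.34.0/24"]))
    print(recipient_side_view())
```

The first call reproduces the dialup lookup on the dynamic IP, the second shows it moving inside the trusted set once a covering range is listed, and the third shows why the recipient's side only tests the smarthost against dialup lists.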
