On 19.04.21 16:36, Simon Wilson wrote:
- I'm running KAM rules in Spamassassin
- Postfix port 587-submitted email is sent to Amavisd (as a content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is spam-checked and DKIM-signed on its way out the door, sent back to Postfix at port 10025 for final delivery
- my domain has DMARC p=reject

If the final delivery is a local address, I'm getting some in-theory valid but in practicality invalid Spamassassin scores... e.g. SA is tagging those emails with KAM_DMARC_REJECT - as DMARC fails (correctly). The sending and receiving IPs are all internal...

Not sure if this is more an Amavis question actually, but how should I configure SA to not run or assess tests which make no sense on OUTBOUND emails - e.g. SPF, DKIM, DMARC?

I'd say that a proper solution would be to DKIM-sign mail before it's
spam-scanned.

Good point. If DKIM is signed it should pass DMARC, even if SPF fails.

Amavisd handles both pieces, including DKIM signing... from looking at the headers it looks like Amavisd is spam scanning it first *then* DKIM signing it. I will post to the amavisd mailing list on that question...

Example headers:

Return-Path: <si...@simonandkate.net>
Received: from mail.simonandkate.net ([unix socket])
         by emp87.simonandkate.lan (Cyrus 3.0.7-19.el8 Fedora) with LMTPA;
         Mon, 19 Apr 2021 15:48:49 +1000
X-Cyrus-Session-Id: cyrus-1024276-1618811329-2-17461079309210778615
X-Sieve: CMU Sieve 3.0
Received: from localhost (localhost [127.0.0.1])
        by mail.simonandkate.net (Postfix) with ESMTP id 46BF6805DD
        for <simon@mail.local>; Mon, 19 Apr 2021 15:48:49 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        simonandkate.net; h=mime-version:content-type:content-type
        :reply-to:subject:subject:from:from:message-id:date:date
        :received:received:received; s=default; t=1618811327; bh=Wu3ZcGt
        h8o1YW+OPWu58wegp/fZmc1B+FDiux/qcXUU=; b=FuKqNJCT9CmySXiSILqBUmu
        73a9tQ5a61LS/IYAZvbQIhnigw/Jb0Vq1YGqHVUplpNxpMIZnPNi+/xJN6QcJ+5k
        1TQ5JV0sfNX7r58TyuiNnGkv1eFO9jRBWPpBkkrbxB4wPRe6YNPaxqFsnyFJE/Hm
        nhWnxIORis0a2Z04UVuA=
X-Virus-Scanned: amavisd-new at mail.local
X-Spam-Flag: NO
X-Spam-Score: 1.911
X-Spam-Level: *
X-Spam-Status: No, score=1.911 tagged_above=-999 required=6.2
        tests=[ALL_TRUSTED=-1.5, BAYES_50=0.8, DCC_REPUT_00_12=-0.4,
        HTML_MESSAGE=0.001, KAM_DMARC_REJECT=3, KAM_DMARC_STATUS=0.01]
        autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
        by localhost (amavis.simonandkate.net [127.0.0.1]) (amavisd-new, port 10026)
        with LMTP id NNQ0S1bHSMav for <simon@mail.local>;
        Mon, 19 Apr 2021 15:48:47 +1000 (AEST)
Received: from emp86.simonandkate.lan (emp86.simonandkate.lan [192.168.1.245])
        by mail.simonandkate.net (Postfix) with ESMTPSA id 089FB7B4F3
        for <si...@simonandkate.net>; Mon, 19 Apr 2021 15:48:47 +1000 (AEST)
Received: from ryzen.simonandkate.lan (ryzen.simonandkate.lan [192.168.1.1])
 by mail.simonandkate.net (Horde Framework) with HTTPS; Mon, 19 Apr 2021
 15:48:47 +1000
Date: Mon, 19 Apr 2021 15:48:47 +1000
Message-ID: <20210419154847.horde.1o3u94p-v2fwwnsdw38_...@mail.simonandkate.net>
From: Simon Wilson <si...@simonandkate.net>
To: si...@simonandkate.net


but, the rule could apparently avoid locally-originated mail
(would help for non-DKIM domains).

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT

maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?


Am I reading the rule correctly that EITHER a failed DKIM or SPF will cause this to trip?

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score    KAM_DMARC_REJECT 3.0

...in which case, SPF will *always* fail on an internal email and this rule will always fail. DMARC can still pass with e.g. an SPF failure if DKIM passes - why is this an "OR"?




What am I trying to achieve? - I've had a compromised user account in the past send out spam, so I scan outbound email, with spam notices to postmaster (me). I want that outbound scanning to be sensible - only run spam tests which make sense at that point of the process.

while SA is not very good at scanning outgoing mail, I believe this is still
a good idea.

I've also noticed that Bayes is really struggling to learn local-->local emails, with consistently BAYES_20 or BAYES_50 results. sa-learn advises tokens learned, but it still seems to struggle with these. Other than that my Bayes is excellent, very effective and accurate.

Any advice would be appreciated.


----- End message from Matus UHLAR - fantomas <uh...@fantomas.sk> -----



--
Simon Wilson
M: 0400 12 11 16
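
To show when the meta expression quoted in this message fires, the following added example (not code from the thread or from KAM.cf) evaluates it against the rule hits listed in the X-Spam-Status header above. The helper names, the assumed `__KAM_DMARC_POLICY_REJECT` subrule hit, and the `GUARDED` variant with `!ALL_TRUSTED` are illustrative assumptions, not the shipped rule.

```python
import re

# Rule body exactly as quoted in the thread.
RULE = "!(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT"
# Hypothetical variant (assumption, not from KAM.cf): skip all-trusted mail.
GUARDED = RULE + " && !ALL_TRUSTED"
# X-Spam-Status value copied from the example headers in the thread.
PAGE_STATUS = """No, score=1.911 tagged_above=-999 required=6.2
 tests=[ALL_TRUSTED=-1.5, BAYES_50=0.8, DCC_REPUT_00_12=-0.4,
 HTML_MESSAGE=0.001, KAM_DMARC_REJECT=3, KAM_DMARC_STATUS=0.01]"""

def hits_from_status(status):
    """Rule names listed in the tests=[...] part of X-Spam-Status."""
    m = re.search(r"tests=\[(.*?)\]", status, re.S)
    return {t.split("=")[0].strip() for t in m.group(1).split(",")} if m else set()

def meta_fires(expr, hits):
    """Evaluate a boolean meta expression (!, &&, ||, parentheses) over rule hits."""
    toks = re.findall(r"&&|\|\||[!()]|\w+", expr) + [None]
    def atom(i):
        if toks[i] == "!":
            v, i = atom(i + 1)
            return not v, i
        if toks[i] == "(":
            v, i = either(i + 1)
            return v, i + 1  # step over ")"
        return toks[i] in hits, i + 1  # a rule name is true when it hit
    def chain(i, op, operand):
        v, i = operand(i)
        while toks[i] == op:
            r, i = operand(i + 1)
            v = (v and r) if op == "&&" else (v or r)
        return v, i
    def both(i):
        return chain(i, "&&", atom)
    def either(i):
        return chain(i, "||", both)
    return either(0)[0]

def scenarios():
    policy = {"__KAM_DMARC_POLICY_REJECT"}  # subrule hit assumed: domain is p=reject
    scanned = hits_from_status(PAGE_STATUS) | policy
    return {
        "as scanned (unsigned, no SPF)": meta_fires(RULE, scanned),
        "DKIM valid at scan time": meta_fires(RULE, scanned | {"DKIM_VALID_AU"}),
        "SPF pass only": meta_fires(RULE, policy | {"SPF_PASS"}),
        "guarded, as scanned": meta_fires(GUARDED, scanned),
        "guarded, external, both fail": meta_fires(GUARDED, policy),
    }
```

`scenarios()` reports a hit only when neither DKIM_VALID_AU nor SPF_PASS is present, which is the state of locally submitted mail that is scanned before it is signed.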
