Forgot to include the hook to procmailrc:
cat /etc/procmailrc
DROPPRIVS=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/sh
# Spamassassin
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
:0fw
* <300 000
|/usr/bin/spamassassin
[root@dsm ~]# cat /etc/mail/spamassassin/spamassassin-spamc.rc
# send mail through spamassassin
:0fw
| /usr/bin/spamc
On Sat, Jul 23, 2016 at 9:31 PM, Robert Kudyba <rkud...@fordham.edu> wrote:
> Sorry forgot to reply all.
>
> Sendmail has a .mc file which creates a .cf file here's ours:
>
> include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
>
> VERSIONID(`setup for linux')dnl
>
> OSTYPE(`linux')dnl
>
> dnl #
>
> dnl # Do not advertize sendmail version.
>
> dnl #
>
> dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
>
> dnl #
>
> dnl # default logging level is 9, you might want to set it higher to
>
> dnl # debug the configuration
>
> dnl #
>
> dnl define(`confLOG_LEVEL', `9')dnl
>
> dnl #
>
> dnl # Uncomment and edit the following line if your outgoing mail needs to
>
> dnl # be sent out through an external mail server:
>
> dnl #
>
> dnl define(`SMART_HOST', `smtp.your.provider')dnl
>
> dnl #
>
> define(`confDEF_USER_ID', ``8:12'')dnl
>
> dnl define(`confAUTO_REBUILD')dnl
>
> define(`confTO_CONNECT', `1m')dnl
>
> define(`confTRY_NULL_MX_LIST', `True')dnl
>
> define(`confDONT_PROBE_INTERFACES', `True')dnl
>
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
>
> define(`ALIAS_FILE', `/etc/aliases')dnl
>
> define(`STATUS_FILE', `/var/log/mail/statistics')dnl
>
> define(`UUCP_MAILER_MAX', `2000000')dnl
>
> define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
>
> define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
>
> define(`confAUTH_OPTIONS', `A')dnl
>
> dnl #
>
> dnl # The following allows relaying if the user authenticates, and
> disallows
>
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
>
> dnl #
>
> dnl define(`confAUTH_OPTIONS', `A p')dnl
>
> dnl #
>
> dnl # PLAIN is the preferred plaintext authentication method and used by
>
> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
>
> dnl # use LOGIN. Other mechanisms should be used if the connection is not
>
> dnl # guaranteed secure.
>
> dnl # Please remember that saslauthd needs to be running for AUTH.
>
> dnl #
>
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
>
> dnl #
>
> dnl # Rudimentary information on creating certificates for sendmail TLS:
>
> dnl # cd /etc/pki/tls/certs; make sendmail.pem
>
> dnl # Complete usage:
>
> dnl # make -C /etc/pki/tls/certs usage
>
> dnl #
>
> dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
>
> dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
>
> dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
>
> dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
>
> dnl #
>
> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
>
> dnl # slapd, which requires the file to be readble by group ldap
>
> dnl #
>
> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
>
> dnl #
>
> dnl define(`confTO_QUEUEWARN', `4h')dnl
>
> dnl define(`confTO_QUEUERETURN', `5d')dnl
>
> dnl define(`confQUEUE_LA', `12')dnl
>
> dnl define(`confREFUSE_LA', `18')dnl
>
> define(`confTO_IDENT', `0')dnl
>
> dnl FEATURE(delay_checks)dnl
>
> FEATURE(`no_default_msa', `dnl')dnl
>
> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
>
> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
>
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
>
> FEATURE(redirect)dnl
>
> FEATURE(always_add_domain)dnl
>
> FEATURE(use_cw_file)dnl
>
> FEATURE(use_ct_file)dnl
>
> FEATURE(`dnsbl',`relays.ordb.org', `"550 5.7.1 Access denied(O):
> Unsolicited e-mail from " $&{client_addr} " refused. "',`t')dnl
>
> dnl #FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} "
> found in dnsbl.sorbs.net"', `t')dnl
>
> FEATURE(`dnsbl', `b.barracudacentral.org', `', `"550 Mail from "
> $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP
> server " in http://www.barracudacentral.org/lookups "')dnl
>
> FEATURE(`dnsbl',`zen.spamhaus.org')dnl
>
> FEATURE(`dnsbl',`l2.apews.org')
>
> FEATURE(`dnsbl',`bl.spamcop.net')
>
> FEATURE(`dnsbl', `psbl.surriel.com')
>
> dnl HACK(`milter-greylist')
>
>
> INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock')dnl
>
> define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
>
> define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
>
> define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
>
> define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
>
>
> #Optional
>
> dnl #
>
> dnl # Added by agw, 21 Sept 2005
>
> dnl #
>
> FEATURE(`domaintable')dnl
>
> dnl #
>
> dnl # The following limits the number of processes sendmail can fork to
> accept
>
> dnl # incoming messages or process its message queues to 20.) sendmail
> refuses
>
> dnl # to accept connections once it has reached its quota of child
> processes.
>
> dnl #
>
> dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
>
> dnl #
>
> dnl # Limits the number of new connections per second. This caps the
> overhead
>
> dnl # incurred due to forking new sendmail processes. May be useful
> against
>
> dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP
> address
>
> dnl # limit would be useful but is not available as an option at this
> writing.)
>
> dnl #
>
> dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
>
> dnl #
>
> dnl # The -t option will retry delivery if e.g. the user runs over his
> quota.
>
> dnl #
>
> FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
>
> FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
>
> FEATURE(`blacklist_recipients')dnl
>
> EXPOSED_USER(`root')dnl
>
> dnl #
>
> dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery
> uncomment
>
> dnl # the following 2 definitions and activate below in the MAILER section
> the
>
> dnl # cyrusv2 mailer.
>
> dnl #
>
> dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
>
> dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
>
> dnl #
>
> dnl # The following causes sendmail to only listen on the IPv4 loopback
> address
>
> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
>
> dnl # address restriction to accept email from the internet or intranet.
>
> dnl #
>
> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> dnl #
>
> dnl # The following causes sendmail to additionally listen to port 587 for
>
> dnl # mail from MUAs that authenticate. Roaming users who can't reach their
>
> dnl # preferred sendmail daemon due to port 25 being blocked or redirected
> find
>
> dnl # this useful.
>
> dnl #
>
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> dnl #
>
> dnl # The following causes sendmail to additionally listen to port 465, but
>
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587
> followed
>
> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express
> can't
>
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use
> STARTTLS
>
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
>
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
>
> dnl #
>
> dnl # For this to work your OpenSSL certificates must be configured.
>
> dnl #
>
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> dnl #
>
> dnl # The following causes sendmail to additionally listen on the IPv6
> loopback
>
> dnl # device. Remove the loopback address restriction listen to the
> network.
>
> dnl #
>
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
>
> dnl #
>
> dnl # enable both ipv6 and ipv4 in sendmail:
>
> dnl #
>
> dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
>
> dnl #
>
> dnl # We strongly recommend not accepting unresolvable domains if you want
> to
>
> dnl # protect yourself from spam. However, the laptop and users on
> computers
>
> dnl # that do not have 24x7 DNS do need this.
>
> dnl #
>
> dnl FEATURE(`accept_unresolvable_domains')dnl
>
> dnl #
>
> dnl FEATURE(`relay_based_on_MX')dnl
>
> dnl #
>
> dnl # Also accept email sent to "localhost.localdomain" as local email.
>
> dnl #
>
> dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
>
> dnl #
>
> dnl # The following example makes mail from this host and any additional
>
> dnl # specified domains appear to be sent from mydomain.com
>
> dnl #
>
> MASQUERADE_AS(`our domain’)dnl
>
> dnl #
>
> dnl # masquerade not just the headers, but the envelope as well
>
> dnl #
>
> FEATURE(masquerade_envelope)dnl
>
> dnl #
>
> dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as
> well
>
> dnl #
>
> dnl FEATURE(masquerade_entire_domain)dnl
>
> dnl #
>
> dnl MASQUERADE_DOMAIN(localhost)dnl
>
> dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
>
> dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
>
> dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
>
>
> # SMTP greet delay may deter spam, as per
>
> # https://wiki.apache.org/spamassassin/OtherTricks
>
> # agw 22 June 2014 (H0.5BDAGW)
>
> FEATURE(`greet_pause', `10000')
>
>
> MAILER(smtp)dnl
>
> MAILER(procmail)dnl
>
> dnl MAILER(cyrusv2)dnl
>
>
> LOCAL_RULE_3
>
> # custom S3 begin ... courtesy of Andrzej Filip <a...@bigfoot.com>
>
> R$-/FACULTY/FIRE $@ $>3 $1@ ourdomain
>
> R$-/GUEST/FIRE $@ $>3 $1@ ourdomain
>
> R$-/STAFF/FIRE $@ $>3 $1@ ourdomain
>
> R$-/STUDENTS/FIRE $@ $>3 $1@ourdomain
>
> # custom S3 end
>
>
> On Sat, Jul 23, 2016 at 8:55 PM, Reindl Harald <h.rei...@thelounge.net>
> wrote:
>
>> STAY ON LIST
>>
>> Am 24.07.2016 um 02:50 schrieb Robert Kudyba:
>>
>>> OK then the next question is why would some messages not be getting
>>> scanned whilst others are? What else can I check? Could another config
>>> file be bypassing? There's nothing in the whitelist unless I'm not
>>> checking all the possible paths to whitelists?
>>>
>>
>> i don't see how spamassassin is supposed to be called in your setup at
>> all, in my setups with spamass-milter (postfix) talking to spamd it's
>> impossible to skip it at all
>>
>> On Sat, Jul 23, 2016 at 8:44 PM, Reindl Harald <h.rei...@thelounge.net
>>> <mailto:h.rei...@thelounge.net>> wrote:
>>>
>>>
>>> Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
>>>
>>> sample header of a missed spam/false negative:
>>>
>>> http://txt.do/5em14
>>>
>>>
>>> there are no spamassassin headers - so what is your evidence that
>>> this message ever went through spamassassin?
>>>
>>
>>
>
