I *do* have Postfix adding a Received-SPF filter using python-policyd-spf (called as last check in smtpd_recipient_restrictions), so yes it would make sense for spamassassin to trust the check already made - I'll see if I can work out how to do that.


This got me checking the filter flow through my inbound system. Current filters and checks:

1. Postfix smtpd calls OpenDMARC as a milter, set to "RejectFailures false", so it adds Authentication-Results header with result but never rejects (far too much ham I'd lose if this was reject)
2. The last smtpd_recipient_restrictions entry calls policyd-spf, which *is* set to reject on failure, and adds Received-SPF header
3. Amavisd does a DKIM check, adds another Authentication-Results header
4. Spamassassin is called by amavisd


As an example this (ham) email failed DMARC (OpenDMARC), passed SPF (policyd-spf), passed DKIM (amavis) and then gets sent to spamassassin:

X-Spam-Status: No, score=-8.584 tagged_above=-999 required=6.2
        tests=[BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIMWL_WL_HIGH=-0.001,
        DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1,
        HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001,
        HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=0.1, MAILING_LIST_MULTI=-1,
        RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
        SPF_PASS=-0.001, TXREP=-4.833] autolearn=ham autolearn_force=no
Authentication-Results: amavis.simonandkate.net (amavisd-new);
        dkim=pass (1024-bit key) header.d=groups.io
Received: from mail.simonandkate.net ([127.0.0.1])
        by localhost (amavis.simonandkate.net [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id zGbHGj1BQPdu for <simon@mail.local>;
        Wed, 31 Mar 2021 13:06:37 +1000 (AEST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=66.175.222.108; helo=mail02.groups.io; envelope-from=bounce+6376+188464+925173+2363...@groups.io; receiver=si...@simonandkate.net
Authentication-Results: mail.simonandkate.net/A751B1819CB; dmarc=fail (p=none dis=none) header.from=cox.net


What I'd like to better understand is how to get Spamassassin to most effectively look at/interpret results in the previously added headers.

From reading spamassassin doco - ignore_received_spf_header (0|1) (default: 0) means it should be reading the Received-SPF header if it's there (and the fast SPF timings - avg<1/4s - would indicate that it is being used); and it's picking up DKIM (DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1).

I see no DMARC rule assessment... Google points me at some years-old discussions and some home-baked rules, but what is best practice for using DMARC results in Spamassassin?

Simon

--
Simon Wilson
M: 0400 12 11 16
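
Added example, not part of the original post: a Python sketch that collects the SPF, DKIM and DMARC verdicts left in the headers by the filter chain described above, accepting Authentication-Results only from the local authserv-ids seen in the quoted headers. The function name `collect_results`, the abridged sample message and the `mx.example.invalid` header are constructed for illustration.

```python
import re
from email import message_from_string

# Authserv-ids of the poster's own filters, as they appear in the quoted headers.
TRUSTED = {"amavis.simonandkate.net", "mail.simonandkate.net"}

# Constructed sample: the post's headers (abridged), plus one constructed header
# from an untrusted authserv-id to show that its verdict is ignored.
SAMPLE = """\
Authentication-Results: amavis.simonandkate.net (amavisd-new);
        dkim=pass (1024-bit key) header.d=groups.io
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=66.175.222.108;
        helo=mail02.groups.io
Authentication-Results: mail.simonandkate.net/A751B1819CB;
        dmarc=fail (p=none dis=none) header.from=cox.net
Authentication-Results: mx.example.invalid; dmarc=pass header.from=cox.net

body
"""

def collect_results(raw, trusted=TRUSTED):
    """Return {method: result} using only headers added by trusted hosts."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # Drop "(...)" comments, then split into authserv-id and result clauses.
        parts = [p.strip() for p in re.sub(r"\([^()]*\)", " ", value).split(";")]
        # The post's dmarc header has a "/A751B1819CB" suffix after the host name.
        ident = parts[0].split("/")[0].split()
        if not ident or ident[0].lower() not in trusted:
            continue  # a header the sender could have supplied: do not trust it
        for part in parts[1:]:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    # Received-SPF has no authserv-id. Assumption: the topmost one is the header
    # policyd-spf prepended, so only the first occurrence is read.
    spf = msg.get("Received-SPF")
    if spf and "spf" not in results:
        results["spf"] = spf.split()[0].lower()
    return results

if __name__ == "__main__":
    print(collect_results(SAMPLE))
```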
