> >> did you reload/restart amavis after installing new SA?
> >> This header is added by amavis which uses SA libraries internally.
>
> On 30.05.22 09:50, Alex wrote:
> >Yes, thanks. This has been ongoing for weeks.
>
> Doesn't amavisd by any chance use an old SA installation/libraries?
>

I don't think so - the current paths it uses are:

/usr/share/spamassassin
/var/lib/spamassassin/4.000000/updates_spamassassin_org
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com
/etc/mail/spamassassin/

May 30 15:05:16.089 [1254396] dbg: generic: Perl 5.034001, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin

The only rules in the /var/lib/spamassassin/ directory are those listed
above.

I used to have a local DMARC.cf file in /etc/mail/spamassassin before DMARC
was included in v4, but that's been removed.

If I understand Kevin's comments correctly, we know there are still DMARC
problems. I think maybe this is related?

$ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc
May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl for DMARC checks
May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition: none, dkim: pass, spf: fail (spf: pass, spf_helo: fail)
        DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,

Did SPF fail or pass above? It did hit SPF_PASS but it also
hit SPF_HELO_NONE.

It is curious that SA succeeds on its own but it's under amavisd that it
appears to fail.

I also see the following debug messages:

May 30 15:06:54.097 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN is now ready, value: indeedemail.com
May 30 15:06:54.325 [1255659] dbg: askdns: rule __KAM_DMARC_POLICY_REJECT depends on tags: AUTHORDOMAIN
May 30 15:06:54.325 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN was ready, runnable immediately: CODE(0x563c09e23d70)
May 30 15:06:54.325 [1255659] dbg: askdns: launching query (__KAM_DMARC_POLICY_REJECT): _dmarc.indeedemail.com
May 30 15:06:54.325 [1255659] dbg: async: query 50034/IN/TXT/_dmarc.indeedemail.com already underway, adding no.4, rules: __KAM_DMARC_POLICY_REJECT
May 30 15:06:54.518 [1255659] dbg: async: calling callback on key TXT/_dmarc.indeedemail.com, rules: __KAM_DMARC_POLICY_REJECT
May 30 15:06:54.518 [1255659] dbg: askdns: answer received (__KAM_DMARC_POLICY_REJECT), rcode NOERROR, query IN/TXT/_dmarc.indeedemail.com, answer has 1 records
May 30 15:06:54.518 [1255659] dbg: askdns: domain "_dmarc.indeedemail.com" listed (__KAM_DMARC_POLICY_REJECT): v=DMARC1; p=reject; sp=reject; rua=mailto:f48jz-9...@rua.dmarc.emailanalyst.com,mailto:dm...@indeed.com; ruf=mailto:f48jz-9...@ruf.dmarc.emailanalyst.com; adkim=r; aspf=r; pct=100

So it did hit __KAM_DMARC_POLICY_REJECT but just not whatever else was
necessary to fulfill the requirements for the KAM_DMARC_REJECT when run
with SA manually.
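
For reference, an added example (not part of the original message and not SpamAssassin or KAM rule code) of how an RFC 7489 evaluation reaches "result: pass, disposition: none" for a domain that publishes p=reject: one aligned pass from either DKIM or SPF is enough. The record below is constructed from the logged one with a placeholder report address; the authentication inputs, the two-label organizational-domain shortcut and the omission of pct sampling are assumptions.

```python
# Added example: RFC 7489 record parsing and pass/fail decision.
# Constructed record modelled on the logged one; rua is a placeholder.
RECORD = ("v=DMARC1; p=reject; sp=reject; "
          "rua=mailto:reports@example.invalid; adkim=r; aspf=r; pct=100")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, dkim, spf):
    """dkim and spf are (result, domain) pairs; returns (result, disposition)."""
    tags = parse_dmarc(record)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain,
                                            tags.get("adkim", "r"))
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain,
                                          tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        # The published policy only applies to messages that fail DMARC.
        return "pass", "none"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)  # subdomain policy, if published
    return "fail", policy

if __name__ == "__main__":
    # Constructed inputs: aligned DKIM pass, SPF fail.
    print(evaluate(RECORD, "indeedemail.com",
                   ("pass", "indeedemail.com"), ("fail", "indeedemail.com")))
```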
