> > > > >> did you reload/restart amavis after installing new SA? > >> This header is added by amavis which uses SA libraries internally. > > On 30.05.22 09:50, Alex wrote: > >Yes, thanks. This has been ongoing for weeks. > > doesn't amavisd by any chance use old SA installation/libraries? >
I don't think so - the current paths it uses are: /usr/share/spamassassin /var/lib/spamassassin/4.000000/updates_spamassassin_org /var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com /etc/mail/spamassassin/ May 30 15:05:16.089 [1254396] dbg: generic: Perl 5.034001, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/va r/lib/spamassassin The only rules in the /var/lib/spamassassin/ directory are those listed above. I used to have a local DMARC.cf file in /etc/mail/spamassassin before DMARC was included in v4, but that's been removed. If I understand Kevin's comments correctly, we know there are still DMARC problems. I think maybe this is related? $ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl for DMARC checks May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition: none, dkim: pass, spf: fail (spf: pass, spf_helo: fail) DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS, Did SPF fail or pass above? It did hit SPF_PASS but it also hit SPF_HELO_NONE. It is curious that SA succeeds on its own but it's under amavisd that it appears to fail. I also see the following debug messages: May 30 15:06:54.097 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN is now ready, value: indeedemail.com May 30 15:06:54.325 [1255659] dbg: askdns: rule __KAM_DMARC_POLICY_REJECT depends on tags: AUTHORDOMAIN May 30 15:06:54.325 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN was ready, runnable immediately: CODE(0x563c09e23d70) May 30 15:06:54.325 [1255659] dbg: askdns: launching query (__KAM_DMARC_POLICY_REJECT): _dmarc.indeedemail.com May 30 15:06:54.325 [1255659] dbg: async: query 50034/IN/TXT/_ dmarc.indeedemail.com already underway, adding no.4, rules: __KAM_DMARC_POLICY_REJECT May 30 15:06:54.518 [1255659] dbg: async: calling callback on key TXT/_ dmarc.indeedemail.com, rules: __KAM_DMARC_POLICY_REJECT May 30 15:06:54.518 [1255659] dbg: askdns: answer received (__KAM_DMARC_POLICY_REJECT), rcode NOERROR, query IN/TXT/_ dmarc.indeedemail.com, answer has 1 records May 30 15:06:54.518 [1255659] dbg: askdns: domain "_dmarc.indeedemail.com" listed (__KAM_DMARC_POLICY_REJECT): v=DMARC1; p=reject; sp=reject; rua=mailto:f48jz-9...@rua.dm arc.emailanalyst.com,mailto:dm...@indeed.com; ruf=mailto: f48jz-9...@ruf.dmarc.emailanalyst.com; adkim=r; aspf=r; pct=100 So it did hit __KAM_DMARC_POLICY_REJECT but just not whatever else was necessary to fulfill the requirements for the KAM_DMARC_REJECT when run with SA manually.