Re: DNSWL_HI testing wrong Received header?

Wed, 28 Dec 2022 01:28:41 -0800 

John Stimson via users skrev den 2022-12-27 23:28:

I have a single SMTP server with single public IP address.  I have set
trusted_networks my.ip.num.ber



this can have all external trusted ips aswell, but minimal it should be 
a list of ips you have ssh root access on, nothing more nothing less



internal_networks my.ip.num.ber


should have all "ip addr show" listed


and removed the clear_originating_ip_headers line.  I also added the
line



this is safe to keep so ips only is in recieved headers, not any other 
bogus ips, it have nothing to do with trusted_networks anyway



add_header all RelaysUntrusted _RELAYSUNTRUSTED_


good to see so you can track errors later :=)


based on the suggestion in the TrustPath documentation at
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath



dokumention assume all do the same errors as dokumention describe, while 
sane configs is more or less expirence, the expirences cant be readed in 
books sadly



The documentation there only suggests setting my trusted_networks and
internal_networks, not clearing either of them.


so why is clearing supported ?


Now, when I manually check the messages, the X-Spam-RelaysUntrusted:
header displays the mail host that my server received the message
from. That seems proper. HOWEVER, even though that is supposed to be
the host used for all IP based checks, DNSWL_HI is being triggered.
The first untrusted host is not in the dnswl.org high confidence list.
However the IP in X-Originating-Ip: is listed in dnswl.org's high
confidence list.  I don't know why spamassassin would use that header,
though, since it is below the Received: line for the first untrusted
relay.



problem with additional header trust is that we dont know if its forged 
or not, with only recieved header it know what it forged, thats my point 
of why is it default trusted headers from untrusted sources ?




On 2022/12/27 18:20:35 Matus UHLAR - fantomas wrote:

>On 2022/12/26 23:47:41 Benny Pedersen wrote:
On 27.12.22 13:04, John Stimson via users wrote:
>Thanks -- I found a mechanism that empties the list of headers used

to

>determine the originating IP.  I added this line to my local.cf:
>
>clear_originating_ip_headers


keep this option in local.cf



I recommend checking:

trusted_networks
clear_trusted_networks

internal_networks
clear_internal_networks

these to be set up properly instead of just

clear_originating_ip_headers


- you should still check them, as they give you opportunity to check

proper

headers in DNS, not just in DNSWL.






















					Reply via email to