> I've got a long standing server, where I run FreeBSD (13.1) + sendmail
> (8.17.1) + MIMEDefang (2.84) + SpamAssassin (3.4.6).
> (I know there are more recent versions, but that's what ports currently
> provide).
> This has been working perfectly for years.

Yes, times change. Currently Gmail is sometimes blocking emails, complaining about SPF+DKIM, while these messages are not even configured for SPF/DKIM.

> Since the beginning of this year, however, incoming (SMTP authenticated)
> mail from clients outside the LAN is marked as spam.
> E.g.
>
> X-Spam-Score: 10.756 (**********)
> BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOT
> S_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAM
> IC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL

Don't you have more details? Looks to me like you are on DNS blacklists, your SPF is not good, etc.

> Right now I instructed MIMEDefang to avoid passing authenticated mails
> to SpamAssassin, but this is not what I ideally want. (If a client gets
> compromised...).

Maybe just stat it only (with Prometheus)?
https://www.mail-archive.com/users@spamassassin.apache.org/msg109914.html

> My real wish would be to always run messages through SpamAssassin, but
> avoid RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from
> an authenticated client, as these rules make no sense in that case.

I prefer to have the SPF and DNS RBL checks done at connect time in the milter; that is more efficient. Last, I parse message data to resource-intensive tasks like SpamAssassin and ClamAV.

> What's the best practice to achieve this result?
>

Separate incoming and outgoing servers, with different configurations for their SpamAssassin. It is almost impossible to have incoming and outgoing combined.
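As an added illustration (not part of the original thread), the following Python sketch unfolds the wrapped rule list from the X-Spam-Score header quoted in the message above and separates the hits that describe the sending client's IP address or sender-domain policy from those that describe the message content. The name-based grouping pattern is an assumption of this example, not SpamAssassin's own classification.

```python
import re

# Constructed sample: the rule list as it appears in the quoted message,
# including the mid-token line wraps and the "> " quote marks.
QUOTED_HITS = """\
> BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOT
> S_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAM
> IC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL
"""

# Assumption of this example: a rule is "origin-based" when its name carries
# an SPF, DMARC or reverse-DNS token, or starts with RCVD_IN_ (DNS blocklist).
ORIGIN_RULE = re.compile(r"^RCVD_IN_|(?:^|_)(?:SPF|DMARC|RDNS|FCRDNS)(?:_|$)")


def unfold_hits(text):
    """Strip quote prefixes, rejoin wrapped lines, return the rule names."""
    parts = [re.sub(r"^[>\s]+", "", line).rstrip() for line in text.splitlines()]
    return [name for name in "".join(parts).split(",") if name]


def split_hits(names):
    """Partition rule names into (origin_based, content_based)."""
    origin = [n for n in names if ORIGIN_RULE.search(n)]
    content = [n for n in names if not ORIGIN_RULE.search(n)]
    return origin, content


if __name__ == "__main__":
    origin, content = split_hits(unfold_hits(QUOTED_HITS))
    print("origin-based :", ", ".join(origin))
    print("content-based:", ", ".join(content))
```

Nine of the twelve hits fall in the origin-based group, which is the set of checks the original poster wants skipped for authenticated clients while content rules keep running.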