On 2023-01-23 at 10:51:14 UTC-0500 (Mon, 23 Jan 2023 16:51:14 +0100)
Andrea Venturoli <m...@netfence.it>
is rumored to have said:
> Hello.
>
> I've got a long standing server, where I run FreeBSD (13.1) + sendmail
> (8.17.1) + MIMEDefang (2.84) + SpamAssassin (3.4.6).
> (I know there are more recent versions, but that's what ports
> currently provide).

SA4 has been in ports for a while. MD3.x should be but is not. This is
unlikely to be relevant to your problem.

> This has been working perfectly for years.
> Since the beginning of this year, however, incoming (SMTP
> authenticated) mail from clients outside the LAN is marked as spam.

Very odd. Since you're still on SA3.4.6, the only piece that should have
changed about SA is the rules and the data in external resources like
DNSBLs. That should not have been able to affect how SA detects
authenticated clients.

> E.g.
> X-Spam-Score: 10.756 (**********)
> BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOTS_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAMIC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL

Some external data sources there: sender domain DMARC/SPF records,
SpamHaus, client rDNS. I think the KAM_DMARC_* rules may be new as well.

It is also possible that there were changes in your system that could
trigger this, but I would expect that you'd have mentioned it if you had
made any obvious ones: hostname, local.cf, mimedefang-filter. It would
also be notable if your users have started connecting from a new range
of addresses.

> Right now I instructed MIMEDefang to avoid passing authenticated mails
> to SpamAssassin, but this is not what I ideally want. (If a client
> gets compromised...).

Correct. SA should be able to detect trustworthy authentication
indications in the trusted Received headers which prevent it from
applying *most* of those rules.

> My real wish would be to always run messages through SpamAssassin, but
> avoid RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from
> an authenticated client, as these rules make no sense in that case.
> What's the best practice to achieve this result?

Configure your internal_networks, msa_networks, and trusted_networks
properly and make sure that your mimedefang-filter calls
synthesize_received_header() before spam_assassin_check(). With those
parameters set correctly and the local Received header included, SA
should be able to detect authenticated clients of trusted machines and
skip those rules.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
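
A local.cf fragment showing the three settings named in the reply, for a single host that is both MX and submission server as in the question. This is an added example, not part of the thread; the addresses are constructed placeholders and the network layout is an assumption.

```conf
# local.cf fragment (added example; all addresses are constructed placeholders)
#   192.0.2.25       the mail server's own public address (assumed)
#   192.168.10.0/24  the LAN behind it (assumed)

# Relays whose Received headers are believed not to be forged.
# SpamAssassin reads Received headers from the top down and stops trusting
# them at the first hop that is not covered here.
trusted_networks   192.0.2.25 192.168.10.0/24

# Relays that belong to this site (the MX and any internal hops).
# Every entry here must also be covered by trusted_networks.
internal_networks  192.0.2.25 192.168.10.0/24

# msa_networks is meant for hosts that accept mail ONLY from authenticated
# or otherwise local users. SpamAssassin's documentation for this option
# warns against listing a host that also acts as an MX, because every relay
# upstream of a listed MSA inherits its trust. On a combined MX/MSA host it
# therefore stays unset, and authenticated clients are recognised from the
# authentication token in the server's own Received header instead.
#
# Only for a dedicated submission-only host (placeholder address):
# msa_networks     192.0.2.26
```

`spamassassin --lint` checks the file for syntax errors. Running a saved authenticated message through `spamassassin -D -t` shows how each hop was classified in the `X-Spam-Relays-Trusted` and `X-Spam-Relays-Untrusted` debug lines.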