On 1/23/23 17:53, Bill Cole wrote:
On 2023-01-23 at 10:51:14 UTC-0500 (Mon, 23 Jan 2023 16:51:14 +0100) Andrea Venturoli <m...@netfence.it> is rumored to have said:Hello. I've got a long standing server, where I run FreeBSD (13.1) + sendmail (8.17.1) + MIMEDefang (2.84) + SpamAssassin (3.4.6). (I know there are more recent versions, but that's what ports currently provide).SA4 has been in ports for a while. MD3.x should be but is not. This is unlikely to be relevant to your problem.This has been working perfectly for years. Since the beginning of this year, however, incoming (SMTP authenticated) mail from clients outside the LAN is marked as spam.Very odd. Since you're still on SA3.4.6, the only piece that should have changed about SA is the rules and the data in external resources like DNSBLs. That should not have been able to affect how SA detects authenticated clients.E.g.X-Spam-Score: 10.756 (**********) BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOTS_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAMIC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAILSome external data sources there: sender domain DMARC/SPF records, SpamHaus, client rDNS. I think the KAM_DMARC_* rules may be new as well. It is also possible that there were changes in your system that could trigger this, but I would expect that you'd have mentioned it if you had made any obvious ones: hostname, local.cf, mimedefang-filter. It would also be notable if your users have started connecting from a new range of addresses.Right now I instructed MIMEDefang to avoid passing authenticated mails to SpamAssassin, but this is not what I ideally want. (If a client gets compromised...).Correct. SA should be able to detect trustworthy authentication indications in the trusted Received headers which prevent it from applying *most* of those rules.My real wish would be to always run messages through SpamAssassin, but avoid RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from an authenticated client, as these rules make no sense in that case. What's the best practice to achieve this result?Configure your internal_networks, msa_networks, and trusted_networks properly and make sure that your mimedefang-filter calls synthesize_received_header() before spam_assassin_check(). With those parameters set correctly and the local Received header included, SA should be able to detect authenticated clients of trusted machines and skip those rules.
in MIMEDefang 2.84 synthesize_received_header() doesn't add a correct header if the email is authenticated, this has been fixed in MIMEDefang 2.85 with this commit: https://github.com/The-McGrail-Foundation/MIMEDefang/commit/34ffd6fa31c4d9e79494fae427ec3b9da6a1c8b1 The problem could have been spotted only recently because more domains started to use DMARC. Giovanni
OpenPGP_signature
Description: OpenPGP digital signature
