On 1/23/23 17:53, Bill Cole wrote:
On 2023-01-23 at 10:51:14 UTC-0500 (Mon, 23 Jan 2023 16:51:14 +0100)
Andrea Venturoli <m...@netfence.it>
is rumored to have said:

Hello.

I've got a long standing server, where I run FreeBSD (13.1) + sendmail (8.17.1) 
+ MIMEDefang (2.84) + SpamAssassin (3.4.6).
(I know there are more recent versions, but that's what ports currently 
provide).

SA4 has been in ports for a while. MD3.x should be but is not. This is unlikely 
to be relevant to your problem.

This has been working perfectly for years.

Since the beginning of this year, however, incoming (SMTP authenticated) mail 
from clients outside the LAN is marked as spam.

Very odd. Since you're still on SA3.4.6, the only piece that should have 
changed about SA is the rules and the data in external resources like DNSBLs. 
That should not have been able to affect how SA detects authenticated clients.

E.g.
X-Spam-Score: 10.756 (**********) 
BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOTS_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAMIC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL

Some external data sources there: sender domain DMARC/SPF records, SpamHaus, 
client rDNS. I think the KAM_DMARC_* rules may be new as well.

It is also possible that there were changes in your system that could trigger 
this, but I would expect that you'd have mentioned it if you had made any 
obvious ones: hostname, local.cf, mimedefang-filter. It would also be notable 
if your users have started connecting from a new range of addresses.


Right now I instructed MIMEDefang to avoid passing authenticated mails to 
SpamAssassin, but this is not what I ideally want. (If a client gets 
compromised...).

Correct. SA should be able to detect trustworthy authentication indications in 
the trusted Received headers which prevent it from applying *most* of those 
rules.

My real wish would be to always run messages through SpamAssassin, but avoid 
RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from an 
authenticated client, as these rules make no sense in that case.

What's the best practice to achieve this result?

Configure your internal_networks, msa_networks, and trusted_networks properly 
and make sure that your mimedefang-filter calls synthesize_received_header() 
before spam_assassin_check(). With those parameters set correctly and the local 
Received header included, SA should be able to detect authenticated clients of 
trusted machines and skip those rules.

In MIMEDefang 2.84 synthesize_received_header() doesn't add a correct header if 
the email is authenticated; this has been fixed in MIMEDefang 2.85 with this 
commit:
https://github.com/The-McGrail-Foundation/MIMEDefang/commit/34ffd6fa31c4d9e79494fae427ec3b9da6a1c8b1

The problem could have been spotted only recently because more domains started 
to use DMARC.
Giovanni
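Bill's advice above and Giovanni's note about the 2.84 synthesize_received_header() fix both come down to what the locally added Received header says about the session. The following added example (not code from the thread, MIMEDefang or SpamAssassin) is a simplified model of that check: it parses a sendmail-style Received header for the SMTP AUTH markers and decides whether the client IP would still be subjected to the DNSBL/SPF/DMARC/dynamic-rDNS rules. The hostnames, client IP, queue id, and the msa_hosts and trusted_networks parameters are constructed assumptions.

```python
"""Does a synthesized Received header carry an SMTP AUTH marker?

Simplified model of the distinction the thread relies on: a client of a
trusted MSA is only treated as authenticated if the Received header for
that hop says so. Only the locally synthesized (top) header is examined;
lower headers are client-supplied and forgeable. Samples are constructed.
"""
import ipaddress
import re

# Sendmail-style hop: "from HELO (RDNS [IP]) <clauses> by HOST ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"(?P<clauses>.*?)\bby\s+(?P<by>\S+)",
    re.S,
)
# Markers an MSA leaves for an authenticated session: sendmail's
# "(authenticated bits=N)" comment or an ESMTPA/ESMTPSA/LMTPA protocol token.
AUTH_RE = re.compile(r"\(authenticated\b|\bwith\s+(?:E|L)SMTPS?A\b")

# Constructed: the hop as a fixed synthesize_received_header() would write it
# for an authenticated client, and the same hop with the auth marker missing.
FIXED_HEADER = ("from laptop.example.net (laptop.example.net [203.0.113.5]) "
                "(authenticated bits=0) by mx.example.org (8.17.1/8.17.1) "
                "with ESMTPSA id 30NFpEIi012345; Mon, 23 Jan 2023 16:51:14 +0100")
BROKEN_HEADER = ("from laptop.example.net (laptop.example.net [203.0.113.5]) "
                 "by mx.example.org (8.17.1/8.17.1) "
                 "with ESMTPS id 30NFpEIi012345; Mon, 23 Jan 2023 16:51:14 +0100")
MSA_HOSTS = {"mx.example.org"}                      # assumed: our MSA
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]    # assumed: trusted_networks


def parse_hop(received):
    """Extract client IP, receiving host and whether the session authenticated."""
    m = HOP_RE.search(received)
    if not m:
        raise ValueError("not a sendmail-style Received header")
    ip = re.sub(r"^IPv6:", "", m.group("ip"))       # sendmail writes [IPv6:...]
    return {"ip": ipaddress.ip_address(ip), "by": m.group("by").lower(),
            "authenticated": AUTH_RE.search(received) is not None}


def external_checks_apply(received, msa_hosts, trusted_networks):
    """True if reputation rules would still target the client IP: the hop is
    neither from a trusted network nor an authenticated session at our MSA."""
    hop = parse_hop(received)
    if any(hop["ip"] in net for net in trusted_networks):
        return False
    if hop["by"] in msa_hosts and hop["authenticated"]:
        return False
    return True
```

With the marker present the client IP is left alone; without it (the 2.84 behaviour) the same roaming client is treated as an untrusted external relay, which is what fires the PBL/SPF/DMARC/rDNS rules in Andrea's score line.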
