Re: Spamassassin and no whitelisting

Mon, 16 Aug 2010 01:20:48 -0700 

Off hand I don't see a problem. What does "spamassassin --lint" say as a
user (not as root?) It's almost as if your whitelist rules are not being
parsed because of an error in the file above the whitelist rules.

If lint passes I'd use "spamassassin -t -D <testemail". Note, I'd NOT
use spamc to make that test, at least at first.

This will tell you what rules are found and fired. It might also tell you
why the whitelist file is not being found.

Also do you have any blacklist entries? Could one of them be misfiring and
negating your whitelist somehow.

How are you including the whitelist entries? (The usual would be a
whitelist.cf file in /etc/mail/spamassassin.)

{^_^}
----- Original Message ----- From: "Josef Karliak" <karl...@ajetaci.cz> 
To: "jdow" <j...@earthlink.net>
Cc: <users@spamassassin.apache.org>
Sent: Sunday, 2010/August/15 22:20
Subject: Re: Spamassassin and no whitelisting



  Hi,
  local.cf is in /etc/mail/spamassassisn, spamd load it at startup.
Spamassassisn work, test runs except whitelist :-/ :

Aug 16 07:08:18 radio-hk spamd[28279]: spamd: setuid to mail succeeded
Aug 16 07:08:18 radio-hk spamd[28279]: spamd: processing message
<20100816050813.2904.qm...@kirke.atweb.cz> for mail:8
Aug 16 07:08:19 radio-hk spamd[28279]: spamd: clean message (1.0/8.0)
for mail:8 in 0.0 seconds, 7706 bytes.
Aug 16 07:08:19 radio-hk spamd[28279]: spamd: result: . 1 -
SPF_CHECK_NONE
scantime=0.0,size=7706,user=mail,uid=8,required_score=8.0,rhost=localhost,raddr=127.0.0.1,rport=33320,mid=<20100816050813.2904.qm...@kirke.atweb.cz>,autolearn=no

  After debug start of the spamd all seems ok:

Aug 16 07:18:10 radio-hk spamd[32557]: plugin: loading
Mail::SpamAssassin::Plugin::WLBLEval from @INC
Aug 16 07:18:10 radio-hk spamd[32557]: plugin: loading
Mail::SpamAssassin::PerMsgStatus from @INC
Aug 16 07:18:10 radio-hk spamd[32557]: plugin: loading
Mail::SpamAssassin::Plugin::VBounce from @INC
Aug 16 07:18:10 radio-hk spamd[32557]: plugin: loading
Mail::SpamAssassin::Plugin::ImageInfo from @INC
Aug 16 07:18:10 radio-hk spamd[32557]: plugin: loading
Mail::SpamAssassin::Plugin::FreeMail from @INC
Aug 16 07:18:10 radio-hk spamd[32557]: config: using
"/etc/mail/spamassassin/whitelist_users" for included file
Aug 16 07:18:10 radio-hk spamd[32557]: config: read file
/etc/mail/spamassassin/whitelist_users
Aug 16 07:18:10 radio-hk spamd[32557]: conf: finish parsing


  So do I missing some module load ? Or so ?
  Thanks
  J.K.

Cituji jdow <j...@earthlink.net>:


OK, you use the file local.cf. Are you sure you are modifying the
correct local.cf. You rather need to be able to use, advisable or not,
whitelist_from if whitelist_from_rcvd or other whitelist_from_XXXX
variants are going to work. So let's get that working first.

Determine where the REAL local.cf SHOULD be on your system. That file
is USUALLY stored in /etc somewhere. On RedHat, as on my system, it is
setup to live in /etc/mail/spamassassin. Your description of what is
happening suggests you modified a file that is not being used.

Note that you can leave spamd running while you test if you use the
"spamassassin -t <testemail" approach. You can throw in a -D to get
debug messages and see why the whitelist_from line fails for you.

THEN it is appropriate to discuss what you should be using.

{^_-}
----- Original Message ----- From: "Josef Karliak" <karl...@ajetaci.cz>
To: <users@spamassassin.apache.org>
Sent: Sunday, 2010/August/15 09:35
Subject: Re: Spamassassin and no whitelisting



 Yes, our users (from local LAN) are authorized over Domainkeys
(all  emails frou our network are signed), and SA has a "trusted"
network.  All from our company is OK and solved.
 But we want to create whitelist for companies that our users mails
 to. When outside company answers for email, and they don't have
DKIM,  SPF, ... and sends emails that look like spam (HTML,
SUBJ_ALL_CAPS,  ...) this whitelisted email adress that we get from
his "Sent Items"  folder pass this email and it is not filtered.
 I know, all this is crazy, but DKIM or even "stupid" SPF is not
used often. And arogant domain admins of "rejected" domains :-/.
How  do you solve false positives ? And complains on that ? I don't
want do  decrease scores, I thought that whitelisting to senders
get from our  users could help. If you emailed him, his reply is
wanted. If not  emailed him, lets see results of the test. Nobody
from our company  emailed you, but you use DKIM/SPF/... , we want
this mail. Grr,  authorized spam ? -> sends to abuse.
 What do you think ?
 Thanks for advices and help.
 J.K.

Cituji John Hardin <jhar...@impsec.org>:


On Sun, 15 Aug 2010, Josef Karliak wrote:
My idea is to create whitelist file for inluding to SA from emails sent by our users (from Sent Items folders in cyrus emails). SA is a content 
filter in the Postfix. Only global, not user prefs.


Is there some easy way to identify your users other than the
domain  they claim to be sending from? In other words, is this a
corporate  MTA where all the local mail originates from a specific
subnet, or  an ISP where users send mail via authenticated SMTP?

If so, then there should be some way to tell postfix to trust
messages originating from those sources and not run them through
SA  at all.

I am not a postfix guru. You might want to do some searches of the
 SA list archives for posts that discuss postfix, there may be
some  config examples already available that will work for you.

Best of luck.


Interesting is that I've many installs but on this server doesn't mark
me whitelisted domain (or email address) with "USER_IN_WHITELIST" test
at all. I'll look over your recomendation about whitelist_from_auth,
but if don't mark one whitelist mode, it couldn't mark another :-/.


whitelist_from_rcvd specifying your local network may be another
option for this.


Thanks.
J.K.

Cituji John Hardin <jhar...@impsec.org>:


On Sun, 15 Aug 2010, Josef Karliak wrote:


I've some problem with whitelisting.
In the local.cf file I've for example:

whitelist_from         *...@ajetaci.cz


You do not want to do that. The From address on an email is
trivially easy to forge, and it is common practice for spammers
to  forge a From address in the same domain as the target
address.  whitelist_from is only to be used if nothing else will
work, as it  is a naive whitelist.

You want to use whitelist_from_auth or one of the other
authenticated variants.


What did I missed ?


The best way to skip SA for local users is in the glue layer.
Tell  it to recognize mail that originates from your local
network and  for those messages simply _not call SA_ at all.
Then you save the  processing overhead.

You didn't tell us how you're gluing SA onto your MTA. How are
you  doing that?


--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 If someone has a gun and is trying to kill you, it would be
 reasonable to shoot back with your own gun.
                                     -- the Dalai Lama, May 15, 2001
-----------------------------------------------------------------------
Today: the 65th anniversary of the end of World War II





----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.








----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Reply via email to