(Please keep mail on the list)

Marcus Schopen wrote:
> Hi Kris,
> 
> thanks for your time!
> 
> On Thursday, 08.12.2016, 12:18 -0500, Kris Deugau wrote:
>>> On 12/8/2016 10:54 AM, Marcus Schopen wrote:
>>>> Hi,
>>>>
>>>> some of my users forward external mails to my host. In some cases those
>>>> forwarding hosts don't filter spam. How do I parse back through
>>>> forwarding headers to find the true source IP and run dnsrbl checks on
>>>> that IP? I don't want to reject those mails in case of spam, so that the
>>>> forwarding host will become a backscatter, but just marking them. I
>>>> tried to set the forwarding host IPs to trusted_networks, which helps
>>>> with wrong dnswl.org checks, but RBL checks are disabled then. Any ideas
>>>> how to handle that?
>>
>> Not sure what you mean by "RBL checks are disabled then";  do you mean
>> that none of them fire when expected?
> 
> On this page I found
> 
> https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
> 
> trusted_networks: "DNS blacklist checks will never query for hosts on
> these networks."

That means that IPs *in* trusted_networks won't be checked.  IPs that
*hand off to* IPs in trusted_networks will be:

Scammer -> Third party forwarder -> Your MX

In the minimal setup, trusted_networks only contains your MX, and the
only IP SA will consider for IP DNSBL lookups is the third party forwarder.

Adding the IP (or IPs) of that forwarder to trusted_networks means SA
will do IP DNSBL lookups on the scammer's IP, assuming it can be parsed
from the forwarder's Received header(s).

Also note, that link is a little stale since IIRC SpamAssassin's trust
path system got some minor revisions and tweaks in 3.2.

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
covers the current release.

> The mails are forwarded automatically and from the logs of the last
> months I see the same 6 IPs which they are sent from. These IPs are
> separate from emails which were sent via their smtp relay, so they split
> up forwarding IPs from "normal" smtp relay, which is good.
> 
> May I ask you for your configuration? Do you put the forwarding IPs to
> "internal_networks" then?

No;  I have internal hosts listed in internal_networks and/or
msa_networks as appropriate, a modest set of other local IPs in
trusted_networks, and ~100+ IPs from customer forwarding.

+--trusted_networks---------------------------+
| +--internal_networks--+  +--msa_networks--+ |
| | 192.168.2.0/24      |  | 192.168.3.0/29 | |
| +---------------------+  +----------------+ |
| us:  192.168.0.0/22                         |
| Them:                                       |
|   customer A:                               |
|     10.0.3.3                                |
|     10.0.3.4                                |
|     192.168.255.252                         |
|   customer B:                               |
|     172.17.34.56                            |
+---------------------------------------------+

I *think* there are cases where it's also correct to end up with
msa_networks and internal_networks overlapping, and I've found a few
mail flow paths where adding the remote system to internal_networks
seemed to be the only way to get the DNS lookups pointed to the correct
IP, but those have been rare.

> 
> Here is an example for the headers:
> 
> ---------
> Return-Path: <SRS0
> +f3sO=XX=e.smdm-mail.de=replies-emid0aa064v3j7p010jm80b7jjb011iq...@udag.de>
> Received: from athosian.udag.de (athosian.udag.de [62.146.106.25])
> by mxrelay.medienlabor.de (8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP
> id uB8Dg6xg008952 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NOT) for <mar...@mydomain.de>; Thu, 8 Dec 2016 14:42:09
> +0100
> 
> Received: from exspamix-02.udag.de (exspamix-02.udag.de
> [62.146.106.133]) by athosian.udag.de (Postfix) with ESMTP id
> 772FD142C2F for <mar...@externaldomain.de>; Thu,  8 Dec 2016 14:42:06
> +0100 (CET)
> 
> Received: from mx68e167.fagms.de ([62.144.68.167]) by
> exspamix-02.udag.de with esmtps
> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86)
>       (envelope-from
> <replies-emid0aa064v3j7p010jm80b7jjb011iq...@e.smdm-mail.de>)
> id 1cEyxZ-0008bX-A5 for mar...@externaldomain.de; Thu, 08 Dec 2016
> 14:42:06 +0100
> ---------
> 
> At the external, forwarding provider udag.de the mail was received from
> mx68e167.fagms.de (the host I'd like to check by dnsrbl) by
> exspamix-02.udag.de. My receiving MX is mxrelay.medienlabor.de, which
> received the mail from athosian.udag.de then.
> 
> Which hosts do I have to put to "internal_networks" then, only the
> forwarding host athosian.udag.de, which connects to my server
> (mxrelay.medienlabor.de) or the receiving host exspamix-02.udag.de too?

Yes, both.  Strictly speaking these should only go in trusted_networks,
since these are not *your* hosts, but the way the lookups are defined
you'll probably need to put them in internal_networks.

I took a look at the stock rules and it seems the "black" DNSBL rules
almost all use -lastexternal, where the "white" ones use -firsttrusted.
I'm not sure why things are divided that way;  I would have expected it
to be more along the lines of per-DNSBL grouping to one or the other.

I can't recall now what subtle difference I found that made putting
third-party relays in internal_networks unusable, but since I built the
configuration it's been working well here to just use trusted_networks.
(Probably some local rule group that relied on the difference between
"trusted" hosts and "internal" hosts.)

-kgd
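As an added illustration of the trust-path point made in this thread (this is not SpamAssassin's own code, only a simplified model of how it picks the "last external" relay), the script below walks the Received chain quoted above, skipping every hop whose IP sits in trusted_networks. The MX address and the `/32` entries are assumptions; the relay IPs come from the quoted headers.

```python
import ipaddress
import re

# Condensed from the three Received headers quoted in the thread, topmost first
# (the header added by our own MX, mxrelay.medienlabor.de, comes first).
RECEIVED = [
    "from athosian.udag.de (athosian.udag.de [62.146.106.25]) by mxrelay.medienlabor.de",
    "from exspamix-02.udag.de (exspamix-02.udag.de [62.146.106.133]) by athosian.udag.de",
    "from mx68e167.fagms.de ([62.144.68.167]) by exspamix-02.udag.de with esmtps",
]

# Placeholder for our own MX address; the thread does not give it.
OUR_MX = "198.51.100.25/32"
# The udag.de forwarding hops seen in the headers above (assumed /32 entries).
UDAG_FORWARDERS = ["62.146.106.25/32", "62.146.106.133/32"]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Connecting ('from') IP of each Received header, topmost first."""
    return [IP_RE.search(h).group(1) for h in received]


def is_trusted(ip, trusted_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)


def last_external(received, trusted_networks):
    """Walk the chain from our MX outward. Relays in trusted_networks are
    believed (their headers are used, their IPs are never queried); the first
    relay that is *not* trusted is the 'last external' hop, the one IP a
    -lastexternal DNSBL rule looks up. Returns None if every hop is trusted."""
    for ip in relay_ips(received):
        if not is_trusted(ip, trusted_networks):
            return ip
    return None


if __name__ == "__main__":
    # Minimal setup: only the forwarder (athosian) gets looked up.
    print("MX only         ->", last_external(RECEIVED, [OUR_MX]))
    # Forwarders trusted: the lookup moves back to mx68e167.fagms.de.
    print("MX + forwarders ->", last_external(RECEIVED, [OUR_MX] + UDAG_FORWARDERS))
```

Adding a forwarder to trusted_networks only helps if its own Received headers carry a parseable IP for the hop before it, as the ones quoted here do.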
