On 07/29/2017 09:09 PM, Alex wrote:
Hi,

On Sat, Jul 29, 2017 at 7:27 PM, David Jones <djo...@ena.com> wrote:
On 07/29/2017 04:33 PM, Alex wrote:

I have a number of domains that I'm trying to whitelist. They hit
DKIM_VALID and SPF_PASS but all don't hit DKIM_VALID_AU. First, why
would they hit DKIM_VALID and not DKIM_VALID_AU?


DKIM_VALID simply means the DKIM signature is a correctly signed message.

DKIM_VALID_AU means it was correctly signed by the author's domain. These
are ones that will work with whitelist_auth entries.

Okay, so all DKIM_VALID_AU messages are also DKIM_VALID, correct?


Yes

Just to be clear, this occurs when rsgsv.net signs the message
(DKIM_VALID) and the domain using that server also signs the message
(DKIM_VALID_AU), correct?


Possibly. I am not exactly sure how the SA code works. When you have multiple DKIM signatures things can get interesting. Without looking at the actual code, my guess is the DKIM_VALID will hit if any of the DKIM signatures are valid. DKIM_VALID_AU will only fire if the sender's domain matches. I am not sure if SA goes by the From: header, the envelope-from domain, or both. I personally go by the envelope-from domain when making whitelist_auth entries which has worked well for years.

  From bounce-mc.us1_1211649.1262601-kelly.boschen=example....@mail93.suw13.rsgsv.net  Sat Jul 29 14:23:05 2017
From: =?utf-8?Q?Lifehacker=20Newsletter?= <newslet...@lifehacker.com>

What is mail93.suw13.rsgsv.net? Can we be assured that's the host
designated to this sender? And of course I'm assuming there's the
potential they could reuse that host for another customer at some
point in the future. Would whitelist_auth *@mail93.suw13.rsgsv.net
whitelist only mail from lifehacker?

Or would I have to use whitelist_from_rcvd?

I have this in my platform:

whitelist_from_rcvd *@*.rsgsv.net rsgsv.net

This is related to MailChimp and they are trustworthy senders with valid
opt-out processing.

This assumes rsgsv.net is also the system relaying their mail, or is
that always the case as the envelope sender?


MailChimp shouldn't be forwarding or relaying anything. It should always be the originator of the emails so it should be the envelope sender.

Another example:
  From deerpark+caf_=44451=example....@gmail.com  Sat Jul 29 09:43:33 2017
From: "Office Depot" <rewa...@e.officedepot.com>

In this case I can't use whitelist_auth *@gmail.com, but using
whitelist_from_rcvd and gmail.com is not a good idea either. I'm also
curious what Google service Office Depot is using to route their mail?
Is it just GMail for Business or something?


This was sent to a gmail.com recipient then forwarded to a domain that you
filter for. See http://www.openspf.org/SRS

Ah, I see that:

X-Forwarded-To: 44...@example.com
X-Forwarded-For: deerp...@gmail.com 44...@example.com

It was also dkim-signed by gmail. So that means the deerp...@gmail.com
user configured their account to rewrite as the 44...@example.com
(our domain) user, sent through gmail?


This should be automatic by Gmail when a user enables forwarding so mail admins like us can tell that it was forwarded. I guess they are following the SRS standard.

My third example:
  From 0101015d8f37100b-117c2da7-b060-4247-a511-6e473d6822c2-000...@us-west-2.amazonses.com  Sat Jul 29 12:39:02 2017
From: Southwest Airlines <surv...@southwest.magid.com>

This also passed DKIM_VALID_AU and SPF_PASS. How do you whitelist mail
that is routed through amazon?

If this sender has a valid opt-out I would add:

whitelist_auth *@*.magid.com

But whitelist_auth operates on the envelope sender, not the "From:"
address. Using whitelist_from_rcvd is a problem because I can't
imagine using amazonses.com as the second argument would ever be a
good idea.


I have been told by this SA list that whitelist_from can work off of many different headers, not just the envelope-from address, but I choose to use the envelope-from since Postfix is doing some basic validation and MailScanner also uses it in its rules.

I realize I could probably get away without whitelisting all of these
and never have a problem. These are just examples (and to better
understand). I'd also like to be able to increase scores of other
rules affecting these emails and not have to worry about them becoming
false-positives.

I shortcircuit WHITELIST and BLACKLIST rules so they score very low and high
respectively.

If the whitelist score is -100, is shortcircuiting really necessary to
ensure it's not tagged by other rules, or is there another reason?


From what I understand the Shortcircuit plugin will use the priority of each rule, and if something is shortcircuited as ham or spam, then lower priority rules don't even run, which saves a little time and processing. I don't necessarily care about saving a few milliseconds or CPU cycles, but I use the SHORTCIRCUIT rule hit and score to help classify my masscheck/Bayes ham and spam folders.

I also have compromised account detection for outbound mail from customers sending through my servers, which will exclude SHORTCIRCUIT'd mail. I have set up custom ham rules, or safe sending addresses are added to whitelist_from_rcvd, to shortcircuit as ham so they can blast as much mail as they want. Human mailboxes that can be compromised won't be shortcircuited, so they will be blocked quickly to keep my mail servers off of RBLs.

--
David Jones
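The DKIM_VALID / DKIM_VALID_AU distinction and the three whitelist cases above, worked through as an added example (not code from the thread or from SpamAssassin). It models DKIM_VALID_AU as "a verifying signature whose d= equals the From: domain" and registrable domains as the last two labels; both are simplifications of the real plugin, and the sample addresses are constructed from the quoted messages.

```python
from email.utils import parseaddr

# Constructed inputs modelled on the three messages quoted in the thread:
# From: (author) address, envelope-from, and the DKIM d= domains that verified.
SAMPLES = {
    "mailchimp": dict(from_hdr="Lifehacker Newsletter <newsletter@lifehacker.com>",
                      envelope_from="bounce-mc@mail93.suw13.rsgsv.net",
                      valid_dkim_domains=["rsgsv.net"], spf_pass=True),
    "gmail_forward": dict(from_hdr='"Office Depot" <rewards@e.officedepot.com>',
                          envelope_from="deerpark+caf_=44451=example.com@gmail.com",
                          valid_dkim_domains=["gmail.com"], spf_pass=True),
    "ses": dict(from_hdr="Southwest Airlines <survey@southwest.magid.com>",
                envelope_from="0101-bounce@us-west-2.amazonses.com",
                valid_dkim_domains=["southwest.magid.com"], spf_pass=True),
}

def domain_of(addr):
    """Lower-cased domain of an address (or a From: header value)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def org_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def dkim_flags(from_hdr, valid_dkim_domains):
    """DKIM_VALID: any verifying signature. DKIM_VALID_AU: additionally one
    whose d= equals the author's From: domain (simplified SA behaviour)."""
    author = domain_of(from_hdr)
    valid = bool(valid_dkim_domains)
    au = valid and any(d.lower() == author for d in valid_dkim_domains)
    return valid, au

def whitelist_advice(from_hdr, envelope_from, valid_dkim_domains, spf_pass):
    """Which whitelist_* entry would actually match, following the thread."""
    author, relay = domain_of(from_hdr), domain_of(envelope_from)
    _, au = dkim_flags(from_hdr, valid_dkim_domains)
    if au or (spf_pass and relay == author):
        # Author domain authenticated itself: safe to key on the author address.
        return f"whitelist_auth *@{author}"
    if "+caf_=" in envelope_from.split("@")[0]:
        # Gmail forwarding rewrite (SRS-style): the relay says nothing about
        # the original sender, so no relay-based entry is safe.
        return None
    # Authenticated only by the ESP relay: key on the relay's domain, which
    # trusts every customer of that ESP, not just this sender.
    return f"whitelist_from_rcvd *@*.{org_domain(relay)} {org_domain(relay)}"
```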
