Spamass-milter and outbound mail

Spamass-milter and outbound mail

@lbutlr
Recently the behavior of spamass-milter or the underlying spamassassin has changed such that the originating IP for secured submission email is being tagged for PBL/Dynamic scores. This doesn't happen often, but since all mail is only accepted via TLSv1.2 this should not be happening.

The trouble is, it is happening so rarely I'm having trouble testing and trying to fix it.

root       793   0.0  0.8  94396  29272  -  Ss   21Oct20     0:18.07 /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 10 -i 65.121.55.40/29 -i 127.0.0.1 -e covisp.net
root      5892   0.0  2.0  76688  69996  -  Ss   01:19       0:03.90 /usr/local/bin/perl -T -w /usr/local/bin/spamd -u spamd -c -H /var/spool/spamd -d -r /var/run/spamd/spamd.pid

I think I've seen three mails in the last 10 days have this issue.

So, what do I need to do to return to previous behavior where the originating IP is not checked for dynamic/PBL when it's an authenticated submission?

The received header looks like this:

Received: from [10.0.0.11] (*dynamic-ip*.hsd1.co.comcast.net [ho.me.ip])
        by mail.covisp.net(Postfix 3.5.7/8.13.0) with SMTP id 4CMRTV2XHxz36hvr;
        Thu, 29 Oct 2020 07:42:54 -0600
        (envelope-from <[hidden email]>)

Logs:
postfix/smtps/smtpd[69044] 4CMRTV2XHxz36hvr: client=*dynamic-ip*.hsd1.co.comcast.net[ho.me.ip], sasl_method=PLAIN, sasl_username=[hidden email]
postfix/smtps/smtpd[69044] 4CMRTV2XHxz36hvr: permit: RCPT from *dynamic-ip*.hsd1.co.comcast.net[ho.me.ip]: action=permit_sasl_authenticated for Client host=*dynamic-ip*.hsd1.co.comcast.net[ho.me.ip] ; from=<[hidden email]> to=<*user*@gmail.com> proto=ESMTP helo=<[10.0.0.11]>
postfix/smtps/smtpd[69044] 4CMRTV2XHxz36hvr: permit: RCPT from *dynamic-ip*.hsd1.co.comcast.net[ho.me.ip]: action=permit_sasl_authenticated for Client host=*dynamic-ip*.hsd1.co.comcast.net[ho.me.ip] ; from=<[hidden email]> to=<*user*@gmail.com> proto=ESMTP helo=<[10.0.0.11]>
postfix/smtps/smtpd[69044] 4CMRTV2XHxz36hvr: permit: RCPT from *dynamic-ip*.hsd1.co.comcast.net[ho.me.ip]: action=permit_sasl_authenticated for Client host=*dynamic-ip*.hsd1.co.comcast.net[ho.me.ip] ; from=<[hidden email]> to=<*user*@gmail.com> proto=ESMTP helo=<[10.0.0.11]>
postfix/cleanup[68900] 4CMRTV2XHxz36hvr: message-id=<[hidden email]>
postfix/qmgr[41481] 4CMRTV2XHxz36hvr: from=<[hidden email]>, size=3622, nrcpt=1 (queue active)
postfix/smtp[69047] 4CMRTV2XHxz36hvr: to=<*user*@gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.214.27]:25, delay=1.4, delays=0.65/0.01/0.27/0.43, dsn=2.0.0, status=sent (250 2.0.0 OK  1603978975 t85si2610834ili.161 - gsmtp)
postfix/qmgr[41481] 4CMRTV2XHxz36hvr: removed

--
I think it would be fun to run a newspaper.
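
An added example, not part of the original thread: one way to catch the rare cases described in the post above is to join the Postfix `sasl_username` and `message-id` log lines with spamd's result line and report authenticated submissions that hit a dynamic/PBL rule. The spamd `result:` line layout, both daemons logging to one file, and every sample line, address and queue ID are assumptions constructed for the example.

```python
import re

# SpamAssassin rules that score the client IP as dynamic / Spamhaus PBL.
SUSPECT = {"RCVD_IN_PBL", "RDNS_DYNAMIC"}

RE_SASL = re.compile(r"postfix/\S+\[\d+\]:? (?P<qid>\w+): client=\S+, "
                     r"sasl_method=\S+, sasl_username=(?P<user>\S+)")
RE_MSGID = re.compile(r"postfix/cleanup\[\d+\]:? (?P<qid>\w+): message-id=(?P<mid><[^>]*>)")
# Assumed spamd format: "spamd: result: Y 6 - RULE_A,RULE_B scantime=...,mid=<...>,..."
RE_SPAMD = re.compile(r"spamd: result: \S+ -?\d+ - (?P<tests>\S*) .*?mid=(?P<mid><[^>]*>)")

def flagged_submissions(lines):
    """Return (queue_id, sasl_user, rules) for authenticated mail hit by SUSPECT rules."""
    sasl_user, qid_by_mid, scans = {}, {}, []
    for line in lines:
        if m := RE_SASL.search(line):
            sasl_user[m["qid"]] = m["user"]
        elif m := RE_MSGID.search(line):
            qid_by_mid[m["mid"]] = m["qid"]
        elif m := RE_SPAMD.search(line):
            scans.append((m["mid"], set(m["tests"].split(","))))
    hits = []
    # Join after reading everything so the order of log lines does not matter.
    for mid, tests in scans:
        qid = qid_by_mid.get(mid)
        rules = sorted(SUSPECT & tests)
        if rules and qid in sasl_user:
            hits.append((qid, sasl_user[qid], rules))
    return hits

# Constructed sample log (not from the thread): a flagged submission,
# a clean submission, and an unauthenticated inbound message.
SAMPLE = """\
Oct 29 07:42:54 mail postfix/smtps/smtpd[69044]: 4CAAAA1111z0001: client=dyn.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Oct 29 07:42:54 mail postfix/cleanup[68900]: 4CAAAA1111z0001: message-id=<m1@example.org>
Oct 29 07:42:55 mail spamd[5892]: spamd: result: . 3 - RCVD_IN_PBL,RDNS_DYNAMIC scantime=0.6,size=3622,user=spamd,mid=<m1@example.org>,autolearn=no
Oct 29 08:01:10 mail postfix/smtps/smtpd[69050]: 4CBBBB2222z0002: client=dyn.example.net[203.0.113.8], sasl_method=PLAIN, sasl_username=bob@example.org
Oct 29 08:01:10 mail postfix/cleanup[68900]: 4CBBBB2222z0002: message-id=<m2@example.org>
Oct 29 08:01:11 mail spamd[5892]: spamd: result: . -1 - ALL_TRUSTED,BAYES_00 scantime=0.4,size=1200,user=spamd,mid=<m2@example.org>,autolearn=ham
Oct 29 08:05:00 mail postfix/smtpd[70001]: 4CCCCC3333z0003: client=pool.example.com[198.51.100.9]
Oct 29 08:05:00 mail postfix/cleanup[68900]: 4CCCCC3333z0003: message-id=<m3@example.com>
Oct 29 08:05:01 mail spamd[5892]: spamd: result: Y 7 - RCVD_IN_PBL,RDNS_DYNAMIC scantime=0.5,size=900,user=spamd,mid=<m3@example.com>,autolearn=no
""".splitlines()

if __name__ == "__main__":
    for qid, user, rules in flagged_submissions(SAMPLE):
        print(f"{qid} sasl_username={user} hit {','.join(rules)}")
```

Only the first sample message is reported: the second is authenticated but clean, and the third hits the rules but is ordinary inbound mail with no `sasl_username`.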

Re: Spamass-milter and outbound mail

PGNet Dev
On 10/29/20 6:51 AM, @lbutlr wrote:

> Recently the behavior of spamass-milter or the underlying spamassassin has changed such that the originating IP for secured submission email is being tagged for PBL/Dynamic scores. This doesn't happen often, but since all mail is only accepted via TLSv1.2 this should not be happening.
>
> The trouble is, it is happening so rarely I'm having trouble testing and trying to fix it.
>
> root       793   0.0  0.8  94396  29272  -  Ss   21Oct20     0:18.07 /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 10 -i 65.121.55.40/29 -i 127.0.0.1 -e covisp.net
> root      5892   0.0  2.0  76688  69996  -  Ss   01:19       0:03.90 /usr/local/bin/perl -T -w /usr/local/bin/spamd -u spamd -c -H /var/spool/spamd -d -r /var/run/spamd/spamd.pid
>
> I think I've seen three mails in the last 10 days have this issue.
>
> So, what do I need to do to return to previous behavior where the originating IP is not checked for dynamic/PBL when it's an authenticated submission?

If change is not out of the question, take a look at 'spamassassin-milter'
  (https://gitlab.com/glts/spamassassin-milter)


It's reliably in use here for production for quite awhile now, and does have a config option,

  auth-untrusted

   Treat authenticated senders as untrusted.

   If this option is not used, authenticated senders are trusted, and their messages are not processed with SpamAssassin.

which works as advertised, at least in my minimal testing.

Re: Spamass-milter and outbound mail

@lbutlr
On 29 Oct 2020, at 08:02, PGNet Dev <[hidden email]> wrote:

> On 10/29/20 6:51 AM, @lbutlr wrote:
>> Recently the behavior of spamass-milter or the underlying spamassassin has changed such that the originating IP for secured submission email is being tagged for PBL/Dynamic scores. This doesn't happen often, but since all mail is only accepted via TLSv1.2 this should not be happening.
>> The trouble is, it is happening so rarely I'm having trouble testing and trying to fix it.
>> root       793   0.0  0.8  94396  29272  -  Ss   21Oct20     0:18.07 /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 10 -i 65.121.55.40/29 -i 127.0.0.1 -e covisp.net
>> root      5892   0.0  2.0  76688  69996  -  Ss   01:19       0:03.90 /usr/local/bin/perl -T -w /usr/local/bin/spamd -u spamd -c -H /var/spool/spamd -d -r /var/run/spamd/spamd.pid
>> I think I've seen three mails in the last 10 days have this issue.
>> So, what do I need to do to return to previous behavior where the originating IP is not checked for dynamic/PBL when it's an authenticated submission?
>
> If change is not out of the question, take a look at 'spamassassin-milter'
> (https://gitlab.com/glts/spamassassin-milter)
>
>
> It's reliably in use here for production for quite awhile now, and does have a config option,
>
> auth-untrusted
>
>  Treat authenticated senders as untrusted.
>
>  If this option is not used, authenticated senders are trusted, and their messages are not processed with SpamAssassin.
>
> which works as advertised, at least in my minimal testing.

Thank you, I will take a look at that. Spamass-milter is supposed to do this with the -a flag which is missing from the config for some reason above, so I will first add that flag and see if it works. Curious that it is coming up infrequently, however, since all outbound mail is coming from dynamic pool addresses except for the trickle of webmail.

--
No one heard the cry that came back from the dead skull, because
        there was no mouth to utter it and not even a mind to guide it,
        but it screamed out into the night: CLAY OF MY CLAY, THOU SHALT
        NOT KILL! THOU SHALT NOT DIE! --Feet of Clay

Re: Spamass-milter and outbound mail

PGNet Dev
On 10/29/20 7:33 AM, @lbutlr wrote:
> Thank you, I will take a look at that. Spamass-milter is supposed to do this with the -a flag which is missing from the config for some reason above, so I will first add that flag and see if it works. Curious that it is coming up infrequently, however, since all outbound mail is coming from dynamic pool addresses except for the trickle of webmail.

spamass-milter was, for me, causing all sorts of issues; of the "it should do this, but doesn't" kind.
project seems stale/non-responsive; tho, there _is_ this 'clean-up' notice: https://savannah.nongnu.org/forum/forum.php?forum_id=9788 promised

unless there's another source than https://cvs.savannah.nongnu.org/viewvc/spamass-milt/spamass-milt/?sortby=date#dirlist, code hasn't been touched for ~ 6 yrs.

otoh, spamassassin-milter's dev is here/active, on list.
and has been _very_ helpful responsive to date.

it's clean code, an easy build from cmd line, and pkgs nicely (e.g., my own for Fedora, https://download.copr.fedorainfracloud.org/results/pgfed/spamassassin-milter/fedora-32-x86_64/01723785-spamassassin-milter/)

and it works perfectly for my needs, with Postfix.

as you can tell, I'm a fan so far.

YMMV.

Re: Spamass-milter and outbound mail

@lbutlr
On 29 Oct 2020, at 09:45, PGNet Dev <[hidden email]> wrote:
> otoh, spamassassin-milter's dev is here/active, on list.
> and has been _very_ helpful responsive to date.

All good points, but

1) It's not in FreeBSD ports which means I have to take special and specific steps to keep it up-to-date
2) It means dealing with something new

The latter point is OK if there is a benefit, and I will undertake point 1 if this doesn’t fix the issue, but otherwise point 1 is a real sticking point as things outside the normal ports channel tend to fall off the "hey, I need to check that for updates" train far too easily.

--
Well, if crime fighters fight crime and fire fighters fight fire,
        what do freedom fighters fight? They never mention that part to
        us, do they?

Re: Spamass-milter and outbound mail

PGNet Dev
On 10/29/20 9:30 AM, @lbutlr wrote:
> but otherwise point 1 is a real sticking point as things outside the normal ports channel tend to fall off the "hey, I need to check that for updates" train far too easily.

sure.

i've not dealt with *bsd packaging for a _very_ long time, so have no sense for what's involved these days.


but, in my case, that's exactly why, I've set up packaging that tracks upstream's sources; auto-rebuilds on changes.

as much as possible, i avoid stale/unmaintained software, even if packaged.