Spamassassin problems

#1 Thu, 01/01/2009 - 23:37
Hal9000

Spamassassin problems

Hi there! I have some problems with spamassassin when I send email to a mailbox hosted on the same server. I get this score:

Content analysis details: (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 1.6 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [85.176.236.37 listed in dnsbl.sorbs.net]
 0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [85.176.236.37 listed in zen.spamhaus.org]
 2.3 AWL                    AWL: From: address is in the auto white-list

ok, so:

1. Why does SPF softfail? The DNS record is set up correctly. If I send mails to mailboxes outside the server, SPF does work correctly.
2. "sent directly from dynamic IP address"? The IP address in question was the IP address of my PC when I sent the mail, not my mail server's IP!
3. Why is AWL such a bad thing?

So my suspicion here is that when Postfix delivers an email to a domain it hosts, somehow the sender IP gets mixed up and spamassassin thinks my pc actually sent the email, instead of the mail server. Do I get this wrong?

Anyhow, how can I fix the problem? I'm running Virtualmin Pro on Debian 4.0r6 amd64.

Greetings Sebastian

Sun, 01/11/2009 - 04:09
Hal9000

Sorry if I'm bumping this, but I really need to solve this problem :(

Thu, 01/15/2009 - 15:53 (Reply to #2)
andreychek

A couple of thoughts regarding this --

You said you sent the email from your PC. I suspect you're not using your ISP's mail server as a relay? If not, I suspect many of these issues would go away if you did, rather than sending them through your own server.

At that point, you'll just want to make sure your SPF record includes your ISP's mail relay.

Regarding the AWL, how that works is described here:

http://wiki.apache.org/spamassassin/AutoWhitelist

Wed, 01/21/2009 - 22:32 (Reply to #3)
Hal9000

that page says

<div class='quote'>In SpamAssassin 3.2.x, it will no longer be necessary to specify 127.0.0.1; it'll automatically be trusted implicitly</div>

Wed, 01/21/2009 - 22:35 (Reply to #4)
Hal9000

that page says

<div class='quote'>In SpamAssassin 3.2.x, it will no longer be necessary to specify 127.0.0.1; it'll automatically be trusted implicitly</div>

and i have version 3.2.3-0.volatile1

The problem is, spamassassin just sees the IP address of the PC client the users sent the mail from, and I can't possibly add the whole world to the trusted_networks...

I just want to disable spamassassin from checking mail that comes in through port 465 and 587, if there is no other way to distinguish incoming from outgoing mail.
Basically I don't want spamassassin to scan outgoing mail! It punishes users for being on dialup connections, this is ridiculous!

Thu, 01/22/2009 - 05:30 (Reply to #5)
andreychek

Howdy,

Well, what SpamAssassin would be seeing when a message comes in on port 465 or 587 is your server's external Internet-facing IP, not the localhost (127.0.0.1) IP.

The localhost interface only comes into play for locally generated emails.

So, my recommendation would be to add your external IP address(es) to SpamAssassin's trusted_networks in /etc/mail/spamassassin/local.cf, then restart SpamAssassin.
-Eric

My understanding from the above TrustPath document (I'm no SpamAssassin guru, but

Thu, 01/22/2009 - 05:54 (Reply to #6)
Hal9000

Wrong! Spamassassin does not see my server's external IP, it sees the IP of the sender's home connection!
So I am sitting home and sending a mail, spamassassin thinks the mail comes from the IP of my home connection, instead of the server itself, which of course is dynamic etc, and fails on SPF as well.
Something is definitely wrong...

Thu, 01/22/2009 - 06:03 (Reply to #7)
andreychek

Well, that might be part of the problem then :-)

While the IP of your home connection should be in there, Postfix should also tag all email it receives with its own IP address.

Postfix should be tagging it prior to SpamAssassin seeing the email, so in theory, having your IP in the trusted_networks would solve that problem.

If that's not the case, something else may be going awry :-)
-Eric

Thu, 01/22/2009 - 06:16 (Reply to #8)
Hal9000

I added the IP to that setting, but unfortunately with no success...
An alternative could be disabling checks when sasl authentication is used, which is basically how postfix's config is set up already, but I guess that the postfix command gets executed no matter what, so yeah...
Probably something is wrong with Postfix not tagging the emails with its own ip for some reason...
Might it help if I post my postfix configuration file here?

Thu, 01/22/2009 - 06:36 (Reply to #9)
andreychek

Hrm, I know there's some info in there you might not want public -- would you consider emailing some conf files to me?

That will get me a look at both the configuration files, as well as the email headers being set by your server.

If you can, send it through your server though.

I'm interested in /etc/postfix/main.cf, /etc/spamassassin/local.cf -- as well as the output of "/sbin/ifconfig".

And, if you could include a link to this thread in the body of the message, that'd be sweet! My address is "eric@virtualmin.com".

Thanks,
-Eric

Thu, 01/15/2009 - 21:31
Hal9000

I do not use my ISP as a relay.

All my clients have SPF records and it is basically impossible to include all their ISPs in the record. Also, many are using webmail, which uses my mail server anyway.

I believe spamassassin should not be invoked for mail sent through smtps (port 465) or submission (port 587). However, I don't know how to disable that, since Virtualmin's implementation calls spamassassin via procmail.

Fri, 01/16/2009 - 05:48 (Reply to #11)
andreychek

Okay. I might look into explicitly setting your own server/network as trusted in SpamAssassin's local.cf. There's some details on that here:

http://wiki.apache.org/spamassassin/TrustPath

Thu, 01/22/2009 - 07:23
Hal9000

ok, done

Wed, 08/05/2009 - 16:48
marcus

Hey you guys

I'm having the exact same issue here. Postfix should somehow tag those mails (for spamassassin) sent through smtps (Ports 465 or 587) or at least those sent by someone who successfully authenticated himself (SASL AUTH). Did anyone find out how this is done? Google wasn't that big a help so far...

Thanks a lot in advance

Edit: After a looooong search I finally found an easy solution for the problem here: http://de.postfix.org/pipermail/postfix-users/2008-July/000366.html

Just in case the site's going offline, here's how it's done:

Here is also another way to reduce the spam score for SASL auth users that can be used with Postfix version 2.1 or newer. This should add a 'X-SMTP-Auth: no' header to all messages except authenticated. The SpamAssassin rule then adds -10 points if this header is missing:

In main.cf:

smtpd_data_restrictions = reject_unauth_pipelining permit_sasl_authenticated check_client_access regexp:/etc/postfix/add_auth_header.regexp

In /etc/postfix/add_auth_header.regexp:

/^/ PREPEND X-SMTP-Auth: no

In SpamAssassin's local.cf:

header   __NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/m
meta     SMTP_AUTH !__NO_SMTP_AUTH
describe SMTP_AUTH Message sent using SMTP Authentication
tflags   SMTP_AUTH nice
score    SMTP_AUTH -10

I suggest you do not use X-SMTP-Auth literally. I would obscure this by using an X-something-else header name of your choice, and if you have more than one machine, I suggest using something different on each.

In order to prevent confusion (the header would end up getting written again after the message was processed by amavisd-new), you should override smtpd_data_restrictions on the amavisd-new reinjection port. In master.cf add -o smtpd_data_restrictions=

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_data_restrictions=
    [other typical amavisd-new reinjection port overrides]
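
The rule logic quoted in the post above, modelled in Python as an added example (it is not part of the original post, of Postfix or of SpamAssassin). It shows which messages receive the -10 score and why the `/m` flag matters when a sender supplies its own copy of the header. The function names and sample messages are constructed for illustration, and it assumes SpamAssassin joins repeated header values with newlines before matching.

```python
import re
from email import message_from_string

AUTH_HEADER = "X-SMTP-Auth"   # header name from the post; the post advises choosing your own
SMTP_AUTH_SCORE = -10.0       # score from the local.cf rule


def no_smtp_auth(msg, multiline=True):
    """Model of __NO_SMTP_AUTH: every value of the header, joined by
    newlines, tested against /^no$/m (or /^no$/ when multiline=False)."""
    joined = "\n".join(v.strip() for v in msg.get_all(AUTH_HEADER, []))
    flags = re.MULTILINE if multiline else 0
    return re.search(r"^no$", joined, flags) is not None


def smtp_auth_score(raw_message, multiline=True):
    """Model of the meta rule SMTP_AUTH = !__NO_SMTP_AUTH and its score."""
    msg = message_from_string(raw_message)
    return 0.0 if no_smtp_auth(msg, multiline) else SMTP_AUTH_SCORE


# Constructed sample messages (addresses are placeholders).
BASE = "From: alice@example.net\nTo: bob@example.org\nSubject: test\n\nhello\n"

# SASL-authenticated submission: permit_sasl_authenticated stops the
# restriction list before the regexp table, so nothing is prepended.
AUTHENTICATED = BASE

# Unauthenticated delivery: the regexp table fires and Postfix prepends the header.
UNAUTHENTICATED = "X-SMTP-Auth: no\n" + BASE

# Unauthenticated delivery where the sender included its own copy of the
# header: Postfix still prepends "no", so the message carries two values.
SENDER_SUPPLIED = "X-SMTP-Auth: no\nX-SMTP-Auth: yes\n" + BASE

if __name__ == "__main__":
    for name, raw in [("authenticated", AUTHENTICATED),
                      ("unauthenticated", UNAUTHENTICATED),
                      ("sender-supplied header", SENDER_SUPPLIED)]:
        print(f"{name:24} /m: {smtp_auth_score(raw):6}  "
              f"no /m: {smtp_auth_score(raw, multiline=False):6}")
```

With `/m` the prepended `no` line is still found among several values, so only the authenticated message gets the negative score; without it the two-value case would be scored as if it were authenticated.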