Mailing List Archive

whitelist_from_spf
hi-

i'm experimenting with whitelist_from_spf, just to learn a little about how it works, and not getting the result i am expecting. i've created a small test message emulating mail from github [taken from an actual message] and have added an entry for whitelist_from_spf. when testing, it doesn't appear to be working:

http://dpaste.com/0MCGSBN

i see some messages such as [from the pastebin]:

Apr 28 23:32:43.287 [21556] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
Apr 28 23:32:43.287 [21556] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
Apr 28 23:32:43.342 [21556] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check

this appears to be because of the presence of this header:

Received: from mta.example.com (mta.example.com [198.19.20.212])
by mda.example.com (Postfix) with ESMTPS id 49BRLq64qfzGpCT
for <jdoe@example.com>; Tue, 28 Apr 2020 12:05:23 -0400 (EDT)

with that header removed, it works as expected, but i don't understand why. mail passes through the mta, is relayed to mda, which then passes it to spamassassin [amavis].

why does spamassassin have a problem when mail passes through this additional relay? what am i missing [or doing wrong]?

thanks!
Re: whitelist_from_spf [ In reply to ]
On 29.04.20 00:05, listsb wrote:
>i'm experimenting with whitelist_from_spf, just to learn a little about how
> it works, and not getting the result i am expecting. i've created a small
> test message emulating mail from github [taken from an actual message] and
> have added an entry for whitelist_from_spf. when testing, it doesn't
> appear to be working:
>
>http://dpaste.com/0MCGSBN

>Apr 28 23:32:43.287 [21556] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
>Apr 28 23:32:43.287 [21556] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
>Apr 28 23:32:43.342 [21556] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check

>
>this appears to be because of the presence of this header:
>
>Received: from mta.example.com (mta.example.com [198.19.20.212])
> by mda.example.com (Postfix) with ESMTPS id 49BRLq64qfzGpCT
> for <jdoe@example.com>; Tue, 28 Apr 2020 12:05:23 -0400 (EDT)
>
>with that header removed, it works as expected, but i don't understand why. mail passes through the mta, is relayed to mda, which then passes it to spamassassin [amavis].
>
>why does spamassassin have a problem when mail passes through this additional relay? what am i missing [or doing wrong]?

you apparently need to add 198.19.20.212 to your trusted_networks and
internal_networks - I assume It's your ISP from which you receive the email.
sorrect?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: whitelist_from_spf [ In reply to ]
On May 03, 2020, at 10.55, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>
> On 29.04.20 00:05, listsb wrote:
>> i'm experimenting with whitelist_from_spf, just to learn a little about how
>> it works, and not getting the result i am expecting. i've created a small
>> test message emulating mail from github [taken from an actual message] and
>> have added an entry for whitelist_from_spf. when testing, it doesn't
>> appear to be working:
>>
>> http://dpaste.com/0MCGSBN
>
>> Apr 28 23:32:43.287 [21556] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
>> Apr 28 23:32:43.287 [21556] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
>> Apr 28 23:32:43.342 [21556] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
>
>>
>> this appears to be because of the presence of this header:
>>
>> Received: from mta.example.com (mta.example.com [198.19.20.212])
>> by mda.example.com (Postfix) with ESMTPS id 49BRLq64qfzGpCT
>> for <jdoe@example.com>; Tue, 28 Apr 2020 12:05:23 -0400 (EDT)
>>
>> with that header removed, it works as expected, but i don't understand why. mail passes through the mta, is relayed to mda, which then passes it to spamassassin [amavis].
>>
>> why does spamassassin have a problem when mail passes through this additional relay? what am i missing [or doing wrong]?
>
> you apparently need to add 198.19.20.212 to your trusted_networks and
> internal_networks - I assume It's your ISP from which you receive the email.
> sorrect?

i have the following defined in the config:

internal_networks 198.19.20.50/32
internal_networks 198.19.20.212/32

198.19.20.212 isn't my isp, it's my mta, which relays mail to 198.19.20.50, which is the content filter on which amavis/spamassassin is running.
Re: whitelist_from_spf [ In reply to ]
>> On 29.04.20 00:05, listsb wrote:
>>> i'm experimenting with whitelist_from_spf, just to learn a little about how
>>> it works, and not getting the result i am expecting. i've created a small
>>> test message emulating mail from github [taken from an actual message] and
>>> have added an entry for whitelist_from_spf. when testing, it doesn't
>>> appear to be working:
>>>
>>> http://dpaste.com/0MCGSBN
>>> Apr 28 23:32:43.287 [21556] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
>>> Apr 28 23:32:43.287 [21556] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
>>> Apr 28 23:32:43.342 [21556] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
>>>
>>> this appears to be because of the presence of this header:
>>>
>>> Received: from mta.example.com (mta.example.com [198.19.20.212])
>>> by mda.example.com (Postfix) with ESMTPS id 49BRLq64qfzGpCT
>>> for <jdoe@example.com>; Tue, 28 Apr 2020 12:05:23 -0400 (EDT)
>>>
>>> with that header removed, it works as expected, but i don't understand why. mail passes through the mta, is relayed to mda, which then passes it to spamassassin [amavis].
>>>
>>> why does spamassassin have a problem when mail passes through this additional relay? what am i missing [or doing wrong]?

if mail passes through untrusted relay, we can't trust headers anymore
(that's what trusted mean)

>On May 03, 2020, at 10.55, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>> you apparently need to add 198.19.20.212 to your trusted_networks and
>> internal_networks - I assume It's your ISP from which you receive the email.
>> sorrect?

On 10.05.20 13:36, listsb wrote:
>i have the following defined in the config:
>
>internal_networks 198.19.20.50/32
>internal_networks 198.19.20.212/32

do you have them in trusted_networks too?

>198.19.20.212 isn't my isp, it's my mta, which relays mail to 198.19.20.50,
> which is the content filter on which amavis/spamassassin is running.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: whitelist_from_spf [ In reply to ]
On Wed, 13 May 2020 10:24:06 +0200
Matus UHLAR - fantomas wrote:


> On 10.05.20 13:36, listsb wrote:
> >i have the following defined in the config:
> >
> >internal_networks 198.19.20.50/32
> >internal_networks 198.19.20.212/32
>
> do you have them in trusted_networks too?

IIRC if you define one, but not the other, they are assumed to be the
same.