
KAM_DMARC_REJECT on internal emails
Hi list,

- I'm running KAM rules in Spamassassin
- Postfix port 587-submitted email is sent to Amavisd (as a
content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is
spam-checked and DKIM-signed on its way out the door, sent back to
Postfix at port 10025 for final delivery
- my domain has DMARC p=reject

If the final delivery is a local address, I'm getting some in-theory
valid but in practicality invalid Spamassassin scores... e.g. SA is
tagging those emails with KAM_DMARC_REJECT - as DMARC fails
(correctly). The sending and receiving IPs are all internal...

Not sure if this is more an Amavis question actually, but how should I
configure SA to not run or assess tests which make no sense on
OUTBOUND emails - e.g. SPF, DKIM, DMARC?

What am I trying to achieve? - I've had a compromised user account in
the past send out spam, so I scan outbound email, with spam notices to
postmaster (me). I want that outbound scanning to be sensible - only
run spam tests which make sense at that point of the process.

I've also noticed that Bayes is really struggling to learn
local-->local emails, with consistently BAYES_20 or BAYES_50 results.
sa-learn advises tokens learned, but it still seems to struggle with
these. Other than that my Bayes is excellent, very effective and
accurate.

Any advice would be appreciated.

Simon.



--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails
On 19.04.21 16:36, Simon Wilson wrote:
>- I'm running KAM rules in Spamassassin
>- Postfix port 587-submitted email is sent to Amavisd (as a
>content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is
>spam-checked and DKIM-signed on its way out the door, sent back to
>Postfix at port 10025 for final delivery
>- my domain has DMARC p=reject
>
>If the final delivery is a local address, I'm getting some in-theory
>valid but in practicality invalid Spamassassin scores... e.g. SA is
>tagging those emails with KAM_DMARC_REJECT - as DMARC fails
>(correctly). The sending and receiving IPs are all internal...
>
>Not sure if this is more an Amavis question actually, but how should I
>configure SA to not run or assess tests which make no sense on
>OUTBOUND emails - e.g. SPF, DKIM, DMARC?

I'd say that a proper solution would be to DKIM-sign mail before it's
spam-scanned.

but, the rule could apparently avoid locally-originated mail
(would help for non-DKIM domains).

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT

maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?


>What am I trying to achieve? - I've had a compromised user account in
>the past send out spam, so I scan outbound email, with spam notices to
>postmaster (me). I want that outbound scanning to be sensible - only
>run spam tests which make sense at that point of the process.

while SA is not very good at scanning outgoing mail, I believe this is still
a good idea.

>I've also noticed that Bayes is really struggling to learn
>local-->local emails, with consistently BAYES_20 or BAYES_50 results.
>sa-learn advises tokens learned, but it still seems to struggle with
>these. Other than that my Bayes is excellent, very effective and
>accurate.
>
>Any advice would be appreciated.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.

Re: KAM_DMARC_REJECT on internal emails
> On 19.04.21 16:36, Simon Wilson wrote:
>> - I'm running KAM rules in Spamassassin
>> - Postfix port 587-submitted email is sent to Amavisd (as a
>> content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is
>> spam-checked and DKIM-signed on its way out the door, sent back to
>> Postfix at port 10025 for final delivery
>> - my domain has DMARC p=reject
>>
>> If the final delivery is a local address, I'm getting some
>> in-theory valid but in practicality invalid Spamassassin scores...
>> e.g. SA is tagging those emails with KAM_DMARC_REJECT - as DMARC
>> fails (correctly). The sending and receiving IPs are all internal...
>>
>> Not sure if this is more an Amavis question actually, but how
>> should I configure SA to not run or assess tests which make no
>> sense on OUTBOUND emails - e.g. SPF, DKIM, DMARC?
>
> I'd say that a proper solution would be to DKIM-sign mail before it's
> spam-scanned.

Good point. If DKIM is signed it should pass DMARC, even if SPF fails.

Amavisd handles both pieces, including DKIM signing... from looking at
the headers it looks like Amavisd is spam scanning it first *then*
DKIM signing it. I will post to the amavisd mailing list on that
question...

Example headers:

Return-Path: <simon@simonandkate.net>
Received: from mail.simonandkate.net ([unix socket])
by emp87.simonandkate.lan (Cyrus 3.0.7-19.el8 Fedora) with LMTPA;
Mon, 19 Apr 2021 15:48:49 +1000
X-Cyrus-Session-Id: cyrus-1024276-1618811329-2-17461079309210778615
X-Sieve: CMU Sieve 3.0
Received: from localhost (localhost [127.0.0.1])
by mail.simonandkate.net (Postfix) with ESMTP id 46BF6805DD
for <simon@mail.local>; Mon, 19 Apr 2021 15:48:49 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
simonandkate.net; h=mime-version:content-type:content-type
:reply-to:subject:subject:from:from:message-id:date:date
:received:received:received; s=default; t=1618811327; bh=Wu3ZcGt
h8o1YW+OPWu58wegp/fZmc1B+FDiux/qcXUU=; b=FuKqNJCT9CmySXiSILqBUmu
73a9tQ5a61LS/IYAZvbQIhnigw/Jb0Vq1YGqHVUplpNxpMIZnPNi+/xJN6QcJ+5k
1TQ5JV0sfNX7r58TyuiNnGkv1eFO9jRBWPpBkkrbxB4wPRe6YNPaxqFsnyFJE/Hm
nhWnxIORis0a2Z04UVuA=
X-Virus-Scanned: amavisd-new at mail.local
X-Spam-Flag: NO
X-Spam-Score: 1.911
X-Spam-Level: *
X-Spam-Status: No, score=1.911 tagged_above=-999 required=6.2
tests=[ALL_TRUSTED=-1.5, BAYES_50=0.8, DCC_REPUT_00_12=-0.4,
HTML_MESSAGE=0.001, KAM_DMARC_REJECT=3, KAM_DMARC_STATUS=0.01]
autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
by localhost (amavis.simonandkate.net [127.0.0.1]) (amavisd-new, port 10026)
with LMTP id NNQ0S1bHSMav for <simon@mail.local>;
Mon, 19 Apr 2021 15:48:47 +1000 (AEST)
Received: from emp86.simonandkate.lan (emp86.simonandkate.lan [192.168.1.245])
by mail.simonandkate.net (Postfix) with ESMTPSA id 089FB7B4F3
for <simon@simonandkate.net>; Mon, 19 Apr 2021 15:48:47 +1000 (AEST)
Received: from ryzen.simonandkate.lan (ryzen.simonandkate.lan [192.168.1.1])
by mail.simonandkate.net (Horde Framework) with HTTPS; Mon, 19 Apr 2021
15:48:47 +1000
Date: Mon, 19 Apr 2021 15:48:47 +1000
Message-ID:
<20210419154847.Horde.1O3U94P-V2FwwNsdW38_cPJ@mail.simonandkate.net>
From: Simon Wilson <simon@simonandkate.net>
To: simon@simonandkate.net

>
> but, the rule could apparently avoid locally-originated mail
> (would help for non-DKIM domains).
>
> meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
> __KAM_DMARC_POLICY_REJECT
>
> maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?
>

Am I reading the rule correctly that EITHER a fail DKIM or SPF will
cause this to trip?

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
__KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0

...in which case, SPF will *always* fail on an internal email and this
rule will always fail. DMARC can still pass with e.g. an SPF failure
if DKIM passes - why is this an "OR"?



>
>> What am I trying to achieve? - I've had a compromised user account
>> in the past send out spam, so I scan outbound email, with spam
>> notices to postmaster (me). I want that outbound scanning to be
>> sensible - only run spam tests which make sense at that point of
>> the process.
>
> while SA is not very good at scanning outgoing mail, I believe this is still
> a good idea.
>
>> I've also noticed that Bayes is really struggling to learn
>> local-->local emails, with consistently BAYES_20 or BAYES_50
>> results. sa-learn advises tokens learned, but it still seems to
>> struggle with these. Other than that my Bayes is excellent, very
>> effective and accurate.
>>
>> Any advice would be appreciated.


----- End message from Matus UHLAR - fantomas <uhlar@fantomas.sk> -----



--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails
>>I'd say that a proper solution would be to DKIM-sign mail before it's
>>spam-scanned.

On 19.04.21 19:39, Simon Wilson wrote:
>Good point. If DKIM is signed it should pass DMARC, even if SPF fails.
>
>Amavisd handles both pieces, including DKIM signing... from looking at
>the headers it looks like Amavisd is spam scanning it first *then*
>DKIM signing it. I will post to the amavisd mailing list on that
>question...

DKIM-signing locally submitted mail prior to spam scanning would help us
here (and amavis is supposed to know local domains, unlike SA)

It's not applicable for non-DKIM domains, which still can SPF pass and
therefore DMARC pass.

>>but, the rule could apparently avoid locally-originated mail
>>(would help for non-DKIM domains).
>>
>>meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>>__KAM_DMARC_POLICY_REJECT
>>
>>maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?

>Am I reading the rule correctly that EITHER a fail DKIM or SPF will
>cause this to trip?
>
> meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>__KAM_DMARC_POLICY_REJECT
> describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>message and the domain has a DMARC reject policy
> score KAM_DMARC_REJECT 3.0
>
>...in which case, SPF will *always* fail on an internal email and this
>rule will always fail. DMARC can still pass with e.g. an SPF failure
>if DKIM passes - why is this an "OR"?

negated or: if either SPF or DKIM passes, the KAM_DMARC_REJECT won't
hit, because it means DMARC pass.

I am not sure how exactly SPF matches:

header SPF_PASS eval:check_for_spf_pass()

I'm not sure SPF should hit for locally submitted e-mail.

However, putting an exemption for local mail into KAM_DMARC_REJECT could
help us accept locally submitted mail.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.

Re: KAM_DMARC_REJECT on internal emails
>>> I'd say that a proper solution would be to DKIM-sign mail before it's
>>> spam-scanned.
>
> On 19.04.21 19:39, Simon Wilson wrote:
>> Good point. If DKIM is signed it should pass DMARC, even if SPF fails.
>>
>> Amavisd handles both pieces, including DKIM signing... from looking
>> at the headers it looks like Amavisd is spam scanning it first
>> *then* DKIM signing it. I will post to the amavisd mailing list on
>> that question...
>
> DKIM-signing locally submitted mail prior to spam scanning would help us
> here (and amavis is supposed to know local domains, unlike SA)
>

How does that work though... DKIM is supposed to sign LAST, not before
a bunch of other headers are added...

> It's not applicable for non-DKIM domains, which still can SPF pass and
> therefore DMARC pass.

Surely SPF will never pass an internal only email, as you cannot have
an internal IP address in your SPF record...
E.g. my SPF record is:
v=spf1 ip4:119.18.34.29 a:spf.email-hosting.net.au -all
Any internal assessment will fail when it sees 192.168.x.x as the sending IP.

>
>>> but, the rule could apparently avoid locally-originated mail
>>> (would help for non-DKIM domains).
>>>
>>> meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>>> __KAM_DMARC_POLICY_REJECT
>>>
>>> maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?
>
>> Am I reading the rule correctly that EITHER a fail DKIM or SPF will
>> cause this to trip?
>>
>> meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>> __KAM_DMARC_POLICY_REJECT
>> describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>> message and the domain has a DMARC reject policy
>> score KAM_DMARC_REJECT 3.0
>>
>> ...in which case, SPF will *always* fail on an internal email and
>> this rule will always fail. DMARC can still pass with e.g. an SPF
>> failure if DKIM passes - why is this an "OR"?
>
> negated or: if either SPF or DKIM passes, the KAM_DMARC_REJECT won't
> hit, because it means DMARC pass.

Thank you. I hate logical booleans lol.

>
> I am not sure how exactly SPF matches:
>
> header SPF_PASS eval:check_for_spf_pass()
>
> I'm not sure SPF should hit for locally submitted e-mail.

See above - it can't.

>
> However, putting an exemption for local mail into KAM_DMARC_REJECT could
> help us accept locally submitted mail.

Surely this has to be the fix... if an email has ONLY internal IPs,
then DMARC assessment is irrelevant.


----- End message from Matus UHLAR - fantomas <uhlar@fantomas.sk> -----



--
Simon Wilson
M: 0400 12 11 16
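Simon's question above, how a DKIM signature can be applied before the scanner and the next MTA hop add their own headers, comes down to which header instances the verifier hashes. The following is an added example written for this page, not code from the thread, from amavisd or from any DKIM library: it implements the header-selection rule of RFC 6376 section 5.4.2 and relaxed header canonicalization, using the h= list of the signature quoted earlier and constructed headers modelled on the ones above (hostnames changed to example.test/example.lan). It hashes only the selected headers, leaving out the body hash, the DKIM-Signature self-hash and the RSA step, so it shows whether later insertions disturb the signed input rather than verifying a signature.

```python
"""Added example (not code from the thread, amavisd or any DKIM library):
which header instances a DKIM verifier feeds into the header hash for a
given h= list (RFC 6376 section 5.4.2), and why headers prepended after
signing, such as X-Spam-* or a new Received:, leave that input unchanged.
Header samples are constructed; the h= list copies the signature quoted
in the thread.  Relaxed header canonicalization and hashing only: no body
hash, no DKIM-Signature self-hash, no RSA.
"""
import hashlib
import re

# h= tag of the DKIM-Signature shown earlier in the thread.
H_TAG = ("mime-version:content-type:content-type:reply-to:subject:subject"
         ":from:from:message-id:date:date:received:received:received")


def split_headers(raw):
    """[name, value] pairs in message order; continuation lines (leading
    WSP) stay attached to their field with the line break preserved."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += "\n" + line
        else:
            name, _, value = line.partition(":")
            fields.append([name, value])
    return fields


def relaxed_header(name, value):
    """Relaxed canonicalization (RFC 6376 section 3.4.2): lowercase the name,
    unfold, collapse WSP runs to one SP, strip WSP around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(fields, h_tag):
    """RFC 6376 section 5.4.2: for every name in h=, take the bottom-most
    instance not already used; a name with no instance left selects nothing
    (over-signing: it pins the absence of that header)."""
    used, chosen = set(), []
    for name in h_tag.split(":"):
        for idx in range(len(fields) - 1, -1, -1):
            if idx not in used and fields[idx][0].lower() == name.lower():
                used.add(idx)
                chosen.append(fields[idx])
                break
    return chosen


def header_hash(raw, h_tag=H_TAG):
    """SHA-256 over the canonicalized signed headers, the part of the DKIM
    hash input that a header added later could disturb."""
    canon = "".join(relaxed_header(n, v)
                    for n, v in select_signed_headers(split_headers(raw), h_tag))
    return hashlib.sha256(canon.encode()).hexdigest()


# Constructed headers as they stood when the signer ran: three Received:.
SIGNED = (
    "Received: from mail.example.test ([127.0.0.1])\n"
    "\tby localhost (amavis.example.test [127.0.0.1]) (amavisd-new, port 10026)\n"
    "\twith LMTP id NNQ0S1bHSMav for <simon@mail.local>;\n"
    "\tMon, 19 Apr 2021 15:48:47 +1000 (AEST)\n"
    "Received: from emp86.example.lan (emp86.example.lan [192.168.1.245])\n"
    "\tby mail.example.test (Postfix) with ESMTPSA id 089FB7B4F3\n"
    "\tfor <simon@example.test>; Mon, 19 Apr 2021 15:48:47 +1000 (AEST)\n"
    "Received: from ryzen.example.lan (ryzen.example.lan [192.168.1.1])\n"
    "\tby mail.example.test (Horde Framework) with HTTPS; Mon, 19 Apr 2021\n"
    "\t15:48:47 +1000\n"
    "Date: Mon, 19 Apr 2021 15:48:47 +1000\n"
    "Message-ID: <20210419154847.example@mail.example.test>\n"
    "From: Simon <simon@example.test>\n"
    "To: simon@example.test\n"
    "Subject: internal test\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
)
# Constructed headers the scanner and the next MTA hop prepend afterwards.
ADDED_LATER = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.test (Postfix) with ESMTP id 46BF6805DD\n"
    "\tfor <simon@mail.local>; Mon, 19 Apr 2021 15:48:49 +1000 (AEST)\n"
    "X-Virus-Scanned: amavisd-new at mail.local\n"
    "X-Spam-Status: No, score=1.911 tagged_above=-999 required=6.2\n"
    "\ttests=[ALL_TRUSTED=-1.5, BAYES_50=0.8]\n"
)


def survives_prepend(added, h_tag=H_TAG):
    """True when prepending `added` leaves the signed header input intact."""
    return header_hash(SIGNED, h_tag) == header_hash(added + SIGNED, h_tag)
```

Prepending X-Spam-* and a new Received: leaves the hash unchanged, because each name in h= is satisfied from the bottom of the header block upward, so the three received entries keep selecting the three hops that existed at signing time. The over-signed entries (subject:subject, from:from, or a fourth received) are the other half of the mechanism: they select nothing at signing time and therefore break the signature if such a header is added afterwards, which is why a signer that runs before the scanner must not list X-Spam-* in h=, and why a second Subject: injected later is caught.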

Re: KAM_DMARC_REJECT on internal emails
On Mon, 19 Apr 2021 16:36:58 +1000
Simon Wilson wrote:

> Hi list,
>
> - I'm running KAM rules in Spamassassin
> - Postfix port 587-submitted email is sent to Amavisd (as a
> content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is
> spam-checked and DKIM-signed on its way out the door, sent back to
> Postfix at port 10025 for final delivery
> - my domain has DMARC p=reject
>
> If the final delivery is a local address, I'm getting some in-theory
> valid but in practicality invalid Spamassassin scores... e.g. SA is
> tagging those emails with KAM_DMARC_REJECT - as DMARC fails
> (correctly). The sending and receiving IPs are all internal...
>

The KAM DMARC rules are simplistic. IIWY I'd override them.

Re: KAM_DMARC_REJECT on internal emails
----- Message from RW <rwmaillists@googlemail.com> ---------
Date: Mon, 19 Apr 2021 12:47:02 +0100
From: RW <rwmaillists@googlemail.com>
Subject: Re: KAM_DMARC_REJECT on internal emails
To: users@spamassassin.apache.org


> On Mon, 19 Apr 2021 16:36:58 +1000
> Simon Wilson wrote:
>
>> Hi list,
>>
>> - I'm running KAM rules in Spamassassin
>> - Postfix port 587-submitted email is sent to Amavisd (as a
>> content_filter) on port 10026 (tagged as ORIGINATING/MYNETS) and is
>> spam-checked and DKIM-signed on its way out the door, sent back to
>> Postfix at port 10025 for final delivery
>> - my domain has DMARC p=reject
>>
>> If the final delivery is a local address, I'm getting some in-theory
>> valid but in practicality invalid Spamassassin scores... e.g. SA is
>> tagging those emails with KAM_DMARC_REJECT - as DMARC fails
>> (correctly). The sending and receiving IPs are all internal...
>>
>
> The KAM DMARC rules are simplistic. IIWY I'd override them.

Thanks... I'd reached the same conclusion. Seems crazy to run yet
another set of tests when the emails I want to run those tests for I
already have on the way in with e.g. OpenDMARC. So I've set the KAM
DMARC rules to score 0. I have some alternate DMARC rules which only
trigger on existing Authentication-results headers, rather than do a
new test every time.

Question - with the KAM DMARC rules set to zero, do the dns tests, e.g.:

askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT
/^v=DMARC1;.*\bp=reject;/

run anyway? Or only if the resultant metas which call on them have a
score value <> 0?


Simon

--
Simon Wilson
M: 0400 12 11 16
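On the askdns rule quoted above: an askdns query is a real DNS lookup per message, and the pattern it applies to the answer also deserves a look. The following is an added example written for this page, not part of the thread or of the KAM rule set: a tag-value parser for DMARC records following RFC 7489 sections 6.3, 6.4 and 6.6.3, run side by side with the thread's regex on constructed records, to show which syntactically valid p=reject records that regex does and does not match.

```python
"""Added example, not part of the thread or of the KAM rules: a tag-value
parser for DMARC TXT records (RFC 7489 section 6.4) next to the regex from the
askdns rule quoted above, to show which valid p=reject records that regex
does and does not catch.  The sample records are constructed.
"""
import re

# Pattern exactly as quoted in the askdns rule above.
THREAD_REGEX = re.compile(r"^v=DMARC1;.*\bp=reject;")

VALID_P = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value' pairs on ';' with optional surrounding whitespace.
    Returns None unless the record starts with v=DMARC1 (RFC 7489 section 6.3
    requires v first and an exact DMARC1 value; otherwise ignore the record)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags.setdefault(key.strip(), value.strip())  # first occurrence wins
    if not txt.lstrip().startswith("v=") or tags.get("v") != "DMARC1":
        return None
    return tags


def effective_policy(txt):
    """Policy a receiver applies (RFC 7489 section 6.6.3): the 'p' tag; if 'p'
    is missing or invalid but 'rua' has a mailto: URI, act as p=none; else
    apply no DMARC processing.  Policy values are compared case-insensitively
    here, a deliberate leniency."""
    tags = parse_dmarc(txt)
    if tags is None:
        return None
    p = tags.get("p", "").lower()
    if p in VALID_P:
        return p
    uris = (u.strip() for u in tags.get("rua", "").split(","))
    return "none" if any(u.startswith("mailto:") for u in uris) else None


def compare(txt):
    """What the thread's regex says vs. what the parser says for one record."""
    return {"regex_hit": bool(THREAD_REGEX.search(txt)),
            "policy": effective_policy(txt)}


# Constructed records: all but the last two are syntactically valid DMARC.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "v=DMARC1; p=reject",                  # no trailing ';' (allowed)
    "v=DMARC1 ; p=reject ; sp=none",       # WSP before separators (allowed)
    "v=DMARC1; p=none; sp=reject;",        # reject only for subdomains
    "v=DMARC1; rua=mailto:dmarc@example.test",  # no p: treated as none
    "p=reject; v=DMARC1;",                 # v not first: not a DMARC record
    "v=spf1 -all",
]


def mismatches(records=SAMPLES):
    """Records where the regex and the RFC parser disagree on 'is it p=reject'."""
    return [r for r in records
            if compare(r)["regex_hit"] != (compare(r)["policy"] == "reject")]
```

mismatches() returns the two records the regex misses: p=reject without a trailing ";" and a record with whitespace before the separator, both allowed by the RFC's *WSP ";" *WSP separator syntax. The regex's \b does correctly ignore sp=reject, and it has no equivalent of the RFC's fallback that a record with a usable rua but no valid p is treated as p=none. Whether the current KAM rule still uses exactly this pattern is not something this page establishes; check the rule file on the host.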

Re: KAM_DMARC_REJECT on internal emails
On 2021-04-19 14:05, Simon Wilson wrote:

> askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT
> /^v=DMARC1;.*\bp=reject;/
>
> run anyway?

Note the rule name starts with __?

> Or only if the resultant metas which call on them have a
> score value <> 0?

opendkim, opendmarc, openarc and sid-milter all have 127.0.0.1 whitelisted,
and possibly ::1 as well.

The above KAM rule is meant to be meta'ed with NO_RELAY or ALL_TRUSTED or
other tests that only hit on internal mails.

So, to ask now: did you configure trusted_networks and internal_networks in
SpamAssassin? It has to know all WAN IPs for your own server /
servers.

Re: KAM_DMARC_REJECT on internal emails
>> askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT
>> /^v=DMARC1;.*\bp=reject;/
>>
>> run anyway?
>
> Note the rule name starts with __?

Yes, and the doco says "...rules start with a double underscore, so
they are run and treated as having no score". So my question remains -
It says "are run", so do those rules run the askdns queries if or if
not the subsequent meta rules are enabled or disabled? If I am not
using the meta rules (by setting scores to 0) do I also need to
disable the askdns rules to stop any unneeded dns calls?

>
>> Or only if the resultant metas which call on them have a
>> score value <> 0?
>
> opendkim, opendmarc, openarc and sid-milter all have 127.0.0.1
> whitelisted, and possibly ::1 as well.
>

They do yes. However I use fetchmail to retrieve emails from some
services; fetchmail presents into the inbound stack as being from
127.0.0.1 - so I do not use the milters' "whitelists" to decide
whether or not to run on inbound email, I use directed flow through
postfix and amavisd to decide whether or not the milters are run.

In the context of my query here on *outbound* email... I do *not* run
milters on outbound email, so it is only the KAM DMARC rules which
were running regardless which generated an issue.

> The above KAM rule is meant to be meta'ed with NO_RELAY or
> ALL_TRUSTED or other tests that only hit on internal mails.
>
> So, to ask now: did you configure trusted_networks and internal_networks
> in SpamAssassin? It has to know all WAN IPs for your own server /
> servers.

Yes, my trusted_networks, internal_networks and msa_networks are all
set correctly... I had a long discussion with this mailing list on the
subject last year and got excellent help on resolving that! :)

----- End message from Benny Pedersen <me@junc.eu> -----





--
Simon Wilson
M: 0400 12 11 16

Re: KAM_DMARC_REJECT on internal emails
On 19 Apr 2021, at 8:42, Simon Wilson wrote:

> Yes, my trusted_networks, internal_networks and msa_networks are all
> set correctly... I had a long discussion with this mailing list on the
> subject last year and got excellent help on resolving that! :)

Then the most direct tactic would be to modify KAM_DMARC_REJECT to not
hit if ALL_TRUSTED is hit.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails
>On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>Yes, my trusted_networks, internal_networks and msa_networks are all
>>set correctly... I had a long discussion with this mailing list on
>>the subject last year and got excellent help on resolving that! :)

On 19.04.21 09:17, Bill Cole wrote:
>Then the most direct tactic would be to modify KAM_DMARC_REJECT to not
>hit if ALL_TRUSTED is hit.

that would cause problems if you set up trusted_servers to any foreign server
you trust not to fake headers.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

Re: KAM_DMARC_REJECT on internal emails
On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:

>> On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>> Yes, my trusted_networks, internal_networks and msa_networks are all
>>> set correctly... I had a long discussion with this mailing list on
>>> the subject last year and got excellent help on resolving that! :)
>
> On 19.04.21 09:17, Bill Cole wrote:
>> Then the most direct tactic would be to modify KAM_DMARC_REJECT to
>> not hit if ALL_TRUSTED is hit.
>
> that would cause problems if you set up trusted_servers to any foreign
> server
> you trust not to fake headers.

A valid point.

That raises the question of why we don't have an ALL_INTERNAL rule.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails
On 2021-04-19 15:46, Bill Cole wrote:
> On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>
>>> On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>>> Yes, my trusted_networks, internal_networks and msa_networks are all
>>>> set correctly... I had a long discussion with this mailing list on
>>>> the subject last year and got excellent help on resolving that! :)
>>
>> On 19.04.21 09:17, Bill Cole wrote:
>>> Then the most direct tactic would be to modify KAM_DMARC_REJECT to
>>> not hit if ALL_TRUSTED is hit.
>>
>> that would cause problems if you set up trusted_servers to any foreign
>> server
>> you trust not to fake headers.
>
> A valid point.
>
> That raises the question of why we don't have an ALL_INTERNAL rule.

ALL_INTERNAL untrusted ... :=)

It's simply not needed, else it would have been a bug in SpamAssassin
2.6.4.

I just repeat: make the trusted_networks for ALL maintained WAN IPs.

But don't do this if you have no root access to the other mail servers.

Hopefully this is clear now.

Re: KAM_DMARC_REJECT on internal emails
On 2021-04-19 14:42, Simon Wilson wrote:
>>> askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT
>>> /^v=DMARC1;.*\bp=reject;/
>>>
>>> run anyway?
>>
>> Note the rule name starts with __?
>
> Yes, and the doco says "...rules start with a double underscore, so
> they are run and treated as having no score". So my question remains -
> It says "are run", so do those rules run the askdns queries if or if
> not the subsequent meta rules are enabled or disabled? If I am not
> using the meta rules (by setting scores to 0) do I also need to
> disable the askdns rules to stop any unneeded dns calls?

Yes, all __ rules are run, for all mails, even if domains have no DMARC.

It's a wasted rule if this happens.

Please, on dev@, make that an SQL-cached result or drop it.

>>> Or only if the resultant metas which call on them have a
>>> score value <> 0?
>>
>> opendkim, opendmarc, openarc and sid-milter all have 127.0.0.1 whitelisted,
>> and possibly ::1 as well.
>>
>
> They do yes. However I use fetchmail to retrieve emails from some
> services; fetchmail presents into the inbound stack as being from
> 127.0.0.1 - so I do not use the milters' "whitelists" to decide
> whether or not to run on inbound email, I use directed flow through
> postfix and amavisd to decide whether or not the milters are run.

Make your fetchmail use an MDA; problem solved.

> In the context of my query here on *outbound* email... I do *not* run
> milters on outbound email, so it is only the KAM DMARC rules which
> were running regardless which generated an issue.

fetchmail is inbound, not outbound; the KAM rule is not a milter.

>> The above KAM rule is meant to be meta'ed with NO_RELAY or ALL_TRUSTED
>> or other tests that only hit on internal mails.
>>
>> So, to ask now: did you configure trusted_networks and internal_networks
>> in SpamAssassin? It has to know all WAN IPs for your own server /
>> servers.
>
> Yes, my trusted_networks, internal_networks and msa_networks are all
> set correctly... I had a long discussion with this mailing list on the
> subject last year and got excellent help on resolving that! :)

Sometimes it's needed to debug.

All the best

Re: KAM_DMARC_REJECT on internal emails
On Mon, Apr 19, 2021 at 10:05:21PM +1000, Simon Wilson wrote:
>
> askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
>
> run anyway? Or only if the resultant metas which call on them have a score
> value <> 0?

Askdns is like any other rule, it does what it's told to do with little
regard to anything else. So yes you must disable it specifically, if you
don't want it to do something.

Re: KAM_DMARC_REJECT on internal emails
>>>On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>>>Yes, my trusted_networks, internal_networks and msa_networks are
>>>>all set correctly... I had a long discussion with this mailing
>>>>list on the subject last year and got excellent help on
>>>>resolving that! :)

>>On 19.04.21 09:17, Bill Cole wrote:
>>>Then the most direct tactic would be to modify KAM_DMARC_REJECT to
>>>not hit if ALL_TRUSTED is hit.

>On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>>that would cause problems if you set up trusted_servers to any
>>foreign server
>>you trust not to fake headers.

On 19.04.21 09:46, Bill Cole wrote:
>A valid point.
>
>That raises the question of why we don't have an ALL_INTERNAL rule.

&& __LAST_EXTERNAL_RELAY_NO_AUTH

should do that.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.

Re: KAM_DMARC_REJECT on internal emails
On 19 Apr 2021, at 11:05, Matus UHLAR - fantomas wrote:

>>>> On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>>>> Yes, my trusted_networks, internal_networks and msa_networks are
>>>>> all set correctly... I had a long discussion with this mailing
>>>>> list on the subject last year and got excellent help on resolving
>>>>> that! :)
>
>>> On 19.04.21 09:17, Bill Cole wrote:
>>>> Then the most direct tactic would be to modify KAM_DMARC_REJECT to
>>>> not hit if ALL_TRUSTED is hit.
>
>> On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>>> that would cause problems if you set up trusted_servers to any
>>> foreign server
>>> you trust not to fake headers.
>
> On 19.04.21 09:46, Bill Cole wrote:
>> A valid point.
>>
>> That raises the question of why we don't have an ALL_INTERNAL rule.
>
> && __LAST_EXTERNAL_RELAY_NO_AUTH
> should do that.

I don't think that works if X-Spam-Relays-External is empty, i.e. all
relays are internal.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails
>>>>>On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>>>>>Yes, my trusted_networks, internal_networks and msa_networks
>>>>>>are all set correctly... I had a long discussion with this
>>>>>>mailing list on the subject last year and got excellent help
>>>>>>on resolving that! :)
>>
>>>>On 19.04.21 09:17, Bill Cole wrote:
>>>>>Then the most direct tactic would be to modify
>>>>>KAM_DMARC_REJECT to not hit if ALL_TRUSTED is hit.
>>
>>>On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>>>>that would cause problems if you set up trusted_servers to any
>>>>foreign server
>>>>you trust not to fake headers.
>>
>>On 19.04.21 09:46, Bill Cole wrote:
>>>A valid point.
>>>
>>>That raises the question of why we don't have an ALL_INTERNAL rule.

>On 19 Apr 2021, at 11:05, Matus UHLAR - fantomas wrote:
>>&& __LAST_EXTERNAL_RELAY_NO_AUTH
>>should do that.

On 19.04.21 11:11, Bill Cole wrote:
>I don't think that works if X-Spam-Relays-External is empty, i.e. all
>relays are internal.

I understand this as:

if mail was received by internal relay unauthenticated, it's external, and
therefore, should be subject to DMARC checks.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: KAM_DMARC_REJECT on internal emails
On 2021-04-19 17:30, Matus UHLAR - fantomas wrote:

> I understand this as:
>
> if mail was received by internal relay unauthenticated, it's external,
> and
> therefore, should be subject to DMARC checks.

And 127.0.0.1 and ::1 are hardcoded in SpamAssassin; opendmarc skips if
the client IP is the loopback interface.

Hope SA won't change this.

Consider NO_RELAYS as well.

No new rules are needed, as Bill added to the test rules.

If changes are really needed, it would be a change in askdns to skip
rule testing if mail is only on loopback:

if !NO_RELAYS
askdns ....
endif

Re: KAM_DMARC_REJECT on internal emails
On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:

> I understand this as:
>
> if mail was received by internal relay unauthenticated, it's external,

I cannot make SA behave that way.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: KAM_DMARC_REJECT on internal emails
>On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
>> I understand this as:
>>
>> if mail was received by internal relay unauthenticated, it's external,

On 19.04.21 12:49, Bill Cole wrote:
>I cannot make SA behave that way.

why not?

meta KAM_DMARC_REJECT __LAST_EXTERNAL_RELAY_NO_AUTH && !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT

should avoid KAM_DMARC_REJECT if the mail was accepted authenticated by
internal relay from external one.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.

Re: KAM_DMARC_REJECT on internal emails
On Mon, 19 Apr 2021 09:46:48 -0400
Bill Cole wrote:

> On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>
> >> On 19 Apr 2021, at 8:42, Simon Wilson wrote:
> >>> Yes, my trusted_networks, internal_networks and msa_networks are
> >>> all set correctly... I had a long discussion with this mailing
> >>> list on the subject last year and got excellent help on resolving
> >>> that! :)
> >
> > On 19.04.21 09:17, Bill Cole wrote:
> >> Then the most direct tactic would be to modify KAM_DMARC_REJECT to
> >> not hit if ALL_TRUSTED is hit.
> >
> > that would cause problems if you set up trusted_servers to any
> > foreign server
> > you trust not to fake headers.
>
> A valid point.

I assume you mean because it would still run on forwarded mail that
comes in via the trusted/external network.

This can be fixed by combining ALL_TRUSTED with a comparison of the
number of relays in external and untrusted.

Re: KAM_DMARC_REJECT on internal emails
On Mon, 19 Apr 2021 19:03:55 +0200
Matus UHLAR - fantomas wrote:

> >On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
> >> I understand this as:
> >>
> >> if mail was received by internal relay unauthenticated, it's
> >> external,
>
> On 19.04.21 12:49, Bill Cole wrote:
> >I cannot make SA behave that way.
>
> why not?
>
> meta KAM_DMARC_REJECT __LAST_EXTERNAL_RELAY_NO_AUTH &&
> !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
>
> should avoid KAM_DMARC_REJECT if the mail was accepted authenticated
> by internal relay from external one.
>


__LAST_EXTERNAL_RELAY_NO_AUTH will hit if an email arrived in the
internal network from external-trusted.

Re: KAM_DMARC_REJECT on internal emails
On 19 Apr 2021, at 13:03, Matus UHLAR - fantomas wrote:

>> On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
>>> I understand this as:
>>>
>>> if mail was received by internal relay unauthenticated, it's
>>> external,
>
> On 19.04.21 12:49, Bill Cole wrote:
>> I cannot make SA behave that way.
>
> why not?

When I provide SA with a message that has stepped through 2 internal
machines with no authentication, SA *DOES NOT* insert any information
about the relay host in X-Spam-Relays-External.

e.g., these received headers:

Return-Path: <root@skinnyclam.scconsult.com>
Received: from skinnyclam.scconsult.com (skinnyclam.scconsult.com
[192.168.254.125])
by toaster.scconsult.com (Postfix) with ESMTP id 4FP7Tb0wWWz5q7dl
for <bill@scconsult.com>; Mon, 19 Apr 2021 09:49:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by skinnyclam.scconsult.com (Postfix) with ESMTP id D74214C88329
for <bill@scconsult.com>; Mon, 19 Apr 2021 09:49:22 -0400 (EDT)


Results in these RELAYS* assignments:

Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSTRUSTED is
now ready, value: [. ip=192.168.254.125 rdns=skinnyclam.scconsult.com
helo=skinnyclam.scconsult.com by=bigsky.scconsult.com ident=
envfrom=root@skinnyclam.scconsult.com intl=1 id=4FP7Tb0wWWz5q7dl auth=
msa=0 ] [. ip=127.0.0.1 rdns=localhost helo=localhost
by=skinnyclam.scconsult.com ident= envfrom=root@skinnyclam.scconsult.com
intl=1 id=D74214C88329 auth= msa=0 ]
Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSUNTRUSTED is
now ready, value:
Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSINTERNAL is
now ready, value: [. ip=192.168.254.125 rdns=skinnyclam.scconsult.com
helo=skinnyclam.scconsult.com by=bigsky.scconsult.com ident=
envfrom=root@skinnyclam.scconsult.com intl=1 id=4FP7Tb0wWWz5q7dl auth=
msa=0 ] [. ip=127.0.0.1 rdns=localhost helo=localhost
by=skinnyclam.scconsult.com ident= envfrom=root@skinnyclam.scconsult.com
intl=1 id=D74214C88329 auth= msa=0 ]
Apr 19 12:38:23.932 [14599] dbg: check: tagrun - tag RELAYSEXTERNAL is
now ready, value:



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
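Bill's debug output above shows the RELAYS* tags that the ALL_TRUSTED and __LAST_EXTERNAL_RELAY_NO_AUTH conditions are built on. The following is an added example written for this page, not SpamAssassin code: a small model of the trust walk SA performs over Received: headers, with trusted_networks and internal_networks taken from an assumed local.cf, run on three constructed messages (a LAN submission like the one in the thread, an unauthenticated external delivery, and mail handed over by a foreign server that is in trusted_networks but not in internal_networks). msa_networks and SA's automatic boundary guessing are left out, and the set of "with" tokens counted as SMTP AUTH is an assumption.

```python
"""Added example, not SpamAssassin code: a small model of SA's Received-header
trust walk, so the ALL_TRUSTED, NO_RELAYS and __LAST_EXTERNAL_RELAY_NO_AUTH
conditions argued over in the thread can be compared on three constructed
messages.  Networks, hosts and headers are made up; msa_networks and SA's
guessing of trust boundaries are left out.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed local.cf: LAN plus loopback are internal; 203.0.113.10 stands for a
# foreign server trusted not to forge headers (trusted but not internal).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "::1/128", "192.168.1.0/24", "203.0.113.10/32")]
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}  # assumed AUTH 'with' tokens
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)(?P<rest>.*)$")

@dataclass
class Relay:
    ip: str
    by: str
    auth: bool            # receiving host accepted it with SMTP AUTH
    trusted: bool = False
    internal: bool = False

def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def parse_relays(raw_headers):
    """Relays top-down (most recent hop first), unfolding continuation lines."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    relays = []
    for line in lines:
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.match(line[len("received:"):].strip())
        if not m:                  # e.g. webmail/HTTP hops: not an SMTP relay
            continue
        proto = re.search(r"\bwith\s+([A-Za-z0-9-]+)", m.group("rest"))
        auth = bool(proto) and proto.group(1).upper() in AUTH_PROTOCOLS
        relays.append(Relay(m.group("ip"), m.group("by"), auth))
    return relays

def classify(relays):
    """Trust ends at the first hop outside trusted_networks; 'internal' ends
    at the first trusted hop outside internal_networks."""
    in_trusted = in_internal = True
    for r in relays:
        in_trusted = in_trusted and _in(r.ip, TRUSTED_NETWORKS)
        in_internal = in_trusted and in_internal and _in(r.ip, INTERNAL_NETWORKS)
        r.trusted, r.internal = in_trusted, in_internal
    return relays

def evaluate(raw_headers):
    relays = classify(parse_relays(raw_headers))
    untrusted = [r for r in relays if not r.trusted]
    external = [r for r in relays if not r.internal]   # X-Spam-Relays-External
    return {
        "no_relays": not relays,
        "all_trusted": bool(relays) and not untrusted,
        "all_internal": bool(relays) and not external,
        # nearest external hop arrived without SMTP AUTH; never hits when the
        # external list is empty (every hop internal)
        "last_external_relay_no_auth": bool(external) and not external[0].auth,
    }

def kam_dmarc_reject_guarded(raw_headers, dkim_valid_au, spf_pass, policy_reject):
    """Matus' guarded meta: __LAST_EXTERNAL_RELAY_NO_AUTH &&
    !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT."""
    return (evaluate(raw_headers)["last_external_relay_no_auth"]
            and not (dkim_valid_au or spf_pass) and policy_reject)

# A: LAN client submits on port 587 with AUTH, then two loopback hops.
LOCAL_SUBMISSION = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.test (Postfix) with ESMTP id 46BF6805DD
Received: from mail.example.test ([127.0.0.1])
\tby localhost (amavis.example.test [127.0.0.1]) (amavisd-new, port 10026)
\twith LMTP id NNQ0S1bHSMav for <simon@mail.local>
Received: from emp86.example.lan (emp86.example.lan [192.168.1.245])
\tby mail.example.test (Postfix) with ESMTPSA id 089FB7B4F3
"""
# B: ordinary inbound mail from an unknown MX, no AUTH.
EXTERNAL_UNAUTH = """\
Received: from mx.sender.example (mx.sender.example [198.51.100.7])
\tby mail.example.test (Postfix) with ESMTPS id 0123456789AB
"""
# C: handed over by the trusted-but-foreign server, no AUTH.
VIA_TRUSTED_FOREIGN = """\
Received: from fwd.friend.example (fwd.friend.example [203.0.113.10])
\tby mail.example.test (Postfix) with ESMTPS id 0123456789AC
"""
```

The three outcomes map onto the thread's proposals: the LAN submission has an empty external list, so the __LAST_EXTERNAL_RELAY_NO_AUTH guard keeps KAM_DMARC_REJECT silent even with SPF failing and no valid DKIM signature; the unauthenticated external delivery is still checked; and the trusted-foreign case is where a plain !ALL_TRUSTED guard would wrongly skip DMARC while the relay-based guard does not. Compare the model against the real classification with spamassassin -D received-header < message before relying on it.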

Re: KAM_DMARC_REJECT on internal emails
On Mon, 19 Apr 2021 13:20:37 -0400
Bill Cole wrote:

> On 19 Apr 2021, at 13:03, Matus UHLAR - fantomas wrote:
>
> >> On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
> >>> I understand this as:
> >>>
> >>> if mail was received by internal relay unauthenticated, it's
> >>> external,
> >
> > On 19.04.21 12:49, Bill Cole wrote:
> >> I cannot make SA behave that way.
> >
> > why not?
>
> When I provide SA with a message that has stepped through 2 internal
> machines with no authentication, SA *DOES NOT* insert any information
> about the relay host in X-Spam-Relays-External.

I'm not 100% sure, but I think localhost, unlike private addresses, is
always internal/trusted.
