Mailing List Archive

On Mon, 2022-05-09 at 14:35 -0400, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC
> when mxlookup?says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> ?* ?1.8 DMARC_REJECT DMARC reject policy
> ?* ?6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> ?* ? ? ?and the domain has a DMARC reject policy
>
> It also passes SPF and DKIM
>
> ?* ?0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> ?* -0.0 SPF_PASS SPF: sender matches SPF record
> ?* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> ?* ? ? ? domain
> ?* -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> ?* ?0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> ?* ? ? ?valid
>
> I'm using a local DNS resolver, not a public server.
>

I'm pretty sure it can't pass SPF for the purposes of satisfying
DMARC with a null envelope sender.

Dunno why the DKIM didn't pass. Can you tell if the
d=ess.firstdata.com signature is valid or only the amazonses.com sig
(which wouldn't satisfy DMARC)?

On 2022-05-09 20:35, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC when
> mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> * and the domain has a DMARC reject policy

you have askDNS plugin loaded to get this hits, its not really checking
dmarc via Mail::DMARC

asuming you are not using spamassassin 4.x.x yet

dmarc plugin from spamassassin trunk is working with stable spamassassin
atleast with 3.4.6

On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:


> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
> https://pastebin.com/0T4Gjn3v
>

> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
>

> It also passes SPF and DKIM

As far as I understand, for DMARC to be valid, the enveloppe sender address and the header From needs to have the same domain. There are possibilities to allow or restrict subdomains. So if the domains are different (amazonses.com != firstdata.com), DMARC can't be valid. Regardless of what's written in the DMARC record, or if SPF and/or SPF are valid.

Best,
Laurent

On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
is rumored to have said:

> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:
>
>
>> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
>> https://pastebin.com/0T4Gjn3v
>>
>
>> * 1.8 DMARC_REJECT DMARC reject policy
>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>> * and the domain has a DMARC reject policy
>>
>
>> It also passes SPF and DKIM
>
> As far as I understand, for DMARC to be valid, the enveloppe sender address and the header From needs to have the same domain.

Not so.

One of SPF (using the domain of the envelope sender) or DKIM (using the domain of the signature) must validate AND the domain used in the validation must match the domain of the author identified by the From header.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-09 at 14:35:58 UTC-0400 (Mon, 9 May 2022 14:35:58 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC when
> mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
>
> It also passes SPF and DKIM
>
> * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
>
> I'm using a local DNS resolver, not a public server.

Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

>> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:
>>> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
>>> https://pastebin.com/0T4Gjn3v
>>>
>>
>>> * 1.8 DMARC_REJECT DMARC reject policy
>>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>>> * and the domain has a DMARC reject policy
>>>
>>
>>> It also passes SPF and DKIM

>On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
>Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
>is rumored to have said:
>> As far as I understand, for DMARC to be valid, the enveloppe sender
>> address and the header From needs to have the same domain.

On 10.05.22 13:53, Bill Cole wrote:
>Not so.
>
>One of SPF (using the domain of the envelope sender) or DKIM (using the
> domain of the signature) must validate AND the domain used in the
> validation must match the domain of the author identified by the From
> header.

correct, however:

From: noreply@ess.firstdata.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
t=1652117979;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
Authentication-Results: mail03.example.com (amavisd-new);
dkim=pass (1024-bit key) header.d=ess.firstdata.com
header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
header.b="dwNxlXrW"

so the mail looks to be DMARC valid, while SA produces:

* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

On 2022-05-10 20:39, Matus UHLAR - fantomas wrote:
>>> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com>
>>> wrote:
>>>> I'm trying to understand why this email from a bank fails DMARC when
>>>> mxlookup says the DMARC record is just fine.
>>>> https://pastebin.com/0T4Gjn3v
>>>>
>>>
>>>> * 1.8 DMARC_REJECT DMARC reject policy
>>>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>>>> message
>>>> * and the domain has a DMARC reject policy
>>>>
>>>
>>>> It also passes SPF and DKIM
>
>> On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
>> Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
>> is rumored to have said:
>>> As far as I understand, for DMARC to be valid, the enveloppe sender
>>> address and the header From needs to have the same domain.
>
> On 10.05.22 13:53, Bill Cole wrote:
>> Not so.
>>
>> One of SPF (using the domain of the envelope sender) or DKIM (using
>> the domain of the signature) must validate AND the domain used in the
>> validation must match the domain of the author identified by the From
>> header.
>
> correct, however:
>
> From: noreply@ess.firstdata.com
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
> s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
> t=1652117979;
> h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
> bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
> b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
> XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
> h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
> Authentication-Results: mail03.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=ess.firstdata.com
> header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="dwNxlXrW"
>
> so the mail looks to be DMARC valid, while SA produces:
>
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> * and the domain has a DMARC reject policy

dkim=pass (1024-bit key) header.d=amazonses.com
header.b="dwNxlXrW"

this does not pass, why do amazonses add dkim :(

when multiple dkim signers is added all must pass for dmarc pass, i
belive this is the kam fails ?

when amazonses drops dkim signing on forwared mails it begins to be
stable, what amazonses should do here is to arc seal and arc sign, but
this must be done before breaking dkim when forwarding

we still wait for spamassassin 4.0.0

note to pmc members is that dmarc plugin do work with spamassassin
3.4.6, super, i can provide dmarc rule to public so askdns is not used
for dmarc rules anymore when dmarc plugin is loaded, i belive pmc
members can do this if version ... aswell :)

I believe this is a bug and fixed in trunk.

On 5/10/2022 1:55 PM, Bill Cole wrote:
> Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

>On 2022-05-10 20:39, Matus UHLAR - fantomas wrote:
>>From: noreply@ess.firstdata.com
>>DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>> s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
>> t=1652117979;
>> h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
>> bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
>> b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
>> XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
>> h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
>>Authentication-Results: mail03.example.com (amavisd-new);
>> dkim=pass (1024-bit key) header.d=ess.firstdata.com
>> header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
>> header.b="dwNxlXrW"
>>
>>so the mail looks to be DMARC valid, while SA produces:
>>
>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>>message
>> * and the domain has a DMARC reject policy

On 11.05.22 00:55, Benny Pedersen wrote:
>dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="dwNxlXrW"
>
>this does not pass, why do amazonses add dkim :(

it does not matter here.

>when multiple dkim signers is added all must pass for dmarc pass,

who told you this? any passing signature from the origin domain is enough.

> i belive this is the kam fails ?

it's more likely a bug

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Hi,

On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> I believe this is a bug and fixed in trunk.
>
> On 5/10/2022 1:55 PM, Bill Cole wrote:
> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
> also DMARC_REJECT and/or KAM_DMARC_REJECT
>


This was from svn version 1900493. I've now checked out 1900794, but that
somehow appears different from the version SA reports?

$ spamassassin --version
SpamAssassin version 4.0.0-r1900583
running on Perl version 5.34.1

My firstdata email does appear to now pass DKIM properly,
without DMARC_REJECT or KAM_DMARC_REJECT.

Any idea under what circumstances the DKIM check fails so I can watch for
it? Or can we consider it solved?

Hi, is it possible the DMARC_REJECT problem still exists?

https://pastebin.com/DCu9cq4t

* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 1.8 DMARC_REJECT DMARC reject policy

Authentication-Results: xavier.example.com (amavisd-new);
dkim=pass (1024-bit key) header.d=hotwire.com
header.b="NEdhsCdV";
dkim=pass (1024-bit key) header.d=amazonses.com
header.b="UglVB1nr"

$ spamassassin --version
SpamAssassin version 4.0.0-r1900583
running on Perl version 5.34.1


On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
> wrote:
>
>> I believe this is a bug and fixed in trunk.
>>
>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>
>
>
> This was from svn version 1900493. I've now checked out 1900794, but that
> somehow appears different from the version SA reports?
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
> My firstdata email does appear to now pass DKIM properly,
> without DMARC_REJECT or KAM_DMARC_REJECT.
>
> Any idea under what circumstances the DKIM check fails so I can watch for
> it? Or can we consider it solved?
>
>
>

Hi, I think this is another - this one also includes KAM_DMARC_REJECT

https://pastebin.com/9g9VrgVK

* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy
* 1.8 DMARC_REJECT DMARC reject policy

Can this info even be added to the welcomelist or will that also now fail?



On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi, is it possible the DMARC_REJECT problem still exists?
>
> https://pastebin.com/DCu9cq4t
>
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> * domain
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Authentication-Results: xavier.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=hotwire.com
> header.b="NEdhsCdV";
> dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="UglVB1nr"
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
>
> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:
>
>> Hi,
>>
>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
>> wrote:
>>
>>> I believe this is a bug and fixed in trunk.
>>>
>>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>>
>>
>>
>> This was from svn version 1900493. I've now checked out 1900794, but that
>> somehow appears different from the version SA reports?
>>
>> $ spamassassin --version
>> SpamAssassin version 4.0.0-r1900583
>> running on Perl version 5.34.1
>>
>> My firstdata email does appear to now pass DKIM properly,
>> without DMARC_REJECT or KAM_DMARC_REJECT.
>>
>> Any idea under what circumstances the DKIM check fails so I can watch for
>> it? Or can we consider it solved?
>>
>>
>>

Alex,

#1 you can use the welcomelist entries but NOT the welcomelist_auth entries
if DMARC is failing.

#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that
we are working through, sorry to say it's been rougher than I wanted too.
But we have it in production and we are working on edge cases from my end.

#3 At my work at PCCC, we changed some concepts to install the KAM rules so
they are parsed after the stock rules for some of the default DMARC scores
to change too. We used a new option for sa-update that Henrik added to do
this. I'll ask for some info about it and test that pastebin to see if it
fails on our system too. I was also discussing more DMARC/DKIM regression
tests are needed. It's too fragile.

Regards,
KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
>
> https://pastebin.com/9g9VrgVK
>
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> * domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Can this info even be added to the welcomelist or will that also now fail?
>
>
>
> On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com> wrote:
>
>> Hi, is it possible the DMARC_REJECT problem still exists?
>>
>> https://pastebin.com/DCu9cq4t
>>
>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>> * valid
>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
>> author's
>> * domain
>> * 1.8 DMARC_REJECT DMARC reject policy
>>
>> Authentication-Results: xavier.example.com (amavisd-new);
>> dkim=pass (1024-bit key) header.d=hotwire.com
>> header.b="NEdhsCdV";
>> dkim=pass (1024-bit key) header.d=amazonses.com
>> header.b="UglVB1nr"
>>
>> $ spamassassin --version
>> SpamAssassin version 4.0.0-r1900583
>> running on Perl version 5.34.1
>>
>>
>> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
>>> wrote:
>>>
>>>> I believe this is a bug and fixed in trunk.
>>>>
>>>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>>>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>>>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>>>
>>>
>>>
>>> This was from svn version 1900493. I've now checked out 1900794, but
>>> that somehow appears different from the version SA reports?
>>>
>>> $ spamassassin --version
>>> SpamAssassin version 4.0.0-r1900583
>>> running on Perl version 5.34.1
>>>
>>> My firstdata email does appear to now pass DKIM properly,
>>> without DMARC_REJECT or KAM_DMARC_REJECT.
>>>
>>> Any idea under what circumstances the DKIM check fails so I can watch
>>> for it? Or can we consider it solved?
>>>
>>>
>>>

On 22.05.22 12:25, Kevin A. McGrail wrote:
>#1 you can use the welcomelist entries but NOT the welcomelist_auth entries
>if DMARC is failing.

isn't welcomelist_auth okay with DKIM_VALID_AU ?

>#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that
>we are working through, sorry to say it's been rougher than I wanted too.
>But we have it in production and we are working on edge cases from my end.

Alex (OP), do you have Mail::DMARC installed?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.

On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> On 22.05.22 12:25, Kevin A. McGrail wrote:
> >#1 you can use the welcomelist entries but NOT the welcomelist_auth
> entries
> >if DMARC is failing.
>
> isn't welcomelist_auth okay with DKIM_VALID_AU ?
>

It looks like welcomelist_auth works with SPF even when this DMARC_REJECT
occurs, I believe.


> >#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues
> that
> >we are working through, sorry to say it's been rougher than I wanted too.
> >But we have it in production and we are working on edge cases from my end.
>
> Alex (OP), do you have Mail::DMARC installed?
>

May 22 15:12:59.482 [865542] dbg: plugin: loading
Mail::SpamAssassin::Plugin::DMARC from @INC

I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
>
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing.
>
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted too.  But we have it in production and we are working on edge cases from my end.
>
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so they are parsed after the stock rules for some of the default DMARC scores to change too.  We used a new option for sa-update that Henrik added to do this.  I'll ask for some info about it and test that pastebin to see if it fails on our system too.  I was also discussing more DMARC/DKIM regression tests are needed.  It's too fragile.
>
starting from r1900857, official ASF channels are loaded first, then all other channels in alphabetical order.

I would like to better check the original email if possible.

Giovanni


> Regards,
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail <https://www.linkedin.com/in/kmcgrail> - 703.798.0171
>
>
> On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
>
> https://pastebin.com/9g9VrgVK <https://pastebin.com/9g9VrgVK>
>
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>  *      and the domain has a DMARC reject policy
>  *  1.8 DMARC_REJECT DMARC reject policy
>
> Can this info even be added to the welcomelist or will that also now fail?
>
>
>
> On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi, is it possible the DMARC_REJECT problem still exists?
>
> https://pastebin.com/DCu9cq4t <https://pastebin.com/DCu9cq4t>
>
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  *  1.8 DMARC_REJECT DMARC reject policy
>
> Authentication-Results: xavier.example.com <http://xavier.example.com> (amavisd-new);
>             dkim=pass (1024-bit key) header.d=hotwire.com <http://hotwire.com> header.b="NEdhsCdV";
>             dkim=pass (1024-bit key) header.d=amazonses.com <http://amazonses.com> header.b="UglVB1nr"
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
>
>
> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi,
>
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org <mailto:kmcgrail@apache.org>> wrote:
>
> I believe this is a bug and fixed in trunk.
>
> On 5/10/2022 1:55 PM, Bill Cole wrote:
> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT
>
>
>
> This was from svn version 1900493. I've now checked out 1900794, but that somehow appears different from the version SA reports?
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
>
> My firstdata email does appear to now pass DKIM properly, without DMARC_REJECT or KAM_DMARC_REJECT.
>
> Any idea under what circumstances the DKIM check fails so I can watch for it? Or can we consider it solved?
>
>

On 2022-05-23 10:11, giovanni@paclan.it wrote:

> starting from r1900857, official ASF channels are loaded first, then
> all other channels in alphabetical order.
>
> I would like to better check the original email if possible.

dmarc plugin would have to inhirit AuthRes results, imho current dmarc
plugin miss this

i am still unsure if AuthRes is usefull in other tests as is now

>> On 22.05.22 12:25, Kevin A. McGrail wrote:
>> >#1 you can use the welcomelist entries but NOT the welcomelist_auth
>> >entries if DMARC is failing.

>On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
>wrote:
>> isn't welcomelist_auth okay with DKIM_VALID_AU ?

On 22.05.22 15:17, Alex wrote:
>It looks like welcomelist_auth works with SPF even when this DMARC_REJECT
>occurs, I believe.

welcomelist_auth requires SPF or DKIM pass result, so passing either should
cause welcomelist_auth to hit.

...unless the code was rewritten to ignore those when DMARC causes fail.

>> >#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues
>> >that we are working through, sorry to say it's been rougher than I
>> >wanted too. But we have it in production and we are working on edge
>> >cases from my end.
>>
>> Alex (OP), do you have Mail::DMARC installed?

>May 22 15:12:59.482 [865542] dbg: plugin: loading
>Mail::SpamAssassin::Plugin::DMARC from @INC

this is the SA plugin, not the perl library...

>I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

... and this is the perl library.

I see you have both KAM_DMARC_REJECT and DMARC_REJECT
- KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
isn't available, but uses the library if it does.

could you (temporarily) uninstall the perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
if it fixes the problem?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.

>On 2022-05-23 10:11, giovanni@paclan.it wrote:
>>starting from r1900857, official ASF channels are loaded first, then
>>all other channels in alphabetical order.
>>
>>I would like to better check the original email if possible.

On 23.05.22 11:01, Benny Pedersen wrote:
>dmarc plugin would have to inhirit AuthRes results, imho current dmarc
>plugin miss this
>
>i am still unsure if AuthRes is usefull in other tests as is now

I agree, however both the original mails don't have DMARC result in
Authentication-Results: headers.

They both have dkim=pass in Authentication-Results: and both hit
DKIM_VALID_AU.

https://pastebin.com/9g9VrgVK
https://pastebin.com/DCu9cq4t


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

>
>
>
> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>
> ... and this is the perl library.
>
> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> isn't available, but uses the library if it does.
>
> could you (temporarily) uninstall the
> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> if it fixes the problem?
>

Since uninstalling it this morning, there have been no other occurrences of
KAM_DMARC_REJECT all day for any emails.

The last DMARC_REJECT was also this morning prior to uninstalling
perl-Mail-Dmarc-PurePerl.

The only other references to DMARC today have been from KAM_DMARC_STATUS

>
>
>
> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>
> ... and this is the perl library.
>
> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> isn't available, but uses the library if it does.
>
> could you (temporarily) uninstall the
> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> if it fixes the problem?
>

Since uninstalling it this morning, there have been no other occurrences of
KAM_DMARC_REJECT all day for any emails.

The last DMARC_REJECT was also this morning prior to uninstalling
perl-Mail-Dmarc-PurePerl.

The only other references to DMARC today have been from KAM_DMARC_STATUS

On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:

>
>>
>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>
>> ... and this is the perl library.
>>
>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> isn't available, but uses the library if it does.
>>
>> could you (temporarily) uninstall the
>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> if it fixes the problem?
>>
>
> Since uninstalling it this morning, there have been no other occurrences
> of KAM_DMARC_REJECT all day for any emails.
>
> The last DMARC_REJECT was also this morning prior to uninstalling
> perl-Mail-Dmarc-PurePerl.
>
> The only other references to DMARC today have been from KAM_DMARC_STATUS
>

What are the proper libraries that should be used to support DMARC with SA?

On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:

>
>>
>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>
>> ... and this is the perl library.
>>
>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> isn't available, but uses the library if it does.
>>
>> could you (temporarily) uninstall the
>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> if it fixes the problem?
>>
>
> Since uninstalling it this morning, there have been no other occurrences
> of KAM_DMARC_REJECT all day for any emails.
>
> The last DMARC_REJECT was also this morning prior to uninstalling
> perl-Mail-Dmarc-PurePerl.
>
> The only other references to DMARC today have been from KAM_DMARC_STATUS
>

What are the proper libraries that should be used to support DMARC with SA?

>>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>>
>>> ... and this is the perl library.
>>>
>>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>>> isn't available, but uses the library if it does.
>>>
>>> could you (temporarily) uninstall the
>>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>>> if it fixes the problem?

>On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
>> Since uninstalling it this morning, there have been no other occurrences
>> of KAM_DMARC_REJECT all day for any emails.

have there been rejects often before?

can you re-run spamassassin over those messages to see if uninstalling that
package fixed the error with the same e-mails?

>> The last DMARC_REJECT was also this morning prior to uninstalling
>> perl-Mail-Dmarc-PurePerl.
>>
>> The only other references to DMARC today have been from KAM_DMARC_STATUS

On 24.05.22 13:02, Alex wrote:
>What are the proper libraries that should be used to support DMARC with SA?

This one should be, but there seems to be either a bug in that library or in
SA code handling that.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?

On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> >>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
> >>>
> >>> ... and this is the perl library.
> >>>
> >>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> >>> isn't available, but uses the library if it does.
> >>>
> >>> could you (temporarily) uninstall the
> >>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> >>> if it fixes the problem?
>
> >On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
> >> Since uninstalling it this morning, there have been no other occurrences
> >> of KAM_DMARC_REJECT all day for any emails.
>
> have there been rejects often before?
>

I have hundreds of these over the last few days (week?), but they could go
back even further than that. It appears to primarily hit mailing lists or
statements from providers like AmEx or notices from Delta, for example.



> can you re-run spamassassin over those messages to see if uninstalling
> that
> package fixed the error with the same e-mails?
>

Yes, without that library, there's no reference to DMARC in the SA results
at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would trigger.

>> >>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>> >>>
>> >>> ... and this is the perl library.
>> >>>
>> >>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> >>> isn't available, but uses the library if it does.
>> >>>
>> >>> could you (temporarily) uninstall the
>> >>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> >>> if it fixes the problem?
>>
>> >On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
>> >> Since uninstalling it this morning, there have been no other occurrences
>> >> of KAM_DMARC_REJECT all day for any emails.


>On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
>wrote:
>> have there been rejects often before?

On 24.05.22 13:58, Alex wrote:
>I have hundreds of these over the last few days (week?), but they could go
>back even further than that. It appears to primarily hit mailing lists or
>statements from providers like AmEx or notices from Delta, for example.


>> can you re-run spamassassin over those messages to see if uninstalling
>> that package fixed the error with the same e-mails?

>Yes, without that library, there's no reference to DMARC in the SA results
>at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would trigger.

but you still get KAM_DMARC_REJECT for some mail? because KAM_DMARC_REJECT
has a workaround where it works w/o Mail::Dmarc::PurePerl


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.

>
>
>
> >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk
> >
> >wrote:
> >> have there been rejects often before?
>
> On 24.05.22 13:58, Alex wrote:
> >I have hundreds of these over the last few days (week?), but they could go
> >back even further than that. It appears to primarily hit mailing lists or
> >statements from providers like AmEx or notices from Delta, for example.
>
>
> >> can you re-run spamassassin over those messages to see if uninstalling
> >> that package fixed the error with the same e-mails?
>
> >Yes, without that library, there's no reference to DMARC in the SA results
> >at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would
> trigger.
>
> but you still get KAM_DMARC_REJECT for some mail? because
> KAM_DMARC_REJECT
> has a workaround where it works w/o Mail::Dmarc::PurePerl
>

No, I haven't seen any hits since uninstalling the perl library.

I also haven't any references to DMARC whatsoever from any SA rules since
it was uninstalled.

I otherwise have no way of telling if there should have been any hits, but
I'd imagine there should have been at least one in 24-hours.

It appears to have disabled DMARC functionality entirely.

>> >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk
>> >wrote:
>> >> have there been rejects often before?
>>
>> On 24.05.22 13:58, Alex wrote:
>> >I have hundreds of these over the last few days (week?), but they could go
>> >back even further than that. It appears to primarily hit mailing lists or
>> >statements from providers like AmEx or notices from Delta, for example.
>>
>>
>> >> can you re-run spamassassin over those messages to see if uninstalling
>> >> that package fixed the error with the same e-mails?
>>
>> >Yes, without that library, there's no reference to DMARC in the SA results
>> >at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would
>> trigger.
>>
>> but you still get KAM_DMARC_REJECT for some mail? because
>> KAM_DMARC_REJECT
>> has a workaround where it works w/o Mail::Dmarc::PurePerl

On 24.05.22 14:10, Alex wrote:
>No, I haven't seen any hits since uninstalling the perl library.
>
>I also haven't any references to DMARC whatsoever from any SA rules since
>it was uninstalled.

>I otherwise have no way of telling if there should have been any hits, but
>I'd imagine there should have been at least one in 24-hours.
>
>It appears to have disabled DMARC functionality entirely.

KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
available, but I'm not sure if loading that plugin doesn't disable them.

I have disabled loading it so let's see.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.

Hi,

>
> >I also haven't any references to DMARC whatsoever from any SA rules since
> >it was uninstalled.
>
> >I otherwise have no way of telling if there should have been any hits, but
> >I'd imagine there should have been at least one in 24-hours.
> >
> >It appears to have disabled DMARC functionality entirely.
>
> KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
> available, but I'm not sure if loading that plugin doesn't disable them.
>
> I have disabled loading it so let's see.
>

Any further thoughts on this? It appears removing the DMARC perl library
has disabled any DMARC support altogether.

>> >I also haven't any references to DMARC whatsoever from any SA rules since
>> >it was uninstalled.
>>
>> >I otherwise have no way of telling if there should have been any hits, but
>> >I'd imagine there should have been at least one in 24-hours.
>> >
>> >It appears to have disabled DMARC functionality entirely.
>>
>> KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
>> available, but I'm not sure if loading that plugin doesn't disable them.
>>
>> I have disabled loading it so let's see.

On 26.05.22 09:34, Alex wrote:
>Any further thoughts on this? It appears removing the DMARC perl library
>has disabled any DMARC support altogether.

disabling Mail::SpamAssassin::Plugin::DMARC should make KAM.cf revert to
it's simpler DMARC functioality

note that it requires:
Mail::SpamAssassin::Plugin::AskDNS
Mail::SpamAssassin::Plugin::DKIM
Mail::SpamAssassin::Plugin::SPF

no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)

On Thu, May 26, 2022 at 03:48:57PM +0200, Matus UHLAR - fantomas wrote:
> > > >I also haven't any references to DMARC whatsoever from any SA rules since
> > > >it was uninstalled.
> > >
> > > >I otherwise have no way of telling if there should have been any hits, but
> > > >I'd imagine there should have been at least one in 24-hours.
> > > >
> > > >It appears to have disabled DMARC functionality entirely.
> > >
> > > KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
> > > available, but I'm not sure if loading that plugin doesn't disable them.
> > >
> > > I have disabled loading it so let's see.
>
> On 26.05.22 09:34, Alex wrote:
> > Any further thoughts on this? It appears removing the DMARC perl library
> > has disabled any DMARC support altogether.
>
> disabling Mail::SpamAssassin::Plugin::DMARC should
> make KAM.cf revert to it's simpler DMARC
> functioality
>
> note that it requires:
> Mail::SpamAssassin::Plugin::AskDNS
> Mail::SpamAssassin::Plugin::DKIM
> Mail::SpamAssassin::Plugin::SPF
>
> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.

Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
relevant to this thread.

Hi,

> > Any further thoughts on this? It appears removing the DMARC perl library
> > > has disabled any DMARC support altogether.
> >
> > disabling Mail::SpamAssassin::Plugin::DMARC should
> > make KAM.cf revert to it's simpler DMARC
> > functioality
> >
> > note that it requires:
> > Mail::SpamAssassin::Plugin::AskDNS
> > Mail::SpamAssassin::Plugin::DKIM
> > Mail::SpamAssassin::Plugin::SPF
>

Yes, these plugins are already enabled.

> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>
> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
> relevant to this thread.
>

Okay, new version in place, but without that perl DMARC plugin, still the
same results with only KAM_DMARC_STATUS hitting.

Going back to installing the PurePerl DMARC lib now as well.

>> > Any further thoughts on this? It appears removing the DMARC perl library
>> > > has disabled any DMARC support altogether.
>> >
>> > disabling Mail::SpamAssassin::Plugin::DMARC should
>> > make KAM.cf revert to it's simpler DMARC
>> > functioality
>> >
>> > note that it requires:
>> > Mail::SpamAssassin::Plugin::AskDNS
>> > Mail::SpamAssassin::Plugin::DKIM
>> > Mail::SpamAssassin::Plugin::SPF


>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>>
>> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
>> relevant to this thread.

according to:
https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3

it should fix the problem.

On 26.05.22 10:40, Alex wrote:
>Okay, new version in place, but without that perl DMARC plugin, still the
>same results with only KAM_DMARC_STATUS hitting.
>
>Going back to installing the PurePerl DMARC lib now as well.

let us know

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?

On Thu, May 26, 2022 at 10:40 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> > > Any further thoughts on this? It appears removing the DMARC perl
>> library
>> > > has disabled any DMARC support altogether.
>> >
>> > disabling Mail::SpamAssassin::Plugin::DMARC should
>> > make KAM.cf revert to it's simpler DMARC
>> > functioality
>> >
>> > note that it requires:
>> > Mail::SpamAssassin::Plugin::AskDNS
>> > Mail::SpamAssassin::Plugin::DKIM
>> > Mail::SpamAssassin::Plugin::SPF
>>
>
> Yes, these plugins are already enabled.
>
> > no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>>
>> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
>> relevant to this thread.
>>
>
> Okay, new version in place, but without that perl DMARC plugin, still the
> same results with only KAM_DMARC_STATUS hitting.
>
> Going back to installing the PurePerl DMARC lib now as well.
>

Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT all
hitting.

* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.0 SPF_PASS SPF: sender matches SPF record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.7 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
* -1.5 DKIMWL_WL ASKDNS: DKIMwl.org - Whitelisted sender
* [wish.com.lookup.dkimwl.org A:127.0.13.5]
* 0.1 DMARC_REJECT DMARC reject policy
* 1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy

It was quarantined because it also hit BAYES_99 and a local rule, despite
lowering KAM_DMARC_REJECT to just 1 point.





>
>
>

Hi,

>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
> >>
> >> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might
> be
> >> relevant to this thread.
>
> according to:
>
> https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3
>
> it should fix the problem.
>

Okay, wait, it doesn't appear that I have those changes.

$ spamassassin --version
SpamAssassin version 4.0.0-r1900857
running on Perl version 5.34.1

I built SA using the following:

$ svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk
Mail-SpamAssassin-4.0.0

This gave me revision 1901294.

Is that not the proper trunk?

On 2022-05-26 15:34, Alex wrote:

> Any further thoughts on this? It appears removing the DMARC perl
> library has disabled any DMARC support altogether.

disable kam channel solves it ?

if it does then wait for final spamassassin 4.x.x and hope Mail:DMARC
finaly work with the DMARC plugin in all details with AuthRes plugin
deep data

change DKIM scores to not score dkim fails as reject score, rejects
should only happen on dmarc policy

On 2022-05-26 at 11:05:59 UTC-0400 (Thu, 26 May 2022 11:05:59 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

> Hi,
>
>>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or
>>> not.
>>>>
>>>> Latest trunk has fix for DMARC waiting for SPF and DKIM results.
>>>> Might
>> be
>>>> relevant to this thread.
>>
>> according to:
>>
>> https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3
>>
>> it should fix the problem.
>>
>
> Okay, wait, it doesn't appear that I have those changes.

Don't be confused: the GitHub repo is a read-only replica of the
in-house Subversion repo, which obviously uses different commit/revision
identifiers than git.


> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900857

That's the last change (in the Subversion repo) to the
Mail::SpamAssassin module.

> running on Perl version 5.34.1
>
> I built SA using the following:
>
> $ svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk
> Mail-SpamAssassin-4.0.0
>
> This gave me revision 1901294.
>
> Is that not the proper trunk?

That's the correct way to get our trunk.

Right now we are at r1901296, because automated ruleQA/update jobs
generate changes in trunk.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

[...]
> Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
> all
> hitting.

Can you get these to match by re-running the same message with the
'spamassassin' script? If so, try it with "-D DMARC" to get all the
messages from the plugin. They may be illuminating.

My suspicion *from a very quick 1st look at the code* is that the logic
for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
good' && 'p=reject,' which seems less than useful.

(And yes, the plugin just bails out, not returning any match, if
Mail::DMARC::PurePerl is not available.)




--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Hi,


On Thu, May 26, 2022 at 1:15 PM Bill Cole <
sausers-20150205@billmail.scconsult.com> wrote:

> On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
> Alex <mysqlstudent@gmail.com>
> is rumored to have said:
>
> [...]
> > Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
> > all
> > hitting.
>
> Can you get these to match by re-running the same message with the
> 'spamassassin' script? If so, try it with "-D DMARC" to get all the
> messages from the plugin. They may be illuminating.
>

This is from the example provided earlier today. It says SPF failed(?) but
it hit SPF_PASS

May 26 14:25:12.080 [370198] dbg: DMARC: using Mail::DMARC::PurePerl for
DMARC checks
May 26 14:25:12.146 [370198] dbg: DMARC: result: pass, disposition: none,
dkim: pass, spf: fail (spf: pass, spf_helo: fail)

My suspicion *from a very quick 1st look at the code* is that the logic
> for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
> good' && 'p=reject,' which seems less than useful.
>

Any idea when this bug may have been introduced? It seems like a pretty
serious problem to just be overlooked?

And my confusion was actually only with the comments in the new DMARC.pm
not reflecting 25_dmarc.cf with the new priority settings. It does appear
I'm using the latest.

Hi, just wondering if anyone else has any ideas on how to solve this?

Is everyone with any v4 having problems with DMARC now or is it something
specific to my environment?

On Thu, May 26, 2022 at 2:36 PM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
>
> On Thu, May 26, 2022 at 1:15 PM Bill Cole <
> sausers-20150205@billmail.scconsult.com> wrote:
>
>> On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
>> Alex <mysqlstudent@gmail.com>
>> is rumored to have said:
>>
>> [...]
>> > Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
>> > all
>> > hitting.
>>
>> Can you get these to match by re-running the same message with the
>> 'spamassassin' script? If so, try it with "-D DMARC" to get all the
>> messages from the plugin. They may be illuminating.
>>
>
> This is from the example provided earlier today. It says SPF failed(?)
> but it hit SPF_PASS
>
> May 26 14:25:12.080 [370198] dbg: DMARC: using Mail::DMARC::PurePerl for
> DMARC checks
> May 26 14:25:12.146 [370198] dbg: DMARC: result: pass, disposition: none,
> dkim: pass, spf: fail (spf: pass, spf_helo: fail)
>
> My suspicion *from a very quick 1st look at the code* is that the logic
>> for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
>> good' && 'p=reject,' which seems less than useful.
>>
>
> Any idea when this bug may have been introduced? It seems like a pretty
> serious problem to just be overlooked?
>
> And my confusion was actually only with the comments in the new DMARC.pm
> not reflecting 25_dmarc.cf with the new priority settings. It does appear
> I'm using the latest.
>
>
>

On 2022-05-29 14:22, Alex wrote:
> Hi, just wondering if anyone else has any ideas on how to solve this?

see what ?

> Is everyone with any v4 having problems with DMARC now or is it
> something specific to my environment?

spamassassin v4 is not yet released, take it as its not supported yet

Version 4 does have pre-releases out and people are testing it. And yes,
the project needs testers so we will support questions about 4.0 including
the pre-releases and trunk etc. As we work towards a release.

We have been DMARC issues so no, it is not you Are you running the latest
trunk right now? There have been a flurry of patches and some of them are
for this issue.

I think we are having inconsistencies as well right now where the
authentication header or lack thereof results in failing SPF in my
environment soin my environment we are using other parts of the glue for a
solution.

When you look at the FPs for DMARC, are you seeing SPF failures or anything
that you can track?

KAM

On Sun, May 29, 2022, 09:25 Benny Pedersen <me@junc.eu> wrote:

> On 2022-05-29 14:22, Alex wrote:
> > Hi, just wondering if anyone else has any ideas on how to solve this?
>
> see what ?
>
> > Is everyone with any v4 having problems with DMARC now or is it
> > something specific to my environment?
>
> spamassassin v4 is not yet released, take it as its not supported yet
>
>

On 2022-05-29 16:31, Kevin A. McGrail wrote:
> Version 4 does have pre-releases out and people are testing it. And
> yes, the project needs testers so we will support questions about 4.0
> including the pre-releases and trunk etc. As we work towards a
> release.
>
> We have been DMARC issues so no, it is not you Are you running the
> latest trunk right now? There have been a flurry of patches and some
> of them are for this issue.

check.pm from trunk does not work in current 3.4.6, should it ?

> I think we are having inconsistencies as well right now where the
> authentication header or lack thereof results in failing SPF in my
> environment soin my environment we are using other parts of the glue
> for a solution.
>
> When you look at the FPs for DMARC, are you seeing SPF failures or
> anything that you can track?

Spam-Status: No, score=-8.5 required=5.0
tests=DMARC_MISSING,HTML_MESSAGE,
KAM_DMARC_STATUS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
RCVD_IN_HOSTKARMA_W,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE,USER_IN_DEF_SPF_WL autolearn=no autolearn_force=no

i added dmarc plugin to 3.4.6, no problem :=)

note spf here is apache.org not orginal sender domain !!

to understand spf better check diffrent maillist without spf

hope this is common knowledge

On 2022-05-29 at 11:16:12 UTC-0400 (Sun, 29 May 2022 17:16:12 +0200)
Benny Pedersen <me@junc.eu>
is rumored to have said:

> On 2022-05-29 16:31, Kevin A. McGrail wrote:
>> Version 4 does have pre-releases out and people are testing it. And
>> yes, the project needs testers so we will support questions about 4.0
>> including the pre-releases and trunk etc. As we work towards a
>> release.
>>
>> We have been DMARC issues so no, it is not you Are you running the
>> latest trunk right now? There have been a flurry of patches and some
>> of them are for this issue.
>
> check.pm from trunk does not work in current 3.4.6, should it ?

There is no such file in trunk or 3.4.x.

Obviously the project does not support files that are not part of the distribution.

We also make no effort to make code in trunk transplantable into older versions. If you want partial backports of 4.x functions into 3.x you are of course free to do that yourself under the ASF License, but I would not expect that to be supported by the project.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-29 17:58, Bill Cole wrote:

>> check.pm from trunk does not work in current 3.4.6, should it ?
> There is no such file in trunk or 3.4.x.

in 3.4.6 i have

total 964
-r--r--r-- 1 root root 4360 Apr 9 2021 WhiteListSubject.pm
-r--r--r-- 1 root root 16387 Apr 9 2021 WLBLEval.pm
-r--r--r-- 1 root root 5098 Apr 9 2021 VBounce.pm
-r--r--r-- 1 root root 21614 Apr 9 2021 URILocalBL.pm
-r--r--r-- 1 root root 2687 Apr 9 2021 URIEval.pm
-r--r--r-- 1 root root 7396 Apr 9 2021 URIDetail.pm
-r--r--r-- 1 root root 39833 Apr 9 2021 URIDNSBL.pm
-r--r--r-- 1 root root 79563 Apr 9 2021 TxRep.pm
-r--r--r-- 1 root root 16640 Apr 9 2021 TextCat.pm
-r--r--r-- 1 root root 2005 Apr 9 2021 Test.pm
-r--r--r-- 1 root root 8565 Apr 9 2021 SpamCop.pm
-r--r--r-- 1 root root 8385 Apr 9 2021 Shortcircuit.pm
-r--r--r-- 1 root root 31888 Apr 9 2021 SPF.pm
-r--r--r-- 1 root root 9035 Apr 9 2021 Rule2XSBody.pm
-r--r--r-- 1 root root 7081 Apr 9 2021 Reuse.pm
-r--r--r-- 1 root root 4320 Apr 9 2021 ResourceLimits.pm
-r--r--r-- 1 root root 8049 Apr 9 2021 ReplaceTags.pm
-r--r--r-- 1 root root 11424 Apr 9 2021 RelayEval.pm
-r--r--r-- 1 root root 12917 Apr 9 2021 RelayCountry.pm
-r--r--r-- 1 root root 14418 Apr 9 2021 Razor2.pm
-r--r--r-- 1 root root 13201 Apr 9 2021 Pyzor.pm
-r--r--r-- 1 root root 5644 Apr 9 2021 Phishing.pm
-r--r--r-- 1 root root 7429 Apr 9 2021 PhishTag.pm
-r--r--r-- 1 root root 23609 Apr 9 2021 PDFInfo.pm
-r--r--r-- 1 root root 4569 Apr 9 2021 OneLineBodyRuleType.pm
-r--r--r-- 1 root root 27131 Apr 9 2021 OLEVBMacro.pm
-r--r--r-- 1 root root 6470 Apr 9 2021 MIMEHeader.pm
-r--r--r-- 1 root root 20876 Apr 9 2021 MIMEEval.pm
-r--r--r-- 1 root root 12886 Apr 9 2021 ImageInfo.pm
-r--r--r-- 1 root root 34450 Apr 9 2021 HeaderEval.pm
-r--r--r-- 1 root root 10201 Apr 9 2021 Hashcash.pm
-r--r--r-- 1 root root 19445 Apr 9 2021 HashBL.pm
-r--r--r-- 1 root root 3648 Apr 9 2021 HTTPSMismatch.pm
-r--r--r-- 1 root root 5667 Apr 9 2021 HTMLEval.pm
-r--r--r-- 1 root root 11942 Apr 9 2021 FromNameSpoof.pm
-r--r--r-- 1 root root 20365 Apr 9 2021 FreeMail.pm
-r--r--r-- 1 root root 19801 Apr 9 2021 DNSEval.pm
-r--r--r-- 1 root root 53447 Apr 9 2021 DKIM.pm
-r--r--r-- 1 root root 33520 Apr 9 2021 DCC.pm
-r--r--r-- 1 root root 44818 Apr 9 2021 Check.pm
-r--r--r-- 1 root root 35503 Apr 9 2021 BodyRuleBaseExtractor.pm
-r--r--r-- 1 root root 11332 Apr 9 2021 BodyEval.pm
-r--r--r-- 1 root root 55885 Apr 9 2021 Bayes.pm
-r--r--r-- 1 root root 8803 Apr 9 2021 AutoLearnThreshold.pm
-r--r--r-- 1 root root 29117 Apr 9 2021 AskDNS.pm
-r--r--r-- 1 root root 4559 Apr 9 2021 AntiVirus.pm
-r--r--r-- 1 root root 4659 Apr 9 2021 AccessDB.pm
-r--r--r-- 1 root root 19936 Apr 9 2021 AWL.pm
-r--r--r-- 1 root root 17071 Apr 9 2021 ASN.pm

> Obviously the project does not support files that are not part of the
> distribution.

oh dear

> We also make no effort to make code in trunk transplantable into older
> versions. If you want partial backports of 4.x functions into 3.x you
> are of course free to do that yourself under the ASF License, but I
> would not expect that to be supported by the project.

fair thanks

Hi,

We have been DMARC issues so no, it is not you Are you running the latest
> trunk right now? There have been a flurry of patches and some of them are
> for this issue.
>

Yes, just downloaded, compiled, and installed the latest as of this moment
and still seeing the same problems initially. This is from realtor.com,
sent through cons.6130@envfrm.rsys2.com.

X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled

However, when I run it through SA after it's received, it doesn't hit
KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
also continues to hit DKIM_VALID_AU. I don't know how to explain that.

I've changed the rule scores a bit, but have otherwise made no changes.
Perhaps when I ran it manually the timing of the checks were different?

I think we are having inconsistencies as well right now where the
> authentication header or lack thereof results in failing SPF in my
> environment soin my environment we are using other parts of the glue for a
> solution.
>
> When you look at the FPs for DMARC, are you seeing SPF failures or
> anything that you can track?
>

These also typically pass SPF, which is why I suppose my welcomelist_auth
rules continue to work.

There is also a rule update for priority levels. Did you install the
latest rules too?

R

On Sun, May 29, 2022, 12:41 Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> We have been DMARC issues so no, it is not you Are you running the latest
>> trunk right now? There have been a flurry of patches and some of them are
>> for this issue.
>>
>
> Yes, just downloaded, compiled, and installed the latest as of this moment
> and still seeing the same problems initially. This is from realtor.com,
> sent through cons.6130@envfrm.rsys2.com.
>
> X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
> FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
> KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
> POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
> RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
> RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
> TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled
>
> However, when I run it through SA after it's received, it doesn't hit
> KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
> also continues to hit DKIM_VALID_AU. I don't know how to explain that.
>
> I've changed the rule scores a bit, but have otherwise made no changes.
> Perhaps when I ran it manually the timing of the checks were different?
>
> I think we are having inconsistencies as well right now where the
>> authentication header or lack thereof results in failing SPF in my
>> environment soin my environment we are using other parts of the glue for a
>> solution.
>>
>> When you look at the FPs for DMARC, are you seeing SPF failures or
>> anything that you can track?
>>
>
> These also typically pass SPF, which is why I suppose my welcomelist_auth
> rules continue to work.
>
>
>

Hi,

On Sun, May 29, 2022 at 8:10 PM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> There is also a rule update for priority levels. Did you install the
> latest rules too?
>

Yes, sa-update runs every day. Last run was 00:29 this morning.

>We have been DMARC issues so no, it is not you Are you running the latest
>> trunk right now? There have been a flurry of patches and some of them are
>> for this issue.

On 29.05.22 12:41, Alex wrote:
>Yes, just downloaded, compiled, and installed the latest as of this moment
>and still seeing the same problems initially. This is from realtor.com,
>sent through cons.6130@envfrm.rsys2.com.
>
>X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
> FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
> KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
> POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
> RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
> RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
> TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled

did you reload/restart amavis after installing new SA?
This header is added by amavis which uses SA libraries internally.

>However, when I run it through SA after it's received, it doesn't hit
>KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
>also continues to hit DKIM_VALID_AU. I don't know how to explain that.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.

>
> >X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
> > tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
> > DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
> > FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
> > HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
> > KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
> > POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
> > RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
> > RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
> > TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled
>
> did you reload/restart amavis after installing new SA?
> This header is added by amavis which uses SA libraries internally.
>

Yes, thanks. This has been ongoing for weeks.

>> >X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
>> > tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
>> > DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
>> > FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
>> > HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
>> > KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
>> > POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
>> > RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
>> > RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
>> > TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled
>>
>> did you reload/restart amavis after installing new SA?
>> This header is added by amavis which uses SA libraries internally.

On 30.05.22 09:50, Alex wrote:
>Yes, thanks. This has been ongoing for weeks.

doesn't amavisd by any chance use old SA installation/libraries?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

>
>
>
> >> did you reload/restart amavis after installing new SA?
> >> This header is added by amavis which uses SA libraries internally.
>
> On 30.05.22 09:50, Alex wrote:
> >Yes, thanks. This has been ongoing for weeks.
>
> doesn't amavisd by any chance use old SA installation/libraries?
>

I don't think so - the current paths it uses are:

/usr/share/spamassassin
/var/lib/spamassassin/4.000000/updates_spamassassin_org
/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com
/etc/mail/spamassassin/

May 30 15:05:16.089 [1254396] dbg: generic: Perl 5.034001, PREFIX=/usr,
DEF_RULES_DIR=/usr/share/spamassassin,
LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/va
r/lib/spamassassin

The only rules in the /var/lib/spamassassin/ directory are those listed
above.

I used to have a local DMARC.cf file in /etc/mail/spamassassin before DMARC
was included in v4, but that's been removed.

If I understand Kevin's comments correctly, we know there are still DMARC
problems. I think maybe this is related?

$ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc
May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl for
DMARC checks
May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition: none,
dkim: pass, spf: fail (spf: pass, spf_helo: fail)
DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,

Did SPF fail or pass above? It did hit SPF_PASS but it also
hit SPF_HELO_NONE.

It is curious that SA succeeds on its own but it's under amavisd that it
appears to fail.

I also see the following debug messages:

May 30 15:06:54.097 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN is now
ready, value: indeedemail.com
May 30 15:06:54.325 [1255659] dbg: askdns: rule __KAM_DMARC_POLICY_REJECT
depends on tags: AUTHORDOMAIN
May 30 15:06:54.325 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN was
ready, runnable immediately: CODE(0x563c09e23d70)
May 30 15:06:54.325 [1255659] dbg: askdns: launching query
(__KAM_DMARC_POLICY_REJECT): _dmarc.indeedemail.com
May 30 15:06:54.325 [1255659] dbg: async: query 50034/IN/TXT/_
dmarc.indeedemail.com already underway, adding no.4, rules:
__KAM_DMARC_POLICY_REJECT
May 30 15:06:54.518 [1255659] dbg: async: calling callback on key TXT/_
dmarc.indeedemail.com, rules: __KAM_DMARC_POLICY_REJECT
May 30 15:06:54.518 [1255659] dbg: askdns: answer received
(__KAM_DMARC_POLICY_REJECT), rcode NOERROR, query IN/TXT/_
dmarc.indeedemail.com, answer has 1 records
May 30 15:06:54.518 [1255659] dbg: askdns: domain "_dmarc.indeedemail.com"
listed (__KAM_DMARC_POLICY_REJECT): v=DMARC1; p=reject; sp=reject;
rua=mailto:f48jz-9178@rua.dm
arc.emailanalyst.com,mailto:dmarc@indeed.com; ruf=mailto:
f48jz-9178@ruf.dmarc.emailanalyst.com; adkim=r; aspf=r; pct=100

So it did hit __KAM_DMARC_POLICY_REJECT but just not whatever else was
necessary to fulfill the requirements for the KAM_DMARC_REJECT when run
with SA manually.

On 2022-05-30 at 15:12:34 UTC-0400 (Mon, 30 May 2022 15:12:34 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

[...]
> $ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc
> May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl
> for
> DMARC checks
> May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition:
> none,
> dkim: pass, spf: fail (spf: pass, spf_helo: fail)
> DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
>
> Did SPF fail or pass above? It did hit SPF_PASS but it also
> hit SPF_HELO_NONE.

SPF_PASS tells you that the envelope sender domain has a SPF record that
validates the connecting IP.

SPF_HELO_NONE tells you that the client introduced itself with a
hostname that has no SPF record.

Those two states are not in any fundamental conflict with each other.

> It is curious that SA succeeds on its own but it's under amavisd that
> it
> appears to fail.

This would imply that amavisd has one of these issues relative to
running the spamassassin script from the command line:

1. It is using different user-level preferences.
2. It is using different systemwide rules & preferences.
3. It is unable to access something on the system due to security config
(permissions, SELinux, AppArmor, chrooting, etc.) that your login shell
is able to access.
4. Something substantive has changed between when amavisd ran and when
you are checking manually, e.g. DNSBL changes, custom DNS config, new
rules, etc.

If you can eliminate all of those, you will have established the
existence of magic.

> I also see the following debug messages:
>
> May 30 15:06:54.097 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN is
> now
> ready, value: indeedemail.com
> May 30 15:06:54.325 [1255659] dbg: askdns: rule
> __KAM_DMARC_POLICY_REJECT
> depends on tags: AUTHORDOMAIN
> May 30 15:06:54.325 [1255659] dbg: check: tagrun - tag AUTHORDOMAIN
> was
> ready, runnable immediately: CODE(0x563c09e23d70)
> May 30 15:06:54.325 [1255659] dbg: askdns: launching query
> (__KAM_DMARC_POLICY_REJECT): _dmarc.indeedemail.com
> May 30 15:06:54.325 [1255659] dbg: async: query 50034/IN/TXT/_
> dmarc.indeedemail.com already underway, adding no.4, rules:
> __KAM_DMARC_POLICY_REJECT
> May 30 15:06:54.518 [1255659] dbg: async: calling callback on key
> TXT/_
> dmarc.indeedemail.com, rules: __KAM_DMARC_POLICY_REJECT
> May 30 15:06:54.518 [1255659] dbg: askdns: answer received
> (__KAM_DMARC_POLICY_REJECT), rcode NOERROR, query IN/TXT/_
> dmarc.indeedemail.com, answer has 1 records
> May 30 15:06:54.518 [1255659] dbg: askdns: domain
> "_dmarc.indeedemail.com"
> listed (__KAM_DMARC_POLICY_REJECT): v=DMARC1; p=reject; sp=reject;
> rua=mailto:f48jz-9178@rua.dm
> arc.emailanalyst.com,mailto:dmarc@indeed.com; ruf=mailto:
> f48jz-9178@ruf.dmarc.emailanalyst.com; adkim=r; aspf=r; pct=100
>
> So it did hit __KAM_DMARC_POLICY_REJECT but just not whatever else was
> necessary to fulfill the requirements for the KAM_DMARC_REJECT when
> run
> with SA manually.

__KAM_DMARC_POLICY_REJECT means that the DMARC record for the domain
part of the From header address has a p=reject attribute.

KAM_DMARC_REJECT requires __KAM_DMARC_POLICY_REJECT and NEITHER a
verified DKIM signature from the domain part of the From header address
(DKIM_VALID_AU) NOR a SPF_PASS for the domain part of the envelope
sender address, which must match the domain part of the From header
address.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

>> >> did you reload/restart amavis after installing new SA?
>> >> This header is added by amavis which uses SA libraries internally.
>>
>> On 30.05.22 09:50, Alex wrote:
>> >Yes, thanks. This has been ongoing for weeks.

>> doesn't amavisd by any chance use old SA installation/libraries?

On 30.05.22 15:12, Alex wrote:
>I don't think so - the current paths it uses are:
>
>/usr/share/spamassassin
>/var/lib/spamassassin/4.000000/updates_spamassassin_org
>/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com
>/etc/mail/spamassassin/

these are rules, not libraries.
there is a possibility that you have multiple versions of SA installed and
amavis uses the old one.

try running:

% locate SpamAssassin.pm DMARC.pm

to see if there are some that shouldn't be...

>If I understand Kevin's comments correctly, we know there are still DMARC
>problems. I think maybe this is related?
>
>$ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc
>May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl for
>DMARC checks
>May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition: none,
>dkim: pass, spf: fail (spf: pass, spf_helo: fail)
> DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,

it hit DMARC_PASS, which is the opposite of DMARC_REJECT or
KAM_DMARC_REJECT.

>So it did hit __KAM_DMARC_POLICY_REJECT but just not whatever else was
>necessary to fulfill the requirements for the KAM_DMARC_REJECT when run
>with SA manually.

__KAM_DMARC_POLICY_REJECT only says that the sender domain has DMARC policy
set to reject, it does not say that the mail is to be rejected


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

Hi,


> >> doesn't amavisd by any chance use old SA installation/libraries?
>
> On 30.05.22 15:12, Alex wrote:
> >I don't think so - the current paths it uses are:
> >
> >/usr/share/spamassassin
> >/var/lib/spamassassin/4.000000/updates_spamassassin_org
> >/var/lib/spamassassin/4.000000/kam_sa-channels_mcgrail_com
> >/etc/mail/spamassassin/
>
> these are rules, not libraries.
>

Yes, I was responding to the "installation" part of your question.

there is a possibility that you have multiple versions of SA installed and
> amavis uses the old one.
>
> try running:
>
> % locate SpamAssassin.pm DMARC.pm
>

# locate SpamAssassin.pm DMARC.pm
/usr/share/perl5/vendor_perl/Mail/DMARC.pm
/usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DMARC.pm

# ls -l /usr/share/perl5/vendor_perl/Mail/DMARC.pm
/usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/
DMARC.pm
-rw-r--r-- 1 root root 18600 Dec 8 23:01
/usr/share/perl5/vendor_perl/Mail/DMARC.pm
-r--r--r-- 1 root root 9752 May 29 11:14
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DMARC.pm
-r--r--r-- 1 root root 77572 May 29 11:14
/usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm

# rpm -qf /usr/share/perl5/vendor_perl/Mail/DMARC.pm
perl-Mail-Dmarc-PurePerl-1.20211209-3.fc35.noarch

# rpm -qf /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DMARC.pm
spamassassin-4.0.0-85.fc35.x86_64

Those are both packages I've created and built for fedora and are based on
existing fedora packages.

>If I understand Kevin's comments correctly, we know there are still DMARC
> >problems. I think maybe this is related?
> >
> >$ spamassassin -t -D DMARC < dmarc-reject1 2>&1|grep -i dmarc
> >May 30 14:59:14.894 [1250699] dbg: DMARC: using Mail::DMARC::PurePerl for
> >DMARC checks
> >May 30 14:59:15.034 [1250699] dbg: DMARC: result: pass, disposition: none,
> >dkim: pass, spf: fail (spf: pass, spf_helo: fail)
> > DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
>
> it hit DMARC_PASS, which is the opposite of DMARC_REJECT or
> KAM_DMARC_REJECT.
>

I was referring to the "spf: fail" component of that, which appears to
conflict with the "spf: pass" within the parentheses. Perhaps the first is
result of the combination of the two checks (HELO and envelope)?