Mailing List Archive

Refused by block lists
Attempting to utilize the various block lists and find rejection
messages in mail headers "blocked due to usage of an open resolver".

One of many things puzzling me at the moment is something found in the
related Wiki that states "A: Third, if your email gateway is behind a
firewall make sure that SpamAssassin is resolving the gateway to its
external address."

I brazenly confess I have no idea how to check this (or what it means,
in this context).

Figured I should sort out that puzzlement before attempting to install
and configure "unbound" for example.
Re: Refused by block lists
My interpretation is thus:

You have a firewall with a public IP and a private IP

You have a box with email behind that firewall.

When it talks to the world, it should do helo <fqdn> that maps back to
your Firewall's public IP not to a private RFC1918 address.

Regards,KAM
On 1/6/2023 12:00 PM, joe a wrote:
> Attempting to utilize the various block lists and find rejection
> messages in mail headers "blocked due to usage of an open resolver".
>
> One of many things puzzling me at the moment is something found in the
> related Wiki that states "A: Third, if your email gateway is behind a
> firewall make sure that SpamAssassin is resolving the gateway to its
> external address."
>
> I brazenly confess I have no idea how to check this (or what it means,
> in this context).
>
> Figured I should sort out that puzzlement before attempting to install
> and configure "unbound" for example.

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Refused by block lists
On 1/6/2023 12:15 PM, Kevin A. McGrail wrote:
> My interpretation is thus:
>
> You have a firewall with a public IP and a private IP
>
> You have a box with email behind that firewall.
>
> When it talks to the world, it should do helo <fqdn> that maps back to
> your Firewall's public IP not to a private RFC1918 address.
>
> Regards,KAM

Make sense to me.

So I guess my real question is, how do I cause spamassassin to make its
query in that fashion? Since the wiki stated it in a way that suggests
it is a spamassassin feature, I presume to ask here and not look at the
firewall or elsewhere.
Re: Refused by block lists
On Fri, 6 Jan 2023, joe a wrote:

> Attempting to utilize the various block lists and find rejection messages in
> mail headers "blocked due to usage of an open resolver".

Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.)
Google?

Best practice is to set up a local, non-forwarding (potentially
non-forwarding only for the DNSBL domains, see my email from a week or so
back) DNS server for your MTA and SpamAssassin to use (potentially your
entire local network as well, but that's not relevant to your question).

DNSBL providers generally don't like requests from public DNS servers as
they aggregate a lot of requests from a lot of sources.


> One of many things puzzling me at the moment is something found in the
> related Wiki that states "A: Third, if your email gateway is behind a
> firewall make sure that SpamAssassin is resolving the gateway to its external
> address."

I think you're getting distracted by the word "resolve" there... This
sounds like a DNS issue.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Je ne suis pas Charlie. Je suis armé.
-----------------------------------------------------------------------
Tomorrow: the 8th anniversary of the Charlie Hebdo massacre
Re: Refused by block lists
joe a skrev den 2023-01-06 18:35:
> On 1/6/2023 12:15 PM, Kevin A. McGrail wrote:
>> My interpretation is thus:
>>
>> You have a firewall with a public IP and a private IP
>>
>> You have a box with email behind that firewall.
>>
>> When it talks to the world, it should do helo <fqdn> that maps back to
>> your Firewall's public IP not to a private RFC1918 address.
>>
>> Regards,KAM
>
> Make sense to me.
>
> So I guess my real question is, how do I cause spamassassin to make
> its query in that fashion? Since the wiki stated it in a way that
> suggests it is a spamassassin feature, I presume to ask here and not
> look at the firewall or elsewhere.

KAM is always right firewall :=)

why do you ask for spamassassin configs then ?

if your spamassassin is on rfc1918 ip, then move your local dns server
to wan ip on the firewall, then allow query from rfc 1918 on the dns
server, listen-on 192.168.1.1 as an example, do list all ips "ip addr
show" on the firewall and add all non routable ips from this list

ps don't bind the wan ip

if you can then use pdns-recursor, with nearly have all good defaults
for all needed to be up and running safely

#powerdns Recursor 4.8.0 | Authoritative Server 4.7.3 | dnsdist 1.7.3

if you like to play :=)

bind is not that stable for me sadly, so using other problems to solve
what bind doesn't do well
Re: Refused by block lists
On 1/6/2023 12:49 PM, John Hardin wrote:
> On Fri, 6 Jan 2023, joe a wrote:
> . ..
>
> I think you're getting distracted by the word "resolve" there... This
> sounds like a DNS issue.
>

Agree it is likely a DNS issue. Apparently one I do not yet grasp.

Is there an online tool to which I can make a DNS query and have it
display what it receives? Trying to avoid having to packet sniff my
outbound traffic.

I have captured DNS queries via the firewall log/filters, but would like
to verify.
Re: Refused by block lists
>On Fri, 6 Jan 2023, joe a wrote:
>>Attempting to utilize the various block lists and find rejection
>>messages in mail headers "blocked due to usage of an open resolver".

On 06.01.23 09:49, John Hardin wrote:
>Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.)
>Google?
>
>Best practice is to set up a local, non-forwarding (potentially
>non-forwarding only for the DNSBL domains, see my email from a week or
>so back) DNS server for your MTA and SpamAssassin to use (potentially
>your entire local network as well, but that's not relevant to your
>question).
>
>DNSBL providers generally don't like requests from public DNS servers
>as they aggregate a lot of requests from a lot of sources.

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists

Q: My queries to a DNS-blocklist were blocked. What does this mean?
...

Resolving the block might be as simple as using your own non-forwarding caching nameserver

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
Re: Refused by block lists
On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:
>> On Fri, 6 Jan 2023, joe a wrote:
>>> Attempting to utilize the various block lists and find rejection
>>> messages in mail headers "blocked due to usage of an open resolver".
>
> On 06.01.23 09:49, John Hardin wrote:
>> Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.)
>> Google?
>>
>> Best practice is to set up a local, non-forwarding (potentially
>> non-forwarding only for the DNSBL domains, see my email from a week or
>> so back) DNS server for your MTA and SpamAssassin to use (potentially
>> your entire local network as well, but that's not relevant to your
>> question).
>>
>> DNSBL providers generally don't like requests from public DNS servers
>> as they aggregate a lot of requests from a lot of sources.
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
>
> Q: My queries to a DNS-blocklist were blocked. What does this mean?
> ...
>
> Resolving the block might be as simple as using your own non-forwarding
> caching nameserver
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver
>
>

Thanks. I think I actually got unbound working but still was getting
URIBL rejects from spamhaus.

I've disabled queries for now and will try again in a few days, thinking
the "free use" limits may have been tripped.

That will give me some time to review how to disable specific checks,
such as dnswl.org which caused a score of -5.0 for some obviously spammy
stuff.
Re: Refused by block lists
joe a skrev den 2023-01-07 18:03:

> That will give me some time to review how to disable specific checks,
> such as dnswl.org which caused a score of -5.0 for some obviously
> spammy stuff.

please report spam https://www.dnswl.org/?page_id=17

especially for dnswl hi
Re: Refused by block lists
>On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:
>>https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
>>
>>Q: My queries to a DNS-blocklist were blocked. What does this mean?
>>...
>>
>>Resolving the block might be as simple as using your own
>>non-forwarding caching nameserver
>>
>>https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

On 07.01.23 12:03, joe a wrote:
>Thanks. I think I actually got unbound working but still was getting
>URIBL rejects from spamhaus.

- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?
- doesn't unbound forward queries to other (isp, open) resolvers?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Re: Refused by block lists
On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
>> On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:
>>> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
>>>
>>> Q: My queries to a DNS-blocklist were blocked. What does this mean?
>>> ...
>>>
>>> Resolving the block might be as simple as using your own
>>> non-forwarding caching nameserver
>>>
>>> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver
>
> On 07.01.23 12:03, joe a wrote:
>> Thanks.  I think I actually got unbound working but still was getting
>> URIBL rejects from spamhaus.
>
> - do you actually use that unbound server? is 127.0.0.1 in
> /etc/resolv.conf?

Pretty sure. Or, I was. Ran various tests with unbound running and not
running confirmed it was working, at least providing a response. SA I
told to use unbound via local.cf as well.

Right now unbound is disabled and DNS is via "my old way".

> - doesn't unbound forward queries to other (isp, open) resolvers?
>

Not certain. The docs/examples seemed a bit sparse suggesting it does
and exceptions needed to be specified for spamhaus (for example) but did
not provide examples of how to do that. Some folks elsewhere seemed to
suggest it would "just work".

Likely I need to learn how to configure it properly?
Re: Refused by block lists
On 1/7/2023 12:16 PM, Benny Pedersen wrote:
> joe a skrev den 2023-01-07 18:03:
>
>> That will give me some time to review how to disable specific checks,
>> such as dnswl.org which caused a score of -5.0 for some obviously
>> spammy stuff.
>
> please report spam https://www.dnswl.org/?page_id=17
>
> especially for dnswl hi
>

I'll give it a try. When I looked at dnswl.org the last updated comment
seemed to be from 2017, so I kind of wrote it off as being unmaintained.

But, what do I know?
Re: Refused by block lists
joe a skrev den 2023-01-07 20:07:
> On 1/7/2023 12:16 PM, Benny Pedersen wrote:
>> joe a skrev den 2023-01-07 18:03:
>>
>>> That will give me some time to review how to disable specific checks,
>>> such as dnswl.org which caused a score of -5.0 for some obviously
>>> spammy stuff.
>>
>> please report spam https://www.dnswl.org/?page_id=17
>>
>> especially for dnswl hi
>>
>
> I'll give it a try. When I looked at dnswl.org the last updated
> comment seemed to be from 2017, so I kind of wrote it off as being
> unmaintained.
>
> But, what do I know?

haha, they hate me on irc by this knowledge here have helped Mail::DMARC
in the past to now being in use for spamassassin, just check references

undobt ?, go on dnswl irc
Re: Refused by block lists
>>On 07.01.23 12:03, joe a wrote:
>>>Thanks. I think I actually got unbound working but still was
>>>getting URIBL rejects from spamhaus.

>On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
>>- do you actually use that unbound server? is 127.0.0.1 in
>>/etc/resolv.conf?

On 07.01.23 14:06, joe a wrote:
>Pretty sure. Or, I was. Ran various tests with unbound running and
>not running confirmed it was working, at least providing a response.

providing answer to my second question would spare you from guessing.

>SA I told to use unbound via local.cf as well.
>
>Right now unbound is disabled and DNS is via "my old way".

why? it can't be worse.

>>- doesn't unbound forward queries to other (isp, open) resolvers?
>>
>
>Not certain. The docs/examples seemed a bit sparse suggesting it does
>and exceptions needed to be specified for spamhaus (for example) but
>did not provide examples of how to do that. Some folks elsewhere
>seemed to suggest it would "just work".
>
>Likely I need to learn how to configure it properly?

standard configuration should be enough, IF it's used at all.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
Re: Refused by block lists
On 1/8/2023 12:36 PM, Matus UHLAR - fantomas wrote:
>>> On 07.01.23 12:03, joe a wrote:
>>>> Thanks.  I think I actually got unbound working but still was
>>>> getting URIBL rejects from spamhaus.
>
>> On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
>>> - do you actually use that unbound server? is 127.0.0.1 in
>>> /etc/resolv.conf?
>
> On 07.01.23 14:06, joe a wrote:
>> Pretty sure.  Or, I was.  Ran various tests with unbound running and
>> not running confirmed it was working, at least providing a response.
>
> providing answer to my second question would spare you from guessing.

127.0.0.1 is not in /etc/resolv.conf.

I labor under the impression that telling unbound to accept query only
on one IP and telling SA in local.cf "dns_server th.at.addr.ess" would
cause it to use unbound.
Re: Refused by block lists
> > On 07.01.23 14:06, joe a wrote:
> > > Pretty sure.  Or, I was.  Ran various tests with unbound running
> > > and
> > > not running confirmed it was working, at least providing a
> > > response.
> >
That's pretty simple to check, provided you've got Wireshark installed:
Fire it up and tell it to watch for DNS and/or blacklist lookup traffic
on the appropriate ports.

Then feed known spam to SA. Wireshark will show you if spam is causing
external lookup requests to be generated, where they are being sent, and
what replies are being received


Martin
Re: Refused by block lists
On 1/8/2023 2:08 PM, Martin Gregorie wrote:
>>> On 07.01.23 14:06, joe a wrote:
>>>> Pretty sure.  Or, I was.  Ran various tests with unbound running
>>>> and
>>>> not running confirmed it was working, at least providing a
>>>> response.
>>>
> That's pretty simple to check, provided you've got Wireshark installed:
> Fire it up and tell it to watch for DNS and/or blacklist lookup traffic
> on the appropriate ports.
>
> Then feed known spam to SA. Wireshark will show you if spam is causing
> external lookup requests to be generated, where they are being sent, and
> what replies are being received
>
>
> Martin
>

Earlier I was going to do something like that, but at the
firewall/router link to the cable modem. I wanted to be sure the
"source IP" was the site static IP.

A separate discussion uncovered I may have to register that IP with
spamhaus.org. Registered years ago and stopped using it. Just now
dawned that provider mergers caused my static IPs to change a few years
back.

Almost every day I pass a "beef farmer" whose ponds and field teem with
Canadian Geese. Perhaps that should have been an omen?
Re: Refused by block lists
>On 1/8/2023 12:36 PM, Matus UHLAR - fantomas wrote:
>>>>On 07.01.23 12:03, joe a wrote:
>>>>>Thanks. I think I actually got unbound working but still was
>>>>>getting URIBL rejects from spamhaus.
>>
>>>On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
>>>>- do you actually use that unbound server? is 127.0.0.1 in
>>>>/etc/resolv.conf?
>>
>>On 07.01.23 14:06, joe a wrote:
>>>Pretty sure. Or, I was. Ran various tests with unbound running
>>>and not running confirmed it was working, at least providing a
>>>response.
>>
>>providing answer to my second question would spare you from guessing.

On 08.01.23 13:07, joe a wrote:
>127.0.0.1 is not in /etc/resolv.conf.
>
>I labor under the impression that telling unbound to accept query only
>on one IP and telling SA in local.cf "dns_server th.at.addr.ess" would
>cause it to use unbound.

this requires reloading spamassassin or any process using it (amavis,
mimedefang etc).

putting 127.0.0.1 into resolv.conf usually takes effect faster.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
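
The two questions raised in this thread (which resolver SpamAssassin actually queries, and whether unbound forwards instead of recursing) can be answered from the config files alone. The following is an added example, not code from any poster or from the SpamAssassin or unbound projects; the sample file contents are constructed, the function names are this example's own, and only the directives `dns_server`, `nameserver`, `forward-zone`, `name`, `forward-addr` and `forward-host` are real config keys.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread).
RESOLV_CONF = "search example.test\nnameserver 8.8.8.8\nnameserver 192.168.1.1\n"
LOCAL_CF = "dns_available yes\ndns_server 192.168.1.10\n"
UNBOUND_CONF = """\
server:
    interface: 192.168.1.10
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
"""

def config_lines(text):
    """Non-empty lines with '#' comments removed."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in stripped if line]

def host_of(entry):
    """Strip an optional port from 'ip', 'ip:port' or '[ip]:port'."""
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    return entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry

def sa_resolvers(local_cf, resolv_conf):
    """dns_server lines in local.cf replace the resolv.conf nameserver list."""
    explicit = [l.split()[1] for l in config_lines(local_cf) if l.split()[0] == "dns_server"]
    if explicit:
        return "local.cf", explicit
    return "resolv.conf", [l.split()[1] for l in config_lines(resolv_conf)
                           if l.split()[0] == "nameserver"]

def unbound_forwards(unbound_conf):
    """Map forward-zone names to their targets (assumes one directive per line)."""
    zones, current, in_fwd = {}, None, False
    for line in config_lines(unbound_conf):
        key, value = (p.strip().strip('"') for p in line.partition(":")[::2])
        if not value:  # clause header such as 'server:' or 'forward-zone:'
            in_fwd, current = key == "forward-zone", None
        elif in_fwd and key == "name":
            current = zones.setdefault(value, [])
        elif in_fwd and current is not None and key in ("forward-addr", "forward-host"):
            current.append(value)
    return zones

def audit(local_cf, resolv_conf, unbound_conf):
    """List the places where DNSBL lookups leave through a shared resolver."""
    source, servers = sa_resolvers(local_cf, resolv_conf)
    ips = [ipaddress.ip_address(host_of(s)) for s in servers]
    findings = [f"{source}: SpamAssassin queries non-local resolver {ip}"
                for ip in ips if not (ip.is_loopback or ip.is_private)]
    return findings + [f"unbound: root zone forwarded to {t}"
                       for t in unbound_forwards(unbound_conf).get(".", [])]
```

A loopback or private resolver address only shows that the first hop is local; the forward-zone check applies only if that address is the unbound instance whose config is being read.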