Mailing List Archive

Spamassassin rule
Hi
How does it really, really work in SA? I ask because it is not working so well:

example:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 1
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 0.5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif


Log:

Nov 17 11:10:49 amavis5 amavis[598804]: (598804-07) spam-tag,
<3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>
-> <user@domain.ltd>, No, score=4.865 tagged_above=3.6 required=6
tests=[AWL=-0.124, BAYES_00=-1.9, DCC_CHECK=4, DKIMWL_WL_MED=-0.001,

DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, DMARC_REJECT=1,
FROM_NOT_RETURN_PATH=2,

root@amavis5:/etc/mail/spamassassin# host -t txt
chime-notifications.bounces.google.com
chime-notifications.bounces.google.com descriptive text "v=spf1
redirect=_spf.google.com"

root@amavis5:/etc/mail/spamassassin# host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"

root@amavis5:/etc/mail/spamassassin# host -t txt
_dmarc.chime-notifications.bounces.google.com
_dmarc.chime-notifications.bounces.google.com descriptive text "v=spf1
redirect=_spf.google.com"

The e-mail was DKIM-signed, so why did SA set "DMARC_REJECT" this time?


SpamAssassin version 3.4.6
running on Perl version 5.32.1

--
Re: Spamassassin rule
On 17.11.23 11:19, natan wrote:
>How does it really, really work in SA? I ask because it is not working so well:
>
>example:
>
>ifplugin Mail::SpamAssassin::Plugin::AskDNS
>askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
>askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
>askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
>
>meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
>score DMARC_REJECT 1
>meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
>score DMARC_QUAR 0.5
>meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
>score DMARC_NONE 0.1
>endif

Note that SPF uses the envelope-from domain while DKIM uses the header From, so it
must be combined with HEADER_FROM_DIFFERENT_DOMAINS, so something like:

meta DMARC_REJECT __DMARC_POLICY_REJECT && !(DKIM_VALID_AU || (SPF_PASS && !HEADER_FROM_DIFFERENT_DOMAINS))

However, there is a stock SA rule that uses Mail::SpamAssassin::Plugin::DMARC:

header DMARC_REJECT eval:check_dmarc_reject()

>Log:
>
>Nov 17 11:10:49 amavis5 amavis[598804]: (598804-07) spam-tag, <3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>
>-> <user@domain.ltd>, No, score=4.865 tagged_above=3.6 required=6
>tests=[AWL=-0.124, BAYES_00=-1.9, DCC_CHECK=4, DKIMWL_WL_MED=-0.001,
>
>DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, DMARC_REJECT=1,
>FROM_NOT_RETURN_PATH=2,
>
>root@amavis5:/etc/mail/spamassassin# host -t txt
>chime-notifications.bounces.google.com
>chime-notifications.bounces.google.com descriptive text "v=spf1
>redirect=_spf.google.com"
>
>root@amavis5:/etc/mail/spamassassin# host -t txt _spf.google.com
>_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com
>include:_netblocks2.google.com include:_netblocks3.google.com ~all"
>
>root@amavis5:/etc/mail/spamassassin# host -t txt
>_dmarc.chime-notifications.bounces.google.com
>_dmarc.chime-notifications.bounces.google.com descriptive text "v=spf1
>redirect=_spf.google.com"
>
>The e-mail was DKIM-signed, so why did SA set "DMARC_REJECT" this time?

it's hard to see this without envelope and header from:

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: Spamassassin rule
On 17.11.2023 at 12:31, Matus UHLAR - fantomas wrote:
> On 17.11.23 11:19, natan wrote:
>> How does it really, really work in SA? I ask because it is not working so well:
>>
>> example:
>>
>> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>> askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
>> askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
>> askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
>>
>> meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
>> score DMARC_REJECT 1
>> meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
>> score DMARC_QUAR 0.5
>> meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
>> score DMARC_NONE 0.1
>> endif
>
> Note that SPF uses the envelope-from domain while DKIM uses the header From, so
> it must be combined with HEADER_FROM_DIFFERENT_DOMAINS, so something like:
>
> meta DMARC_REJECT __DMARC_POLICY_REJECT && !(DKIM_VALID_AU || (SPF_PASS && !HEADER_FROM_DIFFERENT_DOMAINS))
>
> However, there is a stock SA rule that uses
> Mail::SpamAssassin::Plugin::DMARC:
>
> header DMARC_REJECT eval:check_dmarc_reject()
I can't find anything that really works with rules

>
>> Log:
>>
>> Nov 17 11:10:49 amavis5 amavis[598804]: (598804-07) spam-tag,
>> <3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>
>> -> <user@domain.ltd>, No, score=4.865 tagged_above=3.6 required=6
>> tests=[AWL=-0.124, BAYES_00=-1.9, DCC_CHECK=4, DKIMWL_WL_MED=-0.001,
>>
>> DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, DMARC_REJECT=1,
>> FROM_NOT_RETURN_PATH=2,
>>
>> root@amavis5:/etc/mail/spamassassin# host -t txt
>> chime-notifications.bounces.google.com
>> chime-notifications.bounces.google.com descriptive text "v=spf1
>> redirect=_spf.google.com"
>>
>> root@amavis5:/etc/mail/spamassassin# host -t txt _spf.google.com
>> _spf.google.com descriptive text "v=spf1
>> include:_netblocks.google.com include:_netblocks2.google.com
>> include:_netblocks3.google.com ~all"
>>
>> root@amavis5:/etc/mail/spamassassin# host -t txt
>> _dmarc.chime-notifications.bounces.google.com
>> _dmarc.chime-notifications.bounces.google.com descriptive text
>> "v=spf1 redirect=_spf.google.com"
>>
>> The e-mail was DKIM-signed, so why did SA set "DMARC_REJECT" this time?
>

> it's hard to see this without envelope and header from:
>
Return-Path: <3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>
Delivered-To: user@domain.ltd
Received: from yyyy ([yyy.yyy.yyy.yyyy])
        by dovecot6 with LMTP
        id MMRTKyk8V2XTEAAAcMszrQ
        (envelope-from <3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>)
        for <user@domain.ltd>; Fri, 17 Nov 2023 11:10:49 +0100
....
Received: by mail-io1-f69.google.com with SMTP id ca18e2360f4ac-7a68ed726c9so157910939f.3
        for <user@domain.ltd>; Fri, 17 Nov 2023 02:10:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1700215845; x=1700820645; darn=domain.ltd;
        h=to:from:subject:message-id:date:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=Q271PAJLNE4ybEFdYYzmBSNisnfHEmKVmA/gB6QMDBg=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1700215845; x=1700820645;
        h=to:from:subject:message-id:date:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=Q271PAJLNE4ybEFdYYzmBSNisnfHEmKVmA/gB6QMDBg=;
.....
Message-ID: <aO12iVMX0HFCR4kC13htfw@notifications.google.com>
Subject: =?UTF-8?B?4oCeVGFiZWxrYSBLbGllbnTigJ0gYnnFgiBvc3RhdG5pbyBlZHl0b3dhbnk=?=
From: Google Sheets <comments-noreply@docs.google.com>
.....


--
Re: Spamassassin rule
natan wrote on 2023-11-17 11:19:
> How does it really, really work in SA? I ask because it is not working so well:

it's a hack, and a bad example; expect it hits unaligned mail as well as
aligned, we are screwed there :)

good news: the dmarc plugin in sa trunk also works in spamassassin
3.4.6, last time i tried

i am still waiting for a spamassassin stable release of 4.x
Re: Spamassassin rule
Hi
I had spamassassin-4.x for ~1 day ;) And I had to downgrade to
spamassassin-3.4.6

The problem was in /var/lib/amavis/tmp/, where the content of the catalog
grew and grew;
more was rising than falling, like 29 GB and more

When I downgraded to stable spamassassin-3.4.6 the problem was fixed and the size is ~100MB

Can you send an example or a working conf with the dmarc plugin?


On 17.11.2023 at 14:21, Benny Pedersen wrote:
> natan wrote on 2023-11-17 11:19:
>> How does it really, really work in SA? I ask because it is not working so well:
>
> it's a hack, and a bad example; expect it hits unaligned mail as well as
> aligned, we are screwed there :)
>
> good news: the dmarc plugin in sa trunk also works in spamassassin
> 3.4.6, last time i tried
>
> i am still waiting for a spamassassin stable release of 4.x

--
Re: Spamassassin rule
>natan wrote on 2023-11-17 11:19:
>>How does it really, really work in SA? I ask because it is not working so well:

On 17.11.23 14:21, Benny Pedersen wrote:
>it's a hack, and a bad example; expect it hits unaligned mail as well as
>aligned, we are screwed there :)

generally it could work, but it could be the reason for subdomain alignment.

>good news: the dmarc plugin in sa trunk also works in spamassassin
>3.4.6, last time i tried
>
>i am still waiting for a spamassassin stable release of 4.x

That happened 11 months ago today, where have you been?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
Re: Spamassassin rule
>>On 17.11.23 11:19, natan wrote:
>>>The e-mail was DKIM-signed, so why did SA set "DMARC_REJECT" this time?

>On 17.11.2023 at 12:31, Matus UHLAR - fantomas wrote:
>>it's hard to see this without envelope and header from:

On 17.11.23 12:42, natan wrote:
>Return-Path: <3JTxXZRAPACwKWUUMVba-VWZMXTgLWKa.OWWOTM.KWU@chime-notifications.bounces.google.com>

this means SPF applies to chime-notifications.bounces.google.com

>DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=google.com; s=20230601; t=1700215845; x=1700820645;

this is the DKIM signature for google.com

>X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=1e100.net; s=20230601; t=1700215845; x=1700820645;

This should be irrelevant.

>From: Google Sheets <comments-noreply@docs.google.com>

so the DMARC applies for docs.google.com

On 17.11.23 14:54, natan wrote:
>I had spamassassin-4.x for ~1 day ;) And I had to downgrade to
>spamassassin-3.4.6
>
>The problem was in /var/lib/amavis/tmp/, where the content of the catalog
>grew and grew;
>more was rising than falling, like 29 GB and more

This is strange, generally this is not an SA problem but an amavis problem.

>When I downgraded to stable spamassassin-3.4.6 the problem was fixed and the size is ~100MB
>
>Can you send an example or a working conf with the dmarc plugin?

you need SA4 for that.

>On 17.11.2023 at 14:21, Benny Pedersen wrote:
>>natan wrote on 2023-11-17 11:19:
>>>How does it really, really work in SA? I ask because it is not working so well:
>>
>>it's a hack, and a bad example; expect it hits unaligned mail as well
>>as aligned, we are screwed there :)

alignment could be the real culprit.

I didn't study DMARC deeply enough to know if the DKIM signature for google.com
is fine here (I have a feeling it's not).

_dmarc.docs.google.com. TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
_dmarc.google.com. TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"


However, the original mail misses the DKIM_VALID_AU so there's no validation
there.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of.
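
Added example (not part of the original thread and not SpamAssassin's own code): a Python check of DMARC identifier alignment as defined in RFC 7489, run on the domains quoted in the messages above and compared with the ad-hoc meta rule. ORG_SUFFIXES is a constructed stand-in for the Public Suffix List, one strict flag covers both DKIM and SPF alignment, and SPF is assumed not to have passed because SPF_PASS does not appear in the quoted test list.

```python
# Added example: DMARC identifier alignment (RFC 7489) on this thread's domains.
# ORG_SUFFIXES is a constructed stand-in for the Public Suffix List.
ORG_SUFFIXES = {"com", "net", "sk", "ltd"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ORG_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode: exact match. Relaxed mode: same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_policy(txt):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = [t.strip() for t in txt.split(";")]
    if tags[0].replace(" ", "") != "v=DMARC1":
        return None
    for tag in tags[1:]:
        name, _, value = tag.partition("=")
        if name.strip() == "p":
            return value.strip().lower()
    return None

def dmarc_result(from_domain, dkim_pass_domains, spf_pass_domain, strict=False):
    """Pass if a verified DKIM d= or the passing SPF domain aligns with From."""
    auth = list(dkim_pass_domains) + ([spf_pass_domain] if spf_pass_domain else [])
    return "pass" if any(aligned(from_domain, d, strict) for d in auth) else "fail"

def adhoc_meta(policy_reject, dkim_valid_au, spf_pass):
    """The thread's meta: !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT."""
    return policy_reject and not (dkim_valid_au or spf_pass)

if __name__ == "__main__":
    # Values quoted in the thread; SPF is assumed not to have passed.
    policy = dmarc_policy("v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com")
    print("policy at _dmarc.docs.google.com:", policy)
    print("ad-hoc meta fires:", adhoc_meta(policy == "reject", False, False))
    print("relaxed:", dmarc_result("docs.google.com", ["google.com"], None))
    print("strict: ", dmarc_result("docs.google.com", ["google.com"], None, strict=True))
```

With relaxed alignment, the default when the record carries no adkim tag, the d=google.com signature aligns with the docs.google.com From domain, while the ad-hoc meta still fires because it depends on DKIM_VALID_AU.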