Understanding trusted_networks and whitelist_from_rcvd
I'm trying to piece together the proper definitions for trusted_networks, and trying to understand how it interacts with whitelist_from_rcvd (version 2.63 of SA), and have a few questions.

First, let's take a look at some Received headers, excerpted from a recent message sent to this list:

On the incoming side to the list:

Received: (qmail 93755 invoked from network); 6 Feb 2004 05:36:24 -0000
Received: from unknown (HELO server07.icaen.uiowa.edu) (128.255.17.47)
by daedalus.apache.org with SMTP; 6 Feb 2004 05:36:24 -0000
Received: from server11.icaen.uiowa.edu (server11.icaen.uiowa.edu
[128.255.17.51]) by server07.icaen.uiowa.edu (8.9.3/8.9.3) with ESMTP id
XAA26446 sent by <dbfunk@engineering.uiowa.edu>; Thu, 5 Feb 2004
23:36:32 -0600 (CST)
Received: from d-is00.icaen.uiowa.edu ([128.255.17.30])
by server11.icaen.uiowa.edu (8.12.6/smtp-service-1.6) with ESMTP id
i165aWwe007221;
sent by <dbfunk@engineering.uiowa.edu>; Thu, 5 Feb 2004 23:36:32 -0600
(CST)
Received: (from dbfunk@localhost) by d-is00.icaen.uiowa.edu
(8.9.3/client-6.6) id XAA29206; Thu, 5 Feb 2004 23:36:32 -0600 (CST)

and on the outgoing side, received here:

Received: from intrepid.intrepid.com (intrepid.intrepid.com [192.195.190.1])
by screamer.intrepid.com (8.12.8/8.12.8) with ESMTP id i165ajhE023763
for <gary@screamer.intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800
Received: from mail.apache.org (daedalus.apache.org [208.185.179.12])
by intrepid.intrepid.com (8.12.8/8.12.8) with SMTP id i165ajWO007843
for <gary@intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800
Received: (qmail 93779 invoked by uid 500); 6 Feb 2004 05:36:24 -0000

---------

So two samples, one qmail and one sendmail.

Let's look at the documentation
(http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html)

---------

trusted_networks ip.add.re.ss[/mask] ... (default: none)

What networks or hosts are 'trusted' in your setup. Trusted in this case
means that relay hosts on these networks are considered to not be
potentially operated by spammers, open relays, or open proxies. DNS
blacklist checks will never query for hosts on these networks.
If a /mask is specified, it's considered a CIDR-style 'netmask', specified
in bits. If it is not specified, but fewer than 4 octets are specified with a
trailing dot, that's considered a mask to allow all addresses in the
remaining octets. If a mask is not specified, and there is no trailing dot,
then just the single IP address specified is used, as if the mask was /32.

Examples:

trusted_networks 192.168/16 127/8 # all in 192.168.*.* and 127.*.*.*
trusted_networks 212.17.35.15 # just that host
trusted_networks 127. # all in 127.*.*.*

This operates additively, so a trusted_networks line after another one will
result in all those networks becoming trusted. To clear out the existing
entries, use clear_trusted_networks.

If you're running with DNS checks enabled, SpamAssassin includes code to
infer your trusted networks on the fly, so this may not be necessary.
(Thanks to Scott Banister and Andrew Flury for the inspiration for this
algorithm.) This inference works as follows:

if the 'from' IP address is on the same /16 network as the top Received
line's 'by' host, it's trusted

if the address of the 'from' host is in a reserved network range, then it's
trusted

if any address of the 'by' host is in a reserved network range, then it's
trusted

-----------

whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net

Use this to supplement the whitelist_from addresses with a check against the
Received headers. The first parameter is the address to whitelist, and the
second is a string to match the relay's rDNS.
This string is matched against the reverse DNS lookup used during the
handover from the untrusted internet to your trusted network's mail
exchangers. It can either be the full hostname, or the domain component of
that hostname. In other words, if the host that connected to your MX had an
IP address that mapped to 'sendinghost.spamassassin.org', you should specify
sendinghost.spamassassin.org or just spamassassin.org here.

Note that this requires that trusted_networks be correct. For simple cases,
it will be, but for a complex network, or if you're running with DNS checks
off or with -L, you may get better results by setting that parameter.

e.g.

whitelist_from_rcvd joe@example.com example.com
whitelist_from_rcvd *@axkit.org sergeant.org

--------

This will likely turn out to be a very simple question, but I just want to
make sure that I understand how these features work. In the following
Received line:

Received: from mail.apache.org (daedalus.apache.org [208.185.179.12])
by intrepid.intrepid.com (8.12.8/8.12.8) with SMTP id i165ajWO007843
for <gary@intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800

the 'by intrepid.intrepid.com' is our mail gateway demarcation point.
But the 'by ...' part references a host _name_, not an IP address
(192.195.190.1).

Q: Does SA do an rDNS lookup on each hostname in the "by hostname" part of the Received header and then match that IP address against the trusted networks?

What I'm worried about is this line that I added to my local config:

whitelist_from_rcvd * localhost

because I see that many spammers spoof 'localhost' as the host name, and
I really want to make the determination that it is coming from my localhost
reliably.

Q: I have this as one of my trusted network defs in local.cf, to hopefully
work in concert with the whitelist_from_rcvd line above:

trusted_networks 127.

Although from reading the docs., it would appear that this network would be inferred as one of the 'reserved' IP blocks? (I think it would be helpful if the docs. defined these 'reserved IP blocks' explicitly.)

Q: If I explicitly define trusted_networks, do I still inherit the ones determined by SA's heuristics described above?

Q: When the docs say 'If you're running with DNS checks enabled', is that equivalent to saying 'if you do _not_ specify "local only" processing via the -L switch'?

Q: The docs. seem to imply that even if DNS checks are _disabled_, by specifying trusted_networks explicitly, things like whitelist_from_rcvd will operate correctly. Is this true? I ask because it seems like SA has to rDNS each host in the 'by host' part of each Received line to work properly, and if checks are off, maybe it doesn't do that?
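To make the documented semantics concrete, below is an added Python model (not SpamAssassin's own code, and a simplification of it) of three things the post asks about: parsing the trusted_networks forms the docs list (192.168/16, 212.17.35.15, 127.), walking the Received chain newest-first to find the hop where an untrusted connecting IP was recorded by a trusted relay, and applying the whitelist_from_rcvd rDNS match to that hop. It works only from the IP and rDNS name the receiving MTA wrote into the header, so no DNS lookups are performed. The Received lines are the ones quoted in the post; the trusted_networks value of 192.195.190. plus 127. for the intrepid.com gateway, the sender addresses, and the 198.51.100.7 relay with rDNS bad.example.invalid in the forgery case are constructed assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed samples. The first two Received lines are the "outgoing side"
# headers quoted in the post (folded onto one line each, newest first); the
# qmail line is the list's own local injection and carries no from/by pair.
SAMPLE_RECEIVED = [
    "Received: from intrepid.intrepid.com (intrepid.intrepid.com [192.195.190.1]) "
    "by screamer.intrepid.com (8.12.8/8.12.8) with ESMTP id i165ajhE023763 "
    "for <gary@screamer.intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800",
    "Received: from mail.apache.org (daedalus.apache.org [208.185.179.12]) "
    "by intrepid.intrepid.com (8.12.8/8.12.8) with SMTP id i165ajWO007843 "
    "for <gary@intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800",
    "Received: (qmail 93779 invoked by uid 500); 6 Feb 2004 05:36:24 -0000",
]

# Constructed forgery case: an untrusted relay (assumed IP 198.51.100.7 with
# rDNS bad.example.invalid) handed our gateway a message that already carried
# a fake "from localhost" line underneath the line our gateway wrote.
FORGED_RECEIVED = [
    SAMPLE_RECEIVED[0],
    "Received: from localhost (bad.example.invalid [198.51.100.7]) "
    "by intrepid.intrepid.com (8.12.8/8.12.8) with SMTP id i165ajWO000001 "
    "for <gary@intrepid.com>; Thu, 5 Feb 2004 21:36:45 -0800",
    "Received: from localhost (localhost [127.0.0.1]) by localhost "
    "with ESMTP id fake; Thu, 5 Feb 2004 21:36:00 -0800",
]

# qmail-style hop from the "incoming side" headers: a HELO name, but no rDNS.
QMAIL_HOP = ("Received: from unknown (HELO server07.icaen.uiowa.edu) (128.255.17.47) "
             "by daedalus.apache.org with SMTP; 6 Feb 2004 05:36:24 -0000")


def ip_to_int(ip):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def parse_trusted_network(spec):
    """Turn one trusted_networks token into (network, mask) using the documented
    rules: an explicit /bits mask; a trailing dot meaning 'all addresses in the
    remaining octets'; otherwise a single host, i.e. /32."""
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        bits = int(bits)
    elif spec.endswith("."):
        addr = spec[:-1]
        bits = 8 * len(addr.split("."))
    else:
        addr, bits = spec, 32
    octets = [int(o) for o in addr.split(".") if o != ""]
    octets += [0] * (4 - len(octets))          # pad short forms such as 127/8
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(".".join(map(str, octets))) & mask, mask


def is_trusted(ip, networks):
    n = ip_to_int(ip)
    return any((n & mask) == net for net, mask in networks)


def parse_received(line):
    """Extract the HELO name, the rDNS name the receiving MTA recorded (None if
    it recorded none), the connecting IP and the 'by' host from one Received
    line. Lines with no 'from ... by ...' pair (qmail local injection) give None."""
    line = re.sub(r"^Received:\s*", "", line)
    m = re.match(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", line, re.S)
    if not m:
        return None
    helo, middle, by = m.groups()
    ip_m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", middle)
    if not ip_m:
        return None
    # sendmail writes "(rdns [ip])"; qmail writes "(HELO x) (ip)" with no rDNS
    rdns_m = re.search(r"\(([\w.-]+)\s+\[" + re.escape(ip_m.group(1)), middle)
    return {"helo": helo, "rdns": rdns_m.group(1) if rdns_m else None,
            "ip": ip_m.group(1), "by": by}


def handover_relay(received_lines, networks):
    """Walk the chain newest-first and return the first hop whose connecting IP
    is outside trusted_networks: the handover from the untrusted internet into
    our mail exchangers. Anything below that hop was written by strangers."""
    for line in received_lines:
        hop = parse_received(line)
        if hop is not None and not is_trusted(hop["ip"], networks):
            return hop
    return None


def whitelist_from_rcvd(addr_pattern, rdns_domain, sender, received_lines, networks):
    """Model of the documented check: the sender must match the address pattern
    and the handover hop's rDNS must equal the domain or end in '.' + domain."""
    if not fnmatch(sender.lower(), addr_pattern.lower()):
        return False
    hop = handover_relay(received_lines, networks)
    if hop is None or hop["rdns"] is None:
        return False
    rdns, dom = hop["rdns"].lower(), rdns_domain.lower()
    return rdns == dom or rdns.endswith("." + dom)


# Assumed local.cf for the gateway in the post: its own /24 plus loopback.
TRUSTED = [parse_trusted_network(s) for s in ("192.195.190.", "127.")]

if __name__ == "__main__":
    print("handover relay:", handover_relay(SAMPLE_RECEIVED, TRUSTED))
    print("forged 'localhost' hop whitelisted?",
          whitelist_from_rcvd("*", "localhost", "x@example.com", FORGED_RECEIVED, TRUSTED))
```

The forgery case is the point behind the post's worry about `whitelist_from_rcvd * localhost`: with trusted_networks set correctly, the hop that is matched is the one the trusted gateway itself wrote, which records the real connecting IP and the real rDNS, so a spoofed 'localhost' line further down the chain is never consulted. The qmail hop shows the other limit the docs hint at: when the receiving MTA recorded no rDNS name at all, there is nothing for the domain string to match.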