"Is Definitely Spam" rule not working ?

Glenn Steen glenn.steen at gmail.com
Tue Feb 5 22:42:52 GMT 2008


On 05/02/2008, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
> Glenn Steen wrote:
> > On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >
> >> On 05 Feb 08, at 12:31, Glenn Steen wrote:
> >>
> >>
> >>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>>
> >>>> On 05 Feb 08, at 09:45, Glenn Steen wrote:
> >>>>
> >>>>
> >>>>> On 05/02/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
> >>>>>
> >>>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>>>>>
> >>>>> (snip)
> >>>>>
> >>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>>>>>> takes it and puts it back into the Postfix queue.
> >>>>>>>
> >>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>>>>>> address otherwise why is the "Is Definitely Not Spam" rule
> >>>>>>> working :
> >>>>>>>
> >>>>>>> Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message
> >>>>>>> E8686E9102.A7655
> >>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org
> >>>>>>> ) is whitelisted
> >>>>>>>
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>> Anything happening to the message _after_ MailScanner doesn't have
> >>>>>> any impact on your problem... What happens before though... You
> >>>>>> have to make sure that your SA trust_path is OK, and all should be
> >>>>>> well. Why do you use the ClamSMTP thing at all?
> >>>>>>
> >>>>>> Cheers
> >>>>>>
> >>>>> Oh, sorry, not an SA issue... Still, the last client to handle
> >>>>> this is the clamsmtp thing, which might just be the problem.
> >>>>> Again, why do you use that? Theoretically MailScanner (through the
> >>>>> batching, and using either clamavmodule or clamd) should be more
> >>>>> efficient and less likely to be able to be DoS'd... That
> >>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>>>
> >>>>> Cheers
> >>>>> --
> >>>>> -- Glenn
> >>>>> email: glenn < dot > steen < at > gmail < dot > com
> >>>>> work: glenn < dot > steen < at > ap1 < dot > se
> >>>>>
> >>>> One advantage of using ClamSMTP is the reject of the worm at the
> >>>> connection time.
> >>>> As we receive a lot of mail per day, it's not negligible.
> >>>>
> >>> No, but then neither is the resource drain;-).
> >>>
> >>>
> >>>> As MailScanner is using McAfee, we have two different AV to check the
> >>>> messages.
> >>>>
> >>> Prudent, but did you look at processing times etc for the "all MS"
> >>> case?
> >>> Sure, the real killer is likely SA, and the ClamSMTP thing will
> >>> avoid that...
> >>> I wonder if the clamav milter would be a "nicer" solution, avoiding
> >>> your current problem...
> >>>
> >>> Cheers
> >>> --
> >>> -- Glenn
> >>> email: glenn < dot > steen < at > gmail < dot > com
> >>> work: glenn < dot > steen < at > ap1 < dot > se
> >>> --
> >>>
> >> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
> >> what happens.
> >> All the clientip are 127.0.0.1 :-(
> >>
> >> Whitelisting is working because the check is done on the From address
> >> and not on the client IP.
> >> The blacklisting, in that case doesn't work because it's an IP address.
> >>
> >> So, we can't use before-filter with Postfix and MailScanner and hope
> >> that the white or black listing will work with IP addresses even if we
> >> use the smtpd_authorized_xforward_hosts.
> >>
> >> Is that right ?
> >>
> >
> > Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> > loopback when determining the ip... Perhaps a bit like SA does it
> > (with the trust thing).
> >
> I can't do that. MailScanner directly reads the IP address of the TCP/IP
> connection source, it doesn't involve looking at the headers of the
> message at all.

True. Bummer. That completely defeats any such "smtp base pre-filters"
to work (any MTA) in conjunction with IP-based rulesets. Really bad,
that... since using the email to/from address for WL is so...
spoofable...:(.
Oh well, Pascal will have to look at the milter route then... Or let
MS do all AV...

> >
> >> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> >> posted on the postfix list also) ?
> >>
> > Good question. Perhaps one (Jules) could use that...:).
> > BTW, wear your asbestos underwear when telling the pf-list your
> > problem... they seriously dislike MS... still...:(.
> >
> Don't expect to get anything useful from the Postfix list about MailScanner.
Hehe, we know what they'll say:-). And what other product they'll tout...:/.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
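
The failure confirmed in this thread, as an added example that is not part of the original messages and is not MailScanner's code: a simplified model of ruleset matching in which IP patterns are compared only with the TCP peer address, so an SMTP pre-filter on loopback makes every IP rule unreachable while sender-address rules keep matching. The ruleset syntax is modelled loosely, the function names are hypothetical, and `spammer.example` is a constructed value.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed ruleset in the spirit of an "Is Definitely Spam" ruleset.
# Simplified model: direction, pattern, yes/no value; first match wins.
RULES = """\
From:      66.63.168.38        yes
From:      *@spammer.example   yes
FromOrTo:  default             no
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split()
            rules.append((direction.rstrip(":").lower(), pattern, value == "yes"))
    return rules

def pattern_matches(pattern, sender, client_ip):
    """IP patterns are tested against the TCP peer address, never the headers."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # not an IP pattern, so treat it as an address glob
        return fnmatch(sender.lower(), pattern.lower())
    return ipaddress.ip_address(client_ip) in net

def is_definitely_spam(rules, sender, client_ip):
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        if direction in ("from", "fromorto") and pattern_matches(pattern, sender, client_ip):
            return value
    return False

def ip_rules_unreachable(rules, observed_client_ips):
    """Return the IP rules that cannot fire when every logged peer is loopback."""
    if not all(ipaddress.ip_address(ip).is_loopback for ip in observed_client_ips):
        return []
    out = []
    for _, pattern, _ in rules:
        try:
            ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            continue
        out.append(pattern)
    return out
```

Feeding `ip_rules_unreachable` the client addresses taken from the scanner's own log lines gives a quick audit of which list entries are dead behind the pre-filter.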

