MailScanner and Zimbra
David Jones
djones at ena.com
Mon Nov 4 01:30:40 UTC 2019
Those Zimbra rules are better than nothing but they aren’t correct on lines 88, 93, and 98. The DMARC specification says that DKIM should pass and align with the From: domain OR SPF should pass and align with the envelope-from domain. Those rules at those lines say it’s an AND but it should be OR like
(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_*
It’s not that critical since they are only subtracting a few points for the DMARC_PASS_* rules. Then again, passing DMARC doesn’t have a direct relationship to spam and ham. It only asserts the email was authentic (DKIM) or authorized (SPF). You can take any of those DKIM_VALID_AU and SPF_PASS and create whitelist_auth entries which actually have value towards allowing/blocking.
The best way to get DMARC support into SA is to install opendmarc and integrate it into your MTA (plenty of HOWTOs out there) and then add rules similar to these (adjust regex for your opendmarc.conf AuthservID setting):
/etc/opendmarc.conf
AuthservID = smtp.example.com
RejectFailures true
Socket inet:8893@localhost
SoftwareHeader true
SPFIgnoreResults true
SPFSelfValidate true
/etc/mail/spamassassin/10_opendmarc.cf
header DMARC_PASS Authentication-Results =~ /smtp\.example\.com; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.01
header DMARC_FAIL Authentication-Results =~ /smtp\.example\.com; dmarc=fail/
describe DMARC_FAIL DMARC check failed
score DMARC_FAIL 0.01
header DMARC_NONE Authentication-Results =~ /smtp\.example\.com; dmarc=none/
describe DMARC_NONE DMARC check neutral
score DMARC_NONE 0.01
header __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.example\.com; dmarc=fail \(p=reject/
meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT
describe DMARC_FAIL_REJECT DMARC check failed and the sending domain says to reject this message
score DMARC_FAIL_REJECT 9.0
Then create meta rules based off of the rules above or use MailScanner’s “SpamAssassin Rule Actions” for more precision.
DMARC_PASS != ham and DMARC_FAIL != spam. These should be used to make safe whitelist_auth entries.
From: Thomas Stephen Lee <lee.iitb at gmail.com>
Date: Sunday, November 3, 2019 at 9:10 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <iversons at rushville.k12.in.us>, David Jones <djones at ena.com>
Subject: Re: MailScanner and Zimbra
Hi All,
The DMARC rules are in
https://github.com/Zimbra/zm-mta/blob/develop/salocal.cf.in
Sorry, Zimbra does not have a MailScanner rule.
We added it extra.
vim /opt/zimbra/data/spamassassin/localrules/sauser.cf
-----------------
header LOCAL_MAILSCANNER_SPAM X-Organization-MailScanner-SpamScore =~ /sssss/
describe LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
score LOCAL_MAILSCANNER_SPAM 4.123
-----------------
thanks
---
Thomas Stephen Lee
On Sat, Nov 2, 2019 at 11:01 PM Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:
Following...
Would love to see those rules as well. I like that Zimbra has a MailScanner rule!
On Sat, Nov 2, 2019 at 1:25 PM David Jones via MailScanner <mailscanner at lists.mailscanner.info> wrote:
DMARC and BAYES blocked that email.
It would be interesting to get/see the details of the “DMARC_” rules on the Zimbra server. Zimbra must have added DMARC support to Spamassassin. I wonder if they used opendmarc with custom SA rules to read the opendmarc headers.
Same for LOCAL_MAILSCANNER_SPAM. I would like to see that rule. In a Zimbra environment, you may want to use MailScanner to score only and not block to utilize the built-in Zimbra spam/ham handling.
From: MailScanner <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on behalf of Thomas Stephen Lee <lee.iitb at gmail.com>
Reply-To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Date: Saturday, November 2, 2019 at 4:12 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner and Zimbra
Hi All,
Thank you very much for all the suggestions.
We will try out one by one.
Given below is a partial output of a message Zimbra caught as spam.
*----------------------------------------------------------------------------*
Content analysis details: (16.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
1.0 HK_RANDOM_REPLYTO Reply-To username looks random
4.1 LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
1.0 HK_RANDOM_FROM From username looks random
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(hulsingcrm6[at]aliyun.com)
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
(hulsingcrm6[at]aliyun.com)
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
6.0 DMARC_FAIL_QUAR DMARC validation failed and policy is quarantine
0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
freemail headers are different
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
*----------------------------------------------------------------------------*
thanks
---
Thomas Stephen Lee
On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro <mark at msapiro.net> wrote:
On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
> +1
>
> We need to put this on the MailScanner website as "Things you can do to
> enhance your MailScanner" :)
+1
The old web site used to have some tips. See
<https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html>.
Some of this is out of date, but we should have similar info on the
current web site.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us
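Added example (not part of the original post, and not code from SpamAssassin or opendmarc): a Python script that applies the four header rules from the 10_opendmarc.cf listing above to constructed sample messages. It shows that a p=reject failure hits both DMARC_FAIL and DMARC_FAIL_REJECT, that a folded header still matches once unfolded, and that a result stamped by a different authserv-id hits nothing. The sample messages and the function names are assumptions made for illustration.

```python
import email
import re

# The four rules from 10_opendmarc.cf in the post: (name, pattern, score).
RULES = [
    ("DMARC_PASS", r"smtp\.example\.com; dmarc=pass", -0.01),
    ("DMARC_FAIL", r"smtp\.example\.com; dmarc=fail", 0.01),
    ("DMARC_NONE", r"smtp\.example\.com; dmarc=none", 0.01),
    ("DMARC_FAIL_REJECT", r"smtp\.example\.com; dmarc=fail \(p=reject", 9.0),
]

def auth_results(raw_message):
    """Return each Authentication-Results value unfolded onto one line."""
    msg = email.message_from_string(raw_message)
    values = msg.get_all("Authentication-Results") or []
    return [re.sub(r"\s*\r?\n\s+", " ", v).strip() for v in values]

def evaluate(raw_message):
    """Return (sorted names of the rules that hit, total score)."""
    joined = "\n".join(auth_results(raw_message))
    hits = [(name, pts) for name, pat, pts in RULES if re.search(pat, joined)]
    return sorted(name for name, _ in hits), round(sum(p for _, p in hits), 2)

# Constructed sample messages (not taken from the thread).
PASS_MSG = (
    "Authentication-Results: smtp.example.com; dmarc=pass (p=none dis=none)\n"
    " header.from=example.org\n"
    "From: a@example.org\n\nbody\n"
)
# Folded right after the authserv-id; unfolding restores "; dmarc=fail (p=reject".
REJECT_MSG = (
    "Authentication-Results: smtp.example.com;\n"
    "\tdmarc=fail (p=reject dis=none) header.from=example.net\n"
    "From: b@example.net\n\nbody\n"
)
# Stamped by a different authserv-id, so no rule keyed to AuthservID matches.
FOREIGN_MSG = (
    "Authentication-Results: mx.other.example; dmarc=pass header.from=example.org\n"
    "From: c@example.org\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in [("pass", PASS_MSG), ("reject", REJECT_MSG), ("foreign", FOREIGN_MSG)]:
        print(label, evaluate(raw))
```

With the scores from the post, only DMARC_FAIL_REJECT moves the total in any meaningful way; the other three rules act as markers for meta rules.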