Mailing List Archive: SpamAssassin: users

Problems with whitelist_from_rcvd



bi at hl

Oct 2, 2009, 1:34 AM

Post #1 of 13 (1025 views)
Problems with whitelist_from_rcvd

Hi,

When I add the string like:
whitelist_from some [at] domain
it works OK.

But:
whitelist_from_rcvd some [at] domain prefix.domain.mail
doesn't work.

I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
all right.

And the appropriate mail header seems to be correct:
Received: from prefix.domain.mail (unknown [12.12.12.12])

What's the matter?
Attachments: signature.asc (0.19 KB)


me at junc

Oct 2, 2009, 2:55 AM

Post #2 of 13 (980 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On fre 02 okt 2009 10:34:55 CEST, Igor Bogomazov wrote
> And the appropriate mail header seems to be correct:
> Received: from prefix.domain.mail (unknown [12.12.12.12])
> What's the matter?

"unknown" reverse DNS is Postfix's answer for a reverse DNS that was not found, so
the host in the test you did was wrong

host 12.12.12.12 gives unknown
dig unknown gives 12.12.12.12 ?

prefix.domain.mail is the helo header

--
xpoint


jeff at delphioutpost

Oct 2, 2009, 6:27 AM

Post #3 of 13 (977 views)
Re: Problems with whitelist_from_rcvd [In reply to]

From: Igor Bogomazov <bi [at] hl>
Date: Fri, 2 Oct 2009 12:34:55 +0400

When I add the string like:
whitelist_from some [at] domain
it works OK.

But:
whitelist_from_rcvd some [at] domain prefix.domain.mail
doesn't work.

I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
all right.

And the appropriate mail header seems to be correct:
Received: from prefix.domain.mail (unknown [12.12.12.12])

What's the matter?

It is hard to say for sure without seeing actual received headers.

You need to use the last external relay used by the email.

From man Mail::SpamAssassin::Conf.

whitelist_from_rcvd ...

This string is matched against the reverse DNS lookup used during
the handover from the internet to your internal network's mail
exchangers. It can either be the full hostname, or the domain
component of that hostname. ...

The easiest way to figure out which one to use is to add a Relay
header using:
add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_

Then get the RDNS from the first untrusted=[ip=... rdns=RDNS ...] relay.
If the RDNS is blank then the whitelist_from_rcvd won't work.

Your internal_networks and trusted_networks need to be set up correctly.

-jeff


jhardin at impsec

Oct 2, 2009, 6:32 AM

Post #4 of 13 (985 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On Fri, 2 Oct 2009, Igor Bogomazov wrote:

> whitelist_from_rcvd some [at] domain prefix.domain.mail
> doesn't work.
>
> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
> all right.

You don't check rDNS using "host", you check it using "dig -x
host.ip.addr.here"

> And the appropriate mail header seems to be correct:
> Received: from prefix.domain.mail (unknown [12.12.12.12])
>
> What's the matter?

The "(unknown [12.12.12.12])" part shows that rDNS for that IP address is
_not_ configured, or that DNS on your MTA cannot resolve it for some
reason. The text after "from" is the string used in the client's HELO,
which can be anything at all and cannot be trusted for authentication.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You cannot bring about prosperity by discouraging thrift. You
cannot help small men by tearing down big men. You cannot
strengthen the weak by weakening the strong. You cannot lift the
wage-earner by pulling down the wage-payer. You cannot help the
poor man by destroying the rich. You cannot keep out of trouble by
spending more than your income. You cannot further the brotherhood
of man by inciting class hatred. You cannot establish security on
borrowed money. You cannot build character and courage by taking
away men's initiative and independence. You cannot help men
permanently by doing for them what they could and should do for
themselves. -- William J. H. Boetcker
-----------------------------------------------------------------------
Approximately 9081780 firearms legally purchased in the U.S. this year


kdeugau at vianet

Oct 2, 2009, 7:39 AM

Post #5 of 13 (975 views)
Re: Problems with whitelist_from_rcvd [In reply to]

John Hardin wrote:
> You don't check rDNS using "host", you check it using "dig -x
> host.ip.addr.here"

Actually, unless your DNS configuration is doing something bizarre, they
should give back the same basic info - dig is just a lot more verbose:

[kdeugau [at] turbopro ~]$ host 209.91.179.62
62.179.91.209.in-addr.arpa domain name pointer deepnet.cx.
[kdeugau [at] turbopro ~]$ dig -x 209.91.179.62

; <<>> DiG 9.2.4 <<>> -x 209.91.179.62
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62009
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;62.179.91.209.in-addr.arpa. IN PTR

;; ANSWER SECTION:
62.179.91.209.in-addr.arpa. 892 IN PTR deepnet.cx.

;; AUTHORITY SECTION:
179.91.209.in-addr.arpa. 890 IN NS ns3.vianet.ca.
179.91.209.in-addr.arpa. 890 IN NS ns4.vianet.ca.
179.91.209.in-addr.arpa. 890 IN NS ns1.vianet.ca.
179.91.209.in-addr.arpa. 890 IN NS ns2.vianet.ca.

;; ADDITIONAL SECTION:
ns1.vianet.ca. 22 IN A 209.91.128.30
ns2.vianet.ca. 22 IN A 204.187.89.10
ns3.vianet.ca. 22 IN A 209.91.174.60
ns4.vianet.ca. 22 IN A 204.187.88.5

;; Query time: 2 msec
;; SERVER: 209.91.179.154#53(209.91.179.154)
;; WHEN: Fri Oct 2 10:33:50 2009
;; MSG SIZE rcvd: 213

[kdeugau [at] turbopro ~]$ dig -x 209.91.179.62 +short
deepnet.cx.
[kdeugau [at] turbopro ~]$

(The "AUTHORITY" and "ADDITIONAL" sections may not be returned depending
on your DNS cache; BIND returns the above, DJB's dnscache doesn't
return either.)

-kgd, wearing his "ISP DNS admin" hat


bill at inetmsg

Oct 2, 2009, 8:40 AM

Post #6 of 13 (973 views)
Re: Problems with whitelist_from_rcvd [In reply to]

John Hardin wrote:
> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>
>> whitelist_from_rcvd some [at] domain prefix.domain.mail
>> doesn't work.
>>
>> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
>> all right.
>
> You don't check rDNS using "host", you check it using "dig -x
> host.ip.addr.here"

Why not, they come up with the same thing?:

host 207.210.83.140
140.83.210.207.in-addr.arpa domain name pointer ga.impsec.org.

dig -x 207.210.83.140 +short
ga.impsec.org.

Bill


jhardin at impsec

Oct 2, 2009, 9:32 AM

Post #7 of 13 (969 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On Fri, 2 Oct 2009, Kris Deugau wrote:

> John Hardin wrote:
>> You don't check rDNS using "host", you check it using "dig -x
>> host.ip.addr.here"
>
> Actually, unless your DNS configuration is doing something bizarre, they
> should give back the same basic info - dig is just a lot more verbose:
>
> -kgd, wearing his "ISP DNS admin" hat

...I stand corrected. Thanks.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws cannot reduce violent crime, because gun control
laws assume a violent criminal will obey the law.
-----------------------------------------------------------------------
Approximately 9085920 firearms legally purchased in the U.S. this year


jhardin at impsec

Oct 2, 2009, 11:06 AM

Post #8 of 13 (967 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On Fri, 2 Oct 2009, Bill Landry wrote:

> John Hardin wrote:
>> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>
>>> I've checked rDNS of the prefix.domain.mail with 'host' utility - it's
>>> all right.
>>
>> You don't check rDNS using "host", you check it using "dig -x
>> host.ip.addr.here"
>
> Why not, they come up with the same thing?:

I apologize; I don't use host and I looked at the man page for an explicit
reverse option and didn't see one, and jumped to the wrong conclusion.

Igor, can you show us how you used host and what it output?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws cannot reduce violent crime, because gun control
laws assume a violent criminal will obey the law.
-----------------------------------------------------------------------
Approximately 9088680 firearms legally purchased in the U.S. this year


bi at hl

Oct 4, 2009, 11:28 PM

Post #9 of 13 (942 views)
Re: Problems with whitelist_from_rcvd [In reply to]

> On Fri, 2 Oct 2009, Bill Landry wrote:
>
> > John Hardin wrote:
> >> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
> >>
> >>> I've checked rDNS of the prefix.domain.mail with 'host' utility -
> >>> it's all right.
> >>
> >> You don't check rDNS using "host", you check it using "dig -x
> >> host.ip.addr.here"
> >
> > Why not, they come up with the same thing?:
>
> I apologize; I don't use host and I looked at the man page for an
> explicit reverse option and didn't see one, and jumped to the wrong
> conclusion.
>
> Igor, can you show us how you used host and what it output?
>

Here's both headers, tagged "Received":

Received: by MYDOMAIN.MAIL (Postfix, from userid 1002)
id F0E8D9B801A; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)

Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12]) by
highlink.ru (Postfix) with ESMTP id 9562D6A82F5 for <someone [at] somewher>;
Fri, 2 Oct 2009 12:08:13 +0400 (MSD)

I suppose the last one is in use. SUB.MYDOMAIN.MAIL with IP 12.12.12.12,
right? I can check rDNS of the IP-address and it is really
SUB.MYDOMAIN.MAIL.


--
Regards,

Igor Bogomazov
Игорь Богомазов
Chief Technical Specialist
HighLink Ltd. St-Petersburg, Russia
8(812)334-12-12 [ext. 220]
8(963)344-44-38 (Beeline)
http://www.hl.ru
Attachments: signature.asc (0.19 KB)


bi at hl

Oct 4, 2009, 11:34 PM

Post #10 of 13 (934 views)
Re: Problems with whitelist_from_rcvd [In reply to]

> > On Fri, 2 Oct 2009, Bill Landry wrote:
> >
> > > John Hardin wrote:
> > >> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
> > >>
> > >>> I've checked rDNS of the prefix.domain.mail with 'host' utility
> > >>> - it's all right.
> > >>
> > >> You don't check rDNS using "host", you check it using "dig -x
> > >> host.ip.addr.here"
> > >
> > > Why not, they come up with the same thing?:
> >
> > I apologize; I don't use host and I looked at the man page for an
> > explicit reverse option and didn't see one, and jumped to the wrong
> > conclusion.
> >
> > Igor, can you show us how you used host and what it output?
> >
>
> Here's both headers, tagged "Received":
>
> Received: by MYDOMAIN.MAIL (Postfix, from userid 1002)
> id F0E8D9B801A; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>
> Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12]) by
> highlink.ru (Postfix) with ESMTP id 9562D6A82F5 for
> <someone [at] somewher>; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>
> I suppose the last one is in use. SUB.MYDOMAIN.MAIL with IP
> 12.12.12.12, right? I can check rDNS of the IP-address and it is
> really SUB.MYDOMAIN.MAIL.

Sorry, about host:

# host SUB.MYDOMAIN.MAIL
SUB.MYDOMAIN.MAIL has address 12.12.12.12

host does not produce anything else but a single row

--
Regards,

Igor Bogomazov
Игорь Богомазов
Chief Technical Specialist
HighLink Ltd. St-Petersburg, Russia
8(812)334-12-12 [ext. 220]
8(963)344-44-38 (Beeline)
http://www.hl.ru
Attachments: signature.asc (0.19 KB)


jhardin at impsec

Oct 5, 2009, 6:38 AM

Post #11 of 13 (932 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On Mon, 5 Oct 2009, Igor Bogomazov wrote:

>>> John Hardin wrote:
>>>> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>>>>
>>>>> I've checked rDNS of the prefix.domain.mail with 'host' utility -
>>>>> it's all right.
>>
>> Igor, can you show us how you used host and what it output?
>
> Here's both headers, tagged "Received":

Neither of these illustrates how you are checking your rDNS data.

> Received: by MYDOMAIN.MAIL (Postfix, from userid 1002)
> id F0E8D9B801A; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>
> Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12]) by
> highlink.ru (Postfix) with ESMTP id 9562D6A82F5 for <someone [at] somewher>;
> Fri, 2 Oct 2009 12:08:13 +0400 (MSD)
>
> I suppose the last one is in use. SUB.MYDOMAIN.MAIL with IP 12.12.12.12,
> right? I can check rDNS of the IP-address and it is really
> SUB.MYDOMAIN.MAIL.

Ignore the text immediately after the "from", in this case
"SUB.MYDOMAIN.MAIL". That is _not_ rDNS data, that is whatever the client
sent in its SMTP HELO, and can be _anything_. If you see the correct
hostname there it just means that computer is sending its correct hostname
when it says HELO.

To illustrate, I pulled this out of your message to the list, it is not
edited in any way:

Received: from localhost (unknown [213.108.33.133])
by highlink.ru (Postfix) with ESMTP id 37F236A818D
for <users [at] spamassassin>; Mon, 5 Oct 2009 10:28:48 +0400 (MSD)

I'm pretty sure 213.108.33.133's rDNS does not say "localhost".

The "(unknown [12.12.12.12])" is the DNS data about the client as your MTA
sees it, and the fact that it says "unknown" means that for some reason it
cannot perform rDNS on that IP address, or perhaps its rDNS is explicitly
set to "unknown". If rDNS was working you'd see something like:

Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by ga.impsec.org (8.13.7/8.13.7) with SMTP id n956Tp8L020518
for <jhardin [at] impsec>; Sun, 4 Oct 2009 23:29:55 -0700

Exactly how are you checking the rDNS of that IP address? Can you
demonstrate? For example, here are rDNS lookups on the two IP addresses
from my examples above:

jhardin [at] dendari ~ $ host 213.108.33.133
133.33.108.213.in-addr.arpa domain name pointer 133.33.108.213.hl.ru.
jhardin [at] dendari ~ $ host 140.211.11.3
3.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.

I note that the first does have an rDNS, even though the Received: header
from the MTA in the example above says "unknown".

Are you performing your rDNS tests on the MTA computer? It looks to me
like the DNS setup on it is misconfigured somehow and it can't perform
rDNS queries successfully.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Therapeutic Phrenologist - send email for affordable rate schedule.
-----------------------------------------------------------------------
Approximately 9181140 firearms legally purchased in the U.S. this year
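The mechanics jeff described in post #3 (match against the rDNS of the first untrusted relay) and John Hardin in posts #4 and #11 (the name after "from" is the client's HELO, the name in parentheses is the MTA's rDNS result), as an added example that is not part of this thread and not SpamAssassin's own code: a small Python model that splits a Received: header into HELO name, rDNS result and client IP, picks the handover relay by skipping trusted networks, and emulates the whitelist_from_rcvd match. The sample headers are constructed from the ones quoted in the thread with recipient addresses replaced by example.invalid, the trusted_networks values are hypothetical, and treating Postfix's "unknown" as "no rDNS" is an assumption about SpamAssassin's parser, marked in the comments.

```python
"""Added example: parse Received: headers and emulate whitelist_from_rcvd.
Not SpamAssassin code; a simplified model of the behaviour the thread describes."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the two header shapes quoted in the thread:
#   Received: from HELO (RDNS [IP]) by ...      (rDNS lookup succeeded)
#   Received: from HELO (unknown [IP]) by ...   (Postfix: no PTR, or lookup failed)
_RX = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


@dataclass
class Relay:
    helo: str   # what the client said in HELO/EHLO: client-controlled, never authenticating
    rdns: str   # PTR result as the receiving MTA recorded it; "" when it had none
    ip: str     # the connecting address, the only part the MTA observed itself


def parse_received(header: str) -> Optional[Relay]:
    """Return relay info from a 'Received: from ...' header, or None for a
    local-submission header such as 'Received: by HOST (Postfix, from userid N)'."""
    m = _RX.match(header)
    if m is None:
        return None
    rdns = (m.group("rdns") or "").rstrip(".").lower()
    if rdns == "unknown":
        # Assumption: Postfix writes "unknown" when the PTR lookup fails, and
        # SpamAssassin treats that as the relay having no rDNS at all.
        rdns = ""
    return Relay(helo=m.group("helo").rstrip(".").lower(), rdns=rdns, ip=m.group("ip"))


def handover_relay(headers: List[str], trusted_networks: List[str]) -> Optional[Relay]:
    """Walk Received: headers top-down (newest first) and return the first relay
    whose IP lies outside trusted_networks: the host that handed the mail from
    the internet to your own mail exchangers. Headers without a remote client
    and hops inside your trusted networks are skipped."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for h in headers:
        relay = parse_received(h)
        if relay is None:
            continue
        ip = ipaddress.ip_address(relay.ip)
        if any(ip in net for net in trusted):
            continue
        return relay
    return None


def rdns_matches(rdns: str, pattern: str) -> bool:
    """Second argument of whitelist_from_rcvd: the full rDNS hostname or the
    domain component of it. An empty rDNS never matches, which is why a
    '(unknown [12.12.12.12])' relay can never satisfy the rule."""
    if not rdns:
        return False
    pattern = pattern.lower().rstrip(".")
    return rdns == pattern or rdns.endswith("." + pattern)


def whitelist_from_rcvd(headers: List[str], sender: str, addr_glob: str,
                        rdns_pattern: str, trusted_networks=()) -> bool:
    """True when the sender matches the address glob AND the handover relay's
    rDNS (never its HELO name) matches rdns_pattern."""
    if not fnmatch.fnmatchcase(sender.lower(), addr_glob.lower()):
        return False
    relay = handover_relay(headers, list(trusted_networks))
    return relay is not None and rdns_matches(relay.rdns, rdns_pattern)


# Constructed sample headers, modelled on the ones quoted in the thread.
HEADERS_UNKNOWN = [
    "Received: by MYDOMAIN.MAIL (Postfix, from userid 1002) id F0E8D9B801A; "
    "Fri, 2 Oct 2009 12:08:13 +0400 (MSD)",
    "Received: from SUB.MYDOMAIN.MAIL (unknown [12.12.12.12]) by highlink.ru (Postfix) "
    "with ESMTP id 9562D6A82F5 for <someone@example.invalid>; Fri, 2 Oct 2009 12:08:13 +0400 (MSD)",
]
HEADERS_OK = [
    "Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by ga.impsec.org "
    "(8.13.7/8.13.7) with SMTP id n956Tp8L020518 for <jhardin@example.invalid>; "
    "Sun, 4 Oct 2009 23:29:55 -0700",
]

if __name__ == "__main__":
    for name, hdrs in (("unknown", HEADERS_UNKNOWN), ("ok", HEADERS_OK)):
        r = handover_relay(hdrs, [])
        print("%-8s helo=%s rdns=%r ip=%s" % (name, r.helo, r.rdns, r.ip))
    # The thread's case: HELO looks right, but rDNS is empty, so the rule fails.
    print(whitelist_from_rcvd(HEADERS_UNKNOWN, "some@domain", "some@domain", "SUB.MYDOMAIN.MAIL"))
    # Working rDNS: the domain component matches, the HELO name does not.
    print(whitelist_from_rcvd(HEADERS_OK, "user@apache.org", "*@apache.org", "apache.org"))
    print(whitelist_from_rcvd(HEADERS_OK, "user@apache.org", "*@apache.org", "mail.apache.org"))
```

Running it shows the two outcomes the thread turns on: the "unknown" relay carries a plausible HELO name and an empty rDNS, so no whitelist_from_rcvd pattern can match it, while the hermes.apache.org relay matches "apache.org" but not the HELO string "mail.apache.org". To see SpamAssassin's own view of the relays rather than this model's, use the add_header Relay line jeff gave in post #3 and read the rdns= field of the first untrusted entry.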


bi at hl

Oct 5, 2009, 11:12 PM

Post #12 of 13 (927 views)
Re: Problems with whitelist_from_rcvd [In reply to]

> Ignore the text immediately after the "from", in this case
> "SUB.MYDOMAIN.MAIL". That is _not_ rDNS data, that is whatever the
> client sent in its SMTP HELO, and can be _anything_. If you see the
> correct hostname there it just means that computer is sending its
> correct hostname when it says HELO.
>
> To illustrate, I pulled this out of your message to the list, it is
> not edited in any way:
>
> Received: from localhost (unknown [213.108.33.133])
> by highlink.ru (Postfix) with ESMTP id 37F236A818D
> for <users [at] spamassassin>; Mon, 5 Oct 2009 10:28:48
> +0400 (MSD)
>
> I'm pretty sure 213.108.33.133's rDNS does not say "localhost".
>
> The "(unknown [12.12.12.12])" is the DNS data about the client as
> your MTA sees it, and the fact that it says "unknown" means that for
> some reason it cannot perform rDNS on that IP address, or perhaps its
> rDNS is explicitly set to "unknown". If rDNS was working you'd see
> something like:
>
> Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
> by ga.impsec.org (8.13.7/8.13.7) with SMTP id n956Tp8L020518
> for <jhardin [at] impsec>; Sun, 4 Oct 2009 23:29:55 -0700
>
> Exactly how are you checking the rDNS of that IP address? Can you
> demonstrate? For example, here are rDNS lookups on the two IP
> addresses from my examples above:
>
> jhardin [at] dendari ~ $ host 213.108.33.133
> 133.33.108.213.in-addr.arpa domain name pointer 133.33.108.213.hl.ru.
> jhardin [at] dendari ~ $ host 140.211.11.3
> 3.11.211.140.in-addr.arpa domain name pointer hermes.apache.org.
>
> I note that the first does have an rDNS, even though the Received:
> header from the MTA in the example above says "unknown".
>
> Are you performing your rDNS tests on the MTA computer? It looks to
> me like the DNS setup on it is misconfigured somehow and it can't
> perform rDNS queries successfully.
>

What I do (all commands on the mail-server, where SA is installed):

# host SUB.MYDOMAIN.MAIL
SUB.MYDOMAIN.MAIL has address 12.12.12.12

# host 12.1204.68.58
12.12.12.12.in-addr.arpa domain name pointer SUB.MYDOMAIN.MAIL.

host does not produce anything else but a single row

--
Regards,

Igor Bogomazov
Игорь Богомазов
Chief Technical Specialist
HighLink Ltd. St-Petersburg, Russia
8(812)334-12-12 [ext. 220]
8(963)344-44-38 (Beeline)
http://www.hl.ru
Attachments: signature.asc (0.19 KB)


jhardin at impsec

Oct 6, 2009, 6:14 AM

Post #13 of 13 (922 views)
Re: Problems with whitelist_from_rcvd [In reply to]

On Tue, 6 Oct 2009, Igor Bogomazov wrote:

>> Exactly how are you checking the rDNS of that IP address? Can you
>> demonstrate?
>>
>> Are you performing your rDNS tests on the MTA computer? It looks to
>> me like the DNS setup on it is misconfigured somehow and it can't
>> perform rDNS queries successfully.
>
> What I do (all commands on the mail-server, where SA is installed):
>
> # host SUB.MYDOMAIN.MAIL
> SUB.MYDOMAIN.MAIL has address 12.12.12.12
>
> # host 12.1204.68.58
> 12.12.12.12.in-addr.arpa domain name pointer SUB.MYDOMAIN.MAIL.
>
> host does not produce anything else but a single row

Okay, good. That proves that host's rDNS is properly set up.

Can you run that command on the same computer that your _MTA_ is running
on? The MTA is what is doing the rDNS lookups for the Received: header.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If "healthcare is a Right" means that the government is obligated
to provide the people with hospitals, physicians, treatments and
medications at low or no cost, then the right to free speech means
the government is obligated to provide the people with printing
presses and public address systems, the right to freedom of
religion means the government is obligated to build churches for the
people, and the right to keep and bear arms means the government is
obligated to provide the people with guns, all at low or no cost.
-----------------------------------------------------------------------
5 days since a sunspot last seen - EPA blames CO2 emissions
