<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body>
<p>Hi,</p>
<p>This is all working now - thanks for your pointers and help. Thanks very much! The trusted and internal network did work, my issue was that for some reason I have to restart amavis and spamassassin for new settings to be taken into use. I can't explain it, but once I did this things were much more reliable (and your settings worked).</p>
<p>Thanks again for all the help!</p>
<p>... Russell</p>
<p> </p>
<p>On 2012-12-30 13:45, Cedric Knight wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<pre>On 30/12/12 15:11, R. Morris wrote:</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">Hi,<br />First of all - thanks so much for the help! Much appreciated. Some thoughts, below.<br />1) I can ask at spamassassin, but it seems like my spamassassin settings aren't being used. Does amavis somehow take this over, or should the spamassassin settings really work? Sounds like a dumb question I know, but I have tried changing the settings and they don't seem to be used (and I'm restarting spamassassin and amavis both ... :-().</blockquote>
<pre>Where are you adding the SpamAssassin settings? They should be in your
global conf folder (on unix-like systems /etc/spamassassin/local.cf).
You shouldn't need to restart spamassassin. Amavis is a Perl program
that includes the SpamAssassin Perl libraries
(/usr/share/perl5/Mail/SpamAssassin) directly and doesn't use the
spamassassin "spamd" daemon.
Amavis does ignore the skip_rbl_checks setting (as I mention it has its
own setting for whether to perform remote checks), but AFAIK respects
just about everything else in the global .cf files.
If you're just altering settings in your local folder (/home/ or
\Users\) then Amavis won't read it. You could try changing a SA rule
score to check your settings really are taking.</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">2) You are correct - it's because my IP is a dynamic IP, provided by Verizon FIOS. They have added all their IPs to the blacklist. I just have a backup mail server (at my brother's house), that forwards email to me when my main server goes down. But I don't want the email blocked just because it came from FIOS (in fact, one of the failing RBL checks just says it's a Verizon IP, which I already know ... :-)).<br />3) Sorry, just trying to understand your last comment (about internal and trusted networks). Will the previous relays be checked, just the last one is skipped?</blockquote>
<pre>Yes.</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">And can I use a machine name (FQDN), or do I have to enter the IP address (it's dynamic, so name would be nice).</blockquote>
<pre>OK, that is a bit tricky. I can't see any easy way to trust one server
based on something like DynDNS. You could possibly write rules or a
module to trust or shortcircuit based on DNS or HELO. See
<a href="http://wiki.apache.org/spamassassin/TrustPath">http://wiki.apache.org/spamassassin/TrustPath</a>

I think you have two main options to get that working properly:
A) Trust the whole of the Verizon pool with something like:
internal_networks 96.224.0.0/11
trusted_networks 96.224.0.0/11
but that's quite a wide range and you may want to see if in practice it
is more restricted.
B) Use SMTP SASL to authenticate the backup MX with the main mail
server. Assuming you're using your main server for emailing out, there
presumably is already some authentication method, so you just need to
set the backup MTA to use SASL (eg with Postfix set
smtp_sasl_password_maps). SpamAssassin should trust a relay if it is
authenticated by the local MTA.</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">I will check the reference you mention, just not sure my spamassassin settings are being used ... :-(</blockquote>
<pre>See also <a href="http://wiki.apache.org/spamassassin/TrustPath">http://wiki.apache.org/spamassassin/TrustPath</a>.
HTH
Cedric</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">On 2012-12-30 02:42, Cedric Knight wrote:
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">Hi Russell<br />On 30/12/12 05:21, R. Morris wrote:
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">Hi, This may be a dumb question (and likely is, sorry!), but I haven't been able to figure out how to get it working, so ...</blockquote>
Well, I hope this isn't a dumb answer. It does sound like a SpamAssassin issue maybe best dealt with at <a href="mailto:users@spamassassin.apache.org">users@spamassassin.apache.org</a>.
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">I have a working setup with Postfix + Amavis-new. Works quite well, except for one thing - if email goes through my backup MX (mail server), then it is flagged as spam (due to RBL checks). I can disable all checking based on this IP, but I really only want to disable RBL / DNSBL checks for this IP, and let the other checks proceed as usual.</blockquote>
Which RBL checks, and why is your backup MX on an RBL? Maybe it's just a list of dynamic or consumer IPs, but maybe it's associated with a previous exploit.
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">Is there an easy way to do this? I have tried changing the Spamassassin setting itself (both trusted networks and skip_rbl_checks), but neither one seems to work.</blockquote>
trusted_networks should work if you use it correctly. If you really want to disable RBL checks altogether, put the following line in your amavis configuration (it has the same effect as skip_rbl_checks would if you weren't using amavis):
<pre>$sa_local_tests_only = 1;</pre>
But for the behaviour you want, in your SpamAssassin local.cf add two lines
<pre>internal_networks 10.0.0.1
trusted_networks 10.0.0.1</pre>
replacing 10.0.0.1 with the IPv4 address of the machine you don't want checked for RBLs. Then reload amavis. This should mean the "last external" RBL checks will be carried out for the address that connects to your backup, and SA still scores on content and headers. See "man Mail::SpamAssassin::Conf" for more.</blockquote>
</blockquote>
</blockquote>
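<p>An added example, not part of the original thread or of SpamAssassin: option A in the quoted reply trusts 96.224.0.0/11 and suggests checking whether the range is narrower in practice. The sketch below computes the smallest single CIDR block covering the addresses a backup MX was actually seen on and emits the matching local.cf lines. The observed addresses are constructed sample data and the function names are hypothetical.</p>

```python
import ipaddress

# Range suggested in option A of the thread.
POOL = ipaddress.ip_network("96.224.0.0/11")

# Constructed sample: addresses the backup MX was seen relaying from,
# e.g. collected from Received headers over some weeks. Not real data.
OBSERVED = ["96.233.14.7", "96.233.15.201", "96.233.12.90", "96.233.13.3"]


def covering_network(addresses):
    """Return the smallest single CIDR block containing every address."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    lo, hi = min(ips), max(ips)
    # Start from the host route of the lowest address and widen it one
    # bit at a time until the highest address is also inside.
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()
    return net


def trust_lines(net):
    """SpamAssassin local.cf lines for the narrowed range."""
    return [f"internal_networks {net}", f"trusted_networks {net}"]


def report(addresses, pool=POOL):
    """Compare the pool-wide trust range with the observed one."""
    net = covering_network(addresses)
    if not net.subnet_of(pool):
        raise ValueError(f"{net} is outside {pool}; check the sample")
    return {
        "pool_size": pool.num_addresses,
        "narrow": str(net),
        "narrow_size": net.num_addresses,
        "lines": trust_lines(net),
    }


if __name__ == "__main__":
    r = report(OBSERVED)
    print(f"{POOL} trusts {r['pool_size']} addresses")
    print(f"observed relays fit in {r['narrow']} ({r['narrow_size']} addresses)")
    print("\n".join(r["lines"]))
```

<p>Every address inside the configured range is treated as a trusted relay, so the narrowed block still covers other customers of the same pool; option B (SASL authentication of the backup MX) avoids trusting an address range at all.</p>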
</body></html>