Disable RBL Checking

Cedric Knight cedric at gn.apc.org
Sun Dec 30 20:45:06 CET 2012


On 30/12/12 15:11, R. Morris wrote:
> Hi,
> 
> First of all - thanks so much for the help! Much appreciated. Some
> thoughts, below.
> 
> 1) I can ask at spamassassin, but it seems like my spamassassin settings
> aren't being used. Does amavis somehow take this over, or should the
> spamassassin settings really work? Sounds like a dumb question I know,
> but I have tried changing the settings and they don't seem to be used
> (and I'm restarting spamassassin and amavis both ... :-().

Where are you adding the SpamAssassin settings?  They should be in your
global conf folder (on unix-like systems /etc/spamasassin/local.cf).

You shouldn't need to restart spamassassin.  Amavis is a Perl program
that includes that SpamAssassin Perl libraries
(/usr/share/perl5/Mail/SpamAssassin) directly and doesn't use the
spamassassin "spamd" daemon.

Amavis does ignore the skip_rbl_checks setting (as I mention it has its
own setting for whether to perform remote checks), but AFAIK respects
just about everything else in the global .cf files.

If you're just altering settings in your local folder (/home/ or
\Users\) then Amavis won't read it.  You could try changing a SA rule
score to check your settings really are taking.

> 
> 2) You are correct - it's because my IP is a dynamic IP, provided by
> Verizion FIOS. They have added all their IP's to the blacklist. I just
> have a backup mail server (at my brother's house), that forwards email
> to me when my main server goes down. But I don't want the email blocked
> just because it came from FIOS (in fact, one of the failing RBL checks
> just says it's a Verizon IP, which I already know ... :-)).
> 
> 3) Sorry, just trying to understand your last comment (about internal
> and trusted networks). Will the previous relays be checked, just the
> last one is skipped?

Yes.

> And can I use a machine name (FQDN), or do I have
> to enter the IP address (it's dynamic, so name would be nice).

OK, that is a bit tricky.  I can't see any easy way to trust one server
based on something like DynDNS.  You could possibly write rules or a
module to trust or shortcircuit based on DNS or HELO.  See
http://wiki.apache.org/spamassassin/TrustPath

I think you have two main options to get that working properly:

A) Trust the whole of the Verizon pool with something like:
internal_networks 96.224.0.0/11
trusted_networks 96.224.0.0/11
but that's quite a wide range and you may want to see if in practice it
is more restricted.

B) Use SMTP SASL to authenticate the backup MX with the main mail
server.  Assuming you're using your main server for emailing out, there
presumably is already some authentication method, so you just need to
set the backup MTA to use SASL (eg with Postfix set
smtp_sasl_password_maps).  SpamAssassin should trust a relay if it is
authenticated by the local MTA.

> I will
> check the reference you mention, just not sure my spamassassin settings
> are being used ... :-(

See also http://wiki.apache.org/spamassassin/TrustPath.

HTH

Cedric


> On 2012-12-30 02:42, Cedric Knight wrote:
> 
>> Hi Russell
>>
>> On 30/12/12 05:21, R. Morris wrote:
>>> Hi, This may be a dumb question (and likely is, sorry!), but I
>>> haven't been able to figure out how to get it working, so ...
>> Well, I hope this isn't a dumb answer.  It does sound like a
>> SpamAssassin issue maybe best dealt with at users at spamassassin.apache.org <mailto:users at spamassassin.apache.org>.
>>> I have a working setup with Postfix + Amavis-new. Works quite well,
>>> except for one thing - if email goes through my backup MX (mail
>>> server), then it is flagged as spam (due to RBL checks). I can
>>> disable all checking based on this IP, but I really only want to
>>> disable RBL / DNSBL checks for this IP, and let the other checks
>>> proceed as usual.
>> Which RBL checks, and why is your backup MX on an RBL?  Maybe it's just
>> a list of dynamic or consumer IPs, but maybe it's associated with a
>> previous exploit.
>>> Is there an easy way to do this? I have tried changing the
>>> Spamassassin setting itself (both trusted networks and
>>> skip_rbl_checks), but neither one seems to work.
>> trusted_networks should work if you use it correctly.  If you really
>> want to disable RBL checks altogether, put the following line in your
>> amavis configuration (it has the same effect as skip_rbl_checks would if
>> you weren't using amavis):
>>    $sa_local_tests_only = 1;
>>
>> But for the behaviour you want, in your SpamAssassin local.cf add two lines
>>
>> internal_networks 10.0.0.1
>> trusted_networks 10.0.0.1
>>
>> replacing 10.0.0.1 with the IPv4 address of the machine you don't want
>> checked for RBLs.  Then reload amavis.  This should mean the "last
>> external" RBL checks will be carried out for the address that connects
>> to your backup, and SA still scores on content and headers.
>>
>> See "man Mail::SpamAssassin::Conf" for more.


More information about the amavis-users mailing list