$final_bad_header_destiny = D_BOUNCE and Return-Path: <>, mail gets delivered unscanned

Leonard den Ottolander milter-greylist at ottolander.nl
Sat Jul 13 23:32:35 CEST 2013


Hello Hans,

On Sat, 2013-07-13 at 18:00 +0200, Hans Spaans wrote:
> The default is D_PASS, so did you change it or does Fedora supply amavis
> with this setting?

This is indeed a setting as shipped by Fedora EPEL. Not sure what Fedora
the distro does, but I'd guess they might be doing the same.

If this is an invalid configuration then perhaps it should not be
possible to configure amavis this way? But if amavis *can* be configured
this way I'd say the mail wiggling itself from the quarantine should at
least be scanned by spamassassin.

> If the latter is the case, then a bug report may be
> wise. Bouncing after an OK on the SMTP DATA phase will get you
> blacklisted sooner or later. I prefer sooner btw ;-)

Since I originally sent this email (with a different subject) a few
weeks ago I have altered my configuration to $final_bad_header_destiny =
D_PASS.

> > Received: from unknown (HELO localhost)
> >  (from at domain.ru@2.2.2.2) by 1.1.1.1 with ESMTPA;
> 
> Source routing, haven't seen that one for years. You're willing to
> publish the IP?

Well, actually all the messages that managed to get through by using
this "no return path" trick do this. Could be a dozen or more.

This particular address has a name that suggests a dynamic IP network
under the domain vologda.ru (shpd-2-2-2-2.vologda.ru).

> > The missing date header puts the mail in quarantine and the missing
> > Return-Path breaks the bouncing so the mail gets sent without having
> > been scanned by spamassassin:
> 
> Yes and no, the missing return-path is there to break the mail loop that
> otherwise could emerge. It is a special case, you may want to read RFC
> 2822 if I'm not mistaken.
> 
> > 
> <cut>
> > 
> > And the mail gets delivered to my mailbox.
> 
> You have set up amavis to use your address as an administrator address or
> something like it?

No, that would be postmaster and there is no translation from the
postmaster address to my email address. Only the straightforward email
-> user translation.

Jun 14 12:51:54 host postfix/virtual[2220]: D642542:
to=<user at domain.nl>, orig_to=<email at domain.nl>, relay=virtual,
delay=0.11, delays=0.07/0.01/0/0.04, dsn=2.0.0, status=sent (delivered
to maildir)

It's not like the message is being handled as a quarantine after the
bounce has failed. Amavis hands it back to postfix which delivers it.

> > How can I assure that mail that fails to bounce at least gets scanned by
> > spamassassin?
> 
> Reading your logs, your DKIM setup appears to be broken as it tries to
> sign a non-local domain, but doesn't have the right keys luckily. You may
> want to follow the submission port style signing if you mix a receiving
> MTA with a sending MTA on the same box.

Last year when I was looking into DKIM I added 0.0.0.0/8 to @mynetworks
as per the instructions at
http://www.ijs.si/software/amavisd/amavisd-new-docs.html section "For
the impatient - signing from scratch".

At that time I didn't give it any thought, but looking into this in
relation to this issue the adding of this network seemed very wrong, so
I removed that addition to @mynetworks. See also my mail from June 16th.

I didn't make the effort to add DKIM signing yet.

Regards,
Leonard.
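
Added example, not part of the original message and not amavis code: a small audit that flags already-delivered messages showing the combination discussed in this thread (null Return-Path, no Date header, no sign of a SpamAssassin scan). It assumes the MTA records the envelope sender in a Return-Path: header on delivery and that scanned mail carries X-Spam-* headers; the function names and sample messages are constructed for illustration.

```python
import email
import os

# Assumption: mail scanned by SpamAssassin via amavis carries at least one
# of these headers; adjust to what your setup actually inserts.
SCAN_HEADERS = ("X-Spam-Status", "X-Spam-Score", "X-Spam-Flag")


def audit_message(raw):
    """Return which of the three conditions from the thread a message meets."""
    msg = email.message_from_bytes(raw)
    reasons = []
    # A null Return-Path alone is normal for bounces (DSNs); it only
    # matters here in combination with the other two conditions.
    if (msg.get("Return-Path") or "").strip() == "<>":
        reasons.append("null-return-path")
    if not (msg.get("Date") or "").strip():
        reasons.append("missing-date")
    if not any(msg.get(h) for h in SCAN_HEADERS):
        reasons.append("no-scan-headers")
    return reasons


def slipped_through(raw):
    """True only when all three conditions hold together."""
    return len(audit_message(raw)) == 3


def audit_maildir(path):
    """Yield (filename, reasons) for matching messages in a Maildir."""
    for sub in ("new", "cur"):
        folder = os.path.join(path, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            with open(os.path.join(folder, name), "rb") as fh:
                reasons = audit_message(fh.read())
            if len(reasons) == 3:
                yield name, reasons


# Constructed sample messages, not taken from the thread.
SUSPECT = (b"Return-Path: <>\r\nReceived: from unknown (HELO localhost)\r\n"
           b"From: a@example.org\r\nSubject: hi\r\n\r\nbody\r\n")
SCANNED = (b"Return-Path: <b@example.org>\r\n"
           b"Date: Sat, 13 Jul 2013 18:00:00 +0200\r\n"
           b"X-Spam-Status: No, score=0.1\r\nSubject: ok\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(audit_message(SUSPECT), audit_message(SCANNED))
```

Run audit_maildir() against a copy of the mailbox; any hit is a message that reached the mailbox without going through the content scan.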