Whitelist advice, correct way to minimize score for known domains from gapps

Dauser Martin Johannes mdauser at cs.sbg.ac.at
Mon Feb 26 19:36:36 CET 2018


Hi!

It seems the SPF entry of the sender's domain isn't allowing the
originating mail server. Originating server might be stripped off, so I
take a wild guess that it is a Google server (last Received: header). [1]

The other rules are content based.
MIME_HTML_ONLY nags about missing alternative text besides html [2]

HTML_IMAGE_ONLY_08 nags about an image which seems to be used instead
of words to mitigate text-based scanning. [3]

As long as you send messages to yourself whitelisting will do the job,
but as soon as you send messages to someone external you'll end up with
the same problem again.

I'm by no means an expert for spamassassin or amavis but these are my
guesses.


within spamassassin:
####################

"SpamAssassin offers more control over whitelisted senders with the
whitelist_from_rcvd  directive. This directive associates a sender's
email address with the hostname or domain name of the LAST TRUSTED
RELAY. 

SpamAssassin uses DNS to do a reverse-lookup of the IP address of the
last trusted relay; the reverse-lookup yields one or more hostnames
associated with the IP address.

[...]

In order for SpamAssassin to distinguish trusted and untrusted relays,
you may need to set the trusted_networks option." [4]

"[...] By default, SpamAssassin works backward through the Received 
headers, beginning with the one [atop -author's note] added by the MTA
on its own system (which is always trusted), and decides whether or not
the addresses in each header are trusted. [...]" [5]

So, you'd need those mailservers from google as trusted. -- I guess
there are more than this very "mail-it0-f45.google.com".


whitelist_from_rcvd *@SENDERTLD.COM mail-it0-f45.google.com

perhaps this might work too as it can be the hostname or the domain of
the trusted server. 
whitelist_from_rcvd *@SENDERTLD.COM google.com

Don't forget to set trusted_networks too.



within amavis:
##############

A) As those mails are successfully DKIM signed you could do a hard or
soft whitelist by selecting a custom policy bank based on successful
DKIM and sender's envelope address (Return-Path: )

@author_to_policy_bank_maps = (
read_hash("/etc/amavisd/DKIM_sender_to_policy-bank") );
##
## content example /etc/amavisd/DKIM_sender_to_policy-bank
##
## 'dddddd@SENDERTLD.com'  'WHITELIST'
## 'SENDERTLD.com'         'MILD_WHITELIST'

# do no spamassassin checks at all
$policy_bank{'WHITELIST'} = {
  bypass_spam_checks_maps => [1],
  spam_lovers_maps => [1],
};

# reduce spam score by 3.0
$policy_bank{'MILD_WHITELIST'} = {
  score_sender_maps => [ { '.' => [-3.0] } ],
};



B) Generally (even without DKIM) reduce spam score from sender either
for your personal recipient address or sitewide

@score_sender_maps = ({ 
  'recipient@sbt.net.au' => [ read_hash("/etc/amavisd/sender_scores_recipient"), ],

  '.' =>  [ read_hash("/etc/amavisd/sender_scores_sitewide"), ],
});
##
## content example /etc/amavisd/sender_scores_sitewide
##
## 'dddddd@SENDERTLD.com'  '-3.0'
## 'SENDERTLD.com'         '-1.5'



C) Generally trust this sender address

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');

$policy_bank{'YOUR_COMMON_INCOMMING_CONF'} = {
    # set incoming mails as NOT-originating
    originating                 => 0,

    # mails from trusted envelope senders
    # are whitelisted by SpamAssassin
    whitelist_sender_maps       => [ \%whitelist_sender ],

    # ...
};
##
## content example /etc/amavisd/whitelist
##
## dddddd@SENDERTLD.com
## SENDERTLD.com



[1] https://support.google.com/a/answer/33786?hl=en&ref_topic=2759192&visit_id=0-636552554295951700-2667039385&rd=1

[2]https://wiki.apache.org/spamassassin/Rules/MIME_HTML_ONLY

[3]https://wiki.apache.org/spamassassin/Rules/HTML_IMAGE_ONLY_08

[4] http://commons.oreilly.com/wiki/index.php/SpamAssassin/SpamAssassin_Rules#Whitelisting_senders_by_relay

[5] http://commons.oreilly.com/wiki/index.php/SpamAssassin/SpamAssassin_Rules#check_rbl.28_.29


On Tue, 1519599416-12-31 at 00:00 +0000, Voytek wrote:
> 
> 
> I have several domains where email is on gapps, and, noticed emails from
> such user get around 3+/spam, above my threshold of 3,
> tried to whitelist using such, but, didn't seem to work
> 
> what is the correct way to whitelist such domains, should that be
> gappssmtp.com ? as last item NOT SENDERTLD.com ?
> 
> -----------
> cat  /etc/mail/spamassassin/local.cf
> .../trim/...
> whitelist_from_rcvd *@SENDERTLD.com SENDERTLD.com
> 
> 
> ===========
> Return-Path: <dddddd at SENDERTLD.com>
> Delivered-To: voytek at sbt.net.au
> Received: from localhost (localhost [127.0.0.1])
>     by geko.sbt.net.au (Postfix) with ESMTP id 9B5E664BF2E3
>     for <voytek at sbt.net.au>; Thu, 22 Feb 2018 15:53:34 +1100 (AEDT)
> X-Virus-Scanned: amavisd-new at sbt.net.au
> X-Spam-Flag: NO
> X-Spam-Score: 3.86
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.86 tagged_above=2 required=6.2
>     tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_IMAGE_ONLY_08=1.781,
>     HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, SPF_SOFTFAIL=0.972,
>     URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
> Authentication-Results: geko.sbt.net.au (amavisd-new);
>     dkim=pass (2048-bit key) header.d=SENDERTLD-com.20150623.gappssmtp.com
> Received: from geko.sbt.net.au ([127.0.0.1])
>     by localhost (geko.sbt.net.au [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id V_DN-7-7FF3H for <voytek at sbt.net.au>;
>     Thu, 22 Feb 2018 15:53:27 +1100 (AEDT)
> Received: from mail-it0-f45.google.com (mail-it0-f45.google.com
>     [209.85.214.45])
>     by geko.sbt.net.au (Postfix) with ESMTPS id 4308064D5D6F
>     for <voytek at sbt.net.au>; Thu, 22 Feb 2018 15:53:25 +1100 (AEDT)
> Received: by mail-it0-f45.google.com with SMTP id n7so4769838ita.5
>     for <voytek at sbt.net.au>; Wed, 21 Feb 2018 20:53:25 -0800 (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>      d=SENDERTLD-com.20150623.gappssmtp.com; s=20150623;
>      h=reply-to:to:from:subject:organization:message-id:date:user-agent
>      :mime-version;
>      bh=1jjbz+n4ebfJauh3AY80pwowR1/YCl/OFEbuXKJetXw=;
>      /stripped/A==
> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>      d=1e100.net; s=20161025;
>      h=x-gm-message-state:reply-to:to:from:subject:organization:message-id
>      :date:user-agent:mime-version;
>      bh=1jjbz+n4ebfJauh3AY80pwowR1/YCl/OFEbuXKJetXw=;
> /stripped/==
> 
> 
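
Why the original `whitelist_from_rcvd *@SENDERTLD.com SENDERTLD.com` line never fired, as an added example that is not part of the original message and not SpamAssassin's own code: a simplified Python model of the relay check, run over the hand-over Received header from the quoted mail. It assumes that header belongs to the last trusted relay and skips the trusted_networks evaluation; the function names are hypothetical.

```python
import fnmatch
import re

# Constructed from the quoted headers: the Received line written by
# geko.sbt.net.au at the external hand-over, plus the Return-Path address.
RECEIVED = ("from mail-it0-f45.google.com (mail-it0-f45.google.com "
            "[209.85.214.45]) by geko.sbt.net.au (Postfix) with ESMTPS "
            "id 4308064D5D6F")
SENDER = "dddddd@SENDERTLD.com"

RULES = [
    "whitelist_from_rcvd *@SENDERTLD.com SENDERTLD.com",            # original local.cf
    "whitelist_from_rcvd *@SENDERTLD.COM mail-it0-f45.google.com",  # suggested above
    "whitelist_from_rcvd *@SENDERTLD.COM google.com",               # suggested above
]

def relay_rdns(received):
    """Return the rDNS name Postfix recorded as 'from helo (rdns [ip])'."""
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[[0-9A-Fa-f.:]+\]\)", received)
    if not m or m.group(1).lower() == "unknown":
        return None  # no usable reverse DNS, so no relay-based whitelisting
    return m.group(1).lower()

def rule_matches(rule, sender, received):
    """Simplified model of whitelist_from_rcvd: the sender must match the
    address glob AND the relay rDNS must be the named host or a host in
    the named domain. Assumes `received` is the last trusted relay's line."""
    directive, addr_glob, relay = rule.split()
    if directive != "whitelist_from_rcvd":
        raise ValueError("not a whitelist_from_rcvd line: " + rule)
    rdns = relay_rdns(received)
    if rdns is None:
        return False
    if not fnmatch.fnmatchcase(sender.lower(), addr_glob.lower()):
        return False
    relay = relay.lower()
    # Compare on a label boundary so "google.com" does not match
    # a look-alike such as "notgoogle.com".
    return rdns == relay or rdns.endswith("." + relay)

def evaluate(rules=RULES, sender=SENDER, received=RECEIVED):
    """Map each rule to True/False for the sample message."""
    return {rule: rule_matches(rule, sender, received) for rule in rules}

if __name__ == "__main__":
    for rule, hit in evaluate().items():
        print("MATCH   " if hit else "no match", rule)
```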

