pts rule name description
---- ---------------------- --------------------------------------------------
0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[85.176.236.37 listed in dnsbl.sorbs.net]
0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[85.176.236.37 listed in zen.spamhaus.org]
2.3 AWL AWL: From: address is in the auto white-list
ok, so:
Why does SPF softfail. The DNS record is setup correctly. If I send mails to mailboxes outside the server, SPF does work correctly
“sent directly from dynamic IP address”? the ip address in question was the ip address of my pc when I sent the mail, not my mail server’s ip!
Why is AWL such a bad thing?
So my suspicion here is that when Postfix delivers an email to a domain it hosts, somehow the sender IP gets mixed up and spamassassin thinks my pc actually sent the email, instead of the mail server.
Do I get this wrong?
Anyhow, how can I fix the problem?
I’m running Virtualmin Pro on Debian 4.0r6 amd64.
You said you sent the email from your PC. I suspect you’re not using your ISP’s mail server as a relay? If not, I suspect many of these issues would go away if you did, rather than sending them through your own server.
At that point, you’ll just want to make sure your SPF record includes your ISP’s mail relay.
Regarding the AWL, how that works is described here:
all my clients have SPF records and it is basically impossible to include all their isps in the record. also, many are using webmail, which uses my mail server anyway.
I believe spamassassin should not be invoked for mail sent thorugh smtps (port 465) or submission (port 587). However, I don’t know how to disable that, since Virtualmin’s implementation calls spamassassin via procmail.
In SpamAssassin 3.2.x, it will no longer be necessary to specify 127.0.0.1; it'll automatically be trusted implicitly
and i have version 3.2.3-0.volatile1
the problem is, spamassassin does just see the ip address of the pc client the users sent the mail from, and i cant possibly add the whole world to the trusted_networks…
i just want to disable spamassassin from checking mail that comes in through port 465 and 587, if there is no other way to distinguish incoming from outgoing mail.
basically i dont want spamassassin to scan outgoing mail! it punishes users for being on dialup connections, this is ridiculous!
Well, what SpamAssassin would be seeing when a message comes in on port 465 or 587 is your servers external Internet-facing IP, not the localhost (127.0.0.1) IP.
The localhost interface only comes into play for locally generated emails.
So, my recommendation would be to add your external IP address(es) to SpamAssassin’s trusted_networks in /etc/mail/spamassassin/local.cf, then restart SpamAssassin.
-Eric
My understanding from the above TrustPath document (I’m no SpamAssassin guru, but
Wrong! Spamassassin does not see my server’s external IP, it sees the IP of the sender’s home connection!
So I am sitting home and sending a mail, spamassassin thinks the mail comes from the IP of my home connection, instead of the server itself, which of course is dynamic etc, and fails on SPF as well.
Something is definetly wrong…
I added the IP to that setting, but unfortunatelly with no success…
An alternative could be disabling checks when sasl authentication is used, which is basically how postfix’s config is set up already, but I guess that the postfix command gets executed no matter what, so yeah…
Probably something is wrong with Postfix not tagging the emails with its own ip for some reason…
Might it help if I post my postfix configuration file here?
I’m having the exact same issue here. Postfix should somehow tag those mails (for spamassassin) sent through smtps (Ports 465 or 587) or at least those sent by someone who successfully authenticated himself (SASL AUTH). Did anyone find out how this is done? Google wasn’t that big a help so far…
Just in case the site’s going offline, here’s how it’s done:
Here is also another way to reduce the spam score for SASL auth users
that can be used with Postfix version 2.1 or newer. This should add a
‘X-SMTP-Auth: no’ header to all messages except authenticated. The
SpamAssassin rule then adds -10 points if this header is missing:
header __NO_SMTP_AUTH X-SMTP-Auth =~ /^no$/m
meta SMTP_AUTH !__NO_SMTP_AUTH
describe SMTP_AUTH Message sent using SMTP Authentication
tflags SMTP_AUTH nice
score SMTP_AUTH -10
I suggest you do not use X-SMTP-Auth literally. I would obscure this by
using a X-something-else header name of your choice, and if you have
more than one machine, I suggest using something different on each. In
order to prevent confusion (the header would end up getting written
again after the message was processed by amavisd-new), you should
override smtpd_data_restrictions on the amavisd-new reinjection port. In
master.cf add
-o smtpd_data_restrictions=
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_data_restrictions=
[other typical amavisd-new reinjection port overrides]
