Need HELP setting up EFA for outgoing emails
Currently EFA scans incoming emails just fine and to avoid my outgoing emails getting marked as SPAM I have told EFA to only check outgoing emails for viruses and NOT SPAM.
This was however only a workaround and I do want to check outgoing emails for SPAM to prevent an outbreak in case a client PC got infected.
Here are a few threads, most of them mine with no conclusions:
viewtopic.php?f=5&t=2206
viewtopic.php?f=14&t=2066
viewtopic.php?f=14&t=1203
viewtopic.php?f=5&t=2077
Did you make any changes to postfix to let it know about trusted networks or internal networks or mynetworks?
Re: Need HELP setting up EFA for outgoing emails
I scan all outgoing messages for spam and viruses and I have no problem.
I'll review my configuration and see if I can remember what I changed.
Re: Need HELP setting up EFA for outgoing emails
I cheated.
I set ALL_TRUSTED to -8.0 in my local.cf
Re: Need HELP setting up EFA for outgoing emails
Thanks, much appreciated. Well, I don't want to "cheat".
Besides, that is what I did by no longer scanning outgoing emails for SPAM.
Here's an example:
A user with his laptop, out in the wild, sends through our in-house EX using RPC over HTTPS, so EFA sees the message go from his dial-up to my EX and straight to EFA.
True enough, bayes and txrep keep the score pretty much down, but shouldn't EFA see the message coming from my trusted EX and not bother about where EX got it from?
Besides, I don't get the ALL_TRUSTED in this case. Does the mail originating from dial-up "break" the ALL_TRUSTED chain? The user is authenticated by EX though. I feel like I am missing something.

Re: Need HELP setting up EFA for outgoing emails
I just noticed that even sending from outlook within my company network, straight to EX then EFA I don't get ALL_TRUSTED status :-/
Re: Need HELP setting up EFA for outgoing emails
Strange,
I just sent a message using Outlook 2007 configured to use the Exchange http rpc proxy. The message shows "trusted"
So the mail went from the remote client outlook, to exchange server outlook web access via http rpc on public ip, to efa, to messagelabs, to my destination account. The public ip of my remote computer doesn't show anywhere. The message appears to originate from the exchange server internal ip directly [my.private.ip.address]
Delivered-To: pdwalker@destination.domain
Received: by 10.25.216.104 with SMTP id p101csp343994lfg;
Wed, 10 May 2017 11:43:28 -0700 (PDT)
X-Received: by 10.233.216.68 with SMTP id u65mr6562282qkf.37.1494441808654;
Wed, 10 May 2017 11:43:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1494441808; cv=none;
d=google.com; s=arc-20160816;
b=q1TGZIhn8NLXSBWC7TVVVYdCpiUTI6dm298oOZFX+in78t0sXF+n9hfufZt+Lha2kl
5+7HGkdgsl466pC+8T76+XtsXLF409x9xKB+KoH63jx/H7J+AFu0zPH8GPd6MJF44b10
C0aiU69WaIjrxT+LhPcZmxU48Sxgr1De7arw7mUXpfsW8jTq0ay8gnBs7DOnZ6Wrj3jq
ciMqKRY3Cxp1hlHgg8Gl4MD2kTkOlyFzHAH6FR+Ujl97kb2/kYX0yMKK9n+c/LdAjas7
DQqdFz6q7HfAUrLOYbP4AvJBct/kUKUVBPazVIZBiztV+x1HP+7O1eyBYcE2WddvK42P
E/pg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:acceptlanguage:content-language:accept-language
:message-id:thread-index:thread-topic:subjectto:from
:dkim-signature:arc-authentication-results;
bh=PPgL8ZkkAKJv2lGHXhLKuaIxxX9THCQ11z2Gp7kx4R8=;
b=ty04pw1HxGPXMEAwIwHe/CyMheBGL1CAr26k5EKepAF3KQ3+O/5kMt446vuEqPV9lJ
lxDe4ERh7qmps3cJN3AUzjEwAMMDJWpm79e/pupZAJ6JbAwUiMTXugV9sEzNPbPwGXGz
4dE0HTCtwekA8SGbsWX/Ls7DMC+BbL+HomZNrwoSUcOjrI0bti2HGZLONdBHF2v5FT8L
IIDTsT8/TFU5XajQsqHKEKOKTIUzcfenCcFqlYp6Ro4ldPSbXyV7N++IbX0zM37TXad7
clf65+1QKADtIqt5teN6v/hXxvAU/dwd6Zx0kZknIXpnxWGWJPjWAOG1yWSu1BNQySMK
VBdQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@source.domain;
spf=pass (google.com: domain of pdwalker@source.domain designates 216.82.243.202 as permitted sender) smtp.mailfrom=pdwalker@source.domain;
dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=source.domain
Return-Path: <pdwalker@source.domain>
Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com. [216.82.243.202])
by mx.google.com with ESMTPS id k126si4054112qkc.96.2017.05.10.11.43.28
for <pdwalker@destination.domain>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 10 May 2017 11:43:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of pdwalker@source.domain designates 216.82.243.202 as permitted sender) client-ip=216.82.243.202;
Authentication-Results: mx.google.com;
dkim=pass header.i=@source.domain;
spf=pass (google.com: domain of pdwalker@source.domain designates 216.82.243.202 as permitted sender) smtp.mailfrom=pdwalker@source.domain;
dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=source.domain
Return-Path: <pdwalker@source.domain>
Received: from [216.82.241.132] by server-10.bemta-8.messagelabs.com id C5/6A-01724-05F53195; Wed, 10 May 2017 18:43:28 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrGKsWRWlGSWpSXmKPExsVSUBHQousfLxx
X-Env-Sender: pdwalker@source.domain
X-Msg-Ref: server-5.tower-45.messagelabs.com!1494441805!63218174!1
X-Originating-IP: [my.public.ip.address]
X-StarScan-Received:
X-StarScan-Version: 9.4.12; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8657 invoked from network); 10 May 2017 18:43:27 -0000
Received: from mailserver.source.domain (HELO mailserver.source.domain) (112.120.80.132)
by server-5.tower-45.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 10 May 2017 18:43:27 -0000
X-Spam-Status: No
X-SourceCompany-MailScanner-EFA-Watermark: 1495046591.85014@PepI26zIi9cbPRZsojaenA
X-SourceCompany-MailScanner-EFA-From: pdwalker@source.domain
X-SourceCompany-MailScanner-EFA-SpamCheck: not spam, SpamAssassin (not cached, score=-7.98, required 4, ALL_TRUSTED -8.00, BAYES_00 -1.90, DCC_CHECK 1.10, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, KAM_NUMSUBJECT 0.50, MIME_HTML_MOSTLY 0.43, MXPF_TEST 0.00, OW_PASS -0.01)
X-SourceCompany-MailScanner-EFA: Found to be clean
X-SourceCompany-MailScanner-EFA-ID: 8E7D818005C.AD83E
X-SourceCompany-MailScanner-EFA-Information: Please contact itsupport@source.domain for more information
Received: from mailserver.source.domain (ExchangeServer [my.private.ip.address]) (using TLSv1 with cipher RC4-MD5 (112/128 bits)) (No client certificate requested) by mailserver.source.domain (Postfix) with ESMTPS id 8E7D818005C for <pdwalker@destination.domain>; Thu, 11 May 2017 02:43:09 +0800 (HKT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=source.domain; s=default; t=1494441789; bh=xgcA1yi2P06Vz4LmMlU9HXJoI1khZwDQ5sVI8WCE8gM=; h=From:To:Date:Subject; b=hcxO6AMMR1s/MrlZeutxR+acys0cOd51G1CQfCxn0PD4yv17U6DaO26owi5n4k2fr
2ZCNq/AopiB1jc1TjJYstyZZ/f/joizA/q1ujX0D4zYDX5PSSKlhqZzhD/nO8twPTx
6MXhJZE9P90jr1RlTgOohTkHPKzXu2pp6w2G5xyk=
Received: from ExchangeServer.source.local ([my.private.ip.address]) by ExchangeServer.source.local ([my.private.ip.address]) with mapi; Thu, 11 May 2017 02:41:13 +0800
From: "me" <pdwalker@source.domain>
To: "me (Destination)" <pdwalker@destination.domain>
Date: Thu, 11 May 2017 02:41:11 +0800
Subject: test 2
Thread-Topic: test 2
Thread-Index: AdLJvUEYcqJnsLiqST+0J1GlXfF9Ww==
Message-ID: <EF1762BA9E96C342B337C75287517EFC05769FEDCF28@ExchangeServer.source.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_EF1762BA9E96C342B337C75287517EFC05769FEDCF28ExchangeServerch_"
MIME-Version: 1.0
Can you show me your headers?
Re: Need HELP setting up EFA for outgoing emails
https://wiki.apache.org/spamassassin/TrustPath
I wonder how I got "ALL_TRUSTED" to fire? I've not actually configured a trusted_networks = line in my local.cf.
Needs further investigation.
Re: Need HELP setting up EFA for outgoing emails
https://wiki.apache.org/spamassassin/TrustedRelays
I followed the debug example in the above link.
From what I can see, spamassassin complains that I've not configured trusted_networks and then proceeded to figure out that the relay is my exchange server on the local network and decided that it's ok.
I use the following command to spamassassin debug a message
Code: Select all
cd /var/spool/MailScanner/quarantine/YYYYMMDD/nonspam
spamassassin -D -t < EFAMessage.ID 2>&1 |vim -
where YYYYMMDD is the date of the message I am checking, and EFAMessage.ID is the messageid/name of the mail file to test.
and then I do a case insensitive search for "relay"
Re: Need HELP setting up EFA for outgoing emails
Thanks for looking into this. Here are a few more facts I stumbled upon:
at some point, All_Trusted seems to have worked for me as I see this in my SA rule hits report:
Code: Select all
ALL_TRUSTED Passed through trusted hosts only via SMTP -1.00 56 56 100 0 0
I know about trusted_networks and internal_networks and even stumbled upon msa_networks in my search but it never worked right.
Here is all info I could find, not sure about my config below though
basically what I think I want is that every email which reaches EFA from my EX or from 138.xxx.xxx.229 should be marked as ALL_TRUSTED as those are the only 2 of my own IPs sending directly to EFA everything else hitting EFA is coming from outside. Making sense here?
Can you check the config below? What do you think, did I get this right?
#Generally you want trusted_networks set to contain all the mailservers you control
#that add Received: headers, and nothing else.
#set 'internal_networks' to include the hosts that act as MX for your domains,
#or that may deliver mail internally in your organisation.
#set 'trusted_networks' to include the same hosts and networks as 'internal_networks',
#with the addition of some hosts that are external to your organisation which you trust
#to not be under the control of spammers. For example, very high-volume mail relays at other ISPs,
#or mailing list servers. Note that it doesn't matter if the server relays spam to you
#from other hosts; that still means you trust the server not to originate spam,
#which is what 'trusted_networks' specifies.
#A mail relay that you want to trust in trusted_networks may itself trust its own internal dynamic IP networks.
#You may trust them not to be a spam source but putting them into your internal_networks list
#would create a false positive because then those dynamic IPs would be searched for in the DUL lists.
#This is an example where the two lists need to be different.
#Trusted relays that accept mail directly from dial-up connections should not be listed in
#internal_networks. List them only in trusted_networks.
#details: https://spamassassin.apache.org/full/3. ... _Conf.html
#Mails from our users submitted to our MSA or "smarthost" are hitting RCVD_IN_DYNABLOCK.
#In SpamAssassin 3.2.0 or later you can use the msa_networks option to list your MSAs.
#details: https://wiki.apache.org/spamassassin/DynablockIssues
Code: Select all
internal_networks 192.168.220.2 192.168.200.3 193.xxx.xxx.13
trusted_networks 138.xxx.xxx.229 192.168.200.3 192.168.220.2 193.xxx.xxx.13
msa_networks 192.168.200.3
192.168.220.2 - internal IP of EFA
192.168.200.3 - EX
193.xxx.xxx.13 - my MX record IP (my firewall forwards SMTP traffic to this IP to EFA)
138.xxx.xxx.229 - a server on the web, hosting our website which takes emails from all its docker containers and forwards them to EFA with the relayhost postfix parameter
The instructions are contradictory. i.e. trusted relays receiving emails from dial-ups should not be in internal_networks but in trusted only? meaning my EX should only be in trusted and not internal?
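A simplified model of the trust-path question raised above, as an added example that is not from any poster and not SpamAssassin's own code: it walks the Received headers newest first and reports whether ALL_TRUSTED could fire. It assumes trusted_networks is set explicitly and ignores msa_networks and SMTP authentication; the header samples and the names relay_ips, split_trust_path and all_trusted are constructed for illustration.

```python
import ipaddress
import re

# The unmasked trusted_networks entries from the post above (EFA and EX).
TRUSTED_NETWORKS = ["192.168.220.2", "192.168.200.3"]
FIRST_BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def relay_ips(received):
    """Client IP of each Received header, newest hop first; None if unparsable."""
    ips = []
    for header in received:
        match = FIRST_BRACKETED_IP.search(header)
        try:
            ips.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:
            ips.append(None)
    return ips

def split_trust_path(received, trusted_networks):
    """Walk hops newest to oldest; trust ends at the first hop outside the list."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted, unparsable = [], [], 0
    chain_intact = True
    for ip in relay_ips(received):
        if ip is None:
            unparsable += 1          # this sketch's choice: also ends the trusted run
            chain_intact = False
        elif chain_intact and any(ip in net for net in nets):
            trusted.append(str(ip))
        else:
            chain_intact = False
            untrusted.append(str(ip))
    return trusted, untrusted, unparsable

def all_trusted(received, trusted_networks=TRUSTED_NETWORKS):
    """True only if at least one hop is trusted and none is untrusted or unparsable."""
    trusted, untrusted, unparsable = split_trust_path(received, trusted_networks)
    return bool(trusted) and not untrusted and unparsable == 0

# Constructed headers. VIA_MAPI has the shape of the headers posted earlier in
# the thread; 203.0.113.57 is a made-up documentation-range client address.
VIA_MAPI = [
    "Received: from mailserver.example (ExchangeServer [192.168.200.3]) by efa.example (Postfix) with ESMTPS",
    "Received: from EX.example.local ([192.168.200.3]) by EX.example.local ([192.168.200.3]) with mapi",
]
VIA_SMTP = [
    "Received: from EX.example.local (EX [192.168.200.3]) by efa.example (Postfix) with ESMTP",
    "Received: from laptop ([203.0.113.57]) by EX.example.local with SMTP",
]

if __name__ == "__main__":
    print("MAPI submission:", all_trusted(VIA_MAPI))
    print("SMTP submission:", all_trusted(VIA_SMTP))
```

With ALL_TRUSTED scored at -8.00 and a required score of 4, as in the headers posted earlier, a message on the all-trusted path needs 12 points from other rules before it is flagged, which matters when the goal of outbound scanning is to catch an infected internal client.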
Re: Need HELP setting up EFA for outgoing emails
Your configuration looks correct as far as I can tell, and no, your exchange server should be in both internal_networks and trusted_networks.
Can you run spamassassin with the debug options listed above and email me the results?
I'll pm you my address.
Oh, stupid question: you've restarted MailScanner after making the changes?
Re: Need HELP setting up EFA for outgoing emails
The changes aren't live yet. I saw your PM, will reply as soon as I can, thanks!
Re: Need HELP setting up EFA for outgoing emails
pdwalker wrote: 11 May 2017 08:42
Your configuration looks correct as far as I can tell, and no, your exchange server should be in both internal_networks and trusted_networks.
So EX isn't a relay in this case? I wasn't sure what exactly counts as a relay. my EX relays messages from all internal clients and from my webserver.
Re: Need HELP setting up EFA for outgoing emails
I think we are mixing up our word definitions:
Exchange is both a relay (it sends mail from clients to the outside world) and a trusted computer - assuming you think your exchange server is not compromised and sending out junk which is why we add it to both networks.
Can you recreate the log file. Change your command from
Code: Select all
spamassassin -D -t ADFC010005E.AC565 > /root/sa-result.txt
to
Code: Select all
spamassassin -D -t ADFC010005E.AC565 &> /root/sa-result.txt
so I can see all the information
Re: Need HELP setting up EFA for outgoing emails
pdwalker wrote: 11 May 2017 09:35
Exchange is both a relay (it sends mail from clients to the outside world) and a trusted computer - assuming you think your exchange server is not compromised and sending out junk which is why we add it to both networks.
So the requirement to scan outgoing emails for SPAM is to catch an outbreak if it occurs. i.e. an employee manages to catch a virus/trojan which then sends out SPAM. So should I put my EX into TRUSTED or only into INTERNAL? It should get a bonus but not enough to completely let everything skip through. I guess I'll keep it in both networks and watch it for a while.
pdwalker wrote: 11 May 2017 09:35
Can you recreate the log file. Change your command from
Code: Select all
spamassassin -D -t ADFC010005E.AC565 > /root/sa-result.txt
to
Code: Select all
spamassassin -D -t ADFC010005E.AC565 &> /root/sa-result.txt
so I can see all the information
Sorry, I didn't copy/paste but re-typed your command so I missed the & - will resend the files.