spamassassin, dmarc and forwarding

Feb 5, 2018
Hi all,

I have a question about spamassassin in pmg 8.1.2. I am filtering outgoing mail. I have some questions regarding forwarded mail. SPF breaks (because of the forwarding) and spamassassin increases the SPAM score. However, since the message also has a valid DKIM signature, DMARC should kick in and prevent the message from getting a high SPAM score.

these are the SPAM headers of a message sent to our server to a user who forwards his mail to some external server:

1. header generated by spamassassin scanning the incoming message from the external server:

Apr 4 13:02:04 caspar pmg-smtp-filter[833782]: 224E6660E88A881392: SA score=0/5 time=3.560 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_PASS(-0.1),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)

2. header generated by spamassassin scanning the outgoing forwarded message:

Apr 4 13:02:07 caspar pmg-smtp-filter[833799]: 224EB660E88AC50522: SA score=2/5 time=3.498 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_QUAR(0.1),KAM_DMARC_QUARANTINE(1),SPF_FAIL(0.919),SPF_HELO_NONE(0.001)

a) spamassassin gives SPF_FAIL(0.919)
b) there is a DKIM_VALID
c) I see no DMARC_PASS but a DMARC_QUAR

question:
why do I not see a DMARC_PASS in the outgoing (forwarded) mail, but instead a DMARC_QUAR? since the DKIM is valid, and consequently DMARC should pass.

in the above example no bad things happen, but when the mail is poorly formatted (e.g. newsletter email) or has other problems, the failing SPF is often enough to bring the message to a SPAM score > 5 and consequently the message (outgoing) is blocked.

Best,
Hp
 
hey guys,

maybe my original post was too long/complicated.

my question is: why does spamassassin mark a mail, that has a valid DKIM signature, with DMARC_QUAR. it should have a DMARC_PASS, right?

is it better if I ask this on a spamassassin mailing list?
 
> my question is: why does spamassassin mark a mail, that has a valid DKIM signature, with DMARC_QUAR. it should have a DMARC_PASS, right?
dmarc (in most tutorials online) requires both to be aligned - SPF and DKIM ...
I hope this helps!
 
thanks for the reply. I am not sure if we are talking about different things. But rfc 7489 clearly states:

Section 6.6.2

5. Conduct Identifier Alignment checks. With authentication checks and policy discovery performed, the Mail Receiver checks to see if Authenticated Identifiers fall into alignment as described in Section 3. If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check. All other conditions (authentication failures, identifier mismatches) are considered to be DMARC mechanism check failures.

so, in my opinion we should see a DMARC_PASS if either DKIM *or* SPF passes. do you agree?
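
The alignment step quoted from RFC 7489 above, as an added example that is not part of the original thread and is not SpamAssassin's or PMG's code. It assumes a naive "last two labels" organizational domain instead of the Public Suffix List, and the domains are constructed.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # ASSUMPTION: naive organizational domain (last two labels). A real
    # evaluator derives it from the Public Suffix List (RFC 7489, section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str       # RFC5322.From domain
    mailfrom_domain: str   # RFC5321.MailFrom domain, the identity SPF checks
    spf_result: str        # "pass", "fail", ...
    dkim: list             # [(d= domain, "pass" or "fail"), ...]

def dmarc_result(msg: Message, aspf: str = "r", adkim: str = "r") -> str:
    # An identifier counts only if it authenticated AND aligns with From.
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mailfrom_domain, msg.from_domain, aspf == "s")
    dkim_ok = any(res == "pass" and aligned(d, msg.from_domain, adkim == "s")
                  for d, res in msg.dkim)
    # Section 6.6.2 step 5: one aligned identifier is enough to pass.
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed messages.
DIRECT = Message("example.org", "example.org", "pass", [("example.org", "pass")])
# Forwarded: SPF fails at the next hop, the author-domain signature survives.
FORWARDED = Message("example.org", "example.org", "fail", [("example.org", "pass")])
# Forwarded, valid signature, but d= belongs to an unrelated domain.
FORWARDED_UNALIGNED = Message("example.org", "example.org", "fail",
                              [("mailer.example.net", "pass")])
# Signature from a subdomain: aligned in relaxed mode, not in strict mode.
SUBDOMAIN_SIG = Message("example.org", "example.org", "fail",
                        [("mail.example.org", "pass")])

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED", "FORWARDED_UNALIGNED", "SUBDOMAIN_SIG"):
        print(name, dmarc_result(globals()[name]))
    print("SUBDOMAIN_SIG adkim=s", dmarc_result(SUBDOMAIN_SIG, adkim="s"))
```

A valid DKIM signature only counts toward DMARC when its d= domain aligns with the From domain, which is why a valid signature and a DMARC failure can appear together.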
 
aahh, wow, you're totally right, that was the reason for not getting DMARC_PASS. thank you very much, I never would have spotted this because of the DKIM_PASS. so thank you very much.

I now get indeed DMARC_PASS:
Apr 11 13:14:53 caspar pmg-smtp-filter[430667]: 3CD056617C62CA369C: SA score=0/5 time=1.052 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),SPF_FAIL(0.919),SPF_HELO_NONE(0.001)

let me ask one more question, though:

I still get an SPF_FAIL(0.919) penalty, although DMARC passes and the mail is according to the RFC authenticated.

in this case this is no problem. but it can be a problem if the mail gets additional SPAM scores (typically the case for newsletter emails). such mails then might reach the critical SPAM score and get blocked.

what would you suggest to avoid this? assign DMARC_PASS a higher negative spam score to compensate for the SPF_FAIL?
 
> aahh, wow, you're totally right, that was the reason for not getting DMARC_PASS. thank you very much, I never would have spotted this because of the DKIM_PASS. so thank you very much.
was mostly an educated guess - as usually the weights and decisions made in SpamAssassin are quite fitting and well thought-through..
Thanks to you for pointing out that for DMARC either DKIM, SPF or both is considered enough for a mail to pass!

> in this case this is no problem. but it can be a problem if the mail gets additional SPAM scores (typically the case for newsletter emails). such mails then might reach the critical SPAM score and get blocked.
I personally would simply set a higher threshold for blocking and keep an area where mails are quarantined.
That way you can see if this actually would happen in practice - if that's the case I would consider raising the DMARC_PASS score - if not - just lower the score for blocking.

A bit more complicated - but you could add a custom rule that adds a negative score only if SPF_FAIL and DMARC_PASS are present...
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_custom_spamassassin_configuration

I hope this helps!
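
One way to check from the logs whether SPF_FAIL is ever what tips a DMARC-passing forwarded mail over the block level, before changing any scores. This is an added example, not part of the original thread and not PMG code. The first two log lines are taken from the thread, the third is constructed, and the block level of 5 and the `LOCAL_*` rule names are assumptions.

```python
import re

# Lines 1-2 are from the thread; line 3 is constructed for this example
# (LOCAL_DEMO_* are placeholder rule names with made-up scores).
SAMPLE_LOG = """\
Apr 4 13:02:07 caspar pmg-smtp-filter[833799]: 224EB660E88AC50522: SA score=2/5 time=3.498 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_QUAR(0.1),KAM_DMARC_QUARANTINE(1),SPF_FAIL(0.919),SPF_HELO_NONE(0.001)
Apr 11 13:14:53 caspar pmg-smtp-filter[430667]: 3CD056617C62CA369C: SA score=0/5 time=1.052 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),SPF_FAIL(0.919),SPF_HELO_NONE(0.001)
Apr 11 13:20:00 caspar pmg-smtp-filter[430700]: CONSTRUCTED0001: SA score=5/5 time=1.000 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_PASS(-0.1),SPF_FAIL(0.919),LOCAL_DEMO_A(2.5),LOCAL_DEMO_B(2.0)
"""

LINE_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (\w+): SA score=\S+ .*?hits=(\S+)")
HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?[\d.]+)\)")

def review(log: str, block_at: float = 5.0) -> list:
    """Report messages that hit both SPF_FAIL and DMARC_PASS.

    block_at is an ASSUMPTION (the level at which the outgoing rule blocks).
    """
    report = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        hits = {name: float(score) for name, score in HIT_RE.findall(m.group(2))}
        # Same condition a SpamAssassin meta rule would test, for example
        # (hypothetical name): meta LOCAL_SPF_FAIL_DMARC_PASS (SPF_FAIL && DMARC_PASS)
        if not {"SPF_FAIL", "DMARC_PASS"} <= hits.keys():
            continue
        total = sum(hits.values())
        without_spf = total - hits["SPF_FAIL"]
        report.append({
            "id": m.group(1),
            "total": round(total, 3),
            "without_spf_fail": round(without_spf, 3),
            # True only when SPF_FAIL alone moves the mail across the level.
            "spf_fail_decisive": total >= block_at > without_spf,
        })
    return report

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```

If no real message ever comes back with `spf_fail_decisive` set, a compensating rule changes nothing in practice; if some do, their `without_spf_fail` values show how large the negative score would need to be.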
 
thank you very much, this is a great answer.

yes, on incoming mail we have a 2-level scheme like that (above 10 gets blocked, above 3 gets quarantined).

but here we are talking about outgoing mail (mail that is forwarded from our server to somewhere else) I am not sure if it is possible to quarantine outgoing mail. in which quarantine would this mail go?

1. recipient of the forwarded mail (would not make much sense)
2. to the original sender of the mail (would make even less sense)
3. to the quarantine of the user that has a forwarding rule in place (that would make sense)

if 3. would be possible, then indeed we can give this a try (although it seems a bit strange to me).

if quarantine is not the way to go for outgoing mail, I will check if I can come up with a rule that compensates SPF_FAIL if DMARC_PASS is present.

many thanks,
hp
 
> but here we are talking about outgoing mail (mail that is forwarded from our server to somewhere else) I am not sure if it is possible to quarantine outgoing mail. in which quarantine would this mail go?
if you configure a rule with fitting direction and Quarantine as action the mail gets put in the quarantine of the recipient (even if it is not an "internal" or relay domain address) - only relay-domain addresses get the spam-report mails (and can log in) - but you as admin can access the quarantine of all users.

So depending on your number of users - quarantine could be an option.
 
