Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
DavidMerrill
Advanced member
Advanced member
Posts: 116
Joined: Thu Jul 30, 2015 2:44 pm
Location: Portland, ME
ZCS/ZD Version: 8.8.15 P19
Contact:

Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Postby DavidMerrill » Fri Mar 16, 2018 9:11 pm

One of our clients is running 8.7.11.GA.1854.UBUNTU16.64 NE.

In the Admin UI (Configuration > Servers > MTA) "MTA Trusted Networks" (Attribute Name zimbraMTAMyNetworks - value of postfix mynetworks) is set to

Code: Select all

127.0.0.0/8 10.9.9.0/24 173.220.228.19/32 173.220.228.20/32 173.220.228.21/32 173.220.228.22/32


In this file:

Code: Select all

/opt/zimbra/data/spamassassin/localrules/salocal.cf


there's this line:

Code: Select all

trusted_networks 127.0.0.0/8 10.9.9.0/24 173.220.228.19/32 173.220.228.20/32 173.220.228.21/32 173.220.228.22/32


It was my understanding that these IP addresses would be excluded from spam scanning in SpamAssassin.

However headers from this sample email (I've redacted client-identifying details) one can see that the email comes from 173.220.228.20 (see the last line) and is obviously getting spam scanned:

X-Spam-Flag: YES
X-Spam-Score: 9.11
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.11 required=9 tests=[ALL_TRUSTED=-1,
BAYES_00=-1.9, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
MANY_SPAN_IN_TEXT=2.999, T_OBFU_PDF_ATTACH=0.01]
autolearn=no autolearn_force=no
Received: from *****REDACTED***** ([127.0.0.1])
by localhost (*****REDACTED***** [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id V2W5qg6WO8GX; Thu, 8 Mar 2018 17:47:23 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1])
by *****REDACTED***** (Postfix) with ESMTP id 26BFA1AE3630;
Thu, 8 Mar 2018 17:47:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at *****REDACTED*****
Received: from *****REDACTED***** ([127.0.0.1])
by localhost (*****REDACTED***** [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id cmFBlIdin5Pi; Thu, 8 Mar 2018 17:47:22 +0000 (UTC)
Received: from *****REDACTED***** (*****REDACTED***** [173.220.228.20])
by *****REDACTED***** (Postfix) with ESMTP id 8BE511AE3628
for <*****REDACTED*****>; Thu, 8 Mar 2018 17:47:19 +0000 (UTC)

Clearly I'm missing something, where's the inconsistency?


___________________________________
David Merrill - Zimbra Practice Lead
OTELCO Zimbra Hosting, Licensing and Professional Services
Zeta Alliance
Sergey84
Posts: 1
Joined: Thu Jan 28, 2021 10:18 am

Re: Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Postby Sergey84 » Thu Jan 28, 2021 10:25 am

Good afternoon, DevidMerrill. I have the same problem. Did you manage to solve it somehow? It seems that the "trusted_networks" parameter is not working.
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2226
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Postby L. Mark Stone » Thu Jan 28, 2021 11:52 am

That attribute only sets for which hosts Postfix will act as an open relay.

If you want to treat internal emails differently the best way IMHO is to configure additional Policy Banks in amavis.

Zimbra by default treats all emails the same as regards amavis checking, so as to prevent a compromised mailbox from sending unchecked malware to others in the domain.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: Baidu [Spider], Zecca and 23 guests