FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 09-11-2008, 08:54 AM
"Bob Hoffman"
 
Default Logwatch / spamassassin

Hi all,

Well it took a while for me to figure it out, but apparently my logwatch no
longer can be mailed locally on my computer as I believe spamassassin is
eating it.

I can send it out to an email address outside my server though. So
spamassassin is only checking incoming I guess.

My question is....how do I...or should I.... Make all local mail go straight
to the boxes and skip spamasassin entirely..

Or.. Whitelist logwatch.

Apparently, I am guessing, all those nifty log reports are so full of
blacklisted urls and ips...well, you get the picure.

Best ways to make this work so I can get it delivered to root again?


Thanks

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 08:59 AM
Ralph Angenendt
 
Default Logwatch / spamassassin

Bob Hoffman wrote:
> Best ways to make this work so I can get it delivered to root again?

Please, don't give out too much information when asking questions, all
of us here really like to go on a wild goose chase now and then.

IOW:

Show logs.

Ralph
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 09:03 AM
"Bob Hoffman"
 
Default Logwatch / spamassassin

So..

To answer my own question...

so I edited the file /etc/mail/spamassassin/local.cf

whitelist_from logwatch@localhost.localdomain

Where localhost.localdomain is your hostname.servername

And it worked.

However, I am concerned about spoofing. I would think that mail agent and
spamassassin would have an 'okay, it's a local user' thing going on.

They do not.

On the internet there are 1000s of posts like mine, asking questions about
this and getting no answers. I hope this helps.

Centos 5.2...

-----Original Message-----
From: Bob Hoffman [mailto:bob@bobhoffman.com]
Sent: Thursday, September 11, 2008 4:54 AM
To: 'centos@centos.org'
Subject: Logwatch / spamassassin


Hi all,

Well it took a while for me to figure it out, but apparently my logwatch no
longer can be mailed locally on my computer as I believe spamassassin is
eating it.

I can send it out to an email address outside my server though. So
spamassassin is only checking incoming I guess.

My question is....how do I...or should I.... Make all local mail go straight
to the boxes and skip spamasassin entirely..

Or.. Whitelist logwatch.

Apparently, I am guessing, all those nifty log reports are so full of
blacklisted urls and ips...well, you get the picure.

Best ways to make this work so I can get it delivered to root again?


Thanks

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 09:19 AM
Ned Slider
 
Default Logwatch / spamassassin

Bob Hoffman wrote:

Hi all,


Well it took a while for me to figure it out, but apparently my logwatch no
longer can be mailed locally on my computer as I believe spamassassin is
eating it.

I can send it out to an email address outside my server though. So
spamassassin is only checking incoming I guess.

My question is....how do I...or should I.... Make all local mail go straight
to the boxes and skip spamasassin entirely..



Try adding a whitelist entry to /etc/mail/spamassassin/local.cf. To
whitelist all mail from your domain:


whitelist_from *@example.com


Or.. Whitelist logwatch.


or try:

whitelist_from logwatch@example.com

for a single address.

This will add -100 to the score for spamassassin.



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 09:38 AM
Ned Slider
 
Default Logwatch / spamassassin

Bob Hoffman wrote:

So..

To answer my own question...

so I edited the file /etc/mail/spamassassin/local.cf

whitelist_from logwatch@localhost.localdomain

Where localhost.localdomain is your hostname.servername

And it worked.



Sorry, didn't see you'd answered your own question in my previous reply


However, I am concerned about spoofing. I would think that mail agent and
spamassassin would have an 'okay, it's a local user' thing going on.

They do not.

On the internet there are 1000s of posts like mine, asking questions about
this and getting no answers. I hope this helps.



The best method (IMHO) is probably not to accept mail from a non-FQDN in
your MTA. There's no good reason I can think of to accept external mail
from localhost.localdomain.


Other methods using spamassassin might be to have those mails sent to an
account that shouldn't be filtered anyway (such as postmaster) or to
write a some header/body checks unique to your logwatch mails to make
sure they pass rather than just filtering on the From: sender address.






_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 01:33 PM
Bowie Bailey
 
Default Logwatch / spamassassin

Bob Hoffman wrote:
> So..
>
> To answer my own question...
>
> so I edited the file /etc/mail/spamassassin/local.cf
>
> whitelist_from logwatch@localhost.localdomain
>
> Where localhost.localdomain is your hostname.servername
>
> And it worked.
>
> However, I am concerned about spoofing. I would think that mail agent
> and spamassassin would have an 'okay, it's a local user' thing going
> on.

Generally, using 'whitelist_from' is a bad idea due to spoofing. The
address you are using will probably not cause too many problems, but you
should still fix it if possible. Use 'whitelist_from_rcvd' instead.
This will whitelist the address only if the mail comes from a specified
domain.

Try this (untested):

whitelist_from_rcvd logwatch@localhost.localdomain localhost.localdomain

Note that this will require your DNS server to resolve
localhost.localdomain (forward and reverse).

Another option is to configure your mail server to bypass SA entirely
for local mail.

--
Bowie
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 02:21 PM
"Bob Hoffman"
 
Default Logwatch / spamassassin

Ned,

Thanks for the letters. Yes, I added the whitelist, but think that is not
right either. No matter what I add in there, it will allow someone to use it
and come in.
The postmaster not getting tagged is just as scary actually.

The weird part is the mail will go to another server via smtp and not be
tagged as SPAM. How strange is that. I can only assume I should be changing
something in the logwatch file to make it not be from 'logwatch' but to
instead be 'root' or some other local user.

Since logwatch has no local user in my mail setups...maybe that is the
problem. So it might be that matter that makes it get killed by procmail or
by spamassassin.

Strange. But a very obvious problem across the net.

I will work on this more tonight and see if I can get it to run better
without whitelisting.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 03:15 PM
"RobertH"
 
Default Logwatch / spamassassin

Take a logwatch email with lots of "bad ips etc" and run it through
spamassassin as the same user that spamassassin runs under on that machine
and it will give you some info you need to make better decisions

You will actually see how it is getting eval'd and scored...

The best answer(s), and what you use to solve the issue may not be the same
thing.

Once you do that, you could actually create a rule called
ADMIN_LOGWATCH_LOCAL and have it score appropriately.

Whitelisting is a kludge.

Possibly your trust path could be messed up too.

Many people would say don't allow the MTA to hand to SA, yet if all email
must be handed to SA by policy.... you get the idea...

- rh

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 07:04 PM
Scott Silva
 
Default Logwatch / spamassassin

<snip>


Try adding a whitelist entry to /etc/mail/spamassassin/local.cf. To
whitelist all mail from your domain:


whitelist_from *@example.com

It is very easy to spoof email addresses. It is better to whitelist from ip
addresses when possible.





--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-11-2008, 08:39 PM
"Bob Hoffman"
 
Default Logwatch / spamassassin

I have been thinking on this for a while now. Since logwatch can send a mail
to another server and that server DOES not mark it as spam, that presents a
logic issue. Now, the other server does not have as new a spam assassin as
the new, so it is hard to check it that way.
So I 'replied' to the logwatch file and sent it to a known user, back to the
new server. It never arrived.

>From that I know a 100% spam assassin is taking it, not based on local
usernames, or any sendmail settings. I had originally thought that because
'logwatch' was not a sender that would be an issue.

I like the 'from ip' whitelist, but is not that spoofable too? I imagine
making it both 'logwatch and from this IP' might be better.

In logwatch there is a setting to say who the mail is from, right now it
says 'logwatch' but I could always add some long goobledy gook as 'from'
like

"alkjfpolp3534j4f9logwatchsd9f9se9sdf9s99fwe"

And then whitelist that, make it like 40 characters or whatever.

I can understand why spamassassin cannot tell it is from a local user or
have the ability to just auto whitelist stuff from a local user....but I can
forsee problems with interwebsite mails and even things like mailing lists
on the server without properly thinking this through.

Never thought this would be an issue, but at least I know how to make it
work...sorta.

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of Scott Silva
> Sent: Thursday, September 11, 2008 3:04 PM
> To: centos@centos.org
> Subject: [CentOS] Re: Logwatch / spamassassin
>
> <snip>
> >
> > Try adding a whitelist entry to /etc/mail/spamassassin/local.cf. To
> > whitelist all mail from your domain:
> >
> > whitelist_from *@example.com
> >
> It is very easy to spoof email addresses. It is better to
> whitelist from ip addresses when possible.
>
>
>
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
>

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 10:33 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org