Bug 730308

Summary: spamass-milter does not detect Postfix authenticated mail
Product: [Fedora] Fedora Reporter: Pim Zandbergen <p.zandbergen>
Component: spamass-milterAssignee: Paul Howarth <paul>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 14CC: paul
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: spamass-milter-0.3.2-3.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-06 23:57:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pim Zandbergen 2011-08-12 12:51:46 UTC
Description of problem:
After switching from Sendmail to Postfix, spamass-milter no longer detects SMTP AUTH authenticated mail as such. This causes SPF failures and false positives.


Version-Release number of selected component (if applicable):
spamass-milter-0.3.1-21.fc14.x86_64

How reproducible:
Always


Steps to Reproduce:
1. configure postfix, spamassassin with spamass-milter
2. receive an SMTP AUTH authenticated mail from an untrustworthy source
3. examine the received mail headers
  
Actual results:
IP-adress of untrustworthy source is examined by spamassassin


Expected results:
IP-adress of untrustworthy source is ignored


Additional info:
Having spamass-milter recognize authenticated messages should sufficient, but making sure by using the -I option does not work either

Probable cause:
spamass-milter relies on the sendmail {auth_ssf} macro which is not available in Postfix

Suggested fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627989

Comment 1 Paul Howarth 2011-08-12 13:11:07 UTC
The patch implementing AUTH support in Fedora uses the {auth_authen} macro, which according to http://www.postfix.org/MILTER_README.html is supported by Postfix.

You could try running with the "-d misc" option to help debug what the milter is getting when asking Postfix for {auth_authen}.

Comment 2 Paul Howarth 2011-08-12 13:23:59 UTC
Additional note: make sure you have {auth_authen} in milter_mail_macros.

Comment 3 Pim Zandbergen 2011-08-12 13:34:43 UTC
That is the case by default. The only change I made was adding "_" to milter_connect_macros, in order to prevent UNPARSEBLE_RELAY reports

milter_connect_macros = j {daemon_name} v {if_name} _
milter_data_macros = i
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
milter_unknown_command_macros =

Comment 4 Pim Zandbergen 2011-08-12 15:29:57 UTC
It now appears I was bit by another bug.
Changes to to /etc/sysconfig/spamass-milter were not caught after restarting spamass-milter.

I was testing the -I and the -d options on a non-production Fedora 15 box.
I can now conclude that

systemctl restart spamass-milter.service

does not kill the old instance. The new instance cannot connect to the MTA.

After manually restarting spamass-milter, the Fedora patch that provides the -I option does work as advertised.

Still, I would prefer the proposed Debian patch, as it does not require a custom startup config and allows the mail to be processed by spamassassin rather than skipping that.

Comment 5 Paul Howarth 2011-08-12 21:02:54 UTC
(In reply to comment #4)
> It now appears I was bit by another bug.
> Changes to to /etc/sysconfig/spamass-milter were not caught after restarting
> spamass-milter.
> 
> I was testing the -I and the -d options on a non-production Fedora 15 box.
> I can now conclude that
> 
> systemctl restart spamass-milter.service
> 
> does not kill the old instance. The new instance cannot connect to the MTA.

This is strange because the SysV initscript just does a stop and a start for "restart", which involves killing the old one and starting a new one. Can you reproduce this?

> After manually restarting spamass-milter, the Fedora patch that provides the -I
> option does work as advertised.
> 
> Still, I would prefer the proposed Debian patch, as it does not require a
> custom startup config and allows the mail to be processed by spamassassin
> rather than skipping that.

Looking at that patch, I feel it's complementary to what's already in, which already includes adding the "(authenticated bits={auth_ssf})" part of the Received: header if {auth_ssf} is present. It just needs tweaking to add "(authenticated)" if {auth_authen} is present but {auth_ssf} is not.

Comment 6 Pim Zandbergen 2011-08-15 08:47:20 UTC
> This is strange because the SysV initscript just does a stop and a start for
> "restart", which involves killing the old one and starting a new one. Can you
> reproduce this?

Every time. And there's a warning from systemd that might be related:

systemd[1]: spamass-milter.service: Supervising process nnnn which is not our child. We'll most likely not notice when it exits.

Typing stop and start instead of restart did work; maybe because of the typing delay.

This was with spamass-milter-0.3.2-1.fc15.x86_64 which still had the wrapper
script. Upgrading to spamass-milter-0.3.2-2.fc16.x86_64 from rawhide fixes that.
I suppose I don't have to file this as a separate bug, as the solution is already there.

Comment 7 Paul Howarth 2011-08-18 13:38:07 UTC
Can you give this scratch build a try:

(f14) http://koji.fedoraproject.org/koji/taskinfo?taskID=3282480
(f15) http://koji.fedoraproject.org/koji/taskinfo?taskID=3282495

It adds "(authenticated)" to the dummy Received: header if {auth_authen} is present but {auth_ssf} is missing.

I use sendmail myself and that's still working OK :-)

Comment 8 Pim Zandbergen 2011-08-23 15:58:57 UTC
I tried the f15 version on an x86_64 non-production server.

It works as advertised. I could switch off the -I switch; authenticated mail is now processed by spamassassin, but it is tagged ALL_TRUSTED like it did with sendmail.

Thanks. I will try the f14 version later.

Comment 9 Pim Zandbergen 2011-08-23 16:16:32 UTC
The f14 version fails on our x86_64 production server.
Mail will be rejected.
Syslog says "postfix/smtpd[12184]: warning: milter unix:/var/run/spamass-milter/postfix/sock: can't read SMFIC_MAIL reply packet header: Broken pipe"

Comment 10 Paul Howarth 2011-08-23 20:25:58 UTC
(In reply to comment #9)
> The f14 version fails on our x86_64 production server.
> Mail will be rejected.
> Syslog says "postfix/smtpd[12184]: warning: milter
> unix:/var/run/spamass-milter/postfix/sock: can't read SMFIC_MAIL reply packet
> header: Broken pipe"

That doesn't look like something that would have changed as a result of the new patch; is the only thing changed the new milter? If you revert to the old one (which version exactly?), does it start working again? I trust you have the spamass-milter-postfix package installed too?

Comment 11 Pim Zandbergen 2011-08-24 17:53:02 UTC
I was kind of very hasty to revert back when I noticed all mail was being rejected on this production server.

I tried it again, this time restarted postfix as well. That did it.
Somehow, other upgrades and downgrades did not require a postfix restart.

Thanks

Comment 12 Fedora Update System 2011-08-24 20:54:23 UTC
spamass-milter-0.3.2-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc16

Comment 13 Fedora Update System 2011-08-24 20:54:30 UTC
spamass-milter-0.3.2-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc15

Comment 14 Fedora Update System 2011-08-24 21:00:31 UTC
spamass-milter-0.3.2-3.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc14

Comment 15 Fedora Update System 2011-08-24 21:04:14 UTC
spamass-milter-0.3.2-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el6

Comment 16 Fedora Update System 2011-08-24 21:06:06 UTC
spamass-milter-0.3.2-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el5

Comment 17 Fedora Update System 2011-08-24 21:06:15 UTC
spamass-milter-0.3.2-3.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el4

Comment 18 Fedora Update System 2011-08-26 19:01:50 UTC
Package spamass-milter-0.3.2-3.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing spamass-milter-0.3.2-3.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc14
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2011-09-06 23:57:28 UTC
spamass-milter-0.3.2-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2011-09-07 00:28:07 UTC
spamass-milter-0.3.2-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2011-09-07 03:25:29 UTC
spamass-milter-0.3.2-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2011-09-08 23:57:13 UTC
spamass-milter-0.3.2-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2011-09-08 23:59:09 UTC
spamass-milter-0.3.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2011-09-09 00:05:20 UTC
spamass-milter-0.3.2-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.