Bug 730308 - spamass-milter does not detect Postfix authenticated mail
Summary: spamass-milter does not detect Postfix authenticated mail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: spamass-milter
Version: 14
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-12 12:51 UTC by Pim Zandbergen
Modified: 2011-09-09 00:05 UTC (History)

Fixed In Version: spamass-milter-0.3.2-3.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-06 23:57:33 UTC


Links
System ID Priority Status Summary Last Updated
Debian BTS 627989 None None None Never

Description Pim Zandbergen 2011-08-12 12:51:46 UTC
Description of problem:
After switching from Sendmail to Postfix, spamass-milter no longer detects SMTP AUTH authenticated mail as such. This causes SPF failures and false positives.


Version-Release number of selected component (if applicable):
spamass-milter-0.3.1-21.fc14.x86_64

How reproducible:
Always


Steps to Reproduce:
1. configure postfix, spamassassin with spamass-milter
2. receive an SMTP AUTH authenticated mail from an untrustworthy source
3. examine the received mail headers
  
Actual results:
IP address of untrustworthy source is examined by spamassassin


Expected results:
IP address of untrustworthy source is ignored


Additional info:
Having spamass-milter recognize authenticated messages should be sufficient, but making sure by using the -I option does not work either.

Probable cause:
spamass-milter relies on the sendmail {auth_ssf} macro which is not available in Postfix

Suggested fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627989

Comment 1 Paul Howarth 2011-08-12 13:11:07 UTC
The patch implementing AUTH support in Fedora uses the {auth_authen} macro, which according to http://www.postfix.org/MILTER_README.html is supported by Postfix.

You could try running with the "-d misc" option to help debug what the milter is getting when asking Postfix for {auth_authen}.

Comment 2 Paul Howarth 2011-08-12 13:23:59 UTC
Additional note: make sure you have {auth_authen} in milter_mail_macros.

Comment 3 Pim Zandbergen 2011-08-12 13:34:43 UTC
That is the case by default. The only change I made was adding "_" to milter_connect_macros, in order to prevent UNPARSEABLE_RELAY reports.

milter_connect_macros = j {daemon_name} v {if_name} _
milter_data_macros = i
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
milter_unknown_command_macros =

Comment 4 Pim Zandbergen 2011-08-12 15:29:57 UTC
It now appears I was bit by another bug.
Changes to /etc/sysconfig/spamass-milter were not caught after restarting spamass-milter.

I was testing the -I and the -d options on a non-production Fedora 15 box.
I can now conclude that

systemctl restart spamass-milter.service

does not kill the old instance. The new instance cannot connect to the MTA.

After manually restarting spamass-milter, the Fedora patch that provides the -I option does work as advertised.

Still, I would prefer the proposed Debian patch, as it does not require a custom startup config and allows the mail to be processed by spamassassin rather than skipping that.

Comment 5 Paul Howarth 2011-08-12 21:02:54 UTC
(In reply to comment #4)
> It now appears I was bit by another bug.
> Changes to /etc/sysconfig/spamass-milter were not caught after restarting
> spamass-milter.
> 
> I was testing the -I and the -d options on a non-production Fedora 15 box.
> I can now conclude that
> 
> systemctl restart spamass-milter.service
> 
> does not kill the old instance. The new instance cannot connect to the MTA.

This is strange because the SysV initscript just does a stop and a start for "restart", which involves killing the old one and starting a new one. Can you reproduce this?

> After manually restarting spamass-milter, the Fedora patch that provides the -I
> option does work as advertised.
> 
> Still, I would prefer the proposed Debian patch, as it does not require a
> custom startup config and allows the mail to be processed by spamassassin
> rather than skipping that.

Looking at that patch, I feel it's complementary to what's already in, which already includes adding the "(authenticated bits={auth_ssf})" part of the Received: header if {auth_ssf} is present. It just needs tweaking to add "(authenticated)" if {auth_authen} is present but {auth_ssf} is not.

Comment 6 Pim Zandbergen 2011-08-15 08:47:20 UTC
> This is strange because the SysV initscript just does a stop and a start for
> "restart", which involves killing the old one and starting a new one. Can you
> reproduce this?

Every time. And there's a warning from systemd that might be related:

systemd[1]: spamass-milter.service: Supervising process nnnn which is not our child. We'll most likely not notice when it exits.

Typing stop and start instead of restart did work; maybe because of the typing delay.

This was with spamass-milter-0.3.2-1.fc15.x86_64 which still had the wrapper
script. Upgrading to spamass-milter-0.3.2-2.fc16.x86_64 from rawhide fixes that.
I suppose I don't have to file this as a separate bug, as the solution is already there.

Comment 7 Paul Howarth 2011-08-18 13:38:07 UTC
Can you give this scratch build a try:

(f14) http://koji.fedoraproject.org/koji/taskinfo?taskID=3282480
(f15) http://koji.fedoraproject.org/koji/taskinfo?taskID=3282495

It adds "(authenticated)" to the dummy Received: header if {auth_authen} is present but {auth_ssf} is missing.

I use sendmail myself and that's still working OK :-)
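
The macro decision described in comments 5 and 7, as an added C++ example; it is not spamass-milter's source code or the Fedora patch. The `Macros` map (a stand-in for the values the MTA sends to the milter), the helper names, the numeric check on {auth_ssf}, the sample hosts and the shortened header layout are assumptions of this example.

```cpp
// Added example: not spamass-milter source code.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for the macros the MTA passes to a milter.
using Macros = std::map<std::string, std::string>;

// Value of a macro, or "" when the MTA did not send it.
std::string macro(const Macros& m, const std::string& name) {
    auto it = m.find(name);
    return it == m.end() ? "" : it->second;
}

// Extra check in this example: only a purely numeric {auth_ssf} is embedded.
bool is_number(const std::string& s) {
    return !s.empty() && std::all_of(s.begin(), s.end(),
        [](unsigned char c) { return std::isdigit(c) != 0; });
}

// Annotation for the dummy Received: header; "" means unauthenticated.
std::string auth_annotation(const Macros& m) {
    const std::string ssf = macro(m, "{auth_ssf}");
    if (is_number(ssf)) return "(authenticated bits=" + ssf + ")";      // Sendmail
    if (!macro(m, "{auth_authen}").empty()) return "(authenticated)";   // Postfix
    return "";
}

// Simplified header layout (hypothetical, shortened for the example).
std::string dummy_received(const Macros& m, const std::string& helo,
                           const std::string& ip) {
    std::string line = "Received: from " + helo + " ([" + ip + "])";
    const std::string auth = auth_annotation(m);
    if (!auth.empty()) line += " " + auth;
    return line + " by " + macro(m, "j");
}

int main() {
    // Constructed sample sessions: Sendmail-style, Postfix-style, unauthenticated.
    Macros sendmail = {{"j", "mx.example.org"}, {"{auth_authen}", "alice"}, {"{auth_ssf}", "256"}};
    Macros postfix  = {{"j", "mx.example.org"}, {"{auth_authen}", "alice"}};
    Macros anon     = {{"j", "mx.example.org"}};
    for (const Macros& m : {sendmail, postfix, anon})
        std::cout << dummy_received(m, "client.example.net", "192.0.2.10") << "\n";
}
```

Only the second case changes with the fix: a session that has {auth_authen} but no {auth_ssf} now carries an authenticated marker instead of looking like an unauthenticated relay.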

Comment 8 Pim Zandbergen 2011-08-23 15:58:57 UTC
I tried the f15 version on an x86_64 non-production server.

It works as advertised. I could switch off the -I switch; authenticated mail is now processed by spamassassin, but it is tagged ALL_TRUSTED like it did with sendmail.

Thanks. I will try the f14 version later.

Comment 9 Pim Zandbergen 2011-08-23 16:16:32 UTC
The f14 version fails on our x86_64 production server.
Mail will be rejected.
Syslog says "postfix/smtpd[12184]: warning: milter unix:/var/run/spamass-milter/postfix/sock: can't read SMFIC_MAIL reply packet header: Broken pipe"

Comment 10 Paul Howarth 2011-08-23 20:25:58 UTC
(In reply to comment #9)
> The f14 version fails on our x86_64 production server.
> Mail will be rejected.
> Syslog says "postfix/smtpd[12184]: warning: milter
> unix:/var/run/spamass-milter/postfix/sock: can't read SMFIC_MAIL reply packet
> header: Broken pipe"

That doesn't look like something that would have changed as a result of the new patch; is the only thing changed the new milter? If you revert to the old one (which version exactly?), does it start working again? I trust you have the spamass-milter-postfix package installed too?

Comment 11 Pim Zandbergen 2011-08-24 17:53:02 UTC
I was kind of very hasty to revert back when I noticed all mail was being rejected on this production server.

I tried it again, this time restarted postfix as well. That did it.
Somehow, other upgrades and downgrades did not require a postfix restart.

Thanks

Comment 12 Fedora Update System 2011-08-24 20:54:23 UTC
spamass-milter-0.3.2-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc16

Comment 13 Fedora Update System 2011-08-24 20:54:30 UTC
spamass-milter-0.3.2-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc15

Comment 14 Fedora Update System 2011-08-24 21:00:31 UTC
spamass-milter-0.3.2-3.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc14

Comment 15 Fedora Update System 2011-08-24 21:04:14 UTC
spamass-milter-0.3.2-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el6

Comment 16 Fedora Update System 2011-08-24 21:06:06 UTC
spamass-milter-0.3.2-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el5

Comment 17 Fedora Update System 2011-08-24 21:06:15 UTC
spamass-milter-0.3.2-3.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.el4

Comment 18 Fedora Update System 2011-08-26 19:01:50 UTC
Package spamass-milter-0.3.2-3.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing spamass-milter-0.3.2-3.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/spamass-milter-0.3.2-3.fc14
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2011-09-06 23:57:28 UTC
spamass-milter-0.3.2-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2011-09-07 00:28:07 UTC
spamass-milter-0.3.2-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2011-09-07 03:25:29 UTC
spamass-milter-0.3.2-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2011-09-08 23:57:13 UTC
spamass-milter-0.3.2-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2011-09-08 23:59:09 UTC
spamass-milter-0.3.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2011-09-09 00:05:20 UTC
spamass-milter-0.3.2-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

