Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

DavidMerrill
Advanced member
Posts: 126
Joined: Thu Jul 30, 2015 2:44 pm
Location: Portland, ME
ZCS/ZD Version: 8.8.15 P19

Post by DavidMerrill »

One of our clients is running 8.7.11.GA.1854.UBUNTU16.64 NE.

In the Admin UI (Configuration > Servers > MTA) "MTA Trusted Networks" (Attribute Name zimbraMTAMyNetworks - value of postfix mynetworks) is set to

127.0.0.0/8 10.9.9.0/24 173.220.228.19/32 173.220.228.20/32 173.220.228.21/32 173.220.228.22/32

In this file:

/opt/zimbra/data/spamassassin/localrules/salocal.cf

there's this line:

trusted_networks 127.0.0.0/8 10.9.9.0/24 173.220.228.19/32 173.220.228.20/32 173.220.228.21/32 173.220.228.22/32

It was my understanding that these IP addresses would be excluded from spam scanning in SpamAssassin.

However, in the headers from this sample email (I've redacted client-identifying details) one can see that the email comes from 173.220.228.20 (see the last line) and is obviously getting spam scanned:

X-Spam-Flag: YES
X-Spam-Score: 9.11
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.11 required=9 tests=[ALL_TRUSTED=-1,
    BAYES_00=-1.9, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
    MANY_SPAN_IN_TEXT=2.999, T_OBFU_PDF_ATTACH=0.01]
    autolearn=no autolearn_force=no
Received: from *****REDACTED***** ([127.0.0.1])
    by localhost (*****REDACTED***** [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id V2W5qg6WO8GX; Thu, 8 Mar 2018 17:47:23 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by *****REDACTED***** (Postfix) with ESMTP id 26BFA1AE3630;
    Thu, 8 Mar 2018 17:47:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at *****REDACTED*****
Received: from *****REDACTED***** ([127.0.0.1])
    by localhost (*****REDACTED***** [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id cmFBlIdin5Pi; Thu, 8 Mar 2018 17:47:22 +0000 (UTC)
Received: from *****REDACTED***** (*****REDACTED***** [173.220.228.20])
    by *****REDACTED***** (Postfix) with ESMTP id 8BE511AE3628
    for <*****REDACTED*****>; Thu, 8 Mar 2018 17:47:19 +0000 (UTC)

Clearly I'm missing something, where's the inconsistency?
___________________________________
David Merrill - Zimbra Practice Lead
OTELCO Zimbra Hosting, Licensing and Professional Services
Zeta Alliance
Sergey84
Posts: 1
Joined: Thu Jan 28, 2021 10:18 am

Re: Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Post by Sergey84 »

Good afternoon, DavidMerrill. I have the same problem. Did you manage to solve it somehow? It seems that the "trusted_networks" parameter is not working.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Postfix/Spamassassin and "Trusted Networks" - Excluding IPs from spam scanning...

Post by L. Mark Stone »

That attribute only sets for which hosts Postfix will act as an open relay.

If you want to treat internal emails differently, the best way IMHO is to configure additional Policy Banks in amavis.

Zimbra by default treats all emails the same as regards amavis checking, so as to prevent a compromised mailbox from sending unchecked malware to others in the domain.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
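
An added example (not code from any poster or from Zimbra) that reads the headers quoted in the first post: it checks the submitting relay against the trusted_networks list, confirms that SpamAssassin's ALL_TRUSTED rule fired, and sums the per-test scores to show which rule carried the message over the threshold. The header text is abridged from the post with redactions replaced by the constructed name mta.example; the function name and result keys are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# trusted_networks value quoted in the first post
TRUSTED = ("127.0.0.0/8 10.9.9.0/24 173.220.228.19/32 "
           "173.220.228.20/32 173.220.228.21/32 173.220.228.22/32")

# Headers from the first post, abridged; redactions replaced by constructed names
SAMPLE = """\
X-Spam-Status: Yes, score=9.11 required=9 tests=[ALL_TRUSTED=-1,
\tBAYES_00=-1.9, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
\tMANY_SPAN_IN_TEXT=2.999, T_OBFU_PDF_ATTACH=0.01]
\tautolearn=no autolearn_force=no
Received: from mta.example ([127.0.0.1])
\tby localhost (mta.example [127.0.0.1]) (amavisd-new, port 10032)
\twith ESMTP id V2W5qg6WO8GX; Thu, 8 Mar 2018 17:47:23 +0000 (UTC)
Received: from mta.example (mta.example [173.220.228.20])
\tby mta.example (Postfix) with ESMTP id 8BE511AE3628
\tfor <user@mta.example>; Thu, 8 Mar 2018 17:47:19 +0000 (UTC)

body
"""

def analyse(raw, trusted=TRUSTED):
    msg = message_from_string(raw)
    status = " ".join(msg["X-Spam-Status"].split())  # unfold the header
    required = float(re.search(r"required=([\d.]+)", status).group(1))
    inner = re.search(r"tests=\[(.*?)\]", status).group(1)
    tests = {n: float(s) for n, s in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", inner)}
    # The oldest Received header is the last one; its bracketed IP is the client
    first_hop = msg.get_all("Received")[-1]
    client = ipaddress.ip_address(re.search(r"\[([0-9a-fA-F.:]+)\]", first_hop).group(1))
    nets = [ipaddress.ip_network(n) for n in trusted.split()]
    top = max(tests, key=tests.get)
    return {
        "client": str(client),
        "client_trusted": any(client in n for n in nets),
        "all_trusted_fired": "ALL_TRUSTED" in tests,  # relay trust was applied
        "total": round(sum(tests.values()), 3),
        "required": required,
        "top_rule": top,
        "total_without_top": round(sum(tests.values()) - tests[top], 3),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On these headers the client is inside the trusted list and ALL_TRUSTED is among the tests, so the trusted_networks setting was honoured as a scoring input while the message was still scanned; DMARC_FAIL_REJECT=9 alone accounts for the score reaching required=9.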