Thoughts regarding X-Originating-IP headers
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Thoughts regarding X-Originating-IP headers
Hi,
Just wondering, how do you usually configure this? In my case, I usually try to leave it on, and if false positives come up because of it, then I turn it off. I like having the traceability it provides, but most of the times it gives more problems than solutions.
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Thoughts regarding X-Originating-IP headers
Years ago I would turn off X-Originating-IP, but now I keep it turned on because it is necessary for the IP blocking capability of DoSFilter, which I find very useful.
The false positives in my experience are all from ZCO users on dynamic and other IP addresses that SpamAssassin wants to block/score highly. The fix for this latter problem is to change the score for the two SpamAssassin tests that cause this. As I mention in my Anti-Spam Best Practices 2019 blog post, if you add these two lines to /opt/zimbra/data/spamassassin/localrules/sauser.cf (creating the file if it doesn't already exist), you'll stop blocking legitimate emails sent by ZCO users.
Code:
score DOS_OUTLOOK_TO_MX 0
score TO_EQ_FM_DIRECT_MX 0
Blog post here: https://www.missioncriticalemail.com/20 ... ices-2019/
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Thoughts regarding X-Originating-IP headers
Hi Mark!
Barely today, it happened to me that in my lab environment, when sending mails with that option enabled, these SA filters were kicking in:
RCVD_IN_PBL=3.558
RDNS_NONE=1.274
RCVD_IN_SORBS_DUL=0.001
I was performing the tests from my home (I was testing some other thing actually), which in fact is a dynamic IP that is listed in PBL and others.
I guess the best course of action here would be to lower these scores?
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Thoughts regarding X-Originating-IP headers
I think it could be good to reduce the RCVD_IN_PBL, yes.
Interesting old discussion on this here:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6501
All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
Re: Thoughts regarding X-Originating-IP headers
pup_seba wrote:
> Hi Mark!
> Barely today, it happened to me that in my lab environment, when sending mails with that option enabled, these SA filters were kicking in:
> RCVD_IN_PBL=3.558
> RDNS_NONE=1.274
> RCVD_IN_SORBS_DUL=0.001
> I was performing the tests from my home (I was testing some other thing actually), which in fact is a dynamic IP that is listed in PBL and others.
> I guess the best course of action here would be to lower these scores?
Hi, messages from internal users, authenticated users?
ccelis
- Advanced member
- Posts: 50
- Joined: Wed Aug 08, 2018 8:44 am
Re: Thoughts regarding X-Originating-IP headers
I usually leave the X-Originating-IP header intact for debugging/traceability but I switch off its verification from the SpamAssassin rules (10_default_prefs.cf file in default and updated rules):
Code:
# delete X-Originating-IP from spamminess analysis
# (drop the header name from the originating_ip_headers line of the shipped rules)
sed -i 's@X-Originating-IP @@' /opt/zimbra/data/spamassassin/rules/10_default_prefs.cf
# re-apply the same edit to the rule files zmsaupdate downloads daily, by inserting
# the sed calls just before the restart step of /opt/zimbra/libexec/zmsaupdate
sed -i '/qx(\$restart);/ i qx(sed -i "s#X-Originating-IP ##" /opt/zimbra/data/spamassassin/rules/10_default_prefs.cf);' /opt/zimbra/libexec/zmsaupdate
# (the state path contains the installed SpamAssassin version; adjust it after upgrades)
sed -i '/qx(\$restart);/ i qx(sed -i "s#X-Originating-IP ##" /opt/zimbra/data/spamassassin/state/3.004001/updates_spamassassin_org/10_default_prefs.cf);' /opt/zimbra/libexec/zmsaupdate
The part with zmsaupdate is necessary since it downloads new rules every day. This replacement by sed is to be done after each zimbra version change. I use this method since Zimbra 8.0 and it was always working fine.
- JDunphy
- Outstanding Member
- Posts: 897
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Thoughts regarding X-Originating-IP headers
Have you tried this in salocal.cf ... I can see from my comments I wasn't pleased with running BL tests against client side headers. You can also remove explicit headers if you still want to filter on some but not all with SA. I have always thought that trusted_networks was responsible for some of these rules firing against authenticated users. Certainly, PBL was never meant to be run against authenticated clients from reading the project's goal. I don't have problems with these rules firing in our configurations by SA and we still leave the header as a courtesy. I am laughing at my comments now since I must have really been in a bad mood with a false positive to take them all out. LOL
Code:
# No RBL checks on X- headers. We commented out the adding to the list of X- headers to check
# against blacklists (RBL). Makes no sense to have these checks.
# Headers to parse for originating IP address
if (can(Mail::SpamAssassin::Conf::feature_originating_ip_headers))
clear_originating_ip_headers
#originating_ip_headers X-Yahoo-Post-IP X-Originating-IP X-Apparently-From
#originating_ip_headers X-SenderIP X-AOL-IP
endif
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Thoughts regarding X-Originating-IP headers
Nope, I never dug so deep; I will usually break more things than I'll improve.
While we are at it, is this the place to tune if we want to hide our hostnames to the public? I'm talking about the local hostnames that appear in the headers of the mail.
- JDunphy
- Outstanding Member
- Posts: 897
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Thoughts regarding X-Originating-IP headers
pup_seba wrote:
> While we are at it, is this the place to tune if we want to hide our hostnames to the public? I'm talking about the local hostnames that appear in the headers of the mail.
I am not sure... In the past, I didn't like leaking the IP addresses for our remote offices or our homes when using MUAs because of this header ... so I used postfix_header_checks to fix headers I didn't like. Sometimes, I would replace it with our external IP like the zimbra server but other times, just created a new header that made up some fib. You could probably do it there to sanitize your outgoing email if that was a desired goal.
Code:
% grep -i X-Originating */*/*
mods/opt.zimbra.conf/postfix_header_checks:/^X-Originating-IP:.*24\.X\.Y\.Z.*/ REPLACE XX-Originating-IP: Authenticated phone or internet dongle on network
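A header_checks rule like the one above is easiest to validate offline before it touches production mail. The following is an added example, not code from this thread or from Zimbra: a small Python emulator of the header_checks subset the rule relies on (regexp table, first match wins, IGNORE drops the header, REPLACE rewrites it with $1-style substitution), run over a constructed message with a folded header. The table, the addresses and the sample message are all hypothetical.

```python
import re

# Hypothetical table. 203.0.113.10 (RFC 5737) stands in for the server's own
# public address, as in the "replace it with our external ip" approach.
HEADER_CHECKS = [
    # authenticated user on an RFC 1918 address: drop the header entirely
    (r"^X-Originating-IP:\s*\[?(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", "IGNORE"),
    # any other client address: replace it with the server's public address
    (r"^X-Originating-IP:", "REPLACE X-Originating-IP: [203.0.113.10]"),
]

def unfold(raw_headers):
    """Join RFC 5322 folded continuation lines into logical header lines."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines

def apply_header_checks(raw_headers, table=HEADER_CHECKS):
    """Return the logical header lines left after applying the table
    (regexp table, first match wins; IGNORE drops, REPLACE rewrites)."""
    compiled = [(re.compile(pat, re.I), act) for pat, act in table]
    out = []
    for line in unfold(raw_headers):
        for rx, action in compiled:
            m = rx.search(line)
            if not m:
                continue
            verb, _, text = action.partition(" ")
            if verb == "IGNORE":
                line = None
            elif verb == "REPLACE":
                # Postfix substitutes $1..$9 from the match into the new text
                line = m.expand(re.sub(r"\$(\d)", r"\\\1", text))
            break  # first matching pattern wins, as in Postfix lookup tables
        if line is not None:
            out.append(line)
    return out

# Constructed sample: a message submitted by an authenticated MUA from a home
# address (192.0.2.77, RFC 5737), with X-Originating-IP folded over two lines.
SAMPLE = (
    "Received: from [192.0.2.77] by mail.example.org with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-Originating-IP:\n"
    "\t[192.0.2.77]\n"
    "Subject: test\n"
)
```

Only the logical X-Originating-IP line is rewritten; the Received line still carries the client address, which is why hostnames in Received headers need their own rules if they are to be hidden as well.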
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: Thoughts regarding X-Originating-IP headers
And just like that...you saved me probably hours of trying to find out how to do this. Thanks a lot!!!