spam.whitelist.rules 127.0.0.1 always Allowlisted with local MTA?
Hi,
I just wonder if this rule in the spam.whitelist.rules
From: 127.0.0.1 yes
leads to bypass Spamtest on any mail when the MTA is on the same machine?
I ask because all incoming mails in "recent messages" are green and in the details it says
SPAM Allowlisted: Y
(though I've seen that this paragraph is titled SpamAssassin - maybe I have a misconfiguration there?)
in the message-header it says:
Received: from xyz (localhost [127.0.0.1]) as the MTA(postfix) is locally installed
Could someone please shed some light on this?
Thank You!
If the mail is sent from localhost 127.0.0.1 as the source IP, it would pass through all the spam checks. That can be the case if you use a local sendmail command, a web service as a mail agent, or proxy the mails between postfix instances running on the same host.
If the sending MTA is not local, e.g. if you receive a mail from a Google server, it would have a Google IP as source and that rule would not apply in a typical setup.
Ok, I forgot to say that this behaviour appeared after I updated MailScanner & MailWatch...
After some investigation I found some posts about this and it seems that it has to do with using fetchmail as MTA.
I found the entry
Read IP Address From Received Header
in the MailScanner.conf
I haven't used it before, so maybe there was a change in one of the recent updates?
I have put it to `Read IP Address From Received Header = 2` and it seems to help.... I have to continue to observe the behaviour to confirm that this was the reason.
> I haven't used it before, so maybe there was a change in one of the recent updates?
That option has existed for at least 9 years. But there might have been an update of MailScanner that changed things. There is a similar bug: https://github.com/MailScanner/v5/issues/701
Yes, I saw that, too - and also moved the part where $InReceived gets set a few lines up, as suggested, so that the value gets set, but it didn't seem to help... I will watch the further progress and report back the next week
Ok, it looks much better now - most of the incoming mail is 'white' in the MailWatch list - though there are still a couple of messages that are 'green' --> "allow listed"
To summarize everything again:
I use a local MTA (Fetchmail) - so the IP-Address in the mail-header is "127.0.0.1" and therefore doesn't get checked with the default setup settings.
I made three steps that seem to solve the situation:
- Set "Read IP Address From Received Header" = 2 in MailScanner.conf
  This uses the 2nd ip-address in the mail-header
- In .fetchmailrc add option `set invisible`
  "If the invisible option is on, the Received header is suppressed and fetchmail tries to spoof the MTA it forwards to into thinking it came directly from the mail server host." https://www.fetchmail.info/fetchmail-man.html
- Made a supposed fix in MailScanner's /usr/share/MailScanner/perl/MailScanner/Postfix.pm (https://github.com/MailScanner/v5/issues/701):
  move

  ```perl
  if ($recdata =~ /^Received:/i) {
      $InReceived = 1;
      $UnfoldBuffer = $recdata;
      next;
  }
  ```

  a few lines up, so that it is processed before the `if ($InReceived) {` part.
So this is working most of the time, but not always.
As far as I can see it depends on how many hops are in the mail-header. Most of the time the 3rd ip is from the sender - but sometimes it is the 2nd or there may be a private network.
So this is not perfect, but better than nothing :)
UPDATE:
the supposed fix for /usr/share/MailScanner/perl/MailScanner/Postfix.pm https://github.com/MailScanner/v5/issues/701
is wrong!
This led to the unexpected behaviour that some mail still gets "Allowlisted".
After reverting the file back to the original state, everything is working ok now!
SO:
- Set "Read IP Address From Received Header" = 2 in MailScanner.conf
  This uses the 2nd ip-address in the mail-header
- In .fetchmailrc add option `set invisible`
  "If the invisible option is on, the Received header is suppressed and fetchmail tries to spoof the MTA it forwards to into thinking it came directly from the mail server host." https://www.fetchmail.info/fetchmail-man.html
Greetings
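
The hop-count problem raised in this thread, as an added example that is not part of the thread and not MailScanner's code: it compares picking the IP from a fixed Received position with walking down the headers until the first address outside a trusted-relay list. The header layout, the trusted ranges (including the provider range 198.51.100.0/24), the helper names and both sample messages are constructed assumptions.

```python
import email
import ipaddress
import re

# Bracketed IPv4 literal as written in Received lines, e.g. "[127.0.0.1]"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed trust boundary: loopback, RFC 1918 and a constructed provider range.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "198.51.100.0/24")]

def received_ips(raw):
    """One bracketed IP per Received header, newest hop first (None if absent)."""
    msg = email.message_from_string(raw)
    return [m.group(1) if (m := IP_RE.search(h)) else None
            for h in msg.get_all("Received", [])]

def nth_received_ip(raw, n):
    """Fixed-position pick (1-based), the idea behind a setting such as '= 2'."""
    ips = received_ips(raw)
    return ips[n - 1] if 0 < n <= len(ips) else None

def first_untrusted_ip(raw, trusted=TRUSTED):
    """Skip hops inside the trusted ranges; return the first address outside them."""
    for ip in received_ips(raw):
        try:
            addr = ipaddress.ip_address(ip) if ip else None
        except ValueError:          # e.g. "[999.1.1.1]": not a usable address
            addr = None
        if addr is not None and not any(addr in net for net in trusted):
            return ip
    return None

def build(hops):
    """Constructed sample message with one Received line per (host, ip) hop."""
    lines = [f"Received: from {h} ({h} [{ip}]) by next.example" for h, ip in hops]
    return "\n".join(lines + ["Subject: constructed sample", "", "body"])

MSG_A = build([("localhost", "127.0.0.1"),
               ("pop.provider.example", "198.51.100.20"),
               ("sender.example", "203.0.113.7")])
MSG_B = build([("localhost", "127.0.0.1"),
               ("pop.provider.example", "198.51.100.20"),
               ("relay.provider.example", "10.0.0.5"),   # extra private hop
               ("sender.example", "203.0.113.7")])

if __name__ == "__main__":
    for name, msg in (("A", MSG_A), ("B", MSG_B)):
        print(name, "3rd:", nth_received_ip(msg, 3),
              "first untrusted:", first_untrusted_ip(msg))
```

Received lines below the first one written by a host you control can be set by the sender, so only the hops inside the trusted list are reliable evidence of the path.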