How to Configure Spamassassin Trusted_Networks

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi All

I am trying to find where to set spamassassin trusted_networks which are present in /etc/mail/spamassassin/local.cf but are not the same as the Trusted Hosts in Exim.

I have configured 2 Cpanel servers with one acting as a smart for the other. Exim Trusted Host is set, but spamassassin is still flagging ALL email from the remote on the smart host as SPAM.

I had expected that having the remote IP in the smarthost server Trusted Hosts would set for both Exim and SA, but apparently not.

What am I missing ?

Thanks
Tony
 
Last edited by a moderator:

devil2580

Member
Sep 6, 2021
14
4
3
kokata
cPanel Access Level
Root Administrator
HI

Hope you are well

Spam assassin is the trusted path, so you don't need to change the network settings.

For the spam assassin to work, you can follow the bellow steps.

==
cPanel >> Spam Filters >> Enable the Spam Filters >> Spam Threshold Score >> Adjust the Spam Threshold Score to your desired level
==

Feel free to contact us for more info.
 

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi

Thanks. I did not specifically, but the IP address was already in that setting ? I have been messing with this for a week and may have done so previously, but that suggests that it is not the issue.

I am still perplexed as to why there is a specific spamassassin line for trusted hosts that is different to the Exim trusted hosts list.

Hey there! Have you tried the "Only-verify-recipient" option in WHM >> Exim Configuration Manager? That might be enough to keep these from being flagged.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,029
313
cPanel Access Level
Root Administrator
That's odd - I would expect a trusted host, of any type, to just work.

It might be best to submit a ticket to our team so we can check the actual system(s) where this is happening and see if we can get you more details. If you can submit a ticket, please post the number here so I can follow along and keep things updated.
 

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi

Thanks for the response. I am not clear on what you mean by "Spam assassin is the trusted path" - the TRUSTED_HOSTS parameter is set with some IP's but not all the IP's that are in the Exim Trusted Hosts list.

With using the "Adjust the Spam Threshold Score to your desired level" I am not sure what "my desired level" needs to be as I have not yet identified what is actually triggering the SPAM vs HAM.

HI

Hope you are well

Spam assassin is the trusted path, so you don't need to change the network settings.

For the spam assassin to work, you can follow the bellow steps.

==
cPanel >> Spam Filters >> Enable the Spam Filters >> Spam Threshold Score >> Adjust the Spam Threshold Score to your desired level
==

Feel free to contact us for more info.
 

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi cPRex

I started to log a ticket with this information......

Spam Assassin local.cf shows

Code:
trusted_networks 116.90.0.0/20 208.74.120.0/21 208.77.151.115 64.38.239.82 # Autoconfigured by cPanel - Remove this end of line comment to avoid future updates
I am not clear on where these IP's / Ranges are configured from, or who / why they are trusted?

And as I typed this, I realised that these will be for SA updates - i.e. SA trusted hosts as distinct from MY trusted hosts, at least can this be confirmed? The 'avoid future updates' bit means updates to SA, I guess?

That's odd - I would expect a trusted host, of any type, to just work.

It might be best to submit a ticket to our team so we can check the actual system(s) where this is happening and see if we can get you more details. If you can submit a ticket, please post the number here so I can follow along and keep things updated.
Which addresses part of my confusion.

Tony
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,029
313
cPanel Access Level
Root Administrator
All cPanel systems have a similar trusted_networks entry that gets configured to make sure you can get replies from our helpdesk if you reach out to us. 208.74.x.x is one of our support networks, although the other IPs can vary. Your own server's IP range or netmask is likely in there, plus other entries related to your server's configuration.
 

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi cPRex

The SPAM flag triggered was the RDNS_NONE which was resolved with the TTL expiry at around 0243 this morning which was the last reported RDNS_NONE SPAM message.

Testing email now shows it is allowing mail through as expected.

Back to the first part of my question regarding Trusted Hosts.

I think the answers are in the ? Help for these two settings:

Code:
Only-verify-recipient [?]
Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here are stored in /etc/trustedmailhosts.
    Edit
Trusted SMTP IP addresses [?]
IP addresses exempt from all SMTP sender, recipient, spam, and relaying checks. IP addresses you enter here are stored in /etc/skipsmtpcheckhosts. These senders must still use an RFC-compliant HELO name if the Require RFC-compliant HELO setting is enabled.
That's odd - I would expect a trusted host, of any type, to just work.
Yes, a Trusted Host, of any type will work, UNLESS the HELO setting is enabled (it is!) and my PTR setting was inconsistent with the hostname for a period of time.

My question now, just for completeness, is why RDNS_NONE was tested ?

Given the 'trusted host IP status' was the RDNS_NONE test processed being a 'recipient test' or being triggered due to the 'exemption in Exim' failiing?

I am assuming the "Only-verify-recipient" option will still process through SA with a reduced set of tests, is RDNS_NONE one of them?

I think it just highlights the importance of having the PTR setting correct!

Thanks for the help.
 

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
All cPanel systems have a similar trusted_networks entry that gets configured to make sure you can get replies from our helpdesk if you reach out to us. 208.74.x.x is one of our support networks, although the other IPs can vary. Your own server's IP range or netmask is likely in there, plus other entries related to your server's configuration.
Thanks, that makes sense, and it is automated and not an admin / GUI setting.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,029
313
cPanel Access Level
Root Administrator
I'm glad the rDNS portion is resolved now!

The full documentation for the only_verify_recipient option is this text: "This setting allows you to edit the list of hosts or IP addresses that the system excludes from all spam checks at SMTP connection time, except recipient verification checks. The system adds any hosts or IP addresses you enter here to the /etc/trustedmailhosts file."

It would seem from your testing that the RNDS_NONE is one of the recipient checks that is performed by SpamAssassin, but I can't find anything that says that for certain. I'm going to reach out to our email team and see if they have additional details on this.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,029
313
cPanel Access Level
Root Administrator
SpamAssassin recommended the following configuration options, so you may want to try this out for your particular situation:

"I believe one useful answer for fixing this is for cPanel to NOT set trusted_networks at all, but rather to set internal_networks correctly and handle "trusting" their mail by other means, such as a whitelist_auth entry. The cited problem with RDNS_NONE would not have occurred at all if the inbound relay was in internal_networks. Perhaps the Exim "trusted hosts" should be added to internal_networks?"

It seems we're in a bit of uncharted territory here, but that's what I've got so far!