Thanks for that. You've clearly got experience of the content filter but it is an app that I don't use. Is it possible to create a blanket ban to Facebook then create an exception rule which has priority or would the exception rule end up bypassing the content filter completely?
Mike Stafford wrote: Someone also said this to me off-list about his attitude. I just wish the experience was more pleasant.
If it makes you feel any better, Reindl Harald has a reputation. There has been more than one request to suspend him from the Fedora dev mailing list.
I'd remembered you ran BIND when I posted so I did not think you were going to have this issue but it appears you do a bit as well.
According to Reindl Harald, spamassassin is perfect and it must be amavis. I'm going to struggle to get a test case as it looks like the amavis website likes you to put amavis into debug mode before you post for help. The last e-mail from peacocks-mail.com went through spamassassin so that is no good. I've just tried whitelisting ebay like you to see if I get the same results as you. If I do, that would be good as my wife is an avid user so we get lots of e-mails from them. If not, are you able to get a test case to post to the amavis mailing list?
For the moment I've slightly back-tracked with my unbound set up, reinstating dnsmasq for all normal DNS queries, but just pointing spamassassin to unbound on port 1053 (after which the daily peacocks-mail.com worked but that may be a coincidence).
Jonathan M Guevarra wrote: Changing your PLDT modem to bridge mode and your ClearOS connection to it to PPPoE should mean you can configure ClearOS with the static IP that you use currently on your PLDT device. That is if it supports Bridge Mode.
you mean for the best result much better to put static ip provided by ISP Provider rather than to use PPPoE? if i use PPPoE i need to change into bridge mode and configure ClearOS WAN as PPPoE and my Sky since this is dedicated fiber line with static IP is no issue
about the DNS i use Google DNS but in my 1st try i use DNS of Sky and if switch to PLDT PLDT provide own different DNS and sky cannot accept this DNS
Don't use Sky's DNS at all, or at least put it after Google DNS. If you have it first, you have to wait for each lookup to fail before the Google DNS servers are tried. This will hit your PLDT connection when it takes over. If the Sky servers fail in a particular way, Google DNS will not even be tried.
@devs and anyone interested,
I've just had not the best experience posting about an issue to the SpamAssassin mailing list, but a few points have come up.
1 - Some of the SpamAssassin checks get defeated because we use dnsmasq. This is because it does not resolve FQDNs directly but hands the queries off to a proper recursive resolver. This means that a load of the RBL queries then appear to come from your chosen DNS servers (OpenDNS for me) rather than directly from me. As the queries come from a high volume IP, they get blocked by the RBL once the daily limit of free queries has been exceeded. This gives rise to the URIBL_BLOCKED=0.001 entry in the X-Spam-Status. Have a look here for more info. From the mailing list they feel very strongly (a bit OTT) that anyone running their own mailserver should run their own recursive DNS resolver. After a bit of research (and downgrading unbound-libs) I installed unbound and got it up and running very quickly. I've done it in such a way as dnsmasq uses 127.0.0.1:1053 as its "external resolver" and unbound listens on the same address only. It took two lines to do this in dnsmasq.conf plus the configuration of unbound (I used the "Authoritative, validating, recursive caching DNS (example 2)" here removing all the forward-zone, local-zone and local-data sections). It should be pretty easy to bolt this into the webconfig.
Using unbound alongside dnsmasq keeps dnsmasq's handling of the hosts file intact so less webconfig change would be needed. dnsmasq could be disabled for DNS lookups completely (setting port to 0), but then handling of the hosts file by unbound (or whatever) would need to be built into the webconfig. It may also be an idea to remove the caching from dnsmasq at the same time. PowerDNS and BIND were other recursive resolvers mentioned.
2 - A variation of the suggestion above is to run unbound listening on 1053, don't bother integrating it with dnsmasq, add "dns_server [127.0.0.1]:1053" to the SA-configuration, but I can't find the parameter documented and it seems a waste to run unbound like this.
3 - The mailing list were strongly against using whitelist_from in spamassassin and prefer whitelist_auth instead as the from is easily forged. Having said that, clearos.com e-mails don't use DKIM or SPF so don't help the cause!
Comments would be appreciated or should I do a feature request?
Is your server in Standalone or Standalone with Firewall mode? If you have the firewall, please can you switch to without for the moment.
Have you given your users flexshare access? Unfortunately I don't use flexshares so it takes me a while to understand what is happening.
Well I received another e-mail from peacocks-mail.com address yesterday so I posted to the SpamAssassin mailing list here. So far the only results are that I've been flamed for not running my own DNS resolver causing some of the spam checks to fail. Virtually everyone who has replied has said that dnsmasq is no good for running your own mail server with spamassassin as many of the RBL lookups will appear from your chosen DNS servers (OpenDNS for me) which is pretty much guaranteed to have used more than its free quota of lookups at the various RBL providers so the checks will fail (URIBL_BLOCKED=0.001 in the header).
No constructive comments about the issue. Best being "Dunno" and "perhaps amavis". Clearly SpamAssassin is perfect.
Now I've set up unbound to keep them happy I hope for something more constructive. Also amavisd-new could be a lead.
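One way to check whether the URIBL_BLOCKED condition described in these posts persists after moving SpamAssassin to a local recursive resolver, as an added example that is not part of the original posts: it parses amavisd-new style X-Spam-Status headers and counts scanned, blocked and unscanned messages. The sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (amavisd-new style headers); not real mail.
SAMPLES = [
    # Scanned while RBL lookups went out via a shared public resolver.
    "From: a@example.com\nX-Spam-Status: No, score=-1.899 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham\n\nbody\n",
    # Scanned after lookups moved to a local recursive resolver.
    "From: b@example.com\nX-Spam-Status: No, score=-1.9 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_00=-1.9] autolearn=ham\n\nbody\n",
    # No X-Spam-Status at all: the message never went through SpamAssassin.
    "From: c@example.com\nSubject: hello\n\nbody\n",
]

RULE_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")

def spam_tests(raw):
    """Return {rule: score} from X-Spam-Status, or None if the header is absent."""
    header = message_from_string(raw).get("X-Spam-Status")
    if header is None:
        return None
    header = " ".join(header.split())          # unfold continuation lines
    match = re.search(r"tests=\[([^\]]*)\]", header)
    if not match:
        return {}
    return {name: float(score) for name, score in RULE_RE.findall(match.group(1))}

def blocked_report(raw_messages, marker="URIBL_BLOCKED"):
    """Count scanned messages, those whose URIBL lookups were refused, and unscanned ones."""
    report = {"scanned": 0, "blocked": 0, "unscanned": 0}
    for raw in raw_messages:
        tests = spam_tests(raw)
        if tests is None:
            report["unscanned"] += 1           # bypassed the content filter entirely
            continue
        report["scanned"] += 1
        if marker in tests:
            report["blocked"] += 1             # RBL refused the query: URI checks did not run
    return report

if __name__ == "__main__":
    print(blocked_report(SAMPLES))
```

A non-zero "blocked" count on mail received after the resolver change means the lookups are still leaving through a shared forwarder; a high "unscanned" count points at mail bypassing SpamAssassin rather than at DNS.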