[Mimedefang] whitelist_from_rcvd question

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Jun 10 02:59:06 EDT 2008


On Mon, Jun 09, 2008 at 04:20:50PM -0400, Jason Bertoch wrote:
> I just asked this question over on the SA list only to find out that the
> whitelist entry matches when feeding SA directly from the command line.  
> 
> 
> "whitelist_from_rcvd *@greencovesprings.com 75-145-201-209-Jacksonville.hfc.comcastbusiness.net"
> 
> is in my sa-mimedefang.cf yet a message with the following headers didn't
> match.  Any ideas?

Yes.

> Return-Path: <ggriffin at greencovesprings.com>
> Received: from [75.145.201.209]
> (75-145-201-209-Jacksonville.hfc.comcastbusiness.net [75.145.201.209] (may be forged))
                                                                        ^^^^^^^^^^^^^^^
Here's your problem. That host doesn't reverse properly.

mimedefang sees the message as it is originally delivered, without the
extra Received: header that your host, mail.electronet.net, adds to it.
Mimedefang synthesizes that header, but uses a slightly different format
than sendmail does. Among others, it doesn't add a "(may be forged)" in
case of a non-FCRDNS, but just adds the relay with the IP only.

My guess is that if you whitelist based on the IP address, it will
likely work.
  
> by mail.electronet.net (8.14.2/8.14.2) with ESMTP id m54DeD5V009962
>  for <user at domain.com>; Wed, 4 Jun 2008 09:40:19 -0400
> From: "Gregg Griffin" <ggriffin at greencovesprings.com>
> 
> 
> The rules that did match are below.  I'm running sendmail 8.14.2 with SA
> v3.2.4 and MD 2.63.
> 
> X-Spam-Score: 5.221 (*****)
> BOTNET,HELO_EQ_IP_ADDR,HTML_MESSAGE,RDNS_NONE,UNPARSEABLE_RELAY

In this case, the BOTNET rules are biting you. Or the comcast support
staff clue level (or lack of it).

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
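
The mismatch described in the reply above, as an added example that is not part of the original post and is not SpamAssassin or MIMEDefang code: a simplified Python model of a `whitelist_from_rcvd` check in which the relay's rDNS is kept only when it is forward-confirmed. The DNS tables are constructed, the function names are hypothetical, and the bracketed-IP entry form is assumed to be supported by the installed SpamAssassin version.

```python
from fnmatch import fnmatchcase

# Constructed DNS data for the relay on this page: a PTR record exists, but
# the name has no A record pointing back (assumed cause of "may be forged").
PTR = {"75.145.201.209": "75-145-201-209-Jacksonville.hfc.comcastbusiness.net"}
A = {}  # forward zone: nothing resolves the PTR name back to the IP

def fcrdns_name(ip, ptr=PTR, a=A):
    """Return the PTR name only if a forward lookup of it yields the same IP."""
    name = ptr.get(ip)
    if name and ip in a.get(name.lower(), ()):
        return name
    return ""  # unconfirmed: the relay is recorded by IP address only

def rcvd_matches(entry, sender, relay_rdns, relay_ip):
    """Simplified whitelist_from_rcvd test: address glob plus relay check."""
    _, addr_glob, relay = entry.split()
    if not fnmatchcase(sender.lower(), addr_glob.lower()):
        return False
    if relay.startswith("[") and relay.endswith("]"):
        return relay[1:-1] == relay_ip  # bracketed form: compare the IP
    rdns, relay = relay_rdns.lower(), relay.lower()
    return rdns == relay or rdns.endswith("." + relay)

def evaluate(entry, sender, ip, keep_unconfirmed_ptr):
    """Match an entry on a path that keeps or drops an unconfirmed PTR name."""
    rdns = PTR.get(ip, "") if keep_unconfirmed_ptr else fcrdns_name(ip)
    return rcvd_matches(entry, sender, rdns, ip)

SENDER = "ggriffin@greencovesprings.com"
IP = "75.145.201.209"
BY_NAME = ("whitelist_from_rcvd *@greencovesprings.com "
           "75-145-201-209-Jacksonville.hfc.comcastbusiness.net")
BY_IP = "whitelist_from_rcvd *@greencovesprings.com [75.145.201.209]"

if __name__ == "__main__":
    # Header that still carries the unconfirmed name: the hostname entry matches.
    print("name entry, PTR kept:   ", evaluate(BY_NAME, SENDER, IP, True))
    # Synthesized header with the IP only: the hostname entry cannot match.
    print("name entry, PTR dropped:", evaluate(BY_NAME, SENDER, IP, False))
    # An entry keyed on the IP does not depend on rDNS at all.
    print("IP entry, PTR dropped:  ", evaluate(BY_IP, SENDER, IP, False))
```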


