SpamAssassin: Debugging, SPF and DKIM

A little post-mortem of last night's admin / debug session.

More Logs

SpamAssassin has a humongous amount of debug output – which is disabled by default and to the best of my knowledge is not sent to syslog.

However, by starting spamd without daemonization, you can specify so called debug areas via the -D <comma,separated,areas> flag.

The other options used to start SpamAssassin need to be retrieved from your init script or /etc/defaults/spamassassin.

The command to be run in Terminal:

spamd <options from init script> -D debug,areas,...

Debug areas are documented in the SpamAssassin wiki.
Note: Debug areas are the prefix of of the strings passed to the dbg(<Perl string>) function in the SpamAssassin sources.

SPF Validation

SpamAssassin can perform SPF validation.
After stepping through the (terrible) source code, I learned that there are two modes:

  • Check SPF headers added by a preceding MTA.
  • Do the SPF validation on its own.

Both are used to increase the spam score.

If SpamAssassin is integrated as a milter and you want to validate SPF, it is mandatory that SpamAssassin knows about the SMTP converstation its MTA had. Otherwise, you get the following log errors:

$ spamd <...> -D spf
...
dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
dbg: spf: spf_whitelist_from: could not find useable envelope sender
dbg: spf: checking to see if the message has a Received-SPF header that we can use
dbg: spf: no suitable relay for spf use found, skipping SPF check
dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check

To fix this error in Postfix, add the Underscore _ to the macros in main.cf:

milter_connect_macros = j {daemon_name} v {if_name} _

In your /etc/spamassassin/local.pre, add

loadplugin Mail::SpamAssassin::Plugin::SPF

Now restart spamd et voilĂ , broken SPF now adds to the Spam score.

Note: In a setup with spamass-milter, you can use the Shortcircuit module to reject mail with high spam scores.

DKIM Validation

To validate DKIM signatures and make broken signatures add to the Spam score, you need to install the Perl module: Mail::DKIM::Verifier. Afterwards, restart spamd and DKIM signatures are validated.