1

Topic: Reporting of every single SPAM-Mail to postmaster address

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian 7.0
- Related log if you're reporting an issue:
====

After installation of iRedMail-Pro and switching our MX Record to this new Server we received our first spam mail. No, make that... it was discarded but our postmaster@ account received the following:

Subject: Spam FROM LOCAL [211.xx.xxx.x]:5642 <moms@xxxxxxxxx.tld>

Why LOCAL? It was definitely REMOTE SPAM.

Content type: Spam
Internal reference code for the message is 13229-01/K0zHn6thPirl

First upstream SMTP client IP address: [211.xx.xxx.x]
According to a 'Received:' trace, the message apparently originated at:
[211.xx.xxx.x], XSKLM-20140526Z[169.xxx.xx.xxx]

...

The message WAS NOT relayed to:
<info@our.domain.com>:
  250 2.7.0 Ok, discarded, id=13229-01 - spam

....

The original message has been attached to this report so that you can
look at it (in case it is a legitimate e-mail after all) or flag similar
unwanted messages in the future.
If you have questions about this process, please contact

   @@CONTACT_ADDRESS@@

How to replace this @@CONTACT_ADDRESS@@ with our support address?


So how do we prevent those reportings?

Thanks and regards,
Thomas


2

Re: Reporting of every single SPAM-Mail to postmaster address

Comment out 'spam_admin_maps' in Amavisd config file /etc/amavis/conf.d/50-user, then restart Amavisd service.

3 (edited by svoboda77 2014-10-18 19:57:19)

Re: Reporting of every single SPAM-Mail to postmaster address

I am afraid that commenting this line out disables spam notifications completely, doesn't it? LOCAL spam should be notified.

You have to list all your hosted domains in /etc/amavis/conf.d/50-user

@local_domains_maps = ( [".$mydomain","mail.mydomain.de"] );  # list of all local domains

so amavisd should distinguish between local and remote domains

Also you have to set different settings for EXTERNAL and LOCAL emails. In the same configuration file /etc/amavis/conf.d/50-user

set

# do not notify administrator about remotely originating malware
$virus_admin = undef;
$spam_admin = undef;

but under $policy_bank{'ORIGINATING'} and $policy_bank{'MYUSERS'}, keep

# notify administrator of locally originating malware
virus_admin_maps => ["root\@$mydomain"],
spam_admin_maps  => ["root\@$mydomain"],

I hope I am right, maybe ZhangHuangbin can correct me?

4

Re: Reporting of every single SPAM-Mail to postmaster address

You're right. The most important setting is '@local_domains_maps'.

iRedMail tries to make it easier to add X-Spam-* headers in detected spam, so we have '@local_domains_maps = 1;' in Amavisd, but it's not an ideal setting. We should dump all mail domains from SQL/LDAP backend and list them all in '@local_domains_maps'.

I will try to fix this in iRedMail-0.9.0 final release.

5 (edited by svoboda77 2014-10-22 20:16:12)

Re: Reporting of every single SPAM-Mail to postmaster address

Also, if you want to be notified about locally originated banned file types and bad headers, add

# DO NOT NOTIFY ADMINISTRATOR ABOUT SPAM/VIRUS FROM REMOTE SERVERS
$virus_admin = undef;
$spam_admin = undef;
$banned_admin = undef;
$bad_header_admin = undef;

and under ORIGINATING, MYNETS and MYUSERS add:

# notify administrator of locally originating malware
virus_admin_maps => ["root\@$mydomain"],
spam_admin_maps  => ["root\@$mydomain"],
bad_header_admin_maps => ["root\@$mydomain"],
banned_admin_maps => ["root\@$mydomain"],
warnbadhsender => 1,
warnbannedsender => 1,
warnvirussender => 1,
warnspamsender => 1,

6

Re: Reporting of every single SPAM-Mail to postmaster address

Updated default Amavisd setting with your sample settings. Thanks for sharing.

7 (edited by svoboda77 2014-10-23 23:04:25)

Re: Reporting of every single SPAM-Mail to postmaster address

A detail which I discovered today: the options warnspamsender and warnvirussender have been deprecated in amavisd-new for some versions now; using them is ignored and leads to warnings in the log file.

So if you want notifications only for administrator and not the sender, just remove all warn*sender options and keep all those *_admin_maps options in each desired policy bank.

To inform sender, you can use warnbadhsender and warnbannedsender for bad headers and banned filenames, but you have to set both final_virus_destiny and final_spam_destiny to D_BOUNCE in each desired policy bank.

http://www.ijs.si/software/amavisd/release-notes.txt

- retired often misused settings $warnvirussender and $warnspamsender
  (but kept marginally useful $warnbannedsender, $warnbadhsender, and their
  parent %warnsender_by_ccat). To bounce or reject viruses and spam use
  D_REJECT and D_BOUNCE settings for corresponding $final_*_destiny. It
  is no longer supported to both deliver (D_PASS) a virus or spam message
  while also sending a notification to sender. Both retired variables are
  still declared for compatibility with old config files, but their value
  is ignored. An attempt to set their value to a non-default value produces
  a warning.
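Putting posts 3, 5 and 7 together, this is what the resulting section of /etc/amavis/conf.d/50-user looks like. It is an added example, not the file iRedMail ships: example.com and example.net stand in for the domains you actually host, root@$mydomain for the admin mailbox, and the bank names are the ones used in this thread.

```perl
use strict;

# Added example for /etc/amavis/conf.d/50-user (Debian conf.d layout).
# Not iRedMail's own file. example.com / example.net are placeholders for
# the domains you host; on Debian $mydomain comes from 05-domain_id.
# Restart the amavis service after editing.

# 1. List every hosted domain. iRedMail 0.8.x ships '@local_domains_maps = 1;',
#    which makes *every* sender "local", so every spam report says FROM LOCAL.
#    A leading dot also matches subdomains of that domain.
@local_domains_maps = ( [ qw( .example.com .example.net ) ] );

# 2. Globally: no admin reports for mail that does not originate here.
$virus_admin      = undef;
$spam_admin       = undef;
$banned_admin     = undef;
$bad_header_admin = undef;

# 3. Turn the reports back on only in the banks Amavisd uses for local mail:
#    ORIGINATING, MYNETS (clients in @mynetworks) and MYUSERS (sender matches
#    @local_domains_maps, which is why a forged From: still lands here, see
#    post 11). No warn*sender keys: $warnvirussender and $warnspamsender are
#    retired and ignored with a warning. To notify senders, set
#    final_spam_destiny / final_virus_destiny => D_BOUNCE inside the bank.
my %admin_notify = (
  virus_admin_maps      => [ "root\@$mydomain" ],
  spam_admin_maps       => [ "root\@$mydomain" ],
  banned_admin_maps     => [ "root\@$mydomain" ],
  bad_header_admin_maps => [ "root\@$mydomain" ],
);

for my $bank (qw( ORIGINATING MYNETS MYUSERS )) {
  # merge into whatever the bank already contains from earlier config files
  $policy_bank{$bank} = { %{ $policy_bank{$bank} || {} }, %admin_notify };
}

1;  # amavisd config files must return true
```

The merge in the loop keeps any keys those banks already carry (for example originating => 1 in ORIGINATING) instead of overwriting the whole bank, so the fragment can be appended to an existing 50-user without losing iRedMail's other settings.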

8

Re: Reporting of every single SPAM-Mail to postmaster address

Thanks for your info. Fixed.

9 (edited by svoboda77 2014-10-24 21:59:49)

Re: Reporting of every single SPAM-Mail to postmaster address

Today I got "SPAM FROM LOCAL" notification for email that was sent from a remote server, but the address was forged to match my domain. Amavis then treated the mail as policy_bank MYUSERS, that is not right. Amavis only looks at the "From" address? Even when it is clear that the first upstream SMTP client is a remote machine?

Subject: Spam FROM LOCAL [190.12.33.102]:46391 <protected@forged-as-my-domain.cz>

Content type: Spam
Internal reference code for the message is 23331-03/pYkOjeP97POL

First upstream SMTP client IP address: [190.12.33.102] 
According to a 'Received:' trace, the message apparently originated at:
 [190.12.33.102], zffpkspa localhost [127.0.0.1]

Return-Path: <protected@forged-as-my-domain.cz>
From: "tsibulkintsibr@gmail.com" <protected@forged-as-my-domain.cz>
Message-ID: <B04AA81384507F6CB0B5FC4155284087@kahcvok>
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
Subject: =?windows-1251?Q?=CA=EB=E8=E5=ED=F2=F1=EA=E8=E5_=E1=E0=E7?=
 =?windows-1251?Q?=FB_=F2=E5=EB_+79133913837_ICQ=3A_628886?=
 =?windows-1251?Q?2_Skype=3A_prodawez389_Email=3A_tserovit?=
 =?windows-1251?Q?inovtserer=40gmail=2Ecom_=D3=E7=ED=E0=E9?=
 =?windows-1251?Q?=F2=E5_=EF=EE=E4=F0=EE=E1=ED=E5=E5?=
Not quarantined.

The message WAS NOT relayed to:
<protected@forged-as-my-domain.cz>:
  250 2.7.0 Ok, discarded, id=23331-03 - spam

10

Re: Reporting of every single SPAM-Mail to postmaster address

It might be caused by '@local_domains_maps = 1;' in Amavisd. You can try to list all your mail domain names in @local_domains_maps instead and try again. e.g.

@local_domains_maps = ['domain.com', 'domain2.com', ...];

11

Re: Reporting of every single SPAM-Mail to postmaster address

Unfortunately not. With @local_domains_maps = 1, all incoming messages are processed as MYUSERS. With a list of your domains in @local_domains_maps, all emails with an (often forged) From: address from your domains are processed as MYUSERS. To filter emails from remote servers with a forged From: address, it would require rejecting all unauthenticated emails (purportedly) sent from your domains, see https://www.mail-archive.com/amavis-use … 09534.html

12

Re: Reporting of every single SPAM-Mail to postmaster address

iRedMail configures Postfix to reject emails by non-authenticated local senders by default. Could you please show us the output of the command "postconf -n" here?

13 (edited by svoboda77 2014-10-31 01:50:24)

Re: Reporting of every single SPAM-Mail to postmaster address

I think that the relevant setting is

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

permit_mynetworks on first position

14

Re: Reporting of every single SPAM-Mail to postmaster address

Are you sure? "permit_mynetworks" just bypasses emails sent from servers listed in Postfix parameter "mynetworks =". Do you have this IP listed in "mynetworks"?

15 (edited by svoboda77 2014-10-31 17:34:45)

Re: Reporting of every single SPAM-Mail to postmaster address

Of course you're right. I was thinking about two different things at the same time. Receiving emails is controlled by

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

unfortunately I don't understand which option rejects unauthenticated (mynetworks or SASL) emails with a local (listed in @local_domains_maps) From: address. Would you mind explaining, please? Thanks.

16

Re: Reporting of every single SPAM-Mail to postmaster address

*) You see "reject_unauth_destination" in "smtpd_recipient_restrictions"?
*) Postfix has 'smtpd_sender_login_maps' to check whether sender email address is hosted on localhost, if yes, SASL authentication is required to send email.
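To make the interplay described in posts 13 to 16 concrete, here is a small model of how Postfix walks iRedMail's smtpd_sender_restrictions (permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated) for the forged-local-sender case from post 9. This is an added example, not Postfix or iRedMail code: it re-implements the documented semantics of those restrictions, and the mynetworks ranges, domain names, addresses and sender-login map in it are constructed. It also shows the gap a practitioner should know about: reject_sender_login_mismatch only acts when smtpd_sender_login_maps has an owner for the MAIL FROM address, so a forged address that is not a known mailbox slips through unless something like reject_unlisted_sender is added.

```python
"""Model of Postfix sender restrictions in iRedMail's order, applied to a
forged envelope sender from a remote client. Added example, not Postfix code;
all data below is constructed."""
import ipaddress

# Constructed stand-ins for $mynetworks and the hosted (virtual) domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
HOSTED_DOMAINS = {"mydomain.cz"}

# Constructed stand-in for smtpd_sender_login_maps: MAIL FROM address -> set of
# SASL login names that own it. In iRedMail this is backed by SQL/LDAP.
SENDER_LOGIN_MAPS = {
    "protected@mydomain.cz": {"protected@mydomain.cz"},
    "info@mydomain.cz": {"protected@mydomain.cz", "thomas@mydomain.cz"},
}


def in_mynetworks(client_ip):
    """permit_mynetworks: is the SMTP client inside one of $mynetworks?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)


def reject_sender_login_mismatch(sender, sasl_username):
    """Return a reject reason or None, following the Postfix documentation:
    - the address has an owner in the map and the client is not logged in: reject
    - the client is logged in but is not an owner of the address: reject
    - otherwise this restriction has nothing to say (DUNNO)."""
    owners = SENDER_LOGIN_MAPS.get(sender.lower())
    if sasl_username is None:
        return "Sender address rejected: not logged in" if owners else None
    if not owners or sasl_username.lower() not in owners:
        return "Sender address rejected: not owned by user"
    return None


def reject_unlisted_sender(sender):
    """reject_unlisted_sender: MAIL FROM in a hosted domain must be a known
    address. Here 'known' means present in the sender-login map."""
    _, _, domain = sender.lower().rpartition("@")
    if domain in HOSTED_DOMAINS and sender.lower() not in SENDER_LOGIN_MAPS:
        return "Sender address rejected: User unknown in virtual mailbox table"
    return None


def evaluate(sender, client_ip, sasl_username=None, unlisted_check=False):
    """Walk the list in iRedMail's order; optionally append reject_unlisted_sender.
    Returns 'PERMIT', 'DUNNO' (later restriction lists decide) or a reject reason."""
    if in_mynetworks(client_ip):
        return "PERMIT"                      # permit_mynetworks
    reason = reject_sender_login_mismatch(sender, sasl_username)
    if reason:
        return reason
    if sasl_username is not None:
        return "PERMIT"                      # permit_sasl_authenticated
    if unlisted_check:
        reason = reject_unlisted_sender(sender)
        if reason:
            return reason
    return "DUNNO"


if __name__ == "__main__":
    # Remote client (post 9's 190.12.33.102) forging a sender in a hosted domain.
    # A real mailbox is caught by the login mismatch check; an address the map
    # does not know is not, and Amavisd later sees a "local" sender.
    print(evaluate("protected@mydomain.cz", "190.12.33.102"))
    print(evaluate("nobody@mydomain.cz", "190.12.33.102"))
    print(evaluate("nobody@mydomain.cz", "190.12.33.102", unlisted_check=True))
```

The same walk explains post 14: a client inside $mynetworks is permitted before the mismatch check ever runs, so permit_mynetworks only "bypasses" the check for those addresses, not for a remote spammer.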

17

Re: Reporting of every single SPAM-Mail to postmaster address

I get it. Thank you!