1

Topic: SPAM Check for mails relayed to other servers

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes
- Related log if you're reporting an issue:
====

Hi,

I set amavis to reject spam mails above a score of 15. That works perfectly with mail accounts on the iredmail server itself. But I have a problem with domains that get their mails relayed to another server. If they receive mails with a score higher than 15 these mails don't get rejected by the iredmail server.

Does anyone know how to prevent this behaviour?


2

Re: SPAM Check for mails relayed to other servers

Do you have "$final_spam_destiny = D_DISCARD;" in amavisd config file? Reference:
http://www.iredmail.org/docs/quarantining.html

Also, follow the tutorial to configure Amavisd to quarantine detected spam/virus into SQL db, then manage them with iRedAdmin-Pro.

3

Re: SPAM Check for mails relayed to other servers

ZhangHuangbin wrote:

Do you have "$final_spam_destiny = D_DISCARD;" in amavisd config file? Reference:
http://www.iredmail.org/docs/quarantining.html

Also, follow the tutorial to configure Amavisd to quarantine detected spam/virus into SQL db, then manage them with iRedAdmin-Pro.

It is set to $final_spam_destiny = D_REJECT;

Spam and Virus are both set to reject as we are not allowed to quarantine any mails. I was just wondering why local accounts get no messages with a score above 15 and relayed domains get everything.

4

Re: SPAM Check for mails relayed to other servers

toxic wrote:

But I have a problem with domains that get their mails relayed to another server. If they receive mails with a score higher than 15 these mails don't get rejected by the iredmail server.

Could you please show us FULL log related to this testing email in Postfix log file? (try to send a spam email to trigger it)

5

Re: SPAM Check for mails relayed to other servers

ZhangHuangbin wrote:
toxic wrote:

But I have a problem with domains that get their mails relayed to another server. If they receive mails with a score higher than 15 these mails don't get rejected by the iredmail server.

Could you please show us FULL log related to this testing email in Postfix log file? (try to send a spam email to trigger it)

The Postfix Log looks like this:

Mar 14 11:49:08 mta postfix/qmgr[32832]: 6749E601AF: from=<test@gmx.de>, size=1794, nrcpt=1 (queue active)
Mar 14 11:49:08 mta postfix/qmgr[32832]: DF231601FE: from=<test@gmx.de>, size=2673, nrcpt=1 (queue active)
Mar 14 11:49:08 mta amavis[24551]: (24551-19) Passed SPAM {RelayedTaggedInbound}, [212.227.15.19]:56187 [213.144.8.89] <test@gmx.de> -> h*@n*.de>, Queue-ID: 6749E601AF, Message-ID: <trinity-811a459c-0ba1-4923-a3f8-469d754cfc5a-1489488545680@3capp-gmx-bs76>, mail_id: vrgBk6GiXqTl, Hits: 997.625, size: 1794, queued_as: DF231601FE, 450 ms, Tests: [BAYES_00=-1.9,FREEMAIL_FROM=0.001,GTUBE=1000,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.723,RCVD_IN_DNSWL_LOW=-0.7,RCVD_IN_MSPIKE_H2=-0.5,SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001]


It tags the SPAM mail but does not block it. The mail header looks like this:

Received: from exchange.* (10.0.0.2) by exchange.*
(10.0.0.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Mailbox
Transport; Tue, 14 Mar 2017 11:49:09 +0100
Received: from exchange.* (10.0.0.2) by exchange.*
(10.0.0.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 14 Mar
2017 11:49:09 +0100
Received: from mta.n*.de (10.14.0.251) by exchange.*
(10.0.0.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend
Transport; Tue, 14 Mar 2017 11:49:09 +0100
Received: from mta.n*.de (localhost [127.0.0.1])
    by mta.n*.de (Postfix) with ESMTP id DF231601FE
    for <h@n*.de>; Tue, 14 Mar 2017 11:49:08 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mta.n*.de
X-Spam-Flag: YES
X-Spam-Score: 997.625
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=997.625 required=5 tests=[BAYES_00=-1.9,
    FREEMAIL_FROM=0.001, GTUBE=1000, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.5,
    SPF_PASS=-0.001, TVD_SPACE_RATIO=0.001]
    autolearn=no autolearn_force=no
Received: from mta.n*.de ([127.0.0.1])
    by mta.n*.de (mta.n*.de [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id vrgBk6GiXqTl for <h*@n*.de>;
    Tue, 14 Mar 2017 11:49:08 +0100 (CET)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19])
    by mta.n*.de (Postfix) with ESMTPS id 6749E601AF
    for <h*@n*.de>; Tue, 14 Mar 2017 11:49:08 +0100 (CET)
Received: from [213.144.8.89] by 3capp-gmx-bs76.server.lan (via HTTP); Tue,
14 Mar 2017 11:49:05 +0100
Message-ID: <trinity-811a459c-0ba1-4923-a3f8-469d754cfc5a-1489488545680@3capp-gmx-bs76>
From: Test <test@gmx.de>
To: <h*@n*.de>
Subject: ***SPAM*** test
Content-Type: text/html; charset="UTF-8"
Date: Tue, 14 Mar 2017 11:49:05 +0100

If I send it to a local account on the mta server, I receive an instant non-deliverable notification from the mta itself and the log entry for that message looks like this. If that could also work for the relayed mails I would be happy.

Mar 14 11:57:52 mta postfix/qmgr[32832]: 3315460223: from=<test@gmx.de>, size=1770, nrcpt=1 (queue active)
Mar 14 11:57:52 mta amavis[25444]: (25444-17) Blocked SPAM {RejectedInbound}, [212.227.17.20]:57284 [213.144.8.89] <test@gmx.de> -> , Queue-ID: 3315460223, Message-ID: <trinity-1a7d22e1-f2d4-4e40-95ee-a96358f4545e-1489489070832@3capp-gmx-bs76>, mail_id: QydplNzkTFjl, Hits: 997.625, size: 1770, 427 ms, Tests: [BAYES_00=-1.9,FREEMAIL_FROM=0.001,GTUBE=1000,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.723,RCVD_IN_DNSWL_LOW=-0.7,RCVD_IN_MSPIKE_H2=-0.5,SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001]
Mar 14 11:57:52 mta postfix/smtp[26978]: B558B606F2: to=<test@gmx.de>, relay=mx01.emig.gmx.net[212.227.17.5]:25, delay=0.24, delays=0.01/0/0.12/0.11, dsn=2.0.0, status=sent (250 Requested mail action okay, completed: id=0Mc95H-1cU9Ml3fqZ-00Jc8x)

6

Re: SPAM Check for mails relayed to other servers

I think it depends on the relay status sent by Postfix to Amavisd, and Amavisd correctly detects the status because it has different spam status for the email:

RelayedTaggedInbound
RejectedInbound

I suggest posting to the Amavisd mailing list to get a deep and detailed answer from its developers.

7

Re: SPAM Check for mails relayed to other servers

I found the problem. It was in the amavisd policy table. The value spam_lover was set to "y" instead of NULL. Must have come from migrating from an old server. New domains are created without spam_lover set to yes.
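
Added example (not part of the original posts): a small Python check that scans amavisd-new result lines for mail that was passed even though its score is at or above the reject threshold of 15 mentioned in the first post, grouped by recipient domain. The sample log lines, the addresses and the names `parse_result` and `passed_above_kill_level` are constructed for illustration.

```python
import re
from collections import defaultdict

# Result lines in the shape amavisd-new logs them in this thread:
#   "... amavis[pid]: (id) Passed SPAM {Category}, ... <from> -> <to>, Queue-ID: ..., Hits: n, ..."
RESULT_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>\S+)"
    r".*?\{(?P<category>\w+)\}"
    r".*? -> (?P<rcpts>.*?), (?:Queue-ID|Message-ID|mail_id):"
    r".*?\bHits: (?P<hits>-?\d+(?:\.\d+)?)"
)
KILL_LEVEL = 15.0  # reject threshold stated in the first post

# Constructed sample lines (hosts, addresses and IDs are placeholders).
SAMPLE_LOG = [
    "Mar 14 11:49:08 mta amavis[101]: (101-01) Passed SPAM {RelayedTaggedInbound}, [192.0.2.10]:56187 <s@example.org> -> <user@relayed.example>, Queue-ID: A1, mail_id: m1, Hits: 997.625, size: 1794, queued_as: A2, 450 ms",
    "Mar 14 11:57:52 mta amavis[102]: (102-01) Blocked SPAM {RejectedInbound}, [192.0.2.10]:57284 <s@example.org> -> <user@local.example>, Queue-ID: B1, mail_id: m2, Hits: 997.625, size: 1770, 427 ms",
    "Mar 14 12:01:10 mta amavis[103]: (103-01) Passed CLEAN {RelayedInbound}, [192.0.2.11]:40000 <s@example.org> -> <user@relayed.example>, Queue-ID: C1, mail_id: m3, Hits: -1.2, size: 900, 300 ms",
    "Mar 14 12:02:30 mta amavis[104]: (104-01) Passed SPAMMY {RelayedTaggedInbound}, [192.0.2.12]:40001 <s@example.org> -> <other@relayed.example>,<user@local.example>, Queue-ID: D1, mail_id: m4, Hits: 7.3, size: 950, 310 ms",
    "Mar 14 12:02:31 mta postfix/qmgr[32832]: D1: from=<s@example.org>, size=950, nrcpt=2 (queue active)",
]

def parse_result(line):
    """Return a dict for an amavis result line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    # Recipients are comma-separated; tolerate missing or redacted angle brackets.
    rcpts = [r.strip("<> ") for r in m["rcpts"].split(",") if r.strip("<> ")]
    return {"action": m["action"], "verdict": m["verdict"],
            "category": m["category"], "recipients": rcpts, "hits": float(m["hits"])}

def passed_above_kill_level(lines, kill_level=KILL_LEVEL):
    """Map recipient domain -> [(recipient, hits)] for mail passed at/above kill_level."""
    by_domain = defaultdict(list)
    for line in lines:
        rec = parse_result(line)
        if rec is None or rec["action"] != "Passed" or rec["hits"] < kill_level:
            continue
        for rcpt in rec["recipients"]:
            by_domain[rcpt.rpartition("@")[2].lower()].append((rcpt, rec["hits"]))
    return dict(by_domain)

if __name__ == "__main__":
    for domain, entries in sorted(passed_above_kill_level(SAMPLE_LOG).items()):
        print(domain, entries)
```

Domains reported by this check are the ones whose rows in the amavisd policy table are worth inspecting for `spam_lover`, as described in the post above.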

8

Re: SPAM Check for mails relayed to other servers

Thanks for sharing, @toxic.