[prev in list] [next in list] [prev in thread] [next in thread]
List: postfix-users
Subject: Re: Authenticated outgoing email is marked as spam by PBL on mailserver
From: "PenguinWhispererThe ." <th3penguinwhisperer () gmail ! com>
Date: 2017-06-19 5:07:04
Message-ID: CACtG2e1BOFpp5+WF_oJ2M50tD2a14P9f6GEdwQ5tk4cH6E224w () mail ! gmail ! com
[Download RAW message or body]
Hi Dominic,
Thanks for taking your time to read my message and respond.
I've now changed my configuration so postfix rejects the clients based on
reject_rbl_client with zen.spamhaus.com. I've put this after the
permit_sasl_authenticated so users who login won't be affected.
For Mailscanner / Spamassassin I've disabled the use of zen.spamhaus.org
and pbl.spamhaus.org. Now only sbl and xbl are being used for
authenticated. This way I hope that if credentials get hacked at some point
in time perhaps this might still block some spam sent through my mailserver.
There's one downside to such a setup in my opinion. While before I could
see all mails in mailwatch that are received and blocked, I don't have such
an overview now as they'll be blcoked at the connection level already.
Thanks for the help!
2017-06-16 12:07 GMT+02:00 Dominic Raferd <dominic@timedicer.co.uk>:
>
>
> On 16 June 2017 at 10:29, PenguinWhispererThe . <
> th3penguinwhisperer@gmail.com> wrote:
>
>> Hi all,
>>
>> I'm having a problem with valid mails being marked as spam on the MX mail
>> server for a domain. See my description below. If you'd need more details
>> let me know and I'll be happy to provide. I'm posting this here while this
>> might not be a postfix issue itself it is related with how postfix is
>> configured an how it might need a configuration change.
>>
>> Users are sending email, authenticated, through the submission port on my
>> mailserver (their domain MX record points to mailserver; postfix).
>>
>> What's been setup
>>
>> - A record
>> - MX record (pointing to same mailserver for all domains)
>> - PTR record resolving to mailserver name
>> - DKIM: pass
>> - SPF: pass
>> - DMARC: pass
>> - MailScanner with clamd and spamassassin
>> - SASL authentication (mail headers mention user is authenticated)
>> - No open relay
>> - TLS
>> - ...
>>
>> I see that mails are authenticated in the headers.
>>
>> However I see that spamassassin marks it as spam (it mentions that the IP
>> of the client is on the RBL). When I query spamhaus I see that the client
>> IP (which is dynamic due to mobile ISP). Zenhaus says it's on the PBL, so
>> basically it is marked as spam as a policy based on the client IP.as
>>
>> Apart from that there's nothing wrong with those emails. The other ISPs
>> don't have this problem and the emails are then delivered properly.
>>
>> Now on to my questions... :)
>>
>> - is mail send through submission port supposed to go through
>> Mailscanner (spamassassin + clamd)? I would suppose yes as it would already
>> prevent people from sending spam in the first place (instead of preventing
>> spam email to be delivered). On the other hand a receiving mailserver can't
>> trust what's in the headers so it'll probably check it anyway.
>> - Is there a way to not mark as spam if only mentioned on the PBL?
>> - Will releasing the message make it deliverable? Or will it just
>> move the problem? (so the receiving mailserver might check and mark as spam
>> due to the PBL) If it moves the problem it doesn't seem a valid solution to
>> try to bypass the PBL for authenticated users.
>> - Will a receiving mailserver only check the last header (so the
>> header added by my mail server)? In this case disabling spam check might
>> actually resolve the issue and not move it on to the next machine).
>> - another thing that comes to mind is removing/modifying the first
>> header so the IP is no longer mentioned. However this seems like a bad
>> practice.
>> - What's the proper/appropriate way to handle this?
>>
>> For clarity: the mails are received on the smtp server that the users
>> have configured on their laptop/mobile and put in the postfix queue. So no
>> direct rejection to the clients. Only after mailscanner jumps in and checks
>> the email before sending (in this case marking it as spam and not sending
>> it).
>>
>
> The reason that other mailservers don't have any problem with emails from
> your dynamic ips is that the emails are 'cleansed' of their dynamic IP by
> being forwarded through your static-ip server. So no problem releasing them
> for onward delivery - the only IP that an onward server is likely to
> consider is the client's (i.e. of your server), not what any headers might
> say in the message about previous hops.
>
> I'm not sure what the 'proper' way to handle this, but here are a few
> possibilities:
>
> A way to prevent spamassassin from inspecting mail from authenticated
> senders is suggested at https://serverfault.com/
> questions/33518/postfix-skip-spam-checks-for-authorized-smtp.
>
> I use spamassassin+clamd via amavis; it does check mail from authenticated
> senders but I have turned off all RBL checks in spamassassin and instead
> have postfix perform these - but only for non-authenticated senders. Like
> this (suggestions for improvement welcome):
>
> smtpd_sender_restrictions =
> permit_sasl_authenticated
> permit_mynetworks # only the local machine
> # check_sender_access: REJECT emails (by envelope address) from a few
> known spam senders, OK a very few 'false positives'
> check_sender_access hash:/etc/postfix/check_sender_access
> # check_client_access: OK a very few ips prone to 'false positives'
> check_client_access hash:/etc/postfix/check_client_access
> reject_unauth_pipelining
> # accept whitelisted per hostkarma, dnswl.org, uribl.com
> permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
> permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
> permit_dnswl_client white.uribl.com
> # check against spamhaus etc
> reject_rbl_client zen.spamhaus.org
> [... and others similar]
> reject_rhsbl_helo dbl.spamhaus.org
> [... and others similar]
> reject_rhsbl_sender dbl.spamhaus.org
> [... and others similar]
> reject_rhsbl_reverse_client dbl.spamhaus.org
> [... and others similar]
>
> I think it is regarded as better practice to use postscreen instead, but
> my setup is working well for now.
>
[Attachment #3 (text/html)]
<div dir="ltr"><div><div><div>Hi Dominic,<br><br></div>Thanks for taking your time to \
read my message and respond.<br><br></div>I've now changed my configuration so \
postfix rejects the clients based on reject_rbl_client with <a \
href="http://zen.spamhaus.com">zen.spamhaus.com</a>. I've put this after the \
permit_sasl_authenticated so users who login won't be affected.<br><br></div>For \
Mailscanner / Spamassassin I've disabled the use of <a \
href="http://zen.spamhaus.org">zen.spamhaus.org</a> and <a \
href="http://pbl.spamhaus.org">pbl.spamhaus.org</a>. Now only sbl and xbl are being \
used for authenticated. This way I hope that if credentials get hacked at some point \
in time perhaps this might still block some spam sent through my \
mailserver.<br><div><div><div><div><br></div><div>There's one downside to such a \
setup in my opinion. While before I could see all mails in mailwatch that are \
received and blocked, I don't have such an overview now as they'll be blcoked \
at the connection level already.<br><br></div><div>Thanks for the \
help!<br></div><div><br></div></div></div></div></div><div \
class="gmail_extra"><br><div class="gmail_quote">2017-06-16 12:07 GMT+02:00 Dominic \
Raferd <span dir="ltr"><<a href="mailto:dominic@timedicer.co.uk" \
target="_blank">dominic@timedicer.co.uk</a>></span>:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" \
style="font-size:small"><br></div><div class="gmail_extra"><br><div \
class="gmail_quote"><div><div class="h5">On 16 June 2017 at 10:29, \
PenguinWhispererThe . <span dir="ltr"><<a \
href="mailto:th3penguinwhisperer@gmail.com" \
target="_blank">th3penguinwhisperer@gmail.com</a><wbr>></span> \
wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div \
class="m_1270633515000613044gmail-m_-543276196236630129post-text">
<p>Hi all,</p><p>I'm having a problem with valid mails being marked as spam on \
the MX mail server for a domain. See my description below. If you'd need more \
details let me know and I'll be happy to provide. I'm posting this here while \
this might not be a postfix issue itself it is related with how postfix is configured \
an how it might need a configuration change.<br></p><p></p><p>Users are sending \
email, authenticated, through the submission port on my mailserver (their domain MX \
record points to mailserver; postfix).</p>
<p>What's been setup</p>
<ul><li>A record</li><li>MX record (pointing to same mailserver for all \
domains)</li><li>PTR record resolving to mailserver name</li><li>DKIM: \
pass</li><li>SPF: pass</li><li>DMARC: pass</li><li>MailScanner with clamd and \
spamassassin</li><li>SASL authentication (mail headers mention user is \
authenticated)</li><li>No open relay</li><li>TLS<br></li><li>...</li></ul>
<p>I see that mails are authenticated in the headers.</p>
<p>However I see that spamassassin marks it as spam (it mentions that
the IP of the client is on the RBL). When I query spamhaus I see that
the client IP (which is dynamic due to mobile ISP).
Zenhaus says it's on the PBL, so basically it is marked as spam as a
policy based on the client IP.as</p>
<p>Apart from that there's nothing wrong with those emails. The other
ISPs don't have this problem and the emails are then delivered properly.</p>
<p>Now on to my questions... :)</p>
<ul><li>is mail send through submission port supposed to go through
Mailscanner (spamassassin + clamd)? I would suppose yes as it would
already prevent people from sending spam in the first place (instead of
preventing spam email to be delivered). On the other hand a receiving
mailserver can't trust what's in the headers so it'll probably check it
anyway.</li><li>Is there a way to not mark as spam if only mentioned on the \
PBL?</li><li>Will releasing the message make it deliverable? Or will it just move \
the problem? (so the receiving mailserver might check and mark as spam due to the \
PBL) If it moves the problem it doesn't seem a valid solution to try to bypass \
the PBL for authenticated users.</li><li>Will a receiving mailserver only check the \
last header (so the header added by my mail server)? In this case disabling spam \
check might actually resolve the issue and not move it on to the next \
machine).</li><li>another thing that comes to mind is removing/modifying the first \
header so the IP is no longer mentioned. However this seems like a bad \
practice.</li><li>What's the proper/appropriate way to handle this?</li></ul>
<p>For clarity: the mails are received on the smtp server that the users
have configured on their laptop/mobile and put in the postfix queue. So
no direct rejection to the clients. Only after mailscanner jumps in and
checks the email before sending (in this case marking it as spam and
not sending it).</p></div></div></blockquote><div><br></div></div></div><div \
class="gmail_default" style="font-size:small">The reason that other mailservers \
don't have any problem with emails from your dynamic ips is that the emails are \
'cleansed' of their dynamic IP by being forwarded through your static-ip \
server. So no problem releasing them for onward delivery - the only IP that an onward \
server is likely to consider is the client's (i.e. of your server), not what any \
headers might say in the message about previous hops.<br></div><div \
class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" \
style="font-size:small">I'm not sure what the 'proper' way to handle \
this, but here are a few possibilities:</div><div class="gmail_default" \
style="font-size:small"><br></div><div class="gmail_default" \
style="font-size:small">A way to prevent spamassassin from inspecting mail from \
authenticated senders is suggested at <a \
href="https://serverfault.com/questions/33518/postfix-skip-spam-checks-for-authorized-smtp" \
target="_blank">https://serverfault.com/<wbr>questions/33518/postfix-skip-<wbr>spam-checks-for-authorized-<wbr>smtp</a>.</div><div \
class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" \
style="font-size:small">I use spamassassin+clamd via amavis; it does check mail from \
authenticated senders but I have turned off all RBL checks in spamassassin and \
instead have postfix perform these - but only for non-authenticated senders. Like \
this (suggestions for improvement welcome):</div><div class="gmail_default" \
style="font-size:small"><br></div><div \
class="gmail_default">smtpd_sender_restrictions =</div><div class="gmail_default"> \
permit_sasl_authenticated</div><div class="gmail_default"> permit_mynetworks # \
only the local machine</div><div class="gmail_default"> # check_sender_access: \
REJECT emails (by envelope address) from a few known spam senders, OK a very few \
'false positives'</div><div class="gmail_default"> check_sender_access \
hash:/etc/postfix/check_<wbr>sender_access</div><div class="gmail_default"> # \
check_client_access: OK a very few ips prone to 'false positives'</div><div \
class="gmail_default"> check_client_access \
hash:/etc/postfix/check_<wbr>client_access</div><div class="gmail_default"> \
reject_unauth_pipelining</div><div class="gmail_default"> # accept whitelisted \
per hostkarma, <a href="http://dnswl.org" target="_blank">dnswl.org</a>, <a \
href="http://uribl.com" target="_blank">uribl.com</a></div><div \
class="gmail_default"> permit_dnswl_client <a \
href="http://hostkarma.junkemailfilter.com" \
target="_blank">hostkarma.junkemailfilter.com</a>=<wbr>127.0.0.1</div><div \
class="gmail_default"> permit_dnswl_client <a href="http://list.dnswl.org" \
target="_blank">list.dnswl.org</a>=127.0.[0..255].<wbr>[1..3]</div><div \
class="gmail_default"> permit_dnswl_client <a href="http://white.uribl.com" \
target="_blank">white.uribl.com</a></div><div class="gmail_default"> # check \
against spamhaus etc</div><div class="gmail_default"> reject_rbl_client <a \
href="http://zen.spamhaus.org" target="_blank">zen.spamhaus.org</a></div><div \
class="gmail_default"><span class="m_1270633515000613044gmail-Apple-tab-span" \
style="white-space:pre-wrap"> </span>[... and others similar]</div><div \
class="gmail_default"> reject_rhsbl_helo <a href="http://dbl.spamhaus.org" \
target="_blank">dbl.spamhaus.org</a></div><div class="gmail_default"><span \
class="m_1270633515000613044gmail-Apple-tab-span" \
style="white-space:pre-wrap"> </span>[... and others similar]</div><div \
class="gmail_default"> reject_rhsbl_sender <a href="http://dbl.spamhaus.org" \
target="_blank">dbl.spamhaus.org</a></div><div class="gmail_default"><span \
class="m_1270633515000613044gmail-Apple-tab-span" \
style="white-space:pre-wrap"> </span>[... and others similar]</div><div \
class="gmail_default"> reject_rhsbl_reverse_client <a \
href="http://dbl.spamhaus.org" target="_blank">dbl.spamhaus.org</a></div><div \
class="gmail_default"><span class="m_1270633515000613044gmail-Apple-tab-span" \
style="white-space:pre-wrap"> </span>[... and others similar]</div><div \
class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" \
style="font-size:small">I think it is regarded as better practice to use postscreen \
instead, but my setup is working well for now.</div></div></div></div> \
</blockquote></div><br></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic