1 Topic by matteo.frakka

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Topic: Check for spam before forwarding.

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.4 64bit
- Related log if you're reporting an issue:
====

Hi.
We host on our iRedMail server some domain which forward emails (though aliases) to another mail server (Exchange) in our lan. The IP address of iRedMail server is whitelisted for spam on the second server.

The problem is:
Mail alias user1@domain.com on iRedMail server is configured to forward all emails to anotheruser@otherdomain.com on another server which don't check for spam SMTP traffic incoming from iRedMail server.
A spam email (like GTUBE) sent to user1@domain.com is immediately forwarded to anotheruser@otherdomain.com without be analyzed so a lot of spam is delivered to anotheruser@otherdomain.com

How can I tune iRedMail to scan for spam all inbound messages before forwarding (or delivering) it?


I've tried to add "#receive_override_options = no_address_mappings" to main.cf and I got an NDR because the destination address is an alias no more translated and doesn't have a mailbox on iRedMail server for delivery.
So I've modified as follow "#  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks" the line "127.0.0.1:10025 inet n  -   -   -   -  smtpd" in master.cf and now I get two emails: The first one forwarded to anotheruser@otherdomain.com with the "spam" mark in the subject and a copy also stored in iRedAdmin control panel (iredadmin/activities/quarantined) which cannot be released or, better, when it is released it is not delivered with this error in maillog:
Aug 19 18:58:20 postfix amavis[31826]: (rel-Qi8n9OV1WsIi) Quarantine release Qi8n9OV1WsIi: missing X-Envelope-From or Return-Path

Some idea?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Check for spam before forwarding.

Did you configure Amavisd to store quarantined SPAM/VIRUS in SQL database? Reference:
http://iredmail.org/wiki/index.php?titl … ining.SPAM

3 Reply by matteo.frakka

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Re: Check for spam before forwarding.

Yes, I done.

I've also restored old config files from backup to be sure of rolling back any changes I've made but I still have the spam mails delivered to users (local and forwarded) and a copy of that mail stored in amavis db that cannot be released:

Aug 20 13:34:25 postfix amavis[13499]: (rel-2c1F3UKXajBC) Quarantined message release (miscategorized): 2c1F3UKXajBC <> -> , (excluded: <anotheruser@otherdomain.com> )
Aug 20 13:34:25 postfix amavis[13499]: (rel-2c1F3UKXajBC) Quarantine release 2c1F3UKXajBC: missing X-Envelope-From or Return-Path
Aug 20 13:34:25 postfix amavis[13499]: (rel-bBwkA7LR-QGe) Quarantined message release (miscategorized): bBwkA7LR-QGe <> -> , (excluded: <user1@domain.com> )
Aug 20 13:34:25 postfix amavis[13499]: (rel-bBwkA7LR-QGe) Quarantine release bBwkA7LR-QGe: missing X-Envelope-From or Return-Path

4 Reply by matteo.frakka

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Re: Check for spam before forwarding.

This is an example:

Aug 20 15:17:04 postfix postfix/smtpd[8444]: connect from unknown[YYY.YYY.YYY.YYY]
Aug 20 15:17:04 postfix policyd: connection from: 127.0.0.1 port: 60087 slots: 0 of 2044 used
Aug 20 15:17:04 postfix policyd: connecting to mysql database: 127.0.0.1
Aug 20 15:17:04 postfix policyd: connected..
Aug 20 15:17:04 postfix policyd: rcpt=1, greylist=update, host=YYY.YYY.YYY.YYY (unknown), from=spam-sender@someone.com, to=mail_alias@iredmailserver.com, size=3026
Aug 20 15:17:04 postfix postfix/smtpd[8444]: E0A0260064: client=unknown[YYY.YYY.YYY.YYY]
Aug 20 15:17:05 postfix postfix/cleanup[8453]: E0A0260064: message-id=<52136C3F.6000903@someone.com>
Aug 20 15:17:05 postfix postfix/qmgr[1910]: E0A0260064: from=<spam-sender@someone.com>, size=3289, nrcpt=1 (queue active)
Aug 20 15:17:05 postfix postfix/smtpd[8444]: disconnect from unknown[YYY.YYY.YYY.YYY]
Aug 20 15:17:06 postfix postfix/smtpd[8461]: connect from MYSERVER.LOCALDOMAIN.LAN[127.0.0.1]
Aug 20 15:17:06 postfix postfix/smtpd[8461]: AD2CF600A0: client=MYSERVER.LOCALDOMAIN.LAN[127.0.0.1]
Aug 20 15:17:06 postfix postfix/cleanup[8453]: AD2CF600A0: message-id=<52136C3F.6000903@someone.com>
Aug 20 15:17:06 postfix postfix/qmgr[1910]: AD2CF600A0: from=<spam-sender@someone.com>, size=3763, nrcpt=1 (queue active)
Aug 20 15:17:06 postfix postfix/smtpd[8461]: disconnect from MYSERVER.LOCALDOMAIN.LAN[127.0.0.1]
Aug 20 15:17:06 postfix amavis[1945]: (01945-01) Passed SPAM {RelayedOutbound,Quarantined}, LOCAL [YYY.YYY.YYY.YYY]:56921 [XXX.XXX.XXX.XXX] <spam-sender@someone.com> -> <real_user@not-alias.com>, quarantine: IxPV-P3NOKry, Message-ID: <52136C3F.6000903@someone.com>, mail_id: IxPV-P3NOKry, Hits: 1002.379, size: 3288, queued_as: AD2CF600A0, 1654 ms
Aug 20 15:17:06 postfix postfix/smtp[8457]: E0A0260064: to=<real_user@not-alias.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.51/0.07/0.02/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AD2CF600A0)
Aug 20 15:17:06 postfix postfix/qmgr[1910]: E0A0260064: removed
Aug 20 15:17:07 postfix postfix/smtp[8462]: AD2CF600A0: to=<real_user@not-alias.com>, relay=mailserver.not-alias.com[zzz.zzz.zzz.zzz]:25, delay=0.52, delays=0.01/0.03/0.01/0.48, dsn=2.6.0, status=sent (250 2.6.0 <52136C3F.6000903@someone.com> Queued mail for delivery)
Aug 20 15:17:07 postfix postfix/qmgr[1910]: AD2CF600A0: removed
Aug 20 15:18:55 postfix amavis[1946]: (rel-IxPV-P3NOKry) Quarantined message release (miscategorized): IxPV-P3NOKry <> -> , (excluded: <real_user@not-alias.com> )
Aug 20 15:18:55 postfix amavis[1946]: (rel-IxPV-P3NOKry) Quarantine release IxPV-P3NOKry: missing X-Envelope-From or Return-Path

Lines from 1 to 19 shows what happens to an incoming email (E0A0260064 - message-id=<52136C3F.6000903@someone.com>) from=spam-sender@someone.com to=mail_alias@iredmailserver.com:

At lines 16-17 the original message E0A0260064 is relayed to [127.0.0.1]:10024 and it becomes AD2CF600A0.
At line 12 the message with id "52136C3F.6000903@someone.com" and queued as AD2CF600A0 is relayed to spam filter and at line 15 it was identified as spam and quarantined (and it appears in iredadmin/activities/quarantined).
At lines 18 and 19 the same message is also forwarded to destination server "mailserver.not-alias.com" and removed from queue...

Lines 20 and 21 show what the log register when the message AD2CF600A0 was released from quarantine...

So the message is relayed twice instead of be trapped and when in was released from qurantine has lost some header...

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Check for spam before forwarding.

matteo.frakka wrote:

I've also restored old config files from backup to be sure of rolling back any changes I've made but I still have the spam mails delivered to users (local and forwarded) and a copy of that mail stored in amavis db that cannot be released:

Could you please show me output of below commands?

# grep 'spam_quarantine' /etc/amavisd/amavisd.conf
# grep 'final_spam_destiny' /etc/amavisd/amavisd.conf

6 Reply by matteo.frakka

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Re: Check for spam before forwarding.

Sure:

[root@postfix matteo.fracassetti]# grep 'spam_quarantine' /etc/amavisd/amavisd.conf
# $bad_header_quarantine_to, $spam_quarantine_to,
$spam_quarantine_to = 'spam-quarantine';
$spam_quarantine_method = 'sql:';
[root@postfix matteo.fracassetti]# grep 'final_spam_destiny' /etc/amavisd/amavisd.conf
#$final_spam_destiny       = D_PASS;
$final_spam_destiny       = D_DISCARD;
$final_spam_destiny       = D_PASS;

"$final_spam_destiny       = D_DISCARD;" is on line 165/625 in the section "# OTHER MORE COMMON SETTINGS"
"$final_spam_destiny       = D_PASS;" is on line 370/625 in the section "# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING"

Is this the cause?

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Check for spam before forwarding.

Amavisd will use the last one. so parameter "$final_spam_destiny" has value "D_PASS", not "D_DISCARD".

8 Reply by matteo.frakka

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Re: Check for spam before forwarding.

Ok, fixed.

Tomorrow I'll do some other tests...

9 Reply by matteo.frakka (edited by matteo.frakka 2013-08-29 06:30:20)

  • matteo.frakka
  • Member
  • Offline
  • Registered: 2012-04-15
  • Posts: 66

Re: Check for spam before forwarding.

Hi.
After some testing with no result I've imported amavisd.conf, /etc/policyd.conf and /etc/policyd_sender_throttle.conf from my home server (fresh install of iRedAdmin open source edition, LDAP backed) to my server at work (old install of iRedAdmin Pro, MySQL back-end), correcting the difference related to different back-end and now it works as expected, I must have changed something else somewhere...
So seems to be a my mistake, sorry!