1

Topic: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I have the problem that all outgoing mails from smarthost customers are marked as spam.

For clarification, I created accounts like customerA@example.org, customerB@example.org and so on.
In

/opt/iredapd/settings.py

I've added those accounts to

ALLOWED_LOGIN_MISMATCH_SENDERS = ['customerA@example.org', 'customerB@example.org']

The problem now is that all customers' mails get high SpamAssassin scores because of this:
dovecot:

Jul 17 11:31:41 custmail iredapd INFO: [87.138.213.***] RCPT, customerA@example.org => info@customerA.com -> example-recipient@iredmail.org, DUNNO [sasl_username=customerA@example.org, sender=info@customerA.com, client_name=rdns-record-of-customer.dip0.t-ipconnect.de, reverse_client_name=rdns-record-of-customer.dip0.t-ipconnect.de, helo=dc01.customerA.com, encryption_protocol=TLSv1.2, process_time=0.0100s]

amavis:

Jul 17 11:31:42 custmail amavis[19294]: (19294-04) Passed SPAM {RelayedTaggedInternal}, ORIGINATING LOCAL [87.138.213.***]:58113 [87.138.213.***] <info@customerA.com> -> <example-recipient@iredmail.org>, Queue-ID: D703C6E123E, Message-ID: <178c511fdce446d6b4a622d4d4d7ce1e@dc01.customerA.com>, mail_id: GIgXXTyAZrlz, Hits: 2.992, size: 2016, queued_as: 81F8D6E1241, 363 ms, Tests: [BAYES_20=-0.001,HELO_NO_DOMAIN=2.199,HTML_MESSAGE=0.001,RDNS_NONE=0.793]

HELO_NO_DOMAIN=2.199
RDNS_NONE=0.793


So I wonder, why are those checks performed on a user that authenticates via login?
And second: there is a HELO and the rDNS record is also correct...


2

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

lug wrote:

So I wonder, why are those checks performed on a user that authenticates via login?

We don't exclude some SpamAssassin rules for outgoing emails.

lug wrote:

And second: there is and HELO and the rdns record is also correct...

The problem is why SpamAssassin on your server cannot get a correct DNS query result.

3 (edited by lug 2019-07-19 22:32:08)

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

I think I found the problem, HELO in Exchange Connector was empty.

Edit: Nope, even customers with FQDN get this error sometimes...

I've set https://docs.iredmail.org/debug.amavisd.html

log_level=4
and sa_debug=1

I'll see what happens....

4

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

More details: the first time this occurred was 25th June; before that day HELO_NO_DOMAIN was scored with 0.001.
Maybe due to SpamAssassin/Amavis updates the score was changed?

5

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

lug wrote:

Maybe due to SpamAssassin/Amavis updates the score was changed?

Maybe. Do you have a custom rule in /etc/mail/spamassassin/local.cf? (You can override the score in this file too.)

6

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

/etc/mail/spamassassin/local.cf

required_score      5.0
rewrite_header      subject [ SPAM ]

report_safe         0
lock_method         flock

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1

score DNS_FROM_AHBL_RHSBL 0

score URIBL_AB_SURBL 0 0.3306 0 0.3812
score URIBL_JP_SURBL 0 0.3360 0 0.4087
score URIBL_OB_SURBL 0 0.2617 0 0.3008
score URIBL_PH_SURBL 0 0.2240 0 0.2800
score URIBL_SBL 0 0.1094 0 0.1639
score URIBL_SC_SURBL 0 0.3600 0 0.4498
score URIBL_WS_SURBL 0 0.1533 0 0.2140

loadplugin Mail::SpamAssassin::Plugin::DKIM
whitelist_from_dkim *@paypal.com
whitelist_from_dkim *@linkedin.com
whitelist_from_dkim *@twitter.com
whitelist_from_dkim *@bounce.twitter.com

ok_locales          all

score RP_MATCHES_RCVD 0

(comments removed)

As far as I remember, I never touched that file.

7

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

No idea right now; another possible cause is that the DNS server may not work correctly at the moment, but I'm not sure.

8 (edited by lug 2019-07-26 19:21:32)

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

We use 8.8.8.8 as DNS; I changed it to 1.1.1.1 now, let's see if it helps.

Edit: does not help

9

Re: Outgoing mails marked as spam because of HELO_NO_DOMAIN and RDNS_NONE

So I was able to get more information via debug log.

HELO_NO_DOMAIN does not apply to the sending mail server's IP address; it looks like Amavis is doing this check on the mail headers!


Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: parsed as [ ip=87.138.***.*** rdns=***.dip0.t-ipconnect.de helo=dc01.customer.com by=mx.example.org ident= envfrom= intl=0 id=A7B7C6E00BC auth=ESMTPSA msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: authentication method ESMTPSA
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: relay 87.138.***.*** trusted? yes internal? yes msa? no
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: parsed as [ ip=192.168.1.2 rdns=dc01.customer.com helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=0 id=15.0.1263.5 auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: 'from' 192.168.1.2 has private IP
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: relay 192.168.1.2 trusted? yes internal? yes msa? no
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: parsed as [ ip=fe80::*ipv6* rdns= helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=0 id=15.00.1263.000 auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: 'from' fe80::*ipv6* has private IP
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: relay fe80::*ipv6* trusted? yes internal? yes msa? no
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: parsed as [ ip=31.16.***.*** rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: do not trust any hosts from here on
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: received-header: relay 31.16.***.*** trusted? no internal? no msa? no
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: metadata: X-Spam-Relays-Trusted: [ ip=87.138.***.*** rdns=***.dip0.t-ipconnect.de helo=dc01.customer.com by=mx.example.org ident= envfrom= intl=1 id=A7B7C6E00BC auth=ESMTPSA msa=0 ] [ ip=192.168.1.2 rdns=dc01.customer.com helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=1 id=15.0.1263.5 auth= msa=0 ] [ ip=fe80::*ipv6* rdns= helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=1 id=15.00.1263.000 auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: metadata: X-Spam-Relays-Untrusted: [ ip=31.16.***.*** rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: metadata: X-Spam-Relays-Internal: [ ip=87.138.***.*** rdns=***.dip0.t-ipconnect.de helo=dc01.customer.com by=mx.example.org ident= envfrom= intl=1 id=A7B7C6E00BC auth=ESMTPSA msa=0 ] [ ip=192.168.1.2 rdns=dc01.customer.com helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=1 id=15.0.1263.5 auth= msa=0 ] [ ip=fe80::*ipv6* rdns= helo=dc01.customer.com by=dc01.customer.com ident= envfrom= intl=1 id=15.00.1263.000 auth= msa=0 ]
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: metadata: X-Spam-Relays-External: [ ip=31.16.***.*** rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]

Legend:
- 87.138.***.*** = customer's mail server's external IP
- 192.168.1.2 = customer's mail server's internal IP
- 31.16.***.*** = customer's employee's external IP (probably connects to the customer's mail server from home)
- mx.example.org = my iRedMail server

Later in the log I see this:

Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: rules: ran header rule __RDNS_NONE ======> got hit: "[ ip=31.16.15.55 rdns= "
Jul 26 17:33:09 mx amavis[4543]: (04543-09) SA dbg: rules: ran header rule __HELO_NO_DOMAIN ======> got hit: "[ ip=31.16.**.** rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 "

So, as far as I understand, the mails get marked as spam because there's no rDNS or HELO in the mail header from the customer's employee's mail?
I mean, nobody wants spam, but this deep check seems a little too much, especially for authenticated users...
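As an added illustration (not code from this thread, iRedMail or SpamAssassin), the Python below re-creates the trusted/external relay split that the SA debug output above shows: it walks the Received chain from the MX outward, stops trusting at the first hop outside the trusted networks, and then evaluates the RDNS_NONE and HELO_NO_DOMAIN conditions on the first external relay, which is the employee's home connection rather than the customer's mail server. The trusted network list, the documentation-range IPs standing in for the masked ones, and the simplified rule conditions are assumptions.

```python
import ipaddress
import re

# Relay records in the "parsed as [ ... ]" format from the debug log, ordered from
# the hop nearest mx.example.org to the furthest. Constructed sample values.
RECEIVED_CHAIN = [
    "ip=203.0.113.10 rdns=x.dip0.t-ipconnect.de helo=dc01.customer.com by=mx.example.org auth=ESMTPSA",
    "ip=192.168.1.2 rdns=dc01.customer.com helo=dc01.customer.com by=dc01.customer.com auth=",
    "ip=fe80::1 rdns= helo=dc01.customer.com by=dc01.customer.com auth=",
    "ip=198.51.100.7 rdns= helo= by= auth=",  # employee's PC connecting from home (constructed)
]

# Assumed trusted networks: the customer's public range plus RFC1918 and link-local space.
# Everything past the first hop outside these is treated as external.
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.168.0.0/16", "fe80::/10")]

def parse_relay(record):
    """Turn 'key=value key=value ...' into a dict; empty values stay empty strings."""
    return dict(re.findall(r"(\w+)=(\S*)", record))

def split_relays(chain, trusted=TRUSTED):
    """Walk from our MX outward; the first untrusted hop ends the trusted path."""
    trusted_relays, external = [], []
    for rec in chain:
        relay = parse_relay(rec)
        ip = ipaddress.ip_address(relay["ip"])
        if not external and any(ip in net for net in trusted):
            trusted_relays.append(relay)
        else:
            external.append(relay)  # "do not trust any hosts from here on"
    return trusted_relays, external

def rdns_none(external):
    """Simplified RDNS_NONE: the first external relay has no reverse DNS name."""
    return bool(external) and external[0]["rdns"] == ""

def helo_no_domain(external):
    """Simplified HELO_NO_DOMAIN: the first external relay's HELO has no dotted domain."""
    return bool(external) and "." not in external[0]["helo"]

if __name__ == "__main__":
    trusted, external = split_relays(RECEIVED_CHAIN)
    print("first external relay:", external[0]["ip"])  # the employee's home IP, not the customer's server
    print("RDNS_NONE:", rdns_none(external), "HELO_NO_DOMAIN:", helo_no_domain(external))
```

Dropping the last record from RECEIVED_CHAIN (a mail composed on the customer's server itself) leaves no external relay, and neither condition fires.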