1

Topic: Spam From Local

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.3
- Deployed with iRedMail Easy or the downloadable installer? iRedMail Enterprise
- Linux/BSD distribution name and version: Ubuntu 24.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? iRedMail Enterprise
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

An authenticated user on a whitelisted /24 tried to send myself and two other users an email. We are all on the same domain, served by this server. His MUA is configured to log in to send. I have the internal network we are both connected to on the system-wide whitelist, and on the Trusted Clients list.

The email he sent keeps getting marked as spam and discarded. I have spam quarantining turned on, but still, they are being discarded.

What can I do to turn off spam scanning on the sending side? And also, why is spam quarantining not working?

Here is a sanitized snippet of the mail log where his email is getting discarded (he is listed as sending.user@mydomain.com, and the three recipients are listed as receiving.user[1-3]@mydomain.com)

2025-06-25T12:06:31.072923+00:00 mail postfix/submission/smtpd[527454]: connect from unknown[192.168.11.133]
2025-06-25T12:06:31.075685+00:00 mail postfix/submission/smtpd[527454]: discarding EHLO keywords: CHUNKING
2025-06-25T12:06:31.135611+00:00 mail postfix/submission/smtpd[527454]: Anonymous TLS connection established from unknown[192.168.11.133]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-06-25T12:06:31.137099+00:00 mail postfix/submission/smtpd[527454]: discarding EHLO keywords: CHUNKING
2025-06-25T12:06:31.211026+00:00 mail postfix/submission/smtpd[527454]: 4bS0sg1Tr1z7y5F4: client=unknown[192.168.11.133], sasl_method=PLAIN, sasl_username=sending.user@mydomain.com
2025-06-25T12:06:31.299819+00:00 mail postfix/cleanup[527456]: 4bS0sg1Tr1z7y5F4: message-id=<5FDA5420-5C64-44B5-A858-D99416894245@mydomain.com>
2025-06-25T12:06:31.320288+00:00 mail postfix/qmgr[1116177]: 4bS0sg1Tr1z7y5F4: from=<sending.user@mydomain.com>, size=561351, nrcpt=3 (queue active)
2025-06-25T12:06:38.054522+00:00 mail postfix/10025/smtpd[527479]: connect from mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.054930+00:00 mail postfix/10025/smtpd[527479]: discarding EHLO keywords: CHUNKING
2025-06-25T12:06:38.063465+00:00 mail postfix/10025/smtpd[527479]: 4bS0sp0RNFz7y5FQ: client=mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.067727+00:00 mail postfix/cleanup[527456]: 4bS0sp0RNFz7y5FQ: message-id=<SAIWgukn3tf2lw@mail.mydomain.com>
2025-06-25T12:06:38.068401+00:00 mail postfix/10025/smtpd[527480]: connect from mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.068890+00:00 mail postfix/10025/smtpd[527480]: discarding EHLO keywords: CHUNKING
2025-06-25T12:06:38.069513+00:00 mail postfix/10025/smtpd[527479]: disconnect from mail.mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2025-06-25T12:06:38.070068+00:00 mail postfix/qmgr[1116177]: 4bS0sp0RNFz7y5FQ: from=<postmaster@mail.mydomain.com>, size=4836, nrcpt=1 (queue active)
2025-06-25T12:06:38.083172+00:00 mail amavis[330920]: (330920-14) Blocked SPAM {DiscardedInternal}, ORIGINATING LOCAL [192.168.11.133]:54693 ESMTP/ESMTP <sending.user@mydomain.com> -> <receiving.user2@mydomain.com>, (), Queue-ID: 4bS0sg1Tr1z7y5F4, Message-ID: <5FDA5420-5C64-44B5-A858-D99416894245@mydomain.com>, mail_id: IWgukn3tf2lw, b: 55v8LauJX, Hits: 6.964, size: 561350, Subject: "Fwd: Event in Paris May 31 to June 3", From: <sending.user@mydomain.com>, X-Mailer: Apple_Mail_(2.3826.600.51.1.1), helo=smtpclient.apple, Tests: [AC_DIV_BONANZA=0.001,ALL_TRUSTED=0.1,BAYES_50=0.8,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.3,KAM_DMARC_STATUS=0.01,KAM_INFOUSMEBIZ=0.75,KAM_NUMSUBJECT=0.5,KAM_SHORT=0.001,LOTS_OF_MONEY=4.5,XFER_LOTSA_MONEY=0.001], autolearn=no autolearn_force=no, autolearnscore=6.064, 6646 ms
2025-06-25T12:06:38.087289+00:00 mail postfix/amavis/smtp[527457]: 4bS0sg1Tr1z7y5F4: to=<receiving.user2@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=6.9, delays=0.17/0.12/0.01/6.6, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=330920-14 - spam)
2025-06-25T12:06:38.093555+00:00 mail postfix/10025/smtpd[527480]: 4bS0sp0fSCz7y5FV: client=mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.097706+00:00 mail postfix/cleanup[527456]: 4bS0sp0fSCz7y5FV: message-id=<SAFKhnN0s42jLn@mail.mydomain.com>
2025-06-25T12:06:38.099615+00:00 mail postfix/qmgr[1116177]: 4bS0sp0fSCz7y5FV: from=<postmaster@mail.mydomain.com>, size=4830, nrcpt=1 (queue active)
2025-06-25T12:06:38.100534+00:00 mail postfix/10025/smtpd[527480]: disconnect from mail.mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2025-06-25T12:06:38.103263+00:00 mail postfix/cleanup[527456]: 4bS0sp0hjbz7y5Fj: message-id=<SAIWgukn3tf2lw@mail.mydomain.com>
2025-06-25T12:06:38.104743+00:00 mail postfix/local[527482]: 4bS0sp0RNFz7y5FQ: to=<root@mail.mydomain.com>, relay=local, delay=0.04, delays=0.01/0.02/0/0.01, dsn=2.0.0, status=sent (forwarded as 4bS0sp0hjbz7y5Fj)
2025-06-25T12:06:38.104900+00:00 mail postfix/qmgr[1116177]: 4bS0sp0hjbz7y5Fj: from=<postmaster@mail.mydomain.com>, size=4989, nrcpt=1 (queue active)
2025-06-25T12:06:38.110388+00:00 mail postfix/qmgr[1116177]: 4bS0sp0RNFz7y5FQ: removed 
2025-06-25T12:06:38.111173+00:00 mail amavis[339812]: (339812-12) Blocked SPAM {DiscardedInternal}, ORIGINATING LOCAL [192.168.11.133]:54693 ESMTP/ESMTP <sending.user@mydomain.com> -> <receiving.user3@mydomain.com>, (), Queue-ID: 4bS0sg1Tr1z7y5F4, Message-ID: <5FDA5420-5C64-44B5-A858-D99416894245@mydomain.com>, mail_id: FKhnN0s42jLn, b: 55v8LauJX, Hits: 6.964, size: 561350, Subject: "Fwd: Event in Paris May 31 to June 3", From: <sending.user@mydomain.com>, X-Mailer: Apple_Mail_(2.3826.600.51.1.1), helo=smtpclient.apple, Tests: [AC_DIV_BONANZA=0.001,ALL_TRUSTED=0.1,BAYES_50=0.8,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.3,KAM_DMARC_STATUS=0.01,KAM_INFOUSMEBIZ=0.75,KAM_NUMSUBJECT=0.5,KAM_SHORT=0.001,LOTS_OF_MONEY=4.5,XFER_LOTSA_MONEY=0.001], autolearn=no autolearn_force=no, autolearnscore=6.064, 6563 ms
2025-06-25T12:06:38.114246+00:00 mail postfix/amavis/smtp[527458]: 4bS0sg1Tr1z7y5F4: to=<receiving.user3@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=7, delays=0.17/0.23/0/6.6, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=339812-12 - spam)
2025-06-25T12:06:38.116619+00:00 mail postfix/cleanup[527456]: 4bS0sp0mk6z7y5FQ: message-id=<SAFKhnN0s42jLn@mail.mydomain.com>
2025-06-25T12:06:38.118770+00:00 mail postfix/local[527482]: 4bS0sp0fSCz7y5FV: to=<root@mail.mydomain.com>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as 4bS0sp0mk6z7y5FQ)
2025-06-25T12:06:38.119008+00:00 mail postfix/qmgr[1116177]: 4bS0sp0mk6z7y5FQ: from=<postmaster@mail.mydomain.com>, size=4983, nrcpt=1 (queue active)
2025-06-25T12:06:38.119641+00:00 mail postfix/qmgr[1116177]: 4bS0sp0fSCz7y5FV: removed
2025-06-25T12:06:38.154083+00:00 mail postfix/10025/smtpd[527479]: connect from mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.157494+00:00 mail postfix/10025/smtpd[527479]: discarding EHLO keywords: CHUNKING
2025-06-25T12:06:38.158783+00:00 mail postfix/10025/smtpd[527479]: 4bS0sp16Zxz7y5FV: client=mail.mydomain.com[127.0.0.1]
2025-06-25T12:06:38.163019+00:00 mail postfix/cleanup[527483]: 4bS0sp16Zxz7y5FV: message-id=<SAaZhJcNe2ljod@mail.mydomain.com>
2025-06-25T12:06:38.167789+00:00 mail postfix/10025/smtpd[527479]: disconnect from mail.mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2025-06-25T12:06:38.167933+00:00 mail postfix/qmgr[1116177]: 4bS0sp16Zxz7y5FV: from=<postmaster@mail.mydomain.com>, size=4831, nrcpt=1 (queue active)
2025-06-25T12:06:38.179146+00:00 mail amavis[339924]: (339924-12) Blocked SPAM {DiscardedInternal}, ORIGINATING LOCAL [192.168.11.133]:54693 ESMTP/ESMTP <sending.user@mydomain.com> -> <receiving.user1@mydomain.com>, (), Queue-ID: 4bS0sg1Tr1z7y5F4, Message-ID: <5FDA5420-5C64-44B5-A858-D99416894245@mydomain.com>, mail_id: aZhJcNe2ljod, b: 55v8LauJX, Hits: 6.964, size: 561350, Subject: "Fwd: Event in Paris May 31 to June 3", From: <sending.user@mydomain.com>, X-Mailer: Apple_Mail_(2.3826.600.51.1.1), helo=smtpclient.apple, Tests: [AC_DIV_BONANZA=0.001,ALL_TRUSTED=0.1,BAYES_50=0.8,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.3,KAM_DMARC_STATUS=0.01,KAM_INFOUSMEBIZ=0.75,KAM_NUMSUBJECT=0.5,KAM_SHORT=0.001,LOTS_OF_MONEY=4.5,XFER_LOTSA_MONEY=0.001], autolearn=no autolearn_force=no, autolearnscore=6.064, 6515 ms
2025-06-25T12:06:38.181707+00:00 mail postfix/cleanup[527456]: 4bS0sp1FsMz7y5Fv: message-id=<SAaZhJcNe2ljod@mail.mydomain.com>
2025-06-25T12:06:38.182883+00:00 mail postfix/amavis/smtp[527459]: 4bS0sg1Tr1z7y5F4: to=<receiving.user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=7, delays=0.17/0.34/0/6.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=339924-12 - spam)


2

Re: Spam From Local

tomierna wrote:

2025-06-25T12:06:38.083172+00:00 mail amavis[330920]: (330920-14) Blocked SPAM {DiscardedInternal}, ... Hits: 6.964, ... Tests: [...,LOTS_OF_MONEY=4.5,...

Did you see the matched SpamAssassin rule which has a high score?

3

Re: Spam From Local

ZhangHuangbin wrote:

Did you see the matched SpamAssassin rule which has a high score?

Yes, I did, but my question is why do messages from logged in, trusted clients coming from whitelisted networks, and being sent to only other internal users get sent through the spam filter at all?

My users are not sending spam from their authenticated MUA while they are on the LAN.

I can understand filtering mail from users which are not SMTP authenticated, and/or if they are not being submitted from a trusted, whitelisted network.

It also seems like different behavior than iRedMail with iRedAdmin-Pro, which is what I upgraded from. I don’t recall any internal mail bouncing as spam in all the years I have used iRedMail.

4

Re: Spam From Local

After looking at the issue today, I think I found my problem. I think it is related to the way I migrated to iRedMail EE from iRedMail/iRedAdmin-Pro.

When doing the migration, I took the lazy way and put copies of all of the files in /opt/iredmail/custom, including postfix/main.cf and postfix/master.cf.

After reading the documentation more closely, I see that means that any managed changes to these two files are being ignored because of the symbolic links to the files in /opt/iredmail/postfix.

Any changes I made to main.cf and master.cf back when this was an iRedMail/iRedAdmin-Pro machine were not documented by me, so it will be hard for me to build append_master.cf and append_main.cf files, but I will comb through the differences between my /opt/iredmail/postfix/(main|master).cf and /etc/postfix/(main|master).cf.iredmail before attempting this.

My question now is: how do I recover from this situation? Do I just remove the main.cf and master.cf in /opt/iredmail/postfix and re-deploy? Do I also need to remove the symlinks?

5

Re: Spam From Local

tomierna wrote:

My question now is: how do I recover from this situation? Do I just remove the main.cf and master.cf in /opt/iredmail/postfix and re-deploy? Do I also need to remove the symlinks?

It's not hard to find the differences between your own main.cf / master.cf and the ones generated by EE (/etc/postfix/*.cf.iredmail) with the "diff -Naur" command.
Move the changed / new parameters to append_main.cf and append_master.cf, then re-deploy the "Postfix" component, or even better, re-perform a full deployment.
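
The comparison described in the reply above, done per parameter rather than per line so that continuation lines and comments do not show up as noise (an added example, not part of the thread and not iRedMail's own tooling). The two file contents are constructed samples; in practice they would be read from your own main.cf and from /etc/postfix/main.cf.iredmail.

```python
# Constructed samples standing in for the customised and the generated main.cf.
CUSTOM = """\
# local copy carried over from the old server (constructed)
mynetworks = 127.0.0.1
    192.168.11.0/24
message_size_limit = 31457280
smtpd_helo_required = yes
smtpd_client_connection_rate_limit = 30
"""
GENERATED = """\
mynetworks = 127.0.0.1
message_size_limit = 15728640
smtpd_helo_required = yes
smtpd_tls_mandatory_protocols = >=TLSv1.2
"""


def parse_main_cf(text):
    """Map parameter name -> value using Postfix main.cf line rules."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                  # blank lines and comments are ignored
        if raw[0].isspace():          # leading whitespace continues the previous line
            if current:
                params[current] += ' ' + ' '.join(raw.split())
            continue
        name, sep, value = raw.partition('=')   # split on the first '=' only
        current = name.strip() if sep else None
        if current:
            params[current] = ' '.join(value.split())   # a later definition wins
    return params


def append_candidates(custom_text, generated_text):
    """Parameters that are new or changed in the custom copy (append_main.cf material)."""
    custom, generated = parse_main_cf(custom_text), parse_main_cf(generated_text)
    return {name: ('new' if name not in generated else 'changed', value)
            for name, value in custom.items() if generated.get(name) != value}


def missing_managed(custom_text, generated_text):
    """Generated parameters absent from the custom copy: managed settings it never picked up."""
    custom = parse_main_cf(custom_text)
    return sorted(n for n in parse_main_cf(generated_text) if n not in custom)


if __name__ == '__main__':
    for name, (kind, value) in append_candidates(CUSTOM, GENERATED).items():
        print(f'{kind:8} {name} = {value}')
    print('not in custom copy:', missing_managed(CUSTOM, GENERATED))
```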

6 (edited by tomierna 2025-07-03 02:43:15)

Re: Spam From Local

Zhang,

I have done a full re-deployment. I had several failed re-deployment attempts at first because I had done the same lazy copy of my sogo.conf to the custom directory, and I only deleted the target files in the custom directories but left the symlinks. The postfix part of the re-deployment fixed the symlinks in /etc/postfix/, but the sogo deployment barfed with a log in /var/crash complaining about a dangling symlink. I deleted that symlink and re-deployed and finally had success with the full re-deployment.

However, the issue is still happening.

This particular user is an authenticated sender, but they are not on my private networks.

How can I configure this server to whitelist authenticated users if they are outside my trusted nets?

Edit: I guess I could add the whole domain to the Senders Whitelist, but that would whitelist spoofed from: wouldn't it?

7

Re: Spam From Local

The emails sent by this user matched the SpamAssassin rule "LOTS_OF_MONEY" and got a score of 4.5; this is the cause. Did you ever check the mail content to figure out why they matched this rule?
FYI https://buttondown.com/resources/spam-a … s-of-money

Another option is to log in to iRedAdmin-Pro, go to the user profile page, and configure it to not enable spam scanning for this user.
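
The triage step the replies point to, as an added example that is not part of the thread: parse an amavis verdict line, pull out the action taken and the per-rule scores, and rank the rules by their share of the total. The sample is the first amavis line from the log above, cut down to the fields parsed here; the function names are this example's own.

```python
import re

# Constructed sample: the thread's first amavis line, reduced to the parsed fields.
SAMPLE = (
    'mail amavis[330920]: (330920-14) Blocked SPAM {DiscardedInternal}, '
    'ORIGINATING LOCAL [192.168.11.133]:54693 ESMTP/ESMTP, Hits: 6.964, '
    'size: 561350, Tests: [AC_DIV_BONANZA=0.001,ALL_TRUSTED=0.1,BAYES_50=0.8,'
    'HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.3,KAM_DMARC_STATUS=0.01,'
    'KAM_INFOUSMEBIZ=0.75,KAM_NUMSUBJECT=0.5,KAM_SHORT=0.001,LOTS_OF_MONEY=4.5,'
    'XFER_LOTSA_MONEY=0.001], autolearn=no autolearn_force=no'
)

VERDICT = re.compile(r'\b(Blocked|Passed) (\S+) \{([^}]*)\}')
HITS = re.compile(r'Hits: (-?\d+(?:\.\d+)?|-)')   # "-" is logged when no score exists
TESTS = re.compile(r'Tests: \[([^\]]*)\]')


def parse_amavis(line):
    """Return verdict, action, score and per-rule scores; None for other log lines."""
    v = VERDICT.search(line)
    if not v:
        return None
    h, t = HITS.search(line), TESTS.search(line)
    tests = {}
    for item in (t.group(1).split(',') if t and t.group(1) else []):
        name, sep, score = item.partition('=')
        if sep:
            tests[name.strip()] = float(score)
    return {
        'result': v.group(1),                  # Blocked / Passed
        'category': v.group(2),                # e.g. SPAM
        'action': v.group(3),                  # e.g. DiscardedInternal
        'originating': 'ORIGINATING' in line,  # amavis treated the client as local/authenticated
        'hits': float(h.group(1)) if h and h.group(1) != '-' else None,
        'tests': tests,
    }


def top_rules(rec, n=3):
    """Highest-scoring rules as (name, score, share of Hits)."""
    ranked = sorted(rec['tests'].items(), key=lambda kv: kv[1], reverse=True)
    hits = rec['hits']
    return [(r, s, round(s / hits, 2) if hits else None) for r, s in ranked[:n]]


if __name__ == '__main__':
    rec = parse_amavis(SAMPLE)
    print(rec['result'], rec['category'], rec['action'], rec['hits'])
    for rule, score, share in top_rules(rec):
        print(f'{rule:18} {score:6.3f} {share:.0%}')
```

On the thread's line this shows the message handled as ORIGINATING and still scored, with one rule supplying roughly two thirds of the total.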