1

Topic: SPAM Question

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Ubuntu 16.04.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, 2.8.0
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

So, to avoid our own emails from ending up as SPAM, I whitelisted our own domain for incoming email. However, recently our users have been receiving emails that look like they are from themselves (demanding bitcoin, claiming to have our info, and emails requesting us to change our passwords). What is the proper way for me to combat this? When looking at the source you can eventually see that it comes from a different IP address. See below. Any help appreciated.

Return-Path: <smsmith@mydomain.com>
Delivered-To: smsmith@mydomain.com
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
        by mail.mydomain.com (Postfix) with ESMTP id 166861F81241
        for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:35 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-100 required=1.5 WHITELISTED tests=[]
        autolearn=unavailable
Received: from mail.mydomain.com ([127.0.0.1])
        by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id pe2Mp5mlM33U for <smsmith@mydomain.com>;
        Mon, 29 Oct 2018 03:50:34 -0400 (EDT)
Received: from [103.71.77.175] (unknown [103.71.77.175])                                    <------------This is the foreign IP address
        by mail.mydomain.com (Postfix) with ESMTP id 874831F80500
        for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:33 -0400 (EDT)
From: <smsmith@mydomain.com>
To: <smsmith@mydomain.com>
Subject: smsmith@mydomain.com is compromised. Password must be changed
Date: 29 Oct 2018 16:59:48 +0400
Message-ID: <004401d46f8a$04c41686$9a9380b2$@sbcjolley.com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acy3r9771dnhc3u5y3r9771dnhc3u5==
Content-Language: en
x-cr-hashedpuzzle: 2D4= r977 1dnh c3u5 y3r9 771d nhc3 u5y3 r977 1dnh c3u5 y3r9 771d nhc3 u5y3 r977;1;1dnhc3u5y3r9771dnhc3u5y3r9771dnhc3u5y3r9771dnhc3;Sosha1_v1;7;\{A5874389-A361-4D69-4B8F-456FAD81A587\};ZQB3AGUAZgr9771dnhc3u5y3r9771dnhc3u5y3r9771dnhc3;29 Oct 2018 16:59:48 +0400;u5y3r9771dnhc3u5
x-cr-puzzleid: \{A5874389-A361-4D69-4B8F-456FAD81A587\}

Hello!

I'm a programmer who cracked your email account and device about half year ago.
You entered a password on one of the insecure site you visited, and I catched it.

Of course you can will change your password, or already made it.
But it doesn't matter, my rat software update it every time.

Please don't try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom.
But I was struck by the sites of intimate content that you very often visit.

I am in shock of your reach fantasies! Wow! I've never seen anything like this!
I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it?
BUT I'm sure you don't want it. I definitely would not want to ...

I will not do this if you pay me a little amount.
I think $845 is a nice price for it!

I accept only Bitcoins.
My BTC wallet: 17XHRucfd4kx3W5ty7ySLGiKHqmPUUdpus

If you have difficulty with this - Ask Google "how to make a payment on a bitcoin wallet". It's easy.
After receiving the above amount, all your data will be immediately removed automatically.
My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment.
If this does not happen - all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours)

Do not take this frivolously! This is the last warning!
Various security services or antiviruses won't help you for sure (I have already collected all your data).

Here are the recommendations of a professional:
Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.
Bye.

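As an added illustration (not code from the post or from iRedMail), the following walks the Received chain quoted above from the top down and reports the first hop that was not written by a trusted host, which is the same analysis the poster did by hand; it assumes mydomain.com is the only hosted domain and uses 10.10.10.0/24 as a stand-in for the masked mynetworks entries.

```python
import ipaddress
import re

# Constructed sample: the Received chain quoted in the post (hostnames, queue ids
# and the external IP are the posted ones), cut down to the headers this check needs.
SAMPLE_HEADERS = """\
Return-Path: <smsmith@mydomain.com>
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
        by mail.mydomain.com (Postfix) with ESMTP id 166861F81241
        for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:35 -0400 (EDT)
Received: from mail.mydomain.com ([127.0.0.1])
        by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id pe2Mp5mlM33U for <smsmith@mydomain.com>;
        Mon, 29 Oct 2018 03:50:34 -0400 (EDT)
Received: from [103.71.77.175] (unknown [103.71.77.175])
        by mail.mydomain.com (Postfix) with ESMTP id 874831F80500
        for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:33 -0400 (EDT)
From: <smsmith@mydomain.com>
To: <smsmith@mydomain.com>
"""

# Hops whose Received lines we wrote ourselves: loopback plus mynetworks.
# 10.10.10.0/24 stands in for the masked addresses in the posted postconf (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.10.10.0/24")]
LOCAL_DOMAINS = {"mydomain.com"}

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return (lowercased name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def received_from_ip(value):
    """Bracketed IP of the *sending* host in one Received value (text before ' by ')."""
    m = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", value.split(" by ", 1)[0])
    return m.group(1) if m else None

def originating_ip(raw, trusted=TRUSTED_NETWORKS):
    """Walk Received headers newest-first (top of the message down); the first hop
    not written by a trusted host is where the mail entered our infrastructure."""
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        ip = received_from_ip(value)
        if ip is None:
            return None  # unparseable hop: nothing below it can be trusted either
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None  # every hop was internal, e.g. a locally submitted message

def return_path_domain(raw):
    for name, value in unfold_headers(raw):
        if name == "return-path":
            m = re.search(r"@([\w.-]+)", value)
            return m.group(1).lower() if m else None
    return None

def is_spoofed_local_sender(raw):
    """True when the envelope sender claims one of our domains but an external host
    handed us the message: the mail a sender-domain whitelist must never exempt."""
    return originating_ip(raw) is not None and return_path_domain(raw) in LOCAL_DOMAINS
```

Run against the sample, originating_ip returns 103.71.77.175 and is_spoofed_local_sender returns True; a whitelist keyed only on the sender domain cannot tell this message from genuine internal mail, which is why the filter scored it 0.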

2

Re: SPAM Question

Luke6283 wrote:

Received: from [103.71.77.175] (unknown [103.71.77.175])                                    <------------This is the foreign IP address

Any related log in /var/log/iredapd/iredapd.log regarding this IP address?

3

Re: SPAM Question

ZhangHuangbin wrote:
Luke6283 wrote:

Received: from [103.71.77.175] (unknown [103.71.77.175])                                    <------------This is the foreign IP address

Any related log in /var/log/iredapd/iredapd.log regarding this IP address?

Looks like the log reset last night so I'll have to wait for the next occurrence.

4

Re: SPAM Question

Luke6283 wrote:

Looks like the log reset last night so I'll have to wait for the next occurrence.

Why not simply check the archived log file ...

5

Re: SPAM Question

ZhangHuangbin wrote:
Luke6283 wrote:

Looks like the log reset last night so I'll have to wait for the next occurrence.

Why not simply check the archived log file ...

Sorry, I was unaware of an archived log file. Can you tell me where to find that in the future?
Anyway, another email of the same nature came through yesterday. Here is the iRedAPD log for that IP address:

2018-11-05 01:46:06 INFO [41.50.142.181] RCPT, smsmith@mydomain.com -> smsmith@mydomain.com, DUNNO [0.0280s]
2018-11-05 01:46:06 INFO [41.50.142.181] END-OF-MESSAGE, smsmith@mydomain.com -> smsmith@mydomain.com, DUNNO [0.0015s]

Here is the source for that email:

Return-Path: <smsmith@mydomain.com>
Delivered-To: smsmith@mydomain.com
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 0B8201F81347
    for <smsmith@mydomain.com>; Mon, 5 Nov 2018 01:46:07 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-100 required=1.5 WHITELISTED tests=[]
    autolearn=unavailable
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id Y20vEQD7dslc for <smsmith@mydomain.com>;
    Mon, 5 Nov 2018 01:46:06 -0500 (EST)
Received: from [41.50.142.181] (unknown [41.50.142.181])
    by mail.mydomain.com (Postfix) with ESMTP id 331041F806B6
    for <smsmith@mydomain.com>; Mon, 5 Nov 2018 01:46:06 -0500 (EST)
Message-ID: <003201d474e3$02336d00$02b35b86@ttqbxs>
From: <smsmith@mydomain.com>
To: <smsmith@mydomain.com>
Subject: Change your password immediately. Your account has been hacked.
Date: 5 Nov 2018 09:08:00 +0100
MIME-Version: 1.0
Content-Type: text/plain;
    charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

6

Re: SPAM Question

- Did you modify any Postfix settings? Please show us output of command "postconf -n".
- You may need to turn on debug mode in iRedAPD, so that we can get more details about (new) spam email.

7

Re: SPAM Question

Yes, I had made a few changes way back when I first set up the server, as we were having some issues with some emails not being able to get through. See the postconf -n output below:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailbox_size_limit = 154857600
mailq_path = /usr/bin/mailq
message_size_limit = 104857600
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.1, 50.***.***.***, 64.***.***.*** 50.***.***.*** 10.10.10.2 10.10.10.9 50.***.***.***
myorigin = mail.mydomain.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient permit_mynetworks check_policy_service inet:127.0.0.1:7777 permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client b.barracudacentral.org
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access check_sender_access hash:/etc/postfix/accepted_unauth_senders reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail_mydomain_com.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

8

Re: SPAM Question

Luke6283 wrote:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access check_sender_access hash:/etc/postfix/accepted_unauth_senders reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre

The default iRedMail setting is:

# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

- You may need to turn on debug mode in iRedAPD, so that we can get more details about (new) spam email.

9

Re: SPAM Question

ZhangHuangbin wrote:

- You may need to turn on debug mode in iRedAPD, so that we can get more details about (new) spam email.

Ok, I have enabled debug mode for iRedAPD. When a new spam email comes in, I'll post the log contents.

10

Re: SPAM Question

Luke6283 wrote:
ZhangHuangbin wrote:

- You may need to turn on debug mode in iRedAPD, so that we can get more details about (new) spam email.

Ok, I have enabled debug mode for iRedAPD. When a new spam email comes in, I'll post the log contents.

Ok, a new spam mail has come through; here are the iRedAPD log results:

2018-11-19 05:28:38 DEBUG Connect from 127.0.0.1, port 49816.
2018-11-19 05:28:38 DEBUG smtp session: request=smtpd_access_policy
2018-11-19 05:28:38 DEBUG smtp session: protocol_state=RCPT
2018-11-19 05:28:38 DEBUG smtp session: protocol_name=ESMTP
2018-11-19 05:28:38 DEBUG smtp session: client_address=97.103.252.209
2018-11-19 05:28:38 DEBUG smtp session: client_name=unknown
2018-11-19 05:28:38 DEBUG smtp session: client_port=37608
2018-11-19 05:28:38 DEBUG smtp session: reverse_client_name=97-103-252-209.res.bhn.net
2018-11-19 05:28:38 DEBUG smtp session: helo_name=97-103-252-209.res.bhn.net
2018-11-19 05:28:38 DEBUG smtp session: sender=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient_count=0
2018-11-19 05:28:38 DEBUG smtp session: queue_id=
2018-11-19 05:28:38 DEBUG smtp session: instance=482a.5bf29056.2c87a.0
2018-11-19 05:28:38 DEBUG smtp session: size=0
2018-11-19 05:28:38 DEBUG smtp session: etrn_domain=
2018-11-19 05:28:38 DEBUG smtp session: stress=
2018-11-19 05:28:38 DEBUG smtp session: sasl_method=
2018-11-19 05:28:38 DEBUG smtp session: sasl_username=
2018-11-19 05:28:38 DEBUG smtp session: sasl_sender=
2018-11-19 05:28:38 DEBUG smtp session: ccert_subject=
2018-11-19 05:28:38 DEBUG smtp session: ccert_issuer=
2018-11-19 05:28:38 DEBUG smtp session: ccert_fingerprint=
2018-11-19 05:28:38 DEBUG smtp session: ccert_pubkey_fingerprint=
2018-11-19 05:28:38 DEBUG smtp session: encryption_protocol=
2018-11-19 05:28:38 DEBUG smtp session: encryption_cipher=
2018-11-19 05:28:38 DEBUG smtp session: encryption_keysize=0
2018-11-19 05:28:38 DEBUG smtp session: policy_context=
2018-11-19 05:28:38 DEBUG --> Apply plugin: reject_null_sender
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG --> Apply plugin: reject_sender_login_mismatch
2018-11-19 05:28:38 DEBUG Not an authenticated sender (no sasl_username).
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG --> Apply plugin: greylisting
2018-11-19 05:28:38 DEBUG [SQL] Query greylisting whitelists from `greylisting_whitelist_domain_spf`:
SELECT id, sender, comment
2018-11-19 05:28:38 DEBUG [SQL] Query greylisting whitelists from `greylisting_whitelist_domain_spf`:
SELECT id, sender, comment
                   FROM greylisting_whitelist_domain_spf
                  WHERE account IN ('smsmith@mydomain.com', '@mydomain.com', '@.', '@.mydomain.com', '@.com')
2018-11-19 05:28:38 DEBUG [97.103.252.209] No whitelist found.
2018-11-19 05:28:38 DEBUG [SQL] Query greylisting whitelists from `greylisting_whitelists`:
SELECT id, sender, comment
                   FROM greylisting_whitelists
                  WHERE account IN ('smsmith@mydomain.com', '@mydomain.com', '@.', '@.mydomain.com', '@.com')
2018-11-19 05:28:38 DEBUG [97.103.252.209] No whitelist found.
2018-11-19 05:28:38 DEBUG No whitelist found.
2018-11-19 05:28:38 DEBUG [SQL] query greylisting settings:
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('smsmith@mydomain.com', '@mydomain.com', '@.', '@.mydomain.com', '@.com')
              ORDER BY priority DESC, sender_priority DESC
2018-11-19 05:28:38 DEBUG [SQL] query result: [(2, '@.', '@.', 0, 0)]
2018-11-19 05:28:38 DEBUG Greylisting should NOT be applied according to SQL record: (id=2, account='@.', sender='@.')
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG --> Apply plugin: throttle
2018-11-19 05:28:38 DEBUG SKIP: Sender domain (@mydomain.com) is same as recipient domain.
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG --> Apply plugin: sql_alias_access_policy
2018-11-19 05:28:38 DEBUG [SQL] query access policy:
SELECT accesspolicy
               FROM alias
              WHERE address='smsmith@mydomain.com'
              LIMIT 1
2018-11-19 05:28:38 DEBUG SQL query result: None
2018-11-19 05:28:38 DEBUG [SQL] Check whether recipient domain is an alias domain:
SELECT target_domain
                   FROM alias_domain
                  WHERE alias_domain = 'mydomain.com'
                  LIMIT 1

2018-11-19 05:28:38 DEBUG [SQL] Query result: None
2018-11-19 05:28:38 DEBUG Recipient domain is not an alias domain.
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO Recipient is not a mail alias account or no access policy
2018-11-19 05:28:38 DEBUG --> Apply plugin: amavisd_wblist
2018-11-19 05:28:38 DEBUG SKIP: Sender is same as recipient.
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG Session ended.
2018-11-19 05:28:38 INFO [97.103.252.209] RCPT, smsmith@mydomain.com -> smsmith@mydomain.com, DUNNO [0.0303s]
2018-11-19 05:28:38 DEBUG smtp session: request=smtpd_access_policy
2018-11-19 05:28:38 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2018-11-19 05:28:38 DEBUG smtp session: protocol_name=ESMTP
2018-11-19 05:28:38 DEBUG smtp session: client_address=97.103.252.209
2018-11-19 05:28:38 DEBUG smtp session: client_name=unknown
2018-11-19 05:28:38 DEBUG smtp session: client_port=37608
2018-11-19 05:28:38 DEBUG smtp session: reverse_client_name=97-103-252-209.res.bhn.net
2018-11-19 05:28:38 DEBUG smtp session: helo_name=97-103-252-209.res.bhn.net
2018-11-19 05:28:38 DEBUG smtp session: sender=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: sender=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient_count=1
2018-11-19 05:28:38 DEBUG smtp session: queue_id=55F991F8032D
2018-11-19 05:28:38 DEBUG smtp session: instance=482a.5bf29056.2c87a.0
2018-11-19 05:28:38 DEBUG smtp session: size=3332
2018-11-19 05:28:38 DEBUG smtp session: etrn_domain=
2018-11-19 05:28:38 DEBUG smtp session: stress=
2018-11-19 05:28:38 DEBUG smtp session: sasl_method=
2018-11-19 05:28:38 DEBUG smtp session: sasl_username=
2018-11-19 05:28:38 DEBUG smtp session: sasl_sender=
2018-11-19 05:28:38 DEBUG smtp session: ccert_subject=
2018-11-19 05:28:38 DEBUG smtp session: ccert_issuer=
2018-11-19 05:28:38 DEBUG smtp session: ccert_fingerprint=
2018-11-19 05:28:38 DEBUG smtp session: ccert_pubkey_fingerprint=
2018-11-19 05:28:38 DEBUG smtp session: encryption_protocol=
2018-11-19 05:28:38 DEBUG smtp session: encryption_cipher=
2018-11-19 05:28:38 DEBUG smtp session: encryption_keysize=0
2018-11-19 05:28:38 DEBUG smtp session: policy_context=
2018-11-19 05:28:38 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2018-11-19 05:28:38 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
2018-11-19 05:28:38 DEBUG Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
2018-11-19 05:28:38 DEBUG --> Apply plugin: throttle
2018-11-19 05:28:38 DEBUG SKIP: Sender domain (@mydomain.com) is same as recipient domain.
2018-11-19 05:28:38 DEBUG <-- Result: DUNNO
2018-11-19 05:28:38 DEBUG Skip plugin: sql_alias_access_policy (protocol_state != END-OF-MESSAGE)
2018-11-19 05:28:38 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2018-11-19 05:28:38 DEBUG Session ended.
2018-11-19 05:28:38 INFO [97.103.252.209] END-OF-MESSAGE, smsmith@mydomain.com -> smsmith@mydomain.com, DUNNO [0.0023s]

11

Re: SPAM Question

I have a few doubts:

Luke6283 wrote:

2018-11-19 05:28:38 DEBUG smtp session: helo_name=97-103-252-209.res.bhn.net

With the file /etc/postfix/helo_access.pcre shipped in iRedMail, this client should be rejected because the HELO name contains an IP address (97-103-252-209).

Luke6283 wrote:

2018-11-19 05:28:38 DEBUG smtp session: sender=smsmith@mydomain.com
2018-11-19 05:28:38 DEBUG smtp session: recipient=smsmith@mydomain.com
...
2018-11-19 05:28:38 DEBUG smtp session: sasl_username=

If the sender (domain) is the same as the recipient (domain), SMTP authentication is required.
I did a quick test again with the latest iRedAPD-2.3; this email was rejected correctly.

Could you try to upgrade iRedAPD to the latest 2.3 and keep monitoring this issue (with debug mode turned on)?
Also, after upgrading to 2.3, please download this file and replace /opt/iredapd/plugins/reject_sender_login_mismatch.py, then restart the iredapd service:
https://bitbucket.org/zhb/iredapd/raw/b … ismatch.py

This file adds more logging messages for easier debugging.
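As an added example (written for this page, not iRedAPD's own plugin code), here is a minimal Postfix policy-delegation check that applies the two rules stated above to the session from the debug log: a HELO name embedding an IP address is rejected, and an envelope sender in one of our own domains is only accepted from a SASL-authenticated session or from mynetworks. It assumes mydomain.com as the hosted domain, 10.10.10.0/24 as a stand-in for the masked mynetworks entries, and its own HELO pattern rather than the contents of helo_access.pcre.

```python
import ipaddress
import re

# Constructed Postfix policy request, assembled from the attributes iRedAPD logged
# for the session in the post (key=value lines, terminated by an empty line).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=97.103.252.209\n"
    "client_name=unknown\n"
    "reverse_client_name=97-103-252-209.res.bhn.net\n"
    "helo_name=97-103-252-209.res.bhn.net\n"
    "sender=smsmith@mydomain.com\n"
    "recipient=smsmith@mydomain.com\n"
    "sasl_username=\n"
    "\n"
)

LOCAL_DOMAINS = {"mydomain.com"}
# 10.10.10.0/24 stands in for the masked mynetworks entries in the posted postconf (assumption).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.10.10.0/24")]
# HELO names that embed an IPv4 address, dotted or dash-separated (written here after
# the idea of iRedMail's helo_access.pcre, not copied from it).
HELO_WITH_IP = re.compile(r"(?<![\d.-])(\d{1,3}[.-]){3}\d{1,3}(?![\d])")

def parse_policy_request(data):
    """Parse one policy-delegation request into a dict; an empty line ends it."""
    attrs = {}
    for line in data.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def in_mynetworks(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MYNETWORKS)

def check_helo(attrs):
    """Reject clients whose HELO name is an IP-derived hostname (bot/residential signature)."""
    if HELO_WITH_IP.search(attrs.get("helo_name", "")):
        return "REJECT HELO name contains an IP address"
    return "DUNNO"

def check_sender_login_mismatch(attrs):
    """The rule stated in the thread: an envelope sender in one of our own domains is
    only legitimate from a SASL-authenticated session or from mynetworks. The
    logged session had neither, so this returns REJECT rather than the DUNNO seen."""
    domain = attrs.get("sender", "").lower().rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        return "DUNNO"  # not our domain: other checks (RBL, SPF, ...) decide
    if attrs.get("sasl_username") or in_mynetworks(attrs.get("client_address", "")):
        return "DUNNO"
    return "REJECT Sender is local but the session is not authenticated"

def policy_decision(data):
    """Run the checks like a plugin chain: the first non-DUNNO verdict wins."""
    attrs = parse_policy_request(data)
    for check in (check_helo, check_sender_login_mismatch):
        verdict = check(attrs)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"
```

For the logged session both checks independently return REJECT; the same request with sasl_username set, or with a client_address inside mynetworks, passes the sender check with DUNNO.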