1

Topic: POSTFIX - how to prevent own domain in the header of received emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? iRedAdmin
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi

I want to prevent outsiders sending email FROM "user1@example.com" TO "user1@example.com" - same user and domain name.

What should be added in the file - /etc/postfix/sender_access.pcre?

Mathew


2

Re: POSTFIX - how to prevent own domain in the header of received emails

mathewfer wrote:

I want to prevent outsiders sending email FROM "user1@example.com" TO "user1@example.com" - same user and domain name.

Is this address ("user1@example.com") in the "From:" header, or the sender address in the SMTP session? To check the sender address in the SMTP session, you must check the Postfix or iRedAPD log file to figure it out.

3

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

Thanks.

Just checked the log and it is exactly like this "From: <user1@example.com>".

So what should be added in the file - /etc/postfix/sender_access.pcre to stop these?

ZhangHuangbin wrote:
mathewfer wrote:

I want to prevent outsiders sending email FROM "user1@example.com" TO "user1@example.com" - same user and domain name.

Is this address ("user1@example.com") in the "From:" header, or the sender address in the SMTP session? To check the sender address in the SMTP session, you must check the Postfix or iRedAPD log file to figure it out.

Mathew

4

Re: POSTFIX - how to prevent own domain in the header of received emails

mathewfer wrote:

Just checked the log and it is exactly like this "From: <user1@example.com>".

Could you please show us the original postfix + iredapd log relevant to this email? I'd like to see the original log to understand the data.

5

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

Here is the capture with debug - extensive mail.log. Note that I changed the domain name (to example.com) and username (user1) and check the line - "(23269-05) 2822.From: <user1@example.com>,".

See the attached log file.

iRedmail MAIL server IP - 192.168.1.20
SOPHOS (Home edition - acting as MTA gateway) Firewall - IP - 192.168.1.8

Emails are received by SOPHOS and then forwarded to iRedmail.

Please let me know what you can find and how this mail server gets the email FROM "user1@example.com" TO "user1@example.com". I see the header is modified by the sender.



Mathew

ZhangHuangbin wrote:
mathewfer wrote:

Just checked the log and it is exactly like this "From: <user1@example.com>".

Could you please show us the original postfix + iredapd log relevant to this email? I'd like to see the original log to understand the data.


6

Re: POSTFIX - how to prevent own domain in the header of received emails

Sorry, could you please extract the relevant log and paste it here directly?
I'm lost in a big log file (with modified email addresses).

7

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

Sorry for the late reply.
I changed my name to "user1" and domain to "mydomain.com".

This header got marked as "SPAM" but sometimes it gets into the INBOX.

How can we set it up to discard this SPAM rather than sending it to the junk mail folder?

Please let me know what you find.

Return-Path: <yenoeoqz@hyi.com>
Delivered-To: user1@mydomain.com
Received: from mail.mydomain.com (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 44bjfk0l4xzSk1C
    for <user1@mydomain.com>; Sat, 6 Apr 2019 15:01:34 +1100 (AEDT)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: YES
X-Spam-Score: 7.923
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.923 tagged_above=2 required=6.2
    tests=[BITCOIN_SPAM_01=0.001, BITCOIN_SPAM_02=1.201,
    BITCOIN_SPAM_08=2.375, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
    HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635,
    HTML_SHRT_CMNT_OBFU_MANY=2.499, MALF_HTML_B64=0.001,
    MIME_BASE64_TEXT=0.001, MIME_HTML_ONLY=1.105, OBFU_BITCOIN=0.001,
    TO_IN_SUBJ=0.1, URIBL_BLOCKED=0.001, ZW_OBFU_BITCOIN=0.001]
    autolearn=no autolearn_force=no
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id RJEFCM76NULR for <user1@mydomain.com>;
    Sat, 6 Apr 2019 15:01:31 +1100 (AEDT)
Received: from hyi.com (_gateway [192.168.1.8])
    by mail.mydomain.com (Postfix) with SMTP id 44bjfZ1c45zSk0N
    for <user1@mydomain.com>; Sat, 6 Apr 2019 15:01:24 +1100 (AEDT)
Received: from mail.webhostings4u.com ([25.46.167.77]) by relay37.vosimerkam.net with QMQP; Fri, 05 Apr 2019 23:44:18 -0400
Received: from unknown (99.36.168.240)
    by mail.gimmicc.net with ASMTP; Fri, 05 Apr 2019 23:41:20 -0400
Received: from m1.gns.snv.thisdomainl.com [41.69.208.200] by relay-x.misswldrs.com with QMQP; Fri, 05 Apr 2019 23:28:59 -0400
Received: from unknown (188.30.77.137)
    by mx03.listsystemsf.net with LOCAL; Fri, 05 Apr 2019 23:21:00 -0400
Received: from unknown (HELO nntp.pinxodet.net) (Fri, 05 Apr 2019 23:05:55 -0400)
    by smtp18.yenddx.com with NNFMP; Fri, 05 Apr 2019 23:05:55 -0400
Message-ID: <ED152A4F.79125825@hyi.com>
Date: Fri, 05 Apr 2019 23:05:55 -0400
From: user1@mydomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.17) Gecko/20081018 Thunderbird/2.0.0.17
MIME-Version: 1.0
To: <user1@mydomain.com>
Subject: ***Spam*** user1@mydomain.com has been hacked, change your
    password ASAP
Content-Type: text/html;
    charset="us-ascii"
Content-Transfer-Encoding: base64


Mathew


ZhangHuangbin wrote:

Sorry, could you please extract the relevant log and paste it here directly?
I'm lost in a big log file (with modified email addresses).

8

Re: POSTFIX - how to prevent own domain in the header of received emails

mathewfer wrote:

How can we set it up to discard this SPAM rather than sending it to the junk mail folder?

*) There's a sieve rule in /var/vmail/sieve/dovecot.sieve; it moves detected spam to the Junk folder. You can change the action to discard it (WARNING: the email will be discarded and you cannot get it back).

*) With iRedAdmin-Pro, you can choose to quarantine spams to SQL database, and manage (release or delete) them with iRedAdmin-Pro. FYI: https://docs.iredmail.org/quarantining.html#screenshots

9

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

Thanks for the reply. I will check/consider the suggested two options.

Just got the same kind of email a while ago but it came straight to my INBOX. See the header and the log (/var/log/mail.log). I also tried to check with a header/body rule to stop these but it seems the syntax is not correct.

The question is that it sometimes goes to Junk folder but sometimes misses it and comes to INBOX.

Do you think one of the two options you suggested would help with this?

Return-Path: <neder@riopreto.net>
Delivered-To: user1@mydomain.com
Received: from mail.mydomain.com (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 44cCXV4JwdzSjyw
    for <user1@mydomain.com>; Sun, 7 Apr 2019 09:27:54 +1000 (AEST)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 5.298
X-Spam-Level: *****
X-Spam-Status: No, score=5.298 tagged_above=2 required=6.2
    tests=[ALL_TRUSTED=-1, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
    HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001,
    LIST_PARTIAL_SHORT_MSG=2.499, LOCALPART_IN_SUBJECT=0.73,
    MIME_HTML_MOSTLY=0.001, MPART_ALT_DIFF=0.724,
    TO_NO_BRKTS_HTML_IMG=1.999, TVD_SPACE_RATIO=0.001]
    autolearn=no autolearn_force=no
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id EExNB1dZyP1b for <user1@mydomain.com>;
    Sun, 7 Apr 2019 09:27:53 +1000 (AEST)
Received: from canela.sacola.com.br (_gateway [192.168.1.8])
    by mail.mydomain.com (Postfix) with ESMTPS id 44cCXR0KzvzSjyV
    for <user1@mydomain.com>; Sun, 7 Apr 2019 09:27:50 +1000 (AEST)
Received: from 177-73-8-22.hipernet.inf.br ([177.73.8.22]:57677 helo=[177-73-8-22.hipernet.inf.br])
    by canela.sacola.com.br with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256)
    (Exim 4.91)
    (envelope-from <neder@riopreto.net>)
    id 1hCQJZ-0002qd-RG
    for user1@mydomain.com; Fri, 05 Apr 2019 11:59:45 -0300
Date: Fri, 5 Apr 2019 16:59:30 +0200
Message-ID:
    <fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>
Feedback-ID: 050468 caek upu a List(05680):8303789:xcakuq
From: <user1@mydomain.com>
Subject: user1
X-Complaints-To: abuse@mailer.riopreto.net
Errors-To: no-reply@riopreto.net
Content-Type: multipart/related;
    boundary="irojfwweg-523511A2"
MIME-Version: 1.0
To: user1@mydomain.com
X-Sender: <neder@riopreto.net>
X-Abuse-Reports-To: abuse@mail.riopreto.net
List-Unsubscribe:
    <https://riopreto.net/unsubscribe/es/280 … 2398391067>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - canela.sacola.com.br
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - riopreto.net
X-Get-Message-Sender-Via: canela.sacola.com.br: authenticated_id: neder@riopreto.net
X-Authenticated-Sender: canela.sacola.com.br: neder@riopreto.net
X-Source:
X-Source-Args:
X-Source-Dir:
Message Body


Apr  7 09:27:42 smtp postfix/postscreen[23885]: CONNECT from [192.168.1.8]:50062 to [192.168.1.20]:25
Apr  7 09:27:42 smtp postfix/postscreen[23885]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=1 dropped=0 entries
Apr  7 09:27:48 smtp postfix/postscreen[23885]: PASS OLD [192.168.1.8]:50062
Apr  7 09:27:48 smtp postfix/smtpd[23888]: connect from _gateway[192.168.1.8]
Apr  7 09:27:49 smtp postfix/smtpd[23888]: Anonymous TLS connection established from _gateway[192.168.1.8]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  7 09:27:51 smtp postfix/cleanup[23896]: warning: pcre map /etc/postfix/header_checks, line 16: out of range replacement index "2": skipping this rule
Apr  7 09:27:51 smtp postfix/cleanup[23896]: warning: pcre map /etc/postfix/body_checks.pcre, line 1: out of range replacement index "2": skipping this rule
Apr  7 09:27:51 smtp postfix/smtpd[23888]: 44cCXR0KzvzSjyV: client=_gateway[192.168.1.8]
Apr  7 09:27:51 smtp postfix/cleanup[23896]: 44cCXR0KzvzSjyV: message-id=<fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>
Apr  7 09:27:53 smtp postfix/qmgr[23605]: 44cCXR0KzvzSjyV: from=<neder@riopreto.net>, size=267538, nrcpt=1 (queue active)
Apr  7 09:27:53 smtp postfix/smtpd[23888]: disconnect from _gateway[192.168.1.8] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr  7 09:27:54 smtp postfix/10025/smtpd[23904]: connect from localhost[127.0.0.1]
Apr  7 09:27:54 smtp postfix/10025/smtpd[23904]: 44cCXV4JwdzSjyw: client=localhost[127.0.0.1]
Apr  7 09:27:54 smtp postfix/cleanup[23896]: 44cCXV4JwdzSjyw: message-id=<fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>
Apr  7 09:27:54 smtp postfix/qmgr[23605]: 44cCXV4JwdzSjyw: from=<neder@riopreto.net>, size=268444, nrcpt=1 (queue active)
Apr  7 09:27:54 smtp postfix/10025/smtpd[23904]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  7 09:27:54 smtp amavis[20019]: (20019-02) Passed CLEAN {RelayedInbound}, [192.168.1.8]:50062 [177.73.8.22] <neder@riopreto.net> -> <user2@mydomain.com>, Queue-ID: 44cCXR0KzvzSjyV, Message-ID: <fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>, mail_id: EExNB1dZyP1b, Hits: 5.298, size: 267538, queued_as: 44cCXV4JwdzSjyw, 1549 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LIST_PARTIAL_SHORT_MSG=2.499,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=1.999,TVD_SPACE_RATIO=0.001]
Apr  7 09:27:54 smtp postfix/amavis/smtp[23901]: 44cCXR0KzvzSjyV: to=<user2@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=2.8/0.02/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 44cCXV4JwdzSjyw)
Apr  7 09:27:54 smtp postfix/qmgr[23605]: 44cCXR0KzvzSjyV: removed
Apr  7 09:27:54 smtp postfix/pipe[23905]: 44cCXV4JwdzSjyw: to=<user2@mydomain.com>, relay=dovecot, delay=0.15, delays=0.02/0.04/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service (doveconf: Warning: SSLv2 not supported by OpenSSL. Please consider removing it from ssl_protocols.))
Apr  7 09:27:54 smtp postfix/qmgr[23605]: 44cCXV4JwdzSjyw: removed


Mathew


ZhangHuangbin wrote:
mathewfer wrote:

How can we set it up to discard this SPAM rather than sending it to the junk mail folder?

*) There's a sieve rule in /var/vmail/sieve/dovecot.sieve; it moves detected spam to the Junk folder. You can change the action to discard it (WARNING: the email will be discarded and you cannot get it back).

*) With iRedAdmin-Pro, you can choose to quarantine spams to SQL database, and manage (release or delete) them with iRedAdmin-Pro. FYI: https://docs.iredmail.org/quarantining.html#screenshots

10

Re: POSTFIX - how to prevent own domain in the header of received emails

mathewfer wrote:

Do you think one of the two options you suggested would help with this?

No. It only works for detected spam. You need some content filter, a.k.a. milter program, to check mail header/body content.

mathewfer wrote:

X-Spam-Status: No, score=5.298 tagged_above=2 required=6.2
    tests=[ALL_TRUSTED=-1, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
    HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001,
    LIST_PARTIAL_SHORT_MSG=2.499, LOCALPART_IN_SUBJECT=0.73,
    MIME_HTML_MOSTLY=0.001, MPART_ALT_DIFF=0.724,
    TO_NO_BRKTS_HTML_IMG=1.999, TVD_SPACE_RATIO=0.001]

As you can see, there are a few SpamAssassin rules that can be used to help detect this spam:

- ALL_TRUSTED=-1. Try to decrease this value to -0.001 if you don't need this rule, but do not set it to 0, because it's a switch to some other rules.
- HEADER_FROM_DIFFERENT_DOMAINS
- HTML_IMAGE_ONLY_04
- LOCALPART_IN_SUBJECT
- TO_NO_BRKTS_HTML_IMG

Slightly increasing the score of one, some, or all of them will help catch the spam.

11

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

Thanks again,

Can I please know where we set these configuration parameters (below)?

I checked the files in the folder "/etc/spamassassin" and also checked the file "local.cf" in this folder, but I cannot find where to modify them.


- ALL_TRUSTED=-1. Try to decrease this value to -0.001 if you don't need this rule, but do not set it to 0, because it's a switch to some other rules.
- HEADER_FROM_DIFFERENT_DOMAINS
- HTML_IMAGE_ONLY_04
- LOCALPART_IN_SUBJECT
- TO_NO_BRKTS_HTML_IMG

Mathew

12

Re: POSTFIX - how to prevent own domain in the header of received emails

You can adjust spamassassin rule score in file /etc/mail/spamassassin/local.cf like this:

score LOCALPART_IN_SUBJECT 0.1

13

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

I have spent a lot of time trying to stop spam on this new iRedMail install, but I could not reduce it.

I tested by redirecting to my domain provider "GoDaddy" with a higher MX priority and then retrieving email with "fetchmail" (I have only one GoDaddy mail account - fetchmail envelope X-Envelope-To feature) at a 3 min interval.
That cut down the spam as expected. This shows iRedMail does not handle spam out of the box or allow an easy way to add/update rules. I am not sure iRedmailPro goes to that depth to reduce spam.

Can I please know whether iRedMail 0.9.9 comes with a spamassassin cPanel to add rules?
If it is not installed by default, is there an iRedMail blog post on how to set it up?

Please let me know about spamassassin cPanel.

Mathew



ZhangHuangbin wrote:

You can adjust spamassassin rule score in file /etc/mail/spamassassin/local.cf like this:

score LOCALPART_IN_SUBJECT 0.1

14

Re: POSTFIX - how to prevent own domain in the header of received emails

iRedMail has SpamAssassin enabled by default, and you already saw it's working:

Apr  7 09:27:54 smtp amavis[20019]: (20019-02) Passed CLEAN {RelayedInbound}, [192.168.1.8]:50062 [177.73.8.22] <neder@riopreto.net> -> <user2@mydomain.com>, Queue-ID: 44cCXR0KzvzSjyV, Message-ID: <fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>, mail_id: EExNB1dZyP1b, Hits: 5.298, size: 267538, queued_as: 44cCXV4JwdzSjyw, 1549 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LIST_PARTIAL_SHORT_MSG=2.499,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=1.999,TVD_SPACE_RATIO=0.001]

The spam every server receives is different; you may need to tune the spam scores yourself after analyzing the log.

15

Re: POSTFIX - how to prevent own domain in the header of received emails

Hi Zhang,

I am coming back again to see whether you can help me with the 3 questions below, as I could not get anything to reduce incoming spam:

1. How to increase the SPAM score to higher value than the current value?
2. An example of a SpamAssassin rule to filter email based on a given keyword in an email body and/or subject
3. In which configuration file should we make the above 2 changes? Is it in "/etc/mail/spamassassin/local.cf"?

Believe you can help us with the above 3 answers.

Regards,

Mathew

ZhangHuangbin wrote:

iRedMail has SpamAssassin enabled by default, and you already saw it's working:

Apr  7 09:27:54 smtp amavis[20019]: (20019-02) Passed CLEAN {RelayedInbound}, [192.168.1.8]:50062 [177.73.8.22] <neder@riopreto.net> -> <user2@mydomain.com>, Queue-ID: 44cCXR0KzvzSjyV, Message-ID: <fhm6sz5qxapewcysor62grixt.jmq84bxig2.51492054873603.n4qmhqlo1g.r4wulllq@mail491.ifs94.riopreto.net>, mail_id: EExNB1dZyP1b, Hits: 5.298, size: 267538, queued_as: 44cCXV4JwdzSjyw, 1549 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LIST_PARTIAL_SHORT_MSG=2.499,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=1.999,TVD_SPACE_RATIO=0.001]

The spam every server receives is different; you may need to tune the spam scores yourself after analyzing the log.

16

Re: POSTFIX - how to prevent own domain in the header of received emails

mathewfer wrote:

3. In which configuration file should we make the above 2 changes? Is it in "/etc/mail/spamassassin/local.cf"?

Yes.

mathewfer wrote:

1. How to increase the SPAM score to higher value than the current value?

Easy:

score <RULE-NAME-HERE> 1.0

Replace "<RULE-NAME-HERE>" with the real rule name, for example HEADER_FROM_DIFFERENT_DOMAINS or HTML_IMAGE_ONLY_04.
Also replace the score "1.0" with the score you prefer.

mathewfer wrote:

2. An example of a SpamAssassin rule to filter email based on a given keyword in an email body and/or subject

FYI: https://wiki.apache.org/spamassassin/WritingRules
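As an added example (not code from this thread or from iRedMail), the Python script below replays the two X-Spam-Status headers posted earlier in the thread under a constructed local.cf fragment: the score overrides suggested in post 10 plus a Subject keyword rule of the kind asked for in question 2. The rule name LOCAL_SUBJ_HACKED, its regex and all score values are my own choices, and the header sets are built from the headers shown in posts 7 and 9.

```python
import re

# Constructed local.cf fragment (assumption: LOCAL_SUBJ_HACKED is my own rule;
# the 'score' lines re-weight rules that fired in the thread's X-Spam-Status).
LOCAL_CF = """
score    ALL_TRUSTED                    -0.001
score    HEADER_FROM_DIFFERENT_DOMAINS   1.5
header   LOCAL_SUBJ_HACKED  Subject =~ /hacked|change your password/i
describe LOCAL_SUBJ_HACKED  Subject uses an account-compromise scare
score    LOCAL_SUBJ_HACKED  3.0
"""
REQUIRED = 6.2  # required=6.2 in both X-Spam-Status headers in the thread

# Minimal header sets built from the two messages posted in the thread.
MSG_INBOX = {  # post 9: not flagged, score 5.298
    "Subject": "user1",
    "X-Spam-Status": "No, score=5.298 tagged_above=2 required=6.2 "
    "tests=[ALL_TRUSTED=-1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, "
    "HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001, LIST_PARTIAL_SHORT_MSG=2.499, "
    "LOCALPART_IN_SUBJECT=0.73, MIME_HTML_MOSTLY=0.001, MPART_ALT_DIFF=0.724, "
    "TO_NO_BRKTS_HTML_IMG=1.999, TVD_SPACE_RATIO=0.001] autolearn=no",
}
MSG_JUNK = {  # post 7: flagged, score 7.923
    "Subject": "user1@mydomain.com has been hacked, change your password ASAP",
    "X-Spam-Status": "Yes, score=7.923 tagged_above=2 required=6.2 "
    "tests=[BITCOIN_SPAM_01=0.001, BITCOIN_SPAM_02=1.201, BITCOIN_SPAM_08=2.375, "
    "HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635, "
    "HTML_SHRT_CMNT_OBFU_MANY=2.499, MALF_HTML_B64=0.001, MIME_BASE64_TEXT=0.001, "
    "MIME_HTML_ONLY=1.105, OBFU_BITCOIN=0.001, TO_IN_SUBJ=0.1, URIBL_BLOCKED=0.001, "
    "ZW_OBFU_BITCOIN=0.001] autolearn=no",
}

def parse_local_cf(text):
    """Return ({rule: score}, [(rule, header, regex)]) from 'score'/'header' lines."""
    scores, header_rules = {}, []
    for line in text.splitlines():
        if m := re.match(r"score\s+(\S+)\s+(-?[\d.]+)\s*$", line.strip()):
            scores[m.group(1)] = float(m.group(2))
        elif m := re.match(r"header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(\w*)\s*$", line.strip()):
            flags = re.I if "i" in m.group(4) else 0
            header_rules.append((m.group(1), m.group(2), re.compile(m.group(3), flags)))
    return scores, header_rules

def parse_spam_status(value):
    """Extract {rule: score} from the tests=[...] list that amavisd/SpamAssassin wrote."""
    inner = re.search(r"tests=\[(.*?)\]", value).group(1)
    return {k: float(v) for k, v in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", inner)}

def rescore(headers, local_cf=LOCAL_CF):
    """Replay the message's rule hits under local_cf; return (new_score, is_spam)."""
    scores, header_rules = parse_local_cf(local_cf)
    hits = parse_spam_status(headers["X-Spam-Status"])
    for rule, hdr, rx in header_rules:          # our own header rules
        if rx.search(headers.get(hdr, "")):
            hits[rule] = scores.get(rule, 1.0)  # SpamAssassin default score is 1.0
    for rule in list(hits):                     # 'score' overrides for stock rules
        hits[rule] = scores.get(rule, hits[rule])
    total = round(sum(hits.values()), 3)
    return total, total >= REQUIRED
```

With the fragment above, the post 9 message that reached the INBOX at 5.298 re-scores to 7.796 and would be tagged, which is the effect of the ALL_TRUSTED and HEADER_FROM_DIFFERENT_DOMAINS changes alone.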