Re: How to make Postfix filter spam for entries in virtual?

2018-09-17 Thread Noel Jones
It appears postfix is operating properly; this is either an amavis
problem or a dovecot/sieve problem.  Those products have their own
support lists.


  -- Noel Jones




On 9/17/2018 10:33 AM, Miguel Almeida wrote:
> Thanks for the reply.
> 
> It seems that I might have something wrong in my amavis/spamassassin
> configuration, but the following log might show something obvious to
> a more experienced user - can you help?
> 
> Here is a log for a spam message that arrived:
> 
> Sep 17 16:07:15 mailserver postfix/smtpd[9970]: connect from
> localhost[127.0.0.1]
> Sep 17 16:07:15 mailserver postfix/smtpd[9970]: 920C9507539:
> client=localhost[127.0.0.1]
> Sep 17 16:07:15 mailserver postfix/cleanup[9965]: 920C9507539:
> message-id=<20180917150656.664ef152...@vps10593.com>
> Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 920C9507539:
> from=<mowu...@wvtmo.net>, size=1806,
> nrcpt=3 (queue active)
> Sep 17 16:07:15 mailserver amavis[9250]: (09250-06) Passed SPAM
> {RelayedOpenRelay,Quarantined}, [180.125.253.237]:22311
> [208.62.237.18] <mowu...@wvtmo.net> ->
> <i...@bbv.com>, quarantine:
> l/spam-lIL6tWw0gz1s.gz, Queue-ID: 910D6507538, Message-ID:
> <20180917150656.664ef152...@vps10593.com>, mail_id:
> lIL6tWw0gz1s, Hits: 15.778, size: 1320, queued_as: 920C9507539, 2695 ms
> Sep 17 16:07:15 mailserver postfix/smtpd[9970]: disconnect from
> localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
> Sep 17 16:07:15 mailserver postfix/smtp[9966]: 910D6507538:
> to=<i...@bbv.com>,
> relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=1.9/0.01/0/2.7,
> dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025):
> 250 2.0.0 Ok: queued as 920C9507539)
> Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 910D6507538: removed
> Sep 17 16:07:16 mailserver dovecot: lda(admit): sieve:
> msgid=<20180917150656.664ef152...@vps10593.com>: stored mail into
> mailbox 'INBOX'
> Sep 17 16:07:16 mailserver dovecot: lda(mma): sieve:
> msgid=<20180917150656.664ef152...@vps10593.com>: stored mail into
> mailbox 'INBOX'
> Sep 17 16:07:16 mailserver postfix/local[9971]: 920C9507539:
> to=<ad...@itc.com>, orig_to= >, relay=local, delay=1.3,
> delays=0.17/0.02/0/1.1, dsn=2.0.0, status=sent (delivered to
> command: /usr/lib/dovecot/deliver)
> Sep 17 16:07:16 mailserver postfix/local[9972]: 920C9507539:
> to=<m...@itc.com>, orig_to= >, relay=local, delay=1.3,
> delays=0.17/0.04/0/1.1, dsn=2.0.0, status=sent (delivered to
> command: /usr/lib/dovecot/deliver)
> 
> It looks like it is being marked as quarantine, but going to the
> inbox nonetheless?
> 
> My */etc/amavis/conf.d/20-debian_defaults:*
> 
> $QUARANTINEDIR = "$MYHOME/virusmails";
> $quarantine_subdir_levels = 1; # enable quarantine dir hashing
> 
> $log_recip_templ = undef;    # disable by-recipient level-0 log entries
> $DO_SYSLOG = 1;  # log via syslogd (preferred)
> $syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
> $syslog_facility = 'mail';
> $syslog_priority = 'debug';  # switch to info to drop debug output, etc
> 
> $enable_db = 1;  # enable use of BerkeleyDB/libdb (SNMP and nanny)
> $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
> 
> $inet_socket_port = 10024;   # default listening socket
> 
> #$sa_spam_subject_tag = '***SPAM*** ';
> $sa_tag_level_deflt  = -20;  # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 5; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
> (...)
> $final_virus_destiny  = D_DISCARD;  # (data not lost, see virus quarantine)
> $final_banned_destiny = D_BOUNCE;   # D_REJECT when front-end MTA
> $final_spam_destiny   = D_PASS;
> $final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
> 
> And the header of this email:
> 
> Return-Path: <mowu...@wvtmo.net>
> X-Original-To: i...@bbv.com
> Delivered-To: ad...@itc.com
> Received: from localhost (localhost [127.0.0.1])
>   by mailserver.itc.com (Postfix) with ESMTP id 920C9507539
>   for <i...@bbv.com>; Mon, 17 Sep 2018 16:07:15 +0100 (WEST)
> X-Virus-Scanned: Debian amavisd-new at itclinical.com
> 
> 
> Which is different from other emails received (I configured amavis to always 
> add the X-Spam flags):
> 
> X-Virus-Scanned: Debian amavisd-new at itc.com 
> X-Spam-Flag: NO
> X-Spam-Score: 2.441
> X-Spam-Level: **
> X-Spam-Status: No, score=2.441 tagged_above=-20 required=5
>   

Re: How to make Postfix filter spam for entries in virtual?

2018-09-17 Thread Miguel Almeida
Thanks for the reply.

It seems that I might have something wrong in my amavis/spamassassin
configuration, but the following log might show something obvious to a more
experienced user - can you help?

Here is a log for a spam message that arrived:

Sep 17 16:07:15 mailserver postfix/smtpd[9970]: connect from
localhost[127.0.0.1]
Sep 17 16:07:15 mailserver postfix/smtpd[9970]: 920C9507539:
client=localhost[127.0.0.1]
Sep 17 16:07:15 mailserver postfix/cleanup[9965]: 920C9507539: message-id=<
20180917150656.664ef152...@vps10593.com>
Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 920C9507539: from=<
mowu...@wvtmo.net>, size=1806, nrcpt=3 (queue active)
Sep 17 16:07:15 mailserver amavis[9250]: (09250-06) Passed SPAM
{RelayedOpenRelay,Quarantined}, [180.125.253.237]:22311 [208.62.237.18] <
mowu...@wvtmo.net> -> , quarantine: l/spam-lIL6tWw0gz1s.gz,
Queue-ID: 910D6507538, Message-ID: <20180917150656.664ef152...@vps10593.com>,
mail_id: lIL6tWw0gz1s, Hits: 15.778, size: 1320, queued_as: 920C9507539,
2695 ms
Sep 17 16:07:15 mailserver postfix/smtpd[9970]: disconnect from
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 17 16:07:15 mailserver postfix/smtp[9966]: 910D6507538: to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=1.9/0.01/0/2.7,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 920C9507539)
Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 910D6507538: removed
Sep 17 16:07:16 mailserver dovecot: lda(admit): sieve: msgid=<
20180917150656.664ef152...@vps10593.com>: stored mail into mailbox 'INBOX'
Sep 17 16:07:16 mailserver dovecot: lda(mma): sieve: msgid=<
20180917150656.664ef152...@vps10593.com>: stored mail into mailbox 'INBOX'
Sep 17 16:07:16 mailserver postfix/local[9971]: 920C9507539: to=<
ad...@itc.com>, orig_to=, relay=local, delay=1.3,
delays=0.17/0.02/0/1.1, dsn=2.0.0, status=sent (delivered to command:
/usr/lib/dovecot/deliver)
Sep 17 16:07:16 mailserver postfix/local[9972]: 920C9507539: to=,
orig_to=, relay=local, delay=1.3, delays=0.17/0.04/0/1.1,
dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)

It looks like it is being marked as quarantine, but going to the inbox
nonetheless?

My */etc/amavis/conf.d/20-debian_defaults:*

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;  # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;  # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

#$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -20;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
(...)
$final_virus_destiny  = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny   = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)

And the header of this email:

Return-Path: 
X-Original-To: i...@bbv.com
Delivered-To: ad...@itc.com
Received: from localhost (localhost [127.0.0.1])
by mailserver.itc.com (Postfix) with ESMTP id 920C9507539
for ; Mon, 17 Sep 2018 16:07:15 +0100 (WEST)
X-Virus-Scanned: Debian amavisd-new at itclinical.com


Which is different from other emails received (I configured amavis to
always add the X-Spam flags):

X-Virus-Scanned: Debian amavisd-new at itc.com
X-Spam-Flag: NO
X-Spam-Score: 2.441
X-Spam-Level: **
X-Spam-Status: No, score=2.441 tagged_above=-20 required=5
tests=[FROM_EXCESS_BASE64=0.105, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
HTML_IMAGE_ONLY_24=1.282, HTML_IMAGE_RATIO_02=0.805,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001] autolearn=no autolearn_force=no


On Mon, Sep 17, 2018 at 4:16 PM Noel Jones  wrote:

> On 9/17/2018 5:44 AM, Miguel Almeida wrote:
> > My postfix installation is working correctly (delivery via dovecot,
> > spam filtering via amavis - spamassassin).
> >
> > I have some aliases in virtual, eg:
> >
> > |i...@mydomain.com  johnDoe |
> >
> > However, for the emails that match an entry in virtual, amavis is
> > not filtering for spam (resulting in lots of spam reaching my inbox).
> >
> > How can the configuration be changed so that the emails that match
> > virtual entries are also filtered for spam?
> >
> > You can find my main.cf  file here
> > 

Re: How to make Postfix filter spam for entries in virtual?

2018-09-17 Thread Noel Jones
On 9/17/2018 5:44 AM, Miguel Almeida wrote:
> My postfix installation is working correctly (delivery via dovecot,
> spam filtering via amavis - spamassassin).
> 
> I have some aliases in virtual, eg:
> 
> |i...@mydomain.com  johnDoe |
> 
> However, for the emails that match an entry in virtual, amavis is
> not filtering for spam (resulting in lots of spam reaching my inbox).
> 
> How can the configuration be changed so that the emails that match
> virtual entries are also filtered for spam?
> 
> You can find my main.cf  file here
> .
> 
> 
> Thank you in advance for your help!
> 
> 
> Miguel
> 

That sounds unusual.  For general debugging hints, please see
http://www.postfix.org/DEBUG_README.html

For further help from the list, please see:
http://www.postfix.org/DEBUG_README.html#mail

In your description of the problem, please be sure to include
"postconf -n" output.  It would also be helpful to include log
entries showing the problem (NOT debug logs).



  -- Noel Jones


Re: best practice anti virus integration & custom reject messages

2018-09-17 Thread Wietse Venema
Stefan Bauer:
> Hi,
> 
> I like the clean and easy milter way and having clamd this way integrated
> in postfix. But I cannot use a custom reject message in case clamd detects
> virus.
> 
> postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
> (...): 5.7.1 Command rejected; from= to= proto=ESMTP
> helo=
>
> This message lacks basic information - virus detected.

That is because the Milter did not provide a reason in the
response to Postfix. The milter could be changed to provide a reason:
see discussion below.

>  smtp_delivery_status_filters seems to not work in this case. Right?

As documented that is applicable for SENDING, not RECEIVING email.

> Pulling in amavis as well might give option to have custom reject
> messages, but I do not like to have an additional service in the
> chain.

Postfix has no 'milter reply filter' feature and it is unlikely to
happen.

To solve this problem you'd pass the Milter response through another
program, or you would use a virus detector that produces more
informative responses.

The Milter replies with code SMFIR_REJECT, which supports no
indication why mail is rejected:

  * SMFIR_REJECT
    In response to a RCPT command, indicates that the recipient
    should be rejected with a permanent error. In any other context
    this indicates that the entire message should be rejected with
    a permanent error and that no further milter commands or responses
    will be exchanged.

The Milter could be improved by sending SMFIR_REPLYCODE instead,
which allows the Milter to provide the complete SMTP server response
to Postfix, including SMTP code and text.
 
  * SMFIR_REPLYCODE
    In response to a RCPT command, indicates that the recipient
    should be rejected with the specified error. In any other context
    this indicates that the entire message should be rejected with
    the specified error and that no further milter commands or
    responses will be exchanged.

Below is the code that handles the Milter response.

Wietse

    case SMFIR_REJECT:
        if (data_size != 0)
            break;
        if (IN_CONNECT_EVENT(event)) {
#ifdef LIBMILTER_AUTO_DISCONNECT
            milter8_close_stream(milter);
#endif
            milter->state = MILTER8_STAT_REJECT_CON;
            MILTER8_EVENT_BREAK(milter8_def_reply(milter,
                                    "550 5.7.1 Command rejected"));
        } else {
            MILTER8_EVENT_BREAK("550 5.7.1 Command rejected");
        }
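
The difference between the two replies on the wire, as an added example that is not part of the original message or of the Postfix source: a milter reply packet is a 4-byte big-endian length, a command byte and an optional payload, and only SMFIR_REPLYCODE has room for a reason. The function names, the sanity checks in mta_reply_for() and the "Virus detected" text are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMFIR_REJECT    'r'   /* reply command with no payload */
#define SMFIR_REPLYCODE 'y'   /* payload: NUL-terminated SMTP reply line */
/* Milter packet: 4-byte big-endian length (command byte + payload), the
 * command byte, the payload. Returns packet size, 0 if `out` is too small. */
size_t milter_encode(char cmd, const void *data, size_t dlen,
                     unsigned char *out, size_t cap)
{
    uint32_t len = (uint32_t)dlen + 1;
    if (cap < 4 || cap - 4 < len) return 0;
    out[0] = len >> 24; out[1] = len >> 16; out[2] = len >> 8; out[3] = len;
    out[4] = (unsigned char)cmd;
    if (dlen) memcpy(out + 5, data, dlen);
    return 4 + (size_t)len;
}

/* MTA side: packet -> SMTP reply text. Returns 0, or -1 if malformed. */
int mta_reply_for(const unsigned char *pkt, size_t n, char *reply, size_t cap)
{
    if (n < 5) return -1;
    uint32_t len = (uint32_t)pkt[0] << 24 | (uint32_t)pkt[1] << 16 |
                   (uint32_t)pkt[2] << 8 | pkt[3];
    if (len != n - 4) return -1;
    const char *d = (const char *)pkt + 5;
    size_t dlen = len - 1;
    if (pkt[4] == SMFIR_REJECT && dlen == 0) {  /* no data: fixed text only */
        snprintf(reply, cap, "550 5.7.1 Command rejected");
        return 0;
    }
    if (pkt[4] == SMFIR_REPLYCODE && dlen >= 5 && d[dlen - 1] == '\0' &&
        (d[0] == '4' || d[0] == '5') && d[3] == ' ') {  /* example's checks */
        snprintf(reply, cap, "%s", d);  /* milter-supplied code and text */
        return 0;
    }
    return -1;
}

int main(void)
{
    unsigned char pkt[64]; char r[64];
    const char why[] = "550 5.7.1 Virus detected";  /* constructed text */
    size_t n = milter_encode(SMFIR_REJECT, NULL, 0, pkt, sizeof pkt);
    if (mta_reply_for(pkt, n, r, sizeof r) == 0) puts(r);
    n = milter_encode(SMFIR_REPLYCODE, why, sizeof why, pkt, sizeof pkt);
    if (mta_reply_for(pkt, n, r, sizeof r) == 0) puts(r);
    return 0;
}
```

A filter built on libmilter gets the second form by calling smfi_setreply() before returning SMFIS_REJECT.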



Re: reject_unverified_recipient and /ect/aliases delay/issue

2018-09-17 Thread Wietse Venema
Wietse:
> Perhaps use the configurable features to control caching of 'negative'
> results:
>
> address_verify_negative_cache = yes
> address_verify_negative_expire_time = 3d
> address_verify_negative_refresh_time = 3h
>
> The 'negative' results are cached to avoid overloading the server
> with address verify messages.
>
> I guess that some people can wait for 5 minutes until the negative
> cache result has expired?

Stefan Bauer:
> 5 Minutes are no problem. The default values indicate 3 hours right?

Indeed. It's a trade-off between safety and instant gratification.

Wietse


How to make Postfix filter spam for entries in virtual?

2018-09-17 Thread Miguel Almeida
My postfix installation is working correctly (delivery via dovecot, spam
filtering via amavis - spamassassin).

I have some aliases in virtual, eg:

i...@mydomain.com    johnDoe

However, for the emails that match an entry in virtual, amavis is not
filtering for spam (resulting in lots of spam reaching my inbox).

How can the configuration be changed so that the emails that match virtual
entries are also filtered for spam?

You can find my main.cf file here
.


Thank you in advance for your help!


Miguel


Re: reject_unverified_recipient and /ect/aliases delay/issue

2018-09-17 Thread Stefan Bauer
5 Minutes are no problem. The default values indicate 3 hours right?

   *address_verify_negative_refresh_time (3h)*
  The time after which a failed address verification probe needs
  to be refreshed.


On Fri, 14 Sep 2018 at 20:25, Wietse Venema <wie...@porcupine.org> wrote:

> Stefan Bauer:
> > On Friday, 14 September 2018, Wietse Venema wrote:
> > > Stefan Bauer:
> > >> verify_cache.db seems to get corrupted or at least not updated properly as
> > >> new/updated entries do not get correctly verified and postfix logs:
> > >>
> > >> close database /var/lib/postfix/verify_cache.db: No such file or directory
> > >> > (possible Berkeley DB bug
> > >
> > > That is logged after 'postfix reload', and until now has not been
> > > a problem.  The warning is logged just to be sure, because people
> > > keep improving Berkeley DB.
> > >
> > >> only a postfix stop, rm verify_cache* , postfix start helps.
> > >
> > > That is complete and utter overkill.
> >
> > so what else is recommended to update the db to have recent data?
>
> Perhaps use the configurable features to control caching of 'negative'
> results:
>
> address_verify_negative_cache = yes
> address_verify_negative_expire_time = 3d
> address_verify_negative_refresh_time = 3h
>
> The 'negative' results are cached to avoid overloading the server
> with address verify messages.
>
> I guess that some people can wait for 5 minutes until the negative
> cache result has expired?
>
> Wietse
>