RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards
>the domain you're using now has quarantine policy :)

It sure does, but I don’t have a problem with outgoing e-mail, only incoming,
unless I’m not understanding what you are saying.

> That's correct, if you're using only opendmarc just the inet:127.0.0.1:54321
> is needed, that's all you need. Are you sure it is adding sigs on sending?
> Send an email to check-a...@verifier.port25.com
> wait a minute, then check its results email.

If opendmarc requires dkim signature verification before it makes a decision, I 
will need something that checks dkim first, right? I did send an e-mail to the 
e-mail address you suggested and everything looks good:

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==
Summary of Results
==
SPF check:      pass
"iprev" check:  pass
DKIM check:     pass


RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards


> to be more precise: OpenDMARC running as milter only sees output from
> milters applied before it.
>
> Milter is run pre-queue and content_filter is run after queue, so opendmarc
> does not see what amavis produced, because it was added later.
>
> If you used amavisd-milter at SMTP port, opendmarc could see its output.
>
> I run amavisd-milter at SMTP port, so it can reject spam/viruses
> immediately and amavis as content-filter by default (local and trusted
> submission).

So it looks like I can run amavis as content_filter AND milter. This sounds
like a good solution. Do you mind sharing your postfix config for amavis
milter? I'm assuming I need a separate program called amavis-milter?

Thanks

RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards

On 11/11/2023 18:07, Damian wrote:

> Also, since they allude to "some passing", I guess they did remember to set
> enable_dkim_verification=1 ?

> "Some passing OpenDMARC" might mean that they pass SPF-based only.

> true if using fo=1

To be clear, Amavis is setup like below:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;


RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards
>most DMARC's I find still use quarantine, what responses are you seeing for 
>them?

I don’t have any p=quarantine examples right now.

> You also don't need to setup amavisd as a milter if its working fine already.

Well, I can see Damian’s point here. Originally with OpenDKIM the Postfix
milters were set up in the following order, where 8891 is OpenDKIM and 54321 is
OpenDMARC:

smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:54321

So OpenDKIM would insert the authentication headers and OpenDMARC would parse
them. By using amavis as a content_filter, i.e. post-queue, OpenDMARC never
sees the authentication headers, so it always fails; but in the case of p=none it
doesn’t make a difference and the mail passes anyway.

Unless I’m thinking about it wrong.
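The ordering problem described above can be checked with a small model of what a DMARC milter sees. This is an added example, not code from the thread or from OpenDMARC: it parses Authentication-Results headers, ignores verdicts that do not carry a trusted authserv-id (the role OpenDMARC's TrustedAuthservIDs setting plays), applies relaxed alignment, and shows that with no DKIM verdict present at milter time p=none still accepts while p=reject rejects. The header values, authserv-id and domains are constructed, and the organizational-domain helper is a last-two-labels simplification of the Public Suffix List lookup.

```python
import re

# Constructed sample headers, shaped like the gmail example quoted in the thread.
# AMAVIS_AR is what a post-queue amavis adds; FOREIGN_AR carries somebody else's
# authserv-id and must be ignored, otherwise any sender could ship a "dkim=pass".
AMAVIS_AR = "smtp.domain.tld (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com"
FOREIGN_AR = "relay.other.example; dkim=pass header.d=gmail.com"

# Assumed authserv-id of our own verifier (OpenDMARC: AuthservID / TrustedAuthservIDs).
TRUSTED_AUTHSERV_IDS = {"smtp.domain.tld"}


def parse_authentication_results(value):
    """Parse one Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {ptype.property: value}), ...])."""
    fields = [f.strip() for f in value.split(";")]
    authserv_id = fields[0].split()[0].lower()          # drops "(amavisd-new)"
    results = []
    for stmt in fields[1:]:
        stmt = re.sub(r"\([^)]*\)", " ", stmt).strip()  # strip CFWS comments
        if not stmt or "=" not in stmt.split()[0]:      # e.g. a bare "none"
            continue
        tokens = stmt.split()
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def org_domain(domain):
    """Organizational domain, simplified to the last two labels for this example
    (a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain, from_domain, strict=False):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not domain:
        return False
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, policy, ar_headers, trusted_authserv_ids,
                   spf_result="none", spf_domain=""):
    """Decide DMARC the way a milter does: only DKIM verdicts reported under a
    trusted authserv-id count, and the disposition follows the published p= tag.
    Returns (dmarc_result, action)."""
    dkim_aligned_pass = False
    for header in ar_headers:
        authserv_id, results = parse_authentication_results(header)
        if authserv_id not in trusted_authserv_ids:
            continue
        for method, result, props in results:
            if (method == "dkim" and result == "pass"
                    and aligned(props.get("header.d", ""), from_domain)):
                dkim_aligned_pass = True
    spf_aligned_pass = spf_result == "pass" and aligned(spf_domain, from_domain)
    if dkim_aligned_pass or spf_aligned_pass:
        return "pass", "accept"
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy]


def milter_view(policy, amavis_is_milter, spf_result="softfail", spf_domain="gmail.com"):
    """What OpenDMARC sees for one gmail.com message depending on where amavis runs:
    as a milter ahead of it the AR header exists at decision time; as a post-queue
    content_filter it does not exist yet."""
    headers = [AMAVIS_AR] if amavis_is_milter else []
    return evaluate_dmarc("gmail.com", policy, headers, TRUSTED_AUTHSERV_IDS,
                          spf_result, spf_domain)


if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        for as_milter in (False, True):
            where = "milter" if as_milter else "content_filter"
            print(f"p={policy:<10} amavis as {where:<14}: {milter_view(policy, as_milter)}")
```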

RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards


> You can't do that. OpenDMARC needs to see Authentication-Results for DKIM.

It looks like you might be on to something. The e-mails that pass have a p=none
and the e-mails that fail have a p=reject. So, I need to set up amavis as a
milter in Postfix instead of the content_filter I have now? How would that
affect spam filtering with SA, if at all? As I understand it, a milter is pre-queue
whereas content_filter is post-queue. Does the milter require a separate package
called amavisd-milter?

Thanks

RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards
> I've seen no problems with mail from MS, so how about you elaborate on your 
> problems and what version of OD are you using?

Here’s the exact issue that I just ran into with o365 mail; note this issue
was reported 3 years ago. No fix yet.

https://github.com/trusteddomainproject/OpenDKIM/issues/73

Granted, it is Microsoft omitting ADMD on DKIM signatures, but it’s not like we
can just not do business with o365 customers. This particular issue was with one
of my e-mail customers doing business with the Secret Service, and that’s the
issue. You have high-profile organizations using o365 and your customers don’t
want to hear that the problem is on their end. “What do you mean the problem is
on their end? This is the Secret Service! It’s got to be your problem!”

Here’s my OpenDKIM version and related info:

opendkim -V

opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.1.1f  31 Mar 2020
    SMFI_VERSION 0x101
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
        ed25519-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_LUA
        USE_ODBX
        USE_UNBOUND
        _FFR_ATPS
        _FFR_RBL
        _FFR_REPLACE_RULES
        _FFR_SENDER_MACRO
        _FFR_STATS
        _FFR_VBR
    libopendkim 2.11.0: atps query_cache


RE: Amavis and OpenDMARC

2023-11-11 Thread Dino Edwards


> So Amavis is setup as an smtpd_milter as well?

No, Amavis is set up as a content_filter (content_filter = amavis:[127.0.0.1]:10021)

> Do you see DKIM-related Authentication-Results headers in incoming mails?

Yes, please see below at an example e-mail from gmail:

Authentication-Results: smtp.domain.tld (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com



Amavis and OpenDMARC

2023-11-10 Thread Dino Edwards
Hello,

 

In the past I used OpenDKIM to sign and verify DKIM signatures. However,
considering the fact that it hasn't been updated in a very long time and the
constant issues with e-mails from O365 senders, I decided to give Amavis
DKIM a try. I have it configured and it looks like it works verifying and
signing outgoing e-mails. However, I seem to be having some weird issues
with OpenDMARC, which I also use. OpenDMARC is set up as an smtpd_milter in
Postfix. For the most part, incoming e-mails pass the OpenDMARC test, but I
have a few select ones that fail and get rejected. Now, these e-mails from
the same senders would pass DMARC when I was using OpenDKIM. So the only
thing that has changed is using Amavis instead of OpenDKIM for DKIM verification.

Can someone maybe shed some light on why this would be happening, or is there
a different way to handle DMARC?

Thanks in advance.


RE: Excluding blocking macro/xlsx/docx files to specific recipients?

2022-02-25 Thread Dino Edwards
That seems to be the holy grail. I would be interested in that too. I've looked
into it before and the only thing I came up with was an all-or-nothing approach.

-Original Message-
From: amavis-users On Behalf Of Alex
Sent: Thursday, February 24, 2022 2:37 PM
To: amavis-users@amavis.org
Subject: Excluding blocking macro/xlsx/docx files to specific recipients?

Hi,
We have some users who receive machine-generated Excel spreadsheets that have 
macros, but our policy is to block them outright.

Is it possible to allow certain file types from certain addresses to certain 
recipients without knowing the sending IP to add them to a policy bank?

I thought score_sender_maps might work, but it appears to be an all-or-nothing 
kind of thing.

Maybe an approach would be to move it to SA and build a meta that excludes this 
specific sender and the specific recipient?

Thanks,
Alex


RE: Per User Bayes

2022-01-20 Thread Dino Edwards


> how is your dbi config in spamassassin ?

I don't have dbi config in spamassassin. I'm using file based bayes

> if you force specific username, then comment that line, not configured
> spamd/spamc ?

> all is simply if using fuglu, bah

Sorry what's fuglu?

Per User Bayes

2022-01-19 Thread Dino Edwards
I was trying to setup Per User Bayes with SA and Amavis but I couldn't get it 
to work. Then I read somewhere that even though SA's default behavior is Per 
User Bayes, using Amavis forces you with Global Bayes. Is that still the case? 
If so, are there plans to add that functionality?

Thanks


RE: Issue with mails in sql quarantine

2021-06-14 Thread Dino Edwards
Try the following query:

SELECT msgrcpt.mail_id, msgrcpt.ds, msgs.sid, msgs.spam_level, msgs.mail_id,
       msgs.secret_id, msgs.time_iso, msgs.subject, msgs.from_addr, msgs.content,
       msgs.client_addr
FROM msgs
INNER JOIN msgrcpt ON msgs.mail_id = msgrcpt.mail_id
WHERE msgs.time_iso BETWEEN '2021-05-01 12:00:00' AND '2021-05-01 23:00:00'
  AND msgs.content LIKE BINARY 'S'
ORDER BY msgs.time_iso DESC

Here are the quarantined msgs.content types:

V = Virus
B = Banned
S = Quarantined Spam
M = Bad-Mime
H = Bad-Header
O = Oversized

Hope this helps.

Many more queries can be found here:

https://github.com/deeztek/Hermes-Secure-Email-Gateway/blob/master/dirstructure/var/www/html/admin/message_history_new.cfm
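As an added example (not from the thread or from the Hermes project), here is the same query with placeholders instead of pasted-in values and an extra join to the maddr recipient table, so it answers the original per-user question. The schema and rows are a constructed, reduced version of the amavis SQL logging tables with only the columns the query touches, and sqlite's case-sensitive `=` stands in for MySQL's `LIKE BINARY`.

```python
import sqlite3

# msgs.content codes as listed in the reply above.
CONTENT_TYPES = {"V": "Virus", "B": "Banned", "S": "Quarantined Spam",
                 "M": "Bad-Mime", "H": "Bad-Header", "O": "Oversized"}

# Reduced, constructed version of the amavis SQL logging tables (assumption:
# only the columns this query touches; the real tables have more).
SCHEMA = """
CREATE TABLE maddr   (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE msgs    (mail_id TEXT PRIMARY KEY, secret_id TEXT, sid INTEGER,
                      time_iso TEXT, subject TEXT, from_addr TEXT, content TEXT,
                      client_addr TEXT, spam_level REAL);
CREATE TABLE msgrcpt (mail_id TEXT, rid INTEGER, ds TEXT, rs TEXT);
"""

# Constructed sample rows: two recipients, spam and one banned attachment.
SAMPLE_ROWS = {
    "maddr": [(1, "alice@example.com"), (2, "bob@example.com")],
    "msgs": [
        ("m1", "s1", 1, "2021-06-12 09:00:00", "Invoice", "spam@bad.example",
         "S", "203.0.113.9", 12.4),
        ("m2", "s2", 1, "2021-06-12 10:30:00", "Report.xlsm", "vendor@example.net",
         "B", "203.0.113.10", 0.1),
        ("m3", "s3", 1, "2021-06-13 08:15:00", "Meeting", "colleague@example.org",
         "S", "203.0.113.11", 8.0),
        ("m4", "s4", 1, "2021-06-14 01:00:00", "Old one", "x@example.org",
         "S", "203.0.113.12", 9.9),
    ],
    # ds = delivery status per recipient; 'D' used here for "discarded/quarantined"
    "msgrcpt": [("m1", 1, "D", "Y"), ("m2", 1, "D", " "),
                ("m3", 2, "D", "Y"), ("m4", 1, "D", "Y")],
}

# Same shape as the thread's query, plus a join to maddr so it can be filtered
# by recipient, and bound parameters instead of string concatenation. sqlite's
# "=" is case-sensitive, which is what "LIKE BINARY 'S'" achieves on MySQL.
QUERY = """
SELECT msgs.mail_id, msgs.secret_id, msgs.time_iso, msgs.subject, msgs.from_addr,
       msgs.content, msgs.client_addr, msgs.spam_level, msgrcpt.ds, maddr.email
  FROM msgs
  JOIN msgrcpt ON msgs.mail_id = msgrcpt.mail_id
  JOIN maddr   ON msgrcpt.rid  = maddr.id
 WHERE maddr.email = ?
   AND msgs.time_iso BETWEEN ? AND ?
   AND msgs.content = ?
 ORDER BY msgs.time_iso DESC
"""


def open_sample_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO maddr VALUES (?, ?)", SAMPLE_ROWS["maddr"])
    conn.executemany("INSERT INTO msgs VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
                     SAMPLE_ROWS["msgs"])
    conn.executemany("INSERT INTO msgrcpt VALUES (?, ?, ?, ?)", SAMPLE_ROWS["msgrcpt"])
    return conn


def quarantined_for(conn, recipient, start_iso, end_iso, content="S"):
    """Quarantined messages for one recipient in a time window, newest first,
    returned as dicts with the content code spelled out."""
    if content not in CONTENT_TYPES:
        raise ValueError(f"unknown msgs.content code {content!r}")
    cur = conn.execute(QUERY, (recipient, start_iso, end_iso, content))
    columns = [d[0] for d in cur.description]
    rows = [dict(zip(columns, r)) for r in cur.fetchall()]
    for row in rows:
        row["content_name"] = CONTENT_TYPES[row["content"]]
    return rows


if __name__ == "__main__":
    db = open_sample_db()
    for row in quarantined_for(db, "alice@example.com",
                               "2021-06-12 00:00:00", "2021-06-13 23:59:59"):
        print(row["time_iso"], row["content_name"], row["from_addr"], row["subject"])
```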

From: amavis-users On Behalf Of Benedict White
Sent: Sunday, June 13, 2021 7:26 PM
To: amavis-users@amavis.org
Subject: Issue with mails in sql quarantine

I had an issue for two days over a weekend where most emails got quarantined.

Does anyone have an sql statement to list quarantined emails by user please?

Kind Regards,

Benedict White



Re: Amavis stats

2021-02-05 Thread Dino Edwards



> I am not aware of a script, which extracts all that data, but amavis is able
> to push such events to SNMP and IIRC it can send such data to an ELK stack.

Grafana might be a simpler option. This article should be a good start:


https://techexpert.tips/grafana/grafana-monitoring-snmp-devices/

Re: clamav (under amavis) not filtering out viruses!

2020-10-15 Thread Dino Edwards
I have never heard of that. Do you have any info to substantiate your claim?



From: Michael Orlitzky 
Sent: Thursday, October 15, 2020 9:35 AM
To: amavis-users@amavis.org
Subject: Re: clamav (under amavis) not filtering out viruses!

On 2020-10-15 08:48, Dino Edwards wrote:
> Hi Niko,
>
> Try this:
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> This has worked wonderfully for us.
>

That script comes packed with silly root exploits. You'll be safer with
fangfrisch:

  https://github.com/rseichter/fangfrisch

And these days, most of the unofficial databases can simply be added to
freshclam.conf, making life even easier (but you have to track down
their http(s) URLs).


RE: clamav (under amavis) not filtering out viruses!

2020-10-15 Thread Dino Edwards
I would make a backup of the /var/clamav directory first and then I would 
delete the stale databases and then ensure clamav starts up and see if it's 
complaining about anything.


-Original Message-
From: amavis-users On Behalf Of Nikolaos Milas
Sent: Thursday, October 15, 2020 9:20 AM
To: amavis-users@amavis.org
Subject: Re: clamav (under amavis) not filtering out viruses!

On 15/10/2020 3:48 μ.μ., Dino Edwards wrote:

> https://github.com/extremeshok/clamav-unofficial-sigs
>
> This has worked wonderfully for us.


Sounds great.

Should I first remove the stale databases installed by the legacy scamp script?

If so, is it sufficient to delete the undesired / stale databases from the db 
directory?

In this case I would delete everything below main.cld in the listing below:

==
# ls -lt /var/clamav/
total 777108
drwxr-xr-x 6 clamav clamav  4096 Oct 15 12:14 tmp
-rw-rw-r-- 1 clamav clamav    181612 Oct 15 12:10 blurl.ndb
-rw-rw-r-- 1 clamav clamav    186688 Oct 15 12:10 jurlbla.ndb
-rw-rw-r-- 1 clamav clamav   2643313 Oct 15 12:10 jurlbl.ndb
-rw-rw-r-- 1 clamav clamav    372935 Oct 15 12:10 rogue.hdb
-rw-rw-r-- 1 clamav clamav   2005796 Oct 15 12:00 phishtank.ndb
-rw-rw-r-- 1 clamav clamav    639043 Oct 15 12:00 porcupine.ndb
-rw-rw-r-- 1 clamav clamav    226541 Oct 15 11:11 foxhole_filename.cdb
-rw--- 1 clamav clamav  3692 Oct 15 04:02 mirrors.dat
-rw-r--r-- 1 clamav clamav 346183680 Oct 15 04:02 daily.cld
-rw-rw-r-- 1 clamav clamav   1925105 Oct 14 17:09 scam.ndb
-rw-rw-r-- 1 clamav clamav   7502124 Oct 14 13:10 junk.ndb
-rw-rw-r-- 1 clamav clamav   260 Oct 12 11:13 sigwhitelist.ign2
-rw-rw-r-- 1 clamav clamav   4137409 Sep 28 18:10 phish.ndb
srw-r--r-- 1 clamav clamav 0 Sep 18 00:49 clmilter.socket
-rw-rw-r-- 1 clamav clamav 51865 Sep 11 13:09 foxhole_generic.cdb
-rw-rw-r-- 1 clamav clamav 19115 Feb 12  2020 spamimg.hdb
-rw-rw-r-- 1 clamav clamav 14709 Nov 26  2019 winnow_malware_links.ndb
-rw-r--r-- 1 clamav clamav 307403264 Nov 26  2019 main.cld
-rw-rw-r-- 1 clamav clamav  3448 Oct 27  2019 bofhland_cracked_URL.ndb
-rw-rw-r-- 1 clamav clamav  9676 Oct 27  2019 bofhland_phishing_URL.ndb
-rw-rw-r-- 1 clamav clamav   610 Oct 27  2019 bofhland_malware_URL.ndb
-rw-rw-r-- 1 clamav clamav    245189 Oct  3  2019 lott.ndb
-rw-r--r-- 1 clamav clamav   1458176 Sep 20  2019 bytecode.cld
-rw-rw-r-- 1 clamav clamav   115 Aug 15  2019 spear.ndb
-rw-rw-r-- 1 clamav clamav   115 Nov 27  2018 spearl.ndb
-rw-rw-r-- 1 clamav clamav   5379419 Nov 14  2018 scamnailer.ndb
-rw-rw-r-- 1 clamav clamav  6577 Nov 13  2018 winnow_phish_complete_url.ndb
-rw-rw-r-- 1 clamav clamav 14825 Jul 16  2018 winnow.attachments.hdb
-rw-rw-r-- 1 clamav clamav 18189 Mar  5  2018 winnow_malware.hdb
-rw-rw-r-- 1 clamav clamav 16271 Feb 26  2018 winnow_extended_malware.hdb
-rw-rw-r-- 1 clamav clamav  1391 Apr 28  2017 spamattach.hdb
-rw-rw-r-- 1 clamav clamav 11098 Oct 18  2016 sanesecurity.ftm
-rw-rw-r-- 1 clamav clamav   556 Oct  6  2016 spam.ldb
-rw-rw-r-- 1 clamav clamav    82 Jul 13  2016 crdfam.clamav.hdb
-rw-rw-r-- 1 clamav clamav    66 Jul 21  2015 winnow_bad_cw.hdb
-rw-rw-r-- 1 clamav clamav  27900334 Apr 22  2015 securiteinfohtml.hdb
-rw-rw-r-- 1 clamav clamav  86032796 Apr 22  2015 securiteinfo.hdb
-rw-rw-r-- 1 clamav clamav 51819 Feb 25  2015 securiteinfopdf.hdb
-rw-rw-r-- 1 clamav clamav 75040 Jan 21  2014 securiteinfoelf.hdb
-rw-rw-r-- 1 clamav clamav    391274 Nov 28  2013 securiteinfodos.hdb
-rw-rw-r-- 1 clamav clamav   159 Sep 19  2013 winnow_extended_malware_links.ndb
-rw-rw-r-- 1 clamav clamav    65 Jul 25  2013 doppelstern.hdb
-rw-rw-r-- 1 clamav clamav   185 Jul 25  2013 doppelstern.ndb
-rw-rw-r-- 1 clamav clamav    264154 Jan 15  2013 securiteinfooffice.hdb
-rw-rw-r-- 1 clamav clamav   660 Oct  2  2012 winnow.complex.patterns.ldb
-rw-rw-r-- 1 clamav clamav 29520 Aug 21  2012 securiteinfosh.hdb
-rw-rw-r-- 1 clamav clamav    200405 Aug 21  2012 securiteinfobat.hdb
-rw-rw-r-- 1 clamav clamav 22549 Feb 15  2012 honeynet.hdb 
==

Please clarify!

Thanks,
Nick



RE: clamav (under amavis) not filtering out viruses!

2020-10-15 Thread Dino Edwards
Hi Niko,

Try this:

https://github.com/extremeshok/clamav-unofficial-sigs

This has worked wonderfully for us.



-Original Message-
From: amavis-users On Behalf Of Nikolaos Milas
Sent: Thursday, October 15, 2020 8:41 AM
To: amavis-users@amavis.org
Subject: Re: clamav (under amavis) not filtering out viruses!

On 15/10/2020 3:26 μ.μ., Nikolaos Milas wrote:

> This doesn't seem to be the problem, because the infected attachments 
> are simply found CLEAN;


For your reference, here is a verbose log of the AV check on a message which 
should have been found INFECTED, but it is rather judged CLEAN:

==

Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Extracting mime components from a string
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Issued a new file name: p001
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Issued a new file name: p002
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Issued a new pseudo part: p003
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) p003 1 Content-Type: multipart/mixed
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) mime_decode_epilogue: 1 lines
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Charging 239 bytes to remaining quota 97559500 (out of 97559500, (0%)) - by mime_decode
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) p001 1/1 Content-Type: text/html, size: 239 B, name:
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) reparenting p001 from p000 to p003
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) Charging 140468 bytes to remaining quota 97559261 (out of 97559500, (0%)) - by mime_decode
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) p002 1/2 Content-Type: application/msword, size: 140468 B, name: attachments 54972.doc
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) reparenting p002 from p000 to p003
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) get_deadline mime_decode - deadline in 480.0 s, set to 336.000 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) prolong_timer mime_decode: timer 336, was 336, deadline in 480.0 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) get_deadline mime_decode-1 - deadline in 480.0 s, set to 336.000 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) prolong_timer mime_decode-1: timer 336, was 336, deadline in 480.0 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) decode_parts: level=1, #parts=3 : p001, p002, p003
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) running file(1) on 2 files, arglist size 23
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) run_command: [3286] /usr/bin/file p001 p002 &1
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: target fd0 closing, to become < /dev/null
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: target fd1 closing, to become (65) &=13
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: target fd1 dup2 from fd13 (65) &=13
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: source fd13 closed
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: target fd2 closing, to become (65) &1
Oct 15 14:43:44 mailgw3 amavis[3286]: (03253-10) open_on_specific_fd: target fd2 dup2 from fd1 (65) &1
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) result line from file(1): p001: HTML document text\n
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup_re("HTML document text") matches key "(?-xism:^HTML document text\b)", result="html"
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup [map_full_type_to_short_type] => true,  "HTML document text" matches, result="html", matching_key="(?-xism:^HTML document text\134b)"
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) File-type of p001: HTML document text; (html)
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) result line from file(1): p002: CDF V2 Document, corrupt: Can't expand summary_info\n
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup_re("CDF V2 Document, corrupt: Can't expand summary_info") matches key "(?-xism:^)", result="dat"
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup [map_full_type_to_short_type] => true,  "CDF V2 Document, corrupt: Can't expand summary_info" matches, result="dat",matching_key="(?-xism:^)"
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) File-type of p002: CDF V2 Document, corrupt: Can't expand summary_info; (dat)
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) decompose_part: p001 - atomic
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) decompose_part: p002 - atomic
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) get_deadline parts_decode - deadline in 479.9 s, set to 336.000 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) prolong_timer parts_decode: timer 336, was 336, deadline in 479.9 s
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup: (scalar) matches, result="1"
Oct 15 14:43:44 mailgw3 amavis[3253]: (03253-10) lookup [bypass_header_checks] => tr

Re: Is my Bayes working?

2020-05-23 Thread Dino Edwards
The bayes_auto_learn is probably working against you. You should never turn 
that on until you have made absolutely sure your bayes filter is trained just 
right which usually happens after 200 spam and ham messages. I personally never 
turn that on even after I train my spam filter.

What messages are you running your cron script against?


From: sse450 
Sent: Saturday, May 23, 2020 4:07 AM
To: amavis-users@amavis.org
Subject: Is my Bayes working?

Hello,

I set up amavisd (2.12.0), spamassassin (3.4.2), postfix, dovecot on
CentOS8 about one month ago and run sa-learn every night as a crontab
entry. There is considerable data accumulated in the database. But,
still, I get BAYES_00=-1.9 for a very spammy mail:

X-Spam-Flag: YES
X-Spam-Score: 29.813
X-Spam-Level: *
X-Spam-Status: Yes, score=29.813 tagged_above=-999 required=3
tests=[AXB_XMAILER_MIMEOLE_OL_024C2=0.001, BAYES_00=-1.9,
CUSTOM_DMARC_FAIL=2, DCC_CHECK=1.1, DCC_REPUT_70_89=0.1,
DIGEST_MULTIPLE=0.293, DKIM_ADSP_CUSTOM_MED=0.001, DMARC_NONE=0.1,
FORGED_GMAIL_RCVD=2.5, FORGED_MUA_OUTLOOK=1.927, FORM_FRAUD_5=0.001,
FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
FREEMAIL_REPLYTO=1, FREEMAIL_REPLYTO_END_DIGIT=0.25,
FROM_MISSPACED=0.001, FROM_MISSP_EH_MATCH=0.001,
FROM_MISSP_FREEMAIL=2.01,
FROM_MISSP_MSFT=0.001,FROM_MISSP_REPLYTO=1.717, FROM_MISSP_XPRIO=0.001,
FROM_NOT_REPLYTO=2, FSL_BULK_SIG=0.001, FSL_CTYPE_WIN1251=0.001,
FSL_NEW_HELO_USER=0.001, HK_SCAM=0.001, KAM_DMARC_NONE=0.25,
KAM_DMARC_STATUS=0.01, MALFORMED_FREEMAIL=1.142, MISSING_HEADERS=1.021,
MISSING_MID=0.497, NML_ADSP_CUSTOM_MED=0.9, NSL_RCVD_HELO_USER=0.001,
PYZOR_CHECK=1.392,RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L4=0.001,
RCVD_IN_RP_RNBL=1.31, RCVD_IN_SBL_CSS=3.335,
REPLYTO_WITHOUT_TO_CC=1.552, SPF_HELO_PASS=-0.001,
SPF_SOFTFAIL=0.665,SPOOFED_FREEMAIL=1.999, SPOOFED_FREEM_REPTO=0.693,
TO_NO_BRKTS_FROM_MSSP=1.655, TO_NO_BRKTS_MSFT=0.001,
T_DEAR_BENEFICIARY=0.01, T_FILL_THIS_FORM_SHORT=0.01,
T_HK_NAME_FM_MR_MRS=0.01] autolearn=no autolearn_force=no

It seems to me that Bayes is not working. But I don't know why. Here are
some info from my server:

/etc/mail/spamassassin/local.cf:

# bayes
use_bayes           1
bayes_auto_learn    1
bayes_auto_expire   1
# Store bayesian data in MySQL
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn  DBI:mysql:sa_bayes:127.0.0.1:3306
bayes_sql_username sa_bayes
bayes_sql_password x
bayes_sql_override_username amavis

root@winsvr:/# sa-learn -D --dump magic

May 23 09:57:00.510 [23968] dbg: config: read file
/etc/mail/spamassassin/local.cf
...
May 23 09:57:02.270 [23968] dbg: plugin:
Mail::SpamAssassin::Plugin::Bayes=HASH(0x5621708f6b48) implements
'learner_new', priority 0
May 23 09:57:02.270 [23968] dbg: bayes: learner_new
self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x5621708f6b48),
bayes_store_module=Mail::SpamAssassin::BayesStore::MySQL
May 23 09:57:02.293 [23968] dbg: bayes: using username: amavis
May 23 09:57:02.293 [23968] dbg: bayes: learner_new: got
store=Mail::SpamAssassin::BayesStore::MySQL=HASH(0x5621725b6cd0)
May 23 09:57:02.293 [23968] dbg: plugin:
Mail::SpamAssassin::Plugin::Bayes=HASH(0x5621708f6b48) implements
'learner_is_scan_available', priority 0
May 23 09:57:02.304 [23968] dbg: bayes: database connection established
May 23 09:57:02.304 [23968] dbg: bayes: found bayes db version 3
May 23 09:57:02.305 [23968] dbg: bayes: Using userid: 1
May 23 09:57:02.305 [23968] dbg: config: score set 3 chosen.
May 23 09:57:02.306 [23968] dbg: dns: EDNS, UDP payload size 4096
May 23 09:57:02.306 [23968] dbg: dns: servers obtained from Net::DNS :
[xxx.162.133.5]:53, [xxx.162.130.5]:53, [xxx.162.137.5]:53
May 23 09:57:02.306 [23968] dbg: dns: nameservers set to xxx.162.133.5,
xxx.162.130.5, xxx.162.137.5
May 23 09:57:02.307 [23968] dbg: dns: using socket module:
IO::Socket::IP version 0.39
May 23 09:57:02.307 [23968] dbg: dns: is Net::DNS::Resolver available? yes
May 23 09:57:02.307 [23968] dbg: dns: Net::DNS version: 1.15
May 23 09:57:02.307 [23968] dbg: sa-learn: spamtest initialized
May 23 09:57:02.307 [23968] dbg: plugin:
Mail::SpamAssassin::Plugin::Bayes=HASH(0x5621708f6b48) implements
'learner_dump_database', priority 0
0.000          0          3          0  non-token data: bayes db version
0.000          0       5785          0  non-token data: nspam
0.000          0      14487          0  non-token data: nham
0.000          0     323279          0  non-token data: ntokens
0.000          0 1587406453          0  non-token data: oldest atime
0.000          0 1590215255          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1590176626          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0     202221          0  non-token data: last expire reduction count
May 23 09:57:02.308 [23968]

RE: web i/f ?

2020-04-05 Thread Dino Edwards
Actually, there is a project that I have been working on for a few years and is
actively maintained that has a Web UI that supports Amavisd-new, Postfix,
Apache SpamAssassin, ClamAV etc. It's based on Ubuntu 18.04. It also supports
SPF, OpenDKIM, opendmarc and ciphermail if you want to use e-mail encryption.
It's all integrated in a unified Web GUI for easy management. I've deployed it to
many customers over the years with great results. Of course it's free and open
source.

Check it out here:

https://github.com/deeztek/Hermes-Secure-Email-Gateway

Feedback is always welcome.

Thanks

Dino

-Original Message-
From: amavis-users On Behalf Of Patrick Ben Koetter
Sent: Sunday, April 5, 2020 5:17 PM
To: amavis-users@amavis.org
Subject: Re: web i/f ?

* li...@sbt.net.au :
> I have been using amavisd with postfix like forever, but, never went 
> beyond setting it up, few times looked at the various web i/f, but, 
> never did anything beyond looking
> 
> amavisd has just worked with no issues, with some help from Mark and 
> this forum, thank you
> 
> just thinking I should have a web i/f, looking from amavisd/#contrib 
> at some of the web frontends, some seem to have been abandonded
> 
> any suggestions what web frontends are 'current' and worth trying ?
> 
> thanks for any pointers
> 
> Centos, amavisd-new-2.11.1 (20181009), Postfix, Dovecot, MariaDB

I'm sorry, but there's no current Web UI I know of that supports amavis. The
modoboa project had amavis, but I am not sure if it has switched to using
rspamd.

Obviously the most prominent things would be a quarantine service and something
that allows you to create and maintain per-domain/per-recipient policies.

amavis can read/write from a database (it's actually two databases) or from a
database and an LDAP service, and any web UI could read/write accordingly.

For monitoring one can use either amavis' x-agent and hook it up to SNMP, which
also gives you a status on Postfix queues, or have it send its data to an ELK
stack.

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



RE: Conversion to 7BIT required but not supported

2020-01-06 Thread Dino Edwards
I’m looking into enabling 8BITMIME on James. In the meantime a policy like this 
should suffice?

# This policy serves to persuade Postfix to convert mail to 7-bit before
# submitting to Amavis
$interface_policy{'10021'} = 'DISABLE8BITMIME';
$policy_bank{'DISABLE8BITMIME'} = {
  smtpd_discard_ehlo_keywords => ['8BITMIME'],  # disable 8BITMIME
};


-Original Message-
From: amavis-users On Behalf Of Damian
Sent: Sunday, January 5, 2020 1:28 PM
To: amavis-users@amavis.org
Subject: Re: Conversion to 7BIT required but not supported

>> What kind of software is that on 127.0.0.1:10025? It's neither amavis nor 
>> postfix.
> 
> Crap I missed that! it's James Java SMTP for Ciphermail.

If you cannot enable 8BITMIME support on it, you might try to discard the 
8BITMIME ehlo keyword on the 10021 amavis instance/policybank. This way, your 
postfix:25 should convert to 7BIT before feeding the mail into amavis:10021. 
This is also mentioned in [1] with its caveats.

[1] https://www.ijs.si/software/amavisd/amavisd-new-docs.html


RE: Conversion to 7BIT required but not supported

2020-01-05 Thread Dino Edwards

Hi Damian,

> $interface_policy{'10021'} = 'FIRST';
> $interface_policy{'10025'} = 'SECOND';
> $policy_bank{'FIRST'} = {
>   forward_method => 'smtp:[127.0.0.1]:10025',
> };
> $policy_bank{'SECOND'} = {
>   forward_method  => 'smtp:[127.0.0.1]:10026',
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
> };

I don't have any policy like that. The only one I have is one to bypass amavis
altogether for certain senders, but this particular sender is not affected by
that policy:

$interface_policy{'10030'} = 'BYPASSALLCHECKS';
$policy_bank{'BYPASSALLCHECKS'} = { # mail from the pickup daemon
  log_level => 5,
  bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
  bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
  bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
  bypass_virus_checks_maps  => ['@whitelist_sender_maps'],  # don't virus-check this mail
};



> If that is not the case either, then a more complete log-snippet with 
> $log_level 5 could help. There you will see a log line that looks like:

> Remote host presents itself as: [127.0.0.1], handles DSN, PIPELINING

> Please verify that 8BITMIME is indeed not listed there, when your issue 
> occurs.

Here are logs with $log_level 5:

Jan  5 08:39:40 smtp amavis[32190]: (32190-01) about to connect to 
smtp:[127.0.0.1]:10025, Pjqt83Ia4zs4 FWD from  -> 

Jan  5 08:39:40 smtp amavis[32190]: (32190-01) get_deadline fwd_init - deadline 
in 478.5 s, set to 479.000 s
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp session: setting up a new 
session
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) establish_or_refresh, state: down
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) new socket using IO::Socket::IP 
to [127.0.0.1]:10025, timeout 35
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) connected to [127.0.0.1]:10025 
successfully
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=1, flush=0, 
wr=0, timeout=35
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: receiving
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop read 67 chars< 220 smtp 
SMTP Server ready Sun, 5 Jan 2020 08:39:40 -0500 (EST)\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp greeting: 220 smtp SMTP 
Server ready Sun, 5 Jan 2020 08:39:40 -0500 (EST), dt: 2.7 ms
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp cmd> EHLO localhost
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=0, flush=1, 
wr=1, timeout=300
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: sending 16 chars
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop sent 16> EHLO 
localhost\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=1, flush=0, 
wr=0, timeout=300
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: receiving
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop read 52 chars< 250-smtp 
Hello localhost (localhost [127.0.0.1])\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=1, flush=0, 
wr=0, timeout=300
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: receiving
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop read 65 chars< 
250-PIPELINING\r\n250-ENHANCEDSTATUSCODES\r\n250 XFORWARD NAME ADDR\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp resp to EHLO: 250 smtp 
Hello localhost (localhost 
[127.0.0.1])\nPIPELINING\nENHANCEDSTATUSCODES\nXFORWARD NAME ADDR
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) tls active=0, capable=, 
sec_level=0
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) Remote host presents itself as: 
smtp Hello localhost (localhost [127.0.0.1]), handles PIPELINING
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp cmd> XFORWARD 
ADDR=209.85.222.174 NAME=mail-qk1-f174.google.com
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=0, flush=1, 
wr=1, timeout=300
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: sending 60 chars
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop sent 60> XFORWARD 
ADDR=209.85.222.174 NAME=mail-qk1-f174.google.com\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=1, flush=0, 
wr=0, timeout=300
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: receiving
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop read 8 chars< 250 Ok\r\n
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp resp to XFORWARD: 250 Ok
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) AUTH not needed, user='', MTA 
offers ''
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) (!)requested BODY type is 
8BITMIME, but MTA does not announce 8bit-MIMEtransport capability
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) no valid recipients, skip data 
transfer
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) smtp cmd> RSET
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: needline=1, flush=0, 
wr=1, timeout=20
Jan  5 08:39:40 smtp amavis[32190]: (32190-01) rw_loop: sending 6 chars
Jan  5 08:39:40 smtp am

RE: Conversion to 7BIT required but not supported

2020-01-05 Thread Dino Edwards
As requested:

 main.cf starts here 
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
bounce_queue_lifetime = 5d
maximal_queue_lifetime = 14d
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
myorigin = example.com
myhostname = SMTP.example.com
masquerade_domains = mail.example.com example.com
mynetworks = 127.0.0.1, 192.168.0.0/24
message_size_limit = 52428800
local_transport = ERROR: No local mail delivery is allowed
mydestination =
local_recipient_maps =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

#relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_recipient_maps= mysql:/etc/postfix/mysql-recipients.cf

transport_maps = hash:/etc/postfix/transport

relay_domains = mysql:/etc/postfix/mysql-domains.cf
recipient_delimiter =

smtpd_helo_required = yes

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, 
check_sender_access mysql:/etc/postfix/mysql-senders.cf, 
reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, 
reject_unknown_sender_domain, reject_non_fqdn_recipient, 
reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf

smtpd_data_restrictions = reject_unauth_pipelining

header_checks = regexp:/etc/postfix/regexp_header_checks
body_checks = pcre:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10021
receive_override_options = no_address_mappings
smtpd_banner = $myhostname SMTP Secure Email Gateway ESMTP

policy-spf_time_limit = 3600s
#TLS Policy
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# TLS parameters
smtpd_tls_cert_file = /opt/SMTP/ssl/SMTP-tls.cer
smtpd_tls_key_file = /opt/SMTP/ssl/SMTP-tls.key
smtpd_tls_CAfile = /opt/SMTP/ssl/SMTP-tls.root.cer
#smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel = 1
postscreen_access_list = permit_mynetworks, 
cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
#postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net
postscreen_dnsbl_sites = bl.spameatingmonkey.net*2, 
list.dnswl.org=127.[0..255].[0..255].0*-2, 
list.dnswl.org=127.[0..255].[0..255].1*-3, 
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4, bl.spamcop.net*2, 
wl.mailspike.net*-2, psbl.surriel.com, dnsbl.sorbs.net*2, bl.mailspike.net*2, 
zen.spamhaus.org*3, b.barracudacentral.org*3
postscreen_dnsbl_threshold = 3
postscreen_pipelining_enable = no
postscreen_non_smtp_command_enable = no
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
relayhost =
smtp_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination, 
check_sender_access mysql:/etc/postfix/mysql-senders.cf, 
reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, 
reject_unknown_sender_domain, reject_non_fqdn_recipient, 
reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:54321
non_smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:54321
smtpd_sender_restrictions = check_sender_access 
hash:/etc/postfix/amavis_senderbypass, reject_non_fqdn_sender, 
reject_unknown_sender_domain
 main.cf ends here 

 master.cf starts here 
# === Postscreen Enabled Configuration below this line ===
#Disable line 1 and enable lines 2, 3, 4, and 5 to enable postscreen
#smtp  inet  n   -   n   -   -   smtpd
smtpd  pass  -   -   n   -   -   smtpd
smtp  inet  n   -   n   -   1   postscreen
tlsproxy  unix  -   -   n   -   0   tlsproxy
dnsblog   unix  -   -   n   -   0   dnsblog
# === Postscreen Enabled Configuration above this line ===

amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer

RE: Conversion to 7BIT required but not supported

2020-01-04 Thread Dino Edwards
Hi Damian,

I'm using Postfix as the MTA. I don't have 
smtpd_discard_ehlo_keywords_address_maps set in my main.cf at all.

-Original Message-
From: amavis-users 
 On Behalf Of 
Damian
Sent: Saturday, January 4, 2020 3:35 PM
To: amavis-users@amavis.org
Subject: Re: Conversion to 7BIT required but not supported

Hi,

what kind of MTA does your amavis forward to? That MTA does not announce 
8BITMIME support. With a postfix this could have been achieved via 
smtpd_discard_ehlo_keyword_address_maps.

> dsn: . 550 MtaRejected  -> :
> on_succ=0, on_dly=1, on_fail=1, never=0, warn_sender=, 
> DSN_passed_on=0, destiny=-3, mta_resp: "550 5.6.3 id=02074-04 - 
> Rejected by next-hop MTA on relaying, Conversion to 7BIT required but not 
> supported"
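The EHLO exchange in the debug log above is the whole story: the listener on 127.0.0.1:10025 answers with PIPELINING, ENHANCEDSTATUSCODES and XFORWARD only, so a message amavis accepted with BODY=8BITMIME cannot be handed on without a 7bit conversion that amavis does not perform, hence the 5.6.3 rejection. The following is an added example, not code from the thread or from amavis, that parses an EHLO reply exactly as logged and reports that verdict. Both sample replies are constructed (the second imitates a Postfix smtpd that does advertise 8BITMIME), and probe() is a live variant for whatever host and port you re-inject to, which is an assumption about your setup rather than anything the thread states.

```python
import smtplib
from typing import Dict, List, Tuple

# Constructed sample: the EHLO reply amavis logged from the re-injection
# port 127.0.0.1:10025, reassembled as it was on the wire.
SAMPLE_EHLO_REPLY = (
    b"250-smtp Hello localhost (localhost [127.0.0.1])\r\n"
    b"250-PIPELINING\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 XFORWARD NAME ADDR\r\n"
)

# Constructed sample of what a Postfix smtpd normally advertises.
POSTFIX_EHLO_REPLY = (
    b"250-smtp.example ESMTP\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)


def parse_ehlo(reply: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Parse a raw multi-line EHLO reply into (code, {KEYWORD: [params]}).

    The first line is the greeting and carries no keyword; each later line is
    "250-KEYWORD [params]" or, for the final line, "250 KEYWORD [params]".
    Keywords are case-insensitive (RFC 5321), so they are upper-cased.
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError("not an SMTP reply")
    code = int(lines[0][:3])
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != lines[0][:3] or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return code, caps


def relay_verdict(caps: Dict[str, List[str]], body: str = "8BITMIME") -> Tuple[bool, str]:
    """Can a message accepted with BODY=<body> be handed on unchanged?

    amavis does not down-convert 8-bit bodies, so a next hop that does not
    announce 8BITMIME yields "Conversion to 7BIT required but not supported".
    """
    if body in ("8BITMIME", "BINARYMIME") and body not in caps:
        return False, f"next hop does not announce {body}; 7BIT conversion would be required"
    return True, "ok"


def probe(host: str, port: int, timeout: float = 10.0) -> Dict[str, List[str]]:
    """Live variant: EHLO the given MTA and return its capabilities.
    Not exercised offline; host/port are whatever you re-inject to."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo("localhost")
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {k.upper(): v.split() for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    for label, raw in (("logged 10025 listener", SAMPLE_EHLO_REPLY),
                       ("typical Postfix smtpd", POSTFIX_EHLO_REPLY)):
        _, caps = parse_ehlo(raw)
        ok, why = relay_verdict(caps)
        print(f"{label}: {sorted(caps)} -> {'relay ok' if ok else why}")
```

Run it as-is to see the two verdicts side by side; point probe() at your own re-injection port to confirm which capability set the listener really offers before changing Postfix.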


Conversion to 7BIT required but not supported

2020-01-04 Thread Dino Edwards
Hi,

I've got an odd issue on a brand new Amavis install on Ubuntu 18.04. I'm 
getting rejections on certain incoming e-mails. I'm hoping someone can shed 
some light into this:

dsn: . 550 MtaRejected  -> : 
on_succ=0, on_dly=1, on_fail=1, never=0, warn_sender=, DSN_passed_on=0, 
destiny=-3, mta_resp: "550 5.6.3 id=02074-04 - Rejected by next-hop MTA on 
relaying, Conversion to 7BIT required but not supported"

Thanks!


RE: whitelist

2019-07-15 Thread Dino Edwards
>P.S.
>Any pre-queue process will introduce a noticeable delay. This is imposed by the 
>scan process itself. It is the same delay you have in post-queue – it's just 
>that now you get to "see" in SMTP sessions. Clients won't bother. The typical 
>client timeout is 600 seconds. That's ten minutes a client will wait for your 
>amavis setup to get the job done. If it hasn't finished by then you have a 
>problem – no matter if you are using a pre- or a post-queue setup.

If this setup introduces “noticeable” delays for up to 10 minutes, I see that as 
a problem. My customers will see that as a problem also. I was constantly being 
asked why does it take so long for emails to arrive and gmail doesn’t take that 
long etc… when I was using graylisting.  So you must have really understanding 
customers.




RE: whitelist

2019-07-12 Thread Dino Edwards

Gregory,

I don’t have direct experience, since I’ve never used it that way.

Additionally, as far as I understand, the Postfix Before-Queue setup is not 
recommended for amavisd-new since there is a risk of mail loss if amavis fails 
among other things and I’ve had it fail before with some message that amavis 
simply didn’t like (Russian language emails)

Any particular reason why you use it that way?


From: Gregory Sloop [mailto:gr...@sloop.net]
Sent: Friday, July 12, 2019 1:48 PM
To: Dino Edwards ; Curtis Vaughan 
; amavis-users@amavis.org
Subject: Re: whitelist

Dino...

IIRC the following doesn't work if Amavis is set in postfix as a pre-accept 
filter, right?
[It seems I looked at doing it this way, but since we use Amavis as a pre 
MTA-accept filter, this wasn't even an option. Just wanting to confirm...]

-Greg

DE> Here's how to do it with BONUS blacklist:

DE> In postfix /etc/postfix/main.cf set the following for whitelist senders:

DE> smtpd_sender_restrictions = check_sender_access
DE> hash:/etc/postfix/amavis_senderbypass

DE> In the /etc/postfix/amavis_senderbypass file enter email
DE> addresses and/or domains you wish to whitelist (one per line) as follows:

DE> b...@example.com  FILTER amavis:[127.0.0.1]:10030
DE> example2.com  FILTER amavis:[127.0.0.1]:10030

DE> Ensure you postmap the file and reload postfix

DE> In Amavis /etc/amavis/conf/50_user set the following to whitelist
DE> recipients (ensure port 10030 is available in your system):

DE> $inet_socket_port = [10021, 10030];

DE> # This policy will bypass ALL checks.
DE> read_hash(\%whitelist_sender, '/etc/amavis/white.lst');
DE> @whitelist_sender_maps = (\%whitelist_sender);



DE> $interface_policy{'10030'} = 'BYPASSALLCHECKS';
DE> $policy_bank{'BYPASSALLCHECKS'} = { # mail from the pickup daemon
DE> log_level => 5,
DE> bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't 
spam-check this mail
DE> bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't 
banned-check this mail
DE> bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't 
header-check this mail
DE> bypass_virus_checks_maps  => ['@whitelist_sender_maps'],  # don't 
virus-check this mail
DE> };


DE> In /etc/amavis/white.lst enter the SAME senders and/or
DE> domains as you set in the /etc/postfix/amavis_senderbypass file
DE> from above but without the  "FILTER amavis:[127.0.0.1]:10030" part as 
follows (one per line):

DE> b...@example.com
DE> example2.com

DE> So basically this tells postfix that any sender matching the list
DE> to inject to Amavis at port 10030 and then Amavis has an interface
DE> policy at 10030 where it takes action according to the policy
DE> settings. You can adjust the Amavis policy as you see fit. In the
DE> example above, it bypasses ALL checks (spam, banned, header and virus) 
checks.

DE> Here's the blacklist (much simpler)

DE> In /etc/amavis/conf/50_user set the following:

DE> # Blacklist Senders
DE> @blacklist_sender_maps=(read_hash(\%blacklist_sender, 
'/etc/amavis/black.lst'));

DE> And populate /etc/amavis/black.lst with senders you wish to block.

DE> There is also a way to do a sender to recipient block/allow but
DE> that only bypasses spam checks and it's a bit more complicated to
DE> set. I can send you info on that if you want.

DE> Thanks



DE> -Original Message-
DE> From: amavis-users
DE> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Curtis Vaughan
DE> Sent: Thursday, July 11, 2019 4:38 PM
DE> To: amavis-users@amavis.org
DE> Subject: whitelist

DE> I have been unable for a very long time now to figure out how to
DE> whitelist certain email address or domains.
DE> I have found several different blogs/help sites that "provide" an
DE> answer, but none of them have ever worked.
DE> Creating whitelists for postfix that referred to by main.cf
DE> definitely haven't worked. Another "solution" involved including a
DE> line in main.cf that basically tried to bypass amavis.
DE> Anyhow, I feel I'm approaching the solution in either case the
DE> wrong way as they concentrate on postfix and not amavis.
DE> Hopefully someone can point me in the right direction?
DE> Thanks!

DE> I'm using postfix with amavis on ubuntu.


--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---


RE: whitelist

2019-07-12 Thread Dino Edwards
Here's how to do it with BONUS blacklist:

In postfix /etc/postfix/main.cf set the following for whitelist senders:

smtpd_sender_restrictions = check_sender_access 
hash:/etc/postfix/amavis_senderbypass

In the /etc/postfix/amavis_senderbypass file enter email addresses and/or 
domains you wish to whitelist (one per line) as follows:

b...@example.com  FILTER amavis:[127.0.0.1]:10030
example2.com  FILTER amavis:[127.0.0.1]:10030

Ensure you postmap the file and reload postfix

In Amavis /etc/amavis/conf/50_user set the following to whitelist recipients 
(ensure port 10030 is available in your system):

$inet_socket_port = [10021, 10030];

# This policy will bypass ALL checks.
read_hash(\%whitelist_sender, '/etc/amavis/white.lst');
@whitelist_sender_maps = (\%whitelist_sender);



$interface_policy{'10030'} = 'BYPASSALLCHECKS';
$policy_bank{'BYPASSALLCHECKS'} = { # mail from the pickup daemon
log_level => 5,
bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't 
spam-check this mail
bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't 
banned-check this mail
bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't 
header-check this mail
bypass_virus_checks_maps  => ['@whitelist_sender_maps'],  # don't 
virus-check this mail
};


In /etc/amavis/white.lst enter the SAME senders and/or domains as you set 
in the /etc/postfix/amavis_senderbypass file from above but without the  
"FILTER amavis:[127.0.0.1]:10030" part as follows (one per line):

b...@example.com 
example2.com 

So basically this tells postfix that any sender matching the list to inject to 
Amavis at port 10030 and then Amavis has an interface policy at 10030 where it 
takes action according to the policy settings. You can adjust the Amavis policy 
as you see fit. In the example above, it bypasses ALL checks (spam, banned, 
header and virus) checks. 

Here's the blacklist (much simpler)

In /etc/amavis/conf/50_user set the following:

# Blacklist Senders
@blacklist_sender_maps=(read_hash(\%blacklist_sender, '/etc/amavis/black.lst'));

And populate /etc/amavis/black.lst with senders you wish to block.

There is also a way to do a sender to recipient block/allow but that only 
bypasses spam checks and it's a bit more complicated to set. I can send you 
info on that if you want.

Thanks



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Curtis Vaughan
Sent: Thursday, July 11, 2019 4:38 PM
To: amavis-users@amavis.org
Subject: whitelist

I have been unable for a very long time now to figure out how to whitelist 
certain email address or domains. 
I have found several different blogs/help sites that "provide" an answer, but 
none of them have ever worked. 
Creating whitelists for postfix that referred to by main.cf definitely haven't 
worked. Another "solution" involved including a line in main.cf that basically 
tried to bypass amavis.
Anyhow, I feel I'm approaching the solution in either case the wrong way as 
they concentrate on postfix and not amavis. 
Hopefully someone can point me in the right direction?
Thanks!

I'm using postfix with amavis on ubuntu. 
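As an added example (editor's code, not from the post), the following emulates, in simplified form, how Postfix's check_sender_access and amavis's hash lookups each match a sender against the two files the post describes, and cross-checks them. The map contents and sender addresses are constructed. The point worth knowing: with Postfix's default parent_domain_matches_subdomains (which lists smtpd_access_maps), a bare `example2.com` key in the Postfix map also catches senders at sub.example2.com, whereas the same key in white.lst matches only that exact domain (amavis wants `.example2.com` to cover subdomains), so such a sender is routed to port 10030 but not bypassed. One caveat on the mechanism as a whole: both lookups key on the envelope MAIL FROM, which anyone can forge, so a sender-only bypass of virus and banned-file checks is only as strong as whatever SPF or DKIM verification sits in front of it.

```python
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample files mirroring the layout described in the post.
POSTFIX_BYPASS_MAP = """\
# /etc/postfix/amavis_senderbypass  (run postmap on it)
alice@example.com   FILTER amavis:[127.0.0.1]:10030
example2.com        FILTER amavis:[127.0.0.1]:10030
"""
AMAVIS_WHITE_LST = """\
# /etc/amavis/white.lst  (read_hash: one key per line, value optional)
alice@example.com
example2.com
"""


def parse_keys(text: str) -> Set[str]:
    """Keys of either file: first token of every non-blank, non-comment line."""
    keys: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keys.add(line.split()[0].lower())
    return keys


def postfix_matches(entry: str, sender: str) -> bool:
    """Simplified check_sender_access semantics for one table key: a full
    address; 'user@' for any domain; 'domain' for the domain and, under the
    default parent_domain_matches_subdomains, every subdomain of it.
    (The '.domain' form, used when that default is changed, is left out.)"""
    entry, sender = entry.lower(), sender.lower()
    local, _, domain = sender.rpartition("@")
    if entry.endswith("@"):
        return entry == local + "@"
    if "@" in entry:
        return entry == sender
    return domain == entry or domain.endswith("." + entry)


def amavis_matches(entry: str, sender: str) -> bool:
    """Simplified amavis hash-lookup semantics (README.lookups) for one key:
    a full address; 'user@' for any domain; 'domain' for that exact domain
    only; '.domain' for the domain and its subdomains."""
    entry, sender = entry.lower(), sender.lower()
    local, _, domain = sender.rpartition("@")
    if entry.endswith("@"):
        return entry == local + "@"
    if "@" in entry:
        return entry == sender
    if entry.startswith("."):
        parent = entry[1:]
        return domain == parent or domain.endswith("." + parent)
    return domain == entry


def first_hit(entries: Iterable[str], sender: str,
              matcher: Callable[[str, str], bool]) -> Optional[str]:
    """Any matching key (precedence between keys is not modelled here)."""
    for entry in sorted(entries):
        if matcher(entry, sender):
            return entry
    return None


def cross_check(postfix_text: str, amavis_text: str, senders: Iterable[str]) -> Dict[str, List]:
    """Keys present in only one file, plus senders that Postfix would route to
    the bypass port while amavis would still scan them (or the reverse)."""
    pf, am = parse_keys(postfix_text), parse_keys(amavis_text)
    report: Dict[str, List] = {
        "only_in_postfix": sorted(pf - am),
        "only_in_amavis": sorted(am - pf),
        "diverging": [],
    }
    for sender in senders:
        p = first_hit(pf, sender, postfix_matches)
        a = first_hit(am, sender, amavis_matches)
        if (p is None) != (a is None):
            report["diverging"].append((sender, p, a))
    return report
```

Feed it your real sender list (a day's worth of MAIL FROM values from the log is a good corpus) and treat every "diverging" row as a file entry to rewrite in one of the two spellings.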



RE: Recommended web UI for Amavisd quarantine?

2019-07-09 Thread Dino Edwards
Maybe not exactly what you need since this is a relay appliance (not a full 
blown mail server) but maybe take a look at open source Hermes SEG:

https://www.deeztek.com/products/hermes-secure-email-gateway/

The functionality you desire plus much more is described in the docs:

https://www.deeztek.com/documentation/hermes-seg-documentation/hermes-seg-administrator-guide/content-checks/message-history-archive/


Full disclosure: I'm the author of the Hermes SEG project

Thanks

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Rich Wales
Sent: Monday, July 8, 2019 9:08 PM
To: amavis-users@amavis.org
Subject: Recommended web UI for Amavisd quarantine?

I'm running amavisd-new version 2.11.0 on my Ubuntu mail server, which I 
recently upgraded to Ubuntu 18.04 LTS.

Up till now, I've been using a locally patched version of MailZu to manage the 
Amavis quarantine.  (This server is just for my family, and I'm the only person 
who deals with the quarantine.)  And amavisd-new itself is running just fine 
for me.

But with my latest OS upgrade, something has caused my hacked MailZu to break, 
and I'm not sure I'm up to finding/fixing the problem right now, and (as most 
people here probably already know) the MailZu project was abandoned years ago, 
so I can't upgrade to a newer version anymore.

So . . . .  What do people use nowadays to list their Amavis quarantine, delete 
and release messages, and view an individual message before deciding whether to 
release it or not?

I was considering something called PostVisAdmin, but that program wants PHP 5, 
and its dependencies won't recognize the PHP 7 which I have on my server.

Any other suggestions?

Rich Wales
ri...@richw.org


RE: mysql error in amavis

2019-04-16 Thread Dino Edwards
Anyone have any insight on this?

From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Dino Edwards
Sent: Tuesday, April 9, 2019 2:44 PM
To: amavis-users@amavis.org
Subject: mysql error in amavis

I've noticed the following errors on certain messages in mail.log:

amavis[4270]: (04270-02) (!)WARN save_info_final: sql exec: err=1366, HY000, 
DBD::mysql::st execute failed: Incorrect string value: '\\xF0\\x9F\\x8E\\x89' 
for column 'subject' at row 1 at (eval 100) line 172

After looking in the msgs table, I found a bunch of messages that have an empty 
subject as well as other empty fields. These are obviously the messages that 
amavis was not able to store in the MySQL database because of the above error.

As far as I can tell, these are most likely messages with special characters in 
the subject line (emojis etc) that amavis is not able to store in the database.

After some research, I have gathered that I most likely need to enable  4-Byte 
support in MySQL.

I have a couple of questions:


1.   Has anyone run into a similar problem and what have they done to solve 
it

2.   Would enabling 4-Byte support in MySQL affect amavis in any way?


Thanks in advance







RE: amavis minimal db config for whitelist/blacklist

2019-04-16 Thread Dino Edwards
This is what I have for the wblist lookup:

$sql_select_white_black_list =
  'SELECT wb FROM wblist,mailaddr,users'
  . ' WHERE (users.id=?)'
  . ' AND (wblist.rid=users.id)'
  . ' AND (wblist.sid=mailaddr.id)'
  . ' AND (mailaddr.email IN (%k))';
#  . ' ORDER BY mailaddr.priority DESC';


This is for the policy lookup:

$sql_select_policy = 'SELECT *, users.id FROM users,policy'.
' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
' ORDER BY users.priority DESC';

And of course your   @lookup_sql_dsn  you posted below. I'm using MySQL so the 
queries might be a bit different. 



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of mabi
Sent: Thursday, April 11, 2019 10:16 AM
To: amavis-users@amavis.org
Subject: amavis minimal db config for whitelist/blacklist

Hello,

I am using amavis with spamassassin and clamav for checking incoming mails. At 
the moment I am not using any database as I don't use any user specific 
settings but now I would like to enable the whitelist/blacklist feature of 
amavis so that the users can have their own whitelist/blacklist.

If I understand amavis sql documentation correctly all I need for that purpose 
is a lookup database with the mailaddr, users, wblist and policy tables as well 
as the following config:

  @lookup_sql_dsn =
   ([ 'DBI:Pg:database=mail_prefs', 'username', 'password' ]);

is that it? or am I maybe missing something?

I will be using PostgreSQL as database and would like to keep the config 
minimal. For example I don't need custom policies just plain default.

Regards,
Mabi
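To see the two queries above actually do something, here is an added example (not from the thread and not amavis code) that builds the four lookup tables in an in-memory sqlite database, expands `%k` into one placeholder per lookup key the way amavis does, and runs the stock forms of `$sql_select_policy` and `$sql_select_white_black_list` against constructed rows. Table definitions are reduced to the columns the queries touch; the key-derivation order follows amavis's README.lookups as I read it (no +extension handling), and `@.` as the catch-all spelling is taken from README.sql. Both are assumptions to verify against your own amavis version.

```python
import sqlite3
from typing import List, Optional, Tuple

# Minimal sqlite rendering of the four amavis lookup tables (README.sql uses
# MySQL/PostgreSQL types; columns reduced to what the two queries touch).
SCHEMA = """
CREATE TABLE policy   (id INTEGER PRIMARY KEY, policy_name TEXT NOT NULL,
                       spam_tag2_level REAL, spam_kill_level REAL);
CREATE TABLE users    (id INTEGER PRIMARY KEY, priority INTEGER NOT NULL DEFAULT 7,
                       policy_id INTEGER NOT NULL DEFAULT 1, email TEXT NOT NULL UNIQUE);
CREATE TABLE mailaddr (id INTEGER PRIMARY KEY, priority INTEGER NOT NULL DEFAULT 7,
                       email TEXT NOT NULL UNIQUE);
CREATE TABLE wblist   (rid INTEGER NOT NULL, sid INTEGER NOT NULL, wb TEXT NOT NULL,
                       PRIMARY KEY (rid, sid));
"""

# Constructed data: a catch-all row, a domain-wide row and one mailbox.
SEED = """
INSERT INTO policy   VALUES (1, 'default', 6.2, 6.9), (2, 'strict', 4.0, 5.0);
INSERT INTO users    VALUES (1, 0, 1, '@.'),
                            (2, 5, 2, '.example.com'),
                            (3, 7, 1, 'alice@example.com');
INSERT INTO mailaddr VALUES (1, 7, 'newsletter@vendor.example'),
                            (2, 5, '.spammy.example');
INSERT INTO wblist   VALUES (3, 1, 'W'),   -- alice whitelists the newsletter
                            (2, 2, 'B');   -- the whole domain blacklists spammy.example
"""

# Stock query forms from amavisd.conf-default; amavis swaps %k for the keys.
SQL_SELECT_POLICY = (
    "SELECT *, users.id FROM users LEFT JOIN policy ON users.policy_id=policy.id"
    " WHERE users.email IN (%k) ORDER BY users.priority DESC")
SQL_SELECT_WBLIST = (
    "SELECT wb FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id"
    " WHERE wblist.rid=? AND mailaddr.email IN (%k) ORDER BY mailaddr.priority DESC")


def lookup_keys(addr: str) -> List[str]:
    """Keys amavis derives from one address, most specific first (assumption:
    README.lookups order without +extension handling; '@.' is the SQL catch-all)."""
    local, _, domain = addr.lower().rpartition("@")
    labels = domain.split(".")
    return ([f"{local}@{domain}", f"{local}@", domain]
            + ["." + ".".join(labels[i:]) for i in range(len(labels))]
            + [".", "@."])


def expand(sql: str, keys: List[str]) -> str:
    """One bind placeholder per lookup key, in place of %k."""
    return sql.replace("%k", ",".join("?" * len(keys)))


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SEED)
    return conn


def select_policy(conn: sqlite3.Connection, recipient: str) -> Optional[Tuple[int, str]]:
    """First row wins: the highest users.priority among all matching keys."""
    keys = lookup_keys(recipient)
    cur = conn.execute(expand(SQL_SELECT_POLICY, keys), keys)
    row = cur.fetchone()
    if row is None:
        return None
    names = [d[0] for d in cur.description]
    return row[-1], row[names.index("policy_name")]   # trailing users.id, policy name


def select_wblist(conn: sqlite3.Connection, user_id: int, sender: str) -> Optional[str]:
    keys = lookup_keys(sender)
    row = conn.execute(expand(SQL_SELECT_WBLIST, keys), [user_id, *keys]).fetchone()
    return None if row is None else row[0]


def classify(conn: sqlite3.Connection, sender: str, recipient: str):
    """(policy_name, 'W'|'B'|None) for one sender/recipient pair, as amavis
    would resolve it: recipient picks the users row, that row's id scopes wblist."""
    pol = select_policy(conn, recipient)
    if pol is None:
        return None
    user_id, policy_name = pol
    return policy_name, select_wblist(conn, user_id, sender)
```

The per-user scoping is the part people miss: alice's whitelist entry is keyed on her users.id, so a blacklist entry tied to the `.example.com` row does not apply to her more specific row, and vice versa.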


mysql error in amavis

2019-04-09 Thread Dino Edwards
I've noticed the following errors on certain messages in mail.log:

amavis[4270]: (04270-02) (!)WARN save_info_final: sql exec: err=1366, HY000, 
DBD::mysql::st execute failed: Incorrect string value: '\\xF0\\x9F\\x8E\\x89' 
for column 'subject' at row 1 at (eval 100) line 172

After looking in the msgs table, I found a bunch of messages that have an empty 
subject as well as other empty fields. These are obviously the messages that 
amavis was not able to store in the MySQL database because of the above error.

As far as I can tell, these are most likely messages with special characters in 
the subject line (emojis etc) that amavis is not able to store in the database.

After some research, I have gathered that I most likely need to enable  4-Byte 
support in MySQL.

I have a couple of questions:


1.   Has anyone run into a similar problem and what have they done to solve 
it

2.   Would enabling 4-Byte support in MySQL affect amavis in any way?


Thanks in advance
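An added example (not from the thread) that shows where the error comes from and what to do about it: the bytes MySQL prints, F0 9F 8E 89, are the UTF-8 encoding of a single emoji, and MySQL's `utf8` character set stores at most three bytes per character, so the INSERT fails and amavis logs the row without the subject. The functions below decode an RFC 2047 subject into the Unicode string amavis would store, detect whether it needs utf8mb4, list the offending sequences in MySQL's own notation, and offer a stop-gap substitution for the time before the schema is converted. The sample subjects are constructed; the ALTER statement assumes the stock amavis msgs table name and is something to check against your schema first.

```python
import re
from email.header import decode_header, make_header
from typing import Dict, List

# Constructed samples. The third carries U+1F389 (PARTY POPPER), whose UTF-8
# form is F0 9F 8E 89, exactly the bytes quoted in the MySQL error.
SAMPLE_SUBJECTS = {
    "ascii": "Invoice 4711",
    "latin": "Grüße aus Wien",          # U+00FC etc.: 2-byte UTF-8, fine in 'utf8'
    "emoji": "\U0001F389 party time",   # 4-byte UTF-8: needs utf8mb4
}

# The same emoji subject as it might arrive on the wire (RFC 2047 encoded-word).
SAMPLE_RAW_SUBJECT = "=?UTF-8?B?8J+OiQ==?= party time"

# Matches a 4-byte UTF-8 lead byte plus three continuation bytes.
FOUR_BYTE = re.compile(rb"[\xF0-\xF4][\x80-\xBF]{3}")

# Schema change (assumption: your logging table is the stock 'msgs'; verify
# with SHOW CREATE TABLE, and on older InnoDB check that no indexed
# VARCHAR(255) column grows past the 767-byte index prefix limit).
ALTER_SQL = "ALTER TABLE msgs CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"


def decoded_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words into the Unicode string that ends up in
    msgs.subject."""
    return str(make_header(decode_header(raw)))


def needs_utf8mb4(text: str) -> bool:
    """True when any code point lies above U+FFFF; those encode to four UTF-8
    bytes, which MySQL's 3-byte 'utf8' rejects with error 1366."""
    return any(ord(ch) > 0xFFFF for ch in text)


def four_byte_sequences(raw: bytes) -> List[str]:
    """The 4-byte UTF-8 sequences in raw, escaped the way MySQL prints them."""
    return ["".join(f"\\x{b:02X}" for b in m.group()) for m in FOUR_BYTE.finditer(raw)]


def fallback_for_3byte(text: str) -> str:
    """Stop-gap until the table is converted: replace astral characters with
    U+FFFD so the row is still written instead of landing with an empty subject."""
    return "".join(ch if ord(ch) <= 0xFFFF else "\ufffd" for ch in text)


def triage(raw_subject: str) -> Dict[str, object]:
    """Everything an operator wants to know about one incoming Subject header."""
    text = decoded_subject(raw_subject)
    return {
        "subject": text,
        "needs_utf8mb4": needs_utf8mb4(text),
        "sequences": four_byte_sequences(text.encode("utf-8")),
        "safe_for_utf8": fallback_for_3byte(text),
    }
```

Run `triage()` over a few subjects pulled from the log to confirm the diagnosis before converting the table; the conversion itself does not change anything amavis does, it only widens what the column can hold.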







RE: Send recipient notification of quarantined spam

2019-02-08 Thread Dino Edwards
We have been able to accomplish what you are asking for with our appliance. We 
have a job that runs on a scheduled basis (2, 4, 8 hours or daily depending on 
recipient preferences) that goes through the msgs table and selects any 
messages that were quarantined during that time period  (viruses, banned files, 
spam, bad headers) and creates a report that it sends to the recipient with a 
list of the messages that were quarantined. The report contains the listing as 
well as a link to view/release the message back to the recipient's mailbox.

Our appliance is open source and free. You can read it about it and download it 
here if you are interested:

https://www.deeztek.com/products/hermes-secure-email-gateway/

Source code is also posted on github if you wanna see how we went about 
implementing that functionality, or you can simply download and implement our 
appliance in your environment. We also have very extensive documentation.




From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Tom Robinson
Sent: Thursday, February 7, 2019 5:23 PM
To: amavis-users@amavis.org
Subject: Re: Send recipient notification of quarantined spam


On 7/2/19 6:00 pm, Dominic Raferd wrote:
>
>
> On Thu, 7 Feb 2019 at 04:46, Tom Robinson  wrote:
>
> bump
>
> On 5/2/19 12:08 pm, Tom Robinson wrote:
>>
>> Hi,
>>
>> I'm sure this has been answered before but I just can't seem to find the 
>> right settings.
>>
>> I want the recipient of a quarantined SPAM email to receive a 
>> notification that it was
>> quarantined.
>>
>> Notifications are working for viruses that get quarantined but I can't 
>> get it to work for SPAM.
>>
>> I have the following in my amavisd.conf
>>
>> $virus_admin   = "postmaster\@$mydomain";   
>> # notifications recip.
>> $mailfrom_notify_admin = "virusalert\@$mydomain";   
>> # notifications sender
>> $mailfrom_notify_recip = "virusalert\@$mydomain";   
>> # notifications sender
>> $mailfrom_notify_spamadmin = "spamalert\@$mydomain";
>> # notifications sender
>> $mailfrom_to_quarantine = ''; # null return path; uses original sender 
>> if undef
>>
>> $final_virus_destiny  = D_DISCARD;
>> $final_banned_destiny = D_DISCARD;
>> $final_spam_destiny   = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
>> $final_bad_header_destiny = D_PASS;
>> $virus_quarantine_method= 'local:virus/%m';
>> $spam_quarantine_method = 'local:spam/%m.gz';
>> $banned_files_quarantine_method = 'local:banned/%m';
>> $bad_header_quarantine_method   = 'local:badh/%m';
>>
>> $warnvirusrecip = 1;
>> $warnbannedrecip = 1;
>> $warnbannedsender = 0;
>>
> Try: https://lists.amavis.org/pipermail/amavis-users/2012-July/001717.html
> I'm not clear how amavis decides whether a recipient is 'local'. Might be 
> worth setting
> $warn_offsite to 1 if only to rule this out.
>
> Looking at comments in amavisd-new code 2.11.0 it seems that warnbannedrecip 
> is deprecated in
> favour of warnbannedrecip_maps (although it should still work).
>
> You aren't using any named policy banks are you? If so, it might also need to 
> be set explicitly
> inside each named policy bank (as do a lot of things, sadly), and with 
> different syntax
> (warnbannedrecip  => 1,).

Thanks Dominic.

Just to be clear, I'm using CentOS 7, amavisd-new 2.11.0.

I can't find ANY decent documentation about how to configure 
warnbannedrecip_maps. How can I use
this configuration option?

The only policy banks in my amavisd.conf are the default ones that are already 
configured in the
CentOS 7 packages:

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
$policy_bank{'AM.PDP-SOCK'} = {

The warnbannedrecip_maps is nowhere to be found in my amavisd.conf

I've also read that setting $warn_offsite on can create backscatter. Really not 
sure how to handle this.

Where is the documentation? RTFM comes to mind but it's hard when you can't 
find any!

The following is an interesting read but the discussion is about 'sender 
notification'

https://lists.amavis.org/pipermail/amavis-users/2016-November/004649.html

I need 'recipient notification'

I'm very hesitant to set $warn_offsite until I can be sure what it will do. :-/
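The scheduled job described in the reply above, as an added example (editor's code; not Hermes SEG code and not from the thread): an in-memory sqlite copy of the three amavis logging tables such a job has to read (msgs, msgrcpt and maddr, reduced to the columns used), constructed rows, and a function that builds one report per recipient for a time window. The base URL of the release front end is hypothetical. The link carries both mail_id and secret_id because an AM.PDP release request needs both; the secret therefore works as a per-message capability, so the digest must go only to the recipient it belongs to, and the report should be sent through a path that does not itself get filtered.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List

# sqlite stand-in for the amavis logging tables (README.sql), reduced to the
# columns the digest needs. time_num is epoch seconds, as in amavis.
SCHEMA = """
CREATE TABLE maddr   (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE msgs    (mail_id TEXT PRIMARY KEY, secret_id TEXT NOT NULL,
                      time_num INTEGER NOT NULL, content TEXT, quar_type TEXT,
                      quar_loc TEXT, from_addr TEXT, subject TEXT);
CREATE TABLE msgrcpt (mail_id TEXT NOT NULL, rseqnum INTEGER NOT NULL,
                      rid INTEGER NOT NULL, content TEXT, ds TEXT,
                      PRIMARY KEY (mail_id, rseqnum));
"""

NOW = 1_549_580_400  # constructed reference time (epoch seconds)

# Constructed rows: a spam, a virus to two recipients, a clean message and an
# old banned-file message outside the window.
SEED = f"""
INSERT INTO maddr VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
INSERT INTO msgs VALUES
  ('m1', 's1', {NOW - 3600},   'S', 'Q', 'spam/m1',   'sender@outside.example', 'Cheap meds'),
  ('m2', 's2', {NOW - 1800},   'V', 'Q', 'virus/m2',  'sender@outside.example', 'Invoice.exe'),
  ('m3', 's3', {NOW - 900},    'C', NULL, NULL,       'friend@outside.example', 'Hello'),
  ('m4', 's4', {NOW - 100000}, 'B', 'Q', 'banned/m4', 'sender@outside.example', 'old attachment');
INSERT INTO msgrcpt VALUES
  ('m1', 1, 1, 'S', 'D'), ('m2', 1, 1, 'V', 'D'), ('m2', 2, 2, 'V', 'D'),
  ('m3', 1, 2, 'C', 'P'), ('m4', 1, 2, 'B', 'D');
"""

# amavis content codes as used in msgs.content / msgrcpt.content
CONTENT_LABELS = {"V": "virus", "B": "banned file", "S": "spam", "Y": "spam (tagged)",
                  "H": "bad header", "O": "oversized", "M": "MTA error"}

# Quarantined in the window and NOT delivered to this recipient (ds <> 'P'):
# a message both quarantined and passed (bad header under D_PASS) is left
# out so the digest never announces as held something the user already has.
QUERY = """
SELECT r.email, m.mail_id, m.secret_id, m.time_num, m.from_addr, m.subject,
       COALESCE(mr.content, m.content) AS content
FROM   msgs m
JOIN   msgrcpt mr ON mr.mail_id = m.mail_id
JOIN   maddr   r  ON r.id = mr.rid
WHERE  m.quar_type IS NOT NULL
  AND  mr.ds <> 'P'
  AND  m.time_num >= ? AND m.time_num < ?
ORDER  BY r.email, m.time_num
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA + SEED)
    return conn


def quarantined_between(conn: sqlite3.Connection, since: int, until: int) -> List[sqlite3.Row]:
    return conn.execute(QUERY, (since, until)).fetchall()


def digest(conn: sqlite3.Connection, since: int, until: int, base_url: str) -> Dict[str, str]:
    """One report per recipient. base_url is a hypothetical release front end."""
    reports: Dict[str, List[str]] = {}
    for row in quarantined_between(conn, since, until):
        when = datetime.fromtimestamp(row["time_num"], timezone.utc).strftime("%Y-%m-%d %H:%M")
        kind = CONTENT_LABELS.get(row["content"], row["content"])
        entry = (f"{when}  {kind:<12} from {row['from_addr']}: {row['subject']}\n"
                 f"    release: {base_url}/release?mail_id={row['mail_id']}"
                 f"&secret_id={row['secret_id']}")
        reports.setdefault(row["email"], []).append(entry)
    return {rcpt: "Messages held in quarantine:\n" + "\n".join(lines)
            for rcpt, lines in reports.items()}
```

For the real tables add an index on msgs.time_num if one is not already there, and keep the window boundaries in the job's own state rather than recomputing "last 8 hours" from wall-clock time, or a delayed run will skip messages.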




RE: Example for amavisd-signer as separate systemd service?

2018-11-02 Thread Dino Edwards
If you want it as a separate service, wouldn't it be better to use opendkim 
instead?



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of ge...@ssl-mail.com
Sent: Thursday, November 1, 2018 8:00 PM
To: amavis-users@amavis.org
Subject: Example for amavisd-signer as separate systemd service?

Hi

I am just installing Amavisd-New to use with Postfix.

I am working on DKIM signing.

I read the docs about amavisd-signer and have some questions.

I want to set up amavisd-signer as a separate signing service.

I am looking for an example of launching it with systemd .service.

Also I want to understand if it uses then a separate configuration file? From 
the amavisd.conf?

Is there a good example or documentation of these?


Thanks.

Gerd


RE: originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

2018-02-12 Thread Dino Edwards
Wouldn't this be avoided by simply using opendkim for DKIM signing instead of 
relying on amavis for that? Or are there other use scenarios for the 
originating flag where this would come into play?



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Giovanni
Sent: Monday, February 12, 2018 4:43 AM
To: amavis-users@amavis.org
Subject: Re: originating flag not working - critical bug - RelayedOpenRelay / 
DKIM signing not working

Karol Augustin  wrote:
> Hi,
> 
> I am explicitly copying original authors of threads I am referring to 
> in this email, as I don't know if they are still monitoring the list 
> for solution to the problem.
> I would like to thank Giovanni for supplying the patch, which has now 
> spread across internet.
> 
> There is evidence of a critical bug in quite a few threads on this 
> list that manifests itself in various ways. Some users have problems 
> with DKIM signatures of outgoing mail, others with mail marked as 
> RelayedOpenRelay in the logs.
> 
> The issue is caused by Amavis not honoring originating flag, which 
> causes all sender addresses to be treated as "foreign", which 
> obviously has a huge potential of breaking mail flow especially in 
> environments where there are multiple e-mail paths and policy banks 
> configured.
> 
> 
> I hit the same problem when I upgraded to 2.11.0 few days ago and 
> asked similar question in a reply to existing thread.
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.h
> tml
> 
> The same issue was described earlier in following thread:
> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.h
> tml
> 
> Original mention of this problem was made by Giovanni, who kindly 
> provided a one line fix to the problem:
> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
> 
for the record, the patch I submitted 2 years ago fixes the bug with postfix; 
there are some corner cases (spotted by an Opensmtpd instance, maybe by some 
other mta as well) that need an additional one line fix.
Full patch follows.
 Giovanni

--- amavisd.origTue Apr 26 21:24:33 2016
+++ amavisd Fri Aug  5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request() {
 }
 # load policy banks from the 'client_ipaddr_policy' lookup
 Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+$msginfo->originating(c('originating'));
 
 $msginfo->client_addr($cl_ip);  # ADDR
 $msginfo->client_port($cl_port);# PORT
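Review bot: the added `$msginfo->originating(c('originating'));` re-reads the flag once, immediately after the `Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;` loop, which means it only stays correct until the next bank is loaded later in the same request and the same line has to be repeated at every later call site (the second hunk does this for the DKIM-derived banks); a one-line comment stating why the explicit refresh is needed here, even though `$msginfo` is already passed to load_policy_bank, would save the next person from removing it as redundant.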
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
 $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;  
# if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature
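Review bot: the hunk header `@@ -34338,6 +34330,7 @@` puts the new file eight lines behind the old one, while the first hunk only adds a single line at 22806, so this diff was taken against a tree that already differs from a pristine amavisd; expect `patch` to need an offset or fuzz on a stock 2.11.0, and when applying by hand make sure the new line lands after the `Amavis::load_policy_bank($_,$msginfo) for @bank_names;` loop and before `$msginfo->dkim_signatures_valid(...)`, as shown.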



RE: Open relay? Nonlocal recips but not originating: in my maillog

2018-02-10 Thread Dino Edwards
Sorry Karol, 

I misspoke. I thought this was another issue. Ignore my comment.



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Karol Augustin
Sent: Friday, February 9, 2018 8:05 PM
To: amavis-users@amavis.org
Subject: Re: Open relay? Nonlocal recips but not originating: in my maillog

On 2018-02-10 0:44, Dino Edwards wrote:

> This has been a well-publicized issue. As far as I can tell there is no fix, 
> it seems to be a perl issue. Are you using Fedora? 

I couldn't find anything about it. I am using Debian. Can you point me to any 
info about it?

It seems weird to be a Perl issue. There are some changes between these 
versions around handling policy banks. Do you know what is exact cause of this? 
For me it looks like a bug.

This is diff between the versions relating handling policy banks.
Haven't got a chance to dive into that yet...


@@ -12629,14 +13000,20 @@ sub after_chroot_init() {  # 
$policy_bank{$policy_bank_name}, or load the default policy bank (empty name)  
#  sub load_policy_bank($;$) {
-  my($policy_bank_name,$msginfo) = @_;
-  if (!exists $policy_bank{$policy_bank_name}) {
-do_log(-1,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
-  } elsif ($policy_bank_name eq '') {
+  my($policy_bank_name, $msginfo) = @_;  if (!defined 
+ $policy_bank_name) {
+# silently ignore
+  } elsif (!exists $policy_bank{$policy_bank_name}) {
+do_log(5,'policy bank "%s" does not exist, ignored',
$policy_bank_name);
+  } elsif ($policy_bank_name eq '') {  # special case
 %current_policy_bank = %{$policy_bank{$policy_bank_name}};  # copy base
 update_current_log_level();
 do_log(4,'loaded base policy bank');
+  } elsif ($policy_bank_name eq c('policy_bank_name')) {
+do_log(5,'policy bank "%s" just loaded, ignored',
$policy_bank_name);
   } else {
+# compatibility: policy bank MYNETS implicitly pre-sets
'originating' flag
+$current_policy_bank{'originating'} = 1  if $policy_bank_name eq
'MYNETS';
 my $cpbp = c('policy_bank_path');  # currently loaded bank
 my $new_bank_ref = $policy_bank{$policy_bank_name};
 my $do_log5 = ll(5);
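Review bot: lowering the 'policy bank "%s" does not exist, ignored' message from do_log(-1, ...) to do_log(5, ...) turns a configuration error (a misspelled bank name in @bank_names or $interface_policy) from a warning visible at the default log level into a message that only shows at log level 5, so the silent fall-through to the previously loaded bank and its 'originating' setting will go unnoticed in production; keep it at a warning level, or at least call the change out in the release notes. The new `!defined $policy_bank_name` branch is fine staying silent, since that is the deliberate no-op; the MYNETS compatibility line that pre-sets `$current_policy_bank{'originating'} = 1` before the bank is merged would also benefit from a note that a MYNETS bank which itself sets 'originating' still wins.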
@@ -12683,10 +13060,59 @@ sub load_policy_bank($;$) {
 }
 $current_policy_bank{'policy_bank_path'} =
   ($cpbp eq '' ? '' : $cpbp.'/') . $policy_bank_name;
-update_current_log_level();
 ll(3) && do_log(3,'loaded policy bank "%s"%s', $policy_bank_name,
   $cpbp eq '' ? '' : " over \"$cpbp\"");
+# update global settings which may have changed
+update_current_log_level();
+$msginfo->originating(c('originating')) if $msginfo;
+  }
+}
+
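Review bot: `$msginfo->originating(c('originating')) if $msginfo;` at the end of the else branch makes the value in the merged %current_policy_bank after the load overwrite whatever was set on the message before the bank was loaded, so a bank that sets `originating => 0` now flips a message that was previously marked originating, and a bank that does not mention 'originating' at all now re-applies the inherited value; that is a precedence change for existing configurations and deserves both a comment here and a release-note entry. Note also that the `eq c('policy_bank_name')` short-circuit added in the previous hunk skips this refresh, so loading the same bank name twice in a row with a different $msginfo leaves the second message untouched.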



> 
> -
> 
> FROM: Karol Augustin 
> SENT: Friday, February 9, 2018 7:32 PM
> TO: amavis-users@amavis.org
> SUBJECT: Re: Open relay? Nonlocal recips but not originating: in my 
> maillog
> 
> Hi,
> 
> I have the same problem when I upgraded to 2.11. It looks like 
> originating -> 1 is not respected and Amavis decides that all e-mail 
> is sent from non-local addresses.
> 
> As soon as I update to 2.11 I get this problem:
> 
> amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK 
> LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP  -> 
> 
> amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
> [127.0.0.1]:43008 ESMTP/ESMTP  -> 
> amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING
> [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP  -> 
> 
> 
> With 2.10 (same config):
> 
> amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK 
> [2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP 
>  -> ,
> amavis[25244]: (25244-01) Passed CLEAN {RelayedOutbound}, ORIGINATING 
> LOCAL [127.0.0.1]:43684 ESMTP/ESMTP  -> 
> 
> amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING 
> LOCAL [127.0.0.1]:43838 ESMTP/ESMTP  -> 
> 
> I have the following relevant config:
> 
> $inet_socket_port = [10026,10027];
> $interface_policy{'10026'} = 'ORIGINATING'; $interface_policy{'10027'} 
> = 'PICKUP';
> 
> $policy_bank{'AM.PDP-SOCK'} = {
> protocol => 'AM.PDP',
> originating => [1],
> };
> 
> $policy_bank{'PICKUP'} = {  # mail originating from @mynetworks 
> originating => [1], enable_dkim_verification => 1, enable_dkim_signing 
> => 0,
> bypass_spam_checks_maps   => 1,  # don't spam-check internal mail
> bypass_banned_checks_maps =&

Re: Open relay? Nonlocal recips but not originating: in my maillog

2018-02-09 Thread Dino Edwards
This has been a well publicized issue. As far as I can tell there is no fix, it 
seems to be a perl issue. Are you using Fedora?



From: Karol Augustin 
Sent: Friday, February 9, 2018 7:32 PM
To: amavis-users@amavis.org
Subject: Re: Open relay? Nonlocal recips but not originating: in my maillog

Hi,

I have the same problem when I upgraded to 2.11. It looks like
originating -> 1 is not respected and Amavis decides that all e-mail is
sent from non-local addresses.


As soon as I update to 2.11 I get this problem:

amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK
LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP  ->

amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
[127.0.0.1]:43008 ESMTP/ESMTP  -> 
amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING
[86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP  ->


With 2.10 (same config):

amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK
[2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP
 -> ,
amavis[25244]: (25244-01) Passed CLEAN {RelayedOutbound}, ORIGINATING
LOCAL [127.0.0.1]:43684 ESMTP/ESMTP  ->

amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING
LOCAL [127.0.0.1]:43838 ESMTP/ESMTP  -> 


I have the following relevant config:

$inet_socket_port = [10026,10027];
$interface_policy{'10026'} = 'ORIGINATING';
$interface_policy{'10027'} = 'PICKUP';

$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  originating => [1],
};



$policy_bank{'PICKUP'} = {  # mail originating from @mynetworks
  originating => [1],
  enable_dkim_verification => 1,
  enable_dkim_signing => 0,
  bypass_spam_checks_maps   => 1,  # don't spam-check internal mail
  bypass_banned_checks_maps => 1,  # don't banned-check internal mail
#  spam_kill_level_maps => 4,
  bypass_decode_parts => 1,
  bypass_header_checks_maps => 1,
  bypass_virus_checks_maps  => 1,
  bypass_banned_checks_maps => 1,
#  remove_existing_x_scanned_headers => 1.
};

$policy_bank{'ORIGINATING'} = {  # mail originating from our users
  originating => 0,
  enable_dkim_verification => 1,
  final_virus_destiny  => D_BOUNCE,
  final_banned_destiny => D_BOUNCE,
  final_spam_destiny   => D_BOUNCE,

};

$sql_select_policy = 'SELECT name, 3.5 as spam_tag2_level, 9 as
spam_kill_level FROM virtual_domains WHERE CONCAT("@",name) IN (%k)';



Thanks,
Karol




--
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


RE: "Split config" into multiple files

2018-02-01 Thread Dino Edwards
I’m not sure if amavis will allow you to do an include as you are suggesting. 
Someone else can maybe chime in on that. Have you considered using opendkim 
instead of amavis to accomplish this? This will give you the separate file 
functionality you are looking for.


From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Jonathan Sélea
Sent: Thursday, February 1, 2018 5:37 AM
To: amavis-users@amavis.org
Subject: "Split config" into multiple files

Hi,

I'm in the process of creating a mail relay for thousands of email users and 
thousands of domains. The idea is to sign the messages with a DKIM key (and 
also ARC) in that relay because Exchange 2013 does not have support for it yet.
I have searched the man pages and the net for an answer to this, but was unable 
to find it (whether it is due to my incompetence or the fact that amavis does 
not have that function, I don't know)

I know that I can generate the .pem files with amavisd-new genrsa filename.pem 
1024 (for example) and then define the keys in /etc/amavis/conf.d/50-users like 
this:


dkim_key("DOMAIN.TLD", "SELECTOR", "/PATH/TO/PEM.FILE");

@dkim_signature_options_bysender_maps = ( {
"DOMAIN.TLD"  => { d => "DOMAIN.TLD", a => 'rsa-sha256', ttl => 10*24*3600 
},
'.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );


What I want to do is to create separate files containing this:

dkim_key("DOMAIN.TLD", "SELECTOR", "/PATH/TO/PEM.FILE");

@dkim_signature_options_bysender_maps = ( {
"DOMAIN.TLD"  => { d => "DOMAIN.TLD", a => 'rsa-sha256', ttl => 10*24*3600 
},
'.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

Can I make amavis include all the config files in a certain catalogue? For 
example "/etc/amavis/domains/*"
(like Apache does with the "Include" directive, probably the easiest way to 
describe it)

Many thanks!
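Amavis config files are plain Perl, so the Apache-style include Jonathan asks about can be done from the config itself. The following is an added example, not code from the thread or from amavis: it assumes a Debian layout where it sits in /etc/amavis/conf.d/50-user (which amavisd evaluates in package Amavis::Conf), a fragment directory /etc/amavis/domains of my own choosing, and a helper name add_signing_domain() that is mine, not an amavis function.

```perl
# Added example, not from the thread: pull per-domain DKIM fragments from
# a directory. Assumed to live in /etc/amavis/conf.d/50-user; the fragment
# directory and the helper name add_signing_domain() are my own choices.
use strict;
use warnings;

my $domain_conf_dir = '/etc/amavis/domains';   # assumed location
my %sig_opts;   # per-domain signature options collected from the fragments

# Fragments call this instead of assigning
# @dkim_signature_options_bysender_maps themselves: a plain assignment in
# each fragment would overwrite the entries added by the previous one.
#
#   # /etc/amavis/domains/example.com.conf (constructed sample fragment)
#   add_signing_domain('example.com', 'sel2018',
#                      '/etc/amavis/dkim/example.com.pem');
#   1;
sub add_signing_domain {
  my ($domain, $selector, $pem_file, %opts) = @_;
  die "duplicate DKIM config for $domain\n" if exists $sig_opts{$domain};
  dkim_key($domain, $selector, $pem_file);   # amavisd's own function
  $sig_opts{$domain} = {
    d   => $domain,
    a   => 'rsa-sha256',
    ttl => 10*24*3600,
    %opts,                                   # per-domain overrides, if any
  };
}

# Load every *.conf fragment in sorted order. A fragment is ordinary Perl
# executed with amavisd's privileges, so the directory must be writable
# by root only; like any amavis config file it has to end with "1;".
for my $file (sort glob("$domain_conf_dir/*.conf")) {
  my $rc = do $file;
  unless ($rc) {
    die "cannot parse $file: $@" if $@;
    die "cannot read $file: $!"  unless defined $rc;
    die "$file did not return a true value (missing trailing 1;)\n";
  }
}

# One map for all signing domains. amavis consults the '.' catch-all only
# after the full domain and its parents failed to match, so the per-domain
# entries always take precedence regardless of hash order.
@dkim_signature_options_bysender_maps = ( {
  %sig_opts,
  '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

1;  # ensure a defined return
```

Because fragments are run with `do` from the same package, they see add_signing_domain() but not the lexical %sig_opts, so a fragment cannot corrupt another domain's entry.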


RE: Scoring questions

2018-01-30 Thread Dino Edwards
I haven’t had the chance to look at it. Is the debug log you sent from the new 
16.04 install or the 14.04 install?



From: Computer Bob [mailto:b...@inter-control.com]
Sent: Tuesday, January 30, 2018 1:10 PM
To: Dino Edwards ; amavis-users@amavis.org
Subject: Re: Scoring questions

I have now, results below.  Your thoughts on the Amavis debug ?

Results:
root@M1-2:~# /usr/bin/pyzor ping
public.pyzor.org:24441  (200, 'OK')
root@M1-2:~# /bin/rm /etc/razor/identity*
/bin/rm: cannot remove '/etc/razor/identity*': No such file or directory
root@M1-2:~# /bin/rm /etc/razor/razor-agent.conf
root@M1-2:~# /usr/bin/razor-admin -home=/etc/razor -create
root@M1-2:~# /usr/bin/razor-admin -home=/etc/razor -register
Register successful.  Identity stored in /etc/razor/identity-ru041Fju8H
root@M1-2:~#

On 1/30/18 11:51 AM, Dino Edwards wrote:

/usr/bin/razor-admin -home=/etc/razor -register



RE: Scoring questions

2018-01-30 Thread Dino Edwards
Did you? 

Initialize pyzor:

/usr/bin/pyzor ping

Initialize Razor:

/bin/rm /etc/razor/identity*
/bin/rm /etc/razor/razor-agent.conf
/usr/bin/razor-admin -home=/etc/razor -create
/usr/bin/razor-admin -home=/etc/razor -register




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Computer Bob
Sent: Tuesday, January 30, 2018 12:45 PM
To: amavis-users@amavis.org
Subject: Re: Scoring questions

I modified the following SA local.cf items:
---
#   Add *SPAM* to the Subject header of spam e-mails
#
  rewrite_header Subject *SPAM*   < Uncommented

#   Use Bayesian classifier (default: 1)
#
  use_bayes 1   < Uncommented

#   Bayesian classifier auto-learning (default: 1)
#
  bayes_auto_learn 1    < Uncommented

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
---
I added the following:
---
#dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
--
I also copied the current KAM.cf to the /etc/spamassassin folder.
Any further suggestions ?




RE: Scoring questions

2018-01-29 Thread Dino Edwards
Did you send all the headers of the emails that do not get handled correctly?



From: Computer Bob [mailto:b...@inter-control.com]
Sent: Monday, January 29, 2018 5:25 PM
To: Dino Edwards ; amavis-users@amavis.org
Subject: Re: Scoring questions

Interestingly, most mail gets handled correctly, only a few get through and 
show the odd scores and such.
If I try and forward one of those that got through to another account, they get 
handled properly and quarantined as spam !
So I am waiting for one of those odd-balls.
It's perplexing to me.
On 1/29/18 3:58 PM, Dino Edwards wrote:
If you are using putty, can you enable logging in your session, send an 
obviously spam message and send the debug output?


Thanks



From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Computer Bob
Sent: Monday, January 29, 2018 4:49 PM
To: amavis-users@amavis.org<mailto:amavis-users@amavis.org>
Subject: Re: Scoring questions

It starts with debug-sa, stays in the console window and does not put 
debug-sa info into mail.log but displays it at the console that called it.
On 1/29/18 2:33 PM, Dino Edwards wrote:
Please run amavisd in debug mode.

Stop the service

/etc/init.d/amavis stop

Then start in debug mode:

/etc/init.d/amavis debug

Open another session to your mail server and look at your /var/log/mail.log and 
you should see the following upon amavisd startup (or similar):

Jan 29 15:30:55.078 mail.domain.tld /usr/sbin/amavisd-new[8330]: initializing 
Mail::SpamAssassin (0)
Jan 29 15:30:55.078 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamAssassin 
debug facilities: info
Jan 29 15:30:55.712 mail.domain.tld /usr/sbin/amavisd-new[8330]: SA info: zoom: 
able to use 315/360 'body_0' compiled rules (87.5%)
Jan 29 15:30:56.454 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamAssassin 
loaded plugins: AskDNS, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, 
DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, 
MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, Rule2XSBody, SPF, 
SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Jan 29 15:30:56.455 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamControl: 
init_pre_fork on SpamAssassin done
Jan 29 15:30:56.455 mail.domain.tld /usr/sbin/amavisd-new[8330]: extra modules 
loaded after daemonizing/chrooting: 
/usr/lib/perl5/auto/NetAddr/IP/InetBase/inet_n2dx.al, 
Mail/SpamAssassin/CompiledRegexps/body_0.pm, 
Mail/SpamAssassin/Plugin/FreeMail.pm, Net/DNS/RR/OPT.pm





From: Computer Bob [mailto:b...@inter-control.com]
Sent: Monday, January 29, 2018 3:24 PM
To: Dino Edwards 
<mailto:dino.edwa...@mydirectmail.net>; 
amavis-users@amavis.org<mailto:amavis-users@amavis.org>
Subject: Re: Scoring questions

Changes made, amavis restarted.
I have seen the following on all mails, I just was too lazy to include it 
because I had to blank the server name...skuza..

X-Virus-Scanned: Debian amavisd-new at M1-2.myorganization.org




On 1/29/18 2:15 PM, Dino Edwards wrote:
Please try

$sa_tag_level_deflt = undef;

In

/etc/amavis/conf.d/50-user

Do you see the X-Virus-Scanned header in the emails that amavisd processes?




From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Computer Bob
Sent: Monday, January 29, 2018 2:40 PM
To: amavis-users@amavis.org<mailto:amavis-users@amavis.org>
Subject: Re: Scoring questions

I also agree that at this point auto learn should be off and cleared as I have 
done.
But I still continue to get garbage mails through showing headers such as:

X-Spam-Flag: NO

X-Spam-Score: 0.61

X-Spam-Level:

X-Spam-Status: No, score=0.61 tagged_above=- required=5

tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.61,

HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,

T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]

autolearn=no autolearn_force=no


And as I said, when I run them through SA at the command line they seem to 
score correctly.
The scores being given in the headers can't be correct as they all are 
similarly low and wrong.
An interesting note is that if I try and forward one of these received, they 
get flagged and sent to spam.
Without knowing the intricacies of the amavis procedural steps, or where to 
start, it is not possible for me to troubleshoot.




On 1/29/18 1:20 PM, Dino Edwards wrote:

I disagree it's bad advice considering it's autolearn that seems to be creating 
at least some of the problems he's experiencing.



However, I do agree, the AutoLearn Threshold should definitely be set IF you 
are going to be using autolearn but in my experience auto-learn creates more 
problems than it solves. I believe that only humans should be used for 
training the bayes database. Auto-learning has the tendency to exaggerate 
issues over time.



Keep it simple for now and trai

RE: Scoring questions

2018-01-29 Thread Dino Edwards
Please run amavisd in debug mode.

Stop the service

/etc/init.d/amavis stop

Then start in debug mode:

/etc/init.d/amavis debug

Open another session to your mail server and look at your /var/log/mail.log and 
you should see the following upon amavisd startup (or similar):

Jan 29 15:30:55.078 mail.domain.tld /usr/sbin/amavisd-new[8330]: initializing 
Mail::SpamAssassin (0)
Jan 29 15:30:55.078 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamAssassin 
debug facilities: info
Jan 29 15:30:55.712 mail.domain.tld /usr/sbin/amavisd-new[8330]: SA info: zoom: 
able to use 315/360 'body_0' compiled rules (87.5%)
Jan 29 15:30:56.454 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamAssassin 
loaded plugins: AskDNS, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, 
DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, 
MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, Rule2XSBody, SPF, 
SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Jan 29 15:30:56.455 mail.domain.tld /usr/sbin/amavisd-new[8330]: SpamControl: 
init_pre_fork on SpamAssassin done
Jan 29 15:30:56.455 mail.domain.tld /usr/sbin/amavisd-new[8330]: extra modules 
loaded after daemonizing/chrooting: 
/usr/lib/perl5/auto/NetAddr/IP/InetBase/inet_n2dx.al, 
Mail/SpamAssassin/CompiledRegexps/body_0.pm, 
Mail/SpamAssassin/Plugin/FreeMail.pm, Net/DNS/RR/OPT.pm





From: Computer Bob [mailto:b...@inter-control.com]
Sent: Monday, January 29, 2018 3:24 PM
To: Dino Edwards ; amavis-users@amavis.org
Subject: Re: Scoring questions

Changes made, amavis restarted.
I have seen the following on all mails, I just was too lazy to include it 
because I had to blank the server name...skuza..

X-Virus-Scanned: Debian amavisd-new at M1-2.myorganization.org




On 1/29/18 2:15 PM, Dino Edwards wrote:
Please try

$sa_tag_level_deflt = undef;

In

/etc/amavis/conf.d/50-user

Do you see the X-Virus-Scanned header in the emails that amavisd processes?




From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Computer Bob
Sent: Monday, January 29, 2018 2:40 PM
To: amavis-users@amavis.org<mailto:amavis-users@amavis.org>
Subject: Re: Scoring questions

I also agree that at this point auto learn should be off and cleared as I have 
done.
But I still continue to get garbage mails through showing headers such as:

X-Spam-Flag: NO

X-Spam-Score: 0.61

X-Spam-Level:

X-Spam-Status: No, score=0.61 tagged_above=- required=5

tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.61,

HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,

T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]

autolearn=no autolearn_force=no


And as I said, when I run them through SA at the command line they seem to 
score correctly.
The scores being given in the headers can't be correct as they all are 
similarly low and wrong.
An interesting note is that if I try and forward one of these received, they 
get flagged and sent to spam.
Without knowing the intricacies of the amavis procedural steps, or where to 
start, it is not possible for me to troubleshoot.


On 1/29/18 1:20 PM, Dino Edwards wrote:

I disagree it's bad advice considering it's autolearn that seems to be creating 
at least some of the problems he's experiencing.



However, I do agree, the AutoLearn Threshold should definitely be set IF you 
are going to be using autolearn but in my experience auto-learn creates more 
problems than it solves. I believe that only humans should be used for 
training the bayes database. Auto-learning has the tendency to exaggerate 
issues over time.



Keep it simple for now and train your bayes database and after you've trained 
it and it's scoring well, then consider using autolearn.











-Original Message-

From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Benny Pedersen

Sent: Monday, January 29, 2018 1:06 PM

To: amavis-users@amavis.org<mailto:amavis-users@amavis.org>

Subject: Re: Re: Scoring questions



Computer Bob wrote on 2018-01-29 18:57:

I assume you mean bayes_auto_learn in local.cf. I set it to 0 from 1

and restarted.



yes it's just bad advice, but setting this is what disables autolearn



I suggest seeing AutoLearnThreshold instead



https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html



bayes_auto_learn_threshold_nonspam -5

bayes_auto_learn_threshold_spam 7.5



let the spammers win now :)








RE: Scoring questions

2018-01-29 Thread Dino Edwards
Please try

$sa_tag_level_deflt = undef;

In

/etc/amavis/conf.d/50-user

Do you see the X-Virus-Scanned header in the emails that amavisd processes?




From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Computer Bob
Sent: Monday, January 29, 2018 2:40 PM
To: amavis-users@amavis.org
Subject: Re: Scoring questions

I also agree that at this point auto learn should be off and cleared as I have 
done.
But I still continue to get garbage mails through showing headers such as:

X-Spam-Flag: NO

X-Spam-Score: 0.61

X-Spam-Level:

X-Spam-Status: No, score=0.61 tagged_above=- required=5

tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.61,

HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,

T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]

autolearn=no autolearn_force=no


And as I said, when I run them through SA at the command line they seem to 
score correctly.
The scores being given in the headers can't be correct as they all are 
similarly low and wrong.
An interesting note is that if I try and forward one of these received, they 
get flagged and sent to spam.
Without knowing the intricacies of the amavis procedural steps, or where to 
start, it is not possible for me to troubleshoot.

On 1/29/18 1:20 PM, Dino Edwards wrote:

I disagree it's bad advice considering it's autolearn that seems to be creating 
at least some of the problems he's experiencing.



However, I do agree, the AutoLearn Threshold should definitely be set IF you 
are going to be using autolearn but in my experience auto-learn creates more 
problems than it solves. I believe that only humans should be used for 
training the bayes database. Auto-learning has the tendency to exaggerate 
issues over time.



Keep it simple for now and train your bayes database and after you've trained 
it and it's scoring well, then consider using autolearn.











-Original Message-

From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Benny Pedersen

Sent: Monday, January 29, 2018 1:06 PM

To: amavis-users@amavis.org<mailto:amavis-users@amavis.org>

Subject: Re: Re: Scoring questions



Computer Bob wrote on 2018-01-29 18:57:

I assume you mean bayes_auto_learn in local.cf. I set it to 0 from 1

and restarted.



yes it's just bad advice, but setting this is what disables autolearn



I suggest seeing AutoLearnThreshold instead



https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html



bayes_auto_learn_threshold_nonspam -5

bayes_auto_learn_threshold_spam 7.5



let the spammers win now :)
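
As an added example (not code from the thread), here is a small Perl check for the X-Spam-Status header quoted above: it re-sums the listed rule scores against the reported score and spells out what tagged_above=- and the missing BAYES_* rule mean. The sample header is re-typed from Computer Bob's message as a constructed string; the function names are my own.

```perl
#!/usr/bin/perl
# Added example (not from the thread): cross-check an amavis X-Spam-Status
# header. The sample below is the header quoted in the thread, re-typed
# as a constructed string; the function names are my own.
use strict;
use warnings;

# Split an X-Spam-Status value into flag, reported score, tag threshold
# (tagged_above), spam threshold (required) and a rule => score hash.
sub parse_spam_status {
  my ($value) = @_;
  $value =~ s/\s+/ /g;                      # unfold continuation lines
  my %st;
  ($st{flag}) = $value =~ /^\s*(Yes|No)\b/i
    or die "not an X-Spam-Status value: $value\n";
  ($st{score})        = $value =~ /\bscore=(-?[\d.]+)/;
  ($st{tagged_above}) = $value =~ /\btagged_above=(\S+)/;
  ($st{required})     = $value =~ /\brequired=(-?[\d.]+)/;
  my ($tests) = $value =~ /\btests=\[([^\]]*)\]/;
  my %rules;
  for my $t (split /\s*,\s*/, ($tests // '')) {
    my ($name, $score) = split /=/, $t, 2;
    $rules{$name} = $score if defined $score;
  }
  $st{rules} = \%rules;
  return \%st;
}

# Explain what the header says. The reported score must equal the sum of
# the listed rule scores (within SpamAssassin's two-decimal rounding); if
# it does, the header is internally consistent, and a different score from
# "spamassassin -t" on the command line points at a different rule set or
# Bayes state in the amavis context, not at a broken header.
sub check_spam_status {
  my ($st) = @_;
  my $sum = 0;
  $sum += $_ for values %{ $st->{rules} };
  my @notes;
  if (defined $st->{score} && abs($sum - $st->{score}) > 0.01) {
    push @notes, sprintf('rule scores sum to %.3f but header says %.3f',
                         $sum, $st->{score});
  } else {
    push @notes, sprintf('rule scores sum to %.3f, matching the reported score',
                         $sum);
  }
  push @notes, 'tagged_above=- : sa_tag_level is undef, so amavis adds '
             . 'X-Spam-* headers to every message regardless of score'
    if defined $st->{tagged_above} && $st->{tagged_above} eq '-';
  push @notes, 'no BAYES_* rule fired: Bayes did not contribute to this '
             . 'score (untrained database or not available to amavis)'
    unless grep { /^BAYES_/ } keys %{ $st->{rules} };
  push @notes, sprintf('score %.2f is below required=%s, so X-Spam-Flag '
                       . 'stays NO', $st->{score}, $st->{required})
    if defined $st->{score} && defined $st->{required}
       && $st->{score} < $st->{required};
  return \@notes;
}

# Constructed sample: the header Computer Bob quoted, as one folded value.
my $sample = <<'END';
No, score=0.61 tagged_above=- required=5
 tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.61,
 HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
 autolearn=no autolearn_force=no
END

my $st = parse_spam_status($sample);
print "$_\n" for @{ check_spam_status($st) };
```

For the quoted header the rule scores add up to exactly 0.61, so the header is consistent; the absence of any BAYES_* rule is the thing worth chasing when the same message scores high from the command line.
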







RE: Re: Scoring questions

2018-01-29 Thread Dino Edwards
I disagree it's bad advice considering it's autolearn that seems to be creating 
at least some of the problems he's experiencing. 

However, I do agree, the AutoLearn Threshold should definitely be set IF you 
are going to be using autolearn but in my experience auto-learn creates more 
problems than it solves. I believe that only humans should be used for 
training the bayes database. Auto-learning has the tendency to exaggerate 
issues over time.

Keep it simple for now and train your bayes database and after you've trained 
it and it's scoring well, then consider using autolearn.





-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Benny Pedersen
Sent: Monday, January 29, 2018 1:06 PM
To: amavis-users@amavis.org
Subject: Re: Re: Scoring questions

Computer Bob wrote on 2018-01-29 18:57:
> I assume you mean bayes_auto_learn in local.cf. I set it to 0 from 1 
> and restarted.

yes it's just bad advice, but setting this is what disables autolearn

I suggest seeing AutoLearnThreshold instead

https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html

bayes_auto_learn_threshold_nonspam -5
bayes_auto_learn_threshold_spam 7.5

let the spammers win now :)


RE: Scoring questions

2018-01-29 Thread Dino Edwards
Comments like this are why people dislike "Linux" people. This comment was not 
helpful in any way, didn't add to the conversation and merely demonstrated 
that your email client can't handle HTML or that you are just so annoyed by 
someone using HTML in their email that you can't function until someone 
immediately starts doing things your way.

Really?



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Benny Pedersen
Sent: Monday, January 29, 2018 11:35 AM
To: amavis-users@amavis.org
Subject: Re: Scoring questions

Computer Bob wrote on 2018-01-29 17:22:
> Greetings to all,

disable html in thunderbird first


RE: perl-DBD-MySQL (Fedora 24)

2018-01-03 Thread Dino Edwards
Don't know much about Fedora, but it looks like Fedora is using some bleeding 
edge packages? Cause I'm looking at Ubuntu 16.04 and libdbd-mysql-perl is still 
at version 4.033. Maybe you should consider using a distro that's not on the 
bleeding edge for these purposes?

Not trying to get smart, just a suggestion.

Thanks



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alan Munday
Sent: Wednesday, January 3, 2018 1:22 PM
To: amavis-users@amavis.org
Subject: Re: perl-DBD-MySQL (Fedora 24)

On 03/01/18 18:15, Dino Edwards wrote:
> Not sure, what's happening there. I can tell you on my end that those fields 
> are float type also. What does your sql_select_policy look like? Mine looks 
> like this:
> 
> $sql_select_policy = 'SELECT *, users.id FROM users,policy'.
> ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
> ' ORDER BY users.priority DESC';
> 


I'm still looking at this and it looks like there is a long standing bug in 
DBD-MySQL.


From what I've found so far see:


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856064

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847311

https://github.com/perl5-dbi/DBD-mysql/issues/78



What I'm currently searching for is a temporary workaround, a couple of 
things I've tried so far have not worked.

Alan


RE: perl-DBD-MySQL (Fedora 24)

2018-01-03 Thread Dino Edwards
Also reading through the comments, I wasn't sure if it only affected MySQL and 
not MariaDB. 


-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alan Munday
Sent: Wednesday, January 3, 2018 1:22 PM
To: amavis-users@amavis.org
Subject: Re: perl-DBD-MySQL (Fedora 24)

On 03/01/18 18:15, Dino Edwards wrote:
> Not sure, what's happening there. I can tell you on my end that those fields 
> are float type also. What does your sql_select_policy look like? Mine looks 
> like this:
> 
> $sql_select_policy = 'SELECT *, users.id FROM users,policy'.
> ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
> ' ORDER BY users.priority DESC';
> 


I'm still looking at this and it looks like there is a long standing bug in 
DBD-MySQL.


From what I've found so far see:


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856064

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847311

https://github.com/perl5-dbi/DBD-mysql/issues/78



What I'm currently searching for is a temporary workaround, a couple of 
things I've tried so far have not worked.

Alan


RE: perl-DBD-MySQL (Fedora 24)

2018-01-03 Thread Dino Edwards
Have you installed this patch?

https://github.com/kentnl-gentoo/DBD-mysql/commit/b6b8540216bd03b68f3bc076b3d3106f4be23f9d




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alan Munday
Sent: Wednesday, January 3, 2018 1:22 PM
To: amavis-users@amavis.org
Subject: Re: perl-DBD-MySQL (Fedora 24)

On 03/01/18 18:15, Dino Edwards wrote:
> Not sure, what's happening there. I can tell you on my end that those fields 
> are float type also. What does your sql_select_policy look like? Mine looks 
> like this:
> 
> $sql_select_policy = 'SELECT *, users.id FROM users,policy'.
> ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
> ' ORDER BY users.priority DESC';
> 


I'm still looking at this and it looks like there is a long standing bug in 
DBD-MySQL.


From what I've found so far see:


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856064

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847311

https://github.com/perl5-dbi/DBD-mysql/issues/78



What I'm currently searching for is a temporary workaround; a couple of 
things I've tried so far have not worked.

Alan


RE: perl-DBD-MySQL (Fedora 24)

2018-01-03 Thread Dino Edwards
Not sure what's happening there. I can tell you on my end that those fields 
are float type also. What does your sql_select_policy look like? Mine looks 
like this:

$sql_select_policy = 'SELECT *, users.id FROM users,policy'.
' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
' ORDER BY users.priority DESC';




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alan Munday
Sent: Wednesday, January 3, 2018 11:11 AM
To: amavis-users@amavis.org
Subject: Re: perl-DBD-MySQL (Fedora 24)



From this question I've been able to do some more testing and can see what is 
going on.


Running the same query on Fedora 26 (using perl-DBD-MySQL-4.037) I can see it 
retrieve all the set values from the policy table correctly.



On Fedora 27 (using perl-DBD-MySQL-4.043) the query returns all the set 
values from the policy table except those of type float. I.e.

spam_tag_level=>"0",
spam_tag2_level=>"0",
spam_tag3_level=>"0",
spam_kill_level=>"0",
spam_dsn_cutoff_level=>"0",
spam_quarantine_cutoff_level=>"0",


I've been through the release notes and the SQL readme files and I can't 
see a change for these fields.

Did I miss something?

Alan


RE: perl-DBD-MySQL (Fedora 24)

2018-01-02 Thread Dino Edwards
On policy_id=9 in your database, what are the values of the following columns?

spam_tag_level
spam_tag2_level
spam_kill_level

Thanks



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alan Munday
Sent: Tuesday, January 2, 2018 10:41 AM
To: amavis-users@amavis.org
Subject: Re: perl-DBD-MySQL (Fedora 24)

On 31/12/17 11:24, Alan Munday wrote:
> On 30/12/17 15:55, Alan Munday wrote:
>> On 26/11/16 15:17, Alan Munday wrote:
>>>
>>> Found an issue following an update to perl-DBD-MySQL (4.039-1.fc24 
>>> arrived here 2016-11-24) after which amavisd-new was scanning mail 
>>> as clean and processing as spam.
>>>
>>> I'm using SQL lookups and found this affected versions 2.11.0-4 and
>>> 2.10.1-7 of amavisd-new on my systems.
>>>
>>>
>>> Downgrading perl-DBD-MySQL appears to have resolved the problem.
>>
>>
>> A bit of a repeat but I'm now seeing similar behaviour having 
>> upgraded a mail server to Fedora 27 (perl-DBD-MySQL-4.043-6)
>>
>> Currently amavis is passing mail with scores <0 but processing as 
>> spam for scores > 0 < SPAM_THRESHOLD
>>
>>
>> Anyone else running amavisd-new on Fedora 27 with SQL back end, and 
>> running OK?
>>
> 
> 
> Having increased the log level I can see the following:
> 
> 
> For amavis running on Fedora 26 (using perl-DBD-MySQL-4.037)
> 
> Dec 31 11:07:48 mx1 amavis[17513]: (17513-01) calling SA parse (0), SA 
> vers 3.4.1, 3.004001, data as STRING_REF, recips_ind [0], user: "amavis"
> 
> 
> 
> For amavis running on Fedora 27 (using perl-DBD-MySQL-4.043)
> 
> Dec 31 10:44:55 mx3 amavis[4182]: (04182-01) calling SA parse (0), SA 
> vers 3.4.1, 3.004001, data as GLOB, recips_ind [0], user: "amavis"


The above turned out to be a red herring.

I've spent some hours looking through logs at loglevel 5 and while I can see 
what is happening (that mails scoring less than the spam score are being 
treated as spam) I don't know why.


If anyone wouldn't mind looking at an example log, I've posted a sample at 
https://pastebin.com/GNNs3Vbz

Thanks

Alan







RE: Amavis doesn't mark mail as spam, and doesn't set spam headers

2017-12-01 Thread Dino Edwards
I suggest that all your customization be done in /etc/amavis/conf.d/50-user for 
simplicity's sake instead of jumping around all those config files. Up to you.

On your particular issue, try this:


$mydomain = "mydomain.tld";


@local_domains_acl = ( "mydomain.tld", "localhost" );

The way you had it set, ".$mydomain", I'm pretty sure it means all subdomains of 
mydomain.tld but not the actual domain. Someone correct me if I'm wrong here.





From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of chaouche yacine
Sent: Friday, December 1, 2017 2:24 PM
To: amavis-users@amavis.org
Subject: Re: Amavis doesn't mark mail as spam, and doesn't set spam headers

Hello Alexander,

I don't know how to check for that. Here's 05-domain_id

root@messagerie[10.10.10.19] 
/etc/amavis/conf.d # removeblanks 05-domain_id
use strict;
chomp($mydomain = `head -n 1 /etc/mailname`);
@local_domains_acl = ( ".$mydomain" );
1;  # ensure a defined return
root@messagerie[10.10.10.19] 
/etc/amavis/conf.d #

my /etc/mailname contains the hostname of the mail server, which is 
"messagerie.mydomain.tld", whereas I accept mail for "mydomain.tld"



Yassine.

On Friday, December 1, 2017 1:20 PM, Alexander Wirt <formo...@formorer.de> wrote:

On Fri, 01 Dec 2017, chaouche yacine wrote:

> Hello Alexander,
> This log entry seems to show that spam checking was done :
> Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY 
> {RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] 
> <bounce-3308-19491836-3512-...@frdww.com> -> <a.chaou...@mydomain.tld>, 
> Queue-ID: 738D73A80088, Message-ID: 
> <bf680addabf683575f7cc153be8a9094@101.55.71.3>, 
> mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197, queued_as: 6609E3A8008E, 
> 736 ms
> And here is 15-content_filter_mode
> root@messagerie[10.10.10.19] /etc/amavis/conf.d # 
> removeblanks 15-content_filter_mode
> use strict;
> @bypass_virus_checks_maps = (
>\%bypass_virus_checks, \@bypass_virus_checks_acl, 
> \$bypass_virus_checks_re);
> @bypass_spam_checks_maps = (
>\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
> 1;  # ensure a defined return
> root@messagerie[10.10.10.19] /etc/amavis/conf.d #
>
> Should they be commented out ?
no, they are fine that way.
>
>
> Also, both spamd and amavis are running :
Amavis doesn't use spamd. Is "mydomain.tld" in localdomains?


Alex



RE: Amavisd missing spam headers

2017-11-22 Thread Dino Edwards
Try this instead:

$sa_tag_level_deflt = undef;




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Filip Bartmann
Sent: Wednesday, November 22, 2017 2:22 PM
To: amavis-users@amavis.org
Subject: Amavisd missing spam headers

I use amavisd on my CentOS 7 server, but I have a problem with missing spam 
headers in messages. Below is my config file. What do I have wrong?
-

@bypass_virus_checks_maps = (1);  # controls running of anti-virus code
@bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
$bypass_decode_parts = 1;         # controls running of decoders&dearchivers

$max_servers = 1;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g

$mydomain = 'filbar.name';   # a convenient default for other settings

$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = undef;      # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend'; # 'attach', 'plain', 'resend'
# $report_format  = 'arf';    # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";   # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "/var/run/amavisd/amavisd.lock";  # -L
$pid_file  = "/var/run/amavisd/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$do_syslog = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
                             # e.g.: mail, daemon, user, local0, ... local7

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

@local_domains_maps = qw( . );

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$unix_socketname = "/var/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
# option(s) -p overrides $inet_socket_port and $unix_socketname

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 8.0;   # add 'spam detected' headers at that level
$sa_kill_level_deflt = 9.31;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;    # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely

RE: submission, not originating ... for roaming, authenticated users?

2017-11-20 Thread Dino Edwards
Well I'm obviously confused. Can you elaborate on exactly what the problem is? 
Please specify source/destination email etc. 



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Django [BOfH]
Sent: Monday, November 20, 2017 3:19 AM
To: amavis-users@amavis.org
Subject: Re: submission, not originating ... for roaming, authenticated users?

HI Dino!

Am 20.11.2017 um 01:19 schrieb Dino Edwards:

> What's in  your /etc/postfix/all_local_domains_map file?

This file includes all local domains where Postfix is final destination or 
originator.

> This line below says that amavis can't match that email address:
> 
> Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) lookup => false, 
> "dja...@nausch.org" matches, result="0", matching_key="(constant:0)"
> 
> Is the nausch.org domain in that file?

No! 'cause nausch.org is an external domain, where postfix sends the message.


ttyl
Django


RE: submission, not originating ... for roaming, authenticated users?

2017-11-19 Thread Dino Edwards
What's in  your /etc/postfix/all_local_domains_map file?

This line below says that amavis can't match that email address:

Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) lookup => false, 
"dja...@nausch.org" matches, result="0", matching_key="(constant:0)"

Is the nausch.org domain in that file?


-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Django [BOfH]
Sent: Sunday, November 19, 2017 4:39 PM
To: amavis-users@amavis.org
Subject: submission, not originating ... for roaming, authenticated users?

HI,

Pardon my little stupid question, but I'm at a point where I have absolutely no 
idea why my newly installed amavisd-new installation won't accept my roaming 
user mails.

O.K. in my master.cf of postfix I have:

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_ask_ccert=no
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp:[127.0.0.1]:10024
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
  -o mynetworks=127.0.0.0/8
  -o smtp_data_done_timeout=1200


My amavisd.conf has the following definitions:

@listen_sockets = (
'127.0.0.1:10024',
'127.0.0.1:9998',
"$MYHOME/amavisd.sock"
);

$interface_policy{'10024'} = 'ORIGINATING';

@mynetworks = qw(
127.0.0.0/8
[:::127.0.0.0]/104
[::1]/128
);

@local_domains_maps = (
[".$mydomain"],
read_hash("/etc/postfix/all_local_domains_map"),
);

$policy_bank{'ORIGINATING'} = {
inet_acl => [qw( 127.0.0.1 )],
originating => 1,
allow_disclaimers => 1,
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps  => ["virusalert\@$mydomain"],
warnbadhsender   => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_spam_checks_maps => [0],
bypass_banned_checks_maps => [0],
bypass_virus_checks_maps => [0],
terminate_dsn_on_notify_success => 0,
notify_method  => 'smtp:[127.0.0.1]:10025',
forward_method => 'smtp:[127.0.0.1]:10025',
final_virus_destiny => 'D_BOUNCE',
};

So far so good. No voodoo or anything similar, a standard config like all the 
others I have made over the last few years.

If I send a test mail with swaks through port 587 as an authenticated roaming 
user, the message is accepted and sent to the final recipient.

BUT:
The mail isn't DKIM signed, so I tried to understand why. AMaViS thought the 
mail was not from local:

Open relay? Nonlocal recips but not originating: dja...@nausch.org

The whole maillog is here:
Nov 19 21:33:08 mailslut postfix/submission/smtpd[26111]: connect from mx1.nausch.org[217.92.13.131]
Nov 19 21:33:09 mailslut postfix/submission/smtpd[26111]: Anonymous TLS connection established from mx1.nausch.org[217.92.13.131]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 19 21:33:09 mailslut postfix/submission/smtpd[26111]: 7D744600048: client=mx1.nausch.org[217.92.13.131], sasl_method=LOGIN, sasl_username=n...@omni128.de
Nov 19 21:33:09 mailslut postfix/cleanup[26120]: 7D744600048: message-id=<>
Nov 19 21:33:09 mailslut postfix/qmgr[26096]: 7D744600048: from=, size=566, nrcpt=1 (queue active)
Nov 19 21:33:09 mailslut amavis[26104]: Net::Server: 2017/11/19-21:33:09 CONNECT TCP Peer: "[127.0.0.1]:48950" Local: "[127.0.0.1]:10024"
Nov 19 21:33:09 mailslut amavis[26104]: loaded base policy bank
Nov 19 21:33:09 mailslut amavis[26104]: loaded policy bank "ORIGINATING"
Nov 19 21:33:09 mailslut amavis[26104]: lookup_ip_acl (inet_acl) arr.obj: key="127.0.0.1" matches "127.0.0.1", result=1
Nov 19 21:33:09 mailslut amavis[26104]: process_request: fileno sock=13, STDIN=0, STDOUT=1
Nov 19 21:33:09 mailslut amavis[26104]: get_deadline switch_to_my_time(new request) - deadline in 480.0 s, set to 288.000 s
Nov 19 21:33:09 mailslut amavis[26104]: prolong_timer switch_to_my_time(new request): timer 288, was 0, deadline in 480.0 s
Nov 19 21:33:09 mailslut amavis[26104]: process_request: suggested_protocol="" on a TCP socket
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) SMTP> 220 [127.0.0.1] ESMTP amavisd-new service ready
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) switch_to_client_time 480 s, smtp response sent
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) idle_proc, 4: was busy, 3.6 ms, total idle 0.000 s, busy 0.004 s
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) smtp readline: read 34 bytes, new size: 34
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) idle_proc, 5: was idle, 0.2 ms, total idle 0.000 s, busy 0.004 s
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) SMTP< EHLO mx.omni128.de\r\n
Nov 19 21:33:09 mailslut amavis[26104]: (26104-01) get_deadline switch_to_my_time(rx SMT

RE: Urgent:Amavisd or ClamD not blocked .exe files when change it to .pdf or .txt

2017-11-05 Thread Dino Edwards
Attach your amavis conf file please. Are you blocking .exe files in your 
config? How does the file(1) utility detect said files? Amavis relies on that 
utility to determine file types. If file(1) is not working correctly in your 
system it will not block those files. Copy the file to your system and run the 
following command:

file example.pdf

For instance, I took the executable AeroAdmin.exe and renamed it to 
AeroAdmin.pdf and ran the following command:

file AeroAdmin.pdf

It got correctly identified as an executable, see below:

AeroAdmin.pdf: PE32 executable (GUI) Intel 80386, for MS Windows




Dino Edwards
Web: https://www.deeztek.com

Hermes Secure Email Gateway
Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) 
Email Gateway that provides Spam, Virus and Malware protection, full in-transit 
and at-rest email encryption as well as email archiving. Hermes Secure Email 
Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, 
ClamAV, Amavisd-new and CipherMail under one unified web based Web GUI for easy 
administration and management of your incoming and outgoing email for your 
organization. It can be deployed to protect your in-house email solution as 
well as cloud email solutions such as Google Mail and Microsoft Office 365.

Learn More & Download the free open-source appliance at:
https://www.deeztek.com/hermes-secure-email-gateway/









From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Razmik Baghdasaryan
Sent: Sunday, November 5, 2017 4:26 PM
To: amavis-users@amavis.org
Subject: Urgent:Amavisd or ClamD not blocked .exe files when change it to .pdf 
or .txt

URGENT WHO CAN HELP ME ?

Hello Dear all,
I want to test my Zimbra mail server, so I changed an example.exe file into 
example.pdf or example.txt and sent it by email to my Gmail account and my 
Zimbra account.

Gmail detects that the PDF file header contains an .exe file and blocks it, but 
Zimbra receives it normally.

P.S. Our old mail server (only Postfix + MailScanner) detects it also.

In my mind it is a problem!!!
How can I block that type of file? In my mind it's an amavisd or clamd problem. 
Who can help me with the configuration?
It is urgent for me, please help.

Thanks In Advance
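Added here as an illustration, not part of the thread: the check Dino describes (type the attachment by its content, as file(1) does, never by its extension), written in Python. It recognises a PE executable through the MZ header and the PE signature at e_lfanew, so a renamed .exe is still BANNED, and it flags a MISMATCH when the extension claims a known type the bytes do not match. The sample byte strings are constructed, not real files.

```python
import struct

# Constructed sample "attachments" (leading bytes only, not real files):
# a PE executable renamed to .pdf as in the thread, a real PDF, a PDF
# renamed to .txt, an OOXML (zip) document, and plain text.
PE_STUB = (b"MZ" + b"\x00" * 58              # DOS header up to e_lfanew (0x3C)
           + struct.pack("<I", 0x80)         # e_lfanew: PE header at 0x80
           + b"\x00" * 64                    # padding up to offset 0x80
           + b"PE\x00\x00" + b"\x00" * 32)   # PE signature + start of COFF header
SAMPLES = {
    "AeroAdmin.pdf": PE_STUB,
    "report.pdf":    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.txt":   b"%PDF-1.7\n1 0 obj\n",
    "sheet.docx":    b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml",
    "notes.txt":     b"Just a plain text note.\n",
}

EXECUTABLE_TYPES = {"pe-executable", "dos-executable"}
# What the bytes should look like for a given extension (only the few types
# this small sniffer knows about; unknown extensions are not judged).
EXPECTED_BY_EXT = {
    "pdf": {"pdf"}, "txt": {"text"}, "docx": {"zip"}, "xlsx": {"zip"},
    "exe": EXECUTABLE_TYPES,
}


def sniff(data: bytes) -> str:
    """Coarse type from leading bytes only; the file name is never consulted."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"   # MZ header, no reachable PE signature
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"              # also docx/xlsx, jar, apk, ...
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def classify(name: str, data: bytes) -> tuple:
    """Return (detected_type, verdict): BANNED for any executable regardless
    of extension, MISMATCH when the extension promises another known type,
    OK otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if kind in EXECUTABLE_TYPES:
        return kind, "BANNED"
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is not None and kind not in expected:
        return kind, "MISMATCH"
    return kind, "OK"


def scan(samples: dict) -> dict:
    """Classify every attachment; returns {name: (type, verdict)}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in scan(SAMPLES).items():
        print(f"{name:15} {kind:15} {verdict}")
```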


RE: WMF file concerns

2017-10-25 Thread Dino Edwards
There have been WMF vulnerabilities in the past. Here's an example:

https://technet.microsoft.com/library/security/ms11-038

I know it's pretty old, but even if the systems are patched, it's probably 
best not to allow them. There could be some 0-day malware taking advantage of 
WMF vulnerabilities. 




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alex
Sent: Tuesday, October 24, 2017 2:30 PM
To: amavis-users@amavis.org
Subject: WMF file concerns

Hi, would someone confirm for me the risks of allowing Word files that include 
WMF files?

X-Amavis-Alert: BANNED, message contains .wmf,word/media/image1.wmf

I'm seeing it's quite common for Word files to include this image1.wmf file, 
and wondered what the risk would be for allowing them.


RE: drop NOTIFY= for spam mail

2017-07-26 Thread Dino Edwards
Maybe I'm not understanding what you need but it sounds like the following 
setting: 

$final_spam_destiny = D_DISCARD;




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, July 26, 2017 1:14 PM
To: amavis-users@amavis.org
Subject: drop NOTIFY= for spam mail

hello,

I use amavisd-new as postfix content filter, connected over LMTP 
(bidirectionally).

Since amavis supports the DSN SMTP extension, the MTA sends a NOTIFY= command 
and amavis sends it back after processing.

now, when mail is considered SPAM, I'd like to drop the notification.

I have configured $sa_dsn_cutoff_level, but it changed nothing - it's 
apparently only used for amavis' generated mail.

Is it possible to drop NOTIFY= request when sending mail back to MTA and thus 
stop (non)delivery notification for spam?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


RE: clearing just ham data

2017-06-30 Thread Dino Edwards
I don't know if this would work or not since I have never done that. I think 
it's best to start off fresh but it's up to you. Maybe someone else can weigh 
in on this particular question.


From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Friday, June 30, 2017 3:31 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: [SUSPECTED SPAM]clearing just ham data

It's because I don't keep all the learnt messages, they get deleted once learnt.

Doing an sa-learn --backup I get a backup file containing a text file with data.
I see the first block of data starts with a 't', then the second block starts 
with an 's' and has a second column with 's' or 'h'.
Do you think I can remove all the 'h' entries from the file and restore from it?
What are the 't' rows?





From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 29 June 2017 19.02.56 CEST
Subject: RE: RE: RE: RE: RE: different spamassassin behaviours

I don't know of a way of just cleaning the ham. Unless someone knows of a way. 
I always have just cleared the whole database and started feeding it ham and 
spam.

From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Thursday, June 29, 2017 9:22 AM
To: Dino Edwards <dino.edwa...@mydirectmail.net>; amavis-users@amavis.org
Subject: RE: RE: RE: RE: different spamassassin behaviours

Great Dino! ;) I think you got to the point :)

My training is almost just spam, we never feed ham to learn.
Do you think I can clear just the ham database? Is there any way?
I would like to retain the spam learnt.

Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon




From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 29 June 2017 14.14.57 CEST
Subject: RE: RE: RE: RE: different spamassassin behaviours

As you can see, this particular message has auto-trained the bayes database 
that it's ham (autolearn=ham) when in fact it's supposed to be spam.

Here's what I recommend:

1. Turn off autolearn
2. Clear your bayes database and start over fresh
3. Train your bayes database with legitimate ham and spam

It looks to me that the major issue you are having is your bayes database is 
completely jacked and the problem gets worse as each message comes in and 
incorrectly trains the bayes database.

The levels really depend on your setup; there are no magic levels per se. Train 
your database properly and you will be able to adjust them to a level that's 
good for your environment.




From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Thursday, June 29, 2017 7:58 AM
To: Dino Edwards <dino.edwa...@mydirectmail.net>; amavis-users@amavis.org
Subject: RE: RE: RE: different spamassassin behaviours

I will check your suggestions (sa_tag_level_deflt , bayes_auto_learn ).

BTW, what are the level you would suggest, instead of my 5.0,10.0,10?

Meanwhile, look at the email I attached: even manually, spamassassin does not 
detect anything, while it's an evident spam...
Here is the manual result:

X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_20,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TVD_RCVD_SPACE_BRACKET,UNPARSEABLE_RELAY
autolearn=ham autolearn_force=no version=3.4.1




From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 28 June 2017 20.12.17 CEST
Subject: RE: RE: RE: different spamassassin behaviours

Right off the bat, the following should be set like below:

$sa_tag_level_deflt = undef;

Setting it as such will add spam info headers to all email not just ones that 
score 2 or above. After you set this setting, do a test email normally and 
paste the headers generated and then run the same email manually and paste the 
headers. I would love to see the difference between the two to see what drives 
up the scores and what doesn't.


The following settings seem really high to me

$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_
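Added here as an example, not from the thread: a small parser for the text dump that sa-learn --backup writes, plus a filter that keeps only the spam side of it, which is what Gabriele is asking for. It assumes the record layout from Mail::SpamAssassin::BayesStore as I know it ('v' lines carry db_version / num_spam / num_nonspam, 't' lines are tokens as spam_count, ham_count, atime, token, 's' lines are seen message-ids flagged s or h); the dump below is constructed, so compare the layout with a real dump before feeding the result to sa-learn --restore.

```python
# Constructed sa-learn --backup dump (not a real one), tab-separated.
# Layout assumed: "v" = header values, "t" = token (spam, ham, atime, token),
# "s" = seen message-id flagged s (spam) or h (ham).
SAMPLE_DUMP = """\
v\t3\tdb_version # this must be the first line!!!
v\t2\tnum_spam
v\t3\tnum_nonspam
t\t5\t0\t1498730000\t0a1b2c3d4e
t\t2\t4\t1498730100\tdeadbeef00
t\t0\t7\t1498730200\tcafebabe01
s\ts\tmsg-spam-1
s\th\tmsg-ham-1
s\th\tmsg-ham-2
"""


def parse_backup(text: str):
    """Split a dump into header values, token records and seen records."""
    header, tokens, seen = {}, [], []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        tag = fields[0]
        if tag == "v":
            # "v\t<value>\t<name> [# comment]" -> keep just the name
            name = fields[2].split()[0]
            header[name] = int(fields[1])
        elif tag == "t":
            spam, ham, atime = int(fields[1]), int(fields[2]), int(fields[3])
            tokens.append((spam, ham, atime, fields[4]))
        elif tag == "s":
            seen.append((fields[1], fields[2]))
        else:
            raise ValueError(f"unknown record type: {tag!r}")
    return header, tokens, seen


def strip_ham(text: str) -> str:
    """Return a new dump that keeps only spam knowledge: ham counts zeroed,
    ham-only tokens dropped, ham 'seen' entries dropped, num_nonspam reset."""
    header, tokens, seen = parse_backup(text)
    out = [
        f"v\t{header['db_version']}\tdb_version # this must be the first line!!!",
        f"v\t{header['num_spam']}\tnum_spam",
        "v\t0\tnum_nonspam",
    ]
    out += [f"t\t{s}\t0\t{a}\t{tok}" for s, h, a, tok in tokens if s > 0]
    out += [f"s\t{flag}\t{msgid}" for flag, msgid in seen if flag == "s"]
    return "\n".join(out) + "\n"


def summarize(text: str) -> dict:
    """Counts a practitioner would eyeball before and after filtering."""
    header, tokens, seen = parse_backup(text)
    return {
        "num_spam": header["num_spam"],
        "num_nonspam": header["num_nonspam"],
        "tokens": len(tokens),
        "ham_only_tokens": sum(1 for s, h, _, _ in tokens if s == 0 and h > 0),
        "seen_ham": sum(1 for f, _ in seen if f == "h"),
        "seen_spam": sum(1 for f, _ in seen if f == "s"),
    }


if __name__ == "__main__":
    print("before:", summarize(SAMPLE_DUMP))
    print("after: ", summarize(strip_ham(SAMPLE_DUMP)))
```

Note that zeroing the ham side changes every token's spam/ham ratio, so the restored database behaves like one trained on spam only until fresh ham is fed to it.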

RE: RE: RE: RE: RE: different spamassassin behaviours

2017-06-29 Thread Dino Edwards
I don't know of a way of just cleaning the ham. Unless someone knows of a way. 
I always have just cleared the whole database and started feeding it ham and 
spam.

From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Thursday, June 29, 2017 9:22 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: [SUSPECTED SPAM]RE: RE: RE: RE: different spamassassin behaviours

Great Dino! ;) I think you got to the point :)

My training is almost just spam, we never feed ham to learn.
Do you think I can clear just the ham database? Is there any way?
I would like to retain the spam learnt.



From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 29 June 2017 14.14.57 CEST
Subject: RE: RE: RE: RE: different spamassassin behaviours

As you can see, this particular message has auto-trained the bayes database 
that it's ham (autolearn=ham) when in fact it's supposed to be spam.

Here's what I recommend:

1. Turn off autolearn
2. Clear your bayes database and start over fresh
3. Train your bayes database with legitimate ham and spam

It looks to me that the major issue you are having is your bayes database is 
completely jacked and the problem gets worse as each message comes in and 
incorrectly trains the bayes database.

The levels really depend on your setup; there are no magic levels per se. Train 
your database properly and you will be able to adjust them to a level that's 
good for your environment.




From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Thursday, June 29, 2017 7:58 AM
To: Dino Edwards <dino.edwa...@mydirectmail.net>; amavis-users@amavis.org
Subject: RE: RE: RE: different spamassassin behaviours

I will check your suggestions (sa_tag_level_deflt , bayes_auto_learn ).

BTW, what are the level you would suggest, instead of my 5.0,10.0,10?

Meanwhile, look at the email I attached: even manually, spamassassin does not 
detect anything, while it's an evident spam...
Here is the manual result:

X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_20,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TVD_RCVD_SPACE_BRACKET,UNPARSEABLE_RELAY
autolearn=ham autolearn_force=no version=3.4.1




From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 28 June 2017 20.12.17 CEST
Subject: RE: RE: RE: different spamassassin behaviours

Right off the bat, the following should be set like below:

$sa_tag_level_deflt = undef;

Setting it as such will add spam info headers to all email not just ones that 
score 2 or above. After you set this setting, do a test email normally and 
paste the headers generated and then run the same email manually and paste the 
headers. I would love to see the difference between the two to see what drives 
up the scores and what doesn't.


The following settings seem really high to me

$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 10.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

You may want to add these settings:

$sa_spam_modifies_subj = 1;
$sa_spam_subject_tag = '[SPAM]';


Also I suggest you completely turn off auto learn in your SA until you get this 
figured out. As a matter of fact, I never turn it on because it has caused 
MAJOR issues for me in the past where the bayes database gets really screwy and 
things don't get tagged correctly. Up to you.

#bayes
bayes_path /path/to/your/bayes/database
bayes_file_mode 0777
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0






RE: RE: RE: different spamassassin behaviours

2017-06-28 Thread Dino Edwards
Right off the bat, the following should be set like below:

$sa_tag_level_deflt = undef;

Setting it as such will add spam info headers to all email not just ones that 
score 2 or above. After you set this setting, do a test email normally and 
paste the headers generated and then run the same email manually and paste the 
headers. I would love to see the difference between the two to see what drives 
up the scores and what doesn't.


The following settings seem really high to me

$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 10.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

You may want to add these settings:

$sa_spam_modifies_subj = 1;
$sa_spam_subject_tag = '[SPAM]';


Also I suggest you completely turn off auto learn in your SA until you get this 
figured out. As a matter of fact, I never turn it on because it has caused 
MAJOR issues for me in the past where the bayes database gets really screwy and 
things don't get tagged correctly. Up to you.

#bayes
bayes_path /path/to/your/bayes/database
bayes_file_mode 0777
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0






From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Tuesday, June 27, 2017 10:24 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: RE: RE: different spamassassin behaviours

Here it is, thanks!

Gabriele
---
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon

____


From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: Gabriele Bulfon <gabriele.bul...@sonicle.com>; amavis-users@amavis.org
Date: 27 June 2017 15.37.22 CEST
Subject: RE: RE: different spamassassin behaviours

The X-Spam-Status headers should always be present, spam or not. So what you are 
saying is that the X-Spam-Status headers are not present when email goes 
through normally or when they are run manually?
Can you paste your amavis config here?
From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Tuesday, June 27, 2017 9:03 AM
To: Dino Edwards <dino.edwa...@mydirectmail.net>; amavis-users@amavis.org
Subject: [SUSPECTED SPAM]RE: different spamassassin behaviours
The X-Spam-Status headers in those cases are not present, because the score is 
too low and the mail is considered non-spam.
Is there any way I can force the injection of the X-Spam-Status header even for 
low scores? This may help.

I meant that all the cf files (the rules files) are taken from the same place 
by spamassassin, both manually and automatically during postfix injection, as I 
can see it from the spam taken.

And finally, yes, I can find the logs you say, where the mail (that manually 
scores 18.0+) passes as "CLEAN" in amavis and back into postfix.

I attach an example email, and here is the corresponding log from when it came in:

Jun 27 14:30:15 cloudserver amavis[28190]: [ID 702911 mail.notice] (28190-16) 
Passed CLEAN, [107.175.149.43] [107.175.149.43] 
<vivint.premier-provi...@tmess.us> -> <davide.dicos...@eurovetrocap.com>, 
Message-ID: <037996f410ef6dcfefa9bbb8b98e2681.3964721.19453093@tmess.us_ys9>, 
mail_id: tW7q84X98Ieq, Hits: -0.347, size: 5698, queued_as: 9C78D27B16D, 1781 ms
---
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon



--

From: Dino Edwards 
mailto:dino.edwa...

RE: [SUSPECTED SPAM]RE: different spamassassin behaviours

2017-06-27 Thread Dino Edwards
The X-Spam-Status headers should always be present, spam or not. So what you are 
saying is that the X-Spam-Status headers are not present when email goes 
through normally or when they are run manually?

Can you paste your amavis config here?





From: Gabriele Bulfon [mailto:gabriele.bul...@sonicle.com]
Sent: Tuesday, June 27, 2017 9:03 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: [SUSPECTED SPAM]RE: different spamassassin behaviours

The X-Spam-Status headers in those cases are not present, because the score is 
too low and the mail is considered non-spam.
Is there any way I can force the injection of the X-Spam-Status header even for 
low scores? This may help.

I meant that all the cf files (the rules files) are taken from the same place 
by spamassassin, both manually and automatically during postfix injection, as I 
can see it from the spam taken.

And finally, yes, I can find the logs you say, where the mail (that manually 
scores 18.0+) passes as "CLEAN" in amavis and back into postfix.

I attach an example email, and here is the corresponding log from when it came in:

Jun 27 14:30:15 cloudserver amavis[28190]: [ID 702911 mail.notice] (28190-16) 
Passed CLEAN, [107.175.149.43] [107.175.149.43] 
<vivint.premier-provi...@tmess.us> -> <davide.dicos...@eurovetrocap.com>, 
Message-ID: <037996f410ef6dcfefa9bbb8b98e2681.3964721.19453093@tmess.us_ys9>, 
mail_id: tW7q84X98Ieq, Hits: -0.347, size: 5698, queued_as: 9C78D27B16D, 1781 ms
---
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon



----------

From: Dino Edwards <dino.edwa...@mydirectmail.net>
To: amavis-users@amavis.org
Date: 27 June 2017 13.59.37 CEST
Subject: RE: different spamassassin behaviours
Can you provide the x-spam-status headers for the same email when run through 
Postfix normally and then manually so we can see the differences?


Also, I'm a little confused, what do you mean when you say "All the files are 
taken from /sonicle/etc/mail/spamassassin and /sonicle/share/spamassassin"?

Also, in your mail log, do you see lines similar to the ones below? The first one is 
Amavis passing the message as CLEAN and then re-injecting it back to Postfix on 
port 10025 for delivery. Your port config may vary.

Jun 27 07:55:32 smtp amavis[22662]: (22662-15) Passed CLEAN 
[198.241.162.22]:12141 [198.241.162.22] <nore...@visaprepaidprocessing.com> 
-> , Queue-ID: D19FC40B0A, Message-ID: <d5360d$6ue...@cportal1.visa.com>, 
mail_id: X1sVYvfQoUFh, Hits: -0.877, size: 2490, queued_as: 250 2.6.0 Message 
received, dkim_sd=cportal:visaprepaidprocessing.com, 1280 ms


Jun 27 07:55:32 smtp postfix/smtp[22949]: D19FC40B0A: to=<some...@domain.tld>, 
relay=127.0.0.1[127.0.0.1]:10021, delay=2.6, delays=1.3/0/0/1.3, dsn=2.6.0, 
status=sent (250 2.6.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.6.0 Message 
received)




From: Gabriele Bulfon [mailto:gbul...@sonicle.com]
Sent: Tuesday, June 27, 2017 2:35 AM
To: Dino Edwards <dino.edwa...@mydirectmail.net>; amavis-users@amavis.org
Subject: RE: different spamassassin behaviours

Hi, thanks for your response.

There are a lot of things raising the score manually:

X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_50,CUSTOM_MANY_BL,
HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSBL_INPS_DE,
RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_H2,RCVD_IN_UCEPROTECT2,
RCVD_IN_UCEPROTECT3,RCVD_IN_WPBL,SPF_HELO_PASS,TVD_RCVD_SPACE_BRACKET,
T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_ABUSE_SURBL,URIBL_DBL_SPAM
autolearn=spam autolearn_force=no version=3.4.1

All the files are taken from /sonicle/etc/mail/spamassassin and 
/sonicle/share/spamassassin, and they look to be read both manually and during 
the postfix run, as many of the mails are caught and contain X-Spam-Status with 
tags taken from there (sare cf files, kam file, fili_br file etc).
Also, many of the auto-learnt mails get spammed after being trained.
Bayes is configured as:

use_bayes 1
bayes_auto_learn 1
bayes_path /sonicle/var/spamassassin/bayes_db/bayes
bayes_file_mode 0777

and here are the files:

sonicle@www:~$ ls -l /sonicle/var/spamassassin/bayes_db
total 12699
-rw-rw-rw- 1 snclamav snclamav 25680 Jun 27 08:28 bayes_journal
-rw-rw-rw- 1 snclamav snclamav 10567680 Jun 27 07:58 bayes_seen
-rw-rw-rw- 1 snclamav snclamav 5128192 Jun 27 07:58 bayes_toks

here are the amavis processes:

sonicle@www:~$ ps -ef | grep amavisd
snclamav 23517 20393 0 07:43:58 ? 0:04 /sonicle/b

RE: different spamassassin behaviours

2017-06-27 Thread Dino Edwards
Can you provide the x-spam-status headers for the same email when run through 
Postfix normally and then manually so we can see the differences?


Also, I'm a little confused, what do you mean when you say "All the files are 
taken from /sonicle/etc/mail/spamassassin and /sonicle/share/spamassassin"?

Also, in your mail log, do you see lines similar to the ones below? The first one is 
Amavis passing the message as CLEAN and then re-injecting it back to Postfix on 
port 10025 for delivery. Your port config may vary.

Jun 27 07:55:32 smtp amavis[22662]: (22662-15) Passed CLEAN  
[198.241.162.22]:12141 [198.241.162.22]  -> 
, Queue-ID: D19FC40B0A, Message-ID: 
, mail_id: X1sVYvfQoUFh, Hits: -0.877, size: 
2490, queued_as: 250 2.6.0 Message received, 
dkim_sd=cportal:visaprepaidprocessing.com, 1280 ms


Jun 27 07:55:32 smtp postfix/smtp[22949]: D19FC40B0A: to=, 
relay=127.0.0.1[127.0.0.1]:10021, delay=2.6, delays=1.3/0/0/1.3, dsn=2.6.0, 
status=sent (250 2.6.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.6.0 Message 
received)




From: Gabriele Bulfon [mailto:gbul...@sonicle.com] 
Sent: Tuesday, June 27, 2017 2:35 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: RE: different spamassassin behaviours

Hi, thanks for your response.

There are a lot of things raising the score manually:
 
X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_50,CUSTOM_MANY_BL,
HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSBL_INPS_DE,
RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_H2,RCVD_IN_UCEPROTECT2,
RCVD_IN_UCEPROTECT3,RCVD_IN_WPBL,SPF_HELO_PASS,TVD_RCVD_SPACE_BRACKET,
T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_ABUSE_SURBL,URIBL_DBL_SPAM
autolearn=spam autolearn_force=no version=3.4.1

All the files are taken from /sonicle/etc/mail/spamassassin and 
/sonicle/share/spamassassin, and they look to be read both manually and during 
the postfix run, as many of the mails are caught and contain X-Spam-Status with 
tags taken from there (sare cf files, kam file, fili_br file etc).
Also, many of the auto-learnt mails get spammed after being trained.
Bayes is configured as:

use_bayes 1
bayes_auto_learn 1
bayes_path /sonicle/var/spamassassin/bayes_db/bayes
bayes_file_mode 0777

and here are the files:

sonicle@www:~$ ls -l /sonicle/var/spamassassin/bayes_db
total 12699
-rw-rw-rw- 1 snclamav snclamav 25680 Jun 27 08:28 bayes_journal
-rw-rw-rw- 1 snclamav snclamav 10567680 Jun 27 07:58 bayes_seen
-rw-rw-rw- 1 snclamav snclamav 5128192 Jun 27 07:58 bayes_toks

here are the amavis processes:

sonicle@www:~$ ps -ef | grep amavisd
snclamav 23517 20393 0 07:43:58 ? 0:04 /sonicle/bin/perl -T 
/sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...
snclamav 20393 6278 0 May 12 ? 0:49 /sonicle/bin/perl -T /sonicle/sbin/amavisd 
-u snclamav -c /sonicle/etc/amavis/a...
snclamav 29614 20393 0 08:28:49 ? 0:00 /sonicle/bin/perl -T 
/sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...

Is there any way I can run amavisd manually exactly as postfix would during 
an incoming email?
I bet I need debugging output, but enabling it live may fill my mail logs, and 
I would have to wait for some spam to get in.

Thanks again,
Gabriele




--
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon

____


From: Dino Edwards 
To: amavis-users@amavis.org
Date: 26 June 2017 19.08.11 CEST
Subject: RE: different spamassassin behaviours

Do you know for a fact that the bayes database is making those scores get 
higher when you run it in debug? If so, where is your bayes database stored and 
who is the owner of that path? Do you know for a fact that Amavis calls 
Spamassassin to scan emails?
 
 
 
 
 


 
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Gabriele Bulfon
Sent: Monday, June 26, 2017 11:57 AM
To: amavis-users@amavis.org
Subject: different spamassassin behaviours
 
Hi,

I have some installation of amavis+postfix, where I discovered that some spam 
is coming in with a very low score, but if
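The 2017-06-28 advice above (set $sa_tag_level_deflt = undef so the header is added to every message, then compare the headers of the normal and the manual run) and the 2017-06-27 request for both X-Spam-Status headers come down to a diff of the two test lists. The script below is an added example, not code from the thread or from amavis/SpamAssassin: it unfolds the header amavis adds, parses score and tests, and reports which rules fired in only one run. The 18.1-point header is the one Gabriele quoted; the -0.347 header is constructed (the thread reports only its score), and the "network"/"bayes" grouping is a rule-name prefix heuristic I assume, not SpamAssassin metadata.

```python
"""Diff two X-Spam-Status headers for the same message.

Added example, not code from the thread or from amavis/SpamAssassin.
MANUAL_RUN is the header quoted in the thread; POSTFIX_RUN is constructed.
"""
import re
from dataclasses import dataclass

# Quoted in the thread: the manual spamassassin run of the message.
MANUAL_RUN = (
    "X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_50,CUSTOM_MANY_BL,\n"
    "\tHTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSBL_INPS_DE,\n"
    "\tRCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_H2,RCVD_IN_UCEPROTECT2,\n"
    "\tRCVD_IN_UCEPROTECT3,RCVD_IN_WPBL,SPF_HELO_PASS,TVD_RCVD_SPACE_BRACKET,\n"
    "\tT_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_ABUSE_SURBL,URIBL_DBL_SPAM\n"
    "\tautolearn=spam autolearn_force=no version=3.4.1"
)

# Constructed: a plausible amavis-added header for the run that scored -0.347
# (the thread quotes only the score, not the test list).
POSTFIX_RUN = (
    "X-Spam-Status: No, score=-0.347 required=5.0 tests=BAYES_50,\n"
    "\tHTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,\n"
    "\tTVD_RCVD_SPACE_BRACKET,T_REMOTE_IMAGE,UNPARSEABLE_RELAY autolearn=no\n"
    "\tautolearn_force=no version=3.4.1"
)


@dataclass(frozen=True)
class SpamStatus:
    verdict: str        # "Yes" or "No"
    score: float
    required: float
    tests: frozenset    # rule names that fired
    fields: dict        # every key=value token (autolearn, version, ...)


def parse_spam_status(header: str) -> SpamStatus:
    """Parse one (possibly folded) X-Spam-Status header."""
    # Unfold RFC 5322 continuation lines: newline followed by whitespace.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    name, _, body = unfolded.partition(":")
    if name.strip().lower() != "x-spam-status":
        raise ValueError(f"not an X-Spam-Status header: {name!r}")
    verdict, _, rest = body.strip().partition(",")
    fields = {}
    current = None
    # SpamAssassin folds the comma-separated test list across lines, so a
    # token without "=" continues the value of the previous key.
    for token in rest.split():
        if "=" in token:
            current, value = token.split("=", 1)
            fields[current] = value
        elif current is not None:
            fields[current] += token
    tests = frozenset(t for t in fields.get("tests", "").split(",") if t)
    return SpamStatus(verdict.strip(), float(fields["score"]),
                      float(fields["required"]), tests, fields)


def diff_tests(a: SpamStatus, b: SpamStatus) -> dict:
    """Rules that fired in only one of the two runs, plus the score gap."""
    return {
        "only_in_a": sorted(a.tests - b.tests),
        "only_in_b": sorted(b.tests - a.tests),
        "common": sorted(a.tests & b.tests),
        "score_gap": round(a.score - b.score, 3),
    }


# Assumed prefix heuristic: RCVD_IN_*/URIBL_*/DNS_* need DNS lookups,
# BAYES_* needs the Bayes database; everything else is "other".
CATEGORY_PREFIXES = (
    ("network (DNSBL/URIBL)", ("RCVD_IN_", "URIBL_", "DNS_")),
    ("bayes", ("BAYES_",)),
)


def categorize(tests) -> dict:
    """Group rule names by the subsystem their prefix points at."""
    buckets = {label: [] for label, _ in CATEGORY_PREFIXES}
    buckets["other"] = []
    for test in sorted(tests):
        for label, prefixes in CATEGORY_PREFIXES:
            if test.startswith(prefixes):
                buckets[label].append(test)
                break
        else:
            buckets["other"].append(test)
    return buckets


def report(manual: str, postfix: str) -> str:
    """Human-readable summary of what separates the two runs."""
    a, b = parse_spam_status(manual), parse_spam_status(postfix)
    d = diff_tests(a, b)
    lines = [f"manual: {a.verdict} score={a.score}; postfix: {b.verdict} score={b.score}",
             f"score gap: {d['score_gap']}"]
    for side, key in (("manual", "only_in_a"), ("postfix", "only_in_b")):
        for label, names in categorize(d[key]).items():
            if names:
                lines.append(f"  fired only in {side} run [{label}]: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MANUAL_RUN, POSTFIX_RUN))
```

Copy the two headers from the message source into parse_spam_status() and read the "fired only in" lines. With the constructed input, every rule missing from the daemon run is a DNSBL/URIBL lookup, which is the kind of difference (DNS reachable from the shell but not from the daemon, or $sa_local_tests_only set on one side) worth checking first; with real input the grouping tells you whether to look at the network, at the Bayes database or at the local rule files.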

RE: different spamassassin behaviours

2017-06-26 Thread Dino Edwards
Do you know for a fact that the bayes database is making those scores get 
higher when you run it in debug? If so, where is your bayes database stored and 
who is the owner of that path? Do you know for a fact that Amavis calls 
Spamassassin to scan emails?







From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Gabriele Bulfon
Sent: Monday, June 26, 2017 11:57 AM
To: amavis-users@amavis.org
Subject: different spamassassin behaviours

Hi,

I have some installation of amavis+postfix, where I discovered that some spam 
is coming in with a very low score, but if I run spamassassin in debug mode on 
the same emails they get a very high score.

On my installations, amavisd runs under the "snclamav" user, while the 
smtp-amavis postfix daemons run under the "snclmail" user.
I run the bayes learning using the snclamav user, and also run spamassassin in debug 
mode using the same user, which stores the bayes database in a specific path.

Any idea what may happen when amavisd spawns spamassassin that does not happen in 
manual debug mode?

Thanks for any help

Gabriele
--
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon
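An added example (not code from the thread) for the two questions asked above, where the Bayes database lives and who owns that path: it parses the SpamAssassin settings, the `ls -l` listing of the bayes_db directory and the `ps -ef` line for amavisd that Gabriele posts in his reply, all reproduced here as constructed sample text with the truncated config path kept as quoted, and cross-checks the path, the file owner and the mode against the user amavisd runs as.

```python
"""Cross-check the Bayes database path, owner and mode against the amavisd user.

Added example, not code from the thread. All three inputs are constructed
sample text reproducing what the thread quotes; the amavisd config path is
truncated to "a..." in the thread and is left that way.
"""
import re
from dataclasses import dataclass

SA_CONFIG = """\
use_bayes 1
bayes_auto_learn 1
bayes_path /sonicle/var/spamassassin/bayes_db/bayes
bayes_file_mode 0777
"""

LS_OUTPUT = """\
total 12699
-rw-rw-rw- 1 snclamav snclamav    25680 Jun 27 08:28 bayes_journal
-rw-rw-rw- 1 snclamav snclamav 10567680 Jun 27 07:58 bayes_seen
-rw-rw-rw- 1 snclamav snclamav  5128192 Jun 27 07:58 bayes_toks
"""

PS_OUTPUT = (
    "snclamav 23517 20393 0 07:43:58 ? 0:04 /sonicle/bin/perl -T "
    "/sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...\n"
)


@dataclass(frozen=True)
class FileEntry:
    mode: str    # symbolic mode as ls prints it, e.g. -rw-rw-rw-
    owner: str
    group: str
    name: str

    @property
    def world_writable(self) -> bool:
        return self.mode[8] == "w"   # index 8 is the "other" write bit


# ls -l: mode links owner group size month day time-or-year name
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


def parse_ls(text: str):
    """FileEntry records for each `ls -l` line (the 'total' line is skipped)."""
    return [FileEntry(*m.groups())
            for m in (LS_LINE.match(line) for line in text.splitlines()) if m]


def parse_sa_config(text: str) -> dict:
    """Key/value pairs of a SpamAssassin .cf fragment; '#' comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def daemon_user(ps_text: str, daemon: str = "amavisd") -> str:
    """User the daemon runs as: its `-u user` argument if given, otherwise
    the process owner column of the first matching `ps -ef` line."""
    for line in ps_text.splitlines():
        if daemon in line:
            m = re.search(r"\s-u\s+(\S+)", line)
            return m.group(1) if m else line.split()[0]
    raise LookupError(f"no {daemon} process in ps output")


def check_bayes(cfg: dict, entries, user: str) -> dict:
    """Report whether SpamAssassin under `user` sees a usable, private Bayes DB."""
    prefix = cfg.get("bayes_path", "bayes").rsplit("/", 1)[-1]
    present = {e.name: e for e in entries if e.name.startswith(prefix + "_")}
    # DB_File backend: scoring needs the token and seen databases.
    missing = sorted({f"{prefix}_toks", f"{prefix}_seen"} - set(present))
    owners = sorted({e.owner for e in present.values()})
    world_writable = sorted(n for n, e in present.items() if e.world_writable)
    findings = []
    if cfg.get("use_bayes") != "1":
        findings.append("use_bayes is not 1: Bayes is not consulted at all")
    if missing:
        findings.append("missing database files: " + ", ".join(missing))
    if present and owners != [user]:
        findings.append(f"files owned by {', '.join(owners)} but amavisd runs as {user}")
    if world_writable:
        findings.append("world-writable files (any local account can alter them): "
                        + ", ".join(world_writable))
    if int(cfg.get("bayes_file_mode", "0700"), 8) & 0o002:
        findings.append("bayes_file_mode grants world write to newly created files")
    return {"daemon_user": user, "owners": owners, "missing": missing,
            "world_writable": world_writable, "findings": findings}


if __name__ == "__main__":
    result = check_bayes(parse_sa_config(SA_CONFIG), parse_ls(LS_OUTPUT),
                         daemon_user(PS_OUTPUT))
    for finding in result["findings"] or ["no findings"]:
        print(finding)
```

On a live box, feed the real `ls -l` of the bayes_path directory, the real `ps -ef | grep amavisd` output and the active local.cf into the same functions. An owner mismatch is the situation the question above is probing for; the world-writable finding is a separate caveat on `bayes_file_mode 0777`, which both configs in this thread use and which lets any local account alter the database.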


RE: How many antivirus are recommended?

2017-06-20 Thread Dino Edwards
How about Eset?

-Original Message-
From: Alex [mysqlstud...@gmail.com]
Received: Tuesday, 20 Jun 2017, 9:56AM
To: Hugo Manuel Ojendiz Lemus [ojendi...@halmex.com.mx]; 
amavis-users@amavis.org [amavis-users@amavis.org]
Subject: Re: How many antivirus are recommended?

Hi,

On Tue, Jun 20, 2017 at 8:42 AM, Hugo Manuel Ojendiz Lemus
 wrote:
> I'm sorry to inform that I've abandoned the idea of installing COMODO
> antivirus. Mainly because the OS version incompatibility, and heavy use of the
> GUI.
>
> I'm still searching for another antivirus

That's very disappointing. Avira have confirmed to me via email that
they no longer have a Unix product.

Still waiting on a response from f-prot.


RE: Client host rejected: Access denied

2017-06-14 Thread Dino Edwards
Technically, this question belongs on the postfix mailing list since it is 
not amavis related. They will be able to assist you better.



-Original Message-
From: Scappatura Rocco [rocco.scappat...@infracom.it]
Received: Wednesday, 14 Jun 2017, 6:09AM
To: 'amavis-users@amavis.org' [amavis-users@amavis.org]
Subject: Client host rejected: Access denied

Hello.

My MTA (Debian Lenny with postfix+amavisd-new+spamassassin+clamav) rejected an 
SMTP connection from Yahoo:

Jun 13 17:04:01 av7 postfix/smtpd[25250]: NOQUEUE: reject: RCPT from 
sonic317-25.consmr.mail.ir2.yahoo.com[87.248.110.215]: 554 5.7.1 
: Client host rejected: 
Access denied; from= to= proto=ESMTP 
helo=

I can't figure out why. Here is my postfix config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination = xxx.example.com, localhost.example.com, , localhost
myhostname = xxx.example.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
proxy_read_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf 
proxy:mysql:/etc/postfix/mysql-relay-domains.cf 
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf 
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf 
proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:unix:passwd.byname 
proxy:mysql:/etc/postfix/mysql-virtual-transports.cf
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
relayhost =
smtp_host_lookup = native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 40
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 250
smtpd_error_sleep_time = 0s
smtpd_hard_error_limit = 10
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031 
permit_sasl_authenticated check_client_access 
proxy:mysql:/etc/postfix/mysql-check-client-access.cf permit_mynetworks 
reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient 
reject_unlisted_sender reject_unlisted_recipient reject_unknown_sender_domain 
reject_invalid_hostname reject_rbl_client psbl.surriel.com, reject_rhsbl_sender 
dsn.rfc-ignorant.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client 
truncate.gbudb.net, reject_rbl_client zen.spamhaus.org, check_policy_service 
inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access 
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access 
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access 
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transports.cf

As you can see, 'smtpd_client_restrictions' is not used.

Could someone explain the reason for the rejection?

Regards,

RS





RE: block exe in pdf-files? [SOLVED]

2017-06-11 Thread Dino Edwards
I would be interested in an example too

Sent from my Android phone using TouchDown (www.symantec.com)

-Original Message-
From: postmas...@wf-partner.com [postmas...@wf-partner.com]
Received: Sunday, 11 Jun 2017, 11:29AM
To: Daniel Rieken [danielrieke...@gmail.com]
CC: amavis-users@amavis.org [amavis-users@amavis.org]; amavis-users 
[amavis-users-bounces+postmaster=wf-partner@amavis.org]
Subject: Re: block exe in pdf-files? [SOLVED]

Hello Daniel,
do you have an example pdf to test if this is working?

Regards
Thomas
On 2017-06-10 17:46, Daniel Rieken wrote:
> Hello Dino,
> that worked for me, thanks a lot!
>
> Cheers Daniel
>
> 2017-05-30 16:17 GMT+02:00 Dino Edwards
> :
>> I think you are right. Probably not. If you are using clamav, I wonder
>> if setting the following in clamav would give you the desired result?
>>
>> ScanOLE2 true
>> OLE2BlockMacros true
>> ScanPDF true


RE: block exe in pdf-files? [SOLVED]

2017-06-10 Thread Dino Edwards
Great. Thanks for the feedback. I am glad it works.

-Original Message-
From: Daniel Rieken [danielrieke...@gmail.com]
Received: Saturday, 10 Jun 2017, 12:13PM
To: amavis-users@amavis.org [amavis-users@amavis.org]
Subject: Re: block exe in pdf-files? [SOLVED]

Hello Dino,
that worked for me, thanks a lot!

Cheers Daniel

2017-05-30 16:17 GMT+02:00 Dino Edwards :
> I think you are right. Probably not. If you are using clamav, I wonder if 
> setting the following in clamav would give you the desired result?
>
> ScanOLE2 true
> OLE2BlockMacros true
> ScanPDF true


RE: Tag spam only for recipients from a domain

2017-06-06 Thread Dino Edwards
First of all, for spam the following directive applies:

$final_spam_destiny = D_DISCARD;

Not 

$final_banned_destiny = D_DISCARD;   

$final_banned_destiny is for banned files not spam.

In order to accomplish what you want, you should probably set up

$final_spam_destiny = D_DISCARD;

That would probably take care of all the rest of the users, and then for the 
example.com domain, create a policy that has a really high spam_kill_level 
and assign the users you want to it. So, a spam_kill_level of 999 would probably 
work. 

You are going to have to use a database to accomplish all this.



  

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Scappatura Rocco
Sent: Monday, June 5, 2017 10:46 AM
To: 'amavis-users@amavis.org' 
Subject: Tag spam only for recipients from a domain

Hi,

I have Debian Lenny with postfix+amavisd-new+spamassassin+clamav.

The settings of amavisd-new for tagging spam are the following:

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level 
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level 
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;# only tests which do not require internet access?

$final_banned_destiny = D_DISCARD;   # D_REJECT when front-end MTA

I need the messages for recipients of a particular domain (say, 
example.com) to be scanned like all other messages. Moreover (unlike the other 
domains), I would like the messages for recipients of the domain 'example.com', 
even if the score is >6.31, not to be discarded but to be marked as 
SPAM and delivered. 

How could I get such behaviour from my mail gateway?

Regards,

RS


RE: How many antivirus are recommended?

2017-06-01 Thread Dino Edwards
Short answer is: As many as you can have where it won't impact email delivery 
or performance.

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Hugo Manuel Ojendiz Lemus
Sent: Thursday, June 1, 2017 8:30 AM
To: amavis-users@amavis.org
Subject: How many antivirus are recommended?

Hi everyone!

Currently we have installed Clamav and Sophos Antivirus. I'm considering
installing Comodo Antivirus, but I don't know if this will be beneficial or
won't have any impact in the battle against viruses.
I'm not worried about performance; the server has plenty of resources and
low traffic.

Thanks in advance for any advice.

Good day!!

Hugo Manuel Ojendz Lemus | HAL México



RE: block exe in pdf-files?

2017-05-30 Thread Dino Edwards
I think you are right. Probably not. If you are using clamav, I wonder if 
setting the following in clamav would give you the desired result?

ScanOLE2 true
OLE2BlockMacros true
ScanPDF true



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Jakob Curdes
Sent: Tuesday, May 30, 2017 10:03 AM
To: amavis-users@amavis.org
Subject: Re: block exe in pdf-files?

But would this work for a docm that needs to be extracted from a PDF? I was not 
aware that amavisd or the tools it uses are able to extract stuff embedded in a 
pdf.

JC


On 30.05.2017 at 15:38, Dino Edwards wrote:
> Have you tried the following in your file rule?
>
> [qr'.\.(docm)$'ix => 1],
> [qr'.\.(dotm)$'ix => 1],
> [qr'.\.(xlsm)$'ix => 1],
> [qr'.\.(xltm)$'ix => 1]
>
> The above SHOULD block macro-enabled Office docs.
>
>
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] 
> On Behalf Of Daniel Rieken
> Sent: Tuesday, May 30, 2017 9:02 AM
> To: amavis-users@amavis.org
> Subject: block exe in pdf-files?
>
> Hello,
>
> is it possible to block exe- or docm/xlsm/pptm-files inside of PDF-files?
>
> The new Jaff ransomware is sending a PDF-file with a docm inside this PDF. So 
> I would like to be able to block these emails with amavisd-new...
>
>
> Cheers!
> Daniel



RE: block exe in pdf-files?

2017-05-30 Thread Dino Edwards
Have you tried the following in your file rule?

[qr'.\.(docm)$'ix => 1],
[qr'.\.(dotm)$'ix => 1],
[qr'.\.(xlsm)$'ix => 1],
[qr'.\.(xltm)$'ix => 1]

The above SHOULD block macro-enabled Office docs. 


-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Daniel Rieken
Sent: Tuesday, May 30, 2017 9:02 AM
To: amavis-users@amavis.org
Subject: block exe in pdf-files?

Hello,

is it possible to block exe- or docm/xlsm/pptm-files inside of PDF-files?

The new Jaff ransomware is sending a PDF-file with a docm inside this PDF. So I 
would like to be able to block these emails with amavisd-new...


Cheers!
Daniel
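An added example, not amavis code, of what the four name rules above do and do not catch: the Perl qr'...'ix entries are translated to Python regexes with the same flags and applied to a constructed message carrying a .docm and a PDF. The PDF bytes are constructed to contain an /EmbeddedFile object, which is how the second function flags the case Jakob raises (a docm stored inside the PDF), since the name rule only ever sees report.pdf. The embedded-file check is a plain-byte heuristic of my own, not a rule amavis applies.

```python
"""Apply amavis-style banned-name rules to a message's attachment names.

Added example, not amavis code. The rules are the four from the thread; the
message, the .docm bytes and the PDF bytes are constructed here.
"""
import re
from email.message import EmailMessage

# $banned_filename_re entries from the thread as Python regexes.
# Perl qr'...'ix corresponds to re.IGNORECASE | re.VERBOSE.
BANNED_NAME_RULES = [
    (label, re.compile(pattern, re.I | re.X))
    for label, pattern in (
        ("docm", r".\.(docm)$"),
        ("dotm", r".\.(dotm)$"),
        ("xlsm", r".\.(xlsm)$"),
        ("xltm", r".\.(xltm)$"),
    )
]

# Constructed PDF carrying an embedded-file stream (not a real Office payload).
PDF_WITH_EMBEDDED_FILE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /EmbeddedFile /Length 11 >> stream\n"
    b"hello world\n"
    b"endstream endobj\n"
    b"2 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 1 0 R >> >> endobj\n"
    b"%%EOF\n"
)
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def build_sample_message() -> EmailMessage:
    """Constructed two-attachment message: a macro-enabled doc and a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(b"PK\x03\x04 not a real document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice.DOCM")   # upper case exercises the /i flag
    msg.add_attachment(PDF_WITH_EMBEDDED_FILE, maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


def banned_attachments(msg: EmailMessage, rules=BANNED_NAME_RULES):
    """(filename, rule label) for every attachment whose name a rule bans."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for label, rx in rules:
            if rx.search(name):
                hits.append((name, label))
                break
    return hits


def pdf_has_embedded_file(data: bytes) -> bool:
    """Heuristic: an uncompressed /EmbeddedFile object is visible in the bytes.
    Markers inside compressed object streams are not seen by this check."""
    return data.startswith(b"%PDF") and b"/EmbeddedFile" in data


def pdfs_with_embedded_files(msg: EmailMessage):
    """Names of PDF attachments that carry an embedded file; the name rules
    above never see these, because the outer name ends in .pdf."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(".pdf")
            and pdf_has_embedded_file(part.get_payload(decode=True))]


if __name__ == "__main__":
    sample = build_sample_message()
    print("banned by name:", banned_attachments(sample))
    print("PDFs with embedded files:", pdfs_with_embedded_files(sample))
```

Running it shows Invoice.DOCM caught by the docm rule while report.pdf passes the name rules and is only flagged by the byte-level check, which is the gap the thread discusses before the ClamAV settings (ScanPDF, ScanOLE2, OLE2BlockMacros) come up as the place to handle content inside the PDF.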


RE: Suppress delivery-notification/Read-receipt for spam?

2017-04-24 Thread Dino Edwards
How about an SA meta rule like this?

header __DISPOSITION_NOTIFICATION_TO exists:Disposition-Notification-To 
header   __SUBJECT_CONTAINS_SPAM Subject =~ /\bSPAM\b/i
meta SPAM_WITH_READ_RECEIPT  (__DISPOSITION_NOTIFICATION_TO && 
__SUBJECT_CONTAINS_SPAM)
score  SPAM_WITH_READ_RECEIPT 15

Assuming you have a MYNETS policy in amavis, they should in effect get blocked.

$policy_bank{'MYNETS'} = {  # mail originating from @mynetworks
   originating => [1],  # is true in MYNETS by deflt, but let's make it explicit
   terminate_dsn_on_notify_success => [0],
   spam_kill_level_maps => [6.9],
   spam_subject_tag2_maps => ["***SPAM ORIGINATED FROM LOCAL NETWORK*** "],
   virus_admin_maps => ["postmaster\@$mydomain"], # alert of internal viruses
   spam_admin_maps  => ["postmaster\@$mydomain"],  # alert of internal spam
   warnbadhsender => [1],  # warn local senders about their broken MUA
   spam_quarantine_cutoff_level_maps => [15],
};



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Ralf Hildebrandt
Sent: Sunday, April 23, 2017 3:32 PM
To: amavis-users@amavis.org
Subject: Re: Suppress delivery-notification/Read-receipt for spam?

* Robert Schetterer :
> On 23.04.2017 at 18:50, Ralf Hildebrandt wrote:
> > * Benny Pedersen :
> >> Ralf Hildebrandt wrote on 2017-04-22 11:52:
> >>
> >>> Can this be suppressed somehow?
> >>
> >> you know postfix very well imho :=)
> >>
> >> header_checks ignore.
> > 
> > But WHICH headers to ignore? Primarily Outlook Read receipts are of 
> > my concern
> > 
> 
> on a postfix (spamassassin)  exchange gateway
> 
> /etc/postfix/header_checks
> 
> /^Subject: Abwesenheitsnotiz: .*.*.*.*SPAM*/ REJECT dont send 
> vaccation messages to senders allready marked as SPAM (2)
> /^Subject: Unzustellbar: .*.*.*.*SPAM*/ REJECT dont send ndrs to 
> senders allready marked as SPAM (3)

No, that's not what I'm looking for. That would suppress all Notices.

I want to suppress these ONLY for spammy mails (meaning: I have to deactivate 
the header telling Outlook "Send a read-receipt" whenever a mail is considered 
spammy)

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


RE: Open relay from localhost and other questions

2017-04-20 Thread Dino Edwards
In the @lookup_sql_dsn I have the following which works with no problem:

@lookup_sql_dsn = (
['DBI:mysql:database=dbase;host=127.0.0.1;port=3306',
 'sqluser',
 'somepassword']);

I’m not exactly sure what you are attempting to do with the $sql_select_policy 
statement, maybe you can elaborate?



From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Robert Moskowitz
Sent: Wednesday, April 19, 2017 4:49 PM
To: amavis-users@amavis.org
Subject: Open relay from localhost and other questions

This is my new test setup.

I end amavis.conf with:


1;  # insure a defined return value
$mydomain = 'test.htt-consult.com';
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$myhostname = 'z9m9z.test.htt-consult.com';   # must be a fully-qualified domain name!
$log_level = 1; # set the log level to one
$sa_tag_level_deflt = -99; # I want to see the headers so change to -99
$sa_tag2_level_deflt = 5.0; # start with 5
$sa_kill_level_deflt = 9;
$sa_dsn_cutoff_level = 9;
$sa_quarantine_cutoff_level = 50;
$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 [2607:f4b8:3::]/48
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 50.253.254.0/28);
@lookup_sql_dsn =
   ( ['DBI:mysql:database=postfix;host=localhost;mysql_socket=/var/lib/mysql/mysql.sock',
      'postfix', 'postfixpassword'] );
$sql_select_white_black_list = undef;
$sql_select_policy = 'SELECT "Y" as local, 1 as id FROM domain WHERE 
CONCAT("@",domain) IN (%k)';
1;  # insure a defined return value

This was done by appending my specific options after the 1; line then adding my 
own 1; line.

r...@z9m9z.test.htt-consult.com

is NOT in the postfix database

In postfix/main.cf I have:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'

and in master.cf I have:

smtpd     pass  -       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
  -o content_filter=
amavis    unix  -       -       y       -       2       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20



I am seeing the following in maillog from logwatch:

Lots of questions.  The 4th line has an amavis SQL failure.
Then concern that it is coming from an open relay?
Amavis gets called a 2nd then 3rd time?  Should I put content_filter= with qmgr 
so it does not call amavis?

thanks

Apr 10 03:34:36 z9m9z postfix/pickup[1501]: C735BB25B: uid=0 from=
Apr 10 03:34:37 z9m9z postfix/cleanup[2077]: C735BB25B: message-id=<20170410073436.c735bb...@z9m9z.test.htt-consult.com>
Apr 10 03:34:37 z9m9z postfix/qmgr[3107]: C735BB25B: from=, size=5300, nrcpt=1 (queue active)
Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 129) line 172.
Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) LMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20170409T010521-02045-SZAIGFN5:  ->  SIZE=5300 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Mon, 10 Apr 2017 03:34:38 -0400 (EDT)
Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) Checking: SGMxb1MYeOCZ [127.0.0.1]  -> 
Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) Open relay? Nonlocal recips but not originating: r...@z9m9z.test.htt-consult.com
Apr 10 03:34:51 z9m9z postfix/smtpd[2120]: connect from localhost[127.0.0.1]
Apr 10 03:34:52 z9m9z postfix/smtpd[2120]: 9D31F6B28: client=localhost[127.0.0.1]
Apr 10 03:34:52 z9m9z postfix/cleanup[2077]: 9D31F6B28: message-id=<20170410073436.c735bb...@z9m9z.test.htt-consult.com>
Apr 10 03:34:52 z9m9z postfix/smtpd[2120]: disconnect from localhost[127.0.0.1]
Apr 10 03:34:52 z9m9z amavis[2045]: (02045-11) SGMxb1MYeOCZ FWD from  -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9D31F6B28
Apr 10 03:34:52 z9m9z postfix/qmgr[3107]: 9D31F6B28: from=, size=5795, nrcpt=1 (queue active)
Apr 10 03:34:52 z9m9z amavis[2045]: (02045-11) Passed CLEAN {RelayedOpenRelay}, [127.0.0.1]  -> 

RE: Virus scanners with amavis and fedora

2017-04-14 Thread Dino Edwards
I guess a bigger question is, is there a legitimate reason to allow your users 
to receive macro-enabled Word docs? As far as encrypted Word docs or PDFs or 
such, you can always mark encrypted archives as viruses and effectively 
block them. Anything encrypted like that is obviously trying to hide the 
content because it's either malicious or it's trying to encrypt sensitive 
information. If it's legitimate, a proper encrypted e-mail solution would work 
much better. 

Point is, I don't care what AV solution you are using, some of them are going 
to get through no matter what. Hackers are getting slicker by the day, their 
methods are getting better and better. The AV industry is always trying to play 
catch-up. Is that an acceptable risk to your organization? You need to take 
steps to block as much as possible and let AV be the very last resort. If you 
are counting on your AV to protect everything you are going to get screwed in 
the end. It's as simple as that. 

In my organization we have deployed Snort IDS, DLP to prevent leaks, AV on the 
endpoints and servers, we do SSL decryption to look at all the encrypted 
traffic, FireEye appliances to look for advanced malware on the network, another 
layer with Palo Alto Wildfire and Antivirus at the perimeter, AV/spam filter 
for e-mail, AV on the e-mail server and after ALL that, things still manage to 
get in. It's a cat and mouse game. Nothing is ever perfect.

You can always start blocking .doc files, since let's face it, nobody should be 
using those 13-year-old file formats and if they are, they need to stop. 
Most of that malware comes through as .doc or .rtf files. 

 

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alex
Sent: Friday, April 14, 2017 3:03 PM
To: amavis-users@amavis.org
Subject: Re: Virus scanners with amavis and fedora

Hi,

On Fri, Apr 14, 2017 at 11:00 AM, Dino Edwards  
wrote:
> I mean what specific issues are you having? Do you have Macro enabled 
> encrypted word documents, encrypted PDFs? The reason I'm asking is 
> because there MAY be things you can do already with Amavis and clamav to 
> block a lot of those things.

Do you mean have I configured clamav to scan for these? Or do you mean simply 
have I received macro-enabled encrypted Word docs?

Yes, I have received quite a few. I've also configured clamav for ScanOLE2. 
OLE2BlockMacros is disabled because it then doesn't scan them at all, only 
marks them as having macros.

Thanks,
Alex


RE: Virus scanners with amavis and fedora

2017-04-14 Thread Dino Edwards
Actually I would be interested in a how-to on integrating F-Secure with amavisd-new 
on Ubuntu.

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Andy Fawcett
Sent: Friday, April 14, 2017 11:02 AM
To: amavis-users@amavis.org
Subject: Re: Virus scanners with amavis and fedora

On Fri, 2017-04-14 at 09:00 -0400, Alex wrote:
> Hi,
> 
> On Fri, Apr 14, 2017 at 8:53 AM, Dino Edwards 
>  wrote:
> > What problem are you having with Macro Viruses and PDF spam?
> 
> They're not being caught properly :-)
> 
> The clamav filters just aren't updated sufficiently. And sophos is a 
> joke.
> 
> I'm interested in getting something like f-secure or another 
> commercial scanner working in conjunction with sophos and clamav.
> I've
> tried f-secure, and I can't get it configured properly.

I've been using F-Secure for a number of years with amavisd-new, but on Ubuntu.

What specific problem are you having getting it configured?


Andy




> > 
> > -Original Message-
> > From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydire
> > ctmail@amavis.org] On Behalf Of Alex
> > Sent: Thursday, April 13, 2017 8:32 PM
> > To: amavis-users@amavis.org
> > Subject: Virus scanners with amavis and fedora
> > 
> > Hi,
> > 
> > Does anyone have a current list of virus scanners that work with the 
> > current version of amavis and fedora25? Of course clamav works, but 
> > are there others? Commercial?
> > 
> > We've had some success with Sophos, but clamav+sane+malware is far 
> > better. I think we need a third to help with the Word macro viruses 
> > and PDF spam.
> > 
> > Thanks,
> > Alex


RE: Virus scanners with amavis and fedora

2017-04-14 Thread Dino Edwards
I mean what specific issues are you having? Do you have Macro enabled encrypted 
word documents, encrypted PDFs? The reason I'm asking is because there MAY be 
things you can do already with Amavis and clamav to block a lot of those things.

-Original Message-
From: Alex [mailto:mysqlstud...@gmail.com] 
Sent: Friday, April 14, 2017 9:01 AM
To: Dino Edwards ; amavis-users@amavis.org
Subject: Re: Virus scanners with amavis and fedora

Hi,

On Fri, Apr 14, 2017 at 8:53 AM, Dino Edwards  
wrote:
> What problem are you having with Macro Viruses and PDF spam?

They're not being caught properly :-)

The clamav filters just aren't updated sufficiently. And sophos is a joke.

I'm interested in getting something like f-secure or another commercial scanner 
working in conjunction with sophos and clamav. I've tried f-secure, and I can't 
get it configured properly.

Thanks,
Alex

>
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] 
> On Behalf Of Alex
> Sent: Thursday, April 13, 2017 8:32 PM
> To: amavis-users@amavis.org
> Subject: Virus scanners with amavis and fedora
>
> Hi,
>
> Does anyone have a current list of virus scanners that work with the current 
> version of amavis and fedora25? Of course clamav works, but are there others? 
> Commercial?
>
> We've had some success with Sophos, but clamav+sane+malware is far better. I 
> think we need a third to help with the Word macro viruses and PDF spam.
>
> Thanks,
> Alex


RE: Virus scanners with amavis and fedora

2017-04-14 Thread Dino Edwards
What problem are you having with Macro Viruses and PDF spam?

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Alex
Sent: Thursday, April 13, 2017 8:32 PM
To: amavis-users@amavis.org
Subject: Virus scanners with amavis and fedora

Hi,

Does anyone have a current list of virus scanners that work with the current 
version of amavis and fedora25? Of course clamav works, but are there others? 
Commercial?

We've had some success with Sophos, but clamav+sane+malware is far better. I 
think we need a third to help with the Word macro viruses and PDF spam.

Thanks,
Alex


RE: "No SMTP response to data-dot"-message and delivered the message like 10 times

2017-04-11 Thread Dino Edwards
Absolutely correct. I've been looking at the log file and the problem starts 
here when amavis connects to your local MTA to deliver the email. This happens 
at Apr 10 15:32:29, see below:

Apr 10 15:32:29.077 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) smtp cmd> 
EHLO localhost
Apr 10 15:32:29.077 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop: 
needline=0, flush=1, wr=1, timeout=300
Apr 10 15:32:29.077 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop: 
sending 16 chars
Apr 10 15:32:29.077 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop 
sent 16> EHLO localhost\r\n
Apr 10 15:32:29.078 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop: 
needline=1, flush=0, wr=0, timeout=300
Apr 10 15:32:29.078 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop: 
receiving
Apr 10 15:32:29.078 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) rw_loop 
read 129 chars< 250-rmm.li\r\n250-PIPELINING\r\n250-SIZE 
73400320\r\n250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250
 DSN\r\n
Apr 10 15:32:29.078 rmm.li /usr/sbin/amavisd-new[17487]: (17487-01) smtp resp 
to EHLO: 250 rmm.li\nPIPELINING\nSIZE 
73400320\nVRFY\nETRN\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME

From that point on, amavis attempts to deliver the email to your MTA and 
this goes on and on until Apr 10 16:01:00, almost 30 minutes later, when your 
amavis sends the data-dot command to indicate end of data to your local MTA and 
your MTA responds with 250, see below:

Apr 10 16:01:00.260 rmm.li /usr/sbin/amavisd-new[17487]: (17487-05) smtp resp 
to data-dot (): 250 2.0.0 Ok: queued as 63C282E1C71, dt: 
96706.9 ms

Your problem may be with your MTA, because the problem doesn't arise until 
amavis tries to deliver the email to your MTA.



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Tilman Schmidt
Sent: Tuesday, April 11, 2017 11:53 AM
To: amavis-users@amavis.org
Subject: Re: "No SMTP response to data-dot"-message and delivered the message 
like 10 times

On 11.04.2017 11:52, Michael Meier wrote:
> so now I tried sending an e-mail using amavisd-new debug
> 
> I tried to attach the logfile, but since it is too long the mailing 
> list didn't accept it, so I put it here:
> 
> https://rmm.li/cloud/index.php/s/jjVaWM6MOM0UtdP
> 
> It seems most of the time is spent in those rw_loop calls, which seem to be 
> really slow for copying only really small amounts of data (as I said, 
> the CPU load of the server goes really high while it's doing that). In 
> the statistic at the end it states:
> fwd-data-contents: 183500 (64%)66, fwd-end-chkpnt: 98332 (34%)100,
> 
> anybody got an idea what I could check to find out what the exact 
> problem is?

That log spans half an hour and looks like it contains several mail 
transmissions. I would start by paring it down to a single mail transaction 
that took too long.

Also watch "top" in a second window during the test to see which process is 
causing the CPU load.

And third, it looks like the delay is happening when Amavis is forwarding the 
mail to the MTA on localhost:10025 so you should check your Postfix log, too, 
correlating it with the Amavis log.

HTH
T.

--
Tilman Schmidt
cardtech
Card & POS Service GmbH
Richard-Byrd-Straße 37
50829 Köln
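
The correlation Dino does by hand above, reading the EHLO and data-dot lines of one amavis task and checking how long the MTA on 10025 took to answer, can be scripted. The following is an added example and not code from the thread or the amavis project: it parses the two log shapes quoted in the thread (the debug "smtp cmd> EHLO" / "smtp resp to data-dot ..., dt: N ms" lines and the regular "No SMTP response to data-dot ..., dt: N s" / "Passed MTA-BLOCKED {TempFailed...}" lines), groups them by amavis task id and flags hand-offs that were slow or never answered. The sample lines are constructed after the page's format; hostnames, addresses and queue ids are placeholders, and the year, which syslog timestamps omit, is assumed to be 2017.

```python
"""Per-task timing of the amavisd-new -> MTA hand-off, from amavis log lines.

Added example, not code from the amavis-users thread or the amavis project.
Sample lines are constructed after the format quoted on the page; hostnames,
addresses and queue ids are placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# "Apr 10 15:32:29.077 host /usr/sbin/amavisd-new[17487]: (17487-01) <msg>"
# also matches the plain syslog form "Apr  6 13:56:25 host amavis[22678]: (22678-17) <msg>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) \S+ \S+: \((?P<task>\d+-\d+)\) (?P<msg>.*)$"
)
# amavis reports the elapsed time as "dt: 96706.9 ms" in debug and "dt: 60.058 s" otherwise
DT_RE = re.compile(r"dt: (?P<val>[\d.]+) (?P<unit>ms|s)\b")

# constructed sample: one slow but successful hand-off, one fast one, one that timed out
SAMPLE_LOG = """\
Apr 10 15:32:29.077 mx.example.net /usr/sbin/amavisd-new[17487]: (17487-01) smtp cmd> EHLO localhost
Apr 10 15:34:05.990 mx.example.net /usr/sbin/amavisd-new[17487]: (17487-01) smtp resp to data-dot (<user@example.org>): 250 2.0.0 Ok: queued as 1AAA1BBB1CC, dt: 96706.9 ms
Apr 10 15:40:10.100 mx.example.net /usr/sbin/amavisd-new[17487]: (17487-02) smtp cmd> EHLO localhost
Apr 10 15:40:10.350 mx.example.net /usr/sbin/amavisd-new[17487]: (17487-02) smtp resp to data-dot (<user@example.org>): 250 2.0.0 Ok: queued as 2DDD2EEE2FF, dt: 248.3 ms
Apr  6 13:55:25 mx amavis[22678]: (22678-17) smtp cmd> EHLO localhost
Apr  6 13:56:25 mx amavis[22678]: (22678-17) No SMTP response to data-dot (<user@example.org>, etc.), dt: 60.058 s
Apr  6 13:56:25 mx amavis[22678]: (22678-17) Passed MTA-BLOCKED {TempFailedInbound,TempFailedOpenRelay}, [203.0.113.54]:49780 [203.0.113.54] <sender@example.com> -> <user@example.org>, Queue-ID: 3GGG3HHH3II
"""


@dataclass
class Forward:
    """What one amavis task did when forwarding to the MTA on 10025."""
    task: str
    ehlo_at: Optional[datetime] = None
    data_dot_at: Optional[datetime] = None
    dt_seconds: Optional[float] = None      # amavis's own "dt:" figure, in seconds
    mta_answered: Optional[bool] = None     # None until a data-dot event is seen
    tempfailed: bool = False                # amavis returned 451 to Postfix
    queued_as: Optional[str] = None         # queue id the MTA handed back, if any


def parse_ts(mon: str, day: str, time: str, year: int = 2017) -> datetime:
    """syslog timestamps carry no year; 2017 is assumed for the samples."""
    hms, _, frac = time.partition(".")
    ts = datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")
    return ts.replace(microsecond=int(frac.ljust(6, "0")[:6])) if frac else ts


def dt_to_seconds(msg: str) -> Optional[float]:
    """Normalise amavis's 'dt:' value to seconds whichever unit it was logged in."""
    m = DT_RE.search(msg)
    if not m:
        return None
    val = float(m.group("val"))
    return val / 1000.0 if m.group("unit") == "ms" else val


def analyse(lines):
    """Return {task_id: Forward} for every amavis task that appears in the lines."""
    forwards = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        task, msg = m.group("task"), m.group("msg")
        fw = forwards.setdefault(task, Forward(task))
        ts = parse_ts(m.group("mon"), m.group("day"), m.group("time"))
        if msg.startswith("smtp cmd> EHLO"):
            fw.ehlo_at = ts                     # start of the hand-off to the MTA
        elif msg.startswith("smtp resp to data-dot"):
            fw.data_dot_at, fw.mta_answered = ts, True
            fw.dt_seconds = dt_to_seconds(msg)
            q = re.search(r"queued as (\w+)", msg)
            fw.queued_as = q.group(1) if q else None
        elif msg.startswith("No SMTP response to data-dot"):
            fw.data_dot_at, fw.mta_answered = ts, False
            fw.dt_seconds = dt_to_seconds(msg)
        elif "MTA-BLOCKED" in msg and "TempFailed" in msg:
            fw.tempfailed = True                # Postfix will defer and retry this one
    return forwards


def slow_or_failed(forwards, slow_threshold_s: float = 60.0):
    """Task ids whose hand-off exceeded the threshold or never got a data-dot reply."""
    return sorted(
        t for t, fw in forwards.items()
        if fw.mta_answered is False
        or (fw.dt_seconds is not None and fw.dt_seconds > slow_threshold_s)
    )


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for task in slow_or_failed(result):
        fw = result[task]
        print(task, "dt=%.3fs" % fw.dt_seconds, "answered=%s" % fw.mta_answered,
              "tempfailed=%s" % fw.tempfailed)
```

Run it against a real amavis log with `amavisd-new debug` output to get the list of tasks that match the symptom discussed, then look up the same timestamps in the Postfix log for the 10025 listener.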



RE: "No SMTP response to data-dot"-message and delivered the message like 10 times

2017-04-07 Thread Dino Edwards
How is the memory usage and the queue space?

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Michael Meier
Sent: Friday, April 7, 2017 2:02 PM
To: amavis-users@amavis.org
Subject: Re: "No SMTP response to data-dot"-message and delivered the message 
like 10 times

thunderbird connects to neither.
thunderbird connects directly to rmm.li, which is a server which is standing 
around somewhere completely else ;-)

But I think it has something to do with how amavis processes the attachment.
I just sent the same picture again, to another address. Thunderbird needed 
several minutes to send it; the first 30% were sent quickly, but then it got 
slower and slower, meanwhile on the server (rmm.li) the load average went up 
from 0.00 to 3.5, and fell again as soon as the mail was finally sent. For a 
server with only two CPUs a load of 3.5 is a lot.
The strange thing was that "top" didn't show any process hogging the CPU.
Then afterwards I uploaded the same picture to the same server, to the 
nextcloud installation, and it took less than 2 seconds...

On 07.04.2017 16:16, Dino Edwards wrote:
> Does Thunderbird connect to the your external or internal IP address?
> 
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] 
> On Behalf Of Michael Meier
> Sent: Friday, April 7, 2017 8:53 AM
> To: Amavis users 
> Subject: Re: "No SMTP response to data-dot"-message and delivered the 
> message like 10 times
> 
> 213.193.81.54 is not an open relay. I've got no idea where it got that idea 
> from.
> And I'm not even using 213.193.81.54 to send my e-mails, I'm using Thunderbird 
> which directly connects to my SMTP server. 213.193.81.54 is my external IP 
> address (and also the SMTP server of the company I'm working at right now, 
> but it's neither an open relay, nor is it used for those transactions in any 
> way).
> It also doesn't give me that openrelay message for the mail I'm sending right 
> now. I guess it must be related to the "No SMTP response to data-dot" error.
> 
> 
> On 07.04.2017 14:43, Dino Edwards wrote:
>> Maybe it's not related to the specific issue, but an Open Relay is a HUGE 
>> problem and I HIGHLY suggest before you look into any other problem, you 
>> should look into why this error is generated. Is the IP address 
>> 213.193.81.54 the IP of your email server? If indeed you have an Open Relay, 
>> you certainly have a big configuration issue.
>>
>>
>>
>> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org
>> ]
>> On Behalf Of Michael Meier
>> Sent: Friday, April 7, 2017 8:28 AM
>> To: Amavis users 
>> Subject: RE: "No SMTP response to data-dot"-message and delivered the 
>> message like 10 times
>>
>> I don't think so. I've sent a lot of e-mails just before that e-mail and a 
>> lot afterwards from exactly the same IP address, also using Thunderbird...
>> but the problem only appeared with that single message.
>> And as I said, the really annoying part was that the message got 
>> delivered more than 10 times (each time I deleted it, it reappeared a 
>> few hours later again, first I thought I was going crazy ;-)))
>>
>>
>> Am 7.4.2017 14:15, schrieb Dino Edwards:
>>> Could this be part of the problem? It says MTA-BLOCKED because it's 
>>> an open relay? Which host is IP address 213.193.81.54?
>>>
>>> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed MTA-BLOCKED 
>>> {TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
>>> [213.193.81.54]  -> ,
>>> Queue-ID: EFB7C2E1317, Message-ID:
>>>
>>>
>>>
>>> -Original Message-
>>> From: amavis-users
>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.or
>>> g
>>> ]
>>> On Behalf Of Michael Meier
>>> Sent: Friday, April 7, 2017 7:39 AM
>>> To: amavis-users@amavis.org
>>> Subject: "No SMTP response to data-dot"-message and delivered the 
>>> message like 10 times
>>>
>>> Hi all
>>>
>>> I've got my own server using postfix and amavis (2.10.1-2~deb8u1) 
>>> under the current debian stable (8).
>>> Yesterday I received a big jpg-file (11MB) which I wanted to resend 
>>> using Thunderbird.
>>> I've sent the jpg to 3 receivers, of which 2 are on my own server 
>>> and
>>> 1 i

RE: "No SMTP response to data-dot"-message and delivered the message like 10 times

2017-04-07 Thread Dino Edwards
Does Thunderbird connect to the your external or internal IP address?

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Michael Meier
Sent: Friday, April 7, 2017 8:53 AM
To: Amavis users 
Subject: Re: "No SMTP response to data-dot"-message and delivered the message 
like 10 times

213.193.81.54 is not an open relay. I've got no idea where it got that idea 
from.
And I'm not even using 213.193.81.54 to send my e-mails, I'm using Thunderbird 
which directly connects to my SMTP server. 213.193.81.54 is my external IP 
address (and also the SMTP server of the company I'm working at right now, but 
it's neither an open relay, nor is it used for those transactions in any way).
It also doesn't give me that openrelay message for the mail I'm sending right 
now. I guess it must be related to the "No SMTP response to data-dot" error.


On 07.04.2017 14:43, Dino Edwards wrote:
> Maybe it's not related to the specific issue, but an Open Relay is a HUGE 
> problem and I HIGHLY suggest before you look into any other problem, you 
> should look into why this error is generated. Is the IP address 213.193.81.54 
> the IP of your email server? If indeed you have an Open Relay, you certainly 
> have a big configuration issue.
> 
> 
> 
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] 
> On Behalf Of Michael Meier
> Sent: Friday, April 7, 2017 8:28 AM
> To: Amavis users 
> Subject: RE: "No SMTP response to data-dot"-message and delivered the 
> message like 10 times
> 
> I don't think so. I've sent a lot of e-mails just before that e-mail and a 
> lot afterwards from exactly the same IP address, also using Thunderbird...
> but the problem only appeared with that single message.
> And as I said, the really annoying part was that the message got 
> delivered more than 10 times (each time I deleted it, it reappeared a 
> few hours later again, first I thought I was going crazy ;-)))
> 
> 
> Am 7.4.2017 14:15, schrieb Dino Edwards:
>> Could this be part of the problem? It says MTA-BLOCKED because it's 
>> an open relay? Which host is IP address 213.193.81.54?
>>
>> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed MTA-BLOCKED 
>> {TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
>> [213.193.81.54]  -> ,
>> Queue-ID: EFB7C2E1317, Message-ID:
>>
>>
>>
>> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org
>> ]
>> On Behalf Of Michael Meier
>> Sent: Friday, April 7, 2017 7:39 AM
>> To: amavis-users@amavis.org
>> Subject: "No SMTP response to data-dot"-message and delivered the 
>> message like 10 times
>>
>> Hi all
>>
>> I've got my own server using postfix and amavis (2.10.1-2~deb8u1) 
>> under the current debian stable (8).
>> Yesterday I received a big jpg-file (11MB) which I wanted to resend 
>> using Thunderbird.
>> I've sent the jpg to 3 receivers, of which 2 are on my own server and
>> 1 is on hotmail.
>> After a while I got a mail from my mail delivery system, saying 3 
>> times, for every receiver:
>>
>> : host 127.0.0.1[127.0.0.1] said: 451 4.5.0
>>  id=09573-03 - Temporary MTA failure on relaying, from
>>  MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in reply to 
>> end of DATA
>>  command)
>>
>>
>> But at least the receivers on my server received the mail anyway 
>> (I'm not sure about the hotmail account, I think there it arrived 
>> only once). The problem is that the server tried to resend the mail 
>> several times. In the end I received the same email 12 times!
>> Each time it tried to resend it, the log files looked like that:
>>
>> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) (!)rw_loop: leaving rw 
>> loop, no progress, last event (select) 60.058 s ago Apr  6 13:56:25 
>> rmm amavis[22678]: (22678-17) No SMTP response to data-dot 
>> (, etc.), dt: 60.058 s Apr  6 13:56:25 rmm
>> amavis[22678]: (22678-17) (!)U_MtABwr2Q_e FWD from 
>> 
>> -> ,,
>> BODY=7BIT 451 4.5.0 from MTA(smtp:[127.0.0.1]:10025): No resp. to 
>> data-dot Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed 
>> MTA-BLOCKED {TempFailedInbound,TempFailedOpenRelay},
>> [213.193.81.54]:49780 [213.193.81.54]  -> 
>> ,
>> Queue-ID: EFB7C2E1317, Message-ID:
>> <5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>, mail_id:
>> U_MtABwr2Q_e

RE: "No SMTP response to data-dot"-message and delivered the message like 10 times

2017-04-07 Thread Dino Edwards
Maybe it's not related to the specific issue, but an Open Relay is a HUGE 
problem and I HIGHLY suggest before you look into any other problem, you should 
look into why this error is generated. Is the IP address 213.193.81.54 the IP 
of your email server? If indeed you have an Open Relay, you certainly have a 
big configuration issue.



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Michael Meier
Sent: Friday, April 7, 2017 8:28 AM
To: Amavis users 
Subject: RE: "No SMTP response to data-dot"-message and delivered the message 
like 10 times

I don't think so. I've sent a lot of e-mails just before that e-mail and a lot 
afterwards from exactly the same IP address, also using Thunderbird...
but the problem only appeared with that single message.
And as I said, the really annoying part was that the message got delivered 
more than 10 times (each time I deleted it, it reappeared a few hours later 
again, first I thought I was going crazy ;-)))


Am 7.4.2017 14:15, schrieb Dino Edwards:
> Could this be part of the problem? It says MTA-BLOCKED because it's an 
> open relay? Which host is IP address 213.193.81.54?
> 
> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed MTA-BLOCKED 
> {TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
> [213.193.81.54]  -> ,
> Queue-ID: EFB7C2E1317, Message-ID:
> 
> 
> 
> -Original Message-
> From: amavis-users
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org]
> On Behalf Of Michael Meier
> Sent: Friday, April 7, 2017 7:39 AM
> To: amavis-users@amavis.org
> Subject: "No SMTP response to data-dot"-message and delivered the 
> message like 10 times
> 
> Hi all
> 
> I've got my own server using postfix and amavis (2.10.1-2~deb8u1) 
> under the current debian stable (8).
> Yesterday I received a big jpg-file (11MB) which I wanted to resend 
> using Thunderbird.
> I've sent the jpg to 3 receivers, of which 2 are on my own server and
> 1 is on hotmail.
> After a while I got a mail from my mail delivery system, saying 3 
> times, for every receiver:
> 
> : host 127.0.0.1[127.0.0.1] said: 451 4.5.0
>  id=09573-03 - Temporary MTA failure on relaying, from
>  MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in reply to 
> end of DATA
>  command)
> 
> 
> But at least the receivers on my server received the mail anyway 
> (I'm not sure about the hotmail account, I think there it arrived only 
> once). The problem is that the server tried to resend the mail 
> several times. In the end I received the same email 12 times!
> Each time it tried to resend it, the log files looked like that:
> 
> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) (!)rw_loop: leaving rw 
> loop, no progress, last event (select) 60.058 s ago Apr  6 13:56:25 
> rmm amavis[22678]: (22678-17) No SMTP response to data-dot 
> (, etc.), dt: 60.058 s Apr  6 13:56:25 rmm 
> amavis[22678]: (22678-17) (!)U_MtABwr2Q_e FWD from  
> -> ,,
> BODY=7BIT 451 4.5.0 from MTA(smtp:[127.0.0.1]:10025): No resp. to 
> data-dot Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed 
> MTA-BLOCKED {TempFailedInbound,TempFailedOpenRelay}, 
> [213.193.81.54]:49780 [213.193.81.54]  -> 
> ,
> Queue-ID: EFB7C2E1317, Message-ID:
> <5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>, mail_id:
> U_MtABwr2Q_e, Hits: -2.79, size: 15512712, queued_as: 2F1A02E1318,
> 526874 ms
> Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Blocked MTA-BLOCKED 
> {TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
> [213.193.81.54]  -> 
> ,, Queue-ID: EFB7C2E1317,
> Message-ID: <5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>,
> mail_id:
> U_MtABwr2Q_e, Hits: -2.79, size: 15512712, 526874 ms Apr  6 13:56:25 
> rmm postfix/smtp[8176]: EFB7C2E1317:
> to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
> delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
> 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22678-17 - Temporary MTA 
> failure on relaying, from MTA(smtp:[127.0.0.1]:10025): No resp. to 
> data-dot (in reply to end of DATA command)) Apr  6 13:56:25 rmm 
> postfix/smtp[8176]: EFB7C2E1317:
> to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
> delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
> 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22678-17 - Temporary MTA 
> failure on relaying, from MTA(smtp:[127.0.0.1]:10025): No resp. to 
> data-dot (in reply to end of DATA command)) Apr  6 13:56:26 rmm 
> postfix/smtp[8176]: EFB7C2E1317:
> to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
> delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
> 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22

RE: "No SMTP response to data-dot"-message and delivered the message like 10 times

2017-04-07 Thread Dino Edwards
Could this be part of the problem? It says MTA-BLOCKED because it's an open 
relay? Which host is IP address 213.193.81.54?

Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed MTA-BLOCKED 
{TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
[213.193.81.54]  -> ,
Queue-ID: EFB7C2E1317, Message-ID:



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Michael Meier
Sent: Friday, April 7, 2017 7:39 AM
To: amavis-users@amavis.org
Subject: "No SMTP response to data-dot"-message and delivered the message like 
10 times

Hi all

I've got my own server using postfix and amavis (2.10.1-2~deb8u1) under the 
current debian stable (8).
Yesterday I received a big jpg-file (11MB) which I wanted to resend using 
Thunderbird.
I've sent the jpg to 3 receivers, of which 2 are on my own server and 1 is on 
hotmail.
After a while I got a mail from my mail delivery system, saying 3 times, for 
every receiver:

: host 127.0.0.1[127.0.0.1] said: 451 4.5.0
 id=09573-03 - Temporary MTA failure on relaying, from
 MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in reply to end of DATA
 command)


But at least the receivers on my server received the mail anyway 
(I'm not sure about the hotmail account, I think there it arrived only 
once). The problem is that the server tried to resend the mail several 
times. In the end I received the same email 12 times!
Each time it tried to resend it, the log files looked like that:

Apr  6 13:56:25 rmm amavis[22678]: (22678-17) (!)rw_loop: leaving rw 
loop, no progress, last event (select) 60.058 s ago
Apr  6 13:56:25 rmm amavis[22678]: (22678-17) No SMTP response to 
data-dot (, etc.), dt: 60.058 s
Apr  6 13:56:25 rmm amavis[22678]: (22678-17) (!)U_MtABwr2Q_e FWD from 
 -> ,, 
BODY=7BIT 451 4.5.0 from MTA(smtp:[127.0.0.1]:10025): No resp. to 
data-dot
Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Passed MTA-BLOCKED 
{TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
[213.193.81.54]  -> ,
Queue-ID: EFB7C2E1317, Message-ID: 
<5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>, mail_id: 
U_MtABwr2Q_e, Hits: -2.79, size: 15512712, queued_as: 2F1A02E1318, 
526874 ms
Apr  6 13:56:25 rmm amavis[22678]: (22678-17) Blocked MTA-BLOCKED 
{TempFailedInbound,TempFailedOpenRelay}, [213.193.81.54]:49780 
[213.193.81.54]  -> 
,, Queue-ID: EFB7C2E1317, 
Message-ID: <5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>, mail_id: 
U_MtABwr2Q_e, Hits: -2.79, size: 15512712, 526874 ms
Apr  6 13:56:25 rmm postfix/smtp[8176]: EFB7C2E1317: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22678-17 - Temporary MTA failure 
on relaying, from MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in 
reply to end of DATA command))
Apr  6 13:56:25 rmm postfix/smtp[8176]: EFB7C2E1317: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22678-17 - Temporary MTA failure 
on relaying, from MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in 
reply to end of DATA command))
Apr  6 13:56:26 rmm postfix/smtp[8176]: EFB7C2E1317: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=802, 
delays=275/0.01/0/527, dsn=4.5.0, status=deferred (host 
127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22678-17 - Temporary MTA failure 
on relaying, from MTA(smtp:[127.0.0.1]:10025): No resp. to data-dot (in 
reply to end of DATA command))
Apr  6 13:56:54 rmm postfix/smtpd[8182]: disconnect from 
localhost[127.0.0.1]
Apr  6 13:56:54 rmm postfix/qmgr[3223]: B70932E137C: 
from=, size=1551, nrcpt=2 (queue active)
Apr  6 13:56:54 rmm dovecot: lmtp(8284): Connect from local
Apr  6 13:56:56 rmm dovecot: lmtp(8284, user1): txN7CAYt5lhcIAAAFCq16w: 
sieve: msgid=<5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>: stored 
mail into mailbox 'INBOX'
Apr  6 13:56:56 rmm postfix/lmtp[8283]: B70932E137C: 
to=, relay=example.com[private/dovecot-lmtp], 
delay=287, delays=285/0.01/0.01/1.9, dsn=2.0.0, status=sent (250 2.0.0 
 txN7CAYt5lhcIAAAFCq16w Saved)
Apr  6 13:56:56 rmm dovecot: lmtp(8284, user2): txN7CAYt5lhcIAAAFCq16w: 
sieve: msgid=<5b76c430-e8a4-4a57-26b1-ae1c4b4f6...@example.com>: stored 
mail into mailbox 'INBOX'
Apr  6 13:56:56 rmm postfix/lmtp[8283]: B70932E137C: 
to=, relay=example.com[private/dovecot-lmtp], 
delay=288, delays=285/0.01/0.01/2.7, dsn=2.0.0, status=sent (250 2.0.0 
 txN7CAYt5lhcIAAAFCq16w Saved)
Apr  6 13:56:56 rmm dovecot: lmtp(8284): Disconnect from local: 
Successful quit

I guess amavis got some problem with the big attachment?
Could there be some kind of misconfiguration?
So far I never had problems with amavis. Well, it was the first time 
that I accidentally sent an e-mail to myself, otherwise I wouldn't have 
noticed the wh

RE: Handling spam, which is not yet on blacklists

2017-03-15 Thread Dino Edwards
You mean like graylisting?

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Frank de Bot (lists)
Sent: Wednesday, March 15, 2017 3:36 PM
To: amavis-users@amavis.org
Subject: Handling spam, which is not yet on blacklists

Hi,

Lately one of my e-mail addresses is receiving a fair amount of spam. I use 
amavis for spam and virus filtering.

The spam score of a message is at first about 3 or 4, too little to discard it 
as spam. But when I do a second scan it easily matches as spam.

An example:

First 3.5 points : BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_SBL=0.141,
RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_REMOTE_IMAGE=0.01, URIBL_SBL=1.623, URIBL_SBL_A=0.1

Second 13.6 points : BAYES_50,HTML_MESSAGE, PYZOR_CHECK, RCVD_IN_SBL, 
RCVD_IN_SBL_CSS, RDNS_NONE, SPF_FAIL, SPF_HELO_PASS, T_REMOTE_IMAGE, 
URIBL_ABUSE_SURBL, URIBL_BLACK, URIBL_DBL_SPAM, URIBL_SBL, URIBL_SBL_A

Noticeable is that the blacklist and pyzor tests are matching the second time; it 
looks like my address is among the first that are being spammed.
The difference between the first and second check was less than 5 minutes.

Is there a good way to deal with this? Every day I need to remove dozens of 
spam messages from my inbox.
If I would delay a message at my incoming server it could do the trick to 
better detect spam, but I don't feel this is a good solution.
I've noticed that some e-mail providers are stalling a first message coming from 
an unknown source; this would be a better solution. Is this something amavis 
can do?

Frank de Bot


RE: spamtrap and dynamic blacklisting

2017-03-15 Thread Dino Edwards
It's interesting that you mentioned mailchimp. We've had the same issues with 
mailchimp. We have contacted them before about people abusing their services 
and they don't seem very interested in doing anything about it, hence I 
wouldn't consider blocking their IPs a bad thing but that's another discussion.

The only way that I know to add spam scores is by creating SA rules. I don't 
think Amavis can add scores on its own unless someone knows another approach to 
this. Regardless, if you don't want to use SQL then you are going to have to 
parse the log files for senders sending to your honeypot receivers and add those 
to a SA rule in order to add the +5 spam score. Again, the entire problem with 
this approach is you are using valuable resources processing e-mail (i.e. 
letting it get to Amavis) instead of stopping it at the front door with Postfix.



-Original Message-
From: Patrick Proniewski [mailto:patrick.proniew...@univ-lyon2.fr] 
Sent: Tuesday, March 14, 2017 7:29 AM
To: amavis-users@amavis.org
Cc: Dino Edwards 
Subject: Re: spamtrap and dynamic blacklisting

Hi Dino,

I'm not so sure. Of course sender is potentially forged, but I have a slightly 
different goal than just spam filtering here.

I have many users (about 40k students+staff+other), and get around 35K messages 
a day into Amavisd (way more try to come in and are blocked by 
greylist/blacklist/SPF/...). What we often see is mass mailing from "grey" 
senders, or from mailchimp or other mass mailing solutions: not totally spam. 
Some of these senders use address lists that are legitimate, but often it's 
only illegitimate address lists (web site harvesting, blackmarket/spam 
resell…). I want to block all these illegitimate mass mailings, while letting 
legitimate mass mailings in.
I.e. I can't block Mailchimp servers; I want to block a specific Mailchimp user, 
hence I rely on the sender address.

Phishing also uses harvested email addresses, and in my experience, phishers 
don't change the sender address; they use the same one for thousands of recipients, so I 
could easily block a phishing campaign with only the sender address.

And I don't want to block the sender immediately, I want it to get a bonus to 
its spam score, say +5. A complete blacklist using Postfix could be quite 
straightforward to set up as I already have a shell script able to push different 
files (client_access, client_access_cidr, header_checks, recipient_access, 
recipient_bcc, sender_access) to all MX servers.

(I'm subscribed to digest, please Cc me)


Patrick


RE: spamtrap and dynamic blacklisting

2017-03-10 Thread Dino Edwards
I'm currently using this on a machine that averages about 5k to 6k processed 
messages per day and the system load average is around 0.05% so it seems to be 
keeping up with no problems. I don't think you can increase the spam score with 
the wblist, it's either allow or deny. But like I said on my subsequent 
message, I don't think doing this with senders is the best idea. I think the 
address forging would make the whole thing useless. I think doing it with 
IPs would be better and let Postfix reject the email right at the door before 
it even gets to amavis. All this can be accomplished without writing any code, 
just some SQL queries.



--------
Dino Edwards


Hermes Secure Email Gateway
Hermes Secure Email Gateway combines Open Source technologies such as Postfix, 
Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one 
unified web based Web GUI for easy administration and management of your 
incoming and outgoing email for your organization. Anti-spam, anti-virus and 
anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support, 
built-in email archiving, end-user self-service web gui.

Learn More & Download the free open-source appliance at:
https://www.deeztek.com/hermes-secure-email-gateway/



-Original Message-
From: Patrick Proniewski [mailto:patrick.proniew...@univ-lyon2.fr] 
Sent: Friday, March 10, 2017 11:55 AM
To: Dino Edwards 
Cc: amavis-users@amavis.org
Subject: Re: spamtrap and dynamic blacklisting

Hi Dino,

Thanks for the idea, but I feel like the all-message-log-SQL-database is a bit 
too much (high resource consumption). If I need to rely on an SQL database for 
wblist I can populate this DB from outside: 

I'm aggregating logs from every MX hosts into Splunk. From there I can have a 
scheduled or realtime search job that will extract interesting data and can 
push them into an SQL master. Doing so I can even take action based upon 
milter-greylist logs, before Amavisd ever sees the message. (AFAIK I can't 
populate a Redis DB from Splunk, it would require a custom script I can't code 
right now).

But it still requires an SQL master server, an SQL slave on each MX, and I'm afraid 
the SQL lookup inside Amavisd will slow it down (I'm doing 
before-queue-content-filtering). I already have Redis on every server for 
Amavisd logs, milter-greylist sync between MX, I'm a little bit reluctant to 
add SQL into the mix.
Nevertheless, it could be awesome. Is there any documentation about using a 
"wblist" SQL table for soft blacklisting? I don't want to block the sender, I 
just want to increase its spam score.

Thanks,
pat

> On 10 Mar 2017, at 17:21, Dino Edwards  wrote:
> 
> This may be a bit complicated but here's how I would approach this:
> 
> 1. Setup SQL tables for Amavis. This will allow amavis to log all messages 
> coming through along with the recipient and the sender (specific tables are 
> msgrcpt, msgs, maddr, mailaddr)
> 
> 2. Schedule queries to run against those messages and corresponding 
> recipients you are looking for. You are going to have to do some join 
> statements between 3 tables I believe. I can help with that if you need.
> 
> 3. Dump the senders of those messages into Amavis black/white list (wblist 
> table) with a block action. Maybe create a trigger in the wblist table to 
> insert a date/time stamp so that you can delete those entries after a set 
> amount of time. 
> 
> 4. Replicate your database across multiple MX hosts.
> 
> 
> 
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
> Behalf Of Patrick Proniewski
> Sent: Thursday, March 9, 2017 5:49 PM
> To: amavis-users@amavis.org
> Subject: spamtrap and dynamic blacklisting
> 
> Hello,
> 
> I'm contemplating the following idea: 
> 
> - setting up some spamtrap email addresses and publish them discreetly in a few 
> places
> - detect usage of these email addresses somewhere during SMTP session 
> (postfix, amavisd, milter-greylist, realtime log processing, whatever)
> - feed the corresponding sender address, or EHLO, or domain name, or whatever 
> to Amavisd so that I can soft-blacklist next emails from the same [sender 
> address|EHLO|domain name|...]
> - after a while (1 day?), expire the blacklist
> 
> Do you think it's possible to make such a setup with Amavisd-new? And by the 
> way, I use more than one MX server, so synchronisation between MX is 
> important.
> 
> I'm already using Redis for JSON logging, maybe I could use the same 
> backend, not sure about the synchronisation though.
> 
> Another convoluted way to proceed would be something like this:
> 
> - setting-up a DNS server on each MX server with nsupdate cap

RE: spamtrap and dynamic blacklisting

2017-03-10 Thread Dino Edwards
Actually, now that I thought about it more, a better approach would be to 
instead of searching for the corresponding sender and trying to block that 
sender, look for the corresponding sender IP address (which amavis also 
records) and instead of using the amavis wblist table, dump those IPs in a 
Postfix senders table with reject action. Sender addresses are almost always 
forged so blocking the IP is probably better.



Dino Edwards





-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Dino Edwards
Sent: Friday, March 10, 2017 11:21 AM
To: 'Patrick Proniewski' ; 
amavis-users@amavis.org
Subject: RE: spamtrap and dynamic blacklisting

This may be a bit complicated but here's how I would approach this:

1. Setup SQL tables for Amavis. This will allow amavis to log all messages 
coming through along with the recipient and the sender (specific tables are 
msgrcpt, msgs, maddr, mailaddr)

2. Schedule queries to run against those messages and corresponding recipients 
you are looking for. You are going to have to do some join statements between 3 
tables I believe. I can help with that if you need.

3. Dump the senders of those messages into Amavis black/white list (wblist 
table) with a block action. Maybe create a trigger in the wblist table to 
insert a date/time stamp so that you can delete those entries after a set 
amount of time. 

4. Replicate your database across multiple MX hosts.



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Patrick Proniewski
Sent: Thursday, March 9, 2017 5:49 PM
To: amavis-users@amavis.org
Subject: spamtrap and dynamic blacklisting

Hello,

I'm contemplating the following idea: 

- setting up some spamtrap email addresses and publish them discreetly in a few 
places
- detect usage of these email addresses somewhere during SMTP session (postfix, 
amavisd, milter-greylist, realtime log processing, whatever)
- feed the corresponding sender address, or EHLO, or domain name, or whatever 
to Amavisd so that I can soft-blacklist next emails from the same [sender 
address|EHLO|domain name|...]
- after a while (1 day?), expire the blacklist

Do you think it's possible to make such a setup with Amavisd-new? And by the 
way, I use more than one MX server, so synchronisation between MX is important.

I'm already using Redis for JSON logging, maybe I could use the same backend, 
not sure about the synchronisation though.

Another convoluted way to proceed would be something like this:

- setting-up a DNS server on each MX server with nsupdate capability
- setting-up milter-greylist rules to update a RBL into those DNS server each 
time a spamtrap gets an email
- use the RBL hit to increase spamscore

But I feel like a native Amavisd option would be better and simpler.

Any idea?

thanks


RE: spamtrap and dynamic blacklisting

2017-03-10 Thread Dino Edwards
This may be a bit complicated but here's how I would approach this:

1. Setup SQL tables for Amavis. This will allow amavis to log all messages 
coming through along with the recipient and the sender (specific tables are 
msgrcpt, msgs, maddr, mailaddr)

2. Schedule queries to run against those messages and corresponding recipients 
you are looking for. You are going to have to do some join statements between 3 
tables I believe. I can help with that if you need.

3. Dump the senders of those messages into Amavis black/white list (wblist 
table) with a block action. Maybe create a trigger in the wblist table to 
insert a date/time stamp so that you can delete those entries after a set 
amount of time. 

4. Replicate your database across multiple MX hosts.



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Patrick Proniewski
Sent: Thursday, March 9, 2017 5:49 PM
To: amavis-users@amavis.org
Subject: spamtrap and dynamic blacklisting

Hello,

I'm contemplating the following idea: 

- setting up some spamtrap email addresses and publish them discreetly in a few 
places
- detect usage of these email addresses somewhere during SMTP session (postfix, 
amavisd, milter-greylist, realtime log processing, whatever)
- feed the corresponding sender address, or EHLO, or domain name, or whatever 
to Amavisd so that I can soft-blacklist next emails from the same [sender 
address|EHLO|domain name|...]
- after a while (1 day?), expire the blacklist

Do you think it's possible to make such a setup with Amavisd-new? And by the 
way, I use more than one MX server, so synchronisation between MX is important.

I'm already using Redis for JSON logging, maybe I could use the same backend, 
not sure about the synchronisation though.

Another convoluted way to proceed would be something like this:

- setting-up a DNS server on each MX server with nsupdate capability
- setting-up milter-greylist rules to update a RBL into those DNS server each 
time a spamtrap gets an email
- use the RBL hit to increase spamscore

But I feel like a native Amavisd option would be better and simpler.

Any idea?

thanks

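Dino's four-step SQL approach, together with his follow-up suggestion in this thread to block the client IP in Postfix rather than the sender address, as an added example that is not code from the thread or from amavisd-new. It runs against an in-memory SQLite subset of the amavisd-new logging tables (maddr, msgs, msgrcpt, mailaddr, wblist, users) filled with constructed rows; the spamtrap addresses, the wblist_added timestamp table and the mailaddr priority value are assumptions.

```python
import sqlite3

# Constructed spamtrap addresses (not from the thread).
SPAMTRAPS = ("trap-a@example.org", "trap-b@example.org")
BLOCK_TTL = 24 * 3600  # expire blacklist rows after a day, as Patrick suggested

# Subset of the amavisd-new SQL logging/lookup tables the procedure touches.
# Column names follow amavisd-new's README.sql; types are simplified for SQLite.
# wblist_added is an assumption: the timestamp Dino suggests adding via a
# trigger, kept in a side table so wblist itself keeps the shape amavis expects.
SCHEMA = """
CREATE TABLE maddr    (id INTEGER PRIMARY KEY, email TEXT, domain TEXT);
CREATE TABLE msgs     (mail_id TEXT PRIMARY KEY, sid INTEGER,
                       client_addr TEXT, time_num INTEGER);
CREATE TABLE msgrcpt  (mail_id TEXT, rseqnum INTEGER, rid INTEGER);
CREATE TABLE mailaddr (id INTEGER PRIMARY KEY, priority INTEGER, email TEXT);
CREATE TABLE users    (id INTEGER PRIMARY KEY, priority INTEGER, email TEXT);
CREATE TABLE wblist   (rid INTEGER, sid INTEGER, wb TEXT, PRIMARY KEY (rid, sid));
CREATE TABLE wblist_added (sid INTEGER PRIMARY KEY, added INTEGER);
"""

# Step 2: the join across msgs/msgrcpt/maddr. msgs.sid (sender) and
# msgrcpt.rid (recipient) both reference maddr.id, hence two joins on maddr.
TRAP_HITS = """
SELECT DISTINCT snd.email, m.client_addr
  FROM msgs m
  JOIN msgrcpt r  ON r.mail_id = m.mail_id
  JOIN maddr rcpt ON rcpt.id = r.rid
  JOIN maddr snd  ON snd.id = m.sid
 WHERE rcpt.email IN ({marks})
   AND m.time_num >= ?
"""

def connect_with_sample_data(now):
    """In-memory DB with constructed traffic: a recent trap hit, a clean message
    to a real user, and a trap hit old enough to fall outside the window."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO maddr VALUES (?,?,?)", [
        (1, "bulk@spammer.example", "spammer.example"),
        (2, "alice@partner.example", "partner.example"),
        (3, "old@stale.example", "stale.example"),
        (4, "trap-a@example.org", "example.org"),
        (5, "bob@example.org", "example.org"),
    ])
    db.executemany("INSERT INTO msgs VALUES (?,?,?,?)", [
        ("m1", 1, "203.0.113.7", now - 600),       # to trap-a and bob, recent
        ("m2", 2, "198.51.100.20", now - 600),     # to bob only, legitimate
        ("m3", 3, "192.0.2.99", now - 3 * 86400),  # to trap-a, three days old
    ])
    db.executemany("INSERT INTO msgrcpt VALUES (?,?,?)", [
        ("m1", 0, 4), ("m1", 1, 5), ("m2", 0, 5), ("m3", 0, 4),
    ])
    # Catch-all recipient that wblist rows hang off; '@.' matches every user.
    db.execute("INSERT INTO users VALUES (1, 0, '@.')")
    return db

def trap_hits(db, now, window=3600):
    """Senders and client IPs that reached a spamtrap within the window."""
    marks = ",".join("?" * len(SPAMTRAPS))
    rows = db.execute(TRAP_HITS.format(marks=marks),
                      (*SPAMTRAPS, now - window)).fetchall()
    return sorted(rows)

def blacklist_senders(db, now, window=3600):
    """Step 3: insert each offending sender into wblist with a block action."""
    added = 0
    for email, _ip in trap_hits(db, now, window):
        row = db.execute("SELECT id FROM mailaddr WHERE email = ?", (email,)).fetchone()
        if row is None:
            # priority 10 is an assumption; amavis uses it only to order
            # overlapping mailaddr matches.
            sid = db.execute("INSERT INTO mailaddr (priority, email) VALUES (10, ?)",
                             (email,)).lastrowid
        else:
            sid = row[0]
        db.execute("INSERT OR IGNORE INTO wblist VALUES (1, ?, 'B')", (sid,))
        db.execute("INSERT OR REPLACE INTO wblist_added VALUES (?, ?)", (sid, now))
        added += 1
    db.commit()
    return added

def active_blacklist(db):
    """Sender addresses currently blacklisted in wblist."""
    rows = db.execute("SELECT a.email FROM wblist w JOIN mailaddr a ON a.id = w.sid "
                      "WHERE w.wb = 'B' ORDER BY a.email").fetchall()
    return [r[0] for r in rows]

def expire_blacklist(db, now, ttl=BLOCK_TTL):
    """Drop wblist rows whose side-table timestamp is older than ttl."""
    cutoff = now - ttl
    deleted = db.execute("DELETE FROM wblist WHERE sid IN "
                         "(SELECT sid FROM wblist_added WHERE added < ?)",
                         (cutoff,)).rowcount
    db.execute("DELETE FROM wblist_added WHERE added < ?", (cutoff,))
    db.commit()
    return deleted

def postfix_client_access(db, now, window=3600):
    """Dino's follow-up variant: reject by client IP (msgs.client_addr) in
    Postfix access(5) table form, so the mail never reaches amavis."""
    ips = sorted({ip for _email, ip in trap_hits(db, now, window)})
    return [f"{ip} REJECT spamtrap hit" for ip in ips]
```

On a real deployment the SELECT runs against the amavis MySQL log tables on a schedule and the access lines are fed to postmap and pushed to every MX, as Patrick's existing script already does for his other tables.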

RE: Quarantine doc Files only with Macros?

2017-02-27 Thread Dino Edwards
Do you have an amavis policy set up that may have virus_lover set to Y on 
the server that accepts the macro-enabled document, by any chance?



-Original Message-
From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com] 
Sent: Monday, February 27, 2017 4:09 AM
To: Dino Edwards 
Cc: amavis-users@amavis.org; amavis-users 

Subject: Re: Quarantine doc Files only with Macros?

The test mail was cleaned by the PC antivirus program, therefore this strange 
behavior. Now I tested with another file and the mail was blocked every time.

Kind Regards
Thomas

Am 2017-02-25 20:35, schrieb postmas...@wf-partner.com:
> There is no difference in $final_virus_destiny ( = D_DISCARD;) an 
> other settings concerning virus.
> 
> I guess something with whitelisting or bypassing local mail senders.
> 
>> -Original Message-
>> 2017-02-24 17:39, wrote Dino Edwards:
>> Strange indeed. Just spit balling here, is the $final_virus_destiny 
>> in amavis on both servers set the same? Do you have amavis policies 
>> set on the servers?
>> 
>> 
>> 
>> -Original Message-
>> From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com]
>> Sent: Friday, February 24, 2017 11:30 AM
>> To: Dino Edwards 
>> Cc: amavis-users@amavis.org; amavis-users 
>> 
>> Subject: Re: Quarantine doc Files only with Macros?
>> 
>> You are right, we have two different linux servers with mailservers 
>> and they are both set in the clamav config files like below but one 
>> of them is blocking outbound OLE2 macro files and the other one only 
>> blocks incoming OLE2 macro files?
>> Services clamav-daemon and amavis were restarted.
>> 
>>> -Original Message- from Dino Edwards:
>>> Did you restart clamav? So you have two mailservers and they are 
>>> both set in the clamav config files like below but one of them is 
>>> blocking outbound OLE2 macro files and the other one only blocks 
>>> incoming OLE2 macro files? Am I understanding this correctly?
>>> 
>>> 
>>> 
>>> -Original Message-
>>> From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com]
>>> Sent: Friday, February 24, 2017 11:04 AM
>>> To: Dino Edwards 
>>> Cc: amavis-users@amavis.org; amavis-users 
>>> 
>>> Subject: Re: Quarantine doc Files only with Macros?
>>> 
>>> Both are set. I had to restart service amavis-daemon I think. But now 
>>> at one of two mailservers there is only outgoing mail blocked and at 
>>> the other only incoming mail.
>>> 
>>> Strange!
>>> 
>>> 
>>> Am 2017-02-24 11:04, schrieb Dino Edwards:
>>>> I believe both of these have to be set to true in order for that to 
>>>> work
>>>> 
>>>> ScanOLE2 true
>>>> OLE2BlockMacros true
>>>> 
>>>> 
>>>> -Original Message-
>>>> From: amavis-users
>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org] On Behalf Of postmas...@wf-partner.com
>>>> Sent: Friday, February 24, 2017 2:08 AM
>>>> To: amavis-users@amavis.org
>>>> Subject: Re: Quarantine doc Files only with Macros?
>>>> 
>>>> I turned on "OLE2BlockMacros true", but a word file containing a 
>>>> macro virus was not classified as "INFECTED". I had renamed the 
>>>> file before sending a test mail.
>>>> 
>>>> Any ideas what could I do to get all files with macros to be 
>>>> quarantined?
>>>> 
>>>> Kind regards
>>>> Thomas
>>>> 
>>>> -Original Message-
>>>>> From: amavis-users
>>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org] On Behalf Of Hoyer-Reuther, Christian 
>>>>> Christian.Hoyer-Reuther at cac-chem.de wrote
>>>>> Sent: Wednesday, December 14, 2016 11:42 AM
>>>>> To: amavis-users at amavis.org
>>>>> Subject: Quarantine doc Files only with Macros?
>>>>> 
>>>>> Hello Klaus,
>>>>> 
>>>>> if you use ClamAV, then you can set its option "OLE2BlockMacros 
>>>>> true".
>>>>> This detects MS
>>>>> Office Macros regardless of the file extension. If a macro is 
>>>>> found, then the file is classified as a virus ("INFECTED:
>>>>> Heuristics.OLE2.ContainsMacros").
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Christian


RE: Quarantine doc Files only with Macros?

2017-02-24 Thread Dino Edwards
Strange indeed. Just spitballing here, is the $final_virus_destiny in amavis 
on both servers set the same? Do you have amavis policies set on the servers?



-Original Message-
From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com] 
Sent: Friday, February 24, 2017 11:30 AM
To: Dino Edwards 
Cc: amavis-users@amavis.org; amavis-users 

Subject: Re: Quarantine doc Files only with Macros?

You are right, we have two different linux servers with mailservers and they 
are both set in the clamav config files like below but one of them is blocking 
outbound OLE2 macro files and the other one only blocks incoming OLE2 macro 
files?
Services clamav-daemon and amavis were restarted.

> -Original Message- from Dino Edwards:
> Did you restart clamav? So you have two mailservers and they are both 
> set in the clamav config files like below but one of them is blocking 
> outbound OLE2 macro files and the other one only blocks incoming OLE2 
> macro files? Am I understanding this correctly?
> 
> 
> 
> -Original Message-
> From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com]
> Sent: Friday, February 24, 2017 11:04 AM
> To: Dino Edwards 
> Cc: amavis-users@amavis.org; amavis-users 
> 
> Subject: Re: Quarantine doc Files only with Macros?
> 
> Both are set. I had to restart service amavis-daemon I think. But now 
> at one of two mailservers there is only outgoing mail blocked and at 
> the other only incoming mail.
> 
> Strange!
> 
> 
> Am 2017-02-24 11:04, schrieb Dino Edwards:
>> I believe both of these have to be set to true in order for that to 
>> work
>> 
>> ScanOLE2 true
>> OLE2BlockMacros true
>> 
>> 
>> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On Behalf Of postmas...@wf-partner.com
>> Sent: Friday, February 24, 2017 2:08 AM
>> To: amavis-users@amavis.org
>> Subject: Re: Quarantine doc Files only with Macros?
>> 
>> I turned on "OLE2BlockMacros true", but a word file containing a 
>> macro virus was not classified as "INFECTED". I had renamed the file 
>> before sending a test mail.
>> 
>> Any ideas what could I do to get all files with macros to be 
>> quarantined?
>> 
>> Kind regards
>> Thomas
>> 
>> -Original Message-
>>> From: amavis-users
>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On Behalf Of Hoyer-Reuther, Christian 
>>> Christian.Hoyer-Reuther at cac-chem.de wrote
>>> Sent: Wednesday, December 14, 2016 11:42 AM
>>> To: amavis-users at amavis.org
>>> Subject: Quarantine doc Files only with Macros?
>>> 
>>> Hello Klaus,
>>> 
>>> if you use ClamAV, then you can set its option "OLE2BlockMacros 
>>> true".
>>> This detects MS
>>> Office Macros regardless of the file extension. If a macro is found, 
>>> then the file is classified as a virus ("INFECTED:
>>> Heuristics.OLE2.ContainsMacros").
>>> 
>>> Regards,
>>> 
>>> Christian


RE: Quarantine doc Files only with Macros?

2017-02-24 Thread Dino Edwards
Did you restart clamav? So you have two mailservers and they are both set in 
the clamav config files like below but one of them is blocking outbound OLE2 
macro files and the other one only blocks incoming OLE2 macro files? Am I 
understanding this correctly?



-Original Message-
From: postmas...@wf-partner.com [mailto:postmas...@wf-partner.com] 
Sent: Friday, February 24, 2017 11:04 AM
To: Dino Edwards 
Cc: amavis-users@amavis.org; amavis-users 

Subject: Re: Quarantine doc Files only with Macros?

Both are set. I had to restart service amavis-daemon I think. But now at one of 
two mailservers there is only outgoing mail blocked and at the other only 
incoming mail.

Strange!


Am 2017-02-24 11:04, schrieb Dino Edwards:
> I believe both of these have to be set to true in order for that to 
> work
> 
> ScanOLE2 true
> OLE2BlockMacros true
> 
> 
> -Original Message-
> From: amavis-users
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org]
> On Behalf Of postmas...@wf-partner.com
> Sent: Friday, February 24, 2017 2:08 AM
> To: amavis-users@amavis.org
> Subject: Re: Quarantine doc Files only with Macros?
> 
> I turned on "OLE2BlockMacros true", but a word file containing a macro 
> virus was not classified as "INFECTED". I had renamed the file before 
> sending a test mail.
> 
> Any ideas what could I do to get all files with macros to be 
> quarantined?
> 
> Kind regards
> Thomas
> 
> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On Behalf Of Hoyer-Reuther, Christian 
>> Christian.Hoyer-Reuther at cac-chem.de wrote
>> Sent: Wednesday, December 14, 2016 11:42 AM
>> To: amavis-users at amavis.org
>> Subject: Quarantine doc Files only with Macros?
>> 
>> Hello Klaus,
>> 
>> if you use ClamAV, then you can set its option "OLE2BlockMacros 
>> true".
>> This detects MS
>> Office Macros regardless of the file extension. If a macro is found, 
>> then the file is classified as a virus ("INFECTED:
>> Heuristics.OLE2.ContainsMacros").
>> 
>> Regards,
>> 
>> Christian


RE: Quarantine doc Files only with Macros?

2017-02-24 Thread Dino Edwards
I believe both of these have to be set to true in order for that to work

ScanOLE2 true
OLE2BlockMacros true






-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of postmas...@wf-partner.com
Sent: Friday, February 24, 2017 2:08 AM
To: amavis-users@amavis.org
Subject: Re: Quarantine doc Files only with Macros?

I turned on "OLE2BlockMacros true", but a word file containing a macro virus 
was not classified as "INFECTED". I had renamed the file before sending a test 
mail.

Any ideas what could I do to get all files with macros to be quarantined?

Kind regards
Thomas

-Original Message-
> From: amavis-users
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org]
> On Behalf Of Hoyer-Reuther, Christian Christian.Hoyer-Reuther at 
> cac-chem.de wrote
> Sent: Wednesday, December 14, 2016 11:42 AM
> To: amavis-users at amavis.org
> Subject: Quarantine doc Files only with Macros?
> 
> Hello Klaus,
> 
> if you use ClamAV, then you can set its option "OLE2BlockMacros true". 
> This detects MS
> Office Macros regardless of the file extension. If a macro is found, 
> then the file is classified as a virus ("INFECTED: 
> Heuristics.OLE2.ContainsMacros").
> 
> Regards,
> 
> Christian


RE: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-21 Thread Dino Edwards
Fair enough. I'm a little confused still. What type of message are you trying 
to release? A spam, virus or banned one when you do amavisd-release? So the 
following lines exist in your amavis config file?

$virus_quarantine_method = 'sql:';
$banned_files_quarantine_method = 'sql:';
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of postmas...@wf-partner.com
Sent: Tuesday, February 21, 2017 2:25 AM
To: Amavis Users 
Subject: Re: amavisd-release does not work with SQL quarantine (missing 
quar_type = "Q")

We only quarantine mails containing viruses or banned files. I would not 
recommend quarantining clean mails.

What I was looking for is a solution for people who use sql quarantine only for 
viruses and banned files and who want to release a quarantined mail.

This doesn't work because in amavisd-release the default value of $quar_type = 
''. And in amavisd-new $quar_type defaults to 'F' if $spam_quarantine_method 
does not contain "sql:" see:

>  # choose some reasonable default (simpleminded)
>  $quar_type = c('spam_quarantine_method') =~ /^sql:/i ? 'Q' : 'F';

My solution is to change the default value of $quar_type to 'Q' in amavisd-release.
But this does not fix the bug.

> Just out of curiosity, any particular reason you are using sql instead 
> of local to quarantine?

No there is no particular reason to use sql quarantine. But we have not so many 
quarantined mails in a week, so we can live with it.

Thomas

-Original Message-
 From: amavis-users
[mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On 
Behalf Of Dino Edwards dino.edwards at mydirectmail.net

Here's how to do it. In your amavis config file set the following to get 
everything quarantined:

$virus_quarantine_method = 'sql:';
$spam_quarantine_method = 'sql:';
$banned_files_quarantine_method = 'sql:';
$bad_header_quarantine_method = 'sql:';
$clean_quarantine_method = 'sql:';

Just out of curiosity, any particular reason you are using sql instead of local 
to quarantine? I used to use sql and the database became unmanageable because 
of the sheer amount of email that was stored in it. 
So, I don't recommend storing your email in the database. If you want to go 
local storage, set it like below. Ensure you set your $QUARANTINEDIR path below 
to a mount point with plenty of space and ensure that it's owned by amavis:

$QUARANTINEDIR = "/some/mountpoint/with/plenty/of/space";
$virus_quarantine_method = 'local:virus/%m';
$spam_quarantine_method = 'local:spam/%m';
$banned_files_quarantine_method = 'local:banned/%m';
$bad_header_quarantine_method = 'local:bad_header/%m';
$clean_quarantine_method = 'local:clean/%m';





Dino Edwards







-Original Message-
 From: amavis-users
[mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On 
Behalf Of postmaster at wf-partner.com
Sent: Monday, February 20, 2017 7:44 AM
To: Amavis Users 
Subject: Re: amavisd-release does not work with SQL quarantine (missing 
quar_type = "Q")

Am 2017-02-16 14:03, schrieb postmaster at wf-partner.com:
> Dominic Raferd  wrote
>> We use file-based quarantine. I tried this change and then 
>> amavisd-release does not work, I am sorry to report; there is no 
>> error message - just the mail is not released and the file remains in 
>> quarantine.
> 
> Thanks for your answer.
> 
> Could you try and write the whole filename including full path when 
> using amavisd-release.
> I think you should get the mail resent by amavisd-release like this.
> 
> If $fn_path is empty $quar_type = 'Q' is used with my change.
> 
> I don't know another way to get mails resent from SQL.

I found the underlying reason of this issue. We use the sql-based quarantine 
only for banned-files and virus, but not for spam. Therefore

$spam_quarantine_method = undefined;

In amavisd-new $quar_type defaults to 'F' if $spam_quarantine_method does not 
contain "sql:" see:

>  # choose some reasonable default (simpleminded)
>  $quar_type = c('spam_quarantine_method') =~ /^sql:/i ? 'Q' : 'F';

What do you recommend to solve this issue?

Thomas Sattler


RE: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-20 Thread Dino Edwards
To be clear here's my config relating to quarantine:

$sa_spam_modifies_subj = 1;
$sa_spam_subject_tag = '[SUSPECTED SPAM]';
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 2;
$sa_kill_level_deflt = 5;
$sa_local_tests_only = 0;
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;

$QUARANTINEDIR = "/mnt/data/amavis";
$virus_quarantine_method = 'local:virus/%m';
$spam_quarantine_method = 'local:spam/%m';
$banned_files_quarantine_method = 'local:banned/%m';
$bad_header_quarantine_method = 'local:bad_header/%m';
$clean_quarantine_method = 'local:clean/%m';
$timestamp_fmt_mysql = 1;

I save all emails whether spam, clean, virus or bad headers because I ALWAYS have 
users misplacing emails and they are looking for them months later. Besides, I 
don't have 100% confidence in the spam filter to always tag things as spam or 
ham like it's supposed to. You haven't lived until you had a VIP user looking 
for a very important email that your spam filter decided not to pass to the 
user because it scored too high. This way all I have to do is do an 
amavisd-release and it's back in their mailbox like below:

amavisd-release /mnt/data/amavis/someemail  some...@domain.tld





-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of @lbutlr
Sent: Monday, February 20, 2017 2:37 PM
To: amavis-users@amavis.org
Subject: Re: amavisd-release does not work with SQL quarantine (missing 
quar_type = "Q")

On 2017-02-20 (06:16 MST), Dino Edwards  wrote:
> 
> $QUARANTINEDIR = "/some/mountpoint/with/plenty/of/space";
> $virus_quarantine_method = 'local:virus/%m';
> $spam_quarantine_method = 'local:spam/%m';
> $banned_files_quarantine_method = 'local:banned/%m';
> $bad_header_quarantine_method = 'local:bad_header/%m';
> $clean_quarantine_method = 'local:clean/%m';

I'm puzzled, only the first exists in amavisd.conf

The only (non commented) lines with quarantine:

$QUARANTINEDIR = '/var/virusmails';  # -Q
$sa_quarantine_cutoff_level = 12; # spam level beyond which quarantine is off
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



RE: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-20 Thread Dino Edwards
There is a lot more to it than that. What's the setting for the following?

$final_virus_destiny =
$final_banned_destiny =
$final_bad_header_destiny =
 
$virus_quarantine_to =
$banned_quarantine_to =
$bad_header_quarantine_to =




-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of @lbutlr
Sent: Monday, February 20, 2017 2:37 PM
To: amavis-users@amavis.org
Subject: Re: amavisd-release does not work with SQL quarantine (missing 
quar_type = "Q")

On 2017-02-20 (06:16 MST), Dino Edwards  wrote:
> 
> $QUARANTINEDIR = "/some/mountpoint/with/plenty/of/space";
> $virus_quarantine_method = 'local:virus/%m';
> $spam_quarantine_method = 'local:spam/%m';
> $banned_files_quarantine_method = 'local:banned/%m';
> $bad_header_quarantine_method = 'local:bad_header/%m';
> $clean_quarantine_method = 'local:clean/%m';

I'm puzzled, only the first exists in amavisd.conf

The only (non commented) lines with quarantine:

$QUARANTINEDIR = '/var/virusmails';  # -Q
$sa_quarantine_cutoff_level = 12; # spam level beyond which quarantine is off
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



RE: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-20 Thread Dino Edwards
Here's how to do it. In your amavis config file, set the following to get 
everything quarantined:

$virus_quarantine_method = 'sql:';
$spam_quarantine_method = 'sql:';
$banned_files_quarantine_method = 'sql:';
$bad_header_quarantine_method = 'sql:';
$clean_quarantine_method = 'sql:';

Just out of curiosity, any particular reason you are using sql instead of local 
to quarantine? I used to use sql and the database became unmanageable because 
of the sheer amount of email that was stored in it. So, I don't recommend 
storing your email in the database. If you want to go local storage, set it 
like below. Ensure you set your $QUARANTINEDIR path below to a mount point 
with plenty of space and ensure that it's owned by amavis:

$QUARANTINEDIR = "/some/mountpoint/with/plenty/of/space";
$virus_quarantine_method = 'local:virus/%m';
$spam_quarantine_method = 'local:spam/%m';
$banned_files_quarantine_method = 'local:banned/%m';
$bad_header_quarantine_method = 'local:bad_header/%m';
$clean_quarantine_method = 'local:clean/%m';





Dino Edwards


Hermes Secure Email Gateway
Hermes Secure Email Gateway combines Open Source technologies such as Postfix, 
Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one 
unified web based Web GUI for easy administration and management of your 
incoming and outgoing email for your organization. Anti-spam, anti-virus and 
anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support, 
built-in email archiving, end-user self-service web gui.

Learn More & Download the free open-source appliance at:
https://www.deeztek.com/hermes-secure-email-gateway/





-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of postmas...@wf-partner.com
Sent: Monday, February 20, 2017 7:44 AM
To: Amavis Users 
Subject: Re: amavisd-release does not work with SQL quarantine (missing 
quar_type = "Q")

Am 2017-02-16 14:03, schrieb postmas...@wf-partner.com:
> Dominic Raferd  wrote
>> We use file-based quarantine. I tried this change and then 
>> amavisd-release does not work, I am sorry to report; there is no 
>> error message - just the mail is not released and the file remains in 
>> quarantine.
> 
> Thanks for your answer.
> 
> Could you try and write the whole filename including full path when 
> using amavisd-release.
> I think you should get the mail resent by amavisd-release like this.
> 
> If $fn_path is empty $quar_type = 'Q' is used with my change.
> 
> I don't know another way to get mails resent from SQL.

I found the underlying reason of this issue. We use the sql-based quarantine 
only for banned-files and virus, but not for spam. Therefore

$spam_quarantine_method = undefined;

In amavisd-new $quar_type defaults to 'F' if $spam_quarantine_method does not 
contain "sql:" see:

>  # choose some reasonable default (simpleminded)
>  $quar_type = c('spam_quarantine_method') =~ /^sql:/i ? 'Q' : 'F';

What do you recommend to solve this issue?

Thomas Sattler





RE: Amavis DNS query timeout

2017-02-13 Thread Dino Edwards
Well, that still indicates an issue with DNS. If the 1st server times out then 
there is obviously a problem with it. How about changing the order of the DNS 
servers so the 1st one is one that works, and see what happens? 



-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Tim Smith
Sent: Monday, February 13, 2017 8:24 AM
To: amavis-users@amavis.org
Subject: Re: Amavis DNS query timeout

I have done a little more investigatory work.  I have three servers listed in 
resolv.conf, and the first one times out when queried independently, so it's 
looking like amavis is not correctly moving through to alternative resolvers ?

On 13 February 2017 at 13:21, Dominic Raferd  wrote:
> Ah yes you may be right, I have: $enable_dkim_verification = 0;
>
> On 13 February 2017 at 10:41, Dino Edwards 
> 
> wrote:
>>
>> I don't think you are correct. That header is usually generated when 
>> $enable_dkim_verification = 1; is set in the amavis config file.
>>
>> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org
>> ] On Behalf Of Dominic Raferd
>> Sent: Sunday, February 12, 2017 12:37 PM
>> To: amavis-users@amavis.org
>> Subject: Re: Amavis DNS query timeout
>>
>> > >>I don't think the presence of (amavisd-new) in the Authentication
>> > >>Header means that the header was generated by or has anything to
>> > >>do with amavisd-new. The header looks to be from a dkim milter
>> > >>such as opendkim, which may not be correctly set up to generate
>> > >>the dkim header for your outgoing emails.
>
>


RE: Amavis DNS query timeout

2017-02-13 Thread Dino Edwards
I don't think you are correct. That header is usually generated when 
$enable_dkim_verification = 1; is set in the amavis config file.

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Dominic Raferd
Sent: Sunday, February 12, 2017 12:37 PM
To: amavis-users@amavis.org
Subject: Re: Amavis DNS query timeout

> >>I don't think the presence of (amavisd-new) in the Authentication Header 
> >>means that the header was generated by or has anything to do with 
> >>amavisd-new. The header looks to be from a dkim milter such as opendkim, 
> >>which may not be correctly set up to generate the dkim header for your 
> >>outgoing emails.


RE: Amavis DNS query timeout

2017-02-13 Thread Dino Edwards
So what happens when you run this command:

dig @192.168.xxx.xxx -t txt 20161025._domainkey.google.com txt

where 192.168.xxx.xxx is the IP of your DNS server set in the resolv.conf file 
of your amavis server?





-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Tim Smith
Sent: Monday, February 13, 2017 3:19 AM
To: Deeztek Support 
Cc: amavis-users@amavis.org
Subject: Re: Amavis DNS query timeout

On 13 February 2017 at 00:13, Deeztek Support  wrote:
> Is this inbound email from another domain to your email server? Can 
> you be a bit more specific?
>


Yes, so for example on an email received from a @google.com email address, I'll 
see :

Authentication-Results: my.server.example.com (amavisd-new); dkim=neutral
reason="invalid (public key: DNS query timeout for 
20161025._domainkey.google.com)"
header.d=google.com


In the headers.

And what I'm saying is that "dig 20161025._domainkey.google.com txt"
on the same server does not time out.  Hence I've no idea why amavis is saying 
it is ?

Hope this helps ?
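As an added diagnostic for the resolver question in this thread (example code, not something posted by anyone on the list): the POSIX shell script below generalizes Dino's single dig check by running it against every nameserver in resolv.conf separately and classifying each answer, so a resolver that never replies is visible on its own line. It assumes dig is installed; the record name, file path and timeout are example defaults that can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the list thread: query the DKIM selector record that
# amavis reported as timing out against each resolver in a resolv.conf-style
# file, one resolver at a time, so a resolver that never answers shows up
# instead of being masked by the ones that do.
# Assumptions: dig is installed; the three defaults below are example values.

SELECTOR_RECORD="${SELECTOR_RECORD:-20161025._domainkey.google.com}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
DIG_TIMEOUT="${DIG_TIMEOUT:-5}"   # seconds per query, one attempt each

# Print the nameserver addresses from a resolv.conf-style file, in the order
# the resolver library tries them; comment, search and options lines are skipped.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Turn one dig result into a verdict.
# $1 = dig exit status (9 means "no reply from server", i.e. a timeout),
# $2 = dig +short output.
classify() {
    if [ "$1" -ne 0 ]; then
        echo "FAIL (dig exit $1)"
    elif [ -z "$2" ]; then
        echo "NO TXT RECORD"
    elif printf '%s' "$2" | grep -q 'p='; then
        echo "OK (DKIM key record)"   # p= is the one mandatory DKIM key tag
    else
        echo "TXT present but no p= tag"
    fi
}

# Query every resolver separately; print a verdict per resolver and return
# the number of resolvers that did not produce a usable DKIM key.
check_resolvers() {
    failed=0
    for ns in $(list_nameservers "$RESOLV_CONF"); do
        out=$(dig "@$ns" +time="$DIG_TIMEOUT" +tries=1 +short -t txt "$SELECTOR_RECORD" 2>&1)
        rc=$?
        verdict=$(classify "$rc" "$out")
        printf '%-40s %s\n' "$ns" "$verdict"
        case "$verdict" in OK*) ;; *) failed=$((failed + 1)) ;; esac
    done
    return "$failed"
}

# Run the live check only when invoked explicitly: sh dkim-resolvers.sh --run
if [ "${1:-}" = "--run" ]; then
    check_resolvers
fi
```

A resolver that reports FAIL with exit 9 while the others report OK is the one amavis will stall on when it is listed first.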


RE: Amavis to ClamAV TCP with DNS lookup

2017-01-29 Thread Dino Edwards
Try fqdn

-Original Message-
From: Cyril [cy...@moncoindunet.fr]
Received: Sunday, 29 Jan 2017, 6:11PM
To: amavis-users@amavis.org [amavis-users@amavis.org]
Subject: Re: Amavis to ClamAV TCP with DNS lookup

Hum it was a good idea but I have the same issue:

/usr/sbin/amavisd-new[17]: (00017-01) (!)ClamAV-clamd av-scanner FAILED: 
Unsupported AV protocol name: tcp:clamav1:3310 at (eval 96) line 686.



RE: Logging IP address in error logs

2017-01-19 Thread Dino Edwards
He said that he is not using postfix or any other SMTP servers as first 
receiver before Amavis so that can't be it, please see below. So, the way he 
describes it, amavis is listening on port 25 and I'm not sure how this whole 
thing works without an SMTP service. The original problem he describes wouldn't 
be a problem if an SMTP server was in front. 

> In Amavis. And I don't have postfix or any other SMTP server as first 
> receiver before amavis. Amavis is the frontend server.
> It's version is 2.10.1 on a Debian Jessie.

-Original Message-
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On 
Behalf Of Patrik Båt
Sent: Thursday, January 19, 2017 4:36 AM
To: amavis-users@amavis.org
Subject: Re: Logging IP address in error logs

http://www.postfix.org/SMTPD_PROXY_README.html

Read here to understand.


On 2017-01-18 17:31, Dino Edwards wrote:
> I still don't understand how email comes in. Is amavis listening on port 25?
>
> -Original Message-
> From: Martin Schmid [mailto:s...@aps-systems.ch] 
> Sent: Wednesday, January 18, 2017 11:15 AM
> To: Dino Edwards 
> Subject: Re: Logging IP address in error logs
>
> Difficult to say.
> I've installed this quite a time ago, and as I remember this was a new 
> feature by then.
> I think I liked the idea of not having to maintain three SMTP processors in a 
> row.
> There haven't been any issues so far.
>
> Am 18.01.2017 um 17:07 schrieb Dino Edwards:
>> This is an unusual setup. May I ask why? The reason I'm asking is because an 
>> SMTP server in front would cut down on that traffic.
>>
>> -Original Message-
>> From: Martin Schmid [mailto:s...@aps-systems.ch]
>> Sent: Wednesday, January 18, 2017 10:38 AM
>> To: Dino Edwards 
>> Subject: Re: Logging IP address in error logs
>>
>> In Amavis. And I don't have postfix or any other SMTP server as first 
>> receiver before amavis. Amavis is the frontend server.
>> It's version is 2.10.1 on a Debian Jessie.
>>
>> Am 18.01.2017 um 16:15 schrieb Dino Edwards:
>>> Are you seeing this in postfix or amavis?
>>>
>>> -Original Message-
>>> From: amavis-users
>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org
>>> ]
>>> On Behalf Of Martin Schmid
>>> Sent: Wednesday, January 18, 2017 9:56 AM
>>> To: amavis-users@amavis.org
>>> Subject: Logging IP address in error logs
>>>
>>> Hello everybody
>>>
>>> I'm seeing many connections that try a few commands and then leave an open 
>>> connection until it times out.
>>> I suspect most of them to try to block connections which they do with a 
>>> certain success.
>>>
>>> I couldn't figure out how to add the remote ip to all SMTP loggings. Has 
>>> someone of you ever tried this?
>>>
>>> Regards
>>>
>>>

-- 
Best regard / Med vänlig hälsning

Patrik Båt

Storgatan 102B
171 55 Solna
+46 (0)76-628 39 43




RE: Logging IP address in error logs

2017-01-18 Thread Dino Edwards
I still don't understand how email comes in. Is amavis listening on port 25?

-Original Message-
From: Martin Schmid [mailto:s...@aps-systems.ch] 
Sent: Wednesday, January 18, 2017 11:15 AM
To: Dino Edwards 
Subject: Re: Logging IP address in error logs

Difficult to say.
I've installed this quite a time ago, and as I remember this was a new feature 
by then.
I think I liked the idea of not having to maintain three SMTP processors in a 
row.
There haven't been any issues so far.

Am 18.01.2017 um 17:07 schrieb Dino Edwards:
> This is an unusual setup. May I ask why? The reason I'm asking is because an 
> SMTP server in front would cut down on that traffic.
>
> -Original Message-
> From: Martin Schmid [mailto:s...@aps-systems.ch]
> Sent: Wednesday, January 18, 2017 10:38 AM
> To: Dino Edwards 
> Subject: Re: Logging IP address in error logs
>
> In Amavis. And I don't have postfix or any other SMTP server as first 
> receiver before amavis. Amavis is the frontend server.
> It's version is 2.10.1 on a Debian Jessie.
>
> Am 18.01.2017 um 16:15 schrieb Dino Edwards:
>> Are you seeing this in postfix or amavis?
>>
>> -Original Message-
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org
>> ]
>> On Behalf Of Martin Schmid
>> Sent: Wednesday, January 18, 2017 9:56 AM
>> To: amavis-users@amavis.org
>> Subject: Logging IP address in error logs
>>
>> Hello everybody
>>
>> I'm seeing many connections that try a few commands and then leave an open 
>> connection until it times out.
>> I suspect most of them to try to block connections which they do with a 
>> certain success.
>>
>> I couldn't figure out how to add the remote ip to all SMTP loggings. Has 
>> someone of you ever tried this?
>>
>> Regards
>>
>>


