Docker-mailserver: legit email is considered unsolicited bulk e-mail

Created on 25 Apr 2020 · 17 Comments · Source: tomav/docker-mailserver

A couple of days ago, a legit email got rejected. The sender got this as reply:

was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 2543112-06/Q8cmmCBHhq9r

The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases some balance between
losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on either side.

First upstream SMTP client IP address: [80.237.130.84]
  wp562.webpack.hosteurope.de
According to a 'Received:' trace, the message apparently originated at:
  [80.237.130.84], wp562.webpack.hosteurope.de wp562.webpack.hosteurope.de
  [80.237.130.84]

Return-Path: <[email protected]>
From: xxx xxx <[email protected]>
Message-ID: <[email protected]>
Subject: Post

Delivery of the email was stopped!

My log says the following:

Apr 24 15:46:48 mx0 postfix/postscreen[2659970]: PASS OLD [80.237.130.84]:56258
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: connect from wp562.webpack.hosteurope.de[80.237.130.84]
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: Anonymous TLS connection established from wp562.webpack.hosteurope.de[80.237.130.84]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 24 15:46:49 mx0 policyd-spf[2660653]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=80.237.130.84; helo=wp562.webpack.hosteurope.de; [email protected]; receiver=<UNKNOWN> 
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: D0A57606B1: client=wp562.webpack.hosteurope.de[80.237.130.84]
Apr 24 15:46:49 mx0 postsrsd[2660659]: srs_forward: <[email protected]> rewritten as <[email protected]>
Apr 24 15:46:49 mx0 postfix/cleanup[2660658]: D0A57606B1: message-id=<[email protected]>
Apr 24 15:46:49 mx0 opendkim[340]: D0A57606B1: wp562.webpack.hosteurope.de [80.237.130.84] not internal
Apr 24 15:46:49 mx0 opendkim[340]: D0A57606B1: not authenticated
Apr 24 15:46:49 mx0 opendmarc[346]: D0A57606B1: sender.de none
Apr 24 15:46:49 mx0 postfix/qmgr[1146]: D0A57606B1: from=<[email protected]>, size=165859, nrcpt=1 (queue active)
Apr 24 15:46:50 mx0 postfix/smtpd[2660647]: disconnect from wp562.webpack.hosteurope.de[80.237.130.84] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: DNSBL rank 5 for [217.112.142.135]:48915
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: NOQUEUE: reject: RCPT from [217.112.142.135]:48915: 550 5.7.1 Service unavailable; client [217.112.142.135] blocked using zen.spamhaus.org; from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<recondite.drkhedri.com>
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: DISCONNECT [217.112.142.135]:48915
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: connect from localhost[127.0.0.1]
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: 21F2F619D2: client=localhost[127.0.0.1]
Apr 24 15:46:54 mx0 postsrsd[2660659]: srs_forward: <""> not rewritten: No at sign in sender address
Apr 24 15:46:54 mx0 postsrsd[2660660]: srs_reverse: <[email protected]> rewritten as <[email protected]>
Apr 24 15:46:54 mx0 postfix/cleanup[2660658]: 21F2F619D2: message-id=<[email protected]>
Apr 24 15:46:54 mx0 postsrsd[2660660]: srs_reverse: <[email protected]> rewritten as <[email protected]>
Apr 24 15:46:54 mx0 postfix/qmgr[1146]: 21F2F619D2: from=<>, size=5322, nrcpt=1 (queue active)
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 24 15:46:54 mx0 amavis[2543112]: (2543112-06) Blocked SPAM {BouncedInbound,Quarantined}, [80.237.130.84]:56258 [80.237.130.84] <[email protected]> -> <[email protected]>, quarantine: Q/spam-Q8cmmCBHhq9r.gz, Queue-ID: D0A57606B1, Message-ID: <[email protected]>, mail_id: Q8cmmCBHhq9r, Hits: 3.749, size: 166910, 4264 ms
Apr 24 15:46:54 mx0 postfix/smtp[2660661]: D0A57606B1: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.57/0.01/0.01/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=2543112-06, BOUNCE)
Apr 24 15:46:54 mx0 postfix/qmgr[1146]: D0A57606B1: removed

SpamAssassin settings:

ENABLE_SPAMASSASSIN=1
SPAMASSASSIN_SPAM_TO_INBOX=1
SA_TAG=0.0
SA_TAG2=3.0
SA_KILL=3.0
SA_SPAM_SUBJECT=undef

Is this related to #1396 ?

Why do I not get any notification about this?

Where is the "Quarantine"?

How can I configure the mailserver to deliver such emails?

All 17 comments

Well, as I understand it the SPAMASSASSIN_SPAM_TO_INBOX option was added in #1396? So as you have defined it to 1 you are using that fix, but the message is still bounced?

Well, I just found out that I am using my openarc branch, so I probably do not have the current fixes in there. Will switch to latest and report back. Is there any Spam-Email-Tester to reproduce this behaviour?

Using this to test the spam filter:
https://en.wikipedia.org/wiki/GTUBE

Using latest tag of docker-mailserver.

Seeing in the log that my message gets quarantined and not delivered:

 -> spam-quarantine, mbx=/var/lib/amavis/virusmails/D/spam-D0iDJuvb9dKN.gz

I suppose, this is NOT expected behavior, right?

How can I deliver virusmails into a dedicated mailbox instead of /var/lib/amavis/virusmails/?

I figured out that SA_KILL=3.0 overrides SPAMASSASSIN_SPAM_TO_INBOX=1 which was not clear to me. I set SA_KILL to a very high value (10000) now and it seems that spam is delivered to my inbox and then filtered by my sieve filter to the Junk folder, which is exactly what I want.

However, I am not sure about virusmails still.

Seems I'm lagging behind here. I can merge stable to arc if you like, or even latest but it might break things? I think that viruses will go to the quarantine with an e-mail to you that they were blocked. At least that is how the integration test works.

I can merge stable to arc if you like, or even latest but it might break things?

Yeah, we could try that. However, I think the OpenARC project is pretty dead, even though they state they are not. I changed my setup so that I do not need ARC anymore at all. So not important for me, but would be nice to keep the feature

I think that viruses will go to the quarantine with an e-mail to you that they were blocked

  • What exactly does quarantine mean here? Dumped into the filesystem with no easy way to recover?
  • What does "to you" mean? Postmaster? I never receive such emails.

Edit:
More confusion.... My observations:

  • If SA_KILL gets triggered, the email will be quarantined into virusmails and I do not get any notification. Neither of which I understand. Why does spam go to virusmails? And why is there no notification on the receiver side?

  • If I send a real virus (https://www.aleph-tec.com/eicar/index.php), I am getting a notification email to [email protected]. (Even though POSTMASTER_ADDRESS is set to something else)

Oh by the way. I have CLAMAV disabled at the moment. The virus gets banned with the message

No viruses were found.

Banned name: eicar.com,UNDECIPHERABLE
Content type: Banned
Internal reference code for the message is 01151-17/FDm4prvd69M7

I am confused...

Alright, I am not able to answer all my previous questions, but I found a solution for myself.
I created a dedicated mailbox for the quarantine: [email protected]
then in config/amavis.cf:

$clean_quarantine_to      = "amavis\@domain.com";
$virus_quarantine_to      = "amavis\@domain.com";
$banned_quarantine_to     = "amavis\@domain.com";
$bad_header_quarantine_to = "amavis\@domain.com";
$spam_quarantine_to       = "amavis\@domain.com";

This will prevent losing any mails, I suppose. Everything which is either infected or exceeds the SA_KILL threshold will be delivered to this mailbox.

Great, perhaps you could document that in the FAQ for the future and close this then?

Great idea!

Just for curiosity. I think there are a lot more mails blocked on my domain which do not even get checked by amavis. I think those are the IP blacklist checks which precede the actual receiving of the email.

Is there an easy way to disable this as well and/or receive them into another separate mailbox? I would be curious what's going on there. Also this would complete the FAQ entry :)
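As an added illustration (not code from the thread or from docker-mailserver itself), the following script ties together two points raised above: the observation that a message is bounced once its amavis score reaches SA_KILL (the original log shows Hits: 3.749 against SA_KILL=3.0), and the question about rejects that happen before amavis ever sees the mail (the postscreen DNSBL line in the same log). It classifies a score against SA_TAG / SA_TAG2 / SA_KILL the way amavis does (score >= level) and separates postscreen rejects from amavis verdicts in a log excerpt. The sample log lines, IDs, hosts and addresses are constructed placeholders shaped like the ones in the issue.

```python
"""Added example: amavis threshold logic and a postscreen/amavis log splitter.
Not part of docker-mailserver; sample log lines below are constructed."""
import re
from typing import Dict, List

def classify(hits: float, sa_tag: float, sa_tag2: float, sa_kill: float) -> str:
    """Return the highest amavis level a SpamAssassin score reaches.

    amavis compares the score with ">=" against each level:
      kill  -> $final_spam_destiny applies (D_BOUNCE/D_DISCARD/D_PASS)
      tag2  -> X-Spam-Flag: YES added, mail still delivered
      tag   -> X-Spam-Score/X-Spam-Status headers added only
      clean -> no spam headers
    """
    if hits >= sa_kill:
        return "kill"
    if hits >= sa_tag2:
        return "tag2"
    if hits >= sa_tag:
        return "tag"
    return "clean"

# amavis verdict line: "(task) Passed|Blocked CATEGORY {...}, ... mail_id: X, Hits: N"
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<verdict>Passed|Blocked) (?P<cat>\S+) "
    r".*?mail_id: (?P<mail_id>[^,]+), Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)
# postscreen DNSBL reject: the client is refused at RCPT time, before any content check
POSTSCREEN_RE = re.compile(
    r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: (?P<code>\d{3}) "
    r".*?blocked using (?P<dnsbl>[^;]+); from=<(?P<from>[^>]*)>, to=<(?P<to>[^>]*)>"
)

def summarize(lines: List[str], sa_tag: float, sa_tag2: float, sa_kill: float) -> Dict[str, List[dict]]:
    """Split a log excerpt into pre-queue DNSBL rejects and amavis verdicts.

    For every amavis line the score is re-classified against the given
    thresholds, so you can see what a different SA_KILL would have done."""
    out: Dict[str, List[dict]] = {"postscreen_rejects": [], "amavis": []}
    for line in lines:
        m = POSTSCREEN_RE.search(line)
        if m:
            out["postscreen_rejects"].append(m.groupdict())
            continue
        m = AMAVIS_RE.search(line)
        if m:
            hits = float(m["hits"])
            out["amavis"].append({
                "mail_id": m["mail_id"],
                "hits": hits,
                "logged": f"{m['verdict']} {m['cat']}",
                "would_be": classify(hits, sa_tag, sa_tag2, sa_kill),
            })
    return out

# Constructed sample lines (placeholder IDs/hosts/addresses), shaped like the issue's log.
SAMPLE_LOG = [
    "Apr 24 15:46:49 mx0 postfix/smtpd[1001]: connect from mail.example.org[192.0.2.10]",
    "Apr 24 15:46:52 mx0 postfix/postscreen[1000]: NOQUEUE: reject: RCPT from [203.0.113.5]:48915: "
    "550 5.7.1 Service unavailable; client [203.0.113.5] blocked using zen.spamhaus.org; "
    "from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<mail.example.net>",
    "Apr 24 15:46:54 mx0 amavis[1002]: (1002-06) Blocked SPAM {BouncedInbound,Quarantined}, "
    "[192.0.2.10]:56258 [192.0.2.10] <[email protected]> -> <[email protected]>, "
    "quarantine: Q/spam-mailid01.gz, Queue-ID: QID00000001, Message-ID: <[email protected]>, "
    "mail_id: mailid01, Hits: 3.749, size: 166910, 4264 ms",
    "Apr 24 15:50:01 mx0 amavis[1002]: (1002-07) Passed CLEAN {RelayedInbound}, "
    "[192.0.2.11]:40000 [192.0.2.11] <[email protected]> -> <[email protected]>, "
    "Queue-ID: QID00000002, Message-ID: <[email protected]>, "
    "mail_id: mailid02, Hits: -1.2, size: 2048, 310 ms",
]

if __name__ == "__main__":
    # SA_KILL=3.0 as in the issue vs. the "very high value" workaround from the thread
    for kill in (3.0, 10000.0):
        print(f"--- SA_TAG=0.0 SA_TAG2=3.0 SA_KILL={kill} ---")
        s = summarize(SAMPLE_LOG, 0.0, 3.0, kill)
        for r in s["postscreen_rejects"]:
            print(f"rejected before amavis: {r['ip']} via {r['dnsbl']} from=<{r['from']}>")
        for a in s["amavis"]:
            print(f"{a['mail_id']}: hits={a['hits']} logged='{a['logged']}' -> {a['would_be']}")
```

Run it as-is to see the 3.749-point message flip from "kill" to "tag2" when SA_KILL is raised, while the DNSBL reject stays a pre-queue decision that no amavis setting can change; point `summarize()` at `/var/log/mail.log` lines to apply the same split to a real excerpt.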

https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips#how-do-i-have-more-control-about-what-spamassasin-is-filtering

Nice documentation @mindrunner!

The current spamassassin filtering behavior is discussed in https://github.com/tomav/docker-mailserver/issues/1396, as SPAMASSASSIN_SPAM_TO_INBOX is currently bugged, you will not receive any spam in the mailbox. Fix: https://github.com/tomav/docker-mailserver/pull/1485.

Don't really understand. What is bugged? It seems quite functional here in my setup.

SPAMASSASSIN_SPAM_TO_INBOX=1 wasn't working as expected: amavis/conf.d/49-docker-mailserver wasn't updated, amavis was still using $final_spam_destiny = D_BOUNCE; as spam destiny.

It seems quite functional here in my setup.

You are using SA_KILL=high value; in this case spam is always delivered (README)

SA_KILL To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. 100.0.
README.md

It might not affect your setup because $final_spam_destiny was never used due to SA_KILL=high value.

Regarding your sieve Junk rule, it might not be required anymore if SPAMASSASSIN_SPAM_TO_INBOX=1 and MOVE_SPAM_TO_JUNK=1 are set, but I didn't try with
SA_TAG=-100000.0 SA_KILL=100000.0

With the fix, you could try just setting SPAMASSASSIN_SPAM_TO_INBOX=1 and MOVE_SPAM_TO_JUNK=1 without defining custom SA_TAG/SA_KILL/custom sieve rule; I think legit emails marked as spam will pass and will be delivered directly into the Junk folder.

Be sure to use SA Learn cronjob in order to reduce the next false positives.

Yes. that all makes sense. Might update my config as soon as the fix is merged. sa-learn is running once a day here.
