Hi Dominic,

Thanks for taking your time to read my message and respond.

I've now changed my configuration so postfix rejects the clients based on
reject_rbl_client with zen.spamhaus.com. I've put this after the
permit_sasl_authenticated so users who log in won't be affected.
For Mailscanner / Spamassassin I've disabled the use of zen.spamhaus.org and
pbl.spamhaus.org. Now only sbl and xbl are being used for authenticated.
This way I hope that if credentials get hacked at some point in time perhaps
this might still block some spam sent through my mailserver.

There's one downside to such a setup in my opinion. While before I could see
all mails in mailwatch that are received and blocked, I don't have such an
overview now as they'll be blocked at the connection level already.

Thanks for the help!

2017-06-16 12:07 GMT+02:00 Dominic Raferd <[email protected]>:

> On 16 June 2017 at 10:29, PenguinWhispererThe . <[email protected]> wrote:
>
>> Hi all,
>>
>> I'm having a problem with valid mails being marked as spam on the MX mail
>> server for a domain. See my description below. If you'd need more details
>> let me know and I'll be happy to provide. I'm posting this here while this
>> might not be a postfix issue itself it is related with how postfix is
>> configured and how it might need a configuration change.
>>
>> Users are sending email, authenticated, through the submission port on my
>> mailserver (their domain MX record points to mailserver; postfix).
>>
>> What's been set up
>>
>> - A record
>> - MX record (pointing to same mailserver for all domains)
>> - PTR record resolving to mailserver name
>> - DKIM: pass
>> - SPF: pass
>> - DMARC: pass
>> - MailScanner with clamd and spamassassin
>> - SASL authentication (mail headers mention user is authenticated)
>> - No open relay
>> - TLS
>> - ...
>>
>> I see that mails are authenticated in the headers.
>>
>> However I see that spamassassin marks it as spam (it mentions that the IP
>> of the client is on the RBL). When I query spamhaus I see that the client
>> IP (which is dynamic due to mobile ISP). Zenhaus says it's on the PBL, so
>> basically it is marked as spam as a policy based on the client IP.
>>
>> Apart from that there's nothing wrong with those emails. The other ISPs
>> don't have this problem and the emails are then delivered properly.
>>
>> Now on to my questions... :)
>>
>> - is mail sent through submission port supposed to go through
>>   Mailscanner (spamassassin + clamd)? I would suppose yes as it would
>>   already prevent people from sending spam in the first place (instead of
>>   preventing spam email to be delivered). On the other hand a receiving
>>   mailserver can't trust what's in the headers so it'll probably check it
>>   anyway.
>> - Is there a way to not mark as spam if only mentioned on the PBL?
>> - Will releasing the message make it deliverable? Or will it just
>>   move the problem? (so the receiving mailserver might check and mark as
>>   spam due to the PBL) If it moves the problem it doesn't seem a valid
>>   solution to try to bypass the PBL for authenticated users.
>> - Will a receiving mailserver only check the last header (so the
>>   header added by my mail server)? In this case disabling spam check might
>>   actually resolve the issue and not move it on to the next machine).
>> - another thing that comes to mind is removing/modifying the first
>>   header so the IP is no longer mentioned. However this seems like a bad
>>   practice.
>> - What's the proper/appropriate way to handle this?
>>
>> For clarity: the mails are received on the smtp server that the users
>> have configured on their laptop/mobile and put in the postfix queue. So no
>> direct rejection to the clients. Only after mailscanner jumps in and checks
>> the email before sending (in this case marking it as spam and not sending
>> it).
>>
>
> The reason that other mailservers don't have any problem with emails from
> your dynamic ips is that the emails are 'cleansed' of their dynamic IP by
> being forwarded through your static-ip server. So no problem releasing them
> for onward delivery - the only IP that an onward server is likely to
> consider is the client's (i.e. of your server), not what any headers might
> say in the message about previous hops.
>
> I'm not sure what the 'proper' way to handle this is, but here are a few
> possibilities:
>
> A way to prevent spamassassin from inspecting mail from authenticated
> senders is suggested at
> https://serverfault.com/questions/33518/postfix-skip-spam-checks-for-authorized-smtp.
>
> I use spamassassin+clamd via amavis; it does check mail from authenticated
> senders but I have turned off all RBL checks in spamassassin and instead
> have postfix perform these - but only for non-authenticated senders. Like
> this (suggestions for improvement welcome):
>
> smtpd_sender_restrictions =
>   permit_sasl_authenticated
>   # permit_mynetworks: only the local machine
>   permit_mynetworks
>   # check_sender_access: REJECT emails (by envelope address) from a few known spam senders, OK a very few 'false positives'
>   check_sender_access hash:/etc/postfix/check_sender_access
>   # check_client_access: OK a very few ips prone to 'false positives'
>   check_client_access hash:/etc/postfix/check_client_access
>   reject_unauth_pipelining
>   # accept whitelisted per hostkarma, dnswl.org, uribl.com
>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
>   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>   permit_dnswl_client white.uribl.com
>   # check against spamhaus etc
>   reject_rbl_client zen.spamhaus.org
>   [... and others similar]
>   reject_rhsbl_helo dbl.spamhaus.org
>   [... and others similar]
>   reject_rhsbl_sender dbl.spamhaus.org
>   [... and others similar]
>   reject_rhsbl_reverse_client dbl.spamhaus.org
>   [... and others similar]
>
> I think it is regarded as better practice to use postscreen instead, but
> my setup is working well for now.
>
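An added example, not part of the thread and not Postfix or SpamAssassin code: this Python model shows how a Spamhaus ZEN answer breaks down into SBL, XBL and PBL, and why the setup discussed above treats a PBL-only listing differently for authenticated submission. The function names, the `pass`/`flag`/`reject` labels and the fail-open choice on DNSBL error codes are assumptions made for illustration; the sample address and answers are constructed.

```python
import ipaddress

# Spamhaus ZEN return codes (last octet of 127.0.0.x) -> component list.
ZEN_CODES = {2: "SBL", 3: "SBL", 9: "SBL",
             4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query-error answers


def dnsbl_qname(client_ip, zone="zen.spamhaus.org"):
    """DNSBL query name for an IPv4 client: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Turn the A records of a ZEN answer into a set of list names."""
    lists = set()
    for text in answers:
        addr = ipaddress.IPv4Address(text)
        if addr in ERROR_NET:
            # e.g. 127.255.255.254: query came via a public resolver
            raise LookupError("DNSBL error code " + text)
        prefix, last = addr.packed[:3], addr.packed[3]
        if prefix == b"\x7f\x00\x00" and last in ZEN_CODES:
            lists.add(ZEN_CODES[last])
    return lists


def decide(answers, sasl_authenticated):
    """Model of the thread's policy (hypothetical helper, not Postfix code)."""
    try:
        lists = classify(answers)
    except LookupError:
        return "pass"  # assumption: fail open when the DNSBL cannot answer
    if not sasl_authenticated:
        # reject_rbl_client zen.spamhaus.org: any listing rejects the client
        return "reject" if lists else "pass"
    # Authenticated submission: PBL only says "dynamic/end-user address",
    # so only SBL/XBL hits are left for the content filter to score.
    return "flag" if lists & {"SBL", "XBL"} else "pass"


if __name__ == "__main__":
    # Constructed sample: documentation address, PBL-only answer
    print(dnsbl_qname("192.0.2.25"), decide(["127.0.0.11"], True))
```
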
