Thread: local mail getting marked as spam?

  1. #41
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default

    Your suggestion does of course work, it's just that Pyzor and the DUL Blacklist are very powerful when it comes to recognizing spam. Lowering those scores does work better than globally raising my tag percent, but it still lets more spam through than if authenticated users were whitelisted.

  2. #42
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default

    Anyone know if there's any work been done on this? It's been coming up on a year now that I've had this problem, and it's really getting difficult to manage.

    Anyone had this problem and found a way around it?

  3. #43
    Join Date
    Jun 2008
    Posts
    3
    Rep Power
    7

    Default Workaround

    Hi,

    following the discussion above I came up with the following workaround:

    • Set up a second MTA server that accepts only authenticated users (smtpd_recipient_restrictions = permit_sasl_authenticated, reject)
    • Disable Services Anti-Spam (and Anti-Virus) on that server


    Do you think that could be a working solution?

  4. #44
    Join Date
    Feb 2009
    Location
    Bahrain
    Posts
    34
    Rep Power
    6

    Default

    Hi,

    It's much better to train your SpamAssassin yourself by reading header, URL and subject values, and to study how to block malware.

    It might help you to reduce your spam, and it will take time to set up and maintain rules.

    Bilal

  5. #45
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by bjquinn
    Anyone know if there's any work been done on this? It's been coming up on a year now that I've had this problem, and it's really getting difficult to manage.
    No work will be 'done on this' because you haven't filed any bug report.

    Quote Originally Posted by bjquinn
    Anyone had this problem and found a way around it?
    You should actually have your users send mail through the correct Submission Port which is 587, there's several descriptions in the forums of how to enable but here's one of them. Try that and see if that does anything to help.

    Which version of Zimbra do you currently have installed and what's the contents of your MyNetwork setting? Do you have any hardware firewall in front of this server? Does the server sit on a public or private IP? Is this only one user or all users?
    Last edited by phoenix; 04-07-2009 at 02:22 AM.
    Regards


    Bill



  6. #46
    Join Date
    Jun 2008
    Posts
    3
    Rep Power
    7

    Default

    Using
    Code:
    zcs-5.0.14_GA_2850.UBUNTU8.20090303190551
    I'll try to use the submission-port instead of 25, but I wonder how SpamAssassin will know about that, if there is no additional header information added.

    Found this information, which helped fix the problem in another mailserver setup

    DynablockIssues - Spamassassin Wiki
    Code:
    smtpd_sasl_authenticated_header = yes

  7. #47
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default

    Quote Originally Posted by phoenix
    No work will be 'done on this' because you haven't filed any bug report.
    Yes I did, please see post #34 of this thread and bug 31333. It's been outstanding for seven months.

    Quote Originally Posted by phoenix
    You should actually have your users send mail through the correct Submission Port which is 587, there's several descriptions in the forums of how to enable but here's one of them. Try that and see if that does anything to help.
    Thanks, but if you read over the thread, we've been over this and that doesn't solve the problem.


    However, after looking for nearly a year on this, here's what DOES solve the problem, and it is actually fairly easy and doesn't require setting up a second email server, etc. This is basically what sniechzial found, although I wish I had read his post and saved myself some trouble, as it would have pointed me in the right direction.

    Zimbra sending local mail to trash -

    This happens when a remote authenticated user (i.e. someone with an email account on the server but who is currently outside of the local network and NOT using the web client or Zimbra Desktop) sends an email to another email address local to the email server. What happens is that instead of the local email server's IP address getting counted as the originating email server IP (after all, it's both that user's incoming and outgoing mail server and they are authenticated), instead the IP of the internet connection they're on (probably a DHCP DSL connection or something) gets correctly identified as being a bad IP to be sending email from. Problem is, they're not really sending email FROM that IP in the sense that it's not the IP of their email server -- the originating mail server is the local Zimbra server, and it should detect itself as such. There are a couple of ways to handle this.

    If you're using a version of Zimbra which contains Postfix >= 2.3 and < 2.5 (any relatively modern version of Zimbra), then set smtpd_sasl_authenticated_header = yes in zmmta.cf. Versions of Zimbra with Postfix >= 2.5 should enable the desired feature by default without having to set this option. This will allow SpamAssassin >= 3.1.4 (again, most relatively modern Zimbras) to know that an SMTP sender is authenticated and it will consequently flag a rule called ALL_TRUST for authenticated users and subtract by default 1.8 points from the score. Sometimes this problem can flag RCVD_IN_SORBS_DUL (2.046), PYZOR_CHECK (3.7), and TVD_RCVD_SINGLE (1.351), but in addition to subtracting 1.8 points from the score, this rule should also prevent all tests about the source IP of the message from running. This doesn't mean ALL spam tests, just ones like the RBL ones above.

    Secondarily, if in doubt, one could also create meta rules that awarded a negative score equivalent to the positive score for the RBL checks we're having problems with above based on the fact that the sender at least CLAIMS to be using a domain local to the email server. Of course checking to see that they're ALL_TRUST (or authenticated SMTP users) is better, but this could work if your Zimbra version is too old or you have other problems. Any other rules, like FORGED_MUA_OUTLOOK or something which seem too often to get flagged for local users could be negated this way or in combination with the ALL_TRUST rule as well.

  8. #48
    Join Date
    Dec 2006
    Posts
    184
    Rep Power
    8

    Default

    Quote Originally Posted by bjquinn
    If you're using a version of Zimbra which contains Postfix >= 2.3 and < 2.5 (any relatively modern version of Zimbra), then set smtpd_sasl_authenticated_header = yes in zmmta.cf. Versions of Zimbra with Postfix >= 2.5 should enable the desired feature by default without having to set this option.
    Latest 4.5 version still uses postfix-2.2.9 - Where would this change exactly go? I've enabled 587 submission protocol (as well as 465) (via ~zimbra/postfix/conf/master.cf). Would this be an option in master.cf in each submission port or via a section inside zmmta.cf (and if so where)?

    IE:

    Code:
    SECTION mta
         ....
         POSTCONF smtpd_sasl_authenticated_header   yes
         ....

  9. #49
    Join Date
    Jun 2008
    Posts
    3
    Rep Power
    7

    Default

    Quote Originally Posted by bjquinn
    This is basically what sniechzial found, [...]
    Thanks for the feedback and detailed explanation of your solution. After not feeling comfortable with my way of having two mailservers I implemented exactly your solution, just didn't have the time to write it down here.

    Quote Originally Posted by su_A_ve
    Where would this change exactly go
    Postfix configuration can be changed by using
    Code:
    postconf -ev key=value
    postfix reload
    Don't forget to make backups, as changes will get lost during upgrades of Zimbra.

    Tested and in production with 5.0.14_GA_2850.UBUNTU8
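
A way to confirm that the setting from posts #47 and #49 is taking effect on a delivered message, as an added example that is not part of the original thread: it looks for the `(Authenticated sender: ...)` marker that Postfix writes into the Received header when `smtpd_sasl_authenticated_header = yes`, and compares it with the tests listed in X-Spam-Status (SpamAssassin's rule name is ALL_TRUSTED). The sample message, the host name `mail.example.com` and the function name `check_message` are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from the thread).
SAMPLE = """\
X-Spam-Status: Yes, score=6.9 tagged_above=-10 required=6.6
 tests=[BAYES_00=-2.599, HELO_DYNAMIC_SPLIT_IP=3.493,
 RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]
Received: from laptop (dsl.example.net [203.0.113.7])
 (Authenticated sender: alice@example.com)
 by mail.example.com (Postfix) with ESMTPSA id AAA111
 for <bob@example.com>; Sun, 26 Jul 2009 21:24:38 -0700 (PDT)
From: alice@example.com
To: bob@example.com
Subject: test

body
"""

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")
TEST_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")

def check_message(raw, our_host):
    """Report whether an authenticated submission was scored as trusted."""
    msg = message_from_string(raw)
    user = None
    for received in msg.get_all("Received", []):
        hop = " ".join(received.split())  # undo header folding
        m = AUTH_RE.search(hop)
        # Only count the marker on a hop stamped by our own MTA (assumed name).
        if m and f" by {our_host} " in hop:
            user = m.group(1)
            break
    status = msg.get("X-Spam-Status", "")
    inner = re.search(r"tests=\[(.*?)\]", status, re.S)
    tests = {n: float(s) for n, s in TEST_RE.findall(inner.group(1))} if inner else {}
    return {
        "authenticated_as": user,
        "all_trusted": "ALL_TRUSTED" in tests,
        "positive_tests": sorted(n for n, s in tests.items() if s > 0),
        # Authenticated at the MTA but not treated as trusted by SpamAssassin.
        "mismatch": user is not None and "ALL_TRUSTED" not in tests,
    }

if __name__ == "__main__":
    print(check_message(SAMPLE, "mail.example.com"))
```

A result with `mismatch` set to true means the marker reached the message but SpamAssassin still ran its source-IP tests against the client address.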

  10. #50
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Can bug #31333 please be reopened and re-assigned a severity of Normal or higher?

    I don't think the solution in this thread really qualifies as a fix unless the rule is configured as a default in Zimbra.

    (Also the recommendation in http://www.zimbra.com/forums/113800-post7.html doesn't address the issue.)

    I'm using ZCS 5.0.18 NE and mail sent by an authenticated user got this header:

    X-Spam-Status: Yes, score=6.862 tagged_above=-10 required=6.6
    tests=[AWL=0.267, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13,
    FH_HELO_ALMOST_IP=3.565, HELO_DYNAMIC_SPLIT_IP=3.493,
    HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]

    I was able to locate a session that occurred under circumstances similar to those of this email, with these log entries:

    Jul 26 21:24:38 zimbra saslauthd[19653]: zmauth: authenticating against elected url 'https://zimbra.company.com:7071/service/admin/soap/' ...
    Jul 26 21:24:38 zimbra saslauthd[19653]: zmpost: url='https://zimbra.company.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="23583"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_c3b99ddcbbc aef0824f739fe9d48b29ed0a78b24_69643d33363a62633932 373635362d623334372d346166342d393532642d3130656266 646232306264343b6578703d31333a31323438383431343738 3133333b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>sky</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jul 26 21:24:38 zimbra saslauthd[19653]: auth_zimbra: myboss@mycompany.com auth OK
    Jul 26 21:24:38 zimbra postfix/smtpd[32621]: lost connection after RCPT from unknown[117.81.93.214]
    Jul 26 21:24:38 zimbra postfix/smtpd[32621]: disconnect from unknown[117.81.93.214]
    Jul 26 21:24:38 zimbra postfix/smtpd[32623]: B3D732D60001: client=234.sub-75-210-148.myvzw.com[75.210.148.234], sasl_method=PLAIN, sasl_username=myboss@mycompany.com
    Jul 26 21:24:40 zimbra postfix/cleanup[32625]: B3D732D60001: message-id=<F60DE104-0599-47AD-893D-51D47E89CDF8@mycompany.com>
    Jul 26 21:24:40 zimbra postfix/qmgr[4638]: B3D732D60001: from=<myboss@mycompany.com>, size=4337, nrcpt=1 (queue active)
    Jul 26 21:24:40 zimbra amavis[5716]: (05716-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090726T212440-05716: <myboss@mycompany.com> -> <recipient_name@yahoo.com> SIZE=4337 Received: from zimbra.company.com ([127.0.0.1]) by localhost (zimbra.company.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <recipient_name@yahoo.com>; Sun, 26 Jul 2009 21:24:40 -0700 (PDT)
    Jul 26 21:24:40 zimbra amavis[5716]: (05716-01) Checking: rj4QngtKye1C [75.210.148.234] <myboss@mycompany.com> -> <recipient_name@yahoo.com>
    Jul 26 21:24:44 zimbra postfix/smtpd[32632]: connect from localhost.localdomain[127.0.0.1]
    Jul 26 21:24:44 zimbra postfix/smtpd[32632]: 49E382D60002: client=localhost.localdomain[127.0.0.1]
    Jul 26 21:24:44 zimbra postfix/cleanup[32625]: 49E382D60002: message-id=<F60DE104-0599-47AD-893D-51D47E89CDF8@mycompany.com>
    Jul 26 21:24:44 zimbra postfix/smtpd[32632]: disconnect from localhost.localdomain[127.0.0.1]
    Jul 26 21:24:44 zimbra postfix/qmgr[4638]: 49E382D60002: from=<myboss@mycompany.com>, size=4804, nrcpt=1 (queue active)
    Jul 26 21:24:44 zimbra amavis[5716]: (05716-01) FWD via SMTP: <myboss@mycompany.com> -> <recipient_name@yahoo.com>,BODY=7BIT 250 2.6.0 Ok, id=05716-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49E382D60002
    Jul 26 21:24:44 zimbra amavis[5716]: (05716-01) Passed SPAMMY, [75.210.148.234] [75.210.148.234] <myboss@mycompany.com> -> <recipient_name@yahoo.com>, Message-ID: <F60DE104-0599-47AD-893D-51D47E89CDF8@mycompany.com>, mail_id: rj4QngtKye1C, Hits: 5.999, size: 4337, queued_as: 49E382D60002, 4284 ms
    Jul 26 21:24:44 zimbra postfix/smtp[32628]: B3D732D60001: to=<recipient_name@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, delays=1.6/0.01/0.01/4.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 49E382D60002)
    Jul 26 21:24:44 zimbra postfix/qmgr[4638]: B3D732D60001: removed
    Jul 26 21:24:45 zimbra postfix/smtp[32633]: 49E382D60002: to=<recipient_name@yahoo.com>, relay=b.mx.mail.yahoo.com[66.196.97.250]:25, delay=0.82, delays=0/0.01/0.32/0.49, dsn=2.0.0, status=sent (250 ok dirdel)
    Jul 26 21:24:45 zimbra postfix/qmgr[4638]: 49E382D60002: removed
    Jul 26 21:25:20 zimbra zmmailboxdmgr[515]: status requested
    Jul 26 21:25:20 zimbra zmmailboxdmgr[515]: status OK
    Jul 26 21:25:20 zimbra zmmailboxdmgr[585]: status requested
    Jul 26 21:25:20 zimbra zmmailboxdmgr[585]: status OK
    Jul 26 21:25:41 zimbra postfix/smtpd[32623]: disconnect from 234.sub-75-210-148.myvzw.com[75.210.148.234]
    As you can see the user is authenticating, but because they're using a Verizon Wireless connection, they're getting hit by a ton of positive scores--and ALL_TRUSTED is not firing.
    Last edited by ewilen; 07-27-2009 at 05:46 PM.
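
The correlation done by hand in the post above, as an added example that is not part of the original thread: it joins the smtpd line carrying `sasl_username` to the amavis verdict through the "queued as" hand-off, and lists authenticated submissions that amavis still passed as SPAMMY. The log lines are constructed in the format quoted in the post; the function name and the 127.0.0.1:10024 relay match are assumptions based on that quoted log.

```python
import re

# Constructed sample lines in the Postfix/amavis log format quoted in the thread.
SAMPLE_LOG = """\
Jul 26 21:24:38 mail postfix/smtpd[101]: AAA111: client=dsl.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 26 21:24:39 mail postfix/smtpd[102]: BBB222: client=mx.example.org[198.51.100.9]
Jul 26 21:24:44 mail amavis[55]: (00055-01) Passed SPAMMY, [203.0.113.7] [203.0.113.7] <alice@example.com> -> <bob@example.com>, mail_id: x1, Hits: 5.999, size: 4337, queued_as: CCC333, 4284 ms
Jul 26 21:24:44 mail postfix/smtp[103]: AAA111: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CCC333)
Jul 26 21:24:45 mail amavis[55]: (00055-02) Passed CLEAN, [198.51.100.9] [198.51.100.9] <carol@example.org> -> <bob@example.com>, mail_id: x2, Hits: 0.1, size: 900, queued_as: DDD444, 300 ms
Jul 26 21:24:45 mail postfix/smtp[103]: BBB222: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DDD444)
"""

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S+\[([^\]]+)\], "
                     r"sasl_method=\S+, sasl_username=(\S+)")
# Hand-off to the content filter; 127.0.0.1:10024 is the amavis port in the quoted log.
RELAY_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): "
                      r".*relay=127\.0\.0\.1\[127\.0\.0\.1\]:10024.*queued as ([0-9A-F]+)\)")
AMAVIS_RE = re.compile(r"amavis\[\d+\]: \(\S+\) Passed (\w+), .*Hits: (-?[\d.]+), "
                       r".*queued_as: ([0-9A-F]+)")

def authenticated_but_spammy(log_text):
    """Return authenticated submissions that the content filter scored as spam."""
    sasl, reinjected, verdicts = {}, {}, {}
    for line in log_text.splitlines():
        if m := SASL_RE.search(line):
            sasl[m.group(1)] = (m.group(3), m.group(2))      # queue id -> (user, client ip)
        elif m := RELAY_RE.search(line):
            reinjected[m.group(1)] = m.group(2)              # queue id -> re-injected queue id
        elif m := AMAVIS_RE.search(line):
            verdicts[m.group(3)] = (m.group(1), float(m.group(2)))
    findings = []
    for qid, (user, ip) in sasl.items():
        # Lines may arrive in any order, so the join happens after the full pass.
        verdict, hits = verdicts.get(reinjected.get(qid), ("UNKNOWN", 0.0))
        if verdict in ("SPAMMY", "SPAM"):
            findings.append({"queue_id": qid, "user": user, "client_ip": ip,
                             "verdict": verdict, "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in authenticated_but_spammy(SAMPLE_LOG):
        print(finding)
```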
