2 Problems: Spamassasin not working / Postfix tries connection to false servers

Report bugs and workarounds
Post Reply
DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 08 Nov 2017 13:40

Hello,

i just installed the eFa 3.0.2.5 Hyper-V image and configured it. Everything is fine, really impressive. :shock:

But i have 2 litte problems:

1. i recognized in the /var/log/maillog, that postfix tries a connection to 3 other servers besides of my mailserver:
  • Nov 8 12:16:30 MW24MailGate postfix/smtp[7621]: connect to w2k.local[193.168.0.248]:25: Connection refused
    Nov 8 12:18:24 MW24MailGate postfix/smtp[7901]: connect to w2k.local[193.168.0.230]:25: Connection refused
    Nov 8 12:18:54 MW24MailGate postfix/smtp[7901]: connect to w2k.local[193.168.10.100]:25: Connection timed out
248 = Second DC (2012 R2), 230 = Terminal Server (2008 R2), 100 = No Computer

Any ideas why ?

2. it seems to me, that Spamassassin not working proper - testmails i send to me are delivered without recognition they are spam.
  • Body of the testmail:
    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Spamassassin is running:
  • 10167 ? Ss 0:02 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
    10174 ? S 0:00 spamd child
    10175 ? S 0:00 spamd child
    27179 pts/1 S+ 0:00 grep spamd
This is a log receiving a mail, which is spam (a porn spam mail)
  • Nov 8 14:14:02 MW24MailGate postfix/smtpd[27180]: connect from localhost[127.0.0.1]
    Nov 8 14:14:02 MW24MailGate postfix/smtpd[27180]: ABB4D1000B7: client=localhost[127.0.0.1]
    Nov 8 14:14:02 MW24MailGate postfix/cleanup[27182]: ABB4D1000B7: hold: header Received: from MW24MailGate.w2k.local (localhost [127.0.0.1])??by MW24MailGate.w2k.local (Postfix) with ESMTP id ABB4D1000B7??for <oehmke@localhost>; Wed, 8 Nov 2017 14:14:02 +0100 (CET) from localhost[127.0.0.1]; from=<victor@magisa.cl> to=<oehmke@localhost> proto=ESMTP helo=<MW24MailGate.w2k.local>
    Nov 8 14:14:02 MW24MailGate postfix/cleanup[27182]: ABB4D1000B7: message-id=<e5be716c464d35e5d53fd88ee8c821e0@107.170.73.100>
    Nov 8 14:14:02 MW24MailGate postfix/smtpd[27180]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Nov 8 14:14:04 MW24MailGate MailScanner[15250]: New Batch: Scanning 1 messages, 6431 bytes
    Nov 8 14:14:04 MW24MailGate MailScanner[15250]: Virus and Content Scanning: Starting
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Spam Checks: Starting
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Message ABB4D1000B7.A80F7 from 127.0.0.1 (victor@magisa.cl) is whitelisted
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Requeue: ABB4D1000B7.A80F7 to BDBE5100395
    Nov 8 14:14:26 MW24MailGate postfix/qmgr[2546]: BDBE5100395: from=<victor@magisa.cl>, size=5756, nrcpt=1 (queue active)
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Uninfected: Delivered 1 messages
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Deleted 1 messages from processing-database
    Nov 8 14:14:26 MW24MailGate MailScanner[15250]: MailWatch: Logging message ABB4D1000B7.A80F7 to SQL
    Nov 8 14:14:26 MW24MailGate postfix/cleanup[27182]: 7D1981000B7: message-id=<e5be716c464d35e5d53fd88ee8c821e0@107.170.73.100>
    Nov 8 14:14:26 MW24MailGate postfix/local[27208]: BDBE5100395: to=<oehmke@localhost>, relay=local, delay=24, delays=24/0.01/0/0, dsn=2.0.0, status=sent (forwarded as 7D1981000B7)
    Nov 8 14:14:26 MW24MailGate postfix/qmgr[2546]: 7D1981000B7: from=<victor@magisa.cl>, size=6581, nrcpt=1 (queue active)
    Nov 8 14:14:26 MW24MailGate postfix/qmgr[2546]: BDBE5100395: removed
    Nov 8 14:14:26 MW24MailGate postfix/smtp[27209]: 7D1981000B7: to=<oehmke@ourdomainwhereiwork.de>, orig_to=<oehmke@localhost>, relay=193.168.0.250[193.168.0.250]:25, delay=0.04, delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (250 Message accepted for delivery)
    Nov 8 14:14:26 MW24MailGate postfix/qmgr[2546]: 7D1981000B7: removed
Spamassassin is enabled in /etc/Mailscanner/Mailscanner.conf - Option "Use SpamAssassin = yes.

How can i debug this and get Spamassassin to work ?

Greetings,
Frank

User avatar
pdwalker
Posts: 849
Joined: 18 Mar 2015 09:16

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by pdwalker » 09 Nov 2017 04:54

I'm just making a guess, but this line seems relevant:
Nov 8 14:14:26 MW24MailGate MailScanner[15250]: Message ABB4D1000B7.A80F7 from 127.0.0.1 (victor@magisa.cl) is whitelisted
Whitelisting means the message will be accepted without doing any checks on it.

Either send from a different email address, or remove this from the whitelist and see if you get different results.

DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 09 Nov 2017 13:41

Thx for the input .... i read a lot this day - now it's all working like expected. :o

Again, a great appliance !

Greets,
Frank

DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 10 Nov 2017 15:37

Hi,

i still have the problem, that spamassassin scans the mail, detects spam. but don't modifies the subject.
Does anybody know a good Mailscanner/Spamassin forum, where i can post my problem ?
(because the EFA works, but i'm to stupid to get it to work like i want)


For example:
  • Code: Select all

    X-MailScanner-MW24MAILGATE-Information: Please contact administrator@domaene.de for more information
    X-MailScanner-MW24MAILGATE-ID: F1A04100395.A4890
    X-MailScanner-MW24MAILGATE: Found to be clean
    X-MailScanner-MW24MAILGATE-SpamCheck: not spam (whitelisted),
    SpamAssassin (score=7.586, required 6, AWL 3.89, BODY_EMPTY 2.00,
    FREEMAIL_FROM 0.00, HTML_MIME_NO_HTML_TAG 0.64,
    KB_WAM_FROM_NAME_SINGLEWORD 0.20, MIME_HTML_ONLY 1.10,
    PYZOR_CHECK 1.98, RCVD_IN_DNSWL_LOW -0.70, RCVD_IN_MSPIKE_H2 -2.80,
    RDNS_NONE 1.27, TO_NO_BRKTS_NORDNS_HTML 0.00)
    X-MailScanner-MW24MAILGATE-From: user@web.de
    X-Spam-Status: Not recognized as Spam by MW24MailGate
The mail i receive isn't marked - i tried to configure the whitelist / blacklist, so that every mail should be scanned except domains on the whitelist - with no luck.

Greedies,
Frank

User avatar
shawniverson
Posts: 2432
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA
Contact:

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by shawniverson » 12 Nov 2017 11:18

You want subject modified? Check out /etc/MailScanner/MailScanner.conf:

Code: Select all

# If the message is spam, do you want to modify the subject line?
# This can be 1 of 4 values:
#      no    = Do not modify the subject line, or
#      start = Add text to the start of the subject line, or
#      yes   = Add text to the start of the subject line, or
#      end   = Add text to the end of the subject line.
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Spam Modify Subject = start

# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# The exact string "_SCORE_" will be replaced by the numeric
# SpamAssassin score.
# The exact string "_STARS_" will be replaced by a row of stars
# whose length is the SpamAssassin score.
# This can also be the filename of a ruleset.
Spam Subject Text = {Spam?}

Version 3.0.2.5 released! Update now to keep your eFa secure!

DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 13 Nov 2017 08:31

Hi,

i have already checked this:

Code: Select all

# If the message is spam, do you want to modify the subject line?
# This can be 1 of 4 values:
#      no    = Do not modify the subject line, or
#      start = Add text to the start of the subject line, or
#      yes   = Add text to the start of the subject line, or
#      end   = Add text to the end of the subject line.
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Spam Modify Subject = start

# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# The exact string "_SCORE_" will be replaced by the numeric
# SpamAssassin score.
# The exact string "_STARS_" will be replaced by a row of stars
# whose length is the SpamAssassin score.
# This can also be the filename of a ruleset.
Spam Subject Text = {***MW24MAILGATE - SPAM DETECTED***}
This is the whole mailscanner.conf i actually use -> http://www.elektro-musswessels.de/downl ... anner.conf
I don't know, why virus mails are modified - spam mails are not.

LG
Frank

DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 13 Nov 2017 09:14

I also edited /etc/mail/spamassassin/local.cf like i found here: https://www.lifewire.com/spamassassin-m ... am-1166252


LG
Frank


DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 14 Nov 2017 12:56

Hi guys,

finally i got it - i have to read the earlier post of pdwalker exactly :hand: - he gave the hint to solve my problem.

After readings his post detailed than the last time, i search the /var/log/maillog and got this - all mails from outside are whitelisted and came from localhost: (and a lot of spammails !)

Code: Select all

Nov 12 05:18:26 MW24MailGate MailScanner[19421]: Message 16134100395.AF804 from 127.0.0.1 (anne-marie.w@servicios-limpieza.com) is whitelisted
Nov 12 07:50:23 MW24MailGate MailScanner[18992]: Message 16149100395.A9AC2 from 127.0.0.1 (hagan.g@ssemenov.com.ua) is whitelisted
Nov 12 09:48:28 MW24MailGate MailScanner[19408]: Message 5F16E100395.A546A from 127.0.0.1 (hannelore.a@bihaberimvar.com) is whitelisted
Nov 12 10:00:27 MW24MailGate MailScanner[32506]: Message 5E0A5100395.A4A05 from 127.0.0.1 (norbertf@pontis.media.hu) is whitelisted
Nov 12 11:20:26 MW24MailGate MailScanner[32506]: Message EEFE6100395.AF265 from 127.0.0.1 (vreni.m@moreshin.com.ua) is whitelisted
Nov 12 12:16:28 MW24MailGate MailScanner[32506]: Message 38609100395.ABC57 from 127.0.0.1 (betlinde.b@puer.hk) is whitelisted
Nov 12 12:48:29 MW24MailGate MailScanner[8214]: Message DB3D1100395.AF257 from 127.0.0.1 (admin@juju.co.ke) is whitelisted
Nov 12 13:02:30 MW24MailGate MailScanner[19421]: Message C3B99100395.A7A95 from 127.0.0.1 (return-a221-48670-48711-ced9760b=117015768=8@mail.bio-gurus.de) is whitelisted
Nov 12 13:22:27 MW24MailGate MailScanner[8071]: Message CD6AA100395.AE31A from 127.0.0.1 (hgrewal@renegade83.com) is whitelisted
Nov 12 14:18:24 MW24MailGate MailScanner[5046]: Message 0E7C3100395.A7BD9 from 127.0.0.1 (frank.oehmke@oehmke-familie.de) is whitelisted
Nov 12 14:30:25 MW24MailGate MailScanner[8071]: Message 07D63100395.A51D8 from 127.0.0.1 (frank.oehmke@oehmke-familie.de) is whitelisted
Nov 12 14:42:28 MW24MailGate MailScanner[5046]: Message 34E4E100395.ACB42 from 127.0.0.1 (verena.k@benisonbabies.com) is whitelisted
Nov 12 17:34:24 MW24MailGate MailScanner[63342]: Message 2B668100395.AC357 from 127.0.0.1 (radulf.w@1253redmountainranchroad.com) is whitelisted
Nov 12 18:02:23 MW24MailGate MailScanner[8071]: Message A3B44100395.AC9B1 from 127.0.0.1 (dieter.h@teszt.mme.hu) is whitelisted
Nov 12 18:56:24 MW24MailGate MailScanner[19066]: Message 12FB2100395.AFF9C from 127.0.0.1 (wilda.a@fiorenzatoimpianti.it) is whitelisted
Nov 12 20:18:24 MW24MailGate MailScanner[5355]: Message F18A7100395.A8361 from 127.0.0.1 (velten.m@chinaninecontinent.com) is whitelisted
Nov 12 21:56:24 MW24MailGate MailScanner[33480]: Message A09DE100395.A9BDC from 127.0.0.1 (karl.a@design4india.in) is whitelisted
Nov 12 22:16:25 MW24MailGate MailScanner[64297]: Message 6D1AF100395.A65CA from 127.0.0.1 (info@send-mail05.trade) is whitelisted
Nov 12 23:16:26 MW24MailGate MailScanner[58141]: Message 93BB3100395.AC56E from 127.0.0.1 (ottoline.t@repairitshop.nl) is whitelisted
Nov 13 00:34:26 MW24MailGate MailScanner[16651]: Message 46D42100395.AED76 from 127.0.0.1 (zelda.a@lajm.tv) is whitelisted
Nov 13 02:16:27 MW24MailGate MailScanner[21492]: Message BBE0B100395.A8E41 from 127.0.0.1 (wilbert.f@accionistasbyc.es) is whitelisted
Nov 13 04:20:26 MW24MailGate MailScanner[62824]: Message 21110100397.AEE3A from 127.0.0.1 (zakaz@uwc.kz) is whitelisted
Nov 13 04:20:31 MW24MailGate MailScanner[62824]: Message B0AD4100395.A29CC from 127.0.0.1 (joe.ho@shin-communications.com) is whitelisted
Nov 13 05:50:25 MW24MailGate MailScanner[62824]: Message 662BD100395.A50BE from 127.0.0.1 (hadwigis.r@gerardvinarmusic.com.au) is whitelisted
Nov 13 06:52:25 MW24MailGate MailScanner[23747]: Message A2F44100395.A5E0A from 127.0.0.1 (support@hausmannwynen.de) is whitelisted
Nov 13 07:32:24 MW24MailGate MailScanner[23747]: Message 2A05F100395.ABA70 from 127.0.0.1 (gunda.e@ebook4full.com) is whitelisted
Nov 13 08:02:26 MW24MailGate MailScanner[62811]: Message 4AD47100395.AA8B5 from 127.0.0.1 (bounce+30767@bounce.crsend.com) is whitelisted
Nov 13 08:17:40 MW24MailGate MailScanner[62469]: Message 8916A100395.A498B from 127.0.0.1 (frank.oehmke@web.de) is whitelisted
Nov 13 08:19:57 MW24MailGate MailScanner[54585]: Message 84652100395.A4696 from 127.0.0.1 (frank.oehmke@web.de) is whitelisted

I was wondering :doh: what causes this - yesterday i experimented with the whitelist with no success. Today i was thinking about the way i receive my mails: not through MX Record of your domain but via fetchmail - which causes that all mails are accepted via localhost (127.0.0.1) and whitelisted.

Now i changed my origin ./fetchmailrc

Code: Select all

poll <PROVIDER> proto pop3 user user@domain.de password <PASSWORD> is user@domain.de ssl
(which connects the EFA Server via localhost !) into

Code: Select all

poll <PROVIDER> proto pop3 user user@domain.de password <PASSWORD> is user@domain.de ssl smtphost <NAMEOFTHEEFAPROJECTSERVER.domain.de>/25



Voila:

Code: Select all

Nov 14 13:23:02 MW24MailGate postfix/smtpd[50641]: connect from MW24MailGate.w2k.local[193.168.0.202]
Nov 14 13:23:02 MW24MailGate sqlgrey: grey: new: 193.168.0(193.168.0.202), user@gmx.de -> user@elektro-musswessels.de
Nov 14 13:23:02 MW24MailGate postfix/smtpd[50641]: NOQUEUE: reject: RCPT from MW24MailGate.w2k.local[193.168.0.202]: 451 4.7.1 <user@elektro-musswessels.de>: Recipient address rejected: Greylisted for 5 minutes; from=<user@gmx.de> to=<user@elektro-musswessels.de> proto=ESMTP helo=<MW24MailGate.w2k.local>
Nov 14 13:23:02 MW24MailGate postfix/smtpd[50641]: disconnect from MW24MailGate.w2k.local[193.168.0.202] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
Nov 14 13:24:02 MW24MailGate postfix/smtpd[50641]: connect from MW24MailGate.w2k.local[193.168.0.202]
Nov 14 13:24:02 MW24MailGate sqlgrey: grey: early reconnect: 193.168.0(193.168.0.202), user@gmx.de -> user@elektro-musswessels.de
.
-
-
Nov 14 13:30:02 MW24MailGate postfix/smtpd[52068]: connect from MW24MailGate.w2k.local[193.168.0.202]
Nov 14 13:30:02 MW24MailGate sqlgrey: grey: reconnect ok: 193.168.0(193.168.0.202), user@gmx.de -> user@elektro-musswessels.de (00:07:00)
Nov 14 13:30:02 MW24MailGate sqlgrey: grey: from awl: 193.168.0, user@gmx.de added
Nov 14 13:30:02 MW24MailGate postfix/smtpd[52068]: 8DBF61003A1: client=MW24MailGate.w2k.local[193.168.0.202]
Nov 14 13:30:02 MW24MailGate postfix/cleanup[52074]: 8DBF61003A1: hold: header Received: from MW24MailGate.w2k.local (MW24MailGate.w2k.local [193.168.0.202])??by MW24MailGate.w2k.local (Postfix) with ESMTP id 8DBF61003A1??for <wodzinski@elektro-musswessels.de>; Tue, 14 Nov 2017  from MW24MailGate.w2k.local[193.168.0.202]; from=<user@gmx.de> to=<user@elektro-musswessels.de> proto=ESMTP helo=<MW24MailGate.w2k.local>
Nov 14 13:30:02 MW24MailGate postfix/cleanup[52074]: 8DBF61003A1: message-id=<trinity-213b3e34-c0dd-47d9-8cb7-80026b8a9157-1510662120322@msvc-mesg-gmx018>
Nov 14 13:30:02 MW24MailGate postfix/smtpd[52068]: disconnect from MW24MailGate.w2k.local[193.168.0.202] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 14 13:30:03 MW24MailGate MailScanner[37932]: New Batch: Scanning 1 messages, 200514 bytes
Nov 14 13:30:03 MW24MailGate MailScanner[37932]: Virus and Content Scanning: Starting
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: Spam Checks: Starting
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Whitelist refresh time reached
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Starting up MailWatch SQL Whitelist
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Read 1 whitelist entries
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Blacklist refresh time reached
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Starting up MailWatch SQL Blacklist
Nov 14 13:30:25 MW24MailGate MailScanner[37932]: MailWatch: Read 0 blacklist entries
Nov 14 13:30:33 MW24MailGate MailScanner[37932]: Requeue: 8DBF61003A1.A72F2 to 777861003A2
Nov 14 13:30:33 MW24MailGate MailScanner[37932]: Uninfected: Delivered 1 messages
Nov 14 13:30:33 MW24MailGate postfix/qmgr[2575]: 777861003A2: from=<user@gmx.de>, size=199759, nrcpt=1 (queue active)
Nov 14 13:30:33 MW24MailGate MailScanner[37932]: Deleted 1 messages from processing-database
Nov 14 13:30:33 MW24MailGate MailScanner[37932]: MailWatch: Logging message 8DBF61003A1.A72F2 to SQL
Nov 14 13:30:33 MW24MailGate postfix/smtp[52371]: 777861003A2: to=<user@elektro-musswessels.de>, relay=193.168.0.250[193.168.0.250]:25, delay=31, delays=31/0.01/0/0.22, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Nov 14 13:30:33 MW24MailGate postfix/qmgr[2575]: 777861003A2: removed
Now i have to look to reduce the greylisting delay - i think 5 minutes are too long. :o

Thx !
Frank

User avatar
pdwalker
Posts: 849
Joined: 18 Mar 2015 09:16

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by pdwalker » 15 Nov 2017 05:00

Glad my hint was able to help you find your problem. When people have such different configurations, it's hard to know exactly what the problem they might be having actually is.
DeRaptor wrote:
14 Nov 2017 12:56
Now i have to look to reduce the greylisting delay - i think 5 minutes are too long.
I wouldn't worry about it. Greylisting will not always delay the mail by 5 minutes. As time goes on, mailscanner will build up a database of valid senders/sending mail servers that it won't greylist. Until it does, every one gets greylisted until they prove they are not spammers (and this all happens automatically).

I found it annoying at first, but after a time, the important senders got their mail through immediately.

(Yesterday, someone was concerned about the mail being slow to deliver. When I checked the logs, the messages in question took a grand total of 26 seconds from leaving their mail client, passing through our mail server provider antispam service (4 seconds), and into our efa system (3) seconds and then a 19 second delay while the message was requeued for final delivery - not really a problem at all, is it?)

DeRaptor
Posts: 9
Joined: 25 Oct 2017 15:47

Re: 2 Problems: Spamassasin not working / Postfix tries connection to false servers

Post by DeRaptor » 15 Nov 2017 09:59

Hey,

after inspecting it i take the default settings - only 5 minutes if a sender is new - acceptable.

LG
Frank

Post Reply