efa-project.org

Okay,

So I am trying to get rid of a header from my bSMTP provider.
This will eventually take care of SPF_FAIL and other added spam scores to the message when it actually isn't spam.

As an example(!) I added this rule in /etc/postfix/header_checks

/^Received:\ from\ mx01.shosted.com\ \(smtp01.shosted.com\ \[21.14.21.111\]\)/ IGNORE

Even did a simplified version trying to prevent any regular expression errors

/^Received:\ from\ mx01.shosted.com/ IGNORE

Did a postfix reload, did even do a reboot.

But I still see message header in mailwatch webpage showing the exact header which I try to remove.
Am I missing something?

Maybe your search string is the issue. Do you have an example of a real header?

You may wish to use the WARN or INFO actions and see if your rule is being triggered correctly. Or even use PREPEND to add a header - just to see if it is working correctly for you.

This is an example of a real header. (all but the addresses)

I don't know much about postfix (I'm just a MS guy (but all servers are linux at home anyway lol) ) so what about WARN or INFO?
Is that something to trigger the logs?

Received: from mx03.bhosted.nl (smtp21.bhosted.nl [94.124.121.33])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(no client certificate requested)
by mailgtw.e-d-i-t.nl (MailScanner Milter) with SMTP id 49jY2W6MGjz52w3N
for <me@mydomain.nl>; Thu, 11 Jun 2020 20:55:15 +0200 (CEST)
X-Spam-Status: DKIM_SIGNED=0.1 DKIM_VALID=-0.1 DKIM_VALID_AU=-0.1
DKIM_VALID_EF=-0.1 HTML_FONT_LOW_CONTRAST=0.001 HTML_MESSAGE=0.001
RCVD_IN_MSPIKE_H3=0.001 RCVD_IN_MSPIKE_WL=0.001 SPF_HELO_NONE=0.001
SPF_PASS=-0.001 T_REMOTE_IMAGE=0.01 URIBL_BLOCKED=0.001
X-Spam-Score: Whitelisted
X-Spam-Filter: 0
X-Spam-ID: 13c3d0c5-ac15-11ea-bcf0-0050569d11ae
Received: from outbyoip13.pod18.euc1.zdsys.com (outbyoip13.pod18.euc1.zdsys.com [188.172.138.13])
by mx03.bhosted.nl (Halon) with ESMTPS
id 13c3d0c5-ac15-11ea-bcf0-0050569d11ae;
Thu, 11 Jun 2020 20:55:11 +0200 (CEST)
Received: from zendesk.com (unknown [10.218.217.198])
by outbyoip13.pod18.euc1.zdsys.com (Postfix) with ESMTP id 49jY2R1hVsz3hhTS
for <me@mydomain.nl>; Thu, 11 Jun 2020 18:55:11 +0000 (UTC)
Date: Thu, 11 Jun 2020 18:55:11 +0000
From: "Helpdesk" <helpdesk@provider.nl>
Reply-To: "Helpdesk" <helpdesk@provider.nl>
To: Info <me@mydomain.nl>
Message-ID: <YD600KPZXK_5ee27e0f88c5_6468e5c08513f_sprut@zendesk.com>
In-Reply-To: <YD600KPZXK@zendesk.com>
Subject: [bHosted] SPF ?...
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5ee27e0f2f553_6468e5c085281";
charset=utf-8
Content-Transfer-Encoding: 7bit
X-Delivery-Context: event-id-579259140420
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: 3c1e32a
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bhosted.nl;
q=dns/txt; s=zendesk1; t=1591901711;
bh=7HMbgYTrgEBGgtIZS9adsoAycThqsEMVWQqFkyixAOg=;
h=date:from:reply-to:to:message-id:in-reply-to:subject:mime-version:content-type:content-transfer-encoding;
b=cIrlF0D+eoOPRrGx8qO+UzaHe5SxwaxnTWZL3sBKHjuiz4ECDIIApIlFBWp5sTYFHPXNkO5yNF0a2H0/m7ygq+qve3DO3wfnQkw7Wceh4ONWe0Z6Ol/JjZe+Ve0zfUaSj/6ejrJOSPELynjqgS8seydqqNYillg1ucy80tCGyuzp0eYnLiAyMfn6IpgHfgBtj1nz1TfWEsntuB1V5mnJMcUMAC8n31VIFUCvPz+96GBQ1hasoQGmgf7ceYrRsz781orCyWpbcSu9JsC/OSmDS3KSQwhMyopOYdefieXYyP6XgO2YRsB3AYSKWwYSw6gPk6YmYEjAqaePrScTEAxD5g==

Found out about WARN. Thanks!

Jun 12 12:30:07 mailgtw postfix/cleanup[8742]: 49jxnC1STHz52w32: warning: header Received: from mx01.bsmtpprovider.nl (smtp01.bsmtpprovider.nl [94.124.121.11])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by mygtw.mydomain.nl (Po from smtp01.bsmtpprovider.nl[94.124.121.11]; from=<someoneexternal@faraway.nl> to=<my@domain.nl> proto=ESMTP helo=<mx01.bsmtpprovider.nl>: headerchecktest

So it seems to trigger the rule, but my IGNORE statement didn't prevent it from showing in the header info and actually it is still being processed by the spamfilter adding scores for SPF_FAIL or SPF_SOFTFAIL

I wonder if STRIP might work?

No it remains prety much the same. It now states strip: instead of ignore: in the logs

Fun fact: Looking at the headers in my received e-mail, it is actually gone!!
But in Mailwatch, it is shown and therefore cannot be acted upon

So it is probably a process-order of some kind.

2 things that popup during search on Google:
Make a temp postfix queue, let it be cleaned and send it back to postfix (Nah, too difficult and altering EFA too much for succesfull updates)
Alter the Spam Assasin Score for SPF_FAIL and SPF_SOFTFAIL (Might just do that if it can't be fixed with header_checks)



Here's a (somewhat anonymised) copy of the log.


Jun 12 15:06:23 mailgtw postfix/smtpd[32244]: connect from smtp21.bsmtpprovider.nl[12.345.678.33]
Jun 12 15:06:23 mailgtw postfix/smtpd[32244]: Anonymous TLS connection established from smtp21.bsmtpprovider.nl[12.345.678.33]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 12 15:06:24 mailgtw postfix/smtpd[32244]: 49k1FX3BRdz52w39: client=smtp21.bsmtpprovider.nl[12.345.678.33]
Jun 12 15:06:24 mailgtw postfix/cleanup[32406]: 49k1FX3BRdz52w39: strip: header Received: from mx03.bsmtpprovider.nl (smtp21.bsmtpprovider.nl [12.345.678.33])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by mailgtw.e-d-i-t.nl (Po from smtp21.bsmtpprovider.nl[12.345.678.33]; from=<me@somewhereelse.nl> to=<me@home.nl> proto=ESMTP helo=<mx03.bsmtpprovider.nl>: stripheader
Jun 12 15:06:24 mailgtw postfix/cleanup[32406]: 49k1FX3BRdz52w39: message-id=<AM0PR10MB2849FC649028D71EC847BDBFAC810@AM0PR10MB2849.EURPRD10.PROD.OUTLOOK.COM>
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Whitelist refresh time reached
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Starting up MailWatch SQL Whitelist
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Read 29 whitelist entries
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Blacklist refresh time reached
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Starting up MailWatch SQL Blacklist
Jun 12 15:06:26 mailgtw MSMilter[32404]: MailWatch: Read 16 blacklist entries
Jun 12 15:06:27 mailgtw postfix/cleanup[32406]: 49k1FX3BRdz52w39: milter-discard: END-OF-MESSAGE from smtp21.bsmtpprovider.nl[12.345.678.33]: milter triggers DISCARD action; from=<me@somewhereelse.nl> to=<me@home.nl> proto=ESMTP helo=<mx03.bsmtpprovider.nl>
Jun 12 15:06:27 mailgtw postfix/smtpd[32244]: disconnect from smtp21.bsmtpprovider.nl[12.345.678.33] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 12 15:06:28 mailgtw MailScanner[23382]: New Batch: Scanning 1 messages, 49671 bytes
Jun 12 15:06:28 mailgtw MailScanner[23382]: Virus and Content Scanning: Starting
Jun 12 15:06:28 mailgtw MailScanner[23382]: <A> tag found in message 49k1FX3BRdz52w39 from me@somewhereelse.nl
Jun 12 15:06:28 mailgtw MailScanner[23382]: HTML Img tag found in message 49k1FX3BRdz52w39 from me@somewhereelse.nl
Jun 12 15:06:28 mailgtw MailScanner[23382]: Spam Checks: Starting
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Whitelist refresh time reached
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Starting up MailWatch SQL Whitelist
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Read 29 whitelist entries
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Blacklist refresh time reached
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Starting up MailWatch SQL Blacklist
Jun 12 15:06:28 mailgtw MailScanner[23382]: MailWatch: Read 16 blacklist entries
Jun 12 15:06:34 mailgtw postfix/smtpd[32244]: connect from unknown[192.168.10.50]
Jun 12 15:06:34 mailgtw postfix/smtpd[32244]: disconnect from unknown[192.168.10.50] ehlo=1 quit=1 commands=2
Jun 12 15:06:35 mailgtw MailScanner[32437]: Found phishing fraud from https://www.covidopstart.nl/c-19/nl-NL/ ... gn=veenman claiming to be www.veenman.nl in 49k1FX3BRdz52w39
Jun 12 15:06:35 mailgtw MailScanner[23382]: Content Checks: Detected and have disarmed phishing tags in HTML message in 49k1FX3BRdz52w39 from me@somewhereelse.nl
Jun 12 15:06:35 mailgtw MailScanner[23382]: Requeue: 49k1FX3BRdz52w39 to 49k1Fl25F6zs4Pj
Jun 12 15:06:35 mailgtw postfix/qmqpd[32439]: connect from localhost[127.0.0.1]
Jun 12 15:06:35 mailgtw postfix/qmqpd[32439]: 49k1Fl27Ryz52w39: client=localhost[127.0.0.1]
Jun 12 15:06:35 mailgtw postfix/cleanup[32406]: 49k1Fl27Ryz52w39: strip: header Received: from mx03.bsmtpprovider.nl (smtp21.bsmtpprovider.nl [12.345.678.33])? (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))? (no client certificate requested)? by m from localhost[127.0.0.1]; from=<me@somewhereelse.nl> to=<me@home.nl> proto=QMQP: stripheader
Jun 12 15:06:35 mailgtw postfix/cleanup[32406]: 49k1Fl27Ryz52w39: message-id=<AM0PR10MB2849FC649028D71EC847BDBFAC810@AM0PR10MB2849.EURPRD10.PROD.OUTLOOK.COM>
Jun 12 15:06:35 mailgtw postfix/qmqpd[32439]: disconnect from localhost[127.0.0.1]
Jun 12 15:06:35 mailgtw postfix/qmgr[32021]: 49k1Fl27Ryz52w39: from=<me@somewhereelse.nl>, size=50187, nrcpt=1 (queue active)
Jun 12 15:06:35 mailgtw MailScanner[23382]: Uninfected: Delivered 1 messages
Jun 12 15:06:35 mailgtw MailScanner[23382]: Deleted 1 messages from processing-database
Jun 12 15:06:35 mailgtw MailScanner[23382]: MailWatch: Logging message 49k1FX3BRdz52w39 to SQL
Jun 12 15:06:35 mailgtw MailScanner[30442]: MailWatch: 49k1FX3BRdz52w39: Logged to MailWatch SQL
Jun 12 15:06:35 mailgtw postfix/smtp[32440]: 49k1Fl27Ryz52w39: to=<me@home.nl>, relay=192.168.10.65[192.168.10.65]:25, delay=0.07, delays=0.01/0.01/0.02/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 57043E4005E)
Jun 12 15:06:35 mailgtw postfix/qmgr[32021]: 49k1Fl27Ryz52w39: removed

EFA does use mailscanner right?

https://www.mailscanner.info/postfix/

Because it seems to be a bit different than explained at their website.

I don't have the /^Recieved/ HOLD action in the header_checks file.

Well, tried the HOLD but that doesn't work (setup is clearly different from other mailscanner setups it seems)

I see that we have a "Milter" queu as well, so looks like the header_checks might be done after mailscanner...

So we need to alter the scores of spamassassin.

Made a new z_MyConfig.cf in /etc/mail/spamassassin

Tried some things, but basically these two SPF checks keep remaining their original value.

1.00 FORGED_SPF_HELO
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)

Any way to set them lower? Or even zero as I am stucked with the bSMTP server until my home-provider will allow port 25 and RBL's won't list me as "Dynamic IP user thus illegal"....

Found it.

score FORGED_SPF_HELO 0.01
score SPF_SOFTFAIL 0.01
score SPF_FAIL 0.01

After a reboot it now works.