SPF and Client IP in SpamHaus

conceptid
Posts: 5
Joined: 11 Jul 2015 19:38
Location: Sherbrooke, QC, Canada

SPF and Client IP in SpamHaus

Post by conceptid » 11 Jan 2022 00:50

Hi,

A user is registered to log on to EFA to send email (remote SMTP). EFA is efa.domainA.ca. The user sends email with user@domaineB.ca.

If I look at the spam rules applied to each email, I have some problems with high spam scores... One of the rules is "spf fail". But... the domainB DNS has a TXT record with SPF and "a:efa.domaineB.ca".

What did I miss?

Another problem is that spam scores increase by 3.33 for an authenticated user IP in SpamHaus PBL... But I don't understand, it's a public home router IP (he is behind a NAT) and he is sending from Outlook (or Thunderbird, no difference) to EFA directly. The sender IP shouldn't have an impact... it's not an SMTP relay...

Last thing, if the user uses Outlook, a rule for the Outlook header appears...

This is the list of all rules applied...

Code:

-1.90  BAYES_00                  Bayes spam probability is 0 to 1%
 1.10  DCC_CHECK                 Detected as bulk mail by DCC (dcc-servers.net)
 2.84  DOS_OUTLOOK_TO_MX         Delivered direct to MX with Outlook headers
 0.00  DYN_RDNS_SHORT_HELO_HTML  Sent by dynamic rDNS, short HELO, and HTML
 1.57  FSL_BULK_SIG              Bulk signature with no Unsubscribe
 0.00  FSL_HELO_NON_FQDN_1
 0.00  HELO_NO_DOMAIN            Relay reports its domain incorrectly
 1.40  HTML_IMAGE_ONLY_28        HTML: images with 2400-2800 bytes of words
 0.00  HTML_MESSAGE              HTML included in message
 0.40  KHOP_HELO_FCRDNS          Relay HELO differs from its IP's reverse DNS
 0.00  PDS_RDNS_DYNAMIC_FP       RDNS_DYNAMIC with FP steps
 3.33  RCVD_IN_PBL               Received via a relay in Spamhaus PBL
 0.00  RCVD_IN_SORBS_DUL         SORBS: sent directly from dynamic IP address
 0.98  RDNS_DYNAMIC              Delivered to internal network by host with dynamic-looking rDNS
 0.67  SPF_SOFTFAIL              SPF: sender does not match SPF record (softfail)
-1.86  TXREP                     Score normalizing based on sender's reputation
 0.01  T_REMOTE_IMAGE            Message contains an external image

Also, I would like all authenticated users using EFA for SMTP to pass free of all spam rules... without whitelisting email addresses (if I do that, spoofing will be possible). Possible to do that? How?

Something to fix here? (I am not sure I understand perfectly what this does...)

Code:

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_unverified_recipient

These files are empty:

[conceptid@efa postfix]$ ls -al *access
-rw-r--r--. 1 root root 21519 Apr 9 2020 access
-rw-r--r--. 1 root root 0 Apr 9 2020 helo_access
-rw-r--r--. 1 root root 0 Apr 9 2020 recipient_access
-rw-r--r--. 1 root root 0 Apr 9 2020 sender_access


Thanks.
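
An added example, not part of the original post: a short Python script that parses the rule report from the post above and separates the score contributed by rules that judge the connecting client from the score contributed by everything else. The grouping by rule-name pattern (`CLIENT_RULE`) is this example's own assumption, not a SpamAssassin classification.

```python
import re
from decimal import Decimal

# Rule report from the post above, whitespace normalised.
REPORT = """\
-1.90 BAYES_00 Bayes spam probability is 0 to 1%
1.10 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
2.84 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
0.00 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
1.57 FSL_BULK_SIG Bulk signature with no Unsubscribe
0.00 FSL_HELO_NON_FQDN_1
0.00 HELO_NO_DOMAIN Relay reports its domain incorrectly
1.40 HTML_IMAGE_ONLY_28 HTML: images with 2400-2800 bytes of words
0.00 HTML_MESSAGE HTML included in message
0.40 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
0.00 PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
3.33 RCVD_IN_PBL Received via a relay in Spamhaus PBL
0.00 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
0.98 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
0.67 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
-1.86 TXREP Score normalizing based on sender's reputation
0.01 T_REMOTE_IMAGE Message contains an external image
"""

# Assumed grouping (this example's, not SpamAssassin's): rule names that
# judge the connecting client (IP lists, rDNS, HELO, SPF, direct-to-MX).
CLIENT_RULE = re.compile(r"^RCVD_IN_|RDNS|HELO|^SPF_|_TO_MX$")

def split_scores(text):
    """Return (client_total, other_total, names of scoring client rules)."""
    client, other, hits = Decimal(0), Decimal(0), []
    for line in text.splitlines():
        fields = line.split(None, 2)  # score, rule name, optional description
        if len(fields) < 2:
            continue
        score, name = Decimal(fields[0]), fields[1]
        if CLIENT_RULE.search(name):
            client += score
            if score:
                hits.append(name)
        else:
            other += score
    return client, other, hits

if __name__ == "__main__":
    client, other, hits = split_scores(REPORT)
    print(f"client-origin rules: {client}   all other rules: {other}")
    print("scoring client-origin rules:", ", ".join(hits))
```

On the report from the post, 8.22 of the 8.54 total points come from rules that judge the submitting client rather than the message content.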

shawniverson
Posts: 3530
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SPF and Client IP in SpamHaus

Post by shawniverson » 12 Jan 2022 14:49

Take a look at /etc/MailScanner/MailScanner.conf:

Code:

# Postfix/Exim only: (yes/no)
# If an user sends a mails after authenticating to the local mta
# this option disables the rbl checks if set to "yes". If set to "no" or not
# defined the rbl check will be executed even when the user is authenticated.
Spam List Skip If Authenticated = yes

conceptid
Posts: 5
Joined: 11 Jul 2015 19:38
Location: Sherbrooke, QC, Canada

Re: SPF and Client IP in SpamHaus

Post by conceptid » 17 Jan 2022 19:10

Thanks a lot! You are very nice.

I think it works now, I removed the RBL check for auth users.

Now, what about this one for auth users?

0.67 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

and this one when a user uses Outlook to send (auth) with EFA:

2.84 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers

conceptid
Posts: 5
Joined: 11 Jul 2015 19:38
Location: Sherbrooke, QC, Canada

Re: SPF and Client IP in SpamHaus

Post by conceptid » 17 Jan 2022 22:05

Spam List Skip If Authenticated = yes

Didn't work for a certain user using Outlook to send with Avast on the desktop... Spamhaus is checked... IP is blacklisted... and spam score is too high.

conceptid
Posts: 5
Joined: 11 Jul 2015 19:38
Location: Sherbrooke, QC, Canada

Re: SPF and Client IP in SpamHaus

Post by conceptid » 19 Jan 2022 12:57

shawniverson wrote: 12 Jan 2022 14:49
Take a look at /etc/MailScanner/MailScanner.conf:

Code:

# Postfix/Exim only: (yes/no)
# If an user sends a mails after authenticating to the local mta
# this option disables the rbl checks if set to "yes". If set to "no" or not
# defined the rbl check will be executed even when the user is authenticated.
Spam List Skip If Authenticated = yes

Didn't work, seems to have no effect.
Yes, I restarted MailScanner and I also rebooted the VM...

shawniverson
Posts: 3530
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SPF and Client IP in SpamHaus

Post by shawniverson » 23 Jan 2022 17:06

What is your version of MailScanner currently?

Code:

rpm -qa | grep MailScanner
