Hello everyone. I installed and configured the mail server this summer (Debian 9.6, postfix + dovecot + mysql + amavis-new + spamassassin) following the manual on the howtoforge website.

SSL - mark A+ on ssllabs
SPF - "v=spf1 a mx include:MX.MYDOMAIN.LTD -all"
DMARC - valid
DKIM - signed, valid

Everything works as expected: relaying is prohibited, incoming and outgoing emails are copied to the archive.

Recently emails like the following began to arrive:

from: [email protected]
To: [email protected]

In fact it was not users, but spammers. I fixed that problem, but last week spam letters began to arrive with an UNCHECKED mark in the subject and with a RAR archive attachment. I thought that amavis-new or spamassassin was crashing, but no, everything is fine; they are alive with no errors in the logs. I am also confused by the fact that there are several "Received: from" headers inside the letters, one of which is 127.0.0.1 (maybe that's why spamassassin is not responding to them), and the second (and sometimes third) headers have the real address of the sending server. Maybe the log file and one of the email bodies will help to understand what's going on and how to fix it?
Email body:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
	by MX.MYDOMAIN.LTD (Postfix) with ESMTP id 635277D99F
	for <[email protected]>; Tue, 13 Nov 2018 12:09:19 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at MX.MYDOMAIN.LTD
X-Spam-Flag: NO
X-Spam-Score: 1.672
X-Spam-Level: *
X-Spam-Status: No, score=1.672 tagged_above=1 required=5.25
	tests=[DEAR_SOMETHING=1.731, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MISSING_MID=0.14, URIBL_BLOCKED=0.001]
	autolearn=no autolearn_force=no
Authentication-Results: MX.MYDOMAIN.LTD (amavisd-new); dkim=pass (2048-bit key) header.d=cescorp.ph
Received: from MX.MYDOMAIN.LTD ([127.0.0.1])
	by localhost (MX.MYDOMAIN.LTD [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id iNCo-ONE1yhX for <[email protected]>; Tue, 13 Nov 2018 12:09:18 +0200 (EET)
Received: from server.phildns.com (server.phildns.com [138.128.189.218])
	by MX.MYDOMAIN.LTD (Postfix) with ESMTPS id ECE037D50B
	for <[email protected]>; Tue, 13 Nov 2018 12:09:15 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cescorp.ph; s=default;
	h=Date:From:To:Subject:MIME-Version:Content-Type:Sender:Reply-To:
	Message-ID:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
	List-Post:List-Owner:List-Archive;
	bh=UrwN+grjG/GAORanT0bQ7ycKzbPNNTEoIFhcOU8nLno=;
	b=HVQvJaKxgCVQzgZIil28ZYSuAs
	cyrAFTucOTvbM1gXZEhAK6jOipz+hCpg6QOdEyHrQfmXl8E2Cj67Az8j9zNyKBMbl32hLDWH7ZyA2
	aHt57TAXjkGlA5UWNmi+I6dm1SjcVY5Ndb9arKB/gErQukkvRhetgOR/VZMqzvI1NqYFJqlkcsu7f
	3HmuCl1TKstkp2m1DBghlRX1TpQYxmmVleOJFC57JXHv+WIfxeAJruf/C3yK5C/3aTiam/fWN5GUN
	Lw9Zi5OoG74kuEyuIimIaiK9v8QkZye0d0pdge3IU5vFLA9p78n4yXEnvRO3i9Z6lnXIjzcUrAad/
	Q22Imb0g==;
Received: from [84.38.130.177] (port=61125 helo=IP-130-177.dataclub.eu)
	by server.phildns.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.91)
	(envelope-from <[email protected]>)
	id 1gMVd4-0004d6-AU; Tue, 13 Nov 2018 05:09:08 -0500
Content-Type: multipart/mixed; boundary="===============1500715244=="
MIME-Version: 1.0
Subject: ***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017
To: Recipients <[email protected]>
From: "Commercial Invoice" <[email protected]>
Date: Tue, 13 Nov 2018 12:08:53 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.phildns.com
X-AntiAbuse: Original Domain - MYDOMAIN.LTD
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cescorp.ph
X-Get-Message-Sender-Via: server.phildns.com: authenticated_id: [email protected]
X-Authenticated-Sender: server.phildns.com: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <[email protected]>

You will not see this in a MIME-aware mail reader.
--===============1500715244==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

Our Ref: - KCS/E/1211/13B/311017

Dear Sir/ Madam,

We have requirement of your commercial offer for the attached list of Items to bid against tender for onward supply to Government of Kuwait. We request you to kindly forward your commercial offer latest by 29 Sept 2017 Please consider this RFQ our formal request for your commercial offer. In case this enquiry is not in area of your interest, you may kindly ignore the same.

With Best Regards,
Mrs. Lisa Lin, PARTNER
APOZA TRADING LLP
Apoza Head Quarters.
P.O. Box 9758 Ahmadi.
61008 Ahmadi, Kuwait
E-MAIL: [email protected]
Web: www.apoza.com.kw
--===============1500715244==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Commercial _Offer_ KCS-311017-pdf.rar"

UmFyIRoHAQBv3GP8DAEFCAAHAQHGgZOAAGSlRjA1AgML+4ATBICkKCBqjBh2gBsAF3NjYW4tMDAw
***cut***
MDAwMDM5OTQtcGRmLmV4ZQoDAkB6HTbletQBHXdWUQMFBAA=
--===============1500715244==--

Log file in first comment...
Log file of receiving this email:

Nov 13 12:09:15 mx postfix/smtpd[9866]: connect from server.phildns.com[138.128.189.218]
Nov 13 12:09:15 mx postfix/smtpd[9866]: NOQUEUE: filter: RCPT from server.phildns.com[138.128.189.218]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.phildns.com>
Nov 13 12:09:15 mx postfix/smtpd[9866]: NOQUEUE: filter: RCPT from server.phildns.com[138.128.189.218]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.phildns.com>
Nov 13 12:09:15 mx postfix/smtpd[9866]: ECE037D50B: client=server.phildns.com[138.128.189.218]
Nov 13 12:09:16 mx postfix/cleanup[12368]: ECE037D50B: message-id=<>
Nov 13 12:09:18 mx postfix/qmgr[2748]: ECE037D50B: from=<[email protected]>, size=429624, nrcpt=1 (queue active)
Nov 13 12:09:18 mx postfix/smtpd[9866]: disconnect from server.phildns.com[138.128.189.218] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 13 12:09:19 mx postfix/smtpd[12378]: connect from localhost[127.0.0.1]
Nov 13 12:09:19 mx postfix/smtpd[12378]: 635277D50F: client=localhost[127.0.0.1]
Nov 13 12:09:19 mx postfix/cleanup[12368]: 635277D50F: message-id=<[email protected]>
Nov 13 12:09:19 mx postfix/qmgr[2748]: 635277D50F: from=<[email protected]>, size=430544, nrcpt=1 (queue active)
Nov 13 12:09:19 mx postfix/smtpd[12378]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 13 12:09:19 mx amavis[1655]: (01655-17) Passed UNCHECKED {RelayedTaggedInbound}, [138.128.189.218]:57614 [84.38.130.177] <[email protected]> -> <[email protected]>, Queue-ID: ECE037D50B, mail_id: iNCo-ONE1yhX, Hits: 1.672, size: 429624, queued_as: 635277D50F, dkim_sd=default:cescorp.ph, 1047 ms
Nov 13 12:09:19 mx postfix/smtp[12374]: ECE037D50B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.7, delays=2.6/0.01/0/1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 635277D50F)
Nov 13 12:09:19 mx postfix/qmgr[2748]: ECE037D50B: removed
Nov 13 12:09:19 mx postfix/pickup[10616]: A75C77D50B: uid=5000 from=<[email protected]>
Nov 13 12:09:19 mx postfix/cleanup[12368]: A75C77D50B: message-id=<[email protected]>
Nov 13 12:09:19 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: forwarded to <[email protected]>
Nov 13 12:09:19 mx postfix/qmgr[2748]: A75C77D50B: from=<[email protected]>, size=430788, nrcpt=1 (queue active)
Nov 13 12:09:19 mx postfix/pickup[10616]: BBC3F7D511: uid=5000 from=<[email protected]>
Nov 13 12:09:19 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: forwarded to <[email protected]>
Nov 13 12:09:19 mx postfix/cleanup[12368]: BBC3F7D511: message-id=<[email protected]>
Nov 13 12:09:19 mx postfix/qmgr[2748]: BBC3F7D511: from=<[email protected]>, size=430788, nrcpt=1 (queue active)
Nov 13 12:09:19 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Nov 13 12:09:19 mx postfix/pipe[12379]: 635277D50F: to=<[email protected]>, relay=dovecot, delay=0.49, delays=0.15/0.03/0/0.31, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 13 12:09:19 mx postfix/qmgr[2748]: 635277D50F: removed
Nov 13 12:09:20 mx postfix/smtpd[12378]: connect from localhost[127.0.0.1]
Nov 13 12:09:20 mx postfix/smtpd[12378]: 795A47D50F: client=localhost[127.0.0.1]
Nov 13 12:09:20 mx postfix/cleanup[12368]: 795A47D50F: message-id=<[email protected]>
Nov 13 12:09:20 mx postfix/qmgr[2748]: 795A47D50F: from=<[email protected]>, size=431227, nrcpt=1 (queue active)
Nov 13 12:09:20 mx postfix/smtpd[12378]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 13 12:09:20 mx amavis[1656]: (01656-17) Passed UNCHECKED {RelayedTaggedInternal}, LOCAL [127.0.0.1] [84.38.130.177] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 7q09PqVl-Ng4, Hits: 1.842, size: 430788, queued_as: 795A47D50F, 838 ms
Nov 13 12:09:20 mx postfix/smtp[12374]: A75C77D50B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.93, delays=0.08/0/0.01/0.84, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 795A47D50F)
Nov 13 12:09:20 mx postfix/qmgr[2748]: A75C77D50B: removed
Nov 13 12:09:20 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Nov 13 12:09:20 mx postfix/pipe[12379]: 795A47D50F: to=<[email protected]>, relay=dovecot, delay=0.12, delays=0.05/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 13 12:09:20 mx postfix/qmgr[2748]: 795A47D50F: removed
Nov 13 12:09:20 mx postfix/smtpd[12378]: connect from localhost[127.0.0.1]
Nov 13 12:09:20 mx postfix/smtpd[12378]: D118D7D50B: client=localhost[127.0.0.1]
Nov 13 12:09:20 mx postfix/cleanup[12368]: D118D7D50B: message-id=<[email protected]>
Nov 13 12:09:20 mx postfix/qmgr[2748]: D118D7D50B: from=<[email protected]>, size=431237, nrcpt=1 (queue active)
Nov 13 12:09:20 mx amavis[1655]: (01655-18) Passed UNCHECKED {RelayedTaggedInternal}, LOCAL [127.0.0.1] [84.38.130.177] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: o8V-e-RWxR_x, Hits: 1.842, size: 430788, queued_as: D118D7D50B, 1076 ms
Nov 13 12:09:20 mx postfix/smtp[12385]: BBC3F7D511: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.13/0.01/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D118D7D50B)
Nov 13 12:09:20 mx postfix/qmgr[2748]: BBC3F7D511: removed
Nov 13 12:09:21 mx postfix/pickup[10616]: 068837D50F: uid=5000 from=<[email protected]>
Nov 13 12:09:21 mx postfix/cleanup[12368]: 068837D50F: message-id=<[email protected]>
Nov 13 12:09:21 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: forwarded to <[email protected]>
Nov 13 12:09:21 mx postfix/qmgr[2748]: 068837D50F: from=<[email protected]>, size=431402, nrcpt=1 (queue active)
Nov 13 12:09:21 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Nov 13 12:09:21 mx postfix/pipe[12379]: D118D7D50B: to=<[email protected]>, relay=dovecot, delay=0.26, delays=0.07/0/0/0.19, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 13 12:09:21 mx postfix/qmgr[2748]: D118D7D50B: removed
Nov 13 12:09:21 mx postfix/smtpd[12397]: connect from localhost[127.0.0.1]
Nov 13 12:09:21 mx postfix/smtpd[12397]: E64A57D50B: client=localhost[127.0.0.1]
Nov 13 12:09:21 mx postfix/cleanup[12368]: E64A57D50B: message-id=<[email protected]>
Nov 13 12:09:22 mx postfix/qmgr[2748]: E64A57D50B: from=<[email protected]>, size=431854, nrcpt=1 (queue active)
Nov 13 12:09:22 mx amavis[1656]: (01656-18) Passed UNCHECKED {RelayedTaggedInternal}, LOCAL [127.0.0.1] [84.38.130.177] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: NRN-zy8mf4Si, Hits: 1.842, size: 431402, queued_as: E64A57D50B, 1360 ms
Nov 13 12:09:22 mx postfix/smtp[12374]: 068837D50F: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=0.11/0/0.01/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E64A57D50B)
Nov 13 12:09:22 mx postfix/qmgr[2748]: 068837D50F: removed
Nov 13 12:09:22 mx dovecot: lda([email protected]): sieve: [email protected] subj=***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017 msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Nov 13 12:09:22 mx postfix/pipe[12379]: E64A57D50B: to=<[email protected]>, relay=dovecot, delay=0.92, delays=0.5/0/0/0.42, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 13 12:09:22 mx postfix/qmgr[2748]: E64A57D50B: removed

According to the mail.log file, the email goes to USER1 and then a copy is sent to MAILARCHIVE and to USER2.

Do you have any ideas what is going on? Why are there several "Received: from" headers? Why are my amavis-new + SpamAssassin not checking this spam email? I'm asking for help because googling and reading manuals did not help me.
So, guys, nobody knows how to help me, not even an admin? Will somebody help me if I buy a 5 euro/month subscription? Is this the real cost of the Linux community?
Install an 'unrar' utility and restart amavis; e.g. in Debian a quick search shows it should be in any of these packages:

unp - unpack (almost) everything with one command
unrar-free - Unarchiver for .rar files
libclamunrar7 - anti-virus utility for Unix - unrar support
unrar - Unarchiver for .rar files (non-free version)

That should allow amavis/clamav to inspect the message (maybe it'll find malware, maybe it won't).

You can require users of your domains to authenticate when sending, which would stop that message from being sent (reject_sender_login_mismatch). There's a checkbox for that in your server config.

It looks like you have a copy set up at the postfix level to the MAILARCHIVE user, and mail copies to USER2 in dovecot; check what is set in the ispconfig mailbox for copying and outgoing bcc, check the mail filters for the user, and also check what you might have for always_bcc or the sender/recipient bcc maps in the postfix config.

> Why are there several "Received: from" headers?

That's normal, they get added by various servers/services along the delivery route.

> Why are my amavis-new + SpamAssassin not checking this spam email?

You probably don't have an unrar utility.
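To make the two short answers above concrete (the 127.0.0.1 Received hops are the amavis round trip, and the RAR is the part amavis could not look inside), here is an added example; it is not part of the original thread and not ISPConfig, Postfix or amavis code. It rebuilds the posted message's header chain with placeholder mailbox names (the post redacts them; the host names, IPs, queue ids, subject and attachment name are the ones visible in the post), walks the Received headers from the origin outwards, flags the archive attachment by its magic bytes and its double extension, and base64-decodes the two surviving attachment lines on their own. That last step already shows, without unrar, that the archive carries a file whose name ends in -pdf.exe.

```python
"""Triage helpers for the message shown in the post: walk the Received chain
oldest hop first, flag the archive attachment, and pull readable strings out of
the visible base64 without unpacking the RAR.  Standard library only."""
import base64
import re
from email import message_from_bytes, policy

# Constructed sample mirroring the header layout of the posted message.  The post
# redacts every mailbox, so the addresses are placeholders (assumption); host
# names, IPs, queue ids, subject and attachment name are copied from the post.
SAMPLE = b"""Received: from localhost (localhost [127.0.0.1])
\tby MX.MYDOMAIN.LTD (Postfix) with ESMTP id 635277D99F
\tfor <user1@MYDOMAIN.LTD>; Tue, 13 Nov 2018 12:09:19 +0200 (EET)
Received: from MX.MYDOMAIN.LTD ([127.0.0.1])
\tby localhost (MX.MYDOMAIN.LTD [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id iNCo-ONE1yhX for <user1@MYDOMAIN.LTD>; Tue, 13 Nov 2018 12:09:18 +0200 (EET)
Received: from server.phildns.com (server.phildns.com [138.128.189.218])
\tby MX.MYDOMAIN.LTD (Postfix) with ESMTPS id ECE037D50B
\tfor <user1@MYDOMAIN.LTD>; Tue, 13 Nov 2018 12:09:15 +0200 (EET)
Received: from [84.38.130.177] (port=61125 helo=IP-130-177.dataclub.eu)
\tby server.phildns.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.91)
\t(envelope-from <sender@cescorp.ph>) id 1gMVd4-0004d6-AU; Tue, 13 Nov 2018 05:09:08 -0500
Subject: ***UNCHECKED*** Request for commercial offer - KCS/E/1211/13B/311017
From: "Commercial Invoice" <sender@cescorp.ph>
To: Recipients <sender@cescorp.ph>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1500715244=="

--===============1500715244==
Content-Type: text/plain; charset="iso-8859-1"

Dear Sir/ Madam,
--===============1500715244==
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Commercial _Offer_ KCS-311017-pdf.rar"

UmFyIRoHAQBv3GP8DAEFCAAHAQHGgZOAAGSlRjA1AgML+4ATBICkKCBqjBh2gBsAF3NjYW4tMDAw
--===============1500715244==--
"""

# The two base64 lines that survive the "***cut***" in the post.
VISIBLE_B64 = [
    "UmFyIRoHAQBv3GP8DAEFCAAHAQHGgZOAAGSlRjA1AgML+4ATBICkKCBqjBh2gBsAF3NjYW4tMDAw",
    "MDAwMDM5OTQtcGRmLmV4ZQoDAkB6HTbletQBHXdWUQMFBAA=",
]

RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<detail>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PROTO_RE = re.compile(r"\bwith\s+(\S+)")
# Exim/Postfix "esmtpa"/"esmtpsa" mean the client used SMTP AUTH; "esmtps" is TLS only.
AUTH_PROTOS = {"esmtpa", "esmtpsa", "smtpa", "smtpsa"}
DISGUISE_RE = re.compile(r"(pdf|docx?|xlsx?)[-_ .]*\.(rar|zip|7z)$", re.I)
FILENAME_RE = re.compile(rb"[A-Za-z0-9_.-]{6,}")


def parse_sample():
    return message_from_bytes(SAMPLE, policy=policy.default)


def relay_chain(msg):
    """Received headers as hops, oldest first (each MTA prepends, so reverse)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold, squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("frm") + " " + (m.group("detail") or ""))
        proto = PROTO_RE.search(text)
        proto = proto.group(1).lower() if proto else ""
        hops.append({
            "from": m.group("frm"), "by": m.group("by"), "proto": proto,
            "ip": ip.group(1) if ip else None,
            "local": bool(ip) and ip.group(1).startswith("127."),  # content-filter round trip
            "authenticated": proto in AUTH_PROTOS,                   # submitted with a login
        })
    return hops


def summarize(msg):
    hops = relay_chain(msg)
    external = [h for h in hops if not h["local"]]
    origin = hops[0] if hops else None
    return {
        "hops": len(hops),
        "local_rescans": sum(1 for h in hops if h["local"]),
        "origin_ip": origin["ip"] if origin else None,
        # the host where the sender logged in: where an abuse report belongs
        "origin_authenticated_at": origin["by"] if origin and origin["authenticated"] else None,
        "handoff_ip": external[-1]["ip"] if external else None,  # what actually connected to our MX
        "unchecked": str(msg.get("Subject", "")).startswith("***UNCHECKED***"),
    }


def risky_attachments(msg):
    """Attachments with RAR magic bytes and/or a document-then-archive double extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "is_rar": data.startswith(b"Rar!\x1a\x07"),  # RAR4 and RAR5 share this prefix
            "disguised": bool(DISGUISE_RE.search(name)),
        })
    return findings


def strings_in_b64(chunks):
    """Decode each surviving base64 line by itself (the middle is missing, so they
    cannot be joined) and return filename-looking runs of printable bytes."""
    names = []
    for chunk in chunks:
        raw = base64.b64decode(chunk)
        names.extend(m.group(0).decode("ascii") for m in FILENAME_RE.finditer(raw))
    return names


if __name__ == "__main__":
    msg = parse_sample()
    for hop in relay_chain(msg):
        print(hop)
    print(summarize(msg))
    print(risky_attachments(msg))
    print(strings_in_b64(VISIBLE_B64))
```

Run as-is it prints the four hops in order: the authenticated submission from 84.38.130.177 into server.phildns.com (esmtpsa), the ESMTPS hand-off from 138.128.189.218 to MX.MYDOMAIN.LTD, then two loopback hops as Postfix passes the queue file to amavis on port 10024 and takes it back on 10025. Only the second hop is a connection the MX saw; the rest are the upstream provider's record and the local content filter, so a rule keyed on 127.0.0.1 will never see the real client. The string extraction is the cheap substitute for unrar: the RAR container name advertises a PDF, while the archive member name that survives in the visible base64 ends in -pdf.exe.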
First of all, Jesse, thank you so much for your answer, I really appreciate it. I will try to install it.

It was always required to authenticate all users, but in the default ISPConfig setup the parameters in main.cf "smtpd_sender_restrictions" are in the wrong order, and I reordered them after reading the manual.

This setting was made by me intentionally; my boss wants all incoming and outgoing emails of all employees to be copied. Excuse me if it was confusing. I just asked because I thought it was somehow connected to the multiple "Received: from" headers.