ISPCONFIG 3.2.7p1
Debian 11 (bullseye)

None of my servers are blacklisted, all names are fine. My issue is that when some clients send email using Outlook, the messages are bounced back stating:

Code:
mailgate.....[ip.ip.ip.ip] said: 550 5.7.1 xx.xx.xx.xx listed at zen.spamhaus.org (in reply to end of DATA command)

The IP xx.xx.xx.xx is my client's starting IP, so their IP at work/home is blacklisted. What do I need to alter to not have their original IP, so it just shows the mail server IP as an originating point?

Thanks,
Dave
On further thought, the default rbl is not implemented at end-of-data, so not sure what you have going on here. What is a full set of logs from when such a client attempts to send? And post your 'postconf -n' output and master.cf.
postconf -n

Code:
root@mx1:~# postconf -n
address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mx1.tlwebservices.co.uk, localhost, localhost.localdomain
myhostname = mx1.tlwebservices.co.uk
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_smtpd_milters = inet:localhost:11332
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_dns_support_level = dnssec
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
root@mx1:~#

master.cf

Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#   mailbox_transport = lmtp:inet:localhost
#   virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
I had the same problem because zen.spamhaus.org includes a lot of residential IPs. I solved it using sbl.spamhaus.org and xbl.spamhaus.org instead.
That's good, but the sender is my customer, and where the emails are going to are bouncing them away saying "nah. you spam a lot - have an error 550.... blah"

Code:
<[email protected]>: host (receiving server)mailgate......gov.uk[xx.xx.xx.xx] said 550 5.7.1 (my customer)xx.xx.xx.xx listed at zen.spamhaus.org (in reply to end of DATA command)

The first IP at mailgate... is the receiver's server and the last IP is my customer sending.
Ah, so that message is from an external server, not yours? (Having a full set of logs would be helpful to see what's going on.) It sounds like they simply have a bad filtering setup on their end, as zen (which includes pbl) should never be used like that. You could champion for change, explaining to them their error and trying to get them to fix it; or you could try to kill headers that reveal the client ip (eg. see https://serverfault.com/questions/413533/remove-hide-client-sender-ip-from-postfix); or if the receiving mail system "cares" about the sender for some particular reason, have your customer complain to the receiver about the issue and drive the change from that end.
That won't work, this is UK local government. You can never speak to the IT department. They all hide, have tried on many occasions and times..

Is it possible for when my client, for example, opens their Outlook (IMAP), sends email to an email address, but just display the server IP and not their originating IP?

From the log.. (not sure how to just capture the 1 email only, have cut out other items from between the lines)

Code:
Apr 22 12:07:50 mx1 postfix/smtps/smtpd[1020832]: connect from host86-163-68-15.range86-163.btcentralplus.com[86.163.68.15]
Apr 22 12:07:50 mx1 postfix/smtps/smtpd[1020832]: 6F6A1580641: client=host86-163-68-15.range86-163.btcentralplus.com[86.163.68.15], sasl_method=LOGIN, sasl_username=my@customer
Apr 22 12:07:50 mx1 postfix/cleanup[1018503]: 6F6A1580641: message-id=<191501d85639..................@customer>
Apr 22 12:07:50 mx1 dovecot: imap-login: Login: user=<my@customer>, method=PLAIN, rip=86.163.68.15, lip=212.159.153.4, mpid=1022530, TLS, session=<dtrEPDz.............>
Apr 22 12:07:50 mx1 postfix/qmgr[296989]: 6F6A1580641: from=<my@customer>, size=11141, nrcpt=4 (queue active)
Apr 22 12:07:51 mx1 postfix/smtp[1022006]: 6F6A1580641: to=<client@recipient>, relay=mailgate-a.valeofglamorgan.gov.uk[194.83.245.24]:25, delay=1.1, delays=0.55/0.02/0.25/0.32, dsn=5.7.1, status=bounced (host mailgate-a.valeofglamorgan.gov.uk[194.83.245.24] said: 550 5.7.1 86.163.68.15 listed at zen.spamhaus.org (in reply to end of DATA command))
You can only solve that problem by contacting "zen.spamhaus.org" and requesting they pull your IP away from their spam filters. Not sure if you will even be able to reach them.
My customer's ISP is BT, they were on a dynamic range, they then requested a static IP for their modem. This also was being reported as spam.

I found a solution to this: remove my customer's IP from the header. Correct me if this is bad security, but I didn't see another way, as many of my customers also have an ISP dynamic IP from their providers..

Code:
vim /etc/postfix/smtp_header_checks

/^Received: .*/ IGNORE
/^X-Originating-IP:/ IGNORE

This then stopped my customer's originating IP from being published in their sent email. If there is a more elegant or secure way, please let me know.
And you added that file to your postfix main.cf? Just so it's clear for other users that might want to use this
Sorry, missed this..

To stop your user's original IP (if on a blacklisted IP) from being inserted in the email header, thus avoiding blacklisted originating blocks:

OK, I edited

Code:
/etc/postfix/main.cf

and added this line

Code:
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

then create/edit

Code:
/etc/postfix/smtp_header_checks

and insert this

Code:
/^Received: .*/ IGNORE
/^X-Originating-IP:/ IGNORE

Save and restart the mail server, then test to see it working.
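
Added example, not part of the thread and not ISPConfig or Postfix code: a small Python model of the IGNORE rules above, run over constructed headers, comparing the posted rule set with a hypothetical narrower one that only matches the authenticated submission hop. The narrower pattern is an assumption that relies on `smtpd_sasl_authenticated_header = yes` from the postconf output earlier in the thread; the sample headers use documentation addresses, and the Python regex flags only approximate Postfix `regexp:` table matching.

```python
import re

# Constructed sample headers (documentation addresses, not from the thread).
SAMPLE = """\
Received: from desktop (host.isp.example [203.0.113.25])
\t(Authenticated sender: user@customer.example)
\tby mx1.example.org (Postfix) with ESMTPSA id 4AB12C0DEF;
\tFri, 22 Apr 2022 12:07:50 +0100 (BST)
Received: from scanner.lan (scanner.lan [192.0.2.10])
\tby desktop with SMTP; Fri, 22 Apr 2022 12:07:49 +0100
X-Originating-IP: [203.0.113.25]
From: user@customer.example
Subject: test
"""

# Rule set as posted in the thread: every Received header is dropped.
BROAD = [r"^Received: .*", r"^X-Originating-IP:"]
# Hypothetical narrower rule set (assumption): only the authenticated hop.
NARROW = [r"^Received:.*\(Authenticated sender:", r"^X-Originating-IP:"]


def logical_headers(block):
    """Join folded continuation lines; header checks see one logical header."""
    headers = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def apply_ignore(block, patterns):
    """Drop each header matched by any pattern (the IGNORE action).
    IGNORECASE | DOTALL approximates the regexp: table defaults."""
    compiled = [re.compile(p, re.IGNORECASE | re.DOTALL) for p in patterns]
    return [h for h in logical_headers(block)
            if not any(c.search(h) for c in compiled)]


def received_count(headers):
    """Number of trace (Received) headers left for the next hop to see."""
    return sum(h.lower().startswith("received:") for h in headers)


def leaks(headers, ip):
    """True if the given client address still appears in any header."""
    return any(ip in h for h in headers)


if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("narrow", NARROW)):
        out = apply_ignore(SAMPLE, rules)
        print(name, "Received kept:", received_count(out),
              "client IP present:", leaks(out, "203.0.113.25"))
```

Both rule sets remove the client address from the constructed sample, but the posted one also removes every other trace header. On a real server, a single header can be checked against the live table with `postmap -q "header text" regexp:/etc/postfix/smtp_header_checks`.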