Hi everyone, I had a problem with amavis and spam detection. If an email is sent from Gmail, in the header of the ISPConfig mailbox I have : and it's OK. But if another provider sends me email, I have : and so no spam detection is working and I had plenty of spam in my mailbox. Do you have any idea why? I attach my postfix conf and the report of php common issue. Thanks a lot, Joffrey

Result php common issue:
Code:
##### SERVER #####
IP-address (as per hostname): [localhost]
IP-address(es) (as per ifconfig): ***.***.***.***
[WARN] ip addresses from hostname differ from ifconfig output. Please check your ip settings.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.1.6
##### VERSION CHECK #####
[INFO] php (cli) version is 5.6.31-1~dotdeb+7.1
##### PORT CHECK #####
[WARN] Port 22 (SSH server) seems NOT to be listening
##### MAIL SERVER CHECK #####
[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 25427)
[INFO] I found the following mail server(s):
Postfix (PID 25864)
[INFO] I found the following pop3 server(s):
Courier Mailserver (PID 25363)
[INFO] I found the following imap server(s):
Courier Mailserver (PID 25317)
[INFO] I found the following ftp server(s):
PureFTP (PID 25454)
##### LISTENING PORTS #####
(only () Local (Address)
[localhost]:10024 (24202/amavisd-new)
[localhost]:10025 (25864/master)
[localhost]:10026 (24202/amavisd-new)
[localhost]:3306 (22572/mysqld)
[localhost]:10027 (25864/master)
[anywhere]:111 (1540/rpcbind)
[anywhere]:8080 (25427/apache2)
[anywhere]:80 (25427/apache2)
[anywhere]:465 (25864/master)
[anywhere]:8081 (25427/apache2)
[anywhere]:8852 (3820/sshd)
***.***.***.***:53 (25478/named)
[localhost]:53 (25478/named)
[anywhere]:21 (25454/pure-ftpd)
[anywhere]:25 (25864/master)
[localhost]:953 (25478/named)
[anywhere]:443 (25427/apache2)
*:*:*:*::*:993 (25343/couriertcpd)
*:*:*:*::*:995 (25384/couriertcpd)
[localhost]10 (25363/couriertcpd)
[localhost]43 (25317/couriertcpd)
[localhost]11 (1540/rpcbind)
*:*:*:*::*:465 (25864/master)
*:*:*:*::*:8852 (3820/sshd)
*:*:*:*::*:53 (25478/named)
*:*:*:*::*:21 (25454/pure-ftpd)
*:*:*:*::*:25 (25864/master)
##### IPTABLES #####
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-courierauth tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,143,220,993,110,995
fail2ban-postfix tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465
fail2ban-apache-phpmyadmin tcp -- [anywhere]/0 [anywhere]/0 multiport dports 80,443
fail2ban-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,143,220,993,110,995
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8852
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:465
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpts:29799:29899
ACCEPT all -- [anywhere]/0 [anywhere]/0 state RELATED,ESTABLISHED
ACCEPT all -- [anywhere]/0 [anywhere]/0 state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spts:1024:65535 dpt:53
Chain fail2ban-apache-phpmyadmin (1 references)
target prot opt source destination
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
DROP all -- ***.***.***.*** [anywhere]/0
RETURN all -- [anywhere]/0 [anywhere]/0
Chain fail2ban-courierauth (1 references)
target prot opt source destination
DROP all -- ***.***.***.*** [anywhere]/0
RETURN all -- [anywhere]/0 [anywhere]/0
Chain fail2ban-postfix (1 references)
target prot opt source destination
DROP all -- ***.***.***.*** [anywhere]/0
RETURN all -- [anywhere]/0 [anywhere]/0
Chain fail2ban-sasl (1 references)
target prot opt source destination
DROP all -- ***.***.***.*** [anywhere]/0
RETURN all -- [anywhere]/0 [anywhere]/0

tagged_above - specifies the value from which the "spam lines" are inserted into the header. Check the SPAM tag level for the Spamfilter policy.
Hi, thanks for your answer. Why in some headers do I have and in some headers I don't see X-Spam ...? I attach the screenshot of the SPAM tag level. I use the "Normal" anti-spam strategy on this mailbox (and this domain). Joffrey
Each mail gets an individual score from spamassassin. If the score is < your SPAM tag level (0.70), you will not see the additional lines.
OK, I didn't know that. What can I do to see the spam tag level of one spam? Put tag level value 0 and then check the header of an email that I receive in my mailbox, which is spam but amavis didn't recognise it? Thanks
I made a test: I configured my anti-spam strategy like the printscreen, so normally the subject of all my emails contains **, no? This is not the case; some emails have it, some not.
Ensure to set the filter policy on the domain as well and not just on the mailbox. When you receive emails through aliases, then these will use the domain wide policy.
OK thanks, last question: SpamAssassin tags some spam with this score:
X-Virus-Scanned: Debian amavisd-new at www.*******.be
X-Spam-Flag: NO
X-Spam-Score: -0.098
X-Spam-Level:
X-Spam-Status: No, score=-0.098 tagged_above=-1.7 required=0.8
Is it normal to have spam with a negative score? Thanks a lot, Joffrey
Yes. The score is the sum of the applied rules and there are trust rules (negative score) and spam rules (positive score), so a trusted mail can get a negative score as well.
Thanks for your answer. Unfortunately, 75% of spam had a score of -0.9. Is there somewhere a list of these rules? My spam filter is normal (see last post) but with tag level 0.00 and tag level2 2.00, so much spam in my mailbox. Thanks, Joffrey
[edit] In all my spam, the test BAYES_00 is always at -1.9? I will search about that.
X-Spam-Status: No, score=0.351 tagged_above=-1.8 required=0.8 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=no
Seems as if your Bayes filter (self learning spam detection system) has learnt something wrong "BAYES_00=-1.9". You should remove the bayes db so that it starts to learn again from scratch (or seed it with known ham / spam messages to speed up the learning process).
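To see how much of a score comes from Bayes, the X-Spam-Status line can be broken down per rule. The following is an added example, not part of any post in this thread: it uses the header quoted above, its function names are made up here, and it assumes headers are inserted when score >= tagged_above and mail is flagged as spam when score >= required.

```python
import re

# Header quoted in the thread (the message with BAYES_00=-1.9).
HEADER = (
    "X-Spam-Status: No, score=0.351 tagged_above=-1.8 required=0.8 "
    "tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_BRBL_LASTEXT=1.449, "
    "RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, "
    "T_REMOTE_IMAGE=0.01] autolearn=no"
)

NUM = r"-?\d+(?:\.\d+)?"

def parse_spam_status(header):
    """Split an X-Spam-Status line into score, thresholds and per-rule points."""
    value = " ".join(header.split(":", 1)[1].split())  # unfold wrapped header lines
    levels = dict(re.findall(rf"\b(score|tagged_above|required)=({NUM})", value))
    tests = {}
    listed = re.search(r"tests=\[([^\]]*)\]", value)
    if listed:  # the tests list is absent when amavis is not configured to log it
        for name, points in re.findall(rf"([A-Za-z0-9_]+)=({NUM})", listed.group(1)):
            tests[name] = float(points)
    return {
        "score": float(levels["score"]),
        "tagged_above": float(levels["tagged_above"]),
        "required": float(levels["required"]),
        "tests": tests,
    }

def analyse(header):
    """Show what the Bayes rules contributed and whether they changed the verdict."""
    info = parse_spam_status(header)
    bayes = sum(p for n, p in info["tests"].items() if n.startswith("BAYES_"))
    without_bayes = round(info["score"] - bayes, 3)
    return {
        "headers_inserted": info["score"] >= info["tagged_above"],
        "flagged_spam": info["score"] >= info["required"],
        "sum_of_tests": round(sum(info["tests"].values()), 3),
        "bayes_points": bayes,
        "score_without_bayes": without_bayes,
        "verdict_flipped_by_bayes": (without_bayes >= info["required"])
                                    != (info["score"] >= info["required"]),
    }

if __name__ == "__main__":
    for key, val in analyse(HEADER).items():
        print(f"{key}: {val}")
```

For the quoted header the rule points add up to the reported score, and without the BAYES_00 contribution the message would have been above the required level.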
OK thanks, I removed the Bayes db:
Code:
su amavis -c 'sa-learn --clear'
then recreated the db with one mail:
Code:
su amavis -c 'printf "\n\nHello World\n" | sa-learn --ham'
Then the db was created:
Code:
Sep 18 11:39:26.300 [25661] dbg: bayes: found bayes db version 3
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 2 0 non-token data: nham
0.000 0 549 0 non-token data: ntokens
0.000 0 1505726653 0 non-token data: oldest atime
0.000 0 1505727152 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
Sep 18 11:39:26.300 [25661] dbg: bayes: untie-ing the
I forced sa-learn to re-scan all mailboxes for learning spam. I will check the spam score of the next mail. Must the sa-learn command be launched under the vmail user for amavis? Thanks
For information, I use this command for learning:
Code:
sa-learn --username=amavis --spam --dir /var/vmail/*/*/*
Joffrey
Just one last question and after that I stop. Does anyone know why, when I run these two commands, the results are different? Thanks a lot
Code:
root@www:~# sa-learn --username=amavis --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 654 0 non-token data: nspam
0.000 0 1432 0 non-token data: nham
0.000 0 210612 0 non-token data: ntokens
0.000 0 1428938461 0 non-token data: oldest atime
0.000 0 1505730672 0 non-token data: newest atime
0.000 0 1505730749 0 non-token data: last journal sync atime
0.000 0 1505727067 0 non-token data: last expiry atime
0.000 0 691200 0 non-token data: last expire atime delta
0.000 0 69049 0 non-token data: last expire reduction count
root@www:~# su amavis -c 'sa-learn --dump magic'
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 6 0 non-token data: nham
0.000 0 820 0 non-token data: ntokens
0.000 0 1505726653 0 non-token data: oldest atime
0.000 0 1505730621 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
man su: For backward compatibility, su defaults to not change the current directory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). It is recommended to always use the --login option (instead of its shortcut -) to avoid side effects caused by mixing environments.
OK thanks. After resetting the Bayes dbs, anti-spam works fine. Last question: can the end user modify the whitelist filter on their own?