Hi all

One of our servers has had a big influx of spam recently, so I am trying to batten down the antispam config. Most of the spam seems fairly obvious, but is being sent from seemingly legitimate mail servers (pass RBL checks etc), see headers:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from ispconfigserverhostname.domain.tld
    by ispconfigserverhostname.domain.tld (Dovecot) with LMTP id GSvVMp4mbWFnWgAA3qAYAg
    for <[email protected]>; Mon, 18 Oct 2021 08:47:42 +0100
Received: from localhost (localhost [127.0.0.1])
    by ispconfigserverhostname.domain.tld (Postfix) with ESMTP id C6BAA2006D2F
    for <[email protected]>; Mon, 18 Oct 2021 08:47:42 +0100 (BST)
X-Virus-Scanned: Debian amavisd-new at ispconfigserverhostname.domain.tld
X-Spam-Flag: NO
X-Spam-Score: 1.9
X-Spam-Level: *
X-Spam-Status: No, score=1.9 tagged_above=1 required=2
    tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
    MIME_HTML_ONLY=0.723, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ispconfigserverhostname.domain.tld ([127.0.0.1])
    by localhost (ispconfigserverhostname.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id Jm_i4j_rOnRC for <[email protected]>;
    Mon, 18 Oct 2021 08:47:42 +0100 (BST)
X-Greylist: delayed 600 seconds by postgrey-1.36 at ispconfigserverhostname; Mon, 18 Oct 2021 08:47:42 BST
Received: from appliedvoice.co (appliedvoice.co [195.133.39.167])
    by ispconfigserverhostname.domain.tld (Postfix) with ESMTP id 3DFC72006C80
    for <[email protected]>; Mon, 18 Oct 2021 08:47:42 +0100 (BST)
Date: Mon, 18 Oct 2021 02:33:09 -0500
From: "School Of Squirt" <[email protected]>
MIME-Version: 1.0
Precedence: bulk
To: <[email protected]>
Subject: Check Out These Crazy WhatsApp Messages From The Girls
Message-ID: <QEM8h4H69NAF1fajjkiIzeEyFsZkhc48JvcIYio_upo._Xgmw7ExXe7vsRgGxLrzYOr41flyQpb3jsL9Xz6z5go@appliedvoice.co>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Something that may be interesting is that tagged_above=1 and the score is 1.9, but it was not tagged?

Anyway, I am trying to implement more aggressive RBL checks, but whenever I add an RBL through the GUI, it places it BEFORE "permit_sasl_authenticated" in "smtpd_sender_restrictions", meaning that users are unable to authenticate and send outbound mail if they are on an RBL (common if they are using dynamic IPs etc). Other than editing the main.cf manually, any thoughts?
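The ordering problem in the post above is easy to verify mechanically: in a Postfix restriction list, the first entry that returns PERMIT or REJECT ends evaluation of that list, so a reject_rbl_client placed ahead of permit_sasl_authenticated is applied to the server's own authenticated users as well. The script below is an added example, not code from the thread or from ISPConfig: it parses main.cf text, reports every reject_rbl_client / reject_rhsbl_* entry that precedes permit_mynetworks or permit_sasl_authenticated, and prints the list with those permits moved in front of the first DNSBL check. The embedded main.cf fragment is constructed for the example; the file path, the zone name zen.spamhaus.org and the proxy:mysql lookup are illustrative assumptions.

```python
"""Audit Postfix smtpd_*_restrictions for DNSBL rejects that are evaluated
before permit_mynetworks / permit_sasl_authenticated.

Added example (not from the thread or from ISPConfig). Usage:
    python3 rbl_order.py /etc/postfix/main.cf
With no argument it audits the constructed SAMPLE_MAIN_CF below.
"""
import re
import sys

# Constructed sample (hypothetical, not copied from any real install):
# an RBL has been inserted ahead of the local permits.
SAMPLE_MAIN_CF = """\
# sender restrictions with the RBL added too early
smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,
    reject_rbl_client zen.spamhaus.org,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

LOCAL_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
# Tokens that start a new restriction; anything else (a zone name, a map
# specification) is an argument of the restriction before it.
RESTRICTION_START = re.compile(r"^(permit|reject|check|defer|warn|sleep)(_|$)")


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction value into entries, keeping each entry's argument attached."""
    entries = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if RESTRICTION_START.match(tok) or not entries:
            entries.append(tok)
        else:
            entries[-1] += " " + tok
    return entries


def is_dnsbl(entry):
    return entry.split()[0].startswith(("reject_rbl_", "reject_rhsbl_"))


def dnsbl_before_permit(entries):
    """DNSBL rejects that Postfix will evaluate before the first local permit."""
    bad = []
    for e in entries:
        if e.split()[0] in LOCAL_PERMITS:
            break
        if is_dnsbl(e):
            bad.append(e)
    return bad


def reorder(entries):
    """Move local permits that follow the first DNSBL reject to just before it.
    Entries ahead of the first DNSBL (e.g. access-map lookups) keep their place."""
    first = next((i for i, e in enumerate(entries) if is_dnsbl(e)), None)
    if first is None:
        return list(entries)
    tail = entries[first:]
    moved = [e for e in tail if e.split()[0] in LOCAL_PERMITS]
    return entries[:first] + moved + [e for e in tail if e.split()[0] not in LOCAL_PERMITS]


def audit(text):
    """Return {parameter: (offending_entries, corrected_entries)} for misordered lists."""
    findings = {}
    for param, value in parse_main_cf(text).items():
        if not (param.startswith("smtpd_") and param.endswith("_restrictions")):
            continue
        entries = restriction_list(value)
        bad = dnsbl_before_permit(entries)
        if bad:
            findings[param] = (bad, reorder(entries))
    return findings


def render(param, entries):
    """Format a corrected list in main.cf continuation-line style."""
    return param + " =\n" + ",\n".join("    " + e for e in entries)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    for param, (bad, fixed) in audit(text).items():
        print(f"{param}: {', '.join(bad)} evaluated before the local permits")
        print(render(param, fixed))
```

The check is deliberately conservative: it only moves the two local permits, so a check_sender_access lookup that sits ahead of the RBL is still consulted for everyone. Separating client submission onto port 587 (the Postfix submission service in master.cf, where `-o smtpd_sender_restrictions=...` overrides main.cf per service) avoids the conflict entirely, since port 25 can then carry the strict DNSBL list without ever seeing authenticated users.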
To improve spam scanning, I recommend switching from Amavis to Rspamd: https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/

This is a bug that gets fixed in the next version.
I wouldn't really consider that a "workaround"; that is the proper config you should be using. Port 25 is for server-to-server mail and has a lot more restrictions in place; you shouldn't use it for client mail submission.