How to make Postfix filter spam for entries in virtual?

Miguel Almeida

My postfix installation is working correctly (delivery via dovecot, spam filtering via amavis - spamassassin).

I have some aliases in virtual, e.g.:

[hidden email]    johnDoe

However, for the emails that match an entry in virtual, amavis is not filtering for spam (resulting in lots of spam reaching my inbox).

How can the configuration be changed so that the emails that match virtual entries are also filtered for spam?

You can find my main.cf file here <https://gist.github.com/mmalmeida/68dd0c7bce64675084807464c59b3801>.


Thank you in advance for your help!


Miguel


Re: How to make Postfix filter spam for entries in virtual?

Noel Jones-2
On 9/17/2018 5:44 AM, Miguel Almeida wrote:

> My postfix installation is working correctly (delivery via dovecot,
> spam filtering via amavis - spamassassin).
>
> I have some aliases in virtual, e.g.:
>
> [hidden email]    johnDoe
>
> However, for the emails that match an entry in virtual, amavis is
> not filtering for spam (resulting in lots of spam reaching my inbox).
>
> How can the configuration be changed so that the emails that match
> virtual entries are also filtered for spam?
>
> You can find my main.cf file here
> <https://gist.github.com/mmalmeida/68dd0c7bce64675084807464c59b3801>.
>
>
> Thank you in advance for your help!
>
>
> Miguel
>

That sounds unusual.  For general debugging hints, please see
http://www.postfix.org/DEBUG_README.html

For further help from the list, please see:
http://www.postfix.org/DEBUG_README.html#mail

In your description of the problem, please be sure to include
"postconf -n" output.  It would also be helpful to include log
entries showing the problem (NOT debug logs).



  -- Noel Jones

Re: How to make Postfix filter spam for entries in virtual?

Miguel Almeida
Thanks for the reply.

It seems that I might have something wrong in my amavis/spamassassin configuration, but the following log might show something obvious to a more experienced user - can you help?

Here is a log for a spam message that arrived:

Sep 17 16:07:15 mailserver postfix/smtpd[9970]: connect from localhost[127.0.0.1]
Sep 17 16:07:15 mailserver postfix/smtpd[9970]: 920C9507539: client=localhost[127.0.0.1]
Sep 17 16:07:15 mailserver postfix/cleanup[9965]: 920C9507539: message-id=<[hidden email]>
Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 920C9507539: from=<[hidden email]>, size=1806, nrcpt=3 (queue active)
Sep 17 16:07:15 mailserver amavis[9250]: (09250-06) Passed SPAM {RelayedOpenRelay,Quarantined}, [180.125.253.237]:22311 [208.62.237.18] <[hidden email]> -> <[hidden email]>, quarantine: l/spam-lIL6tWw0gz1s.gz, Queue-ID: 910D6507538, Message-ID: <[hidden email]>, mail_id: lIL6tWw0gz1s, Hits: 15.778, size: 1320, queued_as: 920C9507539, 2695 ms
Sep 17 16:07:15 mailserver postfix/smtpd[9970]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 17 16:07:15 mailserver postfix/smtp[9966]: 910D6507538: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=1.9/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 920C9507539)
Sep 17 16:07:15 mailserver postfix/qmgr[18272]: 910D6507538: removed
Sep 17 16:07:16 mailserver dovecot: lda(admit): sieve: msgid=<[hidden email]>: stored mail into mailbox 'INBOX'
Sep 17 16:07:16 mailserver dovecot: lda(mma): sieve: msgid=<[hidden email]>: stored mail into mailbox 'INBOX'
Sep 17 16:07:16 mailserver postfix/local[9971]: 920C9507539: to=<[hidden email]>, orig_to=<[hidden email]>, relay=local, delay=1.3, delays=0.17/0.02/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
Sep 17 16:07:16 mailserver postfix/local[9972]: 920C9507539: to=<[hidden email]>, orig_to=<[hidden email]>, relay=local, delay=1.3, delays=0.17/0.04/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)

It looks like it is being marked as quarantine, but going to the inbox nonetheless?

My /etc/amavis/conf.d/20-debian_defaults:

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

#$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -20;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
(...)
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

And the header of this email:
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from localhost (localhost [127.0.0.1])
	by mailserver.itc.com (Postfix) with ESMTP id 920C9507539
	for <[hidden email]>; Mon, 17 Sep 2018 16:07:15 +0100 (WEST)
X-Virus-Scanned: Debian amavisd-new at itclinical.com


Which is different from other emails received (I configured amavis to always add the X-Spam flags):

X-Virus-Scanned: Debian amavisd-new at itc.com
X-Spam-Flag: NO
X-Spam-Score: 2.441
X-Spam-Level: **
X-Spam-Status: No, score=2.441 tagged_above=-20 required=5
	tests=[FROM_EXCESS_BASE64=0.105, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
	HTML_IMAGE_ONLY_24=1.282, HTML_IMAGE_RATIO_02=0.805,
	HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001,
	SPF_PASS=-0.001] autolearn=no autolearn_force=no

Re: How to make Postfix filter spam for entries in virtual?

Noel Jones-2
It appears postfix is operating properly; this is either an amavis
problem or a dovecot/sieve problem.  Those products have their own
support lists.


  -- Noel Jones
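
The log posted in this thread shows amavis recording "Passed SPAM" at 15.778 hits and postfix/local then delivering the re-injected queue ID (queued_as) to the mailboxes. The following is an added example, not code from the thread's participants: it correlates amavis verdict lines with final deliveries and lists messages that were passed at or above the kill level. The log lines and addresses in it are constructed placeholders in the same format, and the default threshold of 5 is taken from the posted $sa_kill_level_deflt.

```python
import re

# Constructed sample in the log format shown in the thread; all addresses,
# IPs and the second (clean) message are placeholders, not values from the page.
SAMPLE_LOG = """\
Sep 17 16:07:15 mailserver amavis[9250]: (09250-06) Passed SPAM {RelayedOpenRelay,Quarantined}, [192.0.2.10]:22311 [192.0.2.20] <sender@example.net> -> <alias@example.com>, quarantine: l/spam-AAAA.gz, Queue-ID: 910D6507538, Message-ID: <m1@example.net>, mail_id: AAAA, Hits: 15.778, size: 1320, queued_as: 920C9507539, 2695 ms
Sep 17 16:07:16 mailserver postfix/local[9971]: 920C9507539: to=<user1@example.com>, orig_to=<alias@example.com>, relay=local, delay=1.3, delays=0.17/0.02/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
Sep 17 16:07:16 mailserver postfix/local[9972]: 920C9507539: to=<user2@example.com>, orig_to=<alias@example.com>, relay=local, delay=1.3, delays=0.17/0.04/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
Sep 17 16:09:02 mailserver amavis[9250]: (09250-07) Passed CLEAN {RelayedInbound}, [192.0.2.30]:40112 <friend@example.org> -> <user1@example.com>, Queue-ID: A1B2C3D4E5F, Message-ID: <m2@example.org>, mail_id: BBBB, Hits: 2.441, size: 5120, queued_as: F6E5D4C3B2A, 1203 ms
Sep 17 16:09:03 mailserver postfix/local[9980]: F6E5D4C3B2A: to=<user1@example.com>, relay=local, delay=0.4, delays=0.1/0.01/0/0.3, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
"""

# amavis verdict line: action, category, score, and the queue ID assigned on re-injection.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>\w+) (?P<verdict>[A-Z-]+) "
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?).*?queued_as: (?P<qid>[0-9A-F]+)")
# Final delivery line written by a Postfix delivery agent.
DELIVERY_RE = re.compile(
    r"postfix/(?:local|virtual|pipe|lmtp)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>(?:, orig_to=<(?P<orig>[^>]*)>)?.*status=sent")


def spam_delivered(log_text, kill_level=5.0):
    """Return (queue_id, verdict, hits, rcpt, orig_to) for each delivery of a
    message that amavis passed although its score reached kill_level."""
    lines = log_text.splitlines()
    # Pass 1: index amavis verdicts by the queue ID of the re-injected message.
    verdicts = {}
    for line in lines:
        m = AMAVIS_RE.search(line)
        if m:
            verdicts[m["qid"]] = (m["action"], m["verdict"], float(m["hits"]))
    # Pass 2: match final deliveries against those verdicts.
    findings = []
    for line in lines:
        m = DELIVERY_RE.search(line)
        if not m or m["qid"] not in verdicts:
            continue
        action, verdict, hits = verdicts[m["qid"]]
        if action == "Passed" and hits >= kill_level:
            findings.append((m["qid"], verdict, hits, m["rcpt"], m["orig"]))
    return findings


if __name__ == "__main__":
    for f in spam_delivered(SAMPLE_LOG):
        print("spam delivered: queue=%s verdict=%s hits=%.3f to=%s orig_to=%s" % f)
```

The posted configuration sets $final_spam_destiny to D_PASS, which tells amavis to pass spam on to the recipient, so on such a system this check reports every message scored at or above the kill level.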