Identification of Spam sources with DNSBL doesn't work

Hi all, as described here https://docs.software-univention.de/manual-4.3.html#mail::dnsbl in the UCS manual, I tried to add these smtpd_recipient_restrictions rules to my Postfix main.cf file:

ucr set mail/postfix/smtpd/restrictions/recipient/75="reject_rbl_client b.barracudacentral.org"
ucr set mail/postfix/smtpd/restrictions/recipient/76="reject_rbl_client zen.spamhaus.org"

After that I reloaded Postfix with: service postfix reload

and checked Postfix with postconf -n

postconf: warning: /etc/postfix/main.cf, line 196: overriding earlier entry: content_filter=smtp-amavis:[127.0.0.1]:10024
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
content_filter = smtp:127.0.0.1:10030
daemon_directory = /usr/lib/postfix/sbin
disable_vrfy_command = no
inet_interfaces = all
inet_protocols = ipv4
local_header_rewrite_clients =
masquerade_domains = $mydomain
masquerade_exceptions = root
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.xxxxxx.it
mynetworks = 127.0.0.0/8, 192.168.0.10/32, 192.168.0.240/32
mynetworks_style = subnet
myorigin = mail.xxxxxx.it
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_blacklist_action = ignore
postscreen_dnsbl_action =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 3
postscreen_greet_action = drop
postscreen_greet_ttl = 1d
postscreen_helo_required = no
postscreen_non_smtp_command_action = ignore
postscreen_non_smtp_command_enable = no
relay_domains = $mydestination
relocated_maps = hash:/etc/postfix/relocated
smtp_helo_name = mail.xxxxxx.it
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:12340
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile = /etc/myssl/mail.xxxxxx.it.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/myssl/mail.xxxxxx.it.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/myssl/mail.xxxxxx.it.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols =
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
smtputf8_enable = no
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport, ldap:/etc/postfix/ldap.transport
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap.groups, ldap:/etc/postfix/ldap.distlist, ldap:/etc/postfix/ldap.virtual, ldap:/etc/postfix/ldap.external_aliases, ldap:/etc/postfix/ldap.sharedfolderremote, ldap:/etc/postfix/ldap.sharedfolderlocal_aliases
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
virtual_mailbox_maps = ldap:/etc/postfix/ldap.virtual_mailbox, ldap:/etc/postfix/ldap.sharedfolderlocal
virtual_transport = lmtp:unix:private/dovecot-lmtp

Except the first line with a warning, everything seems to be ok, but the Identification of Spam sources with DNS-based Blackhole Lists (DNSBL) doesn’t filter.

I checked Barracuda as described here http://www.barracudacentral.org/rbl/how-to-use and it seems to be ok:

root@mail:/etc/postfix# host 2.0.0.127.b.barracudacentral.org
2.0.0.127.b.barracudacentral.org has address 127.0.0.2

I checked Spamhaus as described here https://www.spamhaus.org/faq/section/DNSBL%20Usage#261 and it seems to be ok:

root@mail:/etc/postfix# host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2

Last, I checked by sending a mail as described here http://www.crynwr.com/spam/ and I received this mail, which confirms that my configuration is not working as expected:

Testing your SBL block.  See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying.  Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to xxx.xxx.xxx.xxx and here's the conversation I had:

220 mail.xxxxxx.it ESMTP Postfix
helo sbl.crynwr.com
250 mail.xxxxxx.it
mail from:<>
250 2.1.0 Ok
rcpt to:<user@xxxxxx.it>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: nelson-SBL-test@crynwr.com
To: user@xxxxxx.it
Date: Wed, 4 Apr 2018 9:22:37 -0000
Message-Id: <1522833757@sbl.crynwr.com>
Precedence: junk

Test message
.
250 2.0.0 Ok: queued as BEB6A1F013CB
quit
Successful termination.  As far as I can tell, the email was delivered.
That might not be what you want.

I also checked the headers of some SPAM messages I received this morning and I checked the Received: from IP here https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3A181.64.241.163&run=toolpage
This IP is blacklisted on Barracuda and Zen Spamhaus but my UCS Mail server didn’t block the message as expected.

What’s the problem? What can I check more? Any suggestions?
Thanks!


Hey,

is there an SMTP server between the internet and your UCS server? Because RBL checks only apply to the machine that’s currently connecting, not to the servers listed in the Received headers. Or to put it differently: when the sbl.crynwr.com server connects to mail.xxxxxx.it, does it connect to your UCS server, or is mail.xxxxxx.it another server? Judging from the host name shown in the prompt of your tests, root@mail, I guess that this is indeed a direct connection, but I’d like to make sure.

Can you please post the corresponding lines from /var/log/mail.log from your delivery test with sbl.crynwr.com?

You can also ask Postfix to generate more in-depth log messages for connections from/to specific hosts. In the case of sbl.crynwr.com, you’d do something like this:

postconf debug_peer_list=192.203.178.107 debug_peer_level=3
postfix reload

Then trigger the crynwr.com robot again and observe your mail.log. Adjust the debug_peer_level up or down depending on whether or not you get useful output.

Kind regards,
mosu

Thanks @Moritz_Bunkus for your reply.
There isn’t any SMTP server between the internet and my UCS Mail Server: sbl.crynwr.com connects directly to the mail.xxxxxx.it server, which is my UCS Mail Server.

Here’s my /var/log/mail.log

Apr  4 15:51:17 mail postfix/smtpd[5826]: connect from imac-01.xxxxxx.it[192.168.0.100]
Apr  4 15:51:17 mail postfix/smtpd[5826]: 8949D1F02446: client=imac-01.xxxxxx.it[192.168.0.100], sasl_method=PLAIN, sasl_username=user
Apr  4 15:51:17 mail postfix/cleanup[5527]: 8949D1F02446: message-id=<E5821892-0484-470A-8DBD-A1799AD62338@xxxxxx.it>
Apr  4 15:51:17 mail postfix/qmgr[12068]: 8949D1F02446: from=<user@xxxxxx.it>, size=2094, nrcpt=1 (queue active)
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.smtp_factory INFO connecting to upstream gateway "127.0.0.1:10031"
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.__init__ INFO accepted new client, from=127.0.0.1
Apr  4 15:51:17 mail postfix/smtpd[5529]: connect from localhost[127.0.0.1]
Apr  4 15:51:17 mail postfix/smtpd[5529]: 94EFD1F02469: client=localhost[127.0.0.1]
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO handling mail from=user@xxxxxx.it
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.accounts.ldap.get_objectinfo_by_email INFO retrieving user/group data for email=user@xxxxxx.it from ldap
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.accounts.ldap.get_objectinfo_by_email INFO retrieving additional group data for email=user@xxxxxx.it from ldap
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.find_disclaimer INFO using sender_info: {'system:gids': ['5051', '5000', '5001', '5045', '5076', '5016', '5044', '5074', '5086', '5050', '5052'], 'city': u'City', 'fax': None, 'template:domain': ['Standard'], 'from': 'user@xxxxxx.it', 'zip': u'zip', 'office': None, 'system:uid': '2073', 'lastname': u'lastname', 'company': None, 'pobox': None, 'template:group': [], 'phone': u'phone', 'state': u'IT', 'street': None, 'country': None, 'department': u'IT e Sicurezza', 'fullname': u'user', 'givenname': u'user', 'template:user': None, 'email': u'user@xxxxxx.it'}
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.try_names INFO will try the following names for type=txt: ['Standard', 'global']
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.try_names INFO using disclaimer file '/etc/maildisclaimer/templates/Standard.txt'
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.find_disclaimer INFO using sender_info: {'system:gids': ['5051', '5000', '5001', '5045', '5076', '5016', '5044', '5074', '5086', '5050', '5052'], 'city': u'city', 'fax': None, 'template:domain': ['Standard'], 'from': 'user@xxxxxx.it', 'zip': u'zip', 'office': None, 'system:uid': '2073', 'lastname': u'lastname', 'company': None, 'pobox': None, 'template:group': [], 'phone': u'phone', 'state': u'IT', 'street': None, 'country': None, 'department': u'IT e Sicurezza', 'fullname': u'user', 'givenname': u'user', 'template:user': None, 'email': u'user@xxxxxx.it'}
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.try_names INFO will try the following names for type=html: ['Standard', 'global']
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.storage.try_names INFO using disclaimer file '/etc/maildisclaimer/templates/Standard.html'
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.email._integrate_disclaimer_directly_into_part INFO disclaimer successfully embedded (directly, default pattern txt|html ($))
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.email._integrate_disclaimer_directly_into_part INFO disclaimer successfully embedded (directly, default-pattern html (body))
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO appended disclaimer to mail from=user@xxxxxx.it
Apr  4 15:51:17 mail postfix/cleanup[5527]: 94EFD1F02469: message-id=<E5821892-0484-470A-8DBD-A1799AD62338@xxxxxx.it>
Apr  4 15:51:17 mail postfix/smtp[5629]: 8949D1F02446: to=<nelson-sbl-test@crynwr.com>, relay=127.0.0.1[127.0.0.1]:10030, delay=0.16, delays=0.02/0/0.04/0.09, dsn=2.0.0, status=sent (221 2.0.0 Bye)
Apr  4 15:51:17 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.disconnect INFO client (from=127.0.0.1) disconnecting
Apr  4 15:51:17 mail postfix/qmgr[12068]: 8949D1F02446: removed
Apr  4 15:51:17 mail postfix/qmgr[12068]: 94EFD1F02469: from=<user@xxxxxx.it>, size=60143, nrcpt=1 (queue active)
Apr  4 15:51:17 mail postfix/smtpd[5529]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:18 mail postfix/smtpd[5533]: connect from localhost[127.0.0.1]
Apr  4 15:51:18 mail postfix/smtpd[5533]: 3A6481F02446: client=localhost[127.0.0.1], orig_queue_id=94EFD1F02469, orig_client=localhost[127.0.0.1]
Apr  4 15:51:18 mail postfix/cleanup[5527]: 3A6481F02446: message-id=<E5821892-0484-470A-8DBD-A1799AD62338@xxxxxx.it>
Apr  4 15:51:18 mail postfix/smtpd[5533]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Apr  4 15:51:18 mail postfix/qmgr[12068]: 3A6481F02446: from=<user@xxxxxx.it>, size=60632, nrcpt=1 (queue active)
Apr  4 15:51:18 mail amavis[5200]: (05200-06) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]:36704 <user@xxxxxx.it> -> <nelson-sbl-test@crynwr.com>, Queue-ID: 94EFD1F02469, Message-ID: <E5821892-0484-470A-8DBD-A1799AD62338@xxxxxx.it>, mail_id: ofmIH891pEfP, Hits: -2.908, size: 60135, queued_as: 3A6481F02446, 543 ms
Apr  4 15:51:18 mail postfix/smtp[5530]: 94EFD1F02469: to=<nelson-sbl-test@crynwr.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.64, delays=0.1/0/0/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3A6481F02446)
Apr  4 15:51:18 mail postfix/qmgr[12068]: 94EFD1F02469: removed
Apr  4 15:51:19 mail postfix/smtp[5528]: 3A6481F02446: to=<nelson-sbl-test@crynwr.com>, relay=ns1.crynwr.com[192.203.178.14]:25, delay=1.2, delays=0.01/0/0.51/0.71, dsn=2.0.0, status=sent (250 ok 1522849879 qp 12358)
Apr  4 15:51:19 mail postfix/qmgr[12068]: 3A6481F02446: removed
Apr  4 15:51:19 mail postfix/smtpd[5553]: connect from unknown[xxx.xxx.xxx.254]
Apr  4 15:51:20 mail postfix/smtpd[5553]: 0242A1F02446: client=unknown[xxx.xxx.xxx.254]
Apr  4 15:51:20 mail postfix/cleanup[5527]: 0242A1F02446: message-id=<1522849879@sbl.crynwr.com>
Apr  4 15:51:20 mail postfix/qmgr[12068]: 0242A1F02446: from=<>, size=382, nrcpt=1 (queue active)
Apr  4 15:51:20 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.smtp_factory INFO connecting to upstream gateway "127.0.0.1:10031"
Apr  4 15:51:20 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.__init__ INFO accepted new client, from=127.0.0.1
Apr  4 15:51:20 mail postfix/smtpd[5529]: connect from localhost[127.0.0.1]
Apr  4 15:51:20 mail postfix/smtpd[5529]: 6419A1F02469: client=localhost[127.0.0.1]
Apr  4 15:51:20 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO handling mail from=nelson-sbl-test@crynwr.com
Apr  4 15:51:20 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO passing through non-local mail from=nelson-sbl-test@crynwr.com
Apr  4 15:51:20 mail postfix/cleanup[5527]: 6419A1F02469: message-id=<1522849879@sbl.crynwr.com>
Apr  4 15:51:20 mail postfix/smtp[5629]: 0242A1F02446: to=<user@xxxxxx.it>, relay=127.0.0.1[127.0.0.1]:10030, delay=0.57, delays=0.46/0/0.05/0.05, dsn=2.0.0, status=sent (221 2.0.0 Bye)
Apr  4 15:51:20 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.disconnect INFO client (from=127.0.0.1) disconnecting
Apr  4 15:51:20 mail postfix/qmgr[12068]: 0242A1F02446: removed
Apr  4 15:51:20 mail postfix/qmgr[12068]: 6419A1F02469: from=<>, size=734, nrcpt=1 (queue active)
Apr  4 15:51:20 mail postfix/smtpd[5529]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:20 mail postfix/smtpd[5553]: disconnect from unknown[xxx.xxx.xxx.254] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:20 mail postfix/smtpd[5533]: connect from localhost[127.0.0.1]
Apr  4 15:51:20 mail postfix/smtpd[5533]: 955901F02446: client=localhost[127.0.0.1], orig_queue_id=6419A1F02469, orig_client=localhost[127.0.0.1]
Apr  4 15:51:20 mail postfix/cleanup[5527]: 955901F02446: message-id=<1522849879@sbl.crynwr.com>
Apr  4 15:51:20 mail postfix/qmgr[12068]: 955901F02446: from=<>, size=1408, nrcpt=1 (queue active)
Apr  4 15:51:20 mail postfix/smtpd[5533]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Apr  4 15:51:20 mail amavis[5293]: (05293-06) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:36716 <> -> <user@xxxxxx.it>, Queue-ID: 6419A1F02469, Message-ID: <1522849879@sbl.crynwr.com>, mail_id: TlCofvoqRS81, Hits: 0.799, size: 734, queued_as: 955901F02446, 155 ms
Apr  4 15:51:20 mail postfix/smtp[5530]: 6419A1F02469: to=<user@xxxxxx.it>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.06/0/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 955901F02446)
Apr  4 15:51:20 mail postfix/qmgr[12068]: 6419A1F02469: removed
Apr  4 15:51:20 mail postfix/lmtp[5534]: 955901F02446: to=<user@xxxxxx.it>, relay=mail.xxxxxx.it[private/dovecot-lmtp], delay=0.03, delays=0.01/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 <user@xxxxxx.it> +H9gJVjYxFrHFgAAe6R98g Saved)
Apr  4 15:51:20 mail postfix/qmgr[12068]: 955901F02446: removed
Apr  4 15:51:21 mail postfix/smtpd[5553]: connect from unknown[xxx.xxx.xxx.254]
Apr  4 15:51:21 mail postfix/smtpd[5553]: 65C151F02446: client=unknown[xxx.xxx.xxx.254]
Apr  4 15:51:21 mail postfix/cleanup[5527]: 65C151F02446: message-id=<20180404135119.12364.qmail@ns0.crynwr.com>
Apr  4 15:51:21 mail postfix/qmgr[12068]: 65C151F02446: from=<nelson-expn@crynwr.com>, size=1499, nrcpt=1 (queue active)
Apr  4 15:51:21 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.smtp_factory INFO connecting to upstream gateway "127.0.0.1:10031"
Apr  4 15:51:21 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.__init__ INFO accepted new client, from=127.0.0.1
Apr  4 15:51:21 mail postfix/smtpd[5529]: connect from localhost[127.0.0.1]
Apr  4 15:51:21 mail postfix/smtpd[5529]: C7BAC1F024E6: client=localhost[127.0.0.1]
Apr  4 15:51:21 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO handling mail from=nelson-sbl-test@crynwr.com
Apr  4 15:51:21 mail bitbone-maildisclaimer: bitbone.disclaimers.smtp.rewrite_message INFO passing through non-local mail from=nelson-sbl-test@crynwr.com
Apr  4 15:51:21 mail postfix/smtp[5528]: 65C151F02446: to=<user@xxxxxx.it>, relay=127.0.0.1[127.0.0.1]:10030, delay=0.57, delays=0.47/0/0.05/0.05, dsn=2.0.0, status=sent (221 2.0.0 Bye)
Apr  4 15:51:21 mail bitbone-maildisclaimer: bitbone.smtp.esmtpd.disconnect INFO client (from=127.0.0.1) disconnecting
Apr  4 15:51:21 mail postfix/qmgr[12068]: 65C151F02446: removed
Apr  4 15:51:21 mail postfix/cleanup[5527]: C7BAC1F024E6: message-id=<20180404135119.12364.qmail@ns0.crynwr.com>
Apr  4 15:51:21 mail postfix/qmgr[12068]: C7BAC1F024E6: from=<nelson-expn@crynwr.com>, size=1851, nrcpt=1 (queue active)
Apr  4 15:51:21 mail postfix/smtpd[5529]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:21 mail postfix/smtpd[5553]: disconnect from unknown[xxx.xxx.xxx.254] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:22 mail postfix/smtpd[5533]: connect from localhost[127.0.0.1]
Apr  4 15:51:22 mail postfix/smtpd[5533]: 4AC181F02446: client=localhost[127.0.0.1], orig_queue_id=C7BAC1F024E6, orig_client=localhost[127.0.0.1]
Apr  4 15:51:22 mail postfix/cleanup[5527]: 4AC181F02446: message-id=<20180404135119.12364.qmail@ns0.crynwr.com>
Apr  4 15:51:22 mail postfix/smtpd[5533]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Apr  4 15:51:22 mail postfix/qmgr[12068]: 4AC181F02446: from=<nelson-expn@crynwr.com>, size=2552, nrcpt=1 (queue active)
Apr  4 15:51:22 mail amavis[5200]: (05200-07) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:36726 <nelson-expn@crynwr.com> -> <user@xxxxxx.it>, Queue-ID: C7BAC1F024E6, Message-ID: <20180404135119.12364.qmail@ns0.crynwr.com>, mail_id: LX2o-mfyT79Y, Hits: 1.523, size: 1851, queued_as: 4AC181F02446, 440 ms
Apr  4 15:51:22 mail postfix/smtp[5530]: C7BAC1F024E6: to=<user@xxxxxx.it>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.06/0/0/0.44, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4AC181F02446)
Apr  4 15:51:22 mail postfix/qmgr[12068]: C7BAC1F024E6: removed
Apr  4 15:51:22 mail postfix/lmtp[5534]: 4AC181F02446: to=<user@xxxxxx.it>, relay=mail.xxxxxx.it[private/dovecot-lmtp], delay=0.03, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 <user@xxxxxx.it> IR+BElrYxFrHFgAAe6R98g Saved)
Apr  4 15:51:22 mail postfix/qmgr[12068]: 4AC181F02446: removed

Do you see something wrong?
Do I need to increase log level as you described?
Thanks!

Hey,

This seems to be the initial connection that delivers your test mail. I find it highly suspicious that the source address ends in 254. That’s not the outgoing mail server used by crynwr.com:

[0 mbunkus@chai-latte ~] host sbl.crynwr.com
sbl.crynwr.com has address 192.203.178.107

Therefore your postfix will check the RBL lists for that x.x.x.254 address. You’re saying that there is no other mail server between the internet and your mail server — either that’s false (e.g. you’re running an anti-spam/anti-virus appliance in between), or you might have a firewall that does source NAT, too.

Kind regards,
mosu

Yes, I was looking at the same lines.

On my UCS Mail Server I have SpamAssassin and Amavis installed by default. I don’t think that these apps are the cause. Do you?

I think I need to concentrate more on my firewall because xxx.xxx.xxx.254 is the address of my ISP gateway…

Hey,

Definitely not. Those only come into play after the message has already been accepted. The problem occurs before that.

That’s what I was thinking of, too, when I mentioned source NATing. .254 is a typical gateway address.

This is most likely an issue with the configuration of that router/firewall, not an issue on the UCS server. Your Postfix configuration looks good to me.

Kind regards,
mosu

Thanks @Moritz_Bunkus, problem solved!
I asked my ISP to check the gateway and they changed some rules.
Now looking at /var/log/mail.log I can correctly see the source address and Barracuda and Spamhaus started to filter messages.
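
The check that resolved this thread, as an added example (not part of the original posts and not UCS or Postfix code): it reads the client address Postfix logged on each smtpd connect, builds the DNSBL name that would be looked up for it, and flags the source-NAT symptom where every internet connection appears to come from one address. The sample log is constructed, 203.0.113.254 is a placeholder for the masked gateway address, and the function names and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the mail.log lines quoted in the thread.
# 203.0.113.254 (documentation range) stands in for the masked gateway address.
SAMPLE_LOG = """\
Apr  4 15:51:17 mail postfix/smtpd[5826]: connect from imac-01.example.it[192.168.0.100]
Apr  4 15:51:19 mail postfix/smtpd[5553]: connect from unknown[203.0.113.254]
Apr  4 15:51:20 mail postfix/smtpd[5529]: connect from localhost[127.0.0.1]
Apr  4 15:51:20 mail postfix/smtpd[5553]: disconnect from unknown[203.0.113.254] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  4 15:51:21 mail postfix/smtpd[5553]: connect from unknown[203.0.113.254]
Apr  4 15:52:02 mail postfix/smtpd[5560]: connect from unknown[203.0.113.254]
"""

# Loopback and RFC 1918 ranges: clients here are local, not internet senders.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches only "connect from host[ip]" lines written by smtpd (not "disconnect").
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")


def dnsbl_query_name(ip, zone):
    """DNS name looked up for an IPv4 client: reversed octets, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def external_clients(log_text):
    """Count smtpd connects per client address, skipping local ranges."""
    counts = Counter()
    for match in CONNECT_RE.finditer(log_text):
        addr = ipaddress.ip_address(match.group(1))
        if not any(addr in net for net in LOCAL_NETS):
            counts[match.group(1)] += 1
    return dict(counts)


def snat_suspected(counts, min_connections=3):
    """Heuristic (assumed threshold): all internet connects share one address.

    A DNSBL restriction tests the address Postfix sees, so if a gateway
    rewrites the source, every sender is checked as the gateway itself.
    """
    return len(counts) == 1 and sum(counts.values()) >= min_connections


if __name__ == "__main__":
    seen = external_clients(SAMPLE_LOG)
    for ip, n in seen.items():
        for zone in ("b.barracudacentral.org", "zen.spamhaus.org"):
            print(f"{ip} ({n} connects) is checked as {dnsbl_query_name(ip, zone)}")
    if snat_suspected(seen):
        print("All external connects share one address: check for source NAT.")
```

On a busy server that receives mail from many senders, a single external address in the result is the signal to look at the gateway or firewall rather than at the Postfix restrictions.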
