<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
Hi,
<br>
</div>
<div>
<br>
</div>
<div>
I'm running Postfix + amavisd-new + spamassassin on my mailserver(s) and my users have access to a webmail system to send mails.
<br>
</div>
<div>
Just recently I got an unexpected spam classifiation from an outgoing mail which I do not really fully understand:
<br>
</div>
<div>
<br>
</div>
<div>
<pre class="moz-quote-pre">First upstream SMTP client IP address: [148.251.71.226]
Received from: 148.251.71.226<br>-> this is my webmail system which sends mail as a client via Submission and SMTP AUTH.
Return-Path: <a class="moz-txt-link-rfc2396E" href="mailto:christiane@rosenauer.org"><anonymized></a>
From: anonymized
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:1227337344.171.1534513303678@ox.an-netz.de"><1227337344.171.1534513303678@ox.an-netz.de></a>
X-Mailer: Open-Xchange Mailer v7.10.0-Rev12
Subject: Re: Anfrage
Not quarantined.
The message WILL BE relayed to:
<a class="moz-txt-link-rfc2396E" href="mailto:landgasthof.egerbach@aon.at"><anonymized></a>
Spam scanner report:
Spam detection software, running on the system "my mailserver",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
postmaster for details.
Content preview:
Content analysis details: (7.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 HTML_MESSAGE BODY: HTML included in message
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[80.187.102.207 listed in zen.spamhaus.org]
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[80.187.102.207 listed in bb.barracudacentral.org]
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS</pre>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
The IP listed above is the dialup IP used send the mail via the webmailer. It is rightfully listed in PBL because it's "dialup".
<br>
</div>
<div>
But it only is listed/used as X-Originating-IP.
<br>
</div>
<div>
So this is a fully legitimate mail as it was sent authenticated.
<br>
</div>
<div>
<br>
</div>
<div>
I was quite a bit surprised. I guess (haven't checked yet) that I can workaround this issue by whitelisting something. I also would be interested in pointers to that but I'm wondering also from a more general point of view if looking at X-Originating-IP for RBLs really makes sense?
<br>
</div>
<div>
I already tag and filter authenticated delivered mail as originating and send it to a different amavis port and tag it there as "ORIGINATING" policy.
<br>
</div>
<div>
<br>
</div>
<div>
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
<br> originating => 1, # declare that mail was submitted by our smtp client
<br> allow_disclaimers => 0, # enables disclaimer insertion if available
<br>virus_admin_maps => ["virusalert\@$mydomain"],
<br> spam_admin_maps => ["virusalert\@$mydomain"],
<br> warnbadhsender => 1,
<br>smtpd_discard_ehlo_keywords => ['8BITMIME'],
<br> bypass_banned_checks_maps => [1], # allow sending any file names and types
<br> terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
<br>};
<br>
</div>
<div>
<br>
</div>
<div>
Any indicators about this issue? Does it make sense? How to fix it?
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
Thanks,
<br>
</div>
<div>
Wolfgang
<br>
</div>
</div>
</body>
</html>