Mystic behavior of multiple recipients mail

Chan Joe joechan2 at gmail.com
Wed Oct 26 08:03:37 CEST 2011 

Hello,

I know this has been raised for million times, but my situation is a bit
different, googled for weeks but no goal.

I have a Postfix + Amavisd-new + SpamAssassin as a mail gateway to filter
out the mails by using whitelist_to and blacklist_to in SpamAssassin only,
yes everything is so simply, no virus checking, no others. Just check the
recipient address to decide relay or discard.

But the thing is, when there is a multiple-recipient mail, lets say to
white_user1 at test.com, white_user2 at test.com,black_user3 at test.com,
black_user4 at test.com.

This mail will go to all these 4 users, the mails to black_user are maked as
"Passed CLEAN", they are receiving the mails, but they shouldn't.

transfer_destination_recipient_limit has set to 1 already
in main.cf
smtp-amavis_destination_recipient_limit = 1

This parameter is working, I can see the mail is splitted into 4 copies,
sending to amavis one by one.

The mystic behavior is, if I telnet to 127.0.0.1:25, and send a multiple
recipients mail, it is working fine, white_users are getting the mails,
black_users are not receiving (Blocked SPAM).

If I send the same mail via SqWebmail or Outlook, all 4 users are receiving
the mails (Passed CLEAN).

In all other cases, sending mails to 1 white user, 1 black user, or multiple
white users or multiple black users are fine. No matter from telnet or
webmail.

Please can anyone give me some idea? Many thanks! Sorry for the long mail :/

Thanks & Regards,
Joe



System:
Redhat EL 5.5
postfix-2.8.2-1.rhel5
amavisd-new-2.6.4-4.el5.rf
spamassassin-3.2.5-1.el5


Config:
# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.8.2-documentation/html
inet_interfaces = all
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydomain = test.com
myhostname = name.test.com
mynetworks = 127.0.0.0/8, 172.0.0.0/8, 57.0.0.0/8, 0.0.0.0/0
mynetworks_style = class
myorigin = name.test.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.2-documentation/readme
relay_domains = $mydestination
relayhost = mail.test.com
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550


# amavisd.conf
use strict;
$max_servers = 2;            # num of pre-forked children (2..30 is common),
-m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis),
-u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis),
-g
$mydomain = 'example.com';   # a convenient default for other settings
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info,
debug
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and
nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if
$enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by
dkim_key
@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 172.20.0.0/16 192.168.0.0/16 );
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or
amavis-milter
               # option(s) -p overrides $inet_socket_port and
$unix_socketname
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it
explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our
users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and
types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS
option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with
$unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for
amavisd-release
};
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that
level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks
mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid
From
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn
database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi
spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed
bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is
larger
$sa_local_tests_only = 0;    # only tests which do not require internet
access?
$virus_admin               = "virusalert\@$mydomain";  # notifications
recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications
sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications
sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications
sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if
undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not
enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not
enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998
characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
$myhostname = 'name.test.com';
$final_spam_destiny       = D_DISCARD;
$spam_quarantine_to = 'mailadmin at name.test.com';
(the rest is default ... skipped)



#maillog: from webmail, to 1white 1black, both Passed CLEAN
Oct 26 13:42:06 MYHOST postfix/qmgr[10353]: AC2081400AB: from=<
mailadmin at MYHOST.MYDOMAIN.com>, size=680, nrcpt=2 (queue active)
Oct 26 13:42:06 MYHOST sendmail[10382]: p9Q5g69X010382:
to=black_user1 at MYDOMAIN.com,white_user1 at MYDOMAIN.com,
ctladdr=mailadmin at MYHOST (510/513), delay=00:00:00, xdelay=00:00:00,
mailer=relay, pri=60270, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
(Ok: queued as AC2081400AB)
Oct 26 13:42:06 MYHOST postfix/smtpd[10349]: disconnect from
localhost.localdomain[127.0.0.1]
Oct 26 05:42:07 MYHOST postfix/smtpd[10362]: connect from unknown[127.0.0.1]
Oct 26 05:42:07 MYHOST postfix/smtpd[10362]: 02E021400A9:
client=unknown[127.0.0.1]
Oct 26 13:42:07 MYHOST postfix/cleanup[10352]: 02E021400A9:
message-id=<201110260542.p9Q5g69X010382 at MYHOST>
Oct 26 13:42:07 MYHOST postfix/qmgr[10353]: 02E021400A9: from=<
mailadmin at MYHOST.MYDOMAIN.com>, size=1182, nrcpt=1 (queue active)
Oct 26 13:42:07 MYHOST amavis[10374]: (10374-01) Passed CLEAN
{RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:45049 [127.0.0.1] <
mailadmin at MYHOST.MYDOMAIN.com> -> <black_user1 at MYDOMAIN.com>, Queue-ID:
AC2081400AB, Message-ID: <201110260542.p9Q5g69X010382 at MYHOST>, mail_id:
KgZB572jGg2i, Hits: -65.031, size: 680, queued_as: 02E021400A9, 290 ms
Oct 26 05:42:07 MYHOST postfix/smtp[10354]: AC2081400AB:
to=<black_user1 at MYDOMAIN.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.35,
delays=0.05/0.01/0.01/0.29, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 02E021400A9)
Oct 26 13:42:07 MYHOST postfix/smtpd[10389]: connect from unknown[127.0.0.1]
Oct 26 05:42:07 MYHOST postfix/smtpd[10389]: 226231400AA:
client=unknown[127.0.0.1]
Oct 26 13:42:07 MYHOST postfix/cleanup[10352]: 226231400AA:
message-id=<201110260542.p9Q5g69X010382 at MYHOST>
Oct 26 13:42:07 MYHOST postfix/qmgr[10353]: 226231400AA: from=<
mailadmin at MYHOST.MYDOMAIN.com>, size=1180, nrcpt=1 (queue active)
Oct 26 13:42:07 MYHOST amavis[10375]: (10375-01) Passed CLEAN
{RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:45049 [127.0.0.1] <
mailadmin at MYHOST.MYDOMAIN.com> -> <white_user1 at MYDOMAIN.com>, Queue-ID:
AC2081400AB, Message-ID: <201110260542.p9Q5g69X010382 at MYHOST>, mail_id:
L93xjk2OAuAe, Hits: -65.041, size: 680, queued_as: 226231400AA, 392 ms
Oct 26 05:42:07 MYHOST postfix/smtp[10355]: AC2081400AB:
to=<white_user1 at MYDOMAIN.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.47,
delays=0.05/0.01/0.02/0.39, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 226231400AA)
Oct 26 13:42:07 MYHOST postfix/qmgr[10353]: AC2081400AB: removed


#maillog: from telnet, to 1white 1black, 1 Passed CLEAN, 1 Blocked SPAM
Oct 26 13:59:19 MYHOST postfix/qmgr[10353]: 8DCAA1400AD:
from=<mailadmin at MYDOMAIN.com>, size=369, nrcpt=2 (queue active)
Oct 26 13:59:20 MYHOST postfix/smtpd[10461]: connect from unknown[127.0.0.1]
Oct 26 05:59:20 MYHOST postfix/smtpd[10461]: 553021400AE:
client=unknown[127.0.0.1]
Oct 26 13:59:20 MYHOST postfix/cleanup[10453]: 553021400AE: message-id=<
20111026055903.8DCAA1400AD at MYHOST.MYDOMAIN.com>
Oct 26 13:59:20 MYHOST postfix/qmgr[10353]: 553021400AE:
from=<mailadmin at MYDOMAIN.com>, size=869, nrcpt=1 (queue active)
Oct 26 13:59:20 MYHOST amavis[10375]: (10375-02) Passed CLEAN
{RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:36045 [127.0.0.1]
<mailadmin at MYDOMAIN.com> -> <white_user1 at cathaypacific.com>, Queue-ID:
8DCAA1400AD, Message-ID: <20111026055903.8DCAA1400AD at MYHOST.MYDOMAIN.com>,
mail_id: Q2xMkirv0Lky, Hits: -61.145, size: 369, queued_as: 553021400AE, 392
ms
Oct 26 13:59:20 MYHOST postfix/smtp[10458]: 8DCAA1400AD: to=<
white_user1 at cathaypacific.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=25,
delays=25/0.02/0.01/0.39, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 553021400AE)
Oct 26 05:59:20 MYHOST postfix/smtpd[10461]: disconnect from
unknown[127.0.0.1]
Oct 26 13:59:20 MYHOST postfix/smtpd[10449]: disconnect from
localhost.localdomain[127.0.0.1]
Oct 26 05:59:21 MYHOST postfix/smtpd[10461]: connect from unknown[127.0.0.1]
Oct 26 05:59:21 MYHOST postfix/smtpd[10461]: CD81D1400AF:
client=unknown[127.0.0.1]
Oct 26 13:59:21 MYHOST postfix/cleanup[10453]: CD81D1400AF: message-id=<
20111026055903.8DCAA1400AD at MYHOST.MYDOMAIN.com>
Oct 26 13:59:21 MYHOST postfix/qmgr[10353]: CD81D1400AF: from=<>, size=1346,
nrcpt=1 (queue active)
Oct 26 05:59:21 MYHOST postfix/smtpd[10461]: disconnect from
unknown[127.0.0.1]
Oct 26 13:59:21 MYHOST amavis[10374]: (10374-02) Blocked SPAM
{DiscardedOutbound,Quarantined}, MYNETS LOCAL [127.0.0.1]:36045 [127.0.0.1]
<mailadmin at MYDOMAIN.com> -> <black_user1 at cathaypacific.com>, quarantine:
mailadmin at MYHOST.MYDOMAIN.com, Queue-ID: 8DCAA1400AD, Message-ID: <
20111026055903.8DCAA1400AD at MYHOST.MYDOMAIN.com>, mail_id: rLzdynCV41ce,
Hits: 38.855, size: 369, 1876 ms
Oct 26 13:59:21 MYHOST postfix/smtp[10457]: 8DCAA1400AD: to=<
black_user1 at cathaypacific.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=26,
delays=25/0.01/0.02/1.9, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=10374-02 - spam)
Oct 26 13:59:21 MYHOST postfix/qmgr[10353]: 8DCAA1400AD: removed
Oct 26 13:59:21 MYHOST postfix/local[10463]: warning: database
/etc/postfix/aliases.db is older than source file /etc/postfix/aliases
Oct 26 13:59:21 MYHOST postfix/local[10463]: CD81D1400AF: to=<
mailadmin at MYHOST.MYDOMAIN.com>, relay=local, delay=0.07,
delays=0.01/0.04/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20111026/d9c89d9a/attachment.html>

More information about the amavis-users mailing list