[SOLVED] No SPAM check when mail is "transported"

[moren]

The scenario:

Internet -- mail gateway (z5.0.9) -- mail store 1 ( z6.0.3)
-- mail store 2 ( z6.0.3)

The "mail gateway" is doing anti-virus and anti-spam and then transports the "cleaned" mail to end users at the two mail stores down stream. There is no real end users at mail gateway.

This configuration is working right now and have done so for 1-2 years.


The problem:

At a test "mail gateway" we upgraded to z6.0.6 and now this setup is not working. There is no Anti-SPAM check done for transported mails, only anti-virus check is done (ie X-Virus-Scanned: amavisd-new, no X-Spam-Flag)

If I try send a mail to a local dummy account on the gateway it gets SPAM-checked.


The "transport" of mail messages to the mail store machines is done with:

# su - zimbra
$ zmlocalconfig -e postfix_transport_maps=ldap:/opt/zimbra/conf/ldap-transport.cf,hash:/etc/zimbra/transport

$ postconf -ev relay_recipient_maps=hash:/etc/zimbra/relay_recipients

$ postconf -ev relay_domains=hash:/etc/zimbra/relay_domains

Where:
/etc/zimbra/transport contains down-stream mail store machines
/etc/zimbra/relay_recipients contains all end users
/etc/zimbra/relay_domains contains the mail domains we allow relay of
(ie down stream mail domains)

[uxbod]

Welcome to the forums

May I ask why you are even using transport maps ? If you are running a front-end ZCS MTA then it should know where each users mailstore resides. Once a email has passed through Amavis it is injected back into Postfix which in turn looks at zimbraMailTransport. By default that is set to lmtp:<mailstore_FQDN>:7025.

[moren]

Tnx for a reply.

The reason for this is that we do not share the LDAP between systems. We use one "Network Edition" for about 900 accounts and use the open-source version at the gateway and for the second mail store.

The relay_recipients is created by scrips from the down-stream systems. We have also some more mail-servers down-stream but those are not relevant to this current problem.

[uxbod]

What do you have defined for @mynetworks in /opt/zimbra/conf/amavisd.conf ?

[moren]

We have never modified this file on the "currently working" system and it is set to the default (se below). This is the same on the new z6.0.6 test gate-way.

# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
# 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

[uxbod]

Hmmm, you could try turning up the amavis logging level to see what is happening ?

[moren]

Now I have run amavisd with loglevel 4 and noticed some interesting things.

It looks like the SPAM-check *is* performed for all messages (see below) but the headers is not written in to the mail.

Some output from log file (I can send full log files if needed). Two cases, 1 local and 1 down-stream account:

[local account] (This gets a local=1 and a SPAM-TAG line)

Apr 12 14:10:13 molud2 amavis[18183]: (18183-01) headers CLUSTERING: NEW CLUSTER <dummy.987@molud2.hh.se>: score=14.802, tag=1, tag2=1, local=1, bl=, s=[SPAM?]_, mangle=
Apr 12 14:10:13 molud2 amavis[18183]: (18183-01) SPAM-TAG, <mxxx.mxxx@gmail.com> -> <dummy.987@molud2.hh.se>, Yes, score=14.802 tagged_above=-10 required=6.6 tests=[AWL=-12.198, BAYES_50=0.001, HH_PATTERN=7, HH_PATTERN2=20, SPF_PASS=-0.001] autolearn=spam


[down-stream account] (This gets a local=0 and a *no* SPAM-TAG line)

Apr 12 14:09:46 molud2 amavis[18208]: (18208-01) headers CLUSTERING: NEW CLUSTER <zimbra.ett@test.hh.se>: score=14.366, tag=1, tag2=1, local=0, bl=, s=, mangle=

[uxbod]

Hmm, in the code I see

Code:

  if (ll(2) && defined($cluster_full_spam_status) && @recip_cluster) {
    my($s) = $cluster_full_spam_status; $s =~ s/\n[ \t]/ /g;
    do_log(2, "SPAM-TAG, %s -> %s, %s", $msginfo->sender_smtp,
              join(',', map { $_->recip_addr_smtp } @recip_cluster), $s);

So my guess is that as the recipient is not local to the ZCS installation then it is not adding the header.

[uxbod]

In /opt/zimbra/conf/amavisd.conf what is $mydomain set to ?

[moren]

Hmm, have this behavior changed from z5.0.9 (ie the version we run today)? And when did this changed. We would like to upgrade the gateway before 15 April (the last day for clamd 0.94). We could go to version 5.0.23 instead of 6.0.x

Can there be some config tweak/workaround to add those headers anyway? There are no local account on this machine except the default system accounts, admin, spam*, ham* et. al.