  #1 (permalink)  
Old 11-10-2010, 04:50 PM
Advanced Member
 
Posts: 222
A lot of deferred and bounced messages

Hi,

On my ZCS I host approx. 100 domains and I notice a lot of messages from <> and <localhost> sent out and being refused by the recipient server. For example, these are my DAILY statistics for yesterday:

Grand Totals
------------
messages

6588 received
8341 delivered
0 forwarded
28 deferred (485 deferrals)
52 bounced
480 rejected (5%)
0 reject warnings
0 held
0 discarded (0%)

Host/Domain Summary: Messages Received (top 50)
msg cnt bytes host/domain
-------- ------- -----------
1596 162061k localhost
1137 94897k someproperdomain.com
235 151504k gmail.com
....etc

top 50 Senders by message count
-------------------------------
3192 from=<>
230 one.user@one-of-domains.com
120 another.user@another-domain.com
...etc

And one example from log, one of deferred messages:
Code:
0892220C1CD     4759 Sun Nov  7 18:30:03  MAILER-DAEMON
(host alt1.gmail-smtp-in.l.google.com[74.125.127.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450 4.2.1 visit http://mail.google.com/support/bin/answer.py?answer=6592 c22si2926382ana.195 (in reply to RCPT TO command))
                                         joelpeterson1977@gmail.com
(I'd love to see headers of this message, but when trying to go into postfix mail queue directory, I get Access denied, and also when issuing command postcat -q 0892220C1CD as zimbra user, I get Permission denied.)

Is such a behaviour normal?
I mean, so many messages from <> and <localhost> being in DEFERRED queue?
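Added example, not part of the original post: a sketch for triaging a deferred queue like the one described above. It parses `postqueue -p` style output and counts entries from the null sender (which the listing shows as MAILER-DAEMON), the SMTP reply codes behind the deferrals, and the recipient domains; the sample listing and all names in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of `postqueue -p` output (all values made up).
SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E1     4759 Sun Nov  7 18:30:03  MAILER-DAEMON
(host mx.example.net[192.0.2.10] said: 450-4.2.1 rate limited (in reply to RCPT TO command))
                                         someone@example.net

0A1B2C3D4E2     3120 Sun Nov  7 18:41:10  MAILER-DAEMON
(connect to mail.example.org[198.51.100.7]:25: Connection timed out)
                                         other@example.org

0A1B2C3D4E3    10233 Sun Nov  7 19:02:55  user@hosted.example
(host mx.example.net[192.0.2.10] said: 451 4.7.1 try again later (in reply to end of DATA command))
                                         friend@example.net

-- 18 Kbytes in 3 Requests.
"""

HEAD = re.compile(r"^([0-9A-F]+)[*!]?\s+(\d+)\s+\w{3} \w{3}\s+\d+ [\d:]{8}\s+(\S+)$")

def parse_queue(text):
    """Return one dict per queued message: id, size, sender, reason, rcpts.

    HEAD matches the entry line: queue ID (optional */! flag), size, time, sender.
    """
    entries = []
    for line in text.splitlines():
        head, body = HEAD.match(line), line.strip()
        if head:
            entries.append({"id": head.group(1), "size": int(head.group(2)),
                            "sender": head.group(3), "reason": "", "rcpts": []})
        elif entries and body.startswith("("):
            entries[-1]["reason"] = body           # deferral reason
        elif entries and body and line[0].isspace():
            entries[-1]["rcpts"].append(body)      # indented recipient line
    return entries

def summarize(entries):
    """Count null-sender (bounce) entries, SMTP reply codes, recipient domains."""
    codes, domains = Counter(), Counter()
    for e in entries:
        m = re.search(r"said: (\d{3})", e["reason"])
        codes[m.group(1) if m else "no-reply"] += 1
        domains.update(r.rsplit("@", 1)[-1].lower() for r in e["rcpts"])
    null = sum(1 for e in entries if e["sender"] == "MAILER-DAEMON")
    return {"total": len(entries), "null_sender": null, "codes": codes, "rcpt_domains": domains}

if __name__ == "__main__":
    print(summarize(parse_queue(SAMPLE)))
```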
  #2 (permalink)  
Old 11-11-2010, 03:46 AM
Advanced Member
 
Posts: 222

Another weird thing I discovered:
When I Forward daily mail statistics FROM admin in my Zimbra server TO my address on the same Zimbra server, message is marked as PROBABLY SPAM!!??
Huh?
Server is 100% clean, has never been listed in any blacklist, not even for a second! How is it possible that Zimbra marks its own message as probable spam based on URIBL?
Any explanation?
Code:
Return-Path: admin@zimbra.server.com
Received: from zimbra.server.com (LHLO zimbra.server.com)
 (195.246.15.126) by zimbra.server.com with LMTP; Thu, 11 Nov 2010
 12:27:24 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by zimbra.server.com (Postfix) with ESMTP id 5AF6120C1C2
	for <labsy@mydomain.com>; Thu, 11 Nov 2010 12:27:24 +0100 (CET)
X-Virus-Scanned: amavisd-new at zimbra.server.com
X-Spam-Flag: YES
X-Spam-Score: 8.544
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.544 tagged_above=-10 required=6.6
	tests=[BAYES_00=-1.9, EM_ROLEX=0.618, HELO_NO_DOMAIN=0.001,
	HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242,
	RDNS_NONE=0.793, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725,
	URIBL_DBL_SPAM=1.7, URIBL_SBL=1.623, URIBL_WS_SURBL=1.608,
	URI_HEX=1.122] autolearn=no
Received: from zimbra.server.com ([127.0.0.1])
	by localhost (zimbra.server.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id PE1CJW69HnPK for <labsy@mydomain.com>;
	Thu, 11 Nov 2010 12:27:19 +0100 (CET)
Received: from zimbra.server.com (zimbra.server.com [195.246.15.126])
	by zimbra.server.com (Postfix) with ESMTP id A257F20C053
	for <labsy@mydomain.com>; Thu, 11 Nov 2010 12:27:19 +0100 (CET)
Date: Thu, 11 Nov 2010 12:27:19 +0100 (CET)
From: admin@zimbra.server.com
To: andrej  <labsy@mydomain.com>
Message-ID: <365315637.17084.1289474839560.JavaMail.root@zimbra.server.com>
In-Reply-To: <20101110223009.3F7EE20C03E@zimbra.server.com>
Subject: - PROBABLY SPAM -Fwd: Daily mail report for 2010-11-10
MIME-Version: 1.0
Content-Type: multipart/alternative;
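Added example, not part of the original post: the X-Spam-Status header posted above, parsed and totalled per rule family, to show which checks pushed the forwarded report over the threshold. The grouping of rules by name pattern is an assumption made for this example; the URIBL_* rules are SpamAssassin's blocklist lookups for domains found in URIs in the message.

```python
import re
from collections import defaultdict

# X-Spam-Status header as posted in the thread (folded over several lines).
HEADER = """X-Spam-Status: Yes, score=8.544 tagged_above=-10 required=6.6
\ttests=[BAYES_00=-1.9, EM_ROLEX=0.618, HELO_NO_DOMAIN=0.001,
\tHTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242,
\tRDNS_NONE=0.793, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725,
\tURIBL_DBL_SPAM=1.7, URIBL_SBL=1.623, URIBL_WS_SURBL=1.608,
\tURI_HEX=1.122] autolearn=no"""

# Grouping by rule-name pattern: an assumption made for this example.
FAMILIES = [
    ("uri_blocklist", re.compile(r"^(T_)?URIBL_")),   # URI domains vs. blocklists
    ("uri_shape", re.compile(r"^(URI_|NUMERIC_HTTP|NORMAL_HTTP)")),  # how URIs are written
    ("relay", re.compile(r"^(RDNS_|HELO_)")),          # checks on the connecting client
    ("bayes", re.compile(r"^BAYES_")),
]

def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)         # unfold continuation lines
    m = re.search(r"score=(-?[\d.]+).*?required=(-?[\d.]+).*?tests=\[([^\]]*)\]", flat)
    if not m:
        raise ValueError("no score/required/tests fields in header")
    rules = {}
    for item in m.group(3).split(","):
        name, _, points = item.strip().partition("=")
        if name:
            rules[name] = float(points) if points else 0.0
    return float(m.group(1)), float(m.group(2)), rules

def family_of(name):
    return next((fam for fam, rx in FAMILIES if rx.search(name)), "other")

def by_family(rules):
    totals = defaultdict(float)
    for name, points in rules.items():
        totals[family_of(name)] += points
    return {fam: round(total, 3) for fam, total in totals.items()}

def score_without(rules, family):
    """Score the message would have had if one rule family had not fired."""
    return round(sum(p for n, p in rules.items() if family_of(n) != family), 3)

if __name__ == "__main__":
    score, required, rules = parse_spam_status(HEADER)
    print(by_family(rules), score_without(rules, "uri_blocklist") >= required)
```

On the posted header the URIBL_* family contributes 6.666 of the 8.544 points, which is already above the required 6.6; without it the score would be 1.878.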
  #3 (permalink)  
Old 11-11-2010, 03:58 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by Labsy View Post
Another weird thing I discovered:
When I Forward daily mail statistics FROM admin in my Zimbra server TO my address on the same Zimbra server, message is marked as PROBABLY SPAM!!??
Huh?
Server is 100% clean, has never been listed in any blacklist, not even for a second! How is it possible that Zimbra marks its own message as probable spam based on URIBL?
Any explanation?
It's most likely not the server that's the problem. I'd guess you have the "X-Originating-IP" header set in the Admin UI and you're connecting from an external (to the Zimbra LAN) IP, is that correct? If that's what's happening then unchecking that option should fix the problem; there's also an RFE for stopping Zimbra from doing a spam check on local mail.
__________________
Regards


Bill
  #4 (permalink)  
Old 11-11-2010, 04:20 AM
Advanced Member
 
Posts: 222

Hi Phoenix,
thank you for quick reply!

Regarding connection from LAN...NO, I forwarded mail from Zimbra's WEBMAIL from admin account to my private account, so I was connected directly to Zimbra.
Weird...

And YES, I have "Add X-Originating IP" checked, but I wanted it so, for security and easier tracking.

But under the same tab (Global Server Settings --> MTA) I have a few problems:

Authentication

Enable authentication YES
TLS authentication only YES

Network
Web mail MTA Hostnames: localhost (PROBLEM: each of hosted domain uses "webmail.domain.com" FQDN to access webmail, but I don't want to enter one by one domain here...there are more than 100 domains)
Web mail MTA Port: 25
Relay MTA for external delivery: <empty>
If your MX records point to a spam-relay or any other external non-zimbra server, enter the name of that server in "Inbound SMTP host name" field.
Inbound SMTP host name: <empty> (PROBLEM: 50% of hosted domains have redundant antispam filter proxy for MX, and there is a cluster of 12 servers, configured as 3 MX records and also round-robin on DNS. So I cannot enter only 1 of them here, should be all 12 listed...but interface accepts only 1 entry.)
Enable DNS lookups: YES

Messages
Maximum message size (kb): 80000
Add X-Originating-IP to messages: YES
Protocol checks
Hostname in greeting violates RFC (reject_invalid_hostname) NO
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) NO
Sender address must be fully qualified (reject_non_fqdn_sender) YES
DNS checks
Client's IP address (reject_unknown_client) NO
Hostname in greeting (reject_unknown_hostname) NO
Sender's domain (reject_unknown_sender_domain) YES
List of RBLs: EMPTY

Might some of these settings be problematic?
  #5 (permalink)  
Old 11-11-2010, 04:50 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by Labsy View Post
Hi Phoenix,
thank you for quick reply!

Regarding connection from LAN...NO, I forwarded mail from Zimbra's WEBMAIL from admin account to my private account, so I was connected directly to Zimbra.
I understand that but my point was - are you on the same LAN as your Zimbra server or were you on an external IP? If you are on an external IP and you have the X-Originating-IP enabled then you will get the spam checks for the external IP not the Zimbra server IP.

Quote:
Originally Posted by Labsy View Post
And YES, I have "Add X-Originating IP" checked, but I wanted it so, for security and easier tracking.
That's OK but it may cause problems for the reason stated above.

Quote:
Originally Posted by Labsy View Post
But under the same tab (Global Server Settings --> MTA) I have a few problems:

Authentication

Enable authentication YES
TLS authentication only YES

Network
Web mail MTA Hostnames: localhost (PROBLEM: each of hosted domain uses "webmail.domain.com" FQDN to access webmail, but I don't want to enter one by one domain here...there are more than 100 domains)
Web mail MTA Port: 25
Relay MTA for external delivery: <empty>
If your MX records point to a spam-relay or any other external non-zimbra server, enter the name of that server in "Inbound SMTP host name" field.
Inbound SMTP host name: <empty> (PROBLEM: 50% of hosted domains have redundant antispam filter proxy for MX, and there is a cluster of 12 servers, configured as 3 MX records and also round-robin on DNS. So I cannot enter only 1 of them here, should be all 12 listed...but interface accepts only 1 entry.)
Enable DNS lookups: YES

Messages
Maximum message size (kb): 80000
Add X-Originating-IP to messages: YES
Protocol checks
Hostname in greeting violates RFC (reject_invalid_hostname) NO
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) NO
Sender address must be fully qualified (reject_non_fqdn_sender) YES
DNS checks
Client's IP address (reject_unknown_client) NO
Hostname in greeting (reject_unknown_hostname) NO
Sender's domain (reject_unknown_sender_domain) YES
List of RBLs: EMPTY

Might some of these settings be problematic?
The 'problematic' entry from my point of view would be that there is nothing in your RBL list. I also don't find the following particularly useful:

Code:
Sender address must be fully qualified (reject_non_fqdn_sender) 
Sender's domain (reject_unknown_sender_domain)
I only use the following Protocol check & RBLs and I don't have any great spam problem:

Code:
Hostname in greeting violates RFC (reject_invalid_hostname)

zen.spamhaus.org
psbl.surriel.com
dnsbl.dronebl.org
bl.spameatingmonkey.net
Most of the spam gets rejected by the Spamhaus RBL. You also haven't mentioned your Kill/Tag percentages, what are they set at? Is there any specific reason you don't use any RBLs?

Don't forget that tuning your anti-spam system is specific to your environment and there is no one 'right way' to do it; adding RBLs and Kill/Tag changes might be a good place to start.
__________________
Regards


Bill
  #6 (permalink)  
Old 11-11-2010, 12:43 PM
Advanced Member
 
Posts: 222

Thanx, Phoenix,

I removed "X-Originating IP" from headers, since some of our customers are actually on suspicious IP subnets, and also nobody can be on Zimbra server's LAN subnet, since it is hosting server, separated from any other computer.

Also I added some RBLs.
Regarding RBL...where did Zimbra get all those *RBL* X-header tags in message scoring, if there was no RBL entered? I assumed there must be some default RBLs, which are not shown.