Thread: A lot of deferred and bounced messages

  1. #1
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5

    Default A lot of deferred and bounced messages

    Hi,

    on my ZCS I host approx. 100 domains and I notice a lot of messages from <> and <localhost> sent out and being refused by the recipient server. For example, these are my DAILY statistics for yesterday:

    Grand Totals
    ------------
    messages

    6588 received
    8341 delivered
    0 forwarded
    28 deferred (485 deferrals)
    52 bounced
    480 rejected (5%)
    0 reject warnings
    0 held
    0 discarded (0%)

    Host/Domain Summary: Messages Received (top 50)
    msg cnt bytes host/domain
    -------- ------- -----------
    1596 162061k localhost
    1137 94897k someproperdomain.com
    235 151504k gmail.com
    ....etc

    top 50 Senders by message count
    -------------------------------
    3192 from=<>
    230 one.user@one-of-domains.com
    120 another.user@another-domain.com
    ...etc

    And one example from log, one of deferred messages:
    Code:
    0892220C1CD     4759 Sun Nov  7 18:30:03  MAILER-DAEMON
    (host alt1.gmail-smtp-in.l.google.com[74.125.127.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450 4.2.1 visit http://mail.google.com/support/bin/answer.py?answer=6592 c22si2926382ana.195 (in reply to RCPT TO command))
                                             joelpeterson1977@gmail.com
    (I'd love to see headers of this message, but when trying to go into postfix mail queue directory, I get Access denied, and also when issuing command postcat -q 0892220C1CD as zimbra user, I get Permission denied.)

    Is such a behaviour normal?
    I mean, so many messages from <> and <localhost> being in DEFERRED queue?
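
A way to triage a queue like the one described in the post above, as an added example that is not part of the original thread: it parses `mailq` / `postqueue -p` style output and counts deferred entries by envelope sender and by the remote SMTP reply code. `mailq` shows the null sender `<>` as MAILER-DAEMON, so a high count there means queued bounce notifications. The sample queue is constructed, and the regex assumes the short hexadecimal queue IDs seen in the post.

```python
import re
from collections import Counter

# Constructed sample in `mailq` layout; the first entry is modelled on the
# one quoted in the post, the addresses and other entries are invented.
SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0892220C1CD     4759 Sun Nov  7 18:30:03  MAILER-DAEMON
(host alt1.gmail-smtp-in.l.google.com[74.125.127.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that prevents delivery (in reply to RCPT TO command))
                                         recipient1@gmail.example

1A2B3C4D5E6     2210 Sun Nov  7 18:41:10  MAILER-DAEMON
(connect to mx.invalid.example[192.0.2.10]:25: Connection timed out)
                                         forged.sender@invalid.example

2B3C4D5E6F7*   10422 Sun Nov  7 19:02:55  one.user@one-of-domains.example
                                         customer@partner.example

-- 17 Kbytes in 3 Requests.
"""

HEAD = re.compile(r"^([0-9A-F]+)([*!]?)\s+(\d+)\s+\w{3} \w{3}\s+\d+ [\d:]{8}\s+(\S+)$")
CODE = re.compile(r"said: (\d{3})")

def parse_queue(text):
    """Return one dict per queue entry: id, sender, reason, recipients."""
    entries = []
    for block in text.split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        lines = [l for l in lines if not l.startswith("-")]  # column header / footer
        if not lines or not (m := HEAD.match(lines[0])):
            continue
        reason = next((l for l in lines[1:] if l.startswith("(")), "")
        rcpts = [l for l in lines[1:] if not l.startswith("(")]
        entries.append({"id": m[1], "sender": m[4], "reason": reason, "rcpts": rcpts})
    return entries

def summarize(entries):
    """Count deferred entries (those with a reason) by sender and SMTP reply code."""
    deferred = [e for e in entries if e["reason"]]
    by_sender = Counter(e["sender"] for e in deferred)
    by_code = Counter((CODE.search(e["reason"]) or [None, "no-reply"])[1] for e in deferred)
    return by_sender, by_code

if __name__ == "__main__":
    print(summarize(parse_queue(SAMPLE)))
```

Many deferred MAILER-DAEMON entries addressed to recipients the server never corresponded with indicate that mail is being accepted first and bounced afterwards, rather than rejected during the SMTP session.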

  2. #2
    Labsy is offline Elite Member

    Another weird thing I discovered:
    When I Forward daily mail statistics FROM admin in my Zimbra server TO my address on the same Zimbra server, message is marked as PROBABLY SPAM!!??
    Huh?
    Server is 100% clean, has never been listed in any blacklist, not even for a second! How is it possible that Zimbra marks its own message as probable spam based on URIBL?
    Any explanation?
    Code:
    Return-Path: admin@zimbra.server.com
    Received: from zimbra.server.com (LHLO zimbra.server.com)
     (195.246.15.126) by zimbra.server.com with LMTP; Thu, 11 Nov 2010
     12:27:24 +0100 (CET)
    Received: from localhost (localhost [127.0.0.1])
    	by zimbra.server.com (Postfix) with ESMTP id 5AF6120C1C2
    	for <labsy@mydomain.com>; Thu, 11 Nov 2010 12:27:24 +0100 (CET)
    X-Virus-Scanned: amavisd-new at zimbra.server.com
    X-Spam-Flag: YES
    X-Spam-Score: 8.544
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.544 tagged_above=-10 required=6.6
    	tests=[BAYES_00=-1.9, EM_ROLEX=0.618, HELO_NO_DOMAIN=0.001,
    	HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242,
    	RDNS_NONE=0.793, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725,
    	URIBL_DBL_SPAM=1.7, URIBL_SBL=1.623, URIBL_WS_SURBL=1.608,
    	URI_HEX=1.122] autolearn=no
    Received: from zimbra.server.com ([127.0.0.1])
    	by localhost (zimbra.server.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id PE1CJW69HnPK for <labsy@mydomain.com>;
    	Thu, 11 Nov 2010 12:27:19 +0100 (CET)
    Received: from zimbra.server.com (zimbra.server.com [195.246.15.126])
    	by zimbra.server.com (Postfix) with ESMTP id A257F20C053
    	for <labsy@mydomain.com>; Thu, 11 Nov 2010 12:27:19 +0100 (CET)
    Date: Thu, 11 Nov 2010 12:27:19 +0100 (CET)
    From: admin@zimbra.server.com
    To: andrej  <labsy@mydomain.com>
    Message-ID: <365315637.17084.1289474839560.JavaMail.root@zimbra.server.com>
    In-Reply-To: <20101110223009.3F7EE20C03E@zimbra.server.com>
    Subject: - PROBABLY SPAM -Fwd: Daily mail report for 2010-11-10
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
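
A breakdown of the X-Spam-Status header quoted in the post above, as an added example that is not part of the original thread. The `URIBL_*` names are SpamAssassin rules that look up the domains of links found in the message body, which is a different mechanism from the MTA's "List of RBLs" check on the connecting client's IP address. The grouping labels in `FAMILIES` are this example's own assumption, not SpamAssassin output.

```python
import re

# X-Spam-Status value as quoted in the post (folded header lines joined).
HEADER = (
    "Yes, score=8.544 tagged_above=-10 required=6.6 "
    "tests=[BAYES_00=-1.9, EM_ROLEX=0.618, HELO_NO_DOMAIN=0.001, "
    "HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, "
    "RDNS_NONE=0.793, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725, "
    "URIBL_DBL_SPAM=1.7, URIBL_SBL=1.623, URIBL_WS_SURBL=1.608, "
    "URI_HEX=1.122] autolearn=no"
)

# Assumed grouping for this example: rule-name pattern -> what the rule inspects.
FAMILIES = [
    (re.compile(r"URIBL"), "URI blocklist lookups on links in the body"),
    (re.compile(r"^(URI_|NUMERIC_HTTP|NORMAL_HTTP)"), "shape of links in the body"),
    (re.compile(r"^(RDNS_|HELO_)"), "relay checks from Received headers"),
    (re.compile(r"^BAYES_"), "Bayes classifier"),
]

def parse_status(value):
    """Return (score, required, {rule: points}) from an X-Spam-Status value."""
    score = float(re.search(r"score=(-?[\d.]+)", value)[1])
    required = float(re.search(r"required=(-?[\d.]+)", value)[1])
    tests = re.search(r"tests=\[(.*?)\]", value, re.S)[1]
    rules = {n: float(p) for n, p in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", tests)}
    return score, required, rules

def by_family(rules):
    """Sum points per rule family; unmatched rules fall into a catch-all."""
    totals = {}
    for name, pts in rules.items():
        label = next((lab for rx, lab in FAMILIES if rx.search(name)), "other content rules")
        totals[label] = round(totals.get(label, 0.0) + pts, 3)
    return totals

def score_without(rules, pattern):
    """Total score if every rule whose name matches `pattern` had not fired."""
    return round(sum(p for n, p in rules.items() if not re.search(pattern, n)), 3)

if __name__ == "__main__":
    score, required, rules = parse_status(HEADER)
    for label, pts in sorted(by_family(rules).items(), key=lambda kv: -kv[1]):
        print(f"{pts:7.3f}  {label}")
    print("without URIBL rules:", score_without(rules, "URIBL"), "required:", required)
```

On this header the URI blocklist rules alone contribute 6.666 of the 8.544 points, and without them the message scores 1.878, below the 6.6 threshold.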

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,566
    Rep Power
    57

    Default

    Quote: Originally Posted by Labsy
    Another weird thing I discovered:
    When I Forward daily mail statistics FROM admin in my Zimbra server TO my address on the same Zimbra server, message is marked as PROBABLY SPAM!!??
    Huh?
    Server is 100% clean, has never been listed in any blacklist, not even for a second! How is it possible that Zimbra marks its own message as probable spam based on URIBL?
    Any explanation?
    It's most likely not the server that's the problem. I'd guess you have the "X-Originating-IP" header set in the Admin UI and you're connecting from an external (to the Zimbra LAN) IP, is that correct? If that's what's happening then unchecking that option should fix the problem, there's also an RFE for stopping Zimbra from doing a spam check on local mail.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    Labsy is offline Elite Member

    Hi Phoenix,
    thank you for the quick reply!

    Regarding connection from LAN...NO, I forwarded mail from Zimbra's WEBMAIL from admin account to my private account, so I was connected directly to Zimbra.
    Weird...

    And YES, I have "Add X-Originating IP" checked, but I wanted it to be so, for security and easier tracking.

    But under the same tab (Global Server Settings --> MTA) I have a few problems:

    Authentication

    Enable authentication YES
    TLS authentication only YES

    Network
    Web mail MTA Hostnames: localhost (PROBLEM: each hosted domain uses a "webmail.domain.com" FQDN to access webmail, but I don't want to enter the domains here one by one...there are more than 100 domains)
    Web mail MTA Port: 25
    Relay MTA for external delivery: <empty>
    If your MX records point to a spam-relay or any other external non-zimbra server, enter the name of that server in "Inbound SMTP host name" field.
    Inbound SMTP host name: <empty> (PROBLEM: 50% of hosted domains have redundant antispam filter proxy for MX, and there is a cluster of 12 servers, configured as 3 MX records and also round-robin on DNS. So I cannot enter only 1 of them here, should be all 12 listed...but interface accepts only 1 entry.)
    Enable DNS lookups: YES

    Messages
    Maximum message size (kb): 80000
    Add X-Originating-IP to messages: YES
    Protocol checks
    Hostname in greeting violates RFC (reject_invalid_hostname) NO
    Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) NO
    Sender address must be fully qualified (reject_non_fqdn_sender) YES
    DNS checks
    Client's IP address (reject_unknown_client) NO
    Hostname in greeting (reject_unknown_hostname) NO
    Sender's domain (reject_unknown_sender_domain) YES
    List of RBLs: EMPTY

    Might some of these settings be problematic?

  5. #5
    phoenix is offline Zimbra Consultant & Moderator

    Quote: Originally Posted by Labsy
    Hi Phoenix,
    thank you for the quick reply!

    Regarding connection from LAN...NO, I forwarded mail from Zimbra's WEBMAIL from admin account to my private account, so I was connected directly to Zimbra.
    I understand that but my point was - are you on the same LAN as your Zimbra server or were you on an external IP? If you are on an external IP and you have the X-Originating-IP enabled then you will get the spam checks for the external IP not the Zimbra server IP.

    Quote: Originally Posted by Labsy
    And YES, I have "Add X-Originating IP" checked, but I wanted it to be so, for security and easier tracking.
    That's OK but it may cause problems for the reason stated above.

    Quote: Originally Posted by Labsy
    But under the same tab (Global Server Settings --> MTA) I have a few problems:

    Authentication

    Enable authentication YES
    TLS authentication only YES

    Network
    Web mail MTA Hostnames: localhost (PROBLEM: each hosted domain uses a "webmail.domain.com" FQDN to access webmail, but I don't want to enter the domains here one by one...there are more than 100 domains)
    Web mail MTA Port: 25
    Relay MTA for external delivery: <empty>
    If your MX records point to a spam-relay or any other external non-zimbra server, enter the name of that server in "Inbound SMTP host name" field.
    Inbound SMTP host name: <empty> (PROBLEM: 50% of hosted domains have redundant antispam filter proxy for MX, and there is a cluster of 12 servers, configured as 3 MX records and also round-robin on DNS. So I cannot enter only 1 of them here, should be all 12 listed...but interface accepts only 1 entry.)
    Enable DNS lookups: YES

    Messages
    Maximum message size (kb): 80000
    Add X-Originating-IP to messages: YES
    Protocol checks
    Hostname in greeting violates RFC (reject_invalid_hostname) NO
    Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) NO
    Sender address must be fully qualified (reject_non_fqdn_sender) YES
    DNS checks
    Client's IP address (reject_unknown_client) NO
    Hostname in greeting (reject_unknown_hostname) NO
    Sender's domain (reject_unknown_sender_domain) YES
    List of RBLs: EMPTY

    Might some of these settings be problematic?
    The 'problematic' entry from my point of view would be that there is nothing in your RBL list, I also don't find the following particularly useful:

    Code:
    Sender address must be fully qualified (reject_non_fqdn_sender) 
    Sender's domain (reject_unknown_sender_domain)
    I only use the following Protocol check & RBLs and I don't have any great spam problem:

    Code:
    Hostname in greeting violates RFC (reject_invalid_hostname)
    
    zen.spamhaus.org
    psbl.surriel.com
    dnsbl.dronebl.org
    bl.spameatingmonkey.net
    Most of the spam gets rejected by the Spamhaus RBL. You also haven't mentioned your Kill/Tag percentages, what are they set at? Is there any specific reason you don't use any RBLs?

    Don't forget that tuning your anti-spam system is specific to your environment and there is no one 'right way' to do it, adding RBLs and Kill/Tag changes might be a good place to start.
    Regards


    Bill



  6. #6
    Labsy is offline Elite Member

    Thanx, Phoenix,

    I removed "X-Originating IP" from headers, since some of our customers are actually on suspicious IP subnets, and also nobody can be on the Zimbra server's LAN subnet, since it is a hosting server, separated from any other computer.

    Also I added some RBLs.
    Regarding RBL...where did Zimbra get all those *RBL* X-header tags in message scoring, if there was no RBL entered? I assumed there must be some default RBLs, which are not shown.
