
Thread: MTA Protocol checks don't seem to be working

  1. #1
    jon_w (Junior Member)

    MTA Protocol checks don't seem to be working

    Hello all,

    I've been receiving a lot of spam recently. I've enabled all three protocol checks under admin -> global settings -> MTA. Unfortunately, plenty of spam is still getting through, even though it looks to me as though it should be failing those protocol checks. Here are demo example headers:-

    Code:
    Return-Path: potionaccurate@eudict.com
    Received: from 192.168.1.202 (LHLO <my.external.fqdn.host.name>)
     (192.168.1.202) by <mail.mydomain.org> with LMTP; Wed, 25 Sep 2013 20:16:55
     +1000 (EST)
    Received: from localhost (localhost [127.0.0.1])
    	by <my.external.fqdn.host.name> (Postfix) with ESMTP id 2938E606DB
    	for <jon@mydomain.org>; Wed, 25 Sep 2013 20:16:55 +1000 (EST)
    X-Virus-Scanned: amavisd-new at <mydomain.org>
    X-Spam-Flag: NO
    X-Spam-Score: 6.119
    X-Spam-Level: ******
    X-Spam-Status: No, score=6.119 tagged_above=-10 required=6.6
    	tests=[BAYES_99=3.5, FSL_HELO_NON_FQDN_1=0.001,
    	RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375, RDNS_NONE=0.793,
    	TVD_SPACE_RATIO=0.001] autolearn=no
    Received: from <my.external.fqdn.host.name> ([127.0.0.1])
    	by localhost (<mail.mydomain.org> [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id z3dl2ZVAgqxg for <jon@mydomain.org>;
    	Wed, 25 Sep 2013 20:16:53 +1000 (EST)
    Received: from 286d59c429cd40f (unknown [5.143.196.76])
    	by <my.external.fqdn.host.name> (Postfix) with SMTP id C891C606D1
    	for <jon@mydomain.org>; Wed, 25 Sep 2013 20:16:45 +1000 (EST)
    Received: (from root@localhost) by mail4.eudict.com (8.11.3/8.11.3)
     id k3V7OhN86972; Wed, 25 Sep 2013 10:16:52 -0300 (PDT envelope-from root)
    Date: Wed, 25 Sep 2013 09:51:23 -0300
    Message-Id: <53043801563038.lKxzWbDkHR@genitive>
    X-Mailer: phpmailer [version 1.41]
    X-BeenThere: esquire@mailman.eudict.com
    X-Kaspersky: Checking 
    Content-Type: text/plain;
    	charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    To: <jon@mydomain.org>
    From: "Free trial sample enlargement" <potionaccurate@eudict.com>
    <SNIPPED>

    I'm on version 8.0.4 FOSS. I'd appreciate any help on stopping the spammers.

    Cheers,

    Jon

  2. #2
    quanah (Zimbra Employee)

    There's an absolute dearth of information here. What protocol checks do you have enabled? What protocol checks do you believe are not being followed? What leads you to believe they aren't being followed?
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  3. #3
    jon_w (Junior Member)

    Quanah, thanks. I haven't been able to find the information - if you can point me in the right direction I'd be grateful.

    I have the following protocol and DNS checks enabled.

    Protocol checks:
    Hostname in greeting violates RFC (reject_invalid_hostname)
    Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
    Sender address must be fully qualified (reject_non_fqdn_sender)
    DNS checks:
    Client's IP address (reject_unknown_client)
    Hostname in greeting (reject_unknown_hostname)

    but not reject_unknown_sender_domain. I would have thought that reject_non_fqdn_hostname would stop mail like this:-

    Code:
    Received: from 286d59c429cd40f (unknown [5.143.196.76])
    	by <my.external.fqdn.host.name> (Postfix) with SMTP id C891C606D1
    	for <jon@mydomain.org>; Wed, 25 Sep 2013 20:16:45 +1000 (EST)

    Again, any advice is welcome.

    Cheers,

    Jon

  4. #4
    jon_w (Junior Member)

    Here's an excerpt from zimbra.log. It looks like the mail is getting rejected, but then it gets processed anyway. I'm at a loss.

    Code:
    Oct  1 21:28:02 mail postfix/smtpd[27164]: connect from unknown[91.205.201.27]
    Oct  1 21:28:03 mail postfix/smtpd[27164]: NOQUEUE: filter: RCPT from unknown[91.205.201.27]: <teamworkuhf@yourdictionary.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<teamworkuhf@yourdictionary.com> to=<jon@whitear.org> proto=SMTP helo=<ckonisheva-nn>
    Oct  1 21:28:03 mail postfix/smtpd[27164]: NOQUEUE: filter: RCPT from unknown[91.205.201.27]: <teamworkuhf@yourdictionary.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<teamworkuhf@yourdictionary.com> to=<jon@whitear.org> proto=SMTP helo=<ckonisheva-nn>
    Oct  1 21:28:03 mail postfix/smtpd[27164]: 67E76658FF: client=unknown[91.205.201.27]
    Oct  1 21:28:04 mail postfix/cleanup[27168]: 67E76658FF: message-id=<005501cebeb0$bcc6a6a0$3653f3e0$@com>
    Oct  1 21:28:07 mail postfix/qmgr[26603]: 67E76658FF: from=<teamworkuhf@yourdictionary.com>, size=5965, nrcpt=1 (queue active)
    Oct  1 21:28:07 mail amavis[26192]: (26192-04) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20131001T212609-26192-HYvccI9D: <teamworkuhf@yourdictionary.com> -> <jon@whitear.org> SIZE=5965 Received: from 60-242-25-26.static.tpgi.com.au ([127.0.0.1]) by localhost (mail.whitear.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <jon@whitear.org>; Tue,  1 Oct 2013 21:28:07 +1000 (EST)
    Oct  1 21:28:07 mail amavis[26192]: (26192-04) Checking: Y2fgPcC3jiCY [91.205.201.27] <teamworkuhf@yourdictionary.com> -> <jon@whitear.org>
    Oct  1 21:28:08 mail postfix/smtpd[27164]: disconnect from unknown[91.205.201.27]
    Oct  1 21:28:10 mail postfix/amavisd/smtpd[27801]: 60C5C66378: client=localhost[127.0.0.1]
    Oct  1 21:28:10 mail postfix/cleanup[27926]: 60C5C66378: message-id=<005501cebeb0$bcc6a6a0$3653f3e0$@com>
    Oct  1 21:28:10 mail postfix/amavisd/smtpd[27801]: disconnect from localhost[127.0.0.1]
    Oct  1 21:28:10 mail postfix/qmgr[26603]: 60C5C66378: from=<teamworkuhf@yourdictionary.com>, size=6746, nrcpt=1 (queue active)
    Oct  1 21:28:10 mail amavis[26192]: (26192-04) FWD from <teamworkuhf@yourdictionary.com> -> <jon@whitear.org>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 60C5C66378
    Oct  1 21:28:10 mail amavis[26192]: (26192-04) Passed SPAMMY {RelayedTaggedInbound}, [91.205.201.27]:33569 [91.205.201.27] <teamworkuhf@yourdictionary.com> -> <jon@whitear.org>, Queue-ID: 67E76658FF, Message-ID: <005501cebeb0$bcc6a6a0$3653f3e0$@com>, mail_id: Y2fgPcC3jiCY, Hits: 8.199, size: 5965, queued_as: 60C5C66378, 2704 ms
    Oct  1 21:28:10 mail postfix/smtp[27199]: 67E76658FF: to=<jon@whitear.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.7, delays=5/0/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 60C5C66378)
    Oct  1 21:28:10 mail postfix/qmgr[26603]: 67E76658FF: removed
    Oct  1 21:28:10 mail postfix/lmtp[27970]: 60C5C66378: to=<jon@whitear.org>, relay=mail.whitear.org[192.168.1.202]:7025, delay=0.46, delays=0.22/0/0/0.24, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Oct  1 21:28:10 mail postfix/qmgr[26603]: 60C5C66378: removed

    Here are the headers for that same email:-

    Code:
    Return-Path: teamworkuhf@yourdictionary.com
    Received: from 192.168.1.202 (LHLO 60-242-25-26.static.tpgi.com.au)
     (192.168.1.202) by mail.whitear.org with LMTP; Tue, 1 Oct 2013 21:28:10
     +1000 (EST)
    Received: from localhost (localhost [127.0.0.1])
    	by 60-242-25-26.static.tpgi.com.au (Postfix) with ESMTP id 60C5C66378
    	for <jon@whitear.org>; Tue,  1 Oct 2013 21:28:10 +1000 (EST)
    X-Virus-Scanned: amavisd-new at whitear.org
    X-Spam-Flag: YES
    X-Spam-Score: 8.199
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.199 tagged_above=-10 required=6.6
    	tests=[BAYES_99=3.5, FSL_HELO_NON_FQDN_1=0.001, HTML_MESSAGE=0.001,
    	RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_RP_RNBL=1.31,
    	RCVD_IN_SORBS_WEB=0.77, RCVD_IN_XBL=0.375, RDNS_NONE=0.793]
    	autolearn=no
    Received: from 60-242-25-26.static.tpgi.com.au ([127.0.0.1])
    	by localhost (mail.whitear.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id Y2fgPcC3jiCY for <jon@whitear.org>;
    	Tue,  1 Oct 2013 21:28:07 +1000 (EST)
    Received: from ckonisheva-nn (unknown [91.205.201.27])
    	by 60-242-25-26.static.tpgi.com.au (Postfix) with SMTP id 67E76658FF
    	for <jon@whitear.org>; Tue,  1 Oct 2013 21:28:02 +1000 (EST)
    Received: (qmail 9727 by uid 568); Tue, 1 Oct 2013 11:28:20 -0300
    From: "Enlargement pils Free trials" <teamworkuhf@yourdictionary.com>
    To: <jon@whitear.org>
    Subject: Show the ladies how good you are
    Date: Tue, 1 Oct 2013 11:07:25 -0300
    Message-ID: <005501cebeb0$bcc6a6a0$3653f3e0$@com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0054_01CEBEB0.BCC6A6A0"
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: Acjjp421951/tTzpIk5aBB85VBBhXQ==
    Content-Language: en-us
    This is a multipart message in MIME format.

    My main.cf includes "smtpd_helo_required = yes", but no sign of smtp_helo_restrictions.

    Code:
    zimbra@mail:~/postfix/conf$ cat main.cf | grep helo
    smtp_helo_name = $myhostname
    smtpd_helo_required = yes

    I tried this

    Code:
    zimbra@mail:~/conf/zmconfigd$ zmlocalconfig -e postfix_smtpd_helo_restrictions="reject_non_fqdn_hostname"
    zimbra@mail:~/conf/zmconfigd$ zmcontrol restart

    but that was a bit of guesswork, as I can't find anything about enabling smtp_helo_restrictions.

    Please help. I'm getting swamped with spam. If this was a straight postfix mail server, I could add a single line to the config file and be done, but I've spent hours trying to work out how to do this with Zimbra, and failed.
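
Reading the zimbra.log excerpt above: Postfix logs a restriction that rejects a message as "NOQUEUE: reject:", while "NOQUEUE: filter:" means a restriction matched a FILTER action (here Zimbra's routing into amavis) and the message was accepted and queued. The script below is an added example, not code from Zimbra or Postfix: it classifies such smtpd log lines, pulls the HELO name out of each external "Received:" hop, and tests every HELO value against an approximation of Postfix's reject_non_fqdn_hostname check. The sample log and headers are constructed from the excerpts in this thread, plus one constructed "reject:" line (client 203.0.113.9, a documentation address) so that both outcomes appear.

```python
import re

# Postfix's generic log format: "NOQUEUE: reject:" stops the message,
# "NOQUEUE: filter:" hands it to a content filter and still accepts it.
NOQUEUE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>\w+): RCPT from "
    r"(?P<rdns>\S+?)\[(?P<ip>[^\]]+)\]: .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=\w+ helo=<(?P<helo>[^>]*)>"
)

# "Received: from <helo> (<rdns> [<ip>])" as Postfix writes it for an inbound hop.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?:(?P<rdns>\S+) )?\[(?P<ip>[^\]]+)\]\)",
    re.MULTILINE,
)

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ADDR_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")

# Constructed sample: two lines copied from the zimbra.log excerpt in this thread,
# plus one constructed rejection line (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
Oct  1 21:28:02 mail postfix/smtpd[27164]: connect from unknown[91.205.201.27]
Oct  1 21:28:03 mail postfix/smtpd[27164]: NOQUEUE: filter: RCPT from unknown[91.205.201.27]: <teamworkuhf@yourdictionary.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<teamworkuhf@yourdictionary.com> to=<jon@whitear.org> proto=SMTP helo=<ckonisheva-nn>
Oct  1 21:28:03 mail postfix/smtpd[27164]: 67E76658FF: client=unknown[91.205.201.27]
Oct  1 21:29:15 mail postfix/smtpd[27170]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <laptop>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<jon@whitear.org> proto=SMTP helo=<laptop>
"""

# Constructed sample: the Received chain from the second set of headers above.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby 60-242-25-26.static.tpgi.com.au (Postfix) with ESMTP id 60C5C66378
Received: from 60-242-25-26.static.tpgi.com.au ([127.0.0.1])
\tby localhost (mail.whitear.org [127.0.0.1]) (amavisd-new, port 10024)
Received: from ckonisheva-nn (unknown [91.205.201.27])
\tby 60-242-25-26.static.tpgi.com.au (Postfix) with SMTP id 67E76658FF
"""


def helo_is_fqdn(name):
    """Approximation of Postfix reject_non_fqdn_hostname: an address literal
    such as [192.0.2.10] passes; otherwise every label must be valid, there
    must be at least one dot, and the name must not be purely numeric
    (a bare IP without brackets is not a hostname)."""
    if ADDR_LITERAL_RE.match(name):
        return True
    if "." not in name or len(name) > 255:
        return False
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return False
    return any(ch.isalpha() for ch in name)


def classify_smtpd_log(log_text):
    """One record per NOQUEUE line: the action taken, the HELO name,
    whether that name is an FQDN, and whether the message was still delivered."""
    records = []
    for m in NOQUEUE_RE.finditer(log_text):
        rec = m.groupdict()
        rec["helo_fqdn"] = helo_is_fqdn(rec["helo"])
        rec["delivered"] = rec["action"] != "reject"
        records.append(rec)
    return records


def explain(rec):
    """Human-readable verdict for one classified log record."""
    if rec["action"] == "reject":
        return f"{rec['ip']} helo=<{rec['helo']}>: rejected at RCPT; never queued"
    note = "" if rec["helo_fqdn"] else " (HELO is not an FQDN)"
    return (f"{rec['ip']} helo=<{rec['helo']}>: restriction matched a "
            f"{rec['action'].upper()} action, message still accepted and queued{note}")


def audit_received_headers(headers):
    """HELO name and client IP of every non-loopback 'Received: from' hop,
    flagged with whether the HELO name would satisfy reject_non_fqdn_hostname."""
    return [
        {**m.groupdict(), "helo_fqdn": helo_is_fqdn(m.group("helo"))}
        for m in RECEIVED_RE.finditer(headers)
        if not m.group("ip").startswith("127.")
    ]


if __name__ == "__main__":
    for rec in classify_smtpd_log(SAMPLE_LOG):
        print(explain(rec))
    for hop in audit_received_headers(SAMPLE_HEADERS):
        print(f"hop from {hop['ip']} helo={hop['helo']} fqdn={hop['helo_fqdn']}")
```

Run over the thread's own log line, the script reports that the restriction which fired was a FILTER, not a REJECT, which is why the message went on to amavis and was delivered. Postfix also supports prefixing a restriction with warn_if_reject, which logs the outcome as "NOQUEUE: reject_warning:" without refusing the mail; the classifier above treats that as delivered, so running it over a day of logs gives a count of how much legitimate traffic a HELO rejection would have bounced before anything is actually rejected.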

  5. #5
    LMStone (Moderator)

    The default Zimbra thresholds are set high for safety's sake, to avoid "false positives", i.e. legitimate email incorrectly identified as spam.

    Plenty of spam will get by the Protocol checks, and some of those checks can create false positives as too many large email systems are not fully RFC compliant.

    What I would recommend however is to lower the "Tag percent" to somewhere between 19 and 25 (Admin Console > Configuration > Global Settings > AS/AV tab). An X-Spam-Score of 6 or higher (see your sample header) is in our experience almost always true spam, so getting emails flagged as spam when their score is 4 or above is generally (but not always) safe.

    Zimbra have indicated they are devoting resources to improving Zimbra's built-in implementation of SpamAssassin and documenting how users can customize it. They started a new wiki page and I contributed our current best practices here: https://wiki.zimbra.com/wiki/SpamAss...Customizations

    Hope that helps,
    Mark

  6. #6
    jon_w (Junior Member)

    Mark,

    Thanks for your reply. The spam I'm getting is all sent by hosts that HELO with a non-FQDN. I have two fundamental questions:

    1) Am I right in thinking that to reject hosts that HELO with a non-FQDN, I need to have both "smtpd_helo_required = yes" and "smtpd_helo_restrictions=reject_non_fqdn_hostname" in /opt/zimbra/postfix/conf/main.cf?

    2) If so, how do I set "smtpd_helo_restrictions=reject_non_fqdn_hostname" ?

    Thanks.

    Jon

  7. #7
    LMStone (Moderator)

    Hi Jon,

    A few things (apologies if I am telling you something you already know):

    First, lots and lots of legitimate email servers fail to HELO with an FQDN. If you configure Postfix to start rejecting outright things like that you will end up with a lot of false positives for sure and upset end users. I know why you want to do it, but I wouldn't.

    Second, modifying Zimbra to have the Postfix MTA do things the Zimbra devs haven't yet put in there means modifying zmmta.cf and often adding a localconfig variable too. That means upgrades will become a big pain, so while we used to do this fairly frequently (because we have both a lot of Postfix as well as Zimbra experience), we've essentially stopped because it's not worth it. If you feel strongly about having something in there, fill out a bugzilla and then pitch it in the forums to get people to vote for it. Zimbra pre-VMware did a good job of listening to customers, and I have the sense that post-VMware they will do a lot better than under VMware.

    Third, it's true that any filtering you can do at the MTA level is very resource-efficient; putting emails through Amavis's SpamAssassin, ClamAV plus whatever other tests you care to add uses a lot of I/O and CPU. But, nowadays, CPU, RAM and IOPs are plentiful, cheap and easily allocated or deallocated via virtualization. Consequently, in the past few years we've spent more time tweaking the AS/AV portions of Zimbra over the MTA portion.

    To that end, yes, currently Zimbra's out-of-the-box anti-spam is way too conservative IMHO. But if you add in Razor2, Pyzor, a few good RBLs and jack up a few of the SpamAssassin scores along with a few protocol checks at the MTA level, we've been able to see pretty darn good results -- with Zimbra upgrades being much, much easier now. That's the direction I'd suggest you pursue.

    S'OK?

    All the best,
    Mark

  8. #8
    jon_w (Junior Member)

    Mark,

    Thanks once again for your reply, and especially so for taking the time to put me on the right path.

    I hadn't appreciated that many legit mail servers HELO with a non-FQDN, so I shall not proceed down the HELO restrictions path. I thought I was just missing something obvious not being able to set smtpd_helo_restrictions, but your explanation makes it clear that Zimbra's config in that regard is intentional.

    Instead I'll look at tweaking Zimbra's anti-spam settings per the wiki article you've linked to.

    Thanks again.

    Jon
