Mail from Outside our Domain not Stored

Lamar Milligan lmilligan at co.walton.ga.us
Thu Jun 13 13:15:55 UTC 2019 

Here are maillog extracts from our sendmail server for messages to and from 
my Gmail account.  I did hide my Gmail address in the logs.



[root at mail log]# grep address  maillog|grep Jun\ 13

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: 
to=<address at gmail.com>, delay=00:00:00, mailer=esmtp, pri=35430, stat=queued

Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message 
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com with 
subject Test Message

Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=< 
address at gmail.com>, delay=00:01:02, xdelay=00:01:00, mailer=esmtp, 
pri=125430, relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0, 
stat=Sent (OK  1560430357 a64si1019447yba.91 - gsmtp)

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: from=< 
address at gmail.com>, size=4489, class=0, nrcpts=1, 
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>, 
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]

Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from 
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam, 
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam, 
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, 
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)

Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message 
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us with 
subject Re: Test Message



[root at mail log]# grep x5DCpZVS029638 maillog

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: 
from=<lmilligan at co.walton.ga.us>, size=5430, class=0, nrcpts=1, 
msgid=<000001d521e6$bb9dbfd0$32d93f70$@co.walton.ga.us>, bodytype=7BIT, 
proto=ESMTP, daemon=MTA, relay=zimbra1 [192.168.32.47]

Jun 13 08:51:35 mail opendkim[2320]: x5DCpZVS029638: DKIM-Signature field 
added (s=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5, d=co.walton.ga.us)

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1): 
header: DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; 
d=co.walton.ga.us;\n\ts=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5; 
t=1560430295;\n\tbh=CSJ2rlhIjlClMMaj7t9SswqeupTOa7unO4OXOq2PwNc=;\n\th=Reply-To:From:To:Subject:Date:From;\n\tb=uvX8sa9j4g3GZc9r94bLrYNJj4FqJoin1EItnitkB+cPWrAKf147nfTTNGOofBTK8\n\t 
rEPD90/OGACQwNG5VaQh433tMaB7sPSlhrfAMQsmj9hLHPZ1iUk0NDQNXn1293KqMS\n\t 
naHcHSbwzQIqG7O6TrjtPaPKXWHgZ1KnJ2zpY5QQ=

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1): 
header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mail.co.walton.ga.us 
x5DCpZVS029638

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: to=< 
address at gmail.com>, delay=00:00:00, mailer=esmtp, pri=35430, stat=queued

Jun 13 08:51:37 mail MailScanner[20868]: Message x5DCpZVS029638 from 
192.168.32.47 (lmilligan at co.walton.ga.us) to gmail.com is not spam, 
SpamAssassin (not cached, score=-2.699, required 5, ALL_TRUSTED -1.00, 
BAYES_00 -1.90, DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_MESSAGE 0.00)

Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message 
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com with 
subject Test Message

Jun 13 08:51:37 mail MailScanner[20868]: MailWatch: Logging message 
x5DCpZVS029638 to SQL

Jun 13 08:51:37 mail MailScanner[29472]: MailWatch: x5DCpZVS029638: Logged 
to MailWatch SQL

Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=< 
address at gmail.com>, delay=00:01:02, xdelay=00:01:00, mailer=esmtp, 
pri=125430, relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0, 
stat=Sent (OK  1560430357 a64si1019447yba.91 - gsmtp)



 [root at mail log]# grep x5DCrN44029857 maillog

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: from=< 
address at gmail.com>, size=4489, class=0, nrcpts=1, 
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>, 
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: 
mail-qk1-f180.google.com [209.85.222.180] not internal

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: not authenticated

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: DKIM verification 
successful

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1): 
header: Authentication-Results:  mail.co.walton.ga.us;\n\tdkim=pass 
(2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QvRSmgcU"

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1): 
header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mail.co.walton.ga.us 
x5DCrN44029857

Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from 
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam, 
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam, 
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, 
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)

Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message 
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us with 
subject Re: Test Message

Jun 13 08:53:26 mail MailScanner[27531]: MailWatch: Logging message 
x5DCrN44029857 to SQL

Jun 13 08:53:26 mail MailScanner[29472]: MailWatch: x5DCrN44029857: Logged 
to MailWatch SQL

Jun 13 08:53:26 mail sendmail[29883]: x5DCrN44029857: 
to=lmilligan at zimbra1.co.walton.ga.us, delay=00:00:03, xdelay=00:00:00, 
mailer=esmtp, pri=124489, relay=zimbra1.co.walton.ga.us. [192.168.32.47], 
dsn=2.0.0, stat=Sent (Ok: queued as 7A9B2E17EE)



I hope there is something in here that explains this behavior, but I cannot 
see it.  Thanks so much for looking at this, it has bugged me for months!



Lamar



From: MailScanner 
<mailscanner-bounces+lmilligan=co.walton.ga.us at lists.mailscanner.info> On 
Behalf Of Shawn Iverson via MailScanner
Sent: Wednesday, June 12, 2019 7:34 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <iversons at rushville.k12.in.us>
Subject: Re: Mail from Outside our Domain not Stored



Hehe, missed that line, so the line is being read, this is very bizzare...



In any case, maillogs are going to be the next logical step.



On Wed, Jun 12, 2019 at 5:09 PM Antony Stone 
<Antony.Stone at mailscanner.open.source.it 
<mailto:Antony.Stone at mailscanner.open.source.it> > wrote:

On Wednesday 12 June 2019 at 22:32:28, Shawn Iverson via MailScanner wrote:

> I do see a subtle clue...
>
> 1)  The "X-Spam-Status: No" is actually not present.

Erm, yes it is?

X-Spam-Status: No, score=3.451 required=6 
tests=[ALL_TRUSTED=-1,BAYES_50=0.8,
        DKIM_SIGNED=0.1, DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.25,
        LOCAL_COUNTRY=2.2, LOCAL_NOTFROM_TTLD=2.2, MAILING_LIST_MULTI=-1,
        SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no

> "X-Spam-Flag: NO" is actually coming from amavisd-new on the next hop (the
> Zimbra mail server itself, I think) and hence why it is so far up in the
> Received chain.

Indeed - that's different.

> 2) Becuase X-Spam-Status is not there, the Non Spam Actions appears to 
> have
> been ignored for some reason.

I'm not so sure (but then again I'm not at all sure about this one).

> At this point, we are going to need a maillog of an inbound message that
> fails to get quarantined, along with a maillog of an outbound message that
> is being quarantined for further clues.

Sounds good to me.


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens

                                                   Please reply to the list;
                                                         please *don't* CC 
me.


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info 
<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner



-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 option 7

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190613/2cc418a3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~WRD000.jpg
Type: image/jpeg
Size: 823 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190613/2cc418a3/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 440 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190613/2cc418a3/attachment-0001.jpg>

More information about the MailScanner mailing list