Mail from Outside our Domain not Stored
Lamar Milligan
lmilligan at co.walton.ga.us
Thu Jun 13 13:40:32 UTC 2019
I forgot to include headers from an external email that should be stored but
was not. Here is a sample:
[root at mail log]# grep x5DDUaQ2002792 maillog
Jun 13 09:30:39 mail sendmail[2792]: x5DDUaQ2002792:
from=<bowman at myxpal.agency>, size=9664, class=0, nrcpts=1,
msgid=<dax6N5S39289cyj.ojf90A71YAB8nys at Myxpal.agency> , proto=ESMTP,
daemon=MTA, relay=69-94-156-238.nca.lanset.com [69.94.156.238] (may be
forged)
Jun 13 09:30:39 mail opendkim[2320]: x5DDUaQ2002792: [69.94.156.238]
[69.94.156.238] not internal
Jun 13 09:30:39 mail opendkim[2320]: x5DDUaQ2002792: not authenticated
Jun 13 09:30:40 mail opendkim[2320]: x5DDUaQ2002792: bad signature data
Jun 13 09:30:40 mail sendmail[2792]: x5DDUaQ2002792: Milter insert (1):
header: Authentication-Results: mail.co.walton.ga.us;\n\tdkim=fail
reason="signature verification failed" (1024-bit key) header.d=myxpal.agency
header.i=@myxpal.agency header.b="h7s2jlp+"
Jun 13 09:30:40 mail sendmail[2792]: x5DDUaQ2002792: Milter insert (1):
header: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.co.walton.ga.us
x5DDUaQ2002792
Jun 13 09:30:44 mail MailScanner[27531]: RBL checks: x5DDUaQ2002792 found in
SPAMHAUS
Jun 13 09:30:49 mail MailScanner[27531]: Message x5DDUaQ2002792 from
69.94.156.238 (bowman at myxpal.agency) to co.walton.ga.us is spam, SPAMHAUS,
SpamAssassin (not cached, score=7.159, required 5, BAYES_00 -1.90,
DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_IMAGE_RATIO_02 0.44, HTML_MESSAGE
0.00, PYZOR_CHECK 1.39, RCVD_IN_SBL_CSS 3.33, RDNS_DYNAMIC
0.98, SPF_HELO_NONE 0.00, SPF_NONE 0.00, T_HTML_TAG_BALANCE_CENTER 0.01,
URIBL_CSS 0.10, URIBL_CSS_A 0.10, URIBL_DBL_SPAM 2.50)
Jun 13 09:30:49 mail MailScanner[27531]: Non-delivery of spam: message
x5DDUaQ2002792 from bowman at myxpal.agency to bryan.shelton at co.walton.ga.us
with subject <dynamic> to- Help- Pay--Your- Final- Expenses-
Jun 13 09:30:49 mail MailScanner[27531]: Spam Actions: message
x5DDUaQ2002792 actions are store,header
Jun 13 09:30:50 mail MailScanner[27531]: MailWatch: Logging message
x5DDUaQ2002792 to SQL
Jun 13 09:30:50 mail MailScanner[30470]: MailWatch: x5DDUaQ2002792: Logged
to MailWatch SQL
Thanks for your help,
Lamar
From: MailScanner
<mailscanner-bounces+lmilligan=co.walton.ga.us at lists.mailscanner.info> On
Behalf Of Lamar Milligan via MailScanner
Sent: Thursday, June 13, 2019 9:16 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Lamar Milligan <lmilligan at co.walton.ga.us>
Subject: RE: Mail from Outside our Domain not Stored
Here are maillog extracts from our sendmail server for messages to and from
my Gmail account. I did hide my Gmail address in the logs.
[root at mail log]# grep address maillog|grep Jun\ 13
Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: to=<address at gmail.com>,
delay=00:00:00, mailer=esmtp, pri=35430, stat=queued
Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com
with subject Test Message
Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=<address at gmail.com>,
delay=00:01:02, xdelay=00:01:00, mailer=esmtp, pri=125430,
relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0,
stat=Sent (OK 1560430357 a64si1019447yba.91 - gsmtp)
Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: from=<address at gmail.com>,
size=4489, class=0, nrcpts=1,
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>,
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]
Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam,
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam,
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)
Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us
with subject Re: Test Message
[root at mail log]# grep x5DCpZVS029638 maillog
Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638:
from=<lmilligan at co.walton.ga.us>, size=5430, class=0, nrcpts=1,
msgid=<000001d521e6$bb9dbfd0$32d93f70$@co.walton.ga.us>, bodytype=7BIT,
proto=ESMTP, daemon=MTA, relay=zimbra1 [192.168.32.47]
Jun 13 08:51:35 mail opendkim[2320]: x5DCpZVS029638: DKIM-Signature field
added (s=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5, d=co.walton.ga.us)
Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1):
header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=co.walton.ga.us;\n\ts=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5;
t=1560430295;\n\tbh=CSJ2rlhIjlClMMaj7t9SswqeupTOa7unO4OXOq2PwNc=;\n\th=Reply-To:From:To:Subject:Date:From;\n\tb=uvX8sa9j4g3GZc9r94bLrYNJj4FqJoin1EItnitkB+cPWrAKf147nfTTNGOofBTK8\n\t
rEPD90/OGACQwNG5VaQh433tMaB7sPSlhrfAMQsmj9hLHPZ1iUk0NDQNXn1293KqMS\n\t
naHcHSbwzQIqG7O6TrjtPaPKXWHgZ1KnJ2zpY5QQ=
Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1):
header: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.co.walton.ga.us
x5DCpZVS029638
Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: to=<address at gmail.com>,
delay=00:00:00, mailer=esmtp, pri=35430, stat=queued
Jun 13 08:51:37 mail MailScanner[20868]: Message x5DCpZVS029638 from
192.168.32.47 (lmilligan at co.walton.ga.us) to gmail.com is not spam,
SpamAssassin (not cached, score=-2.699, required 5, ALL_TRUSTED -1.00,
BAYES_00 -1.90, DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_MESSAGE 0.00)
Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com
with subject Test Message
Jun 13 08:51:37 mail MailScanner[20868]: MailWatch: Logging message
x5DCpZVS029638 to SQL
Jun 13 08:51:37 mail MailScanner[29472]: MailWatch: x5DCpZVS029638: Logged
to MailWatch SQL
Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=<address at gmail.com>,
delay=00:01:02, xdelay=00:01:00, mailer=esmtp, pri=125430,
relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0,
stat=Sent (OK 1560430357 a64si1019447yba.91 - gsmtp)
[root at mail log]# grep x5DCrN44029857 maillog
Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: from=<address at gmail.com>,
size=4489, class=0, nrcpts=1,
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>,
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]
Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857:
mail-qk1-f180.google.com [209.85.222.180] not internal
Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: not authenticated
Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: DKIM verification
successful
Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1):
header: Authentication-Results: mail.co.walton.ga.us;\n\tdkim=pass
(2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QvRSmgcU"
Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1):
header: DKIM-Filter: OpenDKIM Filter v2.11.0 mail.co.walton.ga.us
x5DCrN44029857
Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam,
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam,
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)
Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us
with subject Re: Test Message
Jun 13 08:53:26 mail MailScanner[27531]: MailWatch: Logging message
x5DCrN44029857 to SQL
Jun 13 08:53:26 mail MailScanner[29472]: MailWatch: x5DCrN44029857: Logged
to MailWatch SQL
Jun 13 08:53:26 mail sendmail[29883]: x5DCrN44029857:
to=lmilligan at zimbra1.co.walton.ga.us, delay=00:00:03, xdelay=00:00:00,
mailer=esmtp, pri=124489, relay=zimbra1.co.walton.ga.us. [192.168.32.47],
dsn=2.0.0, stat=Sent (Ok: queued as 7A9B2E17EE)
I hope there is something in here that explains this behavior, but I cannot
see it. Thanks so much for looking at this, it has bugged me for months!
Lamar
From: MailScanner
<mailscanner-bounces+lmilligan=co.walton.ga.us at lists.mailscanner.info> On
Behalf Of Shawn Iverson via MailScanner
Sent: Wednesday, June 12, 2019 7:34 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <iversons at rushville.k12.in.us>
Subject: Re: Mail from Outside our Domain not Stored
Hehe, missed that line, so the line is being read, this is very bizarre...
In any case, maillogs are going to be the next logical step.
On Wed, Jun 12, 2019 at 5:09 PM Antony Stone
<Antony.Stone at mailscanner.open.source.it> wrote:
On Wednesday 12 June 2019 at 22:32:28, Shawn Iverson via MailScanner wrote:
> I do see a subtle clue...
>
> 1) The "X-Spam-Status: No" is actually not present.
Erm, yes it is?
X-Spam-Status: No, score=3.451 required=6
tests=[ALL_TRUSTED=-1,BAYES_50=0.8,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.25,
LOCAL_COUNTRY=2.2, LOCAL_NOTFROM_TTLD=2.2, MAILING_LIST_MULTI=-1,
SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no
> "X-Spam-Flag: NO" is actually coming from amavisd-new on the next hop (the
> Zimbra mail server itself, I think) and hence why it is so far up in the
> Received chain.
Indeed - that's different.
> 2) Because X-Spam-Status is not there, the Non Spam Actions appears to have
> been ignored for some reason.
I'm not so sure (but then again I'm not at all sure about this one).
> At this point, we are going to need a maillog of an inbound message that
> fails to get quarantined, along with a maillog of an outbound message that
> is being quarantined for further clues.
Sounds good to me.
Antony.
--
"Remember: the S in IoT stands for Security."
- Jan-Piet Mens
Please reply to the list;
please *don't* CC me.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
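The per-message comparison this thread does by hand with grep, as an added example that is not part of the original posts: it groups MailScanner log lines by queue ID and reports the fields on which two messages were handled differently. The sample log lines, queue IDs, addresses and IPs are constructed, and the queue-ID pattern is an assumption based on the IDs shown in the logs above.

```python
import re
from collections import defaultdict

# Assumption: queue IDs have the shape seen in the logs above
# (8 alphanumerics followed by a 6-digit PID), e.g. x5DDUaQ2002792.
QID = re.compile(r"\b[0-9A-Za-z]{8}\d{6}\b")
VERDICT = re.compile(r"from (\S+) .*? is (not spam|spam), .*?score=(-?\d+(?:\.\d+)?)")
ACTIONS = re.compile(r"Spam Actions: message \S+ actions are (\S+)")

def summarize(lines):
    """Group MailScanner log lines by queue ID and record each message's fate."""
    msgs = defaultdict(lambda: {"source": None, "verdict": None, "score": None,
                                "actions": [], "delivered": None, "mailwatch": False})
    for line in lines:
        tag, _, text = line.partition("]: ")
        qid = QID.search(text)
        if "MailScanner[" not in tag or not qid:
            continue  # only MailScanner's own decisions are of interest here
        rec = msgs[qid.group()]
        if m := VERDICT.search(text):
            rec["source"], rec["verdict"] = m.group(1), m.group(2)
            rec["score"] = float(m.group(3))
        elif m := ACTIONS.search(text):
            rec["actions"] = m.group(1).split(",")
        elif text.startswith("Non-delivery of spam"):
            rec["delivered"] = False
        elif text.startswith("Delivery of nonspam"):
            rec["delivered"] = True
        elif "Logged to MailWatch SQL" in text:
            rec["mailwatch"] = True
    return dict(msgs)

def compare(msgs, a, b):
    """Fields on which two messages were handled differently: {field: (a, b)}."""
    return {k: (msgs[a][k], msgs[b][k]) for k in msgs[a] if msgs[a][k] != msgs[b][k]}

# Constructed sample lines (not taken from the poster's server).
SAMPLE = """\
Jun 13 09:30:39 mail sendmail[2792]: a1B2c3D4000101: from=<sender@example.org>, relay=[198.51.100.7]
Jun 13 09:30:49 mail MailScanner[27531]: Message a1B2c3D4000101 from 198.51.100.7 (sender@example.org) to example.net is spam, SpamAssassin (not cached, score=7.159, required 5, RDNS_DYNAMIC 0.98)
Jun 13 09:30:49 mail MailScanner[27531]: Non-delivery of spam: message a1B2c3D4000101 from sender@example.org to user@example.net with subject test
Jun 13 09:30:49 mail MailScanner[27531]: Spam Actions: message a1B2c3D4000101 actions are store,header
Jun 13 09:30:50 mail MailScanner[30470]: MailWatch: a1B2c3D4000101: Logged to MailWatch SQL
Jun 13 08:53:26 mail MailScanner[27531]: Message e5F6g7H8000202 from 192.0.2.10 (user@example.com) to example.net is not spam, SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam, BAYES_00 -1.90)
Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message e5F6g7H8000202 from user@example.com to user@example.net with subject Re: Test Message
Jun 13 08:53:26 mail MailScanner[29472]: MailWatch: e5F6g7H8000202: Logged to MailWatch SQL
""".splitlines()
if __name__ == "__main__":
    print(compare(summarize(SAMPLE), "a1B2c3D4000101", "e5F6g7H8000202"))
```

Run against a real maillog by passing `open("maillog")` to `summarize` in place of `SAMPLE`.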