<div dir="ltr"><div>Hello Glenn,<br><br>thanks for your <span id="result_box" class="" lang="en"><span class="">relevant</span> <span class="">and accurate</span> <span class="">information!<br></span></span></div><span id="result_box" class="" lang="en"><span class="">I will try this these settings<br><br>Best regards<br><br>---<br>Sim<br></span></span></div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-14 9:56 GMT+01:00 Glenn Steen <span dir="ltr"><<a href="mailto:glenn.steen@gmail.com" target="_blank">glenn.steen@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Just to be clear on what you need do Sim, here's a few more precise pointers:<br>
<br>
In MailScanner.conf change<br>
<span class=""><br>
Check Watermarks With No Sender = yes<br>
<br>
</span>to<br>
<br>
Check Watermarks With No Sender = %rules-dir%/check.watermark.rules<br>
<br>
and in the ruleset file (in the rules subdirectory of your MailScanner<br>
etc directory (probably /etc/MailScanner/rules/check.watermark.rules)<br>
create tre rules<br>
-------- Start ------<br>
# Our MailStore server(s) IP addresses should have a "no" for this<br>
From: 192.168.3.140 no<br>
<br>
# Under no circumstances should this be changed to "no".<br>
FromOrTo: default yes<br>
-------- End ------<br>
Please be sure to separate the colums ("From:" is the first column,<br>
"192.168.3.140" is the second etc) with <TAB> character(s). Reload or<br>
restart mailScanner after this change and you'll not check watermarks<br>
for internally generated non-delivery-notices, out-of-office messages<br>
etc, and hence will not break the RFSs in such a bad way as before.<br>
<br>
Also, consider either setting (in MailScanner.conf)<br>
Treat Invalid Watermarks With No Sender as Spam = spam<br>
or<br>
Treat Invalid Watermarks With No Sender as Spam = 7<br>
(or some other low-scoring spam number), since elsewise you run a<br>
definite risk of losing non-delivery-reports genereted on outside<br>
systems that do not preserve the watermark header... Better that they<br>
violate the RFCs than you;-)<br>
<br>
And finally, you can easily configure RECIPIENT address verification<br>
in postfix by adding something like<br>
reject_unverified_recipient<br>
to your smtpd_recipient_restrictions in <a href="http://main.cf" target="_blank">main.cf</a> ... or something<br>
similar (I actually don't use this feature, since I don't trust our<br>
mailstoree to properly reject things, so use a relay_recipient_map<br>
instead... that I generate with LDAP every 15 minutes.. Same effect,<br>
different approach). If you didn't find it anywhere else, your systems<br>
package for Postfix probably installed the readme somewhere like:<br>
/usr/share/doc/postfix-*/README_FILES/ADDRESS_VERIFICATION_README<br>
... See the warnings at the top, and heed the one about SENDER address<br>
verification.<br>
<br>
Cheers<br>
<span class="HOEnZb"><font color="#888888">--<br>
-- Glenn (who had a few minutes to spend on this:-)<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On 13 November 2014 11:15, Glenn Steen <<a href="mailto:glenn.steen@gmail.com">glenn.steen@gmail.com</a>> wrote:<br>
> Actually.... You could play around with a ruleset on this:<br>
><br>
> # Do you want to check watermarks?<br>
> # This can also be the filename of a ruleset.<br>
> Check Watermarks With No Sender = yes<br>
><br>
> ... And simply avoid checking the watermark on your mailstore systems<br>
> IP address.<br>
> Probably the simplest fix of all;-).<br>
><br>
> Cheers!<br>
> --<br>
> -- Glenn<br>
><br>
> On 13 November 2014 10:58, Glenn Steen <<a href="mailto:glenn.steen@gmail.com">glenn.steen@gmail.com</a>> wrote:<br>
>> I just re-read your initial post and get what's happening:<br>
>><br>
>> You have the watermark feature enabled, to handle all those faked<br>
>> bounces/NDRs/NDNs (in reality, where the envelope sender is <>), but<br>
>> when your own mailstore (the server/servers protected by your<br>
>> MX/MailScanner system) generate a bounce these also lack the watermark<br>
>> (which is just a specific header with a checksum cryptagraphically<br>
>> protected...) and thus get handled as "bad". Many systems<br>
>> implementation of OoO will fall into this category as well. Regular<br>
>> bounces SHOULD NOT lack the watermark, but this is up to the<br>
>> mailstore, whether the watermark is present in the NDN or not.<br>
>><br>
>> First off:<br>
>> - Don't mark them as "High scoring spam". Just mark as Spam and they<br>
>> will actually get delivered, thus making your system RFC compliant (or<br>
>> at least a tad more so:-).<br>
>><br>
>> Second thing to explore:<br>
>> - Try to make your mailstore system(s) generate or preserve a valid<br>
>> watermark header for bounces etc. This is a lot less trivial than the<br>
>> first step, and in many cases close to impossible... In many cases,<br>
>> just implementing the first step above is the only real option... at<br>
>> least from a time management perspective:-):-).<br>
>><br>
>> So... this problem of yours is mostly a problem outside of<br>
>> mailScanner, but entirely caused be the use of the watermark feature.<br>
>> i wouldn't recommend turning it off, without first doing a thorough<br>
>> analysis of the effectiveness of the feature...;)<br>
>><br>
>> Cheers!<br>
>> --<br>
>> -- Glenn<br>
>><br>
>> On 12 November 2014 19:58, Sim <<a href="mailto:simvirus@gmail.com">simvirus@gmail.com</a>> wrote:<br>
>>> Thanks for reply...<br>
>>> But in other case the bounce is generated for other reasons<br>
>>> For example if the mailbox for the user is over quota, etc..<br>
>>> In this case the bounce is "dropped".<br>
>>> The question is why this "postfix/cleanup - MailScanner" header is too short<br>
>>> ...and how to extend it :-(<br>
>>><br>
>>> Thanks again<br>
>>><br>
>>> ---<br>
>>> Sim<br>
>>><br>
>>> 2014-11-10 18:16 GMT+01:00 Glenn Steen <<a href="mailto:glenn.steen@gmail.com">glenn.steen@gmail.com</a>>:<br>
>>>><br>
>>>> Actually... All you need do is configure recipient verification in postfix<br>
>>>> (this is in-built and documented well several places, like the postfix doc<br>
>>>> site or the MailScanner wiki). Alternatively maintain a relay recipient map<br>
>>>> or an access map (both are fairly trivial to set up).<br>
>>>> Doing any of these will reject instead of bounce, for unknown recipients.<br>
>>>> Flip side of the coin is that you may expose your recipient "universe", for<br>
>>>> easy mapping (regardless if you have disabled vrfy), but... That's just how<br>
>>>> it is:-)<br>
>>>><br>
>>>> Cheers<br>
>>>> --<br>
>>>> -- Glenn<br>
>>>><br>
>>>> Den 10 nov 2014 14:03 skrev "Joolee" <<a href="mailto:mailscanner@joolee.nl">mailscanner@joolee.nl</a>>:<br>
>>>><br>
>>>>> Quite an easy solution is to simply don't bounce. E-mail to non-existing<br>
>>>>> users is probably (uncought) spam and they rarely come from legit e-mail<br>
>>>>> addresses. You are spamming the actual owners of the e-mail addresses being<br>
>>>>> abused by sending backscatter to them. It might even get you listed on a<br>
>>>>> backscatter dnsbl.<br>
>>>>><br>
>>>>> If you want to provide legit mail senders with a "this user doesn't<br>
>>>>> exist" message, configure all legit users on your edge server so mail to<br>
>>>>> non-existing users is being blocked on smtp level. (This will also reject<br>
>>>>> ~90% of spam) The sending party can than implement any backscatter/messages<br>
>>>>> they want with this information, it's not your problem.<br>
>>>>><br>
>>>>><br>
>>>>> On 10 November 2014 12:44, Sim <<a href="mailto:simvirus@gmail.com">simvirus@gmail.com</a>> wrote:<br>
>>>>>><br>
>>>>>> Hello to all!<br>
>>>>>><br>
>>>>>> I've a little issue...<br>
>>>>>><br>
>>>>>> SENDER (from <a href="mailto:test@extenal.com">test@extenal.com</a> to nomail@mydomain) ------> MailScanner<br>
>>>>>> -----> Mailbox Server (@mydomain)<br>
>>>>>><br>
>>>>>> At this time my internal "Mailbox Server" generate a bounce for not<br>
>>>>>> exiting "nomail" account.<br>
>>>>>> This bounce is detected as SPAM from MailScanner.<br>
>>>>>><br>
>>>>>> Note:<br>
>>>>>> - The IP of Mailbox Server is in "Whitelist"<br>
>>>>>> - The LAN (/24) of Mailbox Server is in "Trusted Network"<br>
>>>>>> - The LAN (/24) of Mailbox Server is in "Outbound mail relay"<br>
>>>>>> - All other email sent from "Mailbox Server" are detected as "white<br>
>>>>>> list"<br>
>>>>>><br>
>>>>>><br>
>>>>>> Checking the log of postfix i've found this:<br>
>>>>>><br>
>>>>>> postfix/cleanup[20872]: C1C2960069: hold: header Received: from<br>
>>>>>> srv.mydomain.local (unknown [192.168.0.10])??(using TLSv1 with cipher<br>
>>>>>> AES128-SHA (128/128 bits))??(No client certificate requested)??by<br>
>>>>>> <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> (Postfix) w from unknown[192.168.0.10]; from=<><br>
>>>>>> to=<<a href="mailto:test@external.com">test@external.com</a>> proto=ESMTP helo=<srv.mydomain.local><br>
>>>>>> [..]<br>
>>>>>> MailScanner[19852]: Spam Checks: Starting<br>
>>>>>> MailScanner[19852]: Message C1C2960069.AEB15 from 192.168.0.10 has no<br>
>>>>>> (or invalid) watermark or sender address, marked as high-scoring spam<br>
>>>>>> MailScanner[19852]: Spam Checks: Found 1 spam messages<br>
>>>>>><br>
>>>>>><br>
>>>>>> The header of postifx/cleanup is incomplete!!!!<br>
>>>>>><br>
>>>>>> Looking for full header i've seen: "(Postfix) with ESMTPS id<br>
>>>>>> C1C2960069?" and not only "(Postfix) w"<br>
>>>>>><br>
>>>>>><br>
>>>>>> How to increase this "check of the header limit" in postfix, cleanup or<br>
>>>>>> MailScanner ?<br>
>>>>>><br>
>>>>>> Thanks<br>
>>>>>><br>
>>>>>> --<br>
>>>>>> MailScanner mailing list<br>
>>>>>> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
>>>>>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
>>>>>><br>
>>>>>> Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
>>>>>><br>
>>>>>> Support MailScanner development - buy the book off the website!<br>
>>>>>><br>
>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> MailScanner mailing list<br>
>>>>> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
>>>>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
>>>>><br>
>>>>> Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
>>>>><br>
>>>>> Support MailScanner development - buy the book off the website!<br>
>>>>><br>
>>>><br>
>>>> --<br>
>>>> MailScanner mailing list<br>
>>>> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
>>>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
>>>><br>
>>>> Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
>>>><br>
>>>> Support MailScanner development - buy the book off the website!<br>
>>>><br>
>>><br>
>>><br>
>>> --<br>
>>> MailScanner mailing list<br>
>>> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
>>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
>>><br>
>>> Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
>>><br>
>>> Support MailScanner development - buy the book off the website!<br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> -- Glenn<br>
>> email: glenn < dot > steen < at > gmail < dot > com<br>
>> work: glenn < dot > steen < at > ap1 < dot > se<br>
><br>
><br>
><br>
> --<br>
> -- Glenn<br>
> email: glenn < dot > steen < at > gmail < dot > com<br>
> work: glenn < dot > steen < at > ap1 < dot > se<br>
<br>
<br>
<br>
--<br>
-- Glenn<br>
email: glenn < dot > steen < at > gmail < dot > com<br>
work: glenn < dot > steen < at > ap1 < dot > se<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
</div></div></blockquote></div><br></div>