
Strange mail behaviour - various rejection

Posted: Tue Apr 14, 2009 6:14 am
by coolemail
I'm trying to tidy up strange activity on a new server onto which I have migrated all clients/domains. Server has CentOS5, Plesk 8.6 and ASL. We have identified that if people send email from btinternet and talk21 email addresses (and others, but this is the main one), they are rejected for some reason. It only happens on certain domains, because one client cannot get through on two hosted domains but can get through on a third. Therefore, it suggests that it is not server-wide. I'm thinking that it MIGHT be to do with incorrect SPF, but I thought that would only apply to outgoing emails, and 2 of the domains are the same.

The SPF for the 2 domains being rejected are:
v=spf1 a mx ptr a:plesk.expat-email.co.uk a:plesk2.expat-email.co.uk include:expat-email.co.uk ~all
AND
v=spf1 a mx ptr a:server2.emailitis.com a:plesk.expat-email.co.uk a:plesk2.expat-email.co.uk include:expat-email.co.uk ~all

The SPF for the working domain is:
v=spf1 a mx ptr a:plesk.expat-email.co.uk a:plesk2.expat-email.co.uk include:expat-email.co.uk ~all

The failure notice they get is:
From: "MAILER-DAEMON@plesk2.expat-email.co.uk" <MAILER-DAEMON@plesk2.expat-email.co.uk>
To: person2@talk21.com
Sent: Tuesday, 7 April, 2009 6:25:58 PM
Subject: failure notice

Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<minifixtures@salisburyrfc.org>:
Separately, but possibly linked, I have been sending emails to an external email address. The emails are getting through, but I am getting a failure coming through to me as follows (exact domains of my own left intact which I can delete later):
From: MAILER-DAEMON@plesk2.expat-email.co.uk [mailto:MAILER-DAEMON@plesk2.expat-email.co.uk]
Sent: 14 April 2009 10:40
To: postmaster@plesk2.expat-email.co.uk
Subject: failure notice

Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I tried to deliver a bounce message to this address, but the bounce bounced!

<me@expat-email.com>:

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 29701 invoked from network); 14 Apr 2009 10:39:37 +0100
Received: from smtp-in-131.livemail.co.uk (213.171.216.131)
by plesk.digitalsigns.co.uk with SMTP; 14 Apr 2009 10:39:37 +0100
Received-SPF: pass (plesk.digitalsigns.co.uk: local policy designates 213.171.216.131 as permitted sender)
Received: by smtp-in-131.livemail.co.uk (Postfix)
id 6C4A2484A84; Tue, 14 Apr 2009 10:39:34 +0100 (BST)
Date: Tue, 14 Apr 2009 10:39:34 +0100 (BST)
From: MAILER-DAEMON (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: me@expat-email.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="F2F02484A8C.1239701974/smtp-in-131.livemail.co.uk"
Message-Id: <20090414093934.6C4A2484A84@smtp-in-131.livemail.co.uk>

This is a MIME-encapsulated message.

--F2F02484A8C.1239701974/smtp-in-131.livemail.co.uk
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host smtp-in-131.livemail.co.uk.

I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can delete your own text from the message returned below.

The Postfix program

<xxxxx@yahoo.co.uk>: host mx2.mail.eu.yahoo.com[77.238.177.142] said:
554 delivery error: dd Sorry your message to xxxxx@yahoo.co.uk
cannot be delivered. This account has been disabled or discontinued [#102].
- mta113.mail.ird.yahoo.com (in reply to end of DATA command)

--F2F02484A8C.1239701974/smtp-in-131.livemail.co.uk
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp-in-131.livemail.co.uk
X-Postfix-Queue-ID: F2F02484A8C
X-Postfix-Sender: rfc822; me@expat-email.com
Arrival-Date: Tue, 14 Apr 2009 10:39:33 +0100 (BST)

Final-Recipient: rfc822; xxxxx@yahoo.co.uk
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mx2.mail.eu.yahoo.com[77.238.177.142] said:
554 delivery error: dd Sorry your message to xxxxx@yahoo.co.uk
cannot be delivered. This account has been disabled or discontinued [#102].
- mta113.mail.ird.yahoo.com (in reply to end of DATA command)

--F2F02484A8C.1239701974/smtp-in-131.livemail.co.uk
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from virus_13.livemail.co.uk (virus-cluster.livemail.co.uk [213.171.216.10])
by smtp-in-131.livemail.co.uk (Postfix) with SMTP id F2F02484A8C
for <person@domain.co.uk>; Tue, 14 Apr 2009 10:39:33 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
spam-87.livemail.co.uk
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,SPF_HELO_PASS
autolearn=disabled version=3.2.5
Received: from plesk2.expat-email.co.uk (server2.emailitis.com [SERVER_IP_ADDRESS])
by smtp-in-126.livemail.co.uk (Postfix) with ESMTP id 7847C2CF545
for <person@domain.co.uk>; Tue, 14 Apr 2009 10:39:32 +0100 (BST)
Received: (qmail 29689 invoked from network); 14 Apr 2009 10:39:35 +0100
Received: from MY_IP_ADDRESS.static.enta.net (HELO New) (MY_IP_ADDRESS)
by plesk.digitalsigns.co.uk with SMTP; 14 Apr 2009 10:39:34 +0100
From: "Me" <me@expat-email.com>
To: "'Person'" <person@domain.co.uk>
References: <A59A918E8D1C4D4D8E514F060DD1F5B6@LogInPc> <00b501c9bcdf$698766a0$3c9633e0$@com> <3FD4F6E01C4D48649A7D5E3A22683FCC@LogInPc>
In-Reply-To: <3FD4F6E01C4D48649A7D5E3A22683FCC@LogInPc>
Subject: RE: from whom and for what?
Date: Tue, 14 Apr 2009 10:39:34 +0100
Message-ID: <00c101c9bce4$ebeea220$c3cbe660$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_00C2_01C9BCED.4DB30A20"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acm85BbtcsaToyq3Shuw8ABfDQ+DDgAAHjUg
Content-Language: en-gb
X-Original-To: person@domain.co.uk
X-AntiVirus: checked by Vexira MailArmor

This is a multipart message in MIME format.

------=_NextPart_000_00C2_01C9BCED.4DB30A20
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_00C3_01C9BCED.4DB30A20"
The above email got to person@domain.co.uk. All I notice from the above is that it appears they have a forwarding to xxxxx@yahoo.co.uk which was failing. The strange thing is why was the failure notice to kuhle@expat-email.com not getting through?

Possible action required by me???
1. Remove all PTR records on domains on the new server less the one on plesk2.expat-email.com??? (The above used digitalsigns.co.uk PTR record when sending).
2. Change SPF records on all domains?? If so, what should they be? The hostname is plesk2.expat-email.co.uk. A while ago, I had set something to server2.emailitis.com (see above) but I'm not sure what, and do not understand why many failure notices show:
Received: from plesk2.expat-email.co.uk (server2.emailitis.com [SERVER_IP_ADDRESS])

I look forward to guidance from the various experts, please, to help me clear my brain and resolve this! Thanks in advance.

Re: Strange mail behaviour - various rejection

Posted: Tue Apr 14, 2009 9:24 am
by coolemail
http://www.openspf.org/Why?show-form=1& ... mit=Submit says that it does not understand why the SPF failed.

http://private.dnsstuff.com/tools/mail. ... 951732a019 suggests that sending mail is as it should be.

I remembered where the server2.emailitis.com came from - that is the reverse DNS I requested to be set up. I have changed this to the hostname of the server.

Would/could that cause the failures that I was getting?

Re: Strange mail behaviour - various rejection

Posted: Tue Apr 14, 2009 1:37 pm
by hostingguy
maybe this?

Diagnostic-Code: X-Postfix; host mx2.mail.eu.yahoo.com[77.238.177.142] said:
554 delivery error: dd Sorry your message to xxxxx@yahoo.co.uk
cannot be delivered. This account has been disabled or discontinued [#102].
- mta113.mail.ird.yahoo.com (in reply to end of DATA command)

Re: Strange mail behaviour - various rejection

Posted: Tue Apr 14, 2009 2:52 pm
by coolemail
Hi hostingguy,

Thanks for your response. I accept that the failure to get to the yahoo address was due to what you said, but then my server tried to tell me of that failure, and that message (internal, as far as I'm concerned) bounced:
From: MAILER-DAEMON@plesk2.expat-email.co.uk [mailto:MAILER-DAEMON@plesk2.expat-email.co.uk]
Sent: 14 April 2009 10:40
To: postmaster@plesk2.expat-email.co.uk
Subject: failure notice

Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I tried to deliver a bounce message to this address, but the bounce bounced!

<me@expat-email.com>:
Interestingly, postmaster@plesk2.expat-email.co.uk is automatically sent to info@expat-email.com, so while it was unable (apparently) to send to me@expat-email.com, the "bounce bounced" email did get through!!

Trying to get a little further, I did a port 25 test, sending from info@ to support@, and all that came through to me was the "bounce bounced" email:
Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I tried to deliver a bounce message to this address, but the bounce bounced!

<support@expat-email.com>:

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 27066 invoked from network); 14 Apr 2009 10:23:00 +0100
Received: from 78-32-177-1.static.enta.net (HELO expat-email.com) (78.32.177.1)
by plesk.expat-email.co.uk with SMTP; 14 Apr 2009 10:22:25 +0100
Received-SPF: unknown (plesk.expat-email.co.uk: Maximum nesting level exceeded, possible loop)
Subject: test message

This is a test message
Can you suggest something I might do to force a test, and which particular error log might shed any more information on what is happening?
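Added example, not code from the thread: a small SPF include-chain walker that reproduces the two ways a record like the ones posted earlier in this thread (a mx ptr a:... a:... include:expat-email.co.uk) can fail before any IP is even tested. The "Maximum nesting level exceeded, possible loop" result above is what an evaluator reports when include: chains back on itself or the 10-lookup budget of RFC 4408 section 10.1 (RFC 7208 section 4.6.4) is exhausted. The TXT table here is constructed: the placeholder domain names and the assumption that expat-email.co.uk carries the same self-including record are mine, chosen to reproduce the symptom, not a statement about the real zones.

```python
"""Walk an SPF record's include: chain, flagging loops and the 10-lookup limit.

Added example, not code from the thread. The plesk records are the ones
posted above; the placeholder domain names and the self-including record for
expat-email.co.uk are assumptions chosen to reproduce the symptom.
"""
import re

MAX_DNS_LOOKUPS = 10  # RFC 4408 s.10.1 / RFC 7208 s.4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT table (assumption: this is not what the real zones contain).
TXT = {
    # the record posted for the two rejecting domains, under a placeholder name
    "clientdomain.example":
        "v=spf1 a mx ptr a:plesk.expat-email.co.uk a:plesk2.expat-email.co.uk "
        "include:expat-email.co.uk ~all",
    # ASSUMED: the included zone carries the same record, so it includes itself
    "expat-email.co.uk":
        "v=spf1 a mx ptr a:plesk.expat-email.co.uk a:plesk2.expat-email.co.uk "
        "include:expat-email.co.uk ~all",
    # a record that stays well inside the limit, for contrast
    "clean.example": "v=spf1 a mx ip4:192.0.2.10 -all",
    # a direct loop with no other lookup terms
    "loop.example": "v=spf1 include:loop.example -all",
}


def parse_terms(record):
    """Split an SPF record into (mechanism_or_modifier, argument) pairs."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        tok = tok.lstrip("+-~?")            # the qualifier does not matter here
        name = re.split(r"[:/=]", tok, maxsplit=1)[0].lower()
        arg = tok[len(name) + 1:]           # '' for bare mechanisms like 'all'
        terms.append((name, arg))
    return terms


def check_spf(domain, txt, path=(), lookups=0):
    """Return (status, detail, lookups); status is 'ok' or 'permerror'.

    Lookups are counted across the whole include tree, which is how a
    conforming evaluator applies the limit: a 6-lookup record that includes
    another 6-lookup record is broken even without a loop.
    """
    if domain in path:
        chain = " -> ".join(path + (domain,))
        return ("permerror", "include loop: " + chain, lookups)
    record = txt.get(domain)
    if record is None:
        return ("permerror", "no SPF record at included domain " + domain, lookups)
    for name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            lookups += 1
            if lookups > MAX_DNS_LOOKUPS:
                return ("permerror",
                        "more than %d DNS-querying terms (at %s:%s in %s)"
                        % (MAX_DNS_LOOKUPS, name, arg, domain), lookups)
        if name == "include":
            status, detail, lookups = check_spf(arg, txt, path + (domain,), lookups)
            if status != "ok":
                return (status, detail, lookups)
    return ("ok", "%d DNS-querying terms" % lookups, lookups)


if __name__ == "__main__":
    for d in TXT:
        print(d, check_spf(d, TXT)[:2])
```

Run against the table, the posted record burns six of the ten lookups (a, mx, ptr, three a:) before the include is reached, so including any zone with more than four lookup terms returns permerror even when nothing loops; "a mx ip4:... -all" style records stay cheap. Swap the dict for real TXT lookups to check live zones.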

Re: Strange mail behaviour - various rejection

Posted: Wed Apr 15, 2009 3:57 pm
by coolemail
Anyone?

I have now removed all PTR records, except for the domain plesk2.expat-email.co.uk.

I am receiving some mail from btinternet email addresses from some senders, but some are still being rejected.

Is there one of the error logs which is specific to this where I can try to identify the failure and what is causing it.

I am really confused about the emails which the server appears not to be able to send to me as I identified before. If there is something else I can do to test/replicate this, that would be great.

Can anybody help on this one?

It may be totally unrelated, but over the weekend, mail was no longer being delivered, and I could not access the Plesk CP. I tried restarting Apache and that did not work. So I rebooted the server, and emails started flowing again. Then I had to re-start mailman as the mailing lists were not working. Until this reboot, ASL was stopping almost ALL Spam, but now much more is getting through. I'd love to do a yum update (ASL tells me there is an update), but wary only because of all these other (related?) issues. I sometimes think it would be better to solve those first.

I would be really grateful for the advice of you experts out there, please.

EDIT. I got a friend to send a test email to 3 accounts. His initial email got through. I replied, and that got to him. He replied, and his email was rejected with the following:
----- Forwarded Message ----
From: "MAILER-DAEMON@plesk2.expat-email.co.uk" <MAILER-DAEMON@plesk2.expat-email.co.uk> (This is my server)
To: friend@btinternet.com
Sent: Wednesday, 15 April, 2009 9:32:46 PM
Subject: failure notice

Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<me@expat-email.com>:

--- Below this line is a copy of the message.

Return-Path: <friend@btinternet.com>
Received: (qmail 25396 invoked from network); 15 Apr 2009 21:32:46 +0100
Received: from web87002.mail.ird.yahoo.com (87.248.114.54)
by plesk2.expat-email.co.uk with SMTP; 15 Apr 2009 21:32:45 +0100
Received-SPF: neutral (plesk2.expat-email.co.uk: 87.248.114.54 is neither permitted nor denied by SPF record at btinternet.com)
Received: (qmail 24266 invoked by uid 60001); 15 Apr 2009 20:32:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=s1024; t=1239827559; bh=FK2RVlMG0e9BUxsn9XVD/qMkZVd5wWmIXJ1bLKq3Z8g=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=mYyvEYWk8k/JrOicSZl0qKA0frbhPVjvdJ/VNTlGNnFDMwTU/geCEfhjOxwROmQZmk74QUnWxLjYV4EHLaYn7RJPkNvxSyLztwzPRm3CISm6O0mrOfnnD1oEzDKX0LoY7wpU/Z4gX07g5+dbtF4w8n5btUj2paW1pm8l7lrZlTM=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=btinternet.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=yorvsWAuwZ6DcmrgD47Ek957d3WgMoGHP4hYfen4FyiQbmusd+DwuYbctIpOyMzZ3jv/U24cCOeUi0kWZNZF+cRivtK2WGtE+uPHwWAuZEwoCIV8jFN5LDdfx6JevK4MzfislKAe8lXgX8NoDCYwXLFQLrXzO5fPVbtmm16w4mI=;
Message-ID: <63556.3198.qm@web87002.mail.ird.yahoo.com>
X-YMail-OSG: UGOQh9gVM1l7zk92MqV.au5PMW8JIL4S1tRzCqK0XUaK_SqzfXQx444n_Yej889bnQ9zNt3UFnf0.15olLiO7ikkRo7zeaHI4WQgibWG0eHydtgZyJJGEg6OfjpJwqty0_O3zAO_Aslvr2AMHdNodJwMrBG1iKqYd9gC8Q8IQ9CisAHiAQ2CNtn_mbxMPwgKkEuYaghRuOuJ4g.IqJnD6EetRFRbThaSo0XfP6Kg5d5DbDsiEfBUuwiGrncyWmBXRAzDVCbphi98wcUyr7urDtMxKEjcVr5m5tphZhWDFHW_fwVSVgZWZRI-
Received: from [81.155.45.244] by web87002.mail.ird.yahoo.com via HTTP; Wed, 15 Apr 2009 20:32:38 GMT
X-Mailer: YahooMailRC/1277.35 YahooMailWebService/0.7.289.1
References: <240030.68230.qm@web87006.mail.ird.yahoo.com> <02c701c9be09$2b2025c0$81607140$@com>
Date: Wed, 15 Apr 2009 20:32:38 +0000 (GMT)
From: FRIEND <friend@btinternet.com>
Subject: Re: test
To: "ME" <me@expat-email.com>
In-Reply-To: <02c701c9be09$2b2025c0$81607140$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-161779492-1239827558=:3198"


--0-161779492-1239827558=:3198
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

I sent them all at the same time=0A=0A=0A=0A=0A
Can anybody help fathom this one out, and help me resolve this? It's driving me mad with frustration.

Re: Strange mail behaviour - various rejection

Posted: Thu Apr 16, 2009 5:14 pm
by coolemail
PLEASE HELP SOMEBODY :?

I have set up an email address to test with. The first email I sent got through OK. My reply got back OK. When I then replied again (and any future emails I send from btconnect to my server) they are being rejected.

The maillog says:
Apr 16 21:54:27 plesk2 relaylock: /var/qmail/bin/relaylock: mail from 87.248.114.66:30063 (web87014.mail.ird.yahoo.com)
Apr 16 21:54:27 plesk2 greylist[21525]: IP 87.248.114.66 OK - accepting
Apr 16 21:54:27 plesk2 qmail-queue[21528]: scan: the message(drweb.tmp.JUhcEC) sent by testemail@btinternet.com to me@mydomain.com is passed
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: Handlers Filter before-queue for qmail started ...
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: from=testemail@btinternet.com
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: to=me@mydomain.com
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: recipient[3] = 'me@mydomain.com'
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: handlers dir = '/var/qmail//handlers/before-queue/recipient/me@mydomain.com'
Apr 16 21:54:27 plesk2 qmail-queue-handlers[21529]: starter: submitter[21530] exited normally
Apr 16 21:54:27 plesk2 qmail: 1239915267.245894 new msg 14814550
Apr 16 21:54:27 plesk2 qmail: 1239915267.246020 info msg 14814550: bytes 2356 from <testemail@btinternet.com> qp 21530 uid 2020
Apr 16 21:54:27 plesk2 qmail: 1239915267.256638 starting delivery 484: msg 14814550 to local 45-me@mydomain.com
Apr 16 21:54:27 plesk2 qmail: 1239915267.256708 status: local 1/10 remote 1/20
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: Handlers Filter before-local for qmail started ...
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: from=testemail@btinternet.com
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: to=me@mydomain.com
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: domainkeys-handler exited with status 13
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: call_handlers: stop call handlers because handler 'dd52-domainkeys' not PASS (31)
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: call_handlers: stop call handlers from dir '/var/qmail//handlers/before-local/global'
Apr 16 21:54:27 plesk2 qmail: 1239915267.271098 delivery 484: failure:
Apr 16 21:54:27 plesk2 qmail: 1239915267.271248 status: local 0/10 remote 1/20
Apr 16 21:54:27 plesk2 qmail-queue[21533]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Apr 16 21:54:27 plesk2 qmail-queue[21533]: scan: the message(drweb.tmp.KKD1WM) sent by to testemail@btinternet.com should be passed without checks, because contains uncheckable addresses
and testemail@btinternet.com gets an email saying:
From: "MAILER-DAEMON@plesk2.expat-email.co.uk" <MAILER-DAEMON@plesk2.expat-email.co.uk>
To: testemail@btinternet.com
Sent: Thursday, 16 April, 2009 9:54:27 PM
Subject: failure notice

Hi. This is the qmail-send program at plesk2.expat-email.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<me@mydomain.com>:

--- Below this line is a copy of the message.
There is mention in the maillog of domainkeys. On the server, under Plesk CP > Server > Mail, under the section "DomainKeys spam protection" I have enabled "Allow signing outgoing mail" and also "Verify incoming mail". However, "Use DomainKeys spam protection system to sign outgoing e-mail messages" is turned off on all domains. Does that shed any light on what needs to be changed?

EDIT. We might be getting somewhere. I disabled "Verify Incoming Mail" and it appears to be working from the btinternet account. Can someone explain what was preventing the second and subsequent emails from getting through? And can someone help me get a better Spam prevention because with my settings the DomainKeys appears to be causing a problem with incoming mail and the signing of outgoing mail appears not to be working if DomainKeys is enabled because I tried it once before to try and improve my protection.
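Added example, not code from the thread: a maillog triage script for the situation above, where the only clue is a "handler ... not PASS" line buried among the qmail-queue and qmail-local-handlers output. It groups handler lines by PID, records which handler stopped the delivery and with what exit status, and tallies stopped deliveries per (handler, sender domain) so a pattern such as every btinternet.com message dying in the DomainKeys handler is visible at a glance. The first seven sample lines are copied from the maillog excerpt in the post above; the PID 21560 lines are constructed to show a delivery that no handler stopped.

```python
"""Pull 'which handler stopped this delivery' out of a Plesk qmail maillog.

Added example, not from the thread. The PID 21531 lines are copied from the
maillog excerpt above; the PID 21560 lines are constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: Handlers Filter before-local for qmail started ...
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: from=testemail@btinternet.com
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: to=me@mydomain.com
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: domainkeys-handler exited with status 13
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: call_handlers: stop call handlers because handler 'dd52-domainkeys' not PASS (31)
Apr 16 21:54:27 plesk2 qmail-local-handlers[21531]: call_handlers: stop call handlers from dir '/var/qmail//handlers/before-local/global'
Apr 16 21:54:27 plesk2 qmail: 1239915267.271098 delivery 484: failure:
Apr 16 21:55:02 plesk2 qmail-local-handlers[21560]: Handlers Filter before-local for qmail started ...
Apr 16 21:55:02 plesk2 qmail-local-handlers[21560]: from=friend@example.org
Apr 16 21:55:02 plesk2 qmail-local-handlers[21560]: to=me@mydomain.com
Apr 16 21:55:02 plesk2 qmail-local-handlers[21560]: starter: submitter[21561] exited normally
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ "
    r"(?P<stage>qmail-(?:local|queue)-handlers)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FROM_RE = re.compile(r"^from=(\S*)$")
TO_RE = re.compile(r"^to=(\S+)$")
EXIT_RE = re.compile(r"^(\S+) exited with status (\d+)$")
STOP_RE = re.compile(r"stop call handlers because handler '([^']+)' not PASS \((\d+)\)")


def handler_rejections(log_text):
    """Group handler lines by PID; return one dict per delivery a handler stopped."""
    by_pid = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # qmail-send, relaylock, greylist lines etc.
        rec = by_pid[m.group("pid")]
        rec.setdefault("stage", m.group("stage"))
        rec.setdefault("time", m.group("ts"))
        msg = m.group("msg")
        f, t, e, s = (FROM_RE.match(msg), TO_RE.match(msg),
                      EXIT_RE.match(msg), STOP_RE.search(msg))
        if f:
            rec["sender"] = f.group(1)
        elif t:
            rec["recipient"] = t.group(1)
        elif e:
            rec.setdefault("exits", {})[e.group(1)] = int(e.group(2))
        elif s:
            rec["handler"], rec["stop_code"] = s.group(1), int(s.group(2))
    return [dict(r, pid=pid) for pid, r in by_pid.items() if "handler" in r]


def rejections_by_handler_and_domain(log_text):
    """Count stopped deliveries per (handler, sender domain)."""
    counts = defaultdict(int)
    for r in handler_rejections(log_text):
        sender = r.get("sender", "")
        domain = sender.rpartition("@")[2] if sender else "<>"
        counts[(r["handler"], domain)] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in handler_rejections(SAMPLE_LOG):
        print(r["time"], "pid", r["pid"], r.get("sender"), "->", r.get("recipient"),
              "stopped by", r["handler"], "exit codes:", r.get("exits", {}))
    print(rejections_by_handler_and_domain(SAMPLE_LOG))
```

Feed it `/usr/local/psa/var/log/maillog` instead of SAMPLE_LOG to get the same summary for a real day's traffic.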

Re: Strange mail behaviour - various rejection

Posted: Thu Apr 16, 2009 5:37 pm
by faris
Get rid of qgreylist, disable domainkeys (I hope you aren't on Plesk 9?)

Install spamdyke.

*** Modify spamdyke's config to match your needs ***

Sleep soundly.

http://www.spamdyke.org

Scott has an rpm in his repo.

But you HAVE to configure it. It isn't an install and hope for the best job.

Here's an example config:


## use log-level=verbose to see which dnsrbls triggered; info for the normal level; debug for loads of stuff.

log-level=verbose
local-domains-file=/var/qmail/control/rcpthosts

## if you use morercpthosts, uncomment this (unlikely)
# local-domains-file=/var/qmail/control/morercpthosts

#general options:
max-recipients=5
idle-timeout-secs=60
greeting-delay-secs=5

## the following url gets put in all rejection messages so people who get false positives
## know where to go for help:
policy-url=http://www.yourwebsite.com/emailterms.html

#graylist options
graylist-dir=/var/qmail/graylist
graylist-level=always-create-dir
graylist-min-secs=300
graylist-max-secs=1814400

#general rejection options follow:

#Blacklists -- these are files, inside which there is a list of items
ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient

#whitelisting -- these are files, inside which you have a list of items
ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender

#tls stuff
tls-certificate-file=/var/qmail/control/servercert.pem

#dns blacklists
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=dnsbl.sorbs.net
dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=b.barracudacentral.org
dns-blacklist-entry=blacklist.cymru1.org

#useful rejection options
reject-empty-rdns
reject-unresolvable-rdns
reject-missing-sender-mx

Note: you have to register with them in order to use the barracuda dnsrbl in this particular config. These are just example dnsrbls. You would use the ones you like.

Note: spamdyke does not work with pop-before-relay.

Re: Strange mail behaviour - various rejection

Posted: Fri Apr 17, 2009 5:44 am
by coolemail
THANK YOU Faris for this really helpful response. I am on Plesk 8.6 at present. Do I detect from the various forums that it is not worth updating to Plesk 9 yet?

To install spamdyke from Scott's repo, can I simply

yum install spamdyke
or if not, can you tell me where I find the repo, and how to install these things. I have ASL installed if that makes any difference.

The barracuda seems very expensive? Certainly by the time I have purchased rack space, servers, Plesk annual licence, ASL etc. etc. I would hope to avoid spending another £1000+ on barracuda (which is what their website appears to suggest is the cost). Have I missed something with their cost? And with the greylisting and other things that Spamdyke does, is it really essential, do you think, to pay for the barracuda as well?

Also, is it possible to have both qgreylist and spamdyke working - giving just another level of Spam protection? Or do they conflict with each other, meaning I would have to remove qgreylist as you suggest?

I do not think I have pop-before-relay. In my mail settings, I authorise for SMTP. The POP3 is disabled if this is what you mean.

Thanks again for the help.

Re: Strange mail behaviour - various rejection

Posted: Sat Apr 18, 2009 2:13 pm
by faris
Yes, it is as simple as yum install spamdyke....

But personally I've never used Scott's rpm. Not because it is no good -- just because I got used to installing from source. What this means is that I do not know for sure where scott's rpm will put the configuration file. Probably /etc/spamdyke.conf -- so that means there won't be an /etc/spamdyke.d/ as in my example.

Anyway......

The barracuda thing isn't one of their hardware boxes. It is just a blacklist like zen.spamhaus.org.

But in order to use it you have to register on their site .. www.barracudacentral.com (I think?).

Of the four dnsrbls I've mentioned, zen.spamhaus.org will catch the most spam and also the widest range of IPs belonging to dial-up and broadband accounts (which should never send email directly).

Spamcop will catch the next biggest bunch, but it is tiny in comparison.

The other two get very little.

Using sorbs can result in quite a few false positives. You may not want to use it.

Now, of the other settings, some of the best ones in that config are :

reject-empty-rdns which means if the IP of the sending server does not resolve then reject the email (NO legit email should come from an IP that doesn't have rdns)

reject-unresolvable-rdns rejects email from IPs that have rdns but that rdns does not then forward resolve to an IP. This can be the case for IPs from dial-ups and broadband connections.

reject-missing-sender-mx is great. It rejects emails where the domain listed in the "From:" line does not have an MX record and therefore cannot possibly be legit. This catches a lot of 419es and phishers.

After installing spamdyke, btw, you need to restart xinetd in order to get spamdyke into the equation.

Note the first line in my example config about logging. You can then use tail -f /usr/local/psa/var/log/maillog to see what's being rejected and what is being let through.

Faris.

Re: Strange mail behaviour - various rejection

Posted: Mon Apr 20, 2009 9:33 am
by coolemail
Thank you so much Faris for that really easy-to-understand response.

I have installed spamdyke, and amended the configuration file from Scott's default. I added barracuda (to which I registered, thanks for that info) and added one whitelist and one blacklist file to /var/qmail/spamdyke.

I have NOT yet removed qgreylist as I wanted to be sure that spamdyke was working first!

Apr 20 14:19:55 plesk2 spamdyke[17486]: DENIED_RDNS_RESOLVE from: teeq@acryglas.com to: email1@domain1.com origin_ip: 94.180.24.132 origin_rdns: net24.180.94-132.ertelecom.ru auth: (unknown)
Apr 20 14:20:00 plesk2 spamdyke[17152]: TIMEOUT from: seems_genuine_email@domain3.co.uk to: email2@domain2.com origin_ip: 213.2.207.27 origin_rdns: host3.onepaper.co.uk auth: (unknown) reason: TIMEOUT
Apr 20 14:21:37 plesk2 spamdyke[17683]: ALLOWED from: seems_genuine_email_2@domain4.net.mx to: email3@domain3.com origin_ip: 205.188.249.131 origin_rdns: omr-d33.mx.aol.com auth: (unknown)

But the spamdyke files all contain nothing, and file size is 0. Is that normal, or possibly do I have to either remove qgreylist OR restart other services for this to work properly?
[root@plesk2 ~]# ls -l /var/qmail/spamdyke
total 4
-rw-r--r-- 1 root root 0 Mar 6 15:59 blacklist_ip
-rw-r--r-- 1 root root 0 Mar 6 15:59 blacklist_keywords
-rw-r--r-- 1 root root 0 Apr 20 14:15 blacklist_rdns
-rw-r--r-- 1 root root 0 Mar 6 15:59 blacklist_recipients
-rw-r--r-- 1 root root 0 Mar 6 15:59 blacklist_senders
drwxr-xr-x 2 root root 4096 Mar 6 15:59 greylist
-rw-r--r-- 1 root root 0 Mar 6 15:59 whitelist_ip
-rw-r--r-- 1 root root 0 Mar 6 15:59 whitelist_rdns
-rw-r--r-- 1 root root 0 Apr 20 14:14 whitelist_recipients
-rw-r--r-- 1 root root 0 Mar 6 15:59 whitelist_senders
[root@plesk2 ~]#

Re: Strange mail behaviour - various rejection

Posted: Mon Apr 20, 2009 10:48 am
by faris
Those logfiles look good.

But when you say the spamdyke files are empty, which files do you mean?

The only files it creates are graylisting ones, in the directory specified by graylist-dir (e.g. /var/qmail/graylist in my example) and yes, they should be empty. The filenames are basically the contents. e.g. email from me@domain.com sent to you@yourdomain.com would result in /var/qmail/graylist/yourdomain.com/domain.com/me being created (I think --- I'm making this up as I go along).

The timestamp on the file tells spamdyke all it need to know about when the last message was received, and whether to graylist or not as a result of a new message.
There's more to it than that, mind you. But bottom line is 0bytes in the graylist files is OK :-)

Also you'll see filter_graylist or denied_graylist (or both, or something like that) in your logs when something gets graylisted by spamdyke.

The increased amount of logging that spamdyke provides is one of its most brilliant features. There's even a script that will process your maillog and tell you how many messages were rejected because of X, which dnsrbls were most effective and so on and so forth.

Just going back to barracuda, btw, some people would tell you not to use it to block outright (i.e. not to use it with spamdyke) but instead to add it in a spamassassin rule to add X points to the spam score. This is because it can also cause some false positives.

Really, of the dnsrbls I put in my example config, only zen.spamhaus.org is probably "safe". The rest can and do result in false positives. Nevertheless, we use those, and others, in our super-duper-antispam gateway for those customers who want basically almost zero spam and don't mind some false positives.

Oh, one more thing. If you allow people to use your server to send email via smtp, then as long as the user authenticates then all of spamdyke's filters are bypassed. This means you don't have to worry if someone connects from, say, an IP that's listed on spamhaus' pbl blacklist.

Of course I'd always suggest that you set Plesk to open up port 587 and use that for authenticated smtp anyway. But that's another story.

Anyway, I think you can safely get rid of qgreylist now, but be careful. It might do something that will also disable spamdyke. So restart xinetd after you remove qgreylist and check the logs to make sure spamdyke is still doing its thing. Make a backup of /etc/xinetd.d/smtp_psa just in case. remove and reinstall spamdyke to get it working again if need be. This is not the best way to get it working again, but it is the easiest. Backup your new spamdyke configuration first too.


Faris.
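Added example, not spamdyke's code: a file-per-triplet greylist decision of the kind faris sketches above, where a 0-byte file's path is the (recipient domain, sender domain, sender local part) triplet and its mtime is the only state. The path layout is the one he guesses at and is an assumption here, as are the expiry and refresh rules; the thresholds are the graylist-min-secs and graylist-max-secs values from his example config. One thing a real implementation must get right and this one shows: the address components become filesystem names, so a sender like `x@../..` has to be sanitised or it writes outside graylist-dir.

```python
"""A file-per-triplet greylist decision in the style faris describes.

Added example, not spamdyke's code. Path layout, expiry and refresh rules are
assumptions; the thresholds are from the example config above.
"""
import os
import tempfile

GRAYLIST_MIN_SECS = 300       # graylist-min-secs in the example config
GRAYLIST_MAX_SECS = 1814400   # graylist-max-secs: 21 days


def _safe(component):
    """One address component -> one directory/file name, never a path escape.
    A sender such as 'x@../..' would otherwise write outside graylist_dir."""
    if component in ("", ".", "..") or "/" in component or "\0" in component:
        return "_"
    return component


def triplet_path(graylist_dir, recipient, sender):
    """graylist_dir/<rcpt domain>/<sender domain>/<sender local part>."""
    sender_local, _, sender_domain = sender.rpartition("@")
    rcpt_domain = recipient.rpartition("@")[2]
    return os.path.join(graylist_dir, _safe(rcpt_domain),
                        _safe(sender_domain), _safe(sender_local))


def graylist_decision(graylist_dir, recipient, sender, now,
                      min_secs=GRAYLIST_MIN_SECS, max_secs=GRAYLIST_MAX_SECS):
    """Return ('defer'|'accept', reason). The file's mtime is the only state.

    'defer' maps to a 4xx SMTP reply: a real MTA retries, a spam cannon
    usually does not. The null sender '' used by bounces lands under '_' and
    is greylisted like any other triplet here; a production filter may
    choose to exempt it.
    """
    path = triplet_path(graylist_dir, recipient, sender)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        open(path, "w").close()                # 0-byte file: the name is the data
        os.utime(path, (now, now))
        return ("defer", "first contact; retry after %d s" % min_secs)
    age = now - os.stat(path).st_mtime
    if age > max_secs:
        os.utime(path, (now, now))             # expired: start the clock again
        return ("defer", "entry older than %d s; starting over" % max_secs)
    if age < min_secs:
        # do NOT touch the file here, or an eager retrier could never pass
        return ("defer", "retry too early (%d s < %d s)" % (age, min_secs))
    os.utime(path, (now, now))                 # keep active senders from expiring
    return ("accept", "known triplet, last seen %d s ago" % age)


def new_store():
    """A throwaway graylist-dir for trying the function out."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    d = new_store()
    t0 = 1239915267               # the qmail timestamp in the maillog above
    for dt in (0, 60, 400):
        print(dt, graylist_decision(d, "me@mydomain.com", "testemail@btinternet.com", t0 + dt))
```

The three calls in the main block reproduce the expected sequence: first contact deferred, a retry after 60 s deferred again, a retry after 400 s accepted.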

Re: Strange mail behaviour - various rejection

Posted: Mon Apr 20, 2009 11:08 am
by scott
Under the hood, Barracuda is qmail, spamassassin, razor, rblsmtpd, etc. The same rules apply to it that you would expect out of Project Gamera, or Plesk.

Re: Strange mail behaviour - various rejection

Posted: Tue Apr 21, 2009 12:50 pm
by coolemail
Thank you both for your replies.

When I mentioned the file sizes, it was because my greylist directory (/var/qmail/greylist) adds a new file each time an IP is blocked, so I can see how many have been blocked.

I also thought (dangerous, I know) that files like the /var/qmail/spamdyke/whitelist_senders could include specific email addresses or domains which I would want in the whitelist (perhaps I can add to these files??). But I would have thought that when it blocks because of RDNS, it would have added something to the blacklist_rdns file, for example. But for now, I will not mind about the 0bytes file size.

You said "There's even a script that will process your maillog and tell you how many messages were rejected because of X". Is that easy?

I will try to remove qgreylist and see how it changes.

Incidentally, I have just had a false negative/false positive (not sure which!) with Spamdyke which came through as I happened to be monitoring it:
Apr 21 17:43:40 plesk2 relaylock: /var/qmail/bin/relaylock: mail from 213.123.131.141:37262 (host213-123-131-141.in-addr.btopenworld.com)
Apr 21 17:43:40 plesk2 greylist[14701]: IP 213.123.131.141 OK - accepting
Apr 21 17:43:40 plesk2 spamdyke[14699]: DENIED_RDNS_RESOLVE from: known_email_address@domain.co.uk to: mailing_list_email@domain2.com origin_ip: 213.123.131.141 origin_rdns: host213-123-131-141.in-addr.btopenworld.com auth: (unknown)
Can you tell me what I can do with that, to whitelist them, or whatever? And if I had not been monitoring it, and someone reported an address that was failing to send emails, is there somewhere I can find what has happened? Strangely, this known email address can send to me, but their email to the mailing list fails (and if I send to the mailing list, it goes through).

EDIT. Interestingly, the known_email_address@domain.co.uk above did not get an email back with the link in my config:

## the following url gets put in all rejection messages so people who get false positives
## know where to go for help:
policy-url=http://emailitis.com/index_files/spam_rejection.html
should they have done??

I think I might have another false negative which appears to have been rejected. It looks similar to the one above. Can you confirm whether this is anything to be worried about, and whether I can whitelist them?
Apr 22 08:45:56 plesk2 greylist[28142]: IP 213.2.207.27 OK - accepting
Apr 22 08:45:56 plesk2 spamdyke[28140]: DENIED_RDNS_RESOLVE from: email1@domain1.co.uk to: charlesthomas@emailitis.com origin_ip: 213.2.207.27 origin_rdns: host3.onepaper.co.uk auth: (unknown)
Apr 22 08:45:56 plesk2 relaylock: /var/qmail/bin/relaylock: mail from 213.2.207.27:1197 (host3.onepaper.co.uk)
Apr 22 08:45:56 plesk2 greylist[28145]: IP 213.2.207.27 OK - accepting
Apr 22 08:45:57 plesk2 spamdyke[28143]: DENIED_RDNS_RESOLVE from: email2@onepaper.co.uk to: charlesthomas@emailitis.com origin_ip: 213.2.207.27 origin_rdns: host3.onepaper.co.uk auth: (unknown)
I'm half anticipating that I may be recommended to remove the barracuda, but it is so lovely having Spam rejected, and that must be around 90% of all emails hitting the server.

I look forward to hearing from the various gurus!
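Added example, not spamdyke's code: the three connection-time checks faris explains in his Apr 18 post (reject-empty-rdns, reject-unresolvable-rdns, reject-missing-sender-mx), plus the rdns whitelist and the authenticated-session bypass he mentions, applied to the DENIED_RDNS_RESOLVE lines in the post above. The resolver is a constructed table: the IPs and rDNS names come from the log lines in this thread, but which of them do or do not forward-resolve is an assumption made to reproduce those results, not real DNS data. Result labels copy the spamdyke log style; only DENIED_RDNS_RESOLVE and ALLOWED appear on this page, the other two names are assumed. The reply text carries the policy-url, which answers the question about the link: a sender only sees it inside the bounce their own MTA generates from the 554.

```python
"""spamdyke-style rDNS / sender-MX checks with whitelist and auth bypass.

Added example, not spamdyke's code. DNS below is a constructed table; the
btopenworld and onepaper names deliberately have no A record so that the
DENIED_RDNS_RESOLVE results from the thread are reproduced.
"""

DNS = {  # constructed; not real zone data
    "PTR": {
        "213.123.131.141": "host213-123-131-141.in-addr.btopenworld.com",
        "213.2.207.27": "host3.onepaper.co.uk",
        "205.188.249.131": "omr-d33.mx.aol.com",
    },
    "A": {
        "omr-d33.mx.aol.com": ["205.188.249.131"],
        "mail.example.net": ["198.51.100.25"],
    },
    "MX": {
        "aol.com": ["mailin-01.mx.aol.com"],
        "domain.co.uk": ["mail.example.net"],
    },
}


def lookup(rrtype, name, dns=DNS):
    """Stand-in for a real resolver; PTR returns a name or None, A/MX a list."""
    return dns[rrtype].get(name, None if rrtype == "PTR" else [])


def rdns_whitelisted(name, whitelist):
    """Exact name, or a leading-dot entry matching any name with that suffix
    (assumed to be the rdns-whitelist-file format)."""
    for entry in whitelist:
        if entry.startswith("."):
            if name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def check_sender_domain(sender):
    """reject-missing-sender-mx: the envelope sender's domain needs an MX or,
    per RFC 5321 implicit MX, an A record. The null sender used by bounces has
    no domain and must pass, or every DSN (including your own) is refused."""
    if sender in ("", "<>"):
        return None
    domain = sender.rpartition("@")[2].lower()
    if lookup("MX", domain) or lookup("A", domain):
        return None
    return "DENIED_SENDER_NO_MX"


def check_connection(ip, sender, authenticated=False, rdns_whitelist=(),
                     policy_url="http://www.yourwebsite.com/emailterms.html"):
    """Return (label, smtp_reply); smtp_reply is None when the mail is allowed."""
    if authenticated:
        return ("ALLOWED", None)            # authenticated users bypass all filters
    rdns = lookup("PTR", ip)
    if rdns is None:
        label = "DENIED_RDNS_MISSING"       # reject-empty-rdns
    elif rdns_whitelisted(rdns, rdns_whitelist):
        return ("ALLOWED", None)            # whitelist wins over the rDNS tests
    elif not lookup("A", rdns):
        label = "DENIED_RDNS_RESOLVE"       # reject-unresolvable-rdns
    else:
        label = check_sender_domain(sender)
    if label is None:
        return ("ALLOWED", None)
    # reply wording is constructed; the URL reaches the sender only inside the
    # bounce that their own MTA builds from this 554 response
    return (label, "554 Refused. %s. See %s" % (label, policy_url))


if __name__ == "__main__":
    print(check_connection("213.123.131.141", "known@domain.co.uk"))
    print(check_connection("213.123.131.141", "known@domain.co.uk",
                           rdns_whitelist=(".in-addr.btopenworld.com",)))
    print(check_connection("205.188.249.131", ""))
```

The whitelist case is the fix for the btopenworld sender: one suffix entry lets that ISP's generic rDNS through without loosening reject-unresolvable-rdns for everyone else. Replace `lookup` with real PTR/A/MX queries to use it outside the demo.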

Re: Strange mail behaviour - various rejection - OH HELP

Posted: Wed Apr 22, 2009 3:11 pm
by coolemail
HELP ME, PLEASE!!! :?

I have stopped qmail from running somehow. I forgot to "Make a backup of /etc/xinetd.d/smtp_psa just in case" as Faris said.

I did:

yum remove qgreylist
/etc/init.d/xinetd restart
then when it was not working, have since done:

/etc/init.d/qmail start
killall -9 /var/qmail/bin/qmail-smtpd
/etc/init.d/xinetd start
/etc/init.d/qmail start
/etc/init.d/courier-imap restart
then when qmail was not working, tried removing spamdyke as well with

yum remove spamdyke
and I still cannot get qmail back on.

PLEASE HELP someone :cry:

EDIT /etc/xinetd.d/smtp_psa is as follows - can I amend server_args to get it working?
service smtp
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
env = SMTPAUTH=1 SHORTNAMES=1
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /usr/sbin/rblsmtpd -r sbl-xbl.spamhaus.org -r bl.spamcop.net /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
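Added example, not code from the thread: a checker for the server_args chain above. xinetd hands the connection to tcp-env, which execs the next absolute path in server_args, which execs the next, and so on down to qmail-smtpd and its auth helpers; if any program in that chain is no longer on disk, the exec fails and port 25 is dead with nothing useful in the log. The script parses the stanza, splits it into links with their options (-Rt0 belongs to tcp-env, the -r lists to rblsmtpd), reports which programs are missing under a given root, and rebuilds server_args with dead wrappers removed, refusing if qmail-smtpd or anything after it is what is missing. The stanza is copied from the post; the fake filesystem root, and the choice of /var/qmail/bin/greylist as the binary gone after `yum remove qgreylist`, are constructed for the demonstration and not something the thread confirms.

```python
"""Find the broken link in the qmail-smtpd wrapper chain in smtp_psa.

Added example, not from the thread. The stanza is the one posted above; the
fake root and the missing greylist binary are constructed.
"""
import os
import re
import shlex
import tempfile

SMTP_PSA = """\
service smtp
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
env = SMTPAUTH=1 SHORTNAMES=1
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /usr/sbin/rblsmtpd -r sbl-xbl.spamhaus.org -r bl.spamcop.net /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
"""

ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_stanza(text):
    """xinetd 'key = value' lines -> dict (a repeated key's last value wins)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def chain_links(attrs):
    """Split server + server_args into [(program, [its options]), ...].
    Every absolute path starts a new link; other tokens belong to the
    program before them."""
    tokens = [attrs["server"]] + shlex.split(attrs["server_args"])
    links = []
    for tok in tokens:
        if tok.startswith("/"):
            links.append((tok, []))
        elif links:
            links[-1][1].append(tok)
        else:
            raise ValueError("option before any program: " + tok)
    return links


def missing_links(links, root="/"):
    """Programs in the chain that are not executable under root."""
    return [prog for prog, _ in links
            if not os.access(os.path.join(root, prog.lstrip("/")), os.X_OK)]


def pruned_server_args(attrs, root="/"):
    """server_args with missing *wrappers* (links before qmail-smtpd) dropped.
    tcp-env, qmail-smtpd and the auth helpers after it are essential: if one
    of those is missing, refuse rather than hand back a half-chain."""
    links = chain_links(attrs)
    gone = set(missing_links(links, root))
    try:
        smtpd = next(i for i, (p, _) in enumerate(links)
                     if os.path.basename(p) == "qmail-smtpd")
    except StopIteration:
        raise ValueError("chain has no qmail-smtpd")
    essential = {0} | set(range(smtpd, len(links)))
    broken = [links[i][0] for i in sorted(essential) if links[i][0] in gone]
    if broken:
        raise RuntimeError("essential program(s) missing: " + ", ".join(broken))
    tokens = list(links[0][1])                     # tcp-env's own options (-Rt0)
    for i, (prog, opts) in enumerate(links[1:], 1):
        if i < smtpd and prog in gone:
            continue                               # drop the dead wrapper
        tokens.append(prog)
        tokens.extend(opts)
    return " ".join(tokens)


def chain_is_repairable(attrs, root="/"):
    try:
        pruned_server_args(attrs, root)
        return True
    except RuntimeError:
        return False


def make_fake_root(present):
    """Temp dir with executable stubs at the given absolute paths (demo only)."""
    root = tempfile.mkdtemp()
    for p in present:
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(full, 0o755)
    return root


if __name__ == "__main__":
    attrs = parse_stanza(SMTP_PSA)
    print("missing on this host:", missing_links(chain_links(attrs)))
```

Run with root="/" on the box itself, the missing list is the first thing to look at after a package removal; the pruned string is what to paste back into server_args, after backing the file up and before restarting xinetd.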

Re: Strange mail behaviour - various rejection

Posted: Wed Apr 22, 2009 3:34 pm
by biggles
Here's mine if it is any help:

service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        env             =  SMTPAUTH=1
        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0  /var/qmail/bin/relaylock  /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}