SpamBlocker 4.3.0, BlockCracking, Easy Spam Fighter, and new exim.pl

Sending messages with the IP assigned to the reseller/user

Hello

I previously used the customizations proposed in this thread (http://forum.directadmin.com/showthread.php?t=36468&page=3&p=231599#post231599) for messages sent using the IP assigned to the reseller/user, which worked perfectly.

Code:
local_interfaces = SERVER IP : RESELLER/USER IP : RESELLER/USER IP : RESELLER/USER IP : ...
smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/virtual/smtp_active_hostnames}{$value}}
smtp_banner = "$smtp_active_hostname ESMTP $tod_full"
Code:
remote_smtp:
  driver = smtp
  interface = "${lookup{$smtp_active_hostname}lsearch{/etc/virtual/domainips}{$value}{SERVER IP}}"
  helo_data = "${lookup{$sending_ip_address}lsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}"

With this new Exim SpamBlocker 4.3.0 configuration, I guess messages sent using the IP assigned to the reseller/user are already included.

But with this line in "remote_smtp", sending messages from the user IP is not working properly:

Code:
interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch{/etc/virtual/domainips}}}}

Now I have only these two files created in "/etc/virtual", with this content:

helo_data
Code:
Server IP  :     Hostname
Reseller IP:     Reverse
Reseller IP:     Reverse
...

domainips
Code:
Hostname:   Server IP
Reverse :   Reseller IP
Reverse :   Reseller IP
...

But if I change "$sender_address_domain" to "$smtp_active_hostname" in the line above, messages are again sent from the IP assigned to the user:

Code:
interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$smtp_active_hostname}lsearch{/etc/virtual/domainips}}}}

I don't know if this is an error.

Greetings and thanks
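The post above hinges on what key a lookup against /etc/virtual/domainips actually receives. As an added example (not code from the thread, DirectAdmin or Exim), the script below re-implements the subset of Exim's lsearch lookup the posted snippets rely on (linear search, "key: value" per line, '#' comments, case-insensitive key, first match wins), shows the fallback to the server IP when the file is keyed by reverse names but looked up by $sender_address_domain, and then cross-checks domain -> IP (domainips) -> HELO name (helo_data) -> PTR, which is what a per-user sending IP is meant to keep aligned. Every file body and the PTR table are constructed sample data; nothing here resolves DNS.

```python
"""Added example: emulate Exim lsearch lookups on domainips/helo_data and
cross-check that each domain's outbound IP, HELO name and PTR agree.
All data below is constructed; field layouts follow the post above."""
import re

# Constructed /etc/virtual/domainips keyed by sender domain, the key that a
# lookup on $sender_address_domain actually presents.
DOMAINIPS_BY_DOMAIN = """\
# domain:             outbound IP
server.example.net:   192.0.2.10
userdomain.com:       192.0.2.20
otherdomain.org:      192.0.2.30
orphan.example:       192.0.2.40
"""

# Constructed file in the layout from the post (keyed by reverse name): a
# lookup on $sender_address_domain finds nothing here and takes the default.
DOMAINIPS_BY_REVERSE = """\
server.example.net:   192.0.2.10
mail.userdomain.com:  192.0.2.20
"""

# Constructed /etc/virtual/helo_data keyed by IP ($sending_ip_address).
HELO_DATA = """\
192.0.2.10:  server.example.net
192.0.2.20:  mail.userdomain.com
192.0.2.30:  mail.otherdomain.org
"""

# Constructed stand-in for reverse DNS; a real check would query PTR records.
PTR = {
    "192.0.2.10": "server.example.net",
    "192.0.2.20": "mail.userdomain.com",
    "192.0.2.30": "smtp.otherdomain.org",  # deliberately disagrees with HELO
}

_ENTRY = re.compile(r"^\s*([^:\s]+)\s*:?\s*(.*?)\s*$")


def parse_lsearch(text: str) -> dict:
    """Parse lsearch-style 'key: value' lines (first occurrence of a key wins)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m:
            table.setdefault(m.group(1).lower(), m.group(2))
    return table


def lookup(text: str, key: str, default: str) -> str:
    """Emulate ${lookup{key}lsearch{file}{$value}{default}} (case-insensitive key)."""
    return parse_lsearch(text).get(key.lower(), default)


def check_alignment(domainips: str, helo_data: str, ptr: dict) -> dict:
    """Per domain: 'ok' only if its IP has a HELO name and the PTR matches it."""
    helos = parse_lsearch(helo_data)
    report = {}
    for domain, ip in parse_lsearch(domainips).items():
        helo = helos.get(ip)
        if helo is None:
            report[domain] = f"no helo_data entry for {ip}"
            continue
        rname = ptr.get(ip)
        if rname is None:
            report[domain] = f"no PTR for {ip}"
        elif rname.lower() != helo.lower():
            report[domain] = f"PTR {rname} does not match HELO {helo}"
        else:
            report[domain] = "ok"
    return report


if __name__ == "__main__":
    SERVER_IP = "192.0.2.10"
    # Keyed by reverse name, the sender-domain lookup misses and falls back
    # to the server IP, which is the symptom the post describes.
    print(lookup(DOMAINIPS_BY_REVERSE, "userdomain.com", SERVER_IP))  # 192.0.2.10
    print(lookup(DOMAINIPS_BY_DOMAIN, "userdomain.com", SERVER_IP))   # 192.0.2.20
    for dom, status in check_alignment(DOMAINIPS_BY_DOMAIN, HELO_DATA, PTR).items():
        print(f"{dom:20s} {status}")
```

Point the constants at the real files and replace the PTR dict with actual reverse lookups to turn this into a pre-flight check before switching a user onto a dedicated sending IP; a HELO name whose PTR does not point back at the sending IP is the first thing remote servers score against.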
 
Hello John, I have the latest exim and ESF but emails to my server are still being rejected:

2015-04-16 13:05:44 1Yip6e-0001Zg-IJ H=mail32.******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:20:45 1YipLA-0001t4-Mc H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:20:45 1YipLB-0001t5-I4 H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:24:59 1YipPH-0001zO-GU H=host.********.com [***.***.15.130] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:35:45 1YipZh-0002Av-GU H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:35:46 1YipZi-0002Aw-BB H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:50:47 1YipoF-0002Td-AK H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:50:48 1YipoG-0002Te-61 H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

I reinstalled exim using http://help.directadmin.com/item.php?id=576 but emails are still being rejected. I also added the domain name to the esf_skip_senders list as *domain.com, but that also had no effect. Is there anything else that I might be missing apart from the instructions in the install KB?

Thanks
Sukh
 
100% email blocking, even at the shell/script level. Zero sends through exim?

/etc/virtual/blacklist_usernames
philocal:1429084800

Message System
000000286 Warning: 1 emails have been sent yesterday by philocal Today at 00:46

The top authenticated user was philocal, at 1 emails.
This accounts for 100% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.

The most common path that the messages were sent from is /home/philocal/domains/userdomain.com/public_html/wp-content/uploads/2014, at 1 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

The top sending script was /home/philocal/domains/userdomain.net/public_html/wp-includes/js/jquery/test.php:2, at 74131 emails, (7413100%).
Because the bulk of the emails have been sent by the script, please check it to confirm it has not been compromised.

I hope this feature will prevent server ip from getting blacklisted.
 
The new exim.pl and exim.conf result in double counted emails.

I can confirm this bug. I've noticed the same on my servers.

One sent email results in 2 counted emails sent.

This is the part of /etc/virtual/usage/user.bytes for just 1 email sent (notice 2 entries for 1 email):
--- CUT ---
502=type=email&[email protected]&method=outgoing&id=&[email protected]&sender_host_address=87.205.49.24&log_time=1429703091&message_size=502&local_part=user&domain=recipientdomain.com&path=/etc
751=type=email&[email protected]&method=outgoing&id=1Ykt5I-001lLn-A8&[email protected]&sender_host_address=87.205.xx.xx&log_time=1429703092&message_size=751&local_part=user&domain=recipientdomain.com&path=/etc
--- CUT ---

My configuration:
Exim 4.85
Exim.conf 4.3.3
Exim.pl 19-alpha2

When downgraded to older exim.conf and exim.pl it counts emails correctly.
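The two user.bytes lines quoted above are the whole evidence for the double count: the same delivery first logged with an empty id= and then again one second later with the Exim message id. As an added example (not from the thread or from DirectAdmin's exim.pl), the script below parses that "<size>=<querystring>" layout and flags exactly such pairs, so the real number of messages sent can be recovered from an affected log. The field names email= and authenticated_id= are assumptions (the post's copies were obfuscated); all sample lines are constructed and include one id-less entry with no partner, which must not be collapsed.

```python
"""Added example: parse /etc/virtual/usage/<user>.bytes entries and collapse
the id-less/with-id duplicate pairs described in the post. Sample data is
constructed; email= and authenticated_id= are assumed field names."""
from urllib.parse import parse_qs

SAMPLE_BYTES = """\
502=type=email&email=user%40senderdomain.com&method=outgoing&id=&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703091&message_size=502&local_part=user&domain=recipientdomain.com&path=/etc
751=type=email&email=user%40senderdomain.com&method=outgoing&id=1ZZZZ1-000001-AA&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703092&message_size=751&local_part=user&domain=recipientdomain.com&path=/etc
640=type=email&email=user%40senderdomain.com&method=outgoing&id=1ZZZZ2-000002-BB&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703150&message_size=640&local_part=bob&domain=example.org&path=/etc
480=type=email&email=user%40senderdomain.com&method=outgoing&id=&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703200&message_size=480&local_part=alice&domain=example.net&path=/etc
733=type=email&email=user%40senderdomain.com&method=outgoing&id=1ZZZZ3-000003-CC&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703200&message_size=733&local_part=alice&domain=example.net&path=/etc
300=type=email&email=user%40senderdomain.com&method=outgoing&id=&authenticated_id=user%40senderdomain.com&sender_host_address=198.51.100.24&log_time=1429703300&message_size=300&local_part=carol&domain=example.com&path=/etc
"""

# Fields that must agree for two entries to describe the same message.
MATCH_FIELDS = ("email", "authenticated_id", "sender_host_address",
                "local_part", "domain", "path")


def parse_entry(line: str) -> dict:
    """Split '<size>=<querystring>' and flatten the query string to one value per key.
    keep_blank_values is essential: the duplicate's id= is empty, not absent."""
    size, _, qs = line.partition("=")
    fields = {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}
    fields["size"] = size
    return fields


def find_duplicates(entries: list, window: int = 2) -> list:
    """Pair each id-less entry with one id-bearing entry for the same message
    (same sender, auth user, client IP, recipient and path) logged within
    `window` seconds. Returns (idless_index, with_id_index) pairs."""
    pairs, used = [], set()
    for i, e in enumerate(entries):
        if e.get("id"):
            continue
        for j, f in enumerate(entries):
            if j == i or j in used or not f.get("id"):
                continue
            same = all(e.get(k) == f.get(k) for k in MATCH_FIELDS)
            close = abs(int(f["log_time"]) - int(e["log_time"])) <= window
            if same and close:
                pairs.append((i, j))
                used.add(j)
                break
    return pairs


def count_sent(text: str) -> tuple:
    """Return (raw entry count, count after collapsing duplicate pairs)."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return len(entries), len(entries) - len(find_duplicates(entries))


if __name__ == "__main__":
    rows = [parse_entry(l) for l in SAMPLE_BYTES.splitlines()]
    for i, j in find_duplicates(rows):
        print(f"entry {i} (id='') duplicates entry {j} (id={rows[j]['id']})")
    print("raw=%d deduplicated=%d" % count_sent(SAMPLE_BYTES))
```

The unpaired id-less entry (the last sample line) is left counted on purpose: without a matching id-bearing record within the window there is no evidence it was double-logged, and silently dropping it would under-report a user who is actually sending.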
 
That wouldn't be the correct way of handling email. If SPF is not present, there is no warning either; it's just ignored.
There should only be a block if DKIM or SPF is present and incorrect.
So what you want is a personal choice imho (which of course may also be asked for).
 
As noted earlier in the thread, spamassassin is using a non-existent map:
Code:
Apr 24 16:42:18 alpha spamd[13841]: spamd: connection from localhost [127.0.0.1]:57755 to port 783, fd 5
Apr 24 16:42:18 alpha spamd[13841]: spamd: setuid to nobody succeeded
Apr 24 16:42:18 alpha spamd[13841]: spamd: creating default_prefs: //.spamassassin/user_prefs
Apr 24 16:42:18 alpha spamd[13841]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Apr 24 16:42:18 alpha spamd[13841]: spamd: checking message <[email protected]> for nobody:99
Apr 24 16:42:20 alpha spamd[13841]: pyzor: check failed: internal error, python traceback seen in response
Apr 24 16:42:22 alpha spamd[13841]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.alpha.xxx.nl.13841 for /.spamassassin/bayes.lock: Permission denied
Apr 24 16:42:22 alpha spamd[13841]: spamd: clean message (-0.8/5.0) for nobody:99 in 4.4 seconds, 2622 bytes.
Apr 24 16:42:22 alpha spamd[13841]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,TVD_SPACE_RATIO scantime=4.4,size=2622,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57755,mid=<[email protected]>,autolearn=unavailable autolearn_force=no
Apr 24 16:42:22 alpha dovecot[29728]: lmtp(16568): Connect from local
Apr 24 16:42:22 alpha spamd[13832]: prefork: child states: II

As far as I can see, spamd does not setuid to the user of the domain, so it can't open the user_prefs file.
 
@Ankh: we have two options here. You can either create /.spamassassin, chowned to nobody:mail, 770,
Or I'd have to change SB to not use SA if the User doesn't have SpamAssassin turned on.

I'm thinking SB shouldn't be scanning with SA if the User hasn't turned it on in their account, but am open to suggestions on that.

@remikk: greylisting would be nice, but it requires quite a lot of overhead in terms of database management, installation, etc. I won't rule it out, but it's not currently high on the list. We can push it higher if there is actually a lot of demand for it.

John
 
+1 for greylisting. Why not make it a plugin and sell it for 10 USD?
 
@Ankh: we have two options here. You can either create /.spamassassin, chowned to nobody:mail, 770,
Or I'd have to change SB to not use SA if the User doesn't have SpamAssassin turned on.

I'm thinking SB shouldn't be scanning with SA if the User hasn't turned it on in their account, but am open to suggestions on that.
The mail is for me and I have turned on SA. The question is: should it setuid to my user? Because that hasn't happened.
 
For one outside sender to my server I have DKIM rejected:
Code:
2015-04-25 12:12:47 1Ylx4p-000CFu-Qk DKIM: d=albeco.com.pl s=default c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]
2015-04-25 12:12:47 1Ylx4p-000CFu-Qk H=albeco.com.pl (aquarius.albeco.com.pl) [92.43.112.9] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

How do I resolve it? I think it should pass with 100 points from Easy Spam Fighter, but this sender is rejected.
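Both this post and Sukh's log earlier in the thread show the same verifier outcome: "public key record (currently?) unavailable", i.e. Exim could not fetch the signer's public key from DNS and the ACL turned that into a 4xx. As an added example (not code from the thread, Exim or ESF), the script below derives the name Exim queried from the d= and s= values in the log line (default._domainkey.albeco.com.pl) and classifies what a TXT answer at such a name would mean: no record, a revoked key (empty p=), a record split across several quoted TXT strings, or a valid key. Only the selector and domain come from the page; the DKIM-Signature header around them and every TXT record are constructed samples, not the real zone. The resolution step itself is left to the operator (e.g. dig TXT default._domainkey.albeco.com.pl); this code only parses.

```python
"""Added example: derive the DKIM key query name from a signature and classify
a TXT record at that name. Selector/domain from the post's log line; the
header body and all records are constructed samples."""
import base64
import re
from typing import Optional

# Constructed header; only s= and d= are taken from the log line in the post.
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=albeco.com.pl; s=default;\r\n"
    "\th=from:to:subject:date; bh=c29tZSBib2R5IGhhc2g=; b=c2lnbmF0dXJl"
)

# Constructed TXT records (the p= value is short dummy base64, not a real key).
GOOD_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
# As dig prints a long record: quoted strings that must be joined before parsing.
SPLIT_RECORD = ['"v=DKIM1; k=rsa; "', '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"']


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376): ';' separated, folding whitespace ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_query_name(signature_header: str) -> str:
    """selector._domainkey.domain: the TXT name a verifier fetches the key from."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def join_txt_strings(strings: list) -> str:
    """TXT answers over 255 bytes arrive as several quoted strings; concatenate
    them with no separator, exactly as the verifier must."""
    return "".join(s.strip().strip('"') for s in strings)


def classify_dkim_record(txt: Optional[str]) -> str:
    """Map a TXT record (or its absence) to the verification outcome it causes."""
    if txt is None:
        return "pubkey_unavailable: no TXT record at the selector name"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid: v= tag is not DKIM1"
    if "p" not in tags:
        return "invalid: required p= tag missing"
    if tags["p"] == "":
        return "revoked: empty p= tag (key revoked by the domain owner)"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid: p= tag is not valid base64"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return f"invalid: unsupported key type k={tags['k']}"
    if "y" in tags.get("t", "").split(":"):
        return "valid (testing mode, t=y: failures should not be treated as final)"
    return "valid"


if __name__ == "__main__":
    print("query:", dkim_query_name(SIGNATURE))
    for label, rec in (("missing", None), ("good", GOOD_RECORD),
                       ("revoked", REVOKED_RECORD),
                       ("split", join_txt_strings(SPLIT_RECORD))):
        print(f"{label:8s} {classify_dkim_record(rec)}")
```

When a receiving server defers on pubkey_unavailable, the useful check is to run the same TXT query from that server: a record that resolves from elsewhere but not from the MX points at the receiver's resolver (DNSSEC validation failure, truncation, or a blocked query) rather than at the sender's zone.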
 
To find out which version of exim.conf you have, run this:

Code:
head /etc/exim.conf

or

Code:
/usr/local/directadmin/custombuild/build options | grep exim.conf
 
To get 10/10 at mail-tester.com, the default first Received header is wrong:

Received: from localhost ([127.0.0.1] helo=<IP>)
by <HOSTNAME> with esmtpa (Exim 4.85)

To get that one removed, add:
headers_remove = Received

to comment 61

Like:

#COMMENT#61:
remote_smtp:
driver = smtp
.include_if_exists /etc/exim.dkim.conf
headers_remove = Received
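As an added example following the post above (not code from the thread or Exim), the script below works on a constructed message in the shape the post describes: a localhost hop with helo=<IP> on top of the real client hop. It unfolds the header block, lists the Received: chain, and then shows the two possible edits side by side: dropping only the Received: line that names 127.0.0.1/::1, and dropping every Received: header, which is what a transport-level headers_remove = Received does to the message as delivered. Hostnames, addresses, ids and dates are invented.

```python
"""Added example: inspect and filter Received: headers. The message below is a
constructed sample in the layout described in the post; everything in it is
invented except the header names and the helo=<IP> form."""
import re

SAMPLE_MSG = (
    "Received: from localhost ([127.0.0.1] helo=192.0.2.10)\n"
    "\tby mail.example.net with esmtpa (Exim 4.85)\n"
    "\tid 1ZZZZ1-000001-AA; Thu, 16 Apr 2015 13:05:44 +0200\n"
    "Received: from [198.51.100.7] (port=51234 helo=laptop)\n"
    "\tby mail.example.net with esmtpsa (Exim 4.85)\n"
    "\tid 1ZZZZ0-000000-ZZ; Thu, 16 Apr 2015 13:05:43 +0200\n"
    "From: user@example.net\n"
    "To: someone@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# A Received: field whose "from" clause is the loopback address.
_LOCALHOST_HOP = re.compile(r"^received:\s*from localhost \(\[(127\.0\.0\.1|::1)\]", re.I)


def split_headers(raw: str):
    """Return (list of unfolded header fields, body). Lines starting with
    whitespace continue the previous field (RFC 5322 folding)."""
    head, _, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    return fields, body


def join_message(fields, body: str) -> str:
    """Reassemble header fields and body into a message string."""
    return "\n".join(fields) + "\n\n" + body


def received_hops(raw: str) -> list:
    """Whitespace-normalised value of every Received: field, outermost first."""
    hops = []
    for f in split_headers(raw)[0]:
        if f.lower().startswith("received:"):
            hops.append(" ".join(f.split(":", 1)[1].split()))
    return hops


def drop_localhost_received(raw: str) -> str:
    """Remove only Received: fields describing a hop from 127.0.0.1 or ::1."""
    fields, body = split_headers(raw)
    return join_message([f for f in fields if not _LOCALHOST_HOP.match(f)], body)


def drop_all_received(raw: str) -> str:
    """Remove every Received: field, the effect of headers_remove = Received
    on a transport: the client hop and any upstream hops go too."""
    fields, body = split_headers(raw)
    return join_message([f for f in fields if not f.lower().startswith("received:")], body)


if __name__ == "__main__":
    print("original:      ", received_hops(SAMPLE_MSG))
    print("localhost only:", received_hops(drop_localhost_received(SAMPLE_MSG)))
    print("all removed:   ", received_hops(drop_all_received(SAMPLE_MSG)))
```

Running it makes the trade-off visible: the narrow filter leaves the client hop (which carries the submitting IP and the authenticated-session marker esmtpsa) intact for later abuse investigation, while the all-removing variant strips that evidence from every outbound message.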
 