Setup problems - rejecting everything

mark-a · January 19, 2024, 10:13pm

Hi,
For the past month I have been trying to get MiaB to work. For the most part I have managed to get it partly working by doing bad things.

First nothing internal was getting in, everything rejected, external made it in.
I added addresses into the spamassassin for the internal trusted addresses, did not make any difference.

So for the internal this is what I see in my mail gateway server:

Sender address rejected: Domain not found

I got around this by adding an AAAA entry into the external DNS for some of my internal servers, problem i have several hundred internal servers sending error messages by email all with a from address of servername.myrealdomain.com and with several hundred servers well…, so this is not workable for the long term.

next problem is all the internal messages get placed into JUNK
this is what i see in the headers:

X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
** mail.xxxxxxxxxxx.com**
X-Spam-Level: ****************
X-Spam-Status: No, score=14.2 required=20.0 tests=ALL_TRUSTED,DKIM_INVALID,
** DKIM_SIGNED,DMARC_FAIL_REJECT,HTML_MESSAGE,SPF_FAIL,
** T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6**
X-Spam-Report:
** * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP**
** * 10 DMARC_FAIL_REJECT DMARC check failed (p=reject)**
** * 5.0 SPF_FAIL SPF check failed**
** * 0.0 HTML_MESSAGE BODY: HTML included in message**
** * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily**
** * valid**
** * 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid**
** * -0.0 T_SCC_BODY_TEXT_LINE No description available.**

so to get around this i set the spam score to 20

SO…
What i am looking for is 3 things for all my internal servers,

1 - ignore the domain name
2 - ignore the spf
3 - ignore the dkim

If I can not find a solution for these 3 issues I will be forced to declare MiaB as a failure and scrap it.

eXTric · January 20, 2024, 9:06am

Are you hosting miab yourself behind a firewall or using a VPS.

KiekerJan · January 20, 2024, 9:22am

Looks like your deployment is different than usual so I limit myself to spamassassin.
You already seem to have gotten SA so far to declare the mail from a trusted source (ALL_TRUSTED), perhaps using this?

trusted_networks 212.17.35.

Further you can look at the following options:
This way you should be able to skip some tests:

shortcircuit ALL_TRUSTED             on

This can be used to change the score of ALL_TRUSTED, thus making a message score so low it is not spam:

score ALL_TRUSTED -50.0

mark-a · January 20, 2024, 3:06pm

hosting myself behind a firewall and behind an e-mail gateway appliance.

I was using postfix with thunderbird, the purpose of trying MiaB was to get a WEB based e-mail solution.

andrew · January 20, 2024, 10:21pm

My system is much smaller but along the same lines. What’s I’ve done to handle “internal” email is shown below.

This has been sufficient for me - the only hassle being that the first email from each server gets greylisted, but subsequent emails get through. (I haven’t bothered working out how to bypass greylisting for internal addresses, or how to have the internal servers do proper resends, I just send an initial email from each to start greylisting!)

(If you’re not familiar with old style < and > patch text, the < lines get removed and replaced by the > lines.)

In /etc/fail2ban/jail.d/mailinabox.conf, add your server addresses and also your router’s internal address (necessary if it does “hairpin” routing of connections from internal servers to your external addresses.)

< [DEFAULT]
< ignoreip = 127.0.0.1/8 <your.MIAB.IP.address>
> [DEFAULT]
> ignoreip = 127.0.0.1/8 <your.MIAB.IP.address> ::1 <your.local.server.subnet> <your.hairpin.router.address>

In /etc/postfix/main.cf, adjust the mynetworks line to include local servers and/or subnets:

< mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <your.local.server.IPv4subnet> <your.local.server.IPv6subnet>

Add a file /etc/mail/spamassassin/99_local.cf

> # local spamassissin config for MIAB
> # whitelist reports from local servers
> whitelist_from *@*.your.local.server.domain

There are several services that then need to be restarted … I just reboot the box

I think the first couple of changes get clobbered by upgrades; check and/or redo after each upgrade.

mark-a · January 21, 2024, 5:49pm

I had the trusted_networks and shortcircuit
added score ALL_TRUSTED -50.0 and that does solve the missing spf and dkim issue
Thank you

mark-a · January 23, 2024, 5:53pm

After making the changes to fail2ban things got strange.
sometimes it works and sometimes it does not.

When it is not working, the mail gateway goes into a loop retrying every 30 minutes.
the error recieved back from MiaB is:

status=deferred (host miab.domain.con] said: 450 4.1.8 root@server.domain.com: Sender address rejected: Domain not found (in reply to RCPT TO command))

after about 6 hours of this error it suddenly works for many hours.

I have been watching this for a few days, and do not see a “time” coloration.

andrew · January 23, 2024, 10:08pm

Hmmm. Ok, more stuff I’ve done that slipped my mind.

I’ve put A, AAAA, and MX records for each local server into MIAB’s custom DNS page. (There are no email users for those servers.)

And I can see email aliases (ubuntu, abuse, admin, postmaster) directing to the main administrator. I don’t recall creating those aliases, so perhaps they were generated by the system.

system · January 30, 2024, 10:09pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.