Private mails to admin delivered


NethServer Version: 7.9
Hello, yesterday I got new incoming mails of all mail users delivered to the admin account. This behavior is unwanted and not configured in settings.

The mail header does not list the administrator's mail address, but the private mail addresses of the users.
How can this be?

I think this is a blatant violation of privacy and I want to prevent this at all costs. What can, or must I do?

Sincerely, Marko

Can you reproduce the issue by sending a mail to one of your users?

Did you already check /var/log/maillog to get information about delivered mails?

Were there changes the last days, did you update or configure something?

Please also check mail destinations/forwardings, mail groups or maybe piler config…

Can you reproduce the issue by sending a mail to one of your users?

After restarting the server, the problem disappeared. The phenomenon includes mails from April 27 to May 7, but all of them were delivered to the admin account at the same time on May 9.

Were there changes the last days, did you update or configure something?

Nothing, only automated updates.

Please also check mail destinations/forwardings, mail groups or maybe piler config…

On this server Piler is not installed. There are no abnormalities in the groups.

Within the rspamd history, the mails are all documented as delivered to the correct addressee.

Did you already check /var/log/maillog to get information about delivered mails?

This is a difficult question, because I do not know what to look for.
I have now done the following:

The last affected mail, for example, was delivered to the client on 7.5. at 14:14. Around this time, maillog has the following entries.

[root@ns log]# cat /var/log/maillog-20220508 | grep "May  7 14:14"
May  7 14:14:32 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:440: finished expiry step 7: 507 items checked, 57 significant (0 made persistent), 20 insignificant (0 ttls set), 12 common (0 discriminated), 418 infrequent (0 ttls set), 1 mean, 3 std
May  7 14:14:32 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:440: finished expiry cycle in 7 steps: 6463 items checked, 370 significant (0 made persistent), 276 insignificant (0 ttls set), 101 common (0 discriminated), 5716 infrequent (0 ttls set), 2 mean, 4 std
May  7 14:14:32 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:447: tokens occurrences, in ham: {0:4186,1:1858,2:126,3:61,4:37,}
May  7 14:14:32 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:447: tokens occurrences, in spam: {0:1899,1:3680,2:414,3:96,4:42,5:39,}
May  7 14:14:32 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:447: tokens occurrences, total: {1:5430,2:496,3:55,4:81,5:57,6:5,7:13,8:25,9:95,10:8,11:3,}
May  7 14:14:59 ns postfix/smtpd[30598]: connect from 69-171-232-146.mail-mail.facebook.com[69.171.232.146]
May  7 14:14:59 ns rspamd[11203]: <af1682>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
May  7 14:18:26 ns postfix/anvil[30600]: statistics: max connection rate 1/60s for (smtp:69.171.232.146) at May  7 14:14:59
May  7 14:18:26 ns postfix/anvil[30600]: statistics: max connection count 1 for (smtp:69.171.232.146) at May  7 14:14:59
May  7 14:18:26 ns postfix/anvil[30600]: statistics: max cache size 1 at May  7 14:14:59
[root@ns log]# cat /var/log/maillog-20220508 | grep "May  7 14:15"
May  7 14:15:00 ns postfix/smtpd[30598]: 7ADAA778B: client=69-171-232-146.mail-mail.facebook.com[69.171.232.146]
May  7 14:15:00 ns rspamd[11203]: <af1682>; milter; rspamd_milter_process_command: got connection from 69.171.232.146:44897
May  7 14:15:00 ns postfix/cleanup[30603]: 7ADAA778B: message-id=<4a296c0a-cdff-11ec-8dec-b3f883d3efc3@facebookmail.com>
May  7 14:15:00 ns rspamd[11203]: <af1682>; proxy; rspamd_message_parse: loaded message; id: <4a296c0a-cdff-11ec-8dec-b3f883d3efc3@facebookmail.com>; queue-id: <7ADAA778B>; size: 15553; checksum: <86a36f57f6936cc985cd940bab5dc773>
May  7 14:15:00 ns rspamd[11203]: <af1682>; proxy; rspamd_mime_part_detect_language: detected part language: de
May  7 14:15:00 ns rspamd[11203]: <af1682>; proxy; rspamd_mime_part_detect_language: detected part language: de
May  7 14:15:00 ns rspamd[11203]: <af1682>; proxy; rspamd_spf_maybe_return: stored record for facebookmail.com (0xe5b300648cca24da) in LRU cache for 300 seconds, 1/2000 elements in the cache
May  7 14:15:01 ns rspamd[11203]: <af1682>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 31; 200 required
May  7 14:15:01 ns rspamd[11203]: <af1682>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 16; 200 required
May  7 14:15:01 ns rspamd[11203]: <af1682>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
May  7 14:15:01 ns rspamd[11203]: <af1682>; lua; greylist.lua:318: Score too low - skip greylisting
May  7 14:15:01 ns rspamd[11203]: <af1682>; lua; neural.lua:315: skip ham sample to keep spam/ham balance; probability 1; 0 spam and 1 ham vectors stored
May  7 14:15:01 ns rspamd[11203]: <af1682>; proxy; rspamd_task_write_log: id: <4a296c0a-cdff-11ec-8dec-b3f883d3efc3@facebookmail.com>, qid: <7ADAA778B>, ip: 69.171.232.146, from: <friendupdates@facebookmail.com>, (default: F (no action): [-8.06/20.00] [WHITELIST_DMARC(-7.00){facebookmail.com:D:+;},AUTOGEN_PHP_SPAMMY(1.00){},SPF_REPUTATION_HAM(-0.80){-0.80730033956365;},DMARC_POLICY_ALLOW(-0.50){facebookmail.com;reject;},IP_REPUTATION_HAM(-0.33){asn: 32934(-0.33), country: US(-0.01), ip: 69.171.232.146(0.00);},R_DKIM_ALLOW(-0.20){facebookmail.com:s=s1024-2013-q3;},R_SPF_ALLOW(-0.20){+ip4:69.171.232.0/24;},MANY_INVISIBLE_PARTS(0.10){2;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},HAS_LIST_UNSUB(-0.01){},MX_GOOD(-0.01){},ASN(0.00){asn:32934, ipnet:69.171.224.0/20, country:US;},DKIM_TRACE(0.00){facebookmail.com:+;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_PHPMAILER_SIG(0.00){},HAS_REPLYTO(0.00){noreply@facebookmail.com;},HAS_X_PRIO_THREE(0.00){3;},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},REPLYTO_DOM_EQ_FROM_DOM(0.00){},RWL_MAILSPIKE_GOOD(0.00){69.171.232.146:from;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 15553, time: 513.538ms, dns req: 52, digest: <86a36f57f6936cc985cd940bab5dc773>, rcpts: <user1@domain.de>, mime_rcpts: <user1@domain.de>
May  7 14:15:01 ns rspamd[11203]: <af1682>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 6 regexps matched, 175 regexps total, 65 regexps cached, 0B scanned using pcre, 18.10KiB scanned total
May  7 14:15:01 ns postfix/qmgr[10881]: 7ADAA778B: from=<friendupdates@facebookmail.com>, size=15869, nrcpt=1 (queue active)
May  7 14:15:01 ns dovecot: lmtp(30615): Connect from local
May  7 14:15:01 ns dovecot: lmtp(user1@domain.de): save: box=INBOX, uid=63, msgid=<4a296c0a-cdff-11ec-8dec-b3f883d3efc3@facebookmail.com>, from="Facebook" <friendupdates@facebookmail.com>, subject==?UTF-8?B?8J+ThCBKYW4gRmFiZXIgaGF0?=? =?UTF-8?B?IGVpbmUgRXJpbm5lcnVu?=? =?UTF..., flags=()
May  7 14:15:01 ns dovecot: lmtp(user1@domain.de): OLmWGMVidmKXdwAAnFmNGg: sieve: msgid=<4a296c0a-cdff-11ec-8dec-b3f883d3efc3@facebookmail.com>: stored mail into mailbox 'INBOX'
May  7 14:15:01 ns dovecot: lmtp(30615): Disconnect from local: Successful quit
May  7 14:15:01 ns postfix/lmtp[30614]: 7ADAA778B: to=<user1@domain.de>, orig_to=<user1@domain.de>, relay=mail.domain.de[/var/run/dovecot/lmtp], delay=1.1, delays=1/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 domain.de OLmWGMVidmKXdwAAnFmNGg Saved)
May  7 14:15:01 ns postfix/qmgr[10881]: 7ADAA778B: removed
May  7 14:15:06 ns postfix/smtpd[30598]: disconnect from 69-171-232-146.mail-mail.facebook.com[69.171.232.146]
May  7 14:15:06 ns rspamd[11203]: <2434d9>; proxy; proxy_milter_finish_handler: finished milter connection
May  7 14:15:45 ns rspamd[11204]: <5jhu13>; lua; bayes_expiry.lua:440: finished expiry step 1: 990 items checked, 27 significant (0 made persistent), 38 insignificant (0 ttls set), 17 common (11 discriminated), 908 infrequent (0 ttls set), 2 mean, 4 std

Not only mails from facebook are affected, but also any other sender.
Best regards, Marko

Today I got user mail delivered as admin again. Does no one have any advice?

I assume user mails were delivered TO admin because mails delivered AS admin would be another issue.

Is there any entry about admin in maillog?

grep admin /var/log/maillog

Maybe you allowed unknown recipients for a domain?


Maybe you are using Mail synchronisation to admin?

Did you setup external mail addresses for the users on “Addresses” page?


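The advice above boils down to "grep maillog for admin", which only finds lines that literally mention the admin address. A more telling check is to compare, for every final delivery, the address Postfix originally accepted the mail for (orig_to=) with the mailbox it was actually handed to (to=), and to catch Sieve redirects that Dovecot logs at delivery time. The following Python snippet is an added example for this thread, not something posted by the original participants or shipped with NethServer. The log lines inside it are constructed for the example (queue IDs, addresses and the Sieve "forwarded to" line are invented, modelled on the Postfix/Dovecot formats seen in the thread); the admin address is an assumption and must be replaced with the real one.

```python
import re
import sys
from typing import Dict, List

# Constructed sample lines (NOT from the original post). The second line shows a
# recipient rewritten to the admin mailbox, the third a Sieve redirect.
SAMPLE_MAILLOG = """\
May  9 08:02:11 ns postfix/lmtp[30614]: 7ADAA778B: to=<user1@domain.de>, orig_to=<user1@domain.de>, relay=mail.domain.de[/var/run/dovecot/lmtp], delay=1.1, delays=1/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 domain.de OLmWGMVidmKXdwAAnFmNGg Saved)
May  9 08:02:12 ns postfix/lmtp[30614]: 8BEEF0001: to=<admin@domain.de>, orig_to=<user2@domain.de>, relay=mail.domain.de[/var/run/dovecot/lmtp], delay=0.9, delays=0.8/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 domain.de AAAAAAAAAAAAAAAAAAAAAA Saved)
May  9 08:02:13 ns dovecot: lmtp(user3@domain.de): sieve: msgid=<x@example.org>: forwarded to <admin@domain.de>
May  9 08:02:14 ns postfix/smtpd[30598]: connect from mail.example.org[203.0.113.5]
"""

# Final delivery by Postfix to Dovecot: queue id, delivered-to and (optional) original recipient.
LMTP_RE = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>"
    r"(?:, orig_to=<(?P<orig_to>[^>]*)>)?"
)
# Dovecot/Pigeonhole logging a Sieve redirect while delivering into a mailbox.
SIEVE_FWD_RE = re.compile(
    r"dovecot: lmtp\((?P<mailbox>[^)]+)\): .*sieve: .*forwarded to <(?P<target>[^>]*)>"
)


def audit_maillog(log_text: str, admin_addr: str) -> List[Dict[str, str]]:
    """Flag deliveries where the mail left its original recipient.

    Three kinds of findings are reported:
      rewritten      - orig_to= differs from to= (alias, forwarding, virtual map)
      admin_delivery - the mail was finally stored in the admin mailbox
      sieve_forward  - a Sieve script in a user's mailbox redirected the mail
    """
    findings: List[Dict[str, str]] = []
    admin = admin_addr.lower()
    for line in log_text.splitlines():
        m = LMTP_RE.search(line)
        if m:
            to = m["to"].lower()
            orig = (m["orig_to"] or m["to"]).lower()
            if orig != to:
                findings.append({"qid": m["qid"], "kind": "rewritten",
                                 "detail": f"{orig} -> {to}"})
            if to == admin:
                findings.append({"qid": m["qid"], "kind": "admin_delivery",
                                 "detail": f"original recipient {orig}"})
            continue
        m = SIEVE_FWD_RE.search(line)
        if m:
            findings.append({"qid": "", "kind": "sieve_forward",
                             "detail": f"{m['mailbox']} -> {m['target']}"})
    return findings


def main() -> None:
    # Usage: python audit_maillog.py admin@domain.de /var/log/maillog [more files...]
    # With no file arguments the constructed sample is analysed instead.
    admin = sys.argv[1] if len(sys.argv) > 1 else "admin@domain.de"  # assumed address
    if len(sys.argv) > 2:
        text = "".join(open(p, encoding="utf-8", errors="replace").read()
                       for p in sys.argv[2:])
    else:
        text = SAMPLE_MAILLOG
    for f in audit_maillog(text, admin):
        print(f"{f['kind']:15} {f['qid'] or '-':12} {f['detail']}")


if __name__ == "__main__":
    main()
```

Run it against the rotated files as well (/var/log/maillog-2022xxxx), since the thread shows the affected deliveries were spread over several days. A "rewritten" finding points at Postfix (destinations, group expansion, forwardings), a bare "sieve_forward" finding points at a user's Sieve script.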
[root@ns ~]# grep admin /var/log/maillog
[root@ns ~]#

Maybe you allowed unknown recipients for a domain?

No.

Did you setup external mail addresses for the users on “Addresses” page?

No

Just to be sure, did you already check the destinations in “Addresses” and the forwardings in “Mailboxes”?
Do you use imapsync or sieve rules?

I have only one forward rule: the local admin to my personalized admin account

affected user

Do you use imapsync or sieve rules?

There could be mail filter rules in mail clients like Roundcube or Thunderbird.

Could this be done by users (not me as root or admin) in their email programs?

Yes, it’s commonly used to automove mails to the right folders.

Can I check this on the server or only involving the users?

Both.

Server side sieve filters are in /var/lib/nethserver/sieve-scripts/ and /var/lib/nethserver/vmail/<user>/.dovecot.sieve or /var/lib/nethserver/vmail/<user>/sieve/*.

Mail clients also have local rules. They are applied when the mail client is started.

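To go through the Sieve locations listed above without opening every file by hand, here is a small added example (written for this thread, not NethServer's or Dovecot's own tooling). It strips Sieve comments, so an "/* empty script */" or a commented-out rule is not reported, and lists only scripts that contain a redirect action, which is the one Sieve action that moves mail to another address; fileinto only sorts mail within the owner's own mailbox. The three sample scripts are constructed for the example, and the directory list mirrors the paths named above.

```python
import os
import re
from typing import Dict, List

# Locations named in the thread; adjust if your layout differs.
SIEVE_ROOTS = ["/var/lib/nethserver/sieve-scripts", "/var/lib/nethserver/vmail"]

COMMENT_BLOCK_RE = re.compile(r"/\*.*?\*/", re.S)       # /* ... */
COMMENT_LINE_RE = re.compile(r"#[^\n]*")                 # # ... to end of line
# redirect, optionally with tags such as :copy, followed by the quoted address
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"')

# Constructed sample scripts (NOT taken from the original poster's server).
EMPTY_SCRIPT = "/* empty script */\n"
SPAM_SCRIPT = (
    'require ["fileinto"];\n'
    'if header :contains "X-Spam-Flag" "YES" {\n'
    '    fileinto "Junk";\n'
    '}\n'
)
FORWARD_SCRIPT = (
    'require ["copy"];\n'
    '# old rule, disabled:\n'
    '# redirect "old@example.org";\n'
    'redirect :copy "admin@domain.de";\n'   # assumed address
)


def strip_comments(script: str) -> str:
    """Remove block and line comments so disabled rules are not reported."""
    return COMMENT_LINE_RE.sub("", COMMENT_BLOCK_RE.sub("", script))


def find_redirects(script: str) -> List[str]:
    """Return every address a Sieve script redirects mail to."""
    return REDIRECT_RE.findall(strip_comments(script))


def scan_sieve_tree(roots=SIEVE_ROOTS) -> Dict[str, List[str]]:
    """Walk the Sieve directories and map each script path to its redirect targets."""
    hits: Dict[str, List[str]] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.endswith(".svbin"):   # compiled scripts, not source
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        targets = find_redirects(fh.read())
                except OSError:
                    continue
                if targets:
                    hits[path] = targets
    return hits


if __name__ == "__main__":
    # Show the classifier on the constructed samples, then scan the real tree.
    for label, script in (("empty", EMPTY_SCRIPT), ("spam", SPAM_SCRIPT),
                          ("forward", FORWARD_SCRIPT)):
        print(f"{label:8} redirects: {find_redirects(script)}")
    for path, targets in scan_sieve_tree().items():
        print(f"{path}: redirect to {', '.join(targets)}")
```

Run it as root so the vmail directories are readable. A script that shows up here forwards mail out of the owner's mailbox; scripts that only contain fileinto (the spam-management ones mentioned at the end of the thread) stay silent.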

On the server all sieve scripts are…
/* empty script */

…or spam management related