NethServer Version: 7.5.1804 (final)
Module: rspamd
Hello,
very much incoming emails get a high spam score because of this line:
IP_SCORE(4.18)[ip: (8.72), ipnet: 212.87.32.0/19(6.96), asn: 12512(4.35), country: DE(0.87)];
This IP belongs to our ISP, they are receiving our mails as primary MX and send them to us.
What can I do to avoid this?
As all incoming mails are going through their mailserver, I think I can’t just whitelist their IP.
Received: from mavas2.cbxnet.de (mavas2.cbxnet.de [212.87.33.79])
Regards
Uwe
I do not have access to rSpamd test installation and webgui.
There’s a whitelist module available into project… But im’ not sure if it allows a hostname or address to bypass the check.
Some ideas, cons and pro for each one
In fact a mail server is always about reputation and the IP of your isp is compromised because they send or have sent a lot of spams…I have had the same problem with 1&1 some time ago. You cannot do more, even any anti spam on the earth could reject or are rejecting their email.
- Does it is possible to be the first MX to your server, second to your ISP.
- you could disable the IP_SCORE but it for all emails
- you could try to allow mavas2.cbxnet.de in the mail menu/tab filter but not sure it works (normally it check the
From:header
better idea from https://rspamd.com/doc/modules/multimap.html#received-filters
make a file /etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/20Receivers
WHITELIST_RECEIVED_FROM \{
type = "received";
map = [
"\$\{CONFDIR\}/whitelist_received_from.map",
];
prefilter = true;
filter = "from_hostname";
action = "accept";
description = "Accepted list of WHITELIST_RECEIVED_FROM";
symbol = "WHITELIST_RECEIVED_FROM";
\}
- make a file with your hostname whitelist in
/etc/rspamd/whitelist_received_from.map - signal-event nethserver-mail-filter-save
I did not test but if from_hostname does not do the trick you could test with
-
from_ip- IP address as provided by a peer -
real_hostname- hostname as resolved by MTA -
real_ip- IP as resolved by PTR request of MTA -
by_hostname- MTA hostname -
tld:from_hostname- extract eSLD part from peer-provided hostname -
tld:real_hostname- extract eSLD part from MTA-verified hostname
In fact we should use
put in the map : cbxnet.de
eSLD (exact second level domain), here it is cbxnet.de
whatever send by any smtp servers of cbxnet.de (understand *.cbxnet.de) could be whitelisted and accepted without more verification
this should/could be a valid NFR for me
what do you think @davidep
this what I have from outlook.com
Received: from VI1PR03MB4318.eurprd03.prod.outlook.com
...
X-Spamd-Result: default: False [0.00 / 19.90];
ASN(0.00)[asn:8075, ipnet:40.64.0.0/10, country:US];
WHITELIST_RECEIVED_FROM(0.00)[outlook.com]
IIUC you want to whitelist the SMTP server by host name suffix.
I think we can help @hinzberlin to set up a template custom at first so he can validate the setup. I’d wait if others are interested in the same feature. The second step is implementing a prop. Only if it becomes widely adopted add it to the (cockpit) UI
the prop is not needed IMO, if we do not want to create an UI (yet), we could create a map in /var/lib/rspamd, writable by the rspamd UI
1 Like
Nice idea! Is it compatible with our backup/restore procedures?
# cat /etc/backup-data.d/nethserver-mail-filter.include
/var/lib/rspamd
/var/lib/redis/rspamd
it should 
Is it just a matter of touching a file then edit it from rspamd UI?
We can document it…
We could also create a map to whitelist the IP of your isp in IP_score, maybe a better way but you must know all ips.
The pro is that all cheks are made again spam score
Hello Stéphane,
thank you, I will try this " multimap.conf/20Receivers" and will use
filter = “from_hostname”;
I’m afraid I do not understand the rest of your and Davides messages but I think they weren’t for me.
BTW: you’re very active at night!
Regards
Uwe
In that case the hostname used must be exact…do you know all ips used by your isp ?
yes, there are 2 IPs, 2 servers sending email, mavas2 and mavas3.
Other question…can you change the mx and receive first the email, probably the best simple way ?
I could, but the goal is that the ISP does some prefiltering and we are not hammered by illegal SMTP requests. Our Firewall just lets the ISP send us Email.
If we accept all emails from your isp we do not check more the emails…it might be better to
Stop ip_score check
Or whitelist ip of your isp
Or ask them to unblacklist their ip
Where do I “Stop ip_score check” ?
Where do I “Or whitelist ip of my isp”?
Let me check, not in front of my laptop
make a file /etc/rspamd/override.d/ip_score.conf
# cat /etc/rspamd/override.d/ip_score.conf
enabled = false;
restart rspamd : systemctl restart rspamd
quite useless, you cannot figure all IP of your ISP
make a file /etc/rspamd/override.d/ip_score.conf
# cat /etc/rspamd/override.d/ip_score.conf
whitelist = "file:///var/lib/rspamd/IP_whitelisted";
restart rspamd : systemctl restart rspamd
go to rspamd UI and open the relevant map IP_whitelisted
3 Likes