openldap.log

May 12 10:58:28 mx slapd[79706]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 12 10:58:28 mx slapd[79706]: slapd starting
May 12 10:58:30 mx slapd[79706]: conn=1000 fd=8 ACCEPT from PATH=/tmp/tmp.mo1zcywvJn/socket (PATH=/tmp/tmp.mo1zcywvJn/socket)
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND dn="" method=163
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 RESULT tag=97 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1000 op=1 ADD dn="cn=temporary"
May 12 10:58:30 mx slapd[79706]: conn=1000 op=1 RESULT tag=105 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1000 op=2 UNBIND
May 12 10:58:30 mx slapd[79706]: conn=1000 fd=8 closed
May 12 10:58:30 mx slapd[79706]: conn=1001 fd=8 ACCEPT from PATH=/tmp/tmp.mo1zcywvJn/socket (PATH=/tmp/tmp.mo1zcywvJn/socket)
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND dn="" method=163
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SRCH base="cn=schema,cn=config,cn=temporary" scope=2 deref=0 filter="(&(olcObjectClasses=*'pwdpolicy'*)(!(olcObjectClasses=*'pwdpolicy'*'pwdmaxrecordedfailure'*))(!(olcAttributeTypes=*'pwdmaxrecordedfailure'*)))"
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SRCH attr=dn olcObjectClasses
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 12 10:58:31 mx slapd[79706]: conn=1001 op=2 UNBIND
May 12 10:58:31 mx slapd[79706]: conn=1001 fd=8 closed
May 12 10:58:31 mx slapd[79706]: daemon: shutdown requested and initiated.
May 12 10:58:31 mx slapd[79706]: slapd shutdown: waiting for 0 operations/tasks to finish
May 12 10:58:31 mx slapd[79706]: slapd stopped.
May 12 10:58:32 mx slapd[79735]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

On another VM, after running yum update, the situation is the same;
has anyone run into the same situation as me?

I followed https://docs.iredmail.org/backup.restore.html
and restored again; it still cannot start.

Thanks.

CentOS 7: after updating to kernel-3.10.0-862.el7.x86_64, slapd cannot start.
# systemctl status slapd.service -l

● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2018-05-10 19:06:02 CST; 1h 53min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 4007 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 3998 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

 May 10 19:06:02 mail.mydomain.com runuser[4001]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 May 10 19:06:02 mail.mydomain.com runuser[4001]: pam_unix(runuser:session): session closed for user ldap
 May 10 19:06:02 mail.mydomain.com slapd[4007]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $
                                                         mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
 May 10 19:06:02 mail.mydomain.com slapd[4007]: main: TLS init def ctx failed: -1
 May 10 19:06:02 mail.mydomain.com slapd[4007]: slapd stopped.
 May 10 19:06:02 mail.mydomain.com slapd[4007]: connections_destroy: nothing to destroy.
 May 10 19:06:02 mail.mydomain.com systemd[1]: slapd.service: control process exited, code=exited status=1
 May 10 19:06:02 mail.mydomain.com systemd[1]: Failed to start OpenLDAP Server Daemon.
 May 10 19:06:02 mail.mydomain.com systemd[1]: Unit slapd.service entered failed state.
 May 10 19:06:02 mail.mydomain.com systemd[1]: slapd.service failed.

/var/log/openldap.log 

May 10 18:24:09 mail slapd[19840]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 10 18:24:09 mail slapd[19840]: slapd starting
May 10 18:24:11 mail slapd[19840]: conn=1000 fd=8 ACCEPT from PATH=/tmp/tmp.8ODsyGsYuv/socket (PATH=/tmp/tmp.8ODsyGsYuv/socket)
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND dn="" method=163
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 RESULT tag=97 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1000 op=1 ADD dn="cn=temporary"
May 10 18:24:11 mail slapd[19840]: conn=1000 op=1 RESULT tag=105 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1000 op=2 UNBIND
May 10 18:24:11 mail slapd[19840]: conn=1000 fd=8 closed
May 10 18:24:11 mail slapd[19840]: conn=1001 fd=8 ACCEPT from PATH=/tmp/tmp.8ODsyGsYuv/socket (PATH=/tmp/tmp.8ODsyGsYuv/socket)
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND dn="" method=163
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SRCH base="cn=schema,cn=config,cn=temporary" scope=2 deref=0 filter="(&(olcObjectClasses=*'pwdpolicy'*)(!(olcObjectClasses=*'pwdpolicy'*'pwdmaxrecordedfailure'*))(!(olcAttributeTypes=*'pwdmaxrecordedfailure'*)))"
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SRCH attr=dn olcObjectClasses
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1001 op=2 UNBIND
May 10 18:24:11 mail slapd[19840]: conn=1001 fd=8 closed
May 10 18:24:11 mail slapd[19840]: daemon: shutdown requested and initiated.
May 10 18:24:11 mail slapd[19840]: slapd shutdown: waiting for 0 operations/tasks to finish
May 10 18:24:11 mail slapd[19840]: slapd stopped.
May 10 18:24:11 mail slapd[32729]: daemon: shutdown requested and initiated.
May 10 18:24:11 mail slapd[32729]: slapd shutdown: waiting for 0 operations/tasks to finish
May 10 18:24:11 mail slapd[32729]: slapd stopped.

This was with loglevel 2; changing it to loglevel 128 gives the same log content.
Afterwards the following keeps appearing:
May 10 18:24:12 mail slapd[19873]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 10 18:24:12 mail slapd[19873]: main: TLS init def ctx failed: -1
May 10 18:24:12 mail slapd[19873]: slapd stopped.
May 10 18:24:12 mail slapd[19873]: connections_destroy: nothing to destroy.

maillog

May 10 18:25:01 mail postfix/pickup[17470]: C2FB7C0000120: uid=0 from=<Fail2ban_Mail@mydomain.com>
May 10 18:25:01 mail postfix/proxymap[19761]: warning: dict_ldap_connect: Unable to bind to server ldap://127.0.0.1:389 with dn cn=vmail,dc=mydomain,dc=com: -1 (Can't contact LDAP server)
May 10 18:25:01 mail postfix/cleanup[19758]: warning: proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf lookup error for "Fail2ban_Mail@mydomain.com"
May 10 18:25:01 mail postfix/cleanup[19758]: warning: C2FB7C0000120: sender_bcc_maps lookup problem
May 10 18:25:01 mail postfix/pickup[17470]: warning: maildrop/B896CD1C4AC34: error writing C2FB7C0000120: queue file write error

# postqueue -p showed more than 500 mails stuck in the queue; I have deleted them.

/etc/openldap/slapd.conf (20170703) has been changed by me to:

##TLSCACertificateFile /etc/pki/tls/certs/iRedMail.crt
#TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
#TLSCertificateFile /etc/pki/tls/certs/iRedMail.crt
#TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key

TLSCACertificateFile /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
TLSCertificateFile /etc/letsencrypt/live/mail.mydomain.com/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/mail.mydomain.com/privkey.pem

find  /etc/cron.* |xargs grep '/var/spool/amavisd/quarantine'
grep: /etc/cron.d: Is a directory
grep: /etc/cron.daily: Is a directory
grep: /etc/cron.hourly: Is a directory
grep: /etc/cron.monthly: Is a directory
grep: /etc/cron.weekly: Is a directory

# tree /etc/cron.*
/etc/cron.d
├── 0hourly
├── clamav-update
├── raid-check
└── sa-update
/etc/cron.daily
├── 0logwatch
├── logrotate
└── man-db.cron
/etc/cron.deny [error opening dir]
/etc/cron.hourly
├── 0anacron
└── awstats
/etc/cron.monthly
/etc/cron.weekly

0 directories, 9 files

Nothing found.

Thanks
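For the slapd failure in the post above ("main: TLS init def ctx failed: -1" right after slapd.conf was pointed at the Let's Encrypt files), here is an added check script. It is my own example, not part of the post or of iRedMail/OpenLDAP. slapd on CentOS 7 is started as `slapd -u ldap`, so the three files named by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile must be readable by the `ldap` account; /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ are created 0700 root, and the files under live/ are symlinks into archive/. The script resolves the symlinks, checks the search bit on every directory along the path and the read bit on the file for that user, and then loads the cert/key pair the way a TLS server would, which catches a mismatched or unparsable pair. Assumptions: the user name "ldap" and the paths are the ones from the post; only mode bits are examined, not POSIX ACLs or SELinux labels.

```python
"""Added example (mine, not iRedMail's or OpenLDAP's code): checks for the
"main: TLS init def ctx failed: -1" failure when slapd runs as user `ldap`.

Assumptions: user name "ldap" and the Let's Encrypt paths come from the post;
POSIX ACLs and SELinux labels are not examined, only mode bits.
"""
import grp
import os
import pwd
import ssl
import stat
import sys
from typing import List, Set, Tuple


def resolve_user(name: str) -> Tuple[int, Set[int]]:
    """uid plus every gid (primary and supplementary) of a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def _allowed(st: os.stat_result, uid: int, gids: Set[int], bits: Tuple[int, int, int]) -> bool:
    """Classic Unix check: owner bits if we own it, else group bits, else other; root bypasses."""
    owner_bit, group_bit, other_bit = bits
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(path: str, uid: int, gids: Set[int]) -> List[str]:
    """Problems that stop `uid` from opening `path` for reading; [] means readable.
    Symlinks are resolved first (live/*.pem -> ../../archive/), and every
    directory on the way must be searchable by that user."""
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        return [f"{path}: not a regular file (resolves to {real})"]
    problems: List[str] = []
    cur = os.sep
    for part in real.split(os.sep)[1:-1]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if not _allowed(st, uid, gids, SEARCH):
            problems.append(f"{cur}: no search (x) permission for uid {uid} "
                            f"(mode {stat.S_IMODE(st.st_mode):04o}, owner uid {st.st_uid})")
    st = os.stat(real)
    if not _allowed(st, uid, gids, READ):
        problems.append(f"{real}: no read permission for uid {uid} "
                        f"(mode {stat.S_IMODE(st.st_mode):04o}, owner uid {st.st_uid})")
    return problems


def cert_matches_key(cert_file: str, key_file: str) -> Tuple[bool, str]:
    """Load the pair the way a TLS server does; OpenSSL rejects a cert/key mismatch
    or an unparsable PEM, which slapd only reports as the generic -1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_file, key_file)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
    return True, "certificate and key match"


def check_slapd_tls(user: str, ca_file: str, cert_file: str, key_file: str) -> List[str]:
    """Every problem found for the three slapd.conf TLS files; [] means TLS init should pass."""
    uid, gids = resolve_user(user)
    problems: List[str] = []
    for f in (ca_file, cert_file, key_file):
        problems += readable_by(f, uid, gids)
    ok, msg = cert_matches_key(cert_file, key_file)
    if not ok:
        problems.append(f"{cert_file} + {key_file}: {msg}")
    return problems


if __name__ == "__main__":
    live = "/etc/letsencrypt/live/mail.mydomain.com"   # host name from the post; adjust
    found = check_slapd_tls("ldap", f"{live}/fullchain.pem", f"{live}/cert.pem", f"{live}/privkey.pem")
    print("\n".join(found) if found else "OK: user ldap can read all three files and cert/key pair up")
    sys.exit(1 if found else 0)
```

Run it as root on the mail host. If it reports a missing search permission on /etc/letsencrypt/live or /etc/letsencrypt/archive, the usual remedy is not to open those directories up but to copy the three files into a directory slapd can read (for example root:ldap, mode 0640) from a certbot deploy hook and point slapd.conf at that copy.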

1).
logwatch:
       touch /var/spool/amavisd/quarantine; find /var/spool/amavisd/quarantine/ -mtime +15 | xargs rm -rf {}: 1 Time(s)
       touch /var/spool/amavisd/quarantine; find /var/spool/amavisd/quarantine/ -mtime +45 | xargs rm -rf {}: 1 Time(s)

2).
crontab -e -u amavis
#
# File generated by iRedMail (2017.03.28.18.08.17):
#
# Version:  0.9.6
# Project:  http://www.iredmail.org/
#
# Community: http://www.iredmail.org/forum/
#

# Delete virus mails which created 15 days ago.
## Delete virus mails which created 45 days ago.
1   5   *   *   *   touch /var/spool/amavisd/quarantine; find /var/spool/amavisd/quarantine/ -mtime +45 | xargs rm -rf {}


How can it be run only once?

Thanks.
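An added example for the question above about running the quarantine clean-up once by hand. This is my own script, not iRedMail's cron job; it does what the `find ... -mtime +45 | xargs rm -rf {}` line does, but runs dry by default, only ever removes regular files, never follows symlinks, and returns the list of what it removed. Age semantics follow find(1): `days=45` selects files whose mtime is more than 45*24h in the past. Assumptions: QUARANTINE_ROOT is the path from the crontab above; the day count is passed by the caller (the thread uses 15 and 45).

```python
"""Added example (mine, not iRedMail's cron job): a one-off purge of old
quarantine files that runs dry unless --apply is given.

Assumption: QUARANTINE_ROOT is the path used by the amavis crontab above.
"""
import os
import stat
import time
from typing import List, Optional


QUARANTINE_ROOT = "/var/spool/amavisd/quarantine"


def find_expired(root: str, days: int, now: Optional[float] = None) -> List[str]:
    """Regular files below `root` (symlinks not followed) older than `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    expired: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: a symlink is judged by itself, never its target
            if stat.S_ISREG(st.st_mode) and st.st_mtime < cutoff:
                expired.append(path)
    return sorted(expired)


def purge(root: str, days: int, apply: bool = False, now: Optional[float] = None) -> List[str]:
    """Return the files that were (apply=True) or would be (apply=False) deleted."""
    if not os.path.isdir(root):
        raise FileNotFoundError(f"quarantine directory missing: {root}")
    victims = find_expired(root, days, now)
    if apply:
        for path in victims:
            os.remove(path)                # os.remove never removes directories
    return victims


if __name__ == "__main__":
    import sys
    apply = "--apply" in sys.argv
    days = int(next((a for a in sys.argv[1:] if a.isdigit()), "45"))
    for path in purge(QUARANTINE_ROOT, days, apply=apply):
        print(("removed " if apply else "would remove ") + path)
```

Run `python3 purge.py 45` first to see the list, then `python3 purge.py 45 --apply` as the amavis user to delete; nothing is touched without `--apply`.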

This is another mail, scoring 12.985, which iRedAdmin-Pro blocked normally, and a quarantine notification was received.
test4@ received the notification (since bcc is not enabled, admin@ did not receive a notification).

But this one, compared with the previous 5.075 mail, is puzzling! Why isn't it amavisd that acts? (The subject does not contain "***spam***".)

From - Wed Mar 28 17:28:57 2018
X-Account-Key: account127
X-UIDL: 0000325958db0a8f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: <sb+s1065346u6240@n5.nabble.com>
Delivered-To: test4@Mydomain.com
Received: from mail.Mydomain.com (mail.Mydomain.com [127.0.0.1])
    by mail.Mydomain.com (Postfix) with ESMTP id B5B61C0000F4A
    for <test4@Mydomain.com>; Wed, 28 Mar 2018 17:26:05 +0800 (CST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.Mydomain.com B5B61C0000F4A
Authentication-Results: mail.Mydomain.com/B5B61C0000F4A; dmarc=none (p=none dis=none) header.from=n5.nabble.com
Authentication-Results: mail.Mydomain.com; spf=pass  smtp.mailfrom=sb+s1065346u6240@n5.nabble.com
Resent-From: "Content-filter at mail.Mydomain.com" 
    <postmaster@mail.Mydomain.com>
Resent-To: <test4@Mydomain.com>
Resent-Date: Wed, 28 Mar 2018 17:26:05 +0800 (CST)
Resent-Message-ID: <VQczWXQJh2pP- Lpbuugp5LgNg@mail.Mydomain.com>
Received: from unknown ([127.0.0.1])
    by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 9998)
    id Lpbuugp5LgNg for <test4@Mydomain.com>;
    Wed, 28 Mar 2018 17:26:05 +0800 (CST)
Received: from mail.Mydomain.com ([127.0.0.1]) by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQczWXQJh2pP for <test4@Mydomain.com>; Wed, 28 Mar 2018 16:31:16 +0800 (CST)
Authentication-Results: mail.Mydomain.com; spf=pass (sender SPF authorized) smtp.mailfrom=n5.nabble.com (client-ip=162.253.133.81; helo=n5.nabble.com; envelope-from=sb+s1065346u6240@n5.nabble.com;  receiver=test4@Mydomain.com)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.Mydomain.com     8FDC9C0000F4A
Authentication-Results: mail.Mydomain.com/8FDC9C0000F4A; dmarc=none (p=none dis=none) header.from=n5.nabble.com
Authentication-Results: mail.Mydomain.com; spf=pass smtp.mailfrom=sb+s1065346u6240@n5.nabble.com
Received: from n5.nabble.com (n5.nabble.com [162.253.133.81])
    by mail.Mydomain.com (Postfix) with ESMTP id 8FDC9C0000F4A
    for <test4@Mydomain.com>; Wed, 28 Mar 2018 16:31:10 +0800 (CST)
Received: from n5.nabble.com (localhost [127.0.0.1])
    by n5.nabble.com (Postfix) with ESMTP id 66CFB5179D0E
    for <test4@Mydomain.com>; Wed, 28 Mar 2018 01:31:07 -0700 (MST)
Date: Wed, 28 Mar 2018 01:31:07 -0700 (MST)
From: "Rules Report Cron-2 [via SpamAssassin]" <ml+s1065346n150995h8@n5.nabble.com>
To: test4 <test4@Mydomain.com>
Message-ID: <20180328083043.6AA1AA0B17@sa-vm1.apache.org>
Subject: [auto] bad sandbox rules report
MIME-Version: 1.0
Content-Type: multipart/alternative; 

In the admin console the spam score is visible; in the released mail there is no spam score (what is the reason for this?);
so I pulled the data from amavisd.log.

40687:Mar 28 16:31:16 mail.Mydomain.com /usr/sbin/amavisd[6344]: (06344-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20180328T163116-06344-yr6uZ0Lb: <sb+s1065346u6240@n5.nabble.com> -> <test4@Mydomain.com> SIZE=471554 Received: from mail.Mydomain.com ([127.0.0.1]) by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <test4@Mydomain.com>; Wed, 28 Mar 2018 16:31:16 +0800 (CST)

40688:Mar 28 16:31:16 mail.Mydomain.com /usr/sbin/amavisd[6344]: (06344-01) Checking: VQczWXQJh2pP [162.253.133.81] <sb+s1065346u6240@n5.nabble.com> -> <test4@Mydomain.com>

40689:Mar 28 16:31:48 mail.Mydomain.com /usr/sbin/amavisd[6344]: (06344-01) delivering to sql:, SEND via SQL (DBI:mysql:database=amavisd;host=127.0.0.1;port=3306): <sb+s1065346u6240@n5.nabble.com> -> <test4@Mydomain.com>, mail_id VQczWXQJh2pP

40690:Mar 28 16:31:48 mail.Mydomain.com /usr/sbin/amavisd[6344]: (06344-01) Blocked SPAM {DiscardedInbound,Quarantined}, [162.253.133.81]:62508 [162.253.133.81] ESMTP/ESMTP <sb+s1065346u6240@n5.nabble.com> -> <test4@Mydomain.com>, (ESMTP://[162.253.133.81]:62508), quarantine: VQczWXQJh2pP, Queue-ID: 8FDC9C0000F4A, Message-ID: <20180328083043.6AA1AA0B17@sa-vm1.apache.org>, mail_id: VQczWXQJh2pP, b: JkMRCJE3R, Hits: 12.984, size: 471493, Subject: "[auto] bad sandbox rules report", From: <ml+s1065346n150995h8@n5.nabble.com>, helo=n5.nabble.com, Tests: [AD_PREFS=0.28,HTML_MESSAGE=0.001,KAM_LOTTO1=0.5,KAM_SEX=7,KAM_VIAGRA6=3.1,LOTS_OF_MONEY=0.001,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_SENDERSCORE_90_100=-1.2,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,THIS_AD=1.199,UPPERCASE_50_75=0.791,URIBL_BLOCKED=0.001,URI_HEX=1.313], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=12.985, relaycountry=US_**, rss=281140, 31909 ms

40691:Mar 28 16:31:48 mail.Mydomain.com /usr/sbin/amavisd[6344]: (06344-01) Blocked SPAM, <sb+s1065346u6240@n5.nabble.com> -> , Hits: 12.984, tag=-999, tag2=5, kill=6.9, L/Y/Y/Y

Is it that above 6.2 iRedAdmin-Pro takes priority, and between 5.0 and 6.2 amavisd takes priority?

Moderator, I seem to be writing a detective novel, but the result still seems to be lost in the jungle!!!!

I would like to delete this topic; it really wastes the moderator's and everyone's time.
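The question asked above, whether amavisd's 5.0 or iRedAdmin-Pro's 6 applies, comes down to how amavisd-new fills in the per-recipient policy. Here is an added model of that decision; it is my own illustration, not amavisd-new's or iRedAdmin-Pro's code. What it models: amavisd looks each recipient up in its `policy` table, and every column that is NULL falls back to the amavisd.conf default for that column only, so a domain policy whose spam_tag2_level is NULL gets $sa_tag2_level_deflt (5.0 in this thread) regardless of iRedAdmin-Pro's own DEFAULT_SPAM_TAG2_LEVEL. A score at or above the kill level gives "Blocked SPAM" (quarantined) unless the recipient's policy has spam_lover = 'Y', in which case amavisd logs "Passed SPAM" but still tags; between tag2 and kill it is "Passed SPAMMY" with X-Spam-Flag: YES and the recipient's subject tag (spam_subject_tag2); between tag and tag2 the mail is delivered with only X-Spam-Score/Status headers. All of this is evaluated per recipient, which is why one message can carry different subject tags for different recipients. Assumptions: the defaults are the values the thread's amavisd.log prints (tag=-999, tag2=5, kill=6.9); the lookup is simplified to "exact address, then @domain" (real amavisd also has catch-all rows and priorities); the policies in the demo are constructed to match the thread rather than read from the database.

```python
"""Added example (my own illustration, not amavisd-new's or iRedAdmin-Pro's
code): which spam thresholds apply to a recipient, and what happens at each.

Assumptions: defaults as logged in this thread (tag=-999, tag2=5, kill=6.9);
simplified "exact address, then @domain" lookup; constructed demo policies.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SpamPolicy:
    """The amavisd `policy` columns used here; None stands for SQL NULL."""
    spam_tag_level: Optional[float] = None
    spam_tag2_level: Optional[float] = None
    spam_kill_level: Optional[float] = None
    spam_subject_tag2: Optional[str] = None
    spam_lover: bool = False              # 'Y' in SQL: deliver even above kill level


# amavisd.conf defaults as logged in this thread: "tag=-999, tag2=5, kill=6.9"
DEFAULT_TAG_LEVEL = -999.0                # $sa_tag_level_deflt
DEFAULT_TAG2_LEVEL = 5.0                  # $sa_tag2_level_deflt (the poster lowered it from 6.2)
DEFAULT_KILL_LEVEL = 6.9                  # $sa_kill_level_deflt
DEFAULT_SUBJECT_TAG2 = "***Spam*** "      # $sa_spam_subject_tag


def lookup_policy(recipient: str, policies: Dict[str, SpamPolicy]) -> Optional[SpamPolicy]:
    """Simplified lookup: exact address first, then '@domain'; outsiders get None."""
    if recipient in policies:
        return policies[recipient]
    return policies.get("@" + recipient.rsplit("@", 1)[-1])


def effective_levels(policy: Optional[SpamPolicy]) -> Dict[str, object]:
    """Replace each NULL column with the amavisd.conf default, column by column."""
    p = policy or SpamPolicy()

    def pick(value, default):
        return default if value is None else value

    return {
        "tag": pick(p.spam_tag_level, DEFAULT_TAG_LEVEL),
        "tag2": pick(p.spam_tag2_level, DEFAULT_TAG2_LEVEL),
        "kill": pick(p.spam_kill_level, DEFAULT_KILL_LEVEL),
        "subject_tag2": pick(p.spam_subject_tag2, DEFAULT_SUBJECT_TAG2),
        "spam_lover": p.spam_lover,
    }


def classify(score: float, subject: str, recipient: str,
             policies: Dict[str, SpamPolicy]) -> Dict[str, object]:
    """Verdict, added headers and rewritten subject for one recipient."""
    lv = effective_levels(lookup_policy(recipient, policies))
    headers: Dict[str, str] = {}
    out: Dict[str, object] = {"recipient": recipient, "levels": lv,
                              "headers": headers, "subject": subject}
    if score >= lv["kill"] and not lv["spam_lover"]:
        out["verdict"] = "Blocked SPAM"   # quarantined / discarded for this recipient
        return out
    if score >= lv["tag"]:
        is_spam = score >= lv["tag2"]
        headers["X-Spam-Score"] = f"{score:g}"
        headers["X-Spam-Level"] = "*" * max(0, int(score))
        headers["X-Spam-Status"] = (f"{'Yes' if is_spam else 'No'}, score={score:g} "
                                    f"tagged_above={lv['tag']:g} required={lv['tag2']:g}")
        if is_spam:
            headers["X-Spam-Flag"] = "YES"
            out["subject"] = lv["subject_tag2"] + subject
    if score >= lv["kill"]:
        out["verdict"] = "Passed SPAM"      # spam_lover: delivered although above kill
    elif score >= lv["tag2"]:
        out["verdict"] = "Passed SPAMMY"
    else:
        out["verdict"] = "Passed CLEAN"
    return out


def classify_message(score: float, subject: str, recipients: List[str],
                     policies: Dict[str, SpamPolicy]) -> Dict[str, Dict[str, object]]:
    """amavisd evaluates the policy once per recipient of the same message."""
    return {r: classify(score, subject, r, policies) for r in recipients}


if __name__ == "__main__":
    tag = "[ iRedAdmin,垃圾郵件 ** IS Spam ? ** ]"   # AMAVISD_SPAM_SUBJECT_PREFIX from the thread
    policies = {
        "@Mydomain.com": SpamPolicy(spam_subject_tag2=tag),          # levels NULL -> amavisd.conf
        "admin@Mydomain.com": SpamPolicy(spam_subject_tag2=tag, spam_lover=True),
    }
    for score, subj, rcpts in [(5.075, "Pending", ["spam@Mydomain.com"]),
                               (12.984, "[auto] bad sandbox rules report", ["test4@Mydomain.com"]),
                               (6.042, "Q", ["bbbbb@gmail.com", "admin@Mydomain.com"])]:
        for r, res in classify_message(score, subj, rcpts, policies).items():
            print(f"{score:>7} -> {r:<22} {res['verdict']:<14} subject={res['subject']!r}")
```

With the thread's values this reproduces the observations: the 5.075 mail is tagged because the domain policy's spam_tag2_level is NULL and amavisd.conf's 5.0 fills it in; set that column to 6 and the same mail is delivered untagged, which is the "priority" the post is asking about. The 12.984 mail is above kill=6.9 and is quarantined, and the "Q" mail gets "***Spam*** " for outside recipients but the domain's own tag for admin@.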

This is a mail to a nonexistent account; because the catch-all function is enabled,
it was delivered to the spam@Mydomain.com account I configured for that.
But the subject still shows ***spam***.
Looking at its score, it is 5.075; in amavisd I set 5.0, while iRedAdmin-Pro uses the default 6.0,
so this should be caused by amavisd's action.

 
From - Wed Mar 28 08:02:00 2018
X-Account-Key: account71
X-UIDL: 0000008758db0a80
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: <bounces13@thecentsiblelife.com>
Delivered-To: spam@Mydomain.com
Received: from mail.Mydomain.com (mail.Mydomain.com [127.0.0.1])
    by mail.Mydomain.com (Postfix) with ESMTP id A529CC0000F46
    for <spam@Mydomain.com>; Wed, 28 Mar 2018 04:20:55 +0800 (CST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.Mydomain.com A529CC0000F46
Authentication-Results: mail.Mydomain.com/A529CC0000F46; dmarc=none (p=none dis=none) header.from=thecentsiblelife.com
Authentication-Results: mail.Mydomain.com; spf=pass smtp.mailfrom=bounces13@thecentsiblelife.com
X-Virus-Scanned: By Mydomain MailServer
X-Spam-Flag: YES
X-Spam-Score: 5.075
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.075 tagged_above=-999 required=5
    tests=[HTML_MESSAGE=0.001, KAM_LAZY_DOMAIN_SECURITY=1,
    RCVD_IN_SENDERSCORE_0_29=2.8, RDNS_NONE=1.274]
    autolearn=no autolearn_force=no
Received: from mail.Mydomain.com ([127.0.0.1])
    by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id W5ZYRu4xm6V2 for <spam@Mydomain.com>;
    Wed, 28 Mar 2018 04:20:53 +0800 (CST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.Mydomain.com 4B0B0C0000F45
Received: from filter1.selecthosting.com (unknown [185.224.76.28])
    by mail.Mydomain.com (Postfix) with SMTP id 4B0B0C0000F45
    for <onestone@Mydomain.com>; Wed, 28 Mar 2018 04:20:43 +0800 (CST)
Received: from filter1.selecthosting.com ([127.0.0.1]) by filter1.selecthosting.com ([127.0.0.1]) with SMTPSVC;
     Tue, 27 Mar 2018 22:22:07 +0200
Message-ID: <b9aa875ceb93729b8f10ee0039956865@thecentsiblelife.com>
Reply-To: <reg@world-business-list.org>
From: "World Business Registry" <general.business@thecentsiblelife.com>
To: <onestone@Mydomain.com>
Subject: ***Spam*** Pending - World Business Registration 2018-2019
    [REF:PDI-13698]
Date: Tue, 27 Mar 2018 22:22:07 +0200

rain6966 wrote:

Question for the moderator:
1). Why are the spam messages different? Is it correct that the iRedAdmin-Pro settings should take precedence, and how do I fix this?

2). But I actually have "quarantine notification" set up, configured as follows:
Why was this function not triggered? Or does this function only apply to incoming mail and not to internal accounts?

iRedMail amavisd:
The default is 6.2, as shown below; when I changed it to 5.0,
#$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_tag2_level_deflt = 5.0;

In iRedAdmin-Pro:
/var/www/iredadmin/libs/amavisd/spampolicy.py
DEFAULT_SPAM_TAG_LEVEL = 2
DEFAULT_SPAM_TAG2_LEVEL = 6

Moderator, will iRedAdmin-Pro take action?
Does amavisd's new value of 5.0 take priority, or iRedAdmin-Pro's 6?

Should amavisd's default be set higher on a new installation, e.g. 10,
to avoid cases where the iRedAdmin-Pro console setting is higher than amavisd's 6.2,
or cases like mine where I carelessly lowered amavisd's default and caused iRedAdmin-Pro to behave abnormally?

PS:
On the English forum someone asked "Set spam deliver vs. bounce threshold?"
These are the values on my side, which differ from the moderator's values; does this have an effect?

(iRedAdmin-Pro-LDAP-3.0)

        # Update spam policy
        updates = {}
        updates['spam_lover'] = 'Y'
        updates['bypass_spam_checks'] = 'N'
        updates['virus_lover'] = 'N'
        updates['bypass_virus_checks'] = 'N'
        updates['banned_files_lover'] = 'Y'
        updates['bypass_banned_checks'] = 'N'
        updates['bad_header_lover'] = 'Y'
        updates['bypass_header_checks'] = 'N'

        if 'enable_spam_checks' not in form:
            updates['bypass_spam_checks'] = 'Y'

        if 'enable_virus_checks' not in form:
            updates['bypass_virus_checks'] = 'Y'

        if 'enable_banned_checks' not in form:
            updates['bypass_banned_checks'] = 'Y'

        if 'enable_header_checks' not in form:
            updates['bypass_header_checks'] = 'Y'

Someone on the English forum asked about "Fake Emails"; the linked test site is https://emkei.cz/

My tests here are as follows:

1). Sent to an account with bcc enabled (test@): it did not receive the mail, but admin received the mail sent from emkei.cz; however the subject was *** Spam ***, not the "**iRedAdmin,垃圾郵件 ** IS Spam ? **" subject I configured.
After some time, the "quarantine notification" sent from spam@ was received.

amavisd.log:

Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) Blocked SPAM {DiscardedInbound,Quarantined}, [46.167.245.205]:35108 [46.167.245.205] ESMTP/ESMTP<aaa@gmail.com> -> <test@Mydomain.com>,(ESMTPS://[46.167.245.205]:35108), quarantine: sM7yzJVDZ9iA, Queue-ID: 5AAE7C0000121,Message-ID:<20180314053900.6FFCCD5A86@emkei.cz>, mail_id:sM7yzJVDZ9iA, b: aLMp2piT4,Hits:10.12, size: 1082, Subject: "test fake", From:<aaa@gmail.com>, helo=emkei.cz, Tests:[DKIM_ADSP_CUSTOM_MED=0.001,FREEMAIL_FROM=0.001,FROMNAME_SPOOF=1,FROMNAME_SPOOF_FREEMAIL=2,F_DM=5,NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no, autolearn=no autolearn_force=no,autolearnscore=10.12,relaycountry=CZ, rss=244744, 2660 ms
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) Blocked SPAM,<aaa@gmail.com> -> , Hits: 10.12, tag=-999, tag2=5, kill=6.9, L/Y/Y/Y
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Be-WdexruIYN FWD from <aaa@gmail.com> -> <admin@Mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9E7EBC000013E
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Passed SPAM {RelayedTaggedInbound}, [46.167.245.205]:35108 [46.167.245.205] ESMTP/ESMTP <aaa@gmail.com> -> <admin@Mydomain.com>, (ESMTPS://[46.167.245.205]:35108), Queue-ID: 5AAE7C0000121, Message-ID: <20180314053900.6FFCCD5A86@emkei.cz>, mail_id: Be-WdexruIYN, b: aLMp2piT4, Hits: 10.12, size: 1082, queued_as: 9E7EBC000013E, Subject: "test fake", From: <aaa@gmail.com>, helo=emkei.cz, Tests:[DKIM_ADSP_CUSTOM_MED=0.001,FREEMAIL_FROM=0.001,FROMNAME_SPOOF=1,FROMNAME_SPOOF_FREEMAIL=2,F_DM=5,NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=10.12, relaycountry=CZ, rss=241548, 2702 ms
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Passed SPAM,<aaa@gmail.com> -> <admin@Mydomain.com>, Hits: 10.12, tag=-999, tag2=5, kill=6.9, queued_as: 9E7EBC000013E, L/Y/Y/Y 

2). Account without bcc enabled (test4@): the mail was blocked and quarantined; after some time, the quarantine notification sent from spam@ was received.

amavisd.log:

Mar 14 14:05:56 mail.main.com /usr/sbin/amavisd[9684]: (09684-02) Blocked SPAM {DiscardedInbound,Quarantined}, [46.167.245.205]:53282 [46.167.245.205] ESMTP/ESMTP <a@gmail.com> -> <test4@Mydomain.com>, (ESMTPS://[46.167.245.205]:53282), quarantine: ZfKqLkP1OisB, Queue-ID: C6ECDC0000121, Message-ID: <20180314060527.B457BD589C@emkei.cz>, mail_id: ZfKqLkP1OisB, b: FU34Nu1Ga, Hits: 11.357, size: 1090, Subject: "test fake 2", From: <a@gmail.com>, helo=emkei.cz, Tests:[DKIM_ADSP_CUSTOM_MED=0.001,FREEMAIL_FROM=0.001,F_DM=5,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.635,KAM_NUMSUBJECT=0.5,MIME_HEADER_CTYPE_ONLY=1.996,MIME_HTML_ONLY=1.105,NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=11.357, relaycountry=CZ, rss=244100, 1494 ms
Mar 14 14:05:56 mail.Mydomain.com /usr/sbin/amavisd[9684]: (09684-02) Blocked SPAM, <a@gmail.com> -> , Hits: 11.357, tag=-999, tag2=5, kill=6.9, L/Y/Y/Y

3). In spamassassin I have separately added some other rules, but there are still some things I don't understand:

a). Without adding some rules to spamassassin myself, the test site above probably could not be blocked.

These are the headers of the mail admin@ received with the subject "***Spam***":

X-Spam-Flag: YES
X-Spam-Score: 10.12
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.12 tagged_above=-999 required=5
    tests=[DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001,
    FROMNAME_SPOOF=1, FROMNAME_SPOOF_FREEMAIL=2, F_DM=5,
    NML_ADSP_CUSTOM_MED=1.2, SPF_FAIL=0.919, SPF_HELO_PASS=-0.001]
    autolearn=no autolearn_force=no 

b). In 2) above, because I have "quarantine notification" enabled, test4@ received it, so iRedAdmin-Pro is working normally;
     but in test 1), test@ (with bcc enabled) did not receive the "quarantine notification", while admin@ received amavisd's spam message.

     The "quarantine notification" sent from spam@ was only received after some time; on 3/4 (at the time of the first post) no notification was received.

c). On a normal iRedMail, does manually adding rules to spamassassin affect its operation?
     In the previous post, everything concerned test@ (bcc enabled); " *** Spam *** " was found to be the setting in amavisd.conf.

ZhangHuangbin wrote:

So you may need to re-save the Global Spam Policy page (submitting without making any changes should be enough; or, to be on the safe side, delete it first and then set it up again).

1). Re-set the Global Spam Policy: all 4 items set to detect and quarantine.
Then re-sent the mail, with subject Q;
Result: apart from spam@, which did not receive a message, the other 3 (admin@, aaaaa@outlook.com, bbbbb@gmail.com) all received mail with the subject ***Spam*** R.
admin@ did not get the **iRedAdmin,垃圾郵件 ** IS Spam ? ** one.

2). Looking at the amavisd database with phpMyAdmin, for @Mydomain.com the policy table's spam_subject_tag, tag1 and tag2 are all NULL;
originally the 3 columns were: NULL, [**iRedAdmin,垃圾郵件 ** IS Spam ? **], [**iRedAdmin,垃圾郵件 ** IS Spam ? **]

3). The "quarantine notification" function has been enabled for some time.

From a phone on an external network, using the in-domain account test@Mydomain.com, sent to aaaaa@outlook.com and bbbbb@gmail.com
Attachment: an Excel file
Subject: Q

Console settings for test@Mydomain:
Spam Policy: set to detect, but not quarantine
bcc to admin@Mydomain.com enabled

amavisd.conf:
spam_admin_maps  => ["spam\@Mydomain\.com"],
virus_admin_maps => ["spam\@Mydomain\.com"],

/var/www/iredadmin/settings.py:
AMAVISD_SPAM_SUBJECT_PREFIX = '[ iRedAdmin,垃圾郵件 ** IS Spam ? ** ]'

/etc/mail/spamassassin/local.cf
rewrite_header      subject [ SPAM ]


1). Subjects received
a). aaaaa@outlook.com and bbbbb@gmail.com
Subject: ***Spam*** Q
b). admin@Mydomain.com
Subject: [ iRedAdmin,垃圾郵件 ** IS Spam ? ** ]Q
c). spam@Mydomain.com
Subject: Spam FROM LOCAL [219.xx.yy.zz]:28203 <test@Mydomain.com>


2). Logs and the contents received by spam@Mydomain.com and admin@Mydomain.com
a). maillog

Mar  4 09:07:18 mail postfix/submission/smtpd[13963]: connect from 219-xx-yy-zz.static.tfn.net.tw[219.xx.yy.zz]
Mar  4 09:07:18 mail postfix/submission/smtpd[13963]: Anonymous TLS connection established from 219-xx-yy-zz.static.tfn.net.tw[219.xx.yy.zz]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  4 09:07:18 mail postfix/submission/smtpd[13963]: F2F3BC00048B6: client=219-xx-yy-zz.static.tfn.net.tw[219.xx.yy.zz], sasl_method=PLAIN, sasl_username=test@Mydomain.com
Mar  4 09:07:19 mail postfix/cleanup[13934]: F2F3BC00048B6: message-id=<6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
Mar  4 09:07:19 mail postfix/qmgr[22554]: F2F3BC00048B6: from=<test@Mydomain.com>, size=48800, nrcpt=3 (queue active)
Mar  4 09:07:20 mail postfix/10025/smtpd[13938]: connect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail opendmarc[31754]: ignoring connection from mail.Mydomain.com
Mar  4 09:07:20 mail postfix/10025/smtpd[13938]: 4D3A4C00048B9: client=mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/cleanup[13934]: 4D3A4C00048B9: message-id=<6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: connect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail opendmarc[31754]: ignoring connection from mail.Mydomain.com
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: 5138FC00048BA: client=mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/cleanup[13983]: 5138FC00048BA: message-id=<6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
Mar  4 09:07:20 mail postfix/10025/smtpd[13986]: connect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail opendmarc[31754]: ignoring connection from mail.Mydomain.com
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: disconnect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/10025/smtpd[13938]: disconnect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/qmgr[22554]: 4D3A4C00048B9: from=<test@Mydomain.com>, size=49619, nrcpt=1 (queue active)
Mar  4 09:07:20 mail postfix/10025/smtpd[13986]: 66CC8C00048BB: client=mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/smtp-amavis/smtp[13935]: F2F3BC00048B6: to=<bbbbb@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.5, delays=0.61/0/0/0.86, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5138FC00048BA)
Mar  4 09:07:20 mail postfix/qmgr[22554]: 5138FC00048BA: from=<test@Mydomain.com>, size=49621, nrcpt=1 (queue active)
Mar  4 09:07:20 mail postfix/cleanup[13983]: 66CC8C00048BB: message-id=<SAGhR7i8TFJMkN@mail.Mydomain.com>
Mar  4 09:07:20 mail postfix/smtp-amavis/smtp[13969]: F2F3BC00048B6: to=<aaaaa@outlook.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.5, delays=0.61/0.01/0/0.88, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D3A4C00048B9)
Mar  4 09:07:20 mail postfix/qmgr[22554]: 66CC8C00048BB: from=<postmaster@mail.Mydomain.com>, size=3358, nrcpt=1 (queue active)
Mar  4 09:07:20 mail postfix/10025/smtpd[13986]: disconnect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: connect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail opendmarc[31754]: ignoring connection from mail.Mydomain.com
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: 7435CC00048BD: client=mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/cleanup[13988]: 7435CC00048BD: message-id=<6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
Mar  4 09:07:20 mail postfix/10025/smtpd[13981]: disconnect from mail.Mydomain.com[127.0.0.1]
Mar  4 09:07:20 mail postfix/qmgr[22554]: 7435CC00048BD: from=<test@Mydomain.com>, size=49700, nrcpt=1 (queue active)
Mar  4 09:07:20 mail postfix/smtp-amavis/smtp[13970]: F2F3BC00048B6: to=<admin@Mydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.6, delays=0.61/0.01/0/0.95, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7435CC00048BD)
Mar  4 09:07:20 mail postfix/qmgr[22554]: F2F3BC00048B6: removed
Mar  4 09:07:20 mail postfix/pipe[13941]: 66CC8C00048BB: to=<spam@Mydomain.com>, relay=dovecot, delay=0.23, delays=0.1/0/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar  4 09:07:20 mail postfix/qmgr[22554]: 66CC8C00048BB: removed
Mar  4 09:07:20 mail postfix/pipe[13993]: 7435CC00048BD: to=<admin@Mydomain.com>, relay=dovecot, delay=0.19, delays=0.02/0.01/0/0.16, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar  4 09:07:20 mail postfix/qmgr[22554]: 7435CC00048BD: removed
Mar  4 09:07:21 mail postfix/smtp[13990]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  4 09:07:22 mail postfix/smtp[13989]: Untrusted TLS connection established to outlook-com.olc.protection.outlook.com[104.47.9.33]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar  4 09:07:23 mail postfix/smtp[13990]: 5138FC00048BA: to=<bbbbb@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.9, delays=0.1/0.01/1.4/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1520125643 u21si7596563pfl.176 - gsmtp)
Mar  4 09:07:23 mail postfix/qmgr[22554]: 5138FC00048BA: removed
Mar  4 09:07:23 mail postfix/smtp[13989]: 4D3A4C00048B9: to=<aaaaa@outlook.com>, relay=outlook-com.olc.protection.outlook.com[104.47.9.33]:25, delay=3.4, delays=0.11/0.01/2/1.3, dsn=2.6.0, status=sent (250 2.6.0 <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com> [InternalId=5012226843504, Hostname=VE1EUR03HT003.eop-EUR03.prod.protection.outlook.com] 55541 bytes in 0.248, 218.630 KB/sec Queued mail for delivery)
Mar  4 09:07:23 mail postfix/qmgr[22554]: 4D3A4C00048B9: removed
Mar  4 09:07:28 mail postfix/verify[13933]: cache btree:/var/lib/postfix/verify_cache full cleanup: retained=5 dropped=1 entries
Mar  4 09:07:29 mail postfix/postscreen[13927]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=16 dropped=0 entries
Mar  4 09:11:39 mail postfix/submission/smtpd[13963]: disconnect from 219-xx-yy-zz.static.tfn.net.tw[219.xx.yy.zz]

b). amavisd.log

Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) ESMTP [127.0.0.1]:10026 /var/spool/amavisd/tmp/amavis-20180304T063245-08498-3hGpzMsk: <test@Mydomain.com> -> <bbbbb@gmail.com> Received: from mail.Mydomain.com ([127.0.0.1]) by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <bbbbb@gmail.com>; Sun,  4 Mar 2018 09:07:19 +0800 (CST)
Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) ESMTP [127.0.0.1]:10026 /var/spool/amavisd/tmp/amavis-20180304T060040-08495-ZtCpIF7D: <test@Mydomain.com> -> <admin@Mydomain.com> Received: from mail.Mydomain.com ([127.0.0.1]) by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <admin@Mydomain.com>; Sun,  4 Mar 2018 09:07:19 +0800 (CST)
Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) ESMTP [127.0.0.1]:10026 /var/spool/amavisd/tmp/amavis-20180304T090719-08531-_swyPbyz: <test@Mydomain.com> -> <aaaaa@outlook.com> Received: from mail.Mydomain.com ([127.0.0.1]) by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <aaaaa@outlook.com>; Sun,  4 Mar 2018 09:07:19 +0800 (CST)
Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) Checking: x6WNkemiNXnj ORIGINATING [219.xx.yy.zz] <test@Mydomain.com> -> <bbbbb@gmail.com>
Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) Checking: azhkBl5BcCVN ORIGINATING [219.xx.yy.zz] <test@Mydomain.com> -> <aaaaa@outlook.com>
Mar  4 09:07:19 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) Checking: GhR7i8TFJMkN ORIGINATING [219.xx.yy.zz] <test@Mydomain.com> -> <admin@Mydomain.com>
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) x6WNkemiNXnj FWD from <test@Mydomain.com> -> <bbbbb@gmail.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5138FC00048BA
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) Passed SPAMMY {RelayedTaggedInternal}, ORIGINATING LOCAL [219.xx.yy.zz]:28203 [219.xx.yy.zz] ESMTP/ESMTP <test@Mydomain.com> -> <bbbbb@gmail.com>, (ESMTPSA://[219.xx.yy.zz]:28203), Queue-ID: F2F3BC00048B6, Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>, mail_id: x6WNkemiNXnj, b: NZ8hAuUhw, Hits: 6.042, size: 48761, queued_as: 5138FC00048BA, Subject: "Q", From: <test@Mydomain.com>, helo=[192.168.66.111], Tests: [ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,DKIM_ADSP_MY1=1,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=1.105,TVD_SPACE_RATIO=0.001,TVD_SPACE_RATIO_MINFP=2.5], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=7.042, rss=247396, 813 ms
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) Passed SPAMMY, <test@Mydomain.com> -> <bbbbb@gmail.com>, Hits: 6.042, tag=-999, tag2=5, kill=6.9, queued_as: 5138FC00048BA, L/Y/Y/0
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) azhkBl5BcCVN FWD from <test@Mydomain.com> -> <aaaaa@outlook.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D3A4C00048B9
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8498]: (08498-02) extra modules loaded: unicore/To/Cf.pl, unicore/lib/Gc/Nd.pl
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) Passed SPAMMY {RelayedTaggedInternal}, ORIGINATING LOCAL [219.xx.yy.zz]:28203 [219.xx.yy.zz] ESMTP/ESMTP <test@Mydomain.com> -> <aaaaa@outlook.com>, (ESMTPSA://[219.xx.yy.zz]:28203), Queue-ID: F2F3BC00048B6, Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>, mail_id: azhkBl5BcCVN, b: NZ8hAuUhw, Hits: 6.042, size: 48761, queued_as: 4D3A4C00048B9, Subject: "Q", From: <test@Mydomain.com>, helo=[192.168.66.111], Tests: [ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,DKIM_ADSP_MY1=1,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=1.105,TVD_SPACE_RATIO=0.001,TVD_SPACE_RATIO_MINFP=2.5], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=7.042, rss=246060, 858 ms
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) Passed SPAMMY, <test@Mydomain.com> -> <aaaaa@outlook.com>, Hits: 6.042, tag=-999, tag2=5, kill=6.9, queued_as: 4D3A4C00048B9, L/Y/Y/0
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8531]: (08531-01) extra modules loaded: unicore/To/Cf.pl, unicore/lib/Gc/Nd.pl
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) YXIBTlytbV0v(GhR7i8TFJMkN) SEND from <postmaster@mail.Mydomain.com> -> <spam@Mydomain.com>, ENVID=AM.YXIBTlytbV0v.20180304T010720Z@mail.Mydomain.com 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 66CC8C00048BB
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) GhR7i8TFJMkN FWD from <test@Mydomain.com> -> <admin@Mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7435CC00048BD
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) Passed SPAM {RelayedTaggedInternal}, ORIGINATING LOCAL [219.xx.yy.zz]:28203 [219.xx.yy.zz] ESMTP/ESMTP <test@Mydomain.com> -> <admin@Mydomain.com>, (ESMTPSA://[219.xx.yy.zz]:28203), Queue-ID: F2F3BC00048B6, Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>, mail_id: GhR7i8TFJMkN, b: NZ8hAuUhw, Hits: 6.042, size: 48761, queued_as: 7435CC00048BD, Subject: "Q", From: <test@Mydomain.com>, helo=[192.168.66.111], Tests: [ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,DKIM_ADSP_MY1=1,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=1.105,TVD_SPACE_RATIO=0.001,TVD_SPACE_RATIO_MINFP=2.5], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=7.042, rss=246272, 925 ms
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) Passed SPAM, <test@Mydomain.com> -> <admin@Mydomain.com>, Hits: 6.042, tag=-999, tag2=5, kill=5, queued_as: 7435CC00048BD, L/Y/Y/Y
Mar  4 09:07:20 mail.Mydomain.com /usr/sbin/amavisd[8495]: (08495-02) extra modules loaded: unicore/To/Cf.pl, unicore/lib/Gc/Nd.pl

c). Content of the mail received at spam@Mydomain.com:

Content type: Spam
Internal reference code for the message is 08495-02/GhR7i8TFJMkN

First upstream SMTP client IP address: [219.xx.yy.zz]:28203
  219-xx-yy-zz.static.tfn.net.tw

Received trace: ESMTPSA://[219.xx.yy.zz]:28203

Return-Path: <test@Mydomain.com>
From: test <test@Mydomain.com>
Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
Subject: Q
Not quarantined.

The message WILL BE relayed to:
<admin@Mydomain.com>

Spam scanner report:
Spam detection software, running on the system "mail.Mydomain.com",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  發自我的小米手機 [...] 

Content analysis details:   (6.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
                            and suggests discarding the rest
 1.0 DKIM_ADSP_MY1          No description available.
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 TVD_SPACE_RATIO        No description available.
 2.5 TVD_SPACE_RATIO_MINFP  Space ratio


header.hdr

Return-Path: <test@Mydomain.com>
Received: from [192.168.66.111] (219-xx-yy-zz.static.tfn.net.tw [219.xx.yy.zz])
    by mail.Mydomain.com (Postfix) with ESMTPSA id F2F3BC00048B6;
    Sun,  4 Mar 2018 09:07:18 +0800 (CST)
Date: Sun, 04 Mar 2018 09:07:16 +0800
Subject: Q
Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
From: test <test@Mydomain.com>
To: "aaaaa" <aaaaa@outlook.com>
Cc: bbbbb@gmail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--_com.android.email_531982708327960"

d). Headers of the mail received at admin@Mydomain.com

From - Mon Mar  5 07:56:48 2018
X-Account-Key: account125
X-UIDL: 0000024958db0a80
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: <test@Mydomain.com>
Delivered-To: admin@Mydomain.com
Received: from mail.Mydomain.com (mail.Mydomain.com [127.0.0.1])
    by mail.Mydomain.com (Postfix) with ESMTP id 7435CC00048BD
    for <admin@Mydomain.com>; Sun,  4 Mar 2018 09:07:20 +0800 (CST)
X-Virus-Scanned: By Mydomain MailServer
X-Spam-Flag: YES
X-Spam-Score: 6.042
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.042 tagged_above=-999 required=5
    tests=[ALL_TRUSTED=-1, DKIM_ADSP_DISCARD=1.8, DKIM_ADSP_MY1=1,
    HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105,
    TVD_SPACE_RATIO=0.001, TVD_SPACE_RATIO_MINFP=2.5]
    autolearn=no autolearn_force=no
Received: from mail.Mydomain.com ([127.0.0.1])
    by mail.Mydomain.com (mail.Mydomain.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id GhR7i8TFJMkN for <admin@Mydomain.com>;
    Sun,  4 Mar 2018 09:07:19 +0800 (CST)
Received: from [192.168.66.111] (219-xx-yy-zz.static.tfn.net.tw [219.xx.yy.zz])
    by mail.Mydomain.com (Postfix) with ESMTPSA id F2F3BC00048B6;
    Sun,  4 Mar 2018 09:07:18 +0800 (CST)
Date: Sun, 04 Mar 2018 09:07:16 +0800
Subject: [ =?UTF-8?Q?iRedAdmin,=E5=9E=83=E5=9C=BE=E9=83=B5=E4=BB=B6?= ** IS
    Spam ? ** ]Q
Message-ID: <6oaam8kpr3ubi3s61276niph.1520125636195@email.android.com>
From: test <test@Mydomain.com>
To: "aaaaa" <aaaaa@outlook.com>
Cc: bbbbb@gmail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--_com.android.email_531982708327960"

----_com.android.email_531982708327960
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

Question for the moderator:
1). Why are the spam messages different? Is the iRedAdmin-Pro setting the authoritative one, and how do I fix this?

2). But I actually have "quarantine mail notification" configured, with the settings below:
Why was this feature not triggered? Or does it only apply to incoming mail and not to internal accounts?

# SMTP server address, port, username, password used to send notification mail.
NOTIFICATION_SMTP_SERVER = 'localhost'
NOTIFICATION_SMTP_PORT = 587
NOTIFICATION_SMTP_STARTTLS = True

#NOTIFICATION_SMTP_USER = 'no-reply@localhost.local'
#NOTIFICATION_SMTP_PASSWORD = ''
NOTIFICATION_SMTP_USER = 'spam@Mydomain.com'
NOTIFICATION_SMTP_PASSWORD = 'xxxxxxxxxx'
NOTIFICATION_SMTP_DEBUG_LEVEL = 1

# The short description or full name of this smtp user. e.g. 'No Reply'
#NOTIFICATION_SENDER_NAME = 'No Reply'
NOTIFICATION_SENDER_NAME = 'spam'

#NOTIFICATION_IREDADMIN_URL = 'https://mail.l.Mydomain.com/iredadmin/'
#NOTIFICATION_URL_SELF_SERVICE = 'https://mail.Mydoamin.com/iredadmin/'

#NOTIFICATION_QUARANTINE_MAIL_SUBJECT = '[Attention] You have emails quarantined and not delivered to mailbox'
NOTIFICATION_QUARANTINE_MAIL_SUBJECT = "[注意] 隔離信件通知"

MAIL_ERROR_TO_WEBMASTER = True

Understood.

Thanks.

ZhangHuangbin wrote:

Too many things are being discussed in one post; they need to be broken down and split into separate forum threads. You've already given me a headache...

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf /etc/fail2ban/filter.d/postfix.iredmail.conf

Could you confirm whether your test was run correctly? If not, could you run it again? Thanks.

Thanks for the moderator's guidance:
I forgot that when testing with fail2ban-regex, the ignoreregex test requires passing the filter argument twice.
The lines are indeed skipped.

Lines: 162118 lines, 8 ignored, 256 matched, 161854 missed
[processed in 17.75 sec]

|- Ignored line(s):
|  Jan 14 21:07:13 mail postfix/postscreen[18432]: PREGREET 33 after 0.21 from [219.80.xx.yy]:13685: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 14 21:07:13 mail postfix/postscreen[18432]: PREGREET 33 after 0.21 from [219.80.xx.yy]:13687: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:00:14 mail postfix/postscreen[13076]: PREGREET 33 after 0.04 from [219.80.xx.yy]:55933: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:00:14 mail postfix/postscreen[13076]: PREGREET 27 after 0.04 from [219.80.xx.yy]:35427: EHLO we-guess.mozilla.org\r\n
|  Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:15135: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 29 10:35:17 mail postfix/postscreen[22871]: PREGREET 33 after 0.03 from [192.168.1.10]:1885: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 29 10:35:17 mail postfix/postscreen[22871]: PREGREET 33 after 0.02 from [192.168.1.10]:1887: EHLO we-guess.mozilla.org\r\nQUIT\r\n
`-

So I will correct the postfix rule settings above.

Thanks.

Sorry, moderator, for replying only now:

1).

ZhangHuangbin wrote:

One possible approach: add the Thunderbird log entry as an exception in the "ignoreregex =" parameter of postfix.iredmail.conf.

Could you add the following ignoreregex to your postfix.iredmail.conf to ignore TB?

ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

Test result:
"ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org"

Putting this pattern under "ignoreregex =" has no effect; the lines are still caught (not ignored);
but putting it under "failregex =", with only this rule added, works and catches them:

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess\.mozilla\.org.*$
|      219.80.xx.yy  Sun Jan 14 21:07:13 2018
|      219.80.xx.yy  Sun Jan 14 21:07:13 2018
|      219.80.xx.yy  Thu Jan 25 18:00:14 2018
|      219.80.xx.yy  Thu Jan 25 18:00:14 2018
|      219.80.xx.yy  Thu Jan 25 18:04:32 2018
|      219.80.xx.yy  Thu Jan 25 18:04:32 2018
`-

Ignoreregex: 0 total

Could this be a fail2ban bug?

2).

rain6966 wrote:

1).

Looking at the log for 123.59.60.110

Jan 18 03:17:33 mail postfix/postscreen[12606]: PREGREET 295 after 0.01 from [123.59.60.110]:39922: \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\

Jan 18 03:17:36 mail postfix/postscreen[12606]: PREGREET 3 after 3.1 from [123.59.60.110]:34059: \255\253\1

The log above contains no (EHLO|HELO), so
" postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)"
still cannot catch it.

So is there another way, or should we just let it pass? Or use my rule? Please decide, moderator.

If the rule I mentioned above is to be used, after checking the log this morning it still needs to be changed to:

HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)

Because "HANGUP after 0 from" is not caught when the value is "0";
and catching it with "postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)"
also fails, because its helo is lowercase.

Jan 28 19:44:25 mail postfix/postscreen[7371]: CONNECT from [114.221.126.195]:24729 to [10.10.10.10]:25
Jan 28 19:44:25 mail postfix/postscreen[7371]: PREGREET 12 after 0 from [114.221.126.195]:24729: ehlo hello\r\n
Jan 28 19:44:26 mail postfix/dnsblog[7378]: addr 114.221.126.195 listed by domain zen.spamhaus.org as 127.0.0.11
Jan 28 19:44:26 mail postfix/dnsblog[7378]: addr 114.221.126.195 listed by domain zen.spamhaus.org as 127.0.0.4
Jan 28 19:44:26 mail postfix/postscreen[7371]: DNSBL rank 13 for [114.221.126.195]:24729
Jan 28 19:44:26 mail postfix/postscreen[7371]: COMMAND PIPELINING from [114.221.126.195]:24729 after ehlo: help\r\n\r\n
Jan 28 19:44:26 mail postfix/postscreen[7371]: HANGUP after 0 from [114.221.126.195]:24729 in tests after SMTP handshake
Jan 28 19:44:26 mail postfix/postscreen[7371]: DISCONNECT [114.221.126.195]:24729

3).
I split postfix.iredmail.conf into 2 files, because iRedMail previously had no filtering for postscreen; I added it myself. (I will probably merge them.)
postfix-ired.conf:

[INCLUDES]
before = common.conf

[Definition]
failregex = reject: RCPT from \S+\[<HOST>\]: 450 4.1.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 Service unavailable.*$
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 (.*): Relay access denied.*$
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname.*$
            reject: VRFY from (.*)\[<HOST>\]: 550 5.1.1 .*$
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1 .*$
            warning: Illegal address syntax from (.*)\[<HOST>\] in (RCPT|MAIL) command.*$
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\].*$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$


ignoreregex =

[Init]
#backend = polling
##journalmatch = _SYSTEMD_UNIT=postfix.service
#journalmatch =

postfix-poscr.conf:      "#" marks a comment; previously two rules were used: "HANGUP" and "PREGREET"

[INCLUDES]
before = common.conf
[Definition]

failregex =
#previous setting         HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests after SMTP handshake$
#previous setting         HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests before SMTP handshake$
#          HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)
           HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)

#          postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)
#
#moderator's setting; placed here it catches them          postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess\.mozilla\.org.*$

#previous setting          PREGREET ([0-9]{1,3}) .* from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$
#previous setting          PREGREET ([0-9]{1,3})* after (0\.[0-9]{1,2}) from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$


ignoreregex =
#moderator's setting; here it does not catch them
#ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

PS: Moderator, will the CentOS Nginx rule be updated in the next iRedMail version (stronger controls)? Below is my current setting, for reference only:
nginx-http-auth.conf

[INCLUDES]

# Load regexes for filtering
before = botsearch-common.conf


[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu 
agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*GET http.*
            ^<HOST> .*\"(\\\S|\\)x\d\d\\.*\" 400 .+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*\" 404 .+$
            ^<HOST> .*\"POST .*\" 405 .+$
            ^<HOST> -.*GET.*(\.asp|\.aspx|\.aspix|\.exe|\.cgi|\scgi)

            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) .*?$

             ^ \[error\] \d+#\d+: \*\d+ .*?forbidden(\,| .*) client: <HOST>

             ^ \[error\] \d+#\d+: \*\d+ ?FastCGI sent in stderr: .*?client: <HOST>

ignoreregex =

[Init]
backend = polling
journalmatch =

For the jail settings, I switched back to using the jail.local file

[nginx-http-auth]
enabled         = true
port            = http,https
#logpath        = %(nginx_error_log)s
logpath         = %(nginx_log)s 

paths-common.conf

nginx_log = %(syslog_nginx)s
nginx_backend = %(default_backend)s

paths-fedora.conf

syslog_nginx = /var/log/nginx/*.log
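Added example (not from this thread, iRedMail or fail2ban): a small Python stand-in for fail2ban's failregex/ignoreregex evaluation, run over constructed postscreen lines modelled on the ones quoted above. It shows why the old HANGUP rule misses "HANGUP after 0", why `(EHLO|HELO)` misses the lowercase "ehlo hello" line, and how the Thunderbird ignoreregex suppresses the we-guess.mozilla.org PREGREET lines. The `<HOST>` expansion is simplified to IPv4, and the case-insensitive variant and the sample IPs are constructed here.

```python
import re

# Simplified <HOST> expansion (assumption): fail2ban's real tag also accepts
# hostnames and IPv6; IPv4 is enough for the postscreen lines in this thread.
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns as quoted in the thread (postfix-poscr.conf and the moderator's suggestion).
OLD_HANGUP = r"HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)"
NEW_HANGUP = r"HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)"
PREGREET_HELO = r"postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)"
# Constructed variant: scoped case-insensitive group so "ehlo hello" is also caught.
PREGREET_HELO_I = r"postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (?i:EHLO|HELO)"
TB_IGNORE = r"postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess\.mozilla\.org"

# Constructed sample lines modelled on the postscreen entries quoted in the thread
# (documentation IP ranges instead of the real addresses).
SAMPLE_LOG = [
    "Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [203.0.113.5]:15135: EHLO we-guess.mozilla.org\\r\\nQUIT\\r\\n",
    "Jan 28 19:44:25 mail postfix/postscreen[7371]: PREGREET 12 after 0 from [198.51.100.7]:24729: ehlo hello\\r\\n",
    "Jan 28 19:44:26 mail postfix/postscreen[7371]: HANGUP after 0 from [198.51.100.7]:24729 in tests after SMTP handshake",
    "Jan 18 03:17:40 mail postfix/postscreen[12606]: HANGUP after 3.2 from [192.0.2.9]:34059 in tests after SMTP handshake",
    "Jan 13 18:17:17 mail postfix/postscreen[12382]: PREGREET 13 after 0 from [192.0.2.40]:49299: EHLO ubuntu\\r\\n",
]


def compile_f2b(pattern):
    """Expand the <HOST> tag (simplified) and compile, as fail2ban does for both lists."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def evaluate(lines, failregex, ignoreregex=()):
    """Return ({host: hits}, ignored_count).

    A line matched by any ignoreregex never counts as a failure, whatever the
    failregex list says; otherwise the first matching failregex wins.
    """
    fails = [compile_f2b(p) for p in failregex]
    ignores = [compile_f2b(p) for p in ignoreregex]
    hits, ignored = {}, 0
    for line in lines:
        if any(r.search(line) for r in ignores):
            ignored += 1
            continue
        for r in fails:
            m = r.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits, ignored


def hangup_comparison(lines=SAMPLE_LOG):
    """Old vs corrected HANGUP rule: the old one requires a '.' and so misses 'after 0'."""
    old, _ = evaluate(lines, [OLD_HANGUP])
    new, _ = evaluate(lines, [NEW_HANGUP])
    return old, new


def pregreet_comparison(lines=SAMPLE_LOG):
    """Case-sensitive vs case-insensitive HELO rule, both with the Thunderbird exception."""
    strict, ignored = evaluate(lines, [PREGREET_HELO], [TB_IGNORE])
    loose, _ = evaluate(lines, [PREGREET_HELO_I], [TB_IGNORE])
    return strict, loose, ignored


if __name__ == "__main__":
    old, new = hangup_comparison()
    print("HANGUP old rule :", old)      # misses 198.51.100.7 ("after 0")
    print("HANGUP new rule :", new)
    strict, loose, ignored = pregreet_comparison()
    print("PREGREET strict :", strict)   # misses the lowercase "ehlo hello"
    print("PREGREET (?i)   :", loose)
    print("ignored (TB)    :", ignored)  # the we-guess.mozilla.org line
```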

Thanks for the moderator's reply.

1).
Using this setting:

https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/postfix.iredmail.conf

# diff 1 2

13c13
< Failregex: 120 total
---
> Failregex: 133 total
68c68
< |   3) [69] postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)
---
> |   3) [82] PREGREET ([0-9]{1,3}) .* from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$
73a74,77
> |      123.59.60.110  Tue Dec 19 23:15:18 2017
> |      123.59.60.110  Tue Dec 19 23:15:21 2017
> |      112.117.17.42  Thu Dec 21 01:18:48 2017
> |      139.162.99.243  Thu Dec 21 02:06:06 2017
88a93,94
> |      210.201.136.13  Tue Dec 26 14:57:33 2017
> |      110.185.170.146  Tue Dec 26 19:16:05 2017
101a108,109
> |      123.59.60.110  Wed Jan 03 14:17:25 2018
> |      123.59.60.110  Wed Jan 03 14:17:28 2018
104a113
> |      220.175.61.17  Thu Jan 04 10:12:48 2018
106a116
> |      124.235.138.249  Tue Jan 09 06:18:48 2018
131a142,143
> |      123.59.60.110  Thu Jan 18 03:17:33 2018
> |      123.59.60.110  Thu Jan 18 03:17:36 2018
137a150
> |      210.201.136.13  Fri Jan 26 14:55:44 2018
161,162c174,175
< Lines: 149143 lines, 0 ignored, 120 matched, 149023 missed
< [processed in 8.55 sec]
---
> Lines: 149143 lines, 0 ignored, 133 matched, 149010 missed
> [processed in 8.89 sec]
164c177
< Missed line(s): too many to print.  Use --print-all-missed to print all 149023 lines
---
> Missed line(s): too many to print.  Use --print-all-missed to print all 149010 lines

File 1 is iRedMail's setting on bitbucket.
File 2 is my own previous setting.

Looking at the log for 123.59.60.110

Jan 18 03:17:33 mail postfix/postscreen[12606]: CONNECT from [123.59.60.110]:39922 to [10.10.10.10]:25
Jan 18 03:17:33 mail postfix/postscreen[12606]: BLACKLISTED [123.59.60.110]:39922
Jan 18 03:17:33 mail postfix/postscreen[12606]: PREGREET 295 after 0.01 from [123.59.60.110]:39922: \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\
Jan 18 03:17:33 mail postfix/postscreen[12606]: CONNECT from [123.59.60.110]:34059 to [10.192.176.16]:25
Jan 18 03:17:33 mail postfix/postscreen[12606]: BLACKLISTED [123.59.60.110]:34059
Jan 18 03:17:33 mail postfix/postscreen[12606]: BARE NEWLINE from [123.59.60.110]:39922 after \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\226\235\135\0\0\136\1920\192,\192(\192$\192\20\192
Jan 18 03:17:33 mail postfix/postscreen[12606]: COMMAND PIPELINING from [123.59.60.110]:39922 after ????"?: \0\163\0\159\0k\0j\0009\0008\0\136\0\135\1922\192.\192*\192&\192\15\192\5\0\157\0=\0005\0\132\192\18\192\b\0\22\0\19\192\r\192\3\0\n\192/\192+\192'\192#\192\19\192\t\0\162\0\158\0g\0@\0003\0002\0\154\0\153\0E\0D\1921\192-\192)\192%\192\14\192\4\0\156\0<\0/
Jan 18 03:17:33 mail postfix/postscreen[12606]: HANGUP after 0 from [123.59.60.110]:39922 in tests after SMTP handshake
Jan 18 03:17:33 mail postfix/postscreen[12606]: DISCONNECT [123.59.60.110]:39922
Jan 18 03:17:36 mail postfix/postscreen[12606]: PREGREET 3 after 3.1 from [123.59.60.110]:34059: \255\253\1
Jan 18 03:17:40 mail postfix/postscreen[12606]: HANGUP after 3.2 from [123.59.60.110]:34059 in tests after SMTP handshake
Jan 18 03:17:40 mail postfix/postscreen[12606]: DISCONNECT [123.59.60.110]:34059

It indeed cannot be blocked; if (EHLO|HELO) is removed, both rules catch the same results.

But I think there is still a problem:
users outside the company who create a new account from a laptop (or a remote computer) get blocked.

Jan 25 18:04:32 mail postfix/postscreen[13246]: CONNECT from [219.80.xx.yy]:15135 to [10.10.10.10]:25
Jan 25 18:04:32 mail postfix/postscreen[13246]: CONNECT from [219.80.xx.yy]:64281 to [10.10.10.10]:25
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: connect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: connect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: improper command pipelining after EHLO from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]: QUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: disconnect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:15135: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: improper command pipelining after EHLO from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]: QUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: disconnect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: COMMAND PIPELINING from [219.80.xx.yy]:15135 after EHLO: QUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: DISCONNECT [219.80.xx.yy]:15135
Jan 25 18:04:32 mail postfix/postscreen[13246]: COMMAND PIPELINING from [219.80.xx.yy]:64281 after EHLO: QUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: DISCONNECT [219.80.xx.yy]:64281

The above is the log from creating a new account with TB on a remote computer.
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Both rules catch it.


2).
Now I have added this rule:

"HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)"

It catches 52 IPs, fewer than the 69 IPs of postfix.iredmail.conf.

The log of a missed IP is below; it connects and disconnects immediately without any further action, so maybe it can be ignored.

# grep -1 '103.255.177.76' /var/log/maillog

Jan 13 18:11:46 mail clamd[1635]: SelfCheck: Database status OK.
Jan 13 18:17:17 mail postfix/postscreen[12382]: CONNECT from [103.255.177.76]:49299 to [10.10.10.10]:25
Jan 13 18:17:17 mail postfix/postscreen[12382]: PREGREET 13 after 0 from [103.255.177.76]:49299: EHLO ubuntu\r\n
Jan 13 18:17:17 mail postfix/postscreen[12382]: DISCONNECT [103.255.177.76]:49299
Jan 13 18:21:46 mail clamd[1635]: SelfCheck: Database status OK.
--
Jan 13 19:41:46 mail clamd[1635]: SelfCheck: Database status OK.
Jan 13 19:48:00 mail postfix/postscreen[12571]: CONNECT from [103.255.177.76]:50211 to [10.10.10.10]:25
Jan 13 19:48:00 mail postfix/postscreen[12571]: PREGREET 13 after 0 from [103.255.177.76]:50211: EHLO ubuntu\r\n
Jan 13 19:48:01 mail postfix/postscreen[12571]: DISCONNECT [103.255.177.76]:50211
Jan 13 19:51:46 mail clamd[1635]: SelfCheck: Database status OK.
--
Jan 13 21:28:33 mail postfix/anvil[12915]: statistics: max cache size 1 at Jan 13 21:25:13
Jan 13 21:28:46 mail postfix/postscreen[12929]: CONNECT from [103.255.177.76]:42388 to [10.10.10.10]:25
Jan 13 21:28:46 mail postfix/postscreen[12929]: PREGREET 13 after 0 from [103.255.177.76]:42388: EHLO ubuntu\r\n
Jan 13 21:28:47 mail postfix/postscreen[12929]: DISCONNECT [103.255.177.76]:42388

Currently I also add it manually to ignoreip; does the moderator have a better method?

a0800426 wrote:

2018-01-17 12:49:08,257 fail2ban.filterpyinotify[3340]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/dovecot.log pathname=/var/log/dovecot.log wd=2 >

Is the dovecot.log path correct?
iRedMail 0.9.7 seems to require a changed path, and the log files have changed too.

Check whether the log path is correct with the command below
# fail2ban-client status dovecot-iredmail

Status for the jail: dovecot-iredmail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot/pop3.log /var/log/dovecot/imap.log /var/log/dovecot/dovecot.log /var/log/dovecot/lda.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

The above is for reference only.

rain6966 wrote:

b). Suggestion: if the Pro version's "White/Blacklist" were renamed to Content Filter or Content Policy, it would be less confusing. (Then of course there is no question of which takes precedence.)

That suggestion is not good; it should instead be to add a separate "Content Filter or Content Policy"

ZhangHuangbin wrote:
rain6966 wrote:

a). amavisd has been changed to not block, so why does it still block?

The non-blocking you configured only stops banning zip files, right? Are doc, pdf, csv, rar still set to be blocked?

Besides the original setting above,
in amavisd.conf

$banned_filename_re = new_RE(
# qr'^\.zip$',
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],

I saw someone on the forum ask about the amavisd Banned issue.
The moderator replied that the 0.9.0 to 0.9.1 upgrade added $banned_namepath_re for RHEL/CentOS.
I commented out the rar line in the rules, tested OK, as follows:

$banned_namepath_re = new_RE(
    #[qr'T=(rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi => 'DISCARD'],     # Compressed file types

ZhangHuangbin wrote:
rain6966 wrote:

b). When xxx@gmail.com is added to the whitelist in White/Blacklist,
   should the Spam Policy still apply or not? Which takes precedence?

The amavisd documentation doesn't seem to state clearly which takes precedence; it needs to be tested in practice.

a). In the Pro version, amavisd.conf still needs to be modified; I was hoping not to have to modify it and to set it directly from the console, which would be best. (In the Free version, of course the config must be edited.)

b). Suggestion: if the Pro version's "White/Blacklist" were renamed to Content Filter or Content Policy, it would be less confusing. (Then of course there is no question of which takes precedence.)

Because in practice, attachments exchanged between internal users and customers require many files with special filenames.
Setting it at the "domain" level is easier and avoids having to set it per "user"; I was only curious to test the per-user setting.
iRedMail blocks specific filenames by default; if it is not to be enabled, is it just commented out? (Just an additional note.)


ZhangHuangbin wrote:
rain6966 wrote:

c). When manually sending a quarantine notification, an error appears

This issue will be fixed in the next release (already fixed, not yet released).

Will it be in the next release?

My current usage: the recipient informs the administrator, who sets it up for them.

The administrator and the original recipient receive:

Subject:

[Attention] Quarantined mail notification

Content:

Quarantined mail is kept for xx days.
After reviewing the sender and the subject summary, please forward the result to MIS, noting "blacklist" or "whitelist".
If unsure, treat it as "whitelist" first; if you later decide you do not want such mail, tell MIS and it will be added to the "blacklist".

Please "forward as attachment" to spam@mydom.com to receive that mail, or to never receive it again.
= = = = = = = = = = = = = == = = = = = = = = = = = = = = = = = = = =

Date and time are in time zone: GMT+08:00.
Subject           Sender                                Spam Level         Time
Dec 28, 2017
11111       test<test@mydomain.com>        0.0                     10:16

Thanks for the moderator's reply

Thanks

maillog:

Dec 26 06:20:52 mail postfix/smtpd[19316]: NOQUEUE: reject: RCPT from unknown[194.136.193.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [194.136.193.154]; from=<announce-bounces@mariadb.org> to=<test@mydomain.com> proto=ESMTP helo=<hasky.askmonty.org>

This "450 4.7.1 Client host rejected: cannot find your reverse hostname"

cannot be caught with the following:

failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
            reject: RCPT from .*\[<HOST>\]: .*: Relay access denied
            reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname
            reject: RCPT from .*\[<HOST>\]: 554 5.7.1
            reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error
            warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command
            from \[<HOST>\]:.*: EHLO ylmf-pc 

Question for the moderator:

1). Should the IP in the message above be blocked? Or whitelisted?

Analysis:
Regarding the sender announce-bounces@mariadb.org:

#host -t mx mariadb.org
mariadb.org mail is handled by 1 mail.askmonty.org.

#host mail.askmonty.org
mail.askmonty.org has address 173.203.201.185
mail.askmonty.org mail is handled by 1 mail.askmonty.org.

# host hasky.askmonty.org
hasky.askmonty.org has address 194.136.193.154
hasky.askmonty.org mail is handled by 1 hasky.askmonty.org.

The helo is hasky.askmonty.org, while the MX lookup for mariadb.org gives mail.askmonty.org; the two IPs are different.

Should 194.136.193.154 hasky.askmonty.org be blocked?
If the mail comes from 173.203.201.185, whitelist it?

2). If it really should be blocked, fail2ban cannot block it.
As domain administrator I receive many mails like this:
Subject:
"Postfix SMTP server: errors from unknown[194.136.193.154]"

Mail content:

Transcript of session follows.

 Out: 220 mail.mydomain.com ESMTP Postfix
 In:  EHLO hasky.askmonty.org
 Out: 250-mail.mydomain.com
 Out: 250-PIPELINING
 Out: 250-SIZE 104857600
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 220 2.0.0 Ready to start TLS
 In:  EHLO hasky.askmonty.org
 Out: 250-mail.mydomain.com
 Out: 250-PIPELINING
 Out: 250-SIZE 104857600
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<announce-bounces@mariadb.org> SIZE=5863 BODY=7BIT
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<test@mydomain.com> ORCPT=rfc822;test@mydomain.com
 Out: 451 4.3.5 Server configuration error
 In:  DATA
 Out: 554 5.5.1 Error: no valid recipients
 In:  RSET
 Out: 250 2.0.0 Ok
 In:  QUIT
 Out: 221 2.0.0 Bye

In the end I reverted to my original settings and added
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

Moderator, please help clarify!

Thanks

ZhangHuangbin wrote:

"Sender user@domain.com is blacklisted"

This fits my current situation better.

Thanks for the reply.

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Pro-LDAP-3.0
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

maillog:

Nov 24 15:32:00 mail postfix/submission/smtpd[25955]: NOQUEUE: reject: RCPT from 11-22-33-44.HINET-IP.hinet.net[11.22.33.44]: 554 5.7.1 <mygmail@gmail.com>: Recipient address rejected: Blacklisted; from=<user@mydomain.com> to=<mygmail@gmail.com> proto=ESMTP helo=<[10.10.1.6]>

postfix.iredmail.conf settings, see:
https://bitbucket.org/zhb/iredmail/src/ … dmail.conf

fail2ban log:
2017-11-24 15:32:00,433 fail2ban.filter  [25286]: INFO    [postfix.iredmail] Ignore 11.22.33.44 by ip

/etc/fail2ban/jail.local
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 11.22.33.44

fail2ban is unable to block 11.22.33.44.

But it still cannot send out; the message in the attached 21071116.jpg appears.

I checked the admin console: that user can receive mail, and outbound is limited to sending within the domain, not outside it;
the setting is as in the attached 20171114.jpg.

Is this "Recipient address rejected: Blacklisted" the default Postfix message or an iRedMail
message? If it is iRedMail's, could it be revised into a more readable message?

"554 5.7.1 <mygmail@gmail.com>: Recipient address rejected: Blacklisted; "
This message looks a bit odd.

Is the "Required information" no longer needed when asking questions now? It didn't appear; should future questions go to forum.iredmail.org instead?
I'll fill it in manually anyway.
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Pro-LDAP-3.0
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

maillog shows the following messages:
mydomain.com does not have the accounts below.

Nov 21 05:43:46 mail postfix/smtpd[31872]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<cocacola@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>
Nov 21 05:44:02 mail postfix/smtpd[31555]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<action@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>

On another machine:

Nov 21 05:07:13 mx postfix/smtpd[4678]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<environnement@hinet.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>
Nov 21 05:07:15 mx postfix/smtpd[4678]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<base@hinet.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>

Added in fail2ban/filter.d/postfix.iredmail.conf:
reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 (.*): Relay access denied.*$

reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
Using:
fail2ban-regex -v /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf> test.log
Checking test.log, it blocks effectively.
Moderator, which of the two above is better? (Currently there is 450 4.7.1 but no 454 4.7.1.)

I tried adding to postfix main.cf:
smtpd_client_connection_count_limit = 8

smtpd_client_connection_rate_limit = 12
#anvil_rate_time_unit = 60s                     #default
It seems to have no effect?

Nov 21 05:07:42 mx postfix/smtpd[4714]: warning: Connection rate limit exceeded: 81 from hwsrv-201014.hostwindsdns.com[23.254.203.80] for service smtpd
Nov 21 05:07:42 mx postfix/smtpd[4714]: disconnect from hwsrv-201014.hostwindsdns.com[23.254.203.80]
Nov 21 05:09:04 mx postfix/anvil[4450]: statistics: max connection rate 81/60s for (smtpd:23.254.203.80) at Nov 21 05:07:42
Nov 21 05:09:04 mx postfix/anvil[4450]: statistics: max connection count 2 for (smtpd:23.254.203.80) at Nov 21 04:59:04

I set smtpd_client_connection_rate_limit = 12, yet it still shows 81 times?

In iRedMail or iRedAdmin-Pro, apart from blocking with fail2ban, where else can 454 4.7.1 Relay access denied be configured?
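To compare the two failregex candidates above (and the 450 4.7.1 ones from the earlier post) without waiting for live traffic, here is an added example; it is not part of the original post and not iRedMail's filter code. It is a small Python model of what fail2ban-regex does: it substitutes fail2ban's own <HOST> pattern into each regex, searches each log line, then applies an ignoreip list (as jail.local does) and a maxretry threshold. The sample maillog lines, the documentation-range IP addresses, the reason text on line 5, and the helper names (scan, ignored, ban_candidates) are all constructed for the example.

```python
import ipaddress
import re

# fail2ban replaces the <HOST> tag with this named group before compiling a
# failregex; this is the same substitution fail2ban itself performs.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The candidate failregex lines from the posts above, verbatim.
FAILREGEX_450 = [
    r"reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
    r"reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
]
NARROW_454 = r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 (.*): Relay access denied.*$"
BROAD_454 = r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1"

# Constructed sample maillog lines (documentation-range IPs stand in for the
# addresses in the posts). Line 5 is a hypothetical 454 4.7.1 reject with a
# different reason text, included only to show where the two 454 regexes differ.
SAMPLE_LINES = [
    "Nov 21 05:43:46 mail postfix/smtpd[31872]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[203.0.113.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<cocacola@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>",
    "Nov 21 05:44:02 mail postfix/smtpd[31555]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[203.0.113.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<action@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>",
    "Nov 21 05:50:01 mail postfix/smtpd[31900]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.23]; from=<spam@example.org> to=<test@mydomain.com> proto=ESMTP helo=<mail.example.org>",
    "Nov 24 15:32:00 mail postfix/submission/smtpd[25955]: NOQUEUE: reject: RCPT from 11-22-33-44.HINET-IP.hinet.net[192.0.2.44]: 554 5.7.1 <mygmail@gmail.com>: Recipient address rejected: Blacklisted; from=<user@mydomain.com> to=<mygmail@gmail.com> proto=ESMTP helo=<[10.10.1.6]>",
    "Nov 21 06:01:12 mail postfix/smtpd[31910]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <user@mydomain.com>: Recipient address rejected: Access denied; from=<spam@example.net> to=<user@mydomain.com> proto=ESMTP helo=<example.net>",
]

# Mirrors the jail.local ignoreip line from the earlier post, with 192.0.2.44
# standing in for the poster's own address.
IGNOREIP = ["127.0.0.1", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "192.0.2.44"]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def scan(lines, failregexes):
    """Return [(line number, host)] for every line hit by any failregex.

    fail2ban applies failregex with an unanchored search after stripping the
    timestamp, so a pattern need not start at the beginning of the line.
    """
    compiled = [compile_failregex(r) for r in failregexes]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((lineno, m.group("host")))
                break  # one failure per line, like fail2ban
    return hits


def ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (single IP or CIDR).

    Hostnames are never ignored here; real fail2ban would resolve them first.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def ban_candidates(lines, failregexes, ignoreip, maxretry):
    """Hosts that reach maxretry failures and are not in ignoreip.

    findtime is deliberately ignored: every sample line counts as recent.
    """
    counts = {}
    for _lineno, host in scan(lines, failregexes):
        if ignored(host, ignoreip):
            continue
        counts[host] = counts.get(host, 0) + 1
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, regexes in (("450 pair", FAILREGEX_450),
                          ("narrow 454", [NARROW_454]),
                          ("broad 454", [BROAD_454])):
        print(name, scan(SAMPLE_LINES, regexes))
    print("would ban:", ban_candidates(SAMPLE_LINES, [BROAD_454], IGNOREIP, maxretry=2))
```

The narrow regex fires only on "Relay access denied" lines; the broad one fires on any 454 4.7.1 reject, so it also catches line 5. An address listed in ignoreip is never counted no matter how often it matches, which is what the "Ignore 11.22.33.44 by ip" log line in the earlier post reports; to test a filter change against real traffic, run fail2ban-regex over /var/log/maillog as the post does.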
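The anvil lines quoted above can be reproduced with a small model, added here as an example and not taken from Postfix or iRedMail. It follows the documented semantics of smtpd_client_connection_rate_limit and anvil(8): anvil counts every connection attempt a client makes within one anvil_rate_time_unit (60s by default), smtpd refuses an attempt once that count exceeds the limit, and refused attempts are still counted, so the peak rate anvil logs can read 81 while the limit is 12. The timing of the attempts, the client address and the helper names (AnvilModel, simulate) are assumptions made for this example.

```python
class AnvilModel:
    """Model of anvil(8) per-client connection-rate accounting.

    Assumption: written from the documented behaviour, not Postfix's source.
    A fixed window of `time_unit` seconds starts at a client's first attempt;
    every attempt in the window increments the client's counter, whether or
    not smtpd ends up serving it. smtpd refuses the attempt when the counter
    exceeds `rate_limit` (it then logs "Connection rate limit exceeded: N").
    A rate_limit of 0 disables the check, as in Postfix.
    """

    def __init__(self, rate_limit, time_unit=60):
        self.rate_limit = rate_limit
        self.time_unit = time_unit
        self._window_start = {}   # client -> start time of its current window
        self._count = {}          # client -> attempts seen in that window
        self.peak = {}            # client -> (highest count, time it was reached)

    def connect(self, client, now):
        """Record one connection attempt; return True if smtpd would accept it."""
        start = self._window_start.get(client)
        if start is None or now - start >= self.time_unit:
            self._window_start[client] = now
            self._count[client] = 0
        self._count[client] += 1
        n = self._count[client]
        if n > self.peak.get(client, (0, None))[0]:
            self.peak[client] = (n, now)   # what "max connection rate N/60s" reports
        return self.rate_limit == 0 or n <= self.rate_limit


def simulate(attempts, rate_limit, interval=0.5, client="203.0.113.80"):
    """Replay `attempts` connections from one client, `interval` seconds apart.

    Returns (accepted, refused, peak count anvil would log for the client).
    """
    anvil = AnvilModel(rate_limit)
    accepted = refused = 0
    for i in range(attempts):
        if anvil.connect(client, i * interval):
            accepted += 1
        else:
            refused += 1
    return accepted, refused, anvil.peak[client][0]


if __name__ == "__main__":
    # 81 attempts inside one 60s window with the limit from the post.
    print("limit 12, 81 attempts in 40s:", simulate(81, 12))
    # Same burst spread over 80s: the window resets once, so the peak drops.
    print("limit 12, 81 attempts in 80s:", simulate(81, 12, interval=1.0))
    # Limit disabled (Postfix default).
    print("limit 0:", simulate(81, 0))
```

The limit decides how many attempts are served, not how many anvil counts, so a burst of 81 attempts still shows up as "max connection rate 81/60s" even though only 12 of them got a session. smtpd_client_connection_count_limit is a separate limit on simultaneous sessions, which is why anvil reports "max connection count 2" independently of the rate figure.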

==== Required information. Questions without it will not be answered ====
- iRedMail version: 0.9.7
- Which database stores user accounts (OpenLDAP, MySQL, PostgreSQL): Pro-LDAP-3.0
- Linux/BSD distribution name and version: CentOS 7
- Log messages related to your problem:
====
Under Users >> Profile of user: (not the domain)
1). In White/Blacklist, xxx@gmail.com is set as whitelisted.

2). All options in Spam Policy are ticked:
Spam, Virus, Bad-header and Banned all have checking and Quarantine enabled.

3). In amavisd.conf, zip and rar are not banned, as follows:

$banned_filename_re = new_RE(
# qr'^\.zip$',
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],

4). Now xxx@gmail.com sends to an in-domain user@ with a zip file attached.
Its contents are doc, pdf, csv and rar files.
The rar file, ECNT2017001-A_AMOS-825_PBOM.rar, contains one directory, inside which is a
PAMOS-825-1Q10A2.csv.
But it is still quarantined.

log:

Oct  6 17:43:02 mail.mydomain.com /usr/sbin/amavisd[29335]: (29335-08) Blocked BANNED (ECNT2017001-A_AMOS-825_PBOM) {DiscardedInbound,Quarantined}, [74.125.83.51]:45102 [xx.xx.xx.9] <xxx@gmail.com> -> , quarantine: JkNYNu1kYDgo, Queue-ID: 0C2FDC000010F, Message-ID: <155588fa-9f1f-cc43-9f14-0d33075e26c1@gmail.com>, mail_id: JkNYNu1kYDgo, Hits: -, size: 190126, dkim_sd=20161025:gmail.com, 838 ms
Oct  6 17:43:02 mail.mydomain.com /usr/sbin/amavisd[29335]: (29335-08) Blocked BANNED (ECNT2017001-A_AMOS-825_PBOM), <xxx@gmail.com> -> , Hits: -, tag=0, tag2=6.3, kill=6.3, L/Y/0/0

Looking at this situation in iRedAdmin:
a). amavisd has been changed not to block, so why is it still blocked?
b). When xxx@gmail.com is added as a whitelist entry in White/Blacklist,
   should Spam Policy be ineffective or effective? Which takes precedence?

c). Manually running the quarantine notification gives an error:
# python /var/www/iredadmin/tools/notify_quarantined_recipients.py --force-all >/dev/null

Traceback (most recent call last):
  File "/var/www/iredadmin/tools/notify_quarantined_recipients.py", line 302, in <module>
    time_tuple = time_with_tz.timetuple()
AttributeError: 'str' object has no attribute 'timetuple'

Switching to notify_quarantined_recipients.py from iRedAdmin-Pro-2.9.0 works normally.

This favicon.ico file was originally used on another web server;
I took mark1.ico straight from that web server and used it.
On this mail server's webmail it also displays normally in the tab.

Does the moderator think this file is not a proper ico file format?

Web server page source:
<link href="CSS/spec1.css" rel="stylesheet" type="text/css">
<link rel="SHORTCUT ICON" href=IMG/mark1.ico>
<script language="JavaScript" type="text/JavaScript">


I'll try again when I have time and remake one.
For now I'm temporarily using the png format.

Thanks for the moderator's reply.