autowhitelist files not updated or not existent

8 posts / 0 new
Last post
#1 Fri, 03/20/2015 - 11:53
adlsrl

autowhitelist files not updated or not existent

Hi all !!
I've got a Centos 5.11 public mail server running Virtualmin GPL 4.15. I think there a problem in antispam services.
I'm running spamassassin 3.3.1.
Unfortunately I'm not able to attach to this post my configuration files. How can I do it?

Problem is that some customers report me some emails don't arrive to their mailbox so I check my log and see that emails is signed as SPAM and deleted.
Seems that spamassassin is too aggressive but I see a problem in autowhitelist files, I don't know if this issue can create some problems.
All autowhitelist files that are present into homes directories are update at 2012 and a lot of users haven't this file into its folder, seems to be new users created after 2012.
Also, if I create a new mail, the first sender that write an email to that address receive this error but messagge is deliver correctly to the mailbox:

procmail: Enforcing stricter permissions on "/var/mail/USER_DOMAIN.it"
procmail: Error while writing to "/var/log/procmail.log"

Failed to open /etc/webmin/miniserv.conf : Permission denied at /etc/webmin/virtual-server/lookup-domain.pl line 9.

procmail: Program failure (13) of "/etc/webmin/virtual-server/lookup-domain.pl"
Time:1426869899 From:"SENDER" To:USER@DOMAIN.it User:USER_DOMAIN.it Size:897 Dest:/var/spool/mail/USER_DOMAIN.it Mode:None

554 5.3.0 unknown mailer error 13

I hope this information are enough.
Thanks a lot.

Wed, 03/25/2015 - 11:21
andreychek

Howdy,

Hmm, how did you initially install Virtualmin? Was it with the install.sh script?

Also, what is the output of this command:

postconf -n

Wed, 03/25/2015 - 11:28
adlsrl

Thanks for reply.

Yes, I installed it with install.sh script.

I'm using sendmail not postfix, this command doesn't work.

Wed, 03/25/2015 - 12:11
andreychek

Howdy,

It sounds like there are some permissions problems going on there.

Unfortunately, I'm not too familiar with Sendmail these days, so I'm not quite sure what to tell you regarding how to troubleshoot that.

Is using Postfix an option?

It's simpler to setup, and easier to get help when things don't work right :-)

However, if you're hoping to keep Sendmail -- I can offer that in terms of Postfix, I was beginning to wonder if your "mailbox_command" was set incorrectly. On Postfix, it needs to use the procmail-wrapper in order to switch to the correct user during email delivery:

mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

If you're familiar with Sendmail setup, you may be able to use the above to accomplish a similar setup.

-Eric

Wed, 03/25/2015 - 12:25
adlsrl

This is a public mail server. I prefer to don't touch configurations too much....

This is my procmail configuration:

LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl --exitcode 73 $LOGNAME
EXITCODE=$?
:0
* ?/usr/bin/test "$EXITCODE" = "73"
/dev/null
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DEFAULT=/var/spool/mail/$LOGNAME
ORGMAIL=/var/spool/mail/$LOGNAME
DROPPRIVS=yes
:0
$DEFAULT
:0
* ^X-Spam-Status: Yes
/dev/null

And this is my sendmail configuration:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
define(`confSMTP_LOGIN_MSG', `$j $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `12')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A')dnl
dnl #
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /etc/pki/tls/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
FEATURE(`dnsbl', `cbl.abuseat.org', `', `"550 Mail from " $" refused. Rejected for bad WHOIS info on IP of your SMTP server " in http://cbl.abuseat.org/lookup.cgi "')
INPUT_MAIL_FILTER(`ratelimit-filter', `S=local:/var/run/milter-greylist/milter-greylist.sock')
define(`confINPUT_MAIL_FILTERS',`ratelimit-filter')
define(`confMILTER_MACROS_CONNECT',`j, {if_addr}')
define(`confMILTER_MACROS_HELO',`{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM',`i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT',`{greylist}')

What do you think about these configurations?
Thanks.

Wed, 03/25/2015 - 13:14
andreychek

Sorry, I'm really not familiar with Sendmail configuration... if you'd like to use Sendmail, that's okay, but you'd need to be comfortable setting it up and troubleshooting any issues that come with it.

We definitely recommend Postfix.

Perhaps someone more familiar with Sendmail than myself will see this and respond though :-)

-Eric

Thu, 03/26/2015 - 02:56 (Reply to #6)
adlsrl

Ok thanks. I understand.

But do you think that my problem with auto-whitelist files is caused by Sendmail? Not Spamassassin or something else?

"All autowhitelist files that are present into homes directories are updated at 2012 and a lot of users haven't this file into its folder, seems to be new users created after 2012."

This is my spamassassin configuration file:

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header subject [SPAM]

score RDNS_NONE 1.0
report Attenzione! messaggio di spam o considerato potenzialmente pericoloso.
report Prego controllare il mittente dell'email
report Attention! spam message or considered potentially dangerous.
report Please check the email sender

rbl_timeout 10

use_bayes 1
use_auto_whitelist 1

Thanks again.

Thu, 03/26/2015 - 10:35
adlsrl

Hi.

I resolve issue regarding auto whitelist.
Spamassassin didn't load AWL module so uncomment this line into configuration file:

loadplugin Mail::SpamAssassin::Plugin::AWL

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_A...

After this old files start to be updated and users that didn't have this file have got a new one.

Bye !