Is Mavericks Server swallowing Mail? I fear, YES

Question

Level 1

134 points

Is Mavericks Server swallowing Mail? I fear, YES

Have a very strange thing here.

For the last 6+ years I ran a Tiger 10.4. Mail Server. Just recently this really old puppy was due for retirement and a shiny new Mac Mini with the latest and greates Mavericks Server (3.1.1) took over. On Tiger I had installed an add-on package for grey-listing. This really worked wonders and reduced spam by a factor of 5 to 10. However every day I received about 20-30 spam mails tagged with ***Junk Mail***. Mostly (but not all) those were foreign writing (Chinese? and Russian). This didn't bother me as I have set up local filtering in Mail.app.

Now with Mavericks I get NO SPAM at all (almost). Maybe one or two tagged messages per week! No foreign writing messages. And some of my users are complaining that they miss messages that were supposed to be sent to them.

So it is obvious that the mail server swallows mail (spam and possibly legititmate mails as well). This bothers me greatly. My settings in the user interface are as follows:

Enable Greylisting and Enable Junk Mail are checked, Virus and Black List filtering are unchecked. Junk Mail filtering is set one notch from Aggressiv.

Checking the settings via command line (serveradmin settings mail) shows spam related settings

mail:postfix:greylist_enabled = yes

mail:postfix:spam_quarantine = "junk-quarantine@example.com"

mail:postfix:spam_subject_tag = "***JUNK MAIL*** "

mail:postfix:spam_notify_admin_email = "junk-admin@example.com"

mail:postfix:spam_ok_locales = "en"

mail:postfix:spam_scan_enabled = yes

mail:postfix:spam_rewrite_subject = yes

mail:postfix:spam_notify_admin = no

mail:postfix:spam_ok_languages = "en"

mail:postfix:spam_action = "deliver"

mail:postfix:spam_log_level = "warn"

and the virus related settings

mail:postfix:virus_db_last_update = "2014-03-25 17:20:55 +0000"

mail:postfix:virus_scan_enabled = no

mail:postfix:virus_db_log_level = "info"

mail:postfix:virus_quarantine = "virus-quarantine@example.com"

mail:postfix:virus_log_level = "info"

mail:postfix:virus_notify_recipients = no

mail:postfix:virus_notify_admin_email = "virus-admin@example.com"

mail:postfix:virus_action = "delete"

mail:postfix:virus_db_update_days = 12

mail:postfix:virus_notify_admin = no

These look pretty ok to me. So my question: where is my daily ration of spam? And are there legitimate mails being swallowed?

Thanks for any help, this is getting pretty urgent

---markus---

MacBook Pro with Retina display, OS X Mavericks (10.9.1)

Posted on Mar 26, 2014 4:05 AM

Reply

Answer 1

nick101

Level 5

5,132 points

Mar 26, 2014 4:49 AM in response to ruggiero

Other people will have more technical detail to offer, I expect, but my experience may help.

Greylisting - I have seen anumber of concerns about Server greylisting, and frequent recommendations to turn it off. I have it on and, although I'm not aware of having permanently lost any significant mail, I have seen quite long delays (more than a day) in receiving mail from 'new' senders. I surmise (but this needs testing) that Server greylisting in your new setup started be seeing *all* senders as 'new', which would generate a high percentage of delayed inbound mail. It may be that some sending servers stop retrying before Server finally permits receipt.

I switched to Server from MDaemon on Windows, and found greylisting to be much more 'aggressive' on Server

Anti-spam - I'd suggest lowering the aggressiveness of the filter - I would recommend setting it off completely to start with (that would enable you to separate filter issues from greylisting issues), then increasing it one notch at a time to get to a satisfactory balance.

Hope that helps

Reply

Answer 2

Mar 26, 2014 6:56 AM in response to ruggiero

Read the logs. Check the Postfix settings. See what's going on within your mail server.

Also confirm that your public DNS is correct — that is, fetch your MX record and confirm that the name to address translation works, and that the address then returns the domain name (the mail server host name) you started with. (Related reading)

Other mechanisms simply deny access to sites that have bogus DNS settings — this is the other side of the public DNS tests mentioned above. Using these settings and using RBLs can reduce the volume of spam.

Greylisting avoids spam because a substantial part of the spam around isn't sent from mail servers, it's sent from spam engines. The typical spam engines don't retry — they just blast messages, and move on when the message isn't delivered. Mail servers do retry. If you don't retry the send, you don't get through the greylisting.

Greylisting does not have an aggressiveness selecting. It's a rejection. SMTP 450. Not now I'm busy. It's then all up to the remote mail server to retry the message later. That might happen within minutes or hours, or the remote mail server might (rarely) be configured to drop the message — different mail providers have different settings.

Greylisting also offers explicit mail server whitelisting features, which can be helpful around Google GMail and related services that are operating with a gazillion mail servers — particularly if there's some form of failover or clustering in play, and the inbound mail messages aren't all sent from the same originating mail server. Until your greylisting software "learns" the pool of servers, some messages will be slow to arrive.

If you want the folks here to check your Postfix settings and/or your external DNS settings, post the output from:

postconf -n -c /Library/Server/Mail/Config/postfix

FWIW, given that it now takes around three minutes to scan the whole of the active IPv4 address space from one box (with a big enough network pipe), and given that the spammers can scan even faster than that given how many hosts the average botnet has, and given the spammers are already looking for DNS MX records and related, you're not going to be disclosing anything that the spammers don't already know about and aren't already testing.

Now there can be personal preferences and various other reasons to obfuscate a domain — so if you do choose to post the output and do obfuscate, please do perform the obfuscation consistently.

Reply

Answer 3

ruggiero Author

Level 1

134 points

Mar 28, 2014 2:34 AM in response to MrHoffman

Thanks for the tips. Nothing has changed DNS wise during the last couple years. It is just the NAT that is internally pointing to a different IP. Anyway, here is the output from postconf -n -c /Library/Server/Mail/Config/postfix

biff = no

command_directory = /usr/sbin

config_directory = /Library/Server/Mail/Config/postfix

content_filter = smtp-amavis:[127.0.0.1]:10024

daemon_directory = /usr/libexec/postfix

data_directory = /Library/Server/Mail/Data/mta

debug_peer_level = 2

debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5

dovecot_destination_recipient_limit = 1

enable_server_options = yes

header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks

html_directory = /usr/share/doc/postfix/html

imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred

inet_interfaces = all

inet_protocols = all

mail_owner = _postfix

mailbox_size_limit = 0

mailbox_transport = dovecot

mailq_path = /usr/bin/mailq

manpage_directory = /usr/share/man

message_size_limit = 10485760

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

mydomain = rucotec.ch

mydomain_fallback = localhost

myhostname = miniserver.rucotec.ch

mynetworks = 127.0.0.0/8, [::1]/128

newaliases_path = /usr/bin/newaliases

queue_directory = /Library/Server/Mail/Data/spool

readme_directory = /usr/share/doc/postfix

recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps

recipient_delimiter = +

relayhost = smtp.magnet.ch

sample_directory = /usr/share/doc/postfix/examples

sendmail_path = /usr/sbin/sendmail

setgid_group = _postdrop

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

smtpd_enforce_tls = no

smtpd_helo_required = yes

smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname

smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit

smtpd_sasl_auth_enable = yes

smtpd_tls_CAfile = /etc/certificates/miniserver.rucotec.ch.D970BA471E33DCDAC55AD3CEC50C16725E4E301 2.chain.pem

smtpd_tls_cert_file = /etc/certificates/miniserver.rucotec.ch.D970BA471E33DCDAC55AD3CEC50C16725E4E301 2.cert.pem

smtpd_tls_ciphers = medium

smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

smtpd_tls_key_file = /etc/certificates/miniserver.rucotec.ch.D970BA471E33DCDAC55AD3CEC50C16725E4E301 2.key.pem

smtpd_use_pw_server = yes

smtpd_use_tls = yes

tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550

use_sacl_cache = yes

virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains

virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users

The problem with all the Apple stuff is that it is nowhere documented what can be changed by serveradmin commandline tool and how those entries map to the underlying Unix conf file entries. So I am very hesitant to change something in a .conf in fear of it being overwritten next time Server.app is running.

Thanks for looking into things.

---markus---

Reply

Answer 4

Mar 28, 2014 6:10 AM in response to ruggiero

There's nothing in that postconf that would block traffic, so — beyond checking the logs and preferably beyond moving to a static IP address — there don't seem to be any particular issues here.

ruggiero wrote:

Thanks for the tips. Nothing has changed DNS wise during the last couple years. It is just the NAT that is internally pointing to a different IP.

That will effect DNS. Did you then verify internal DNS is still correct? Harmless diagnostic command to do that:

sudo changeip -checkhostname

The public DNS for this server is misconfigured, and — if you were not already using that mail relay, and were sending email directly — this server will be seen as a spam engine by various other mail servers, and messages arriving from this server will be dropped by a number of those receiving servers:

$ dig +short MX rucotec.ch

10 rucotec.ch.

$ dig +short rucotec.ch

213.189.151.242

$ dig +short -x 213.189.151.242

ip-213-189-151-243.fix.magnet.ch.

$

Were you not using a relay via your ISP, that last translation would be the host name rucotec.ch, and your current configuration would be indistinguishable from a spam engine by other mail servers. Some mail servers will not send messages to a configuration such as this; I've used a few that detect and drop such messages without sending them. If you already have or can get static IP from your ISP (as implied by that fix in the domain), then check with your ISP for that address-to-name translation. That'll entirely avoid the need for the mail relay.

You're fairly wide open in terms of what mail you'll accept with the following, too — yes, you do have greylisting running (that's the policy entry shown below), but that'll just defer the messages while also greatly reducing the spam:

smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit

As for your concerns around the command line usage and entirely unfortunately with OS X Server, there's not all that much documentation of or guidance around what's stable and what's not and what's allowed at the command line and what's not — muy frustrante — though I've empirically found that direct changes to Postfix via postconf -e -c /Library/Server/Mail/Config/postfix "value = settings" commands do (currently) stick.

Reply