Hi,
I have an email gateway that filters spam for third parties. I usually use fail2ban to reduce cases when particular IPs are flooding the gateway and record Hits: 35-100 points, by injecting "SMTP REJECT/DEFER explicit" to reduce the queue on the sender's side, help the exploited ISP/ESP with an explicit error, and reduce queue and filtering on my side.

My question: Can I add, in any way, the sender IP on the postfix/smtp log line? One option I have in mind is to record: smtpd-queue-id, amavis-sender-ip, smtp-return-code; and trigger the action I want, based on the last value. But I'm not sure it will work on large volume. Awk is my best skill ... :(

Detail about the problem: Sometimes messages (legit or spam) pass my filter and get rejected by third-party's Exchange servers with SMTP error "550 5.7.1 Message rejected as spam by Content Filtering". That causes the message to bounce (e.g. yahoo.com), occasionally blocking the gateway's IP. Saturday's rate was 10 bounces to 1000 messages (considering it is a weekend day, most of them are spam, probably 75%-99%). I tried to convince the other parties (running Exchange) to find a way to accept and quarantine the message, instead of rejecting at End of DATA. No success in two cases. Some of the messages look legit, hitting 1-2 points only. I can't stop them with spam filtering.
Logs:

Apr 26 22:04:45 gateway postfix/smtpd[20596]: 990AF434DE: client=localhost[127.0.0.1]
Apr 26 22:04:45 gateway postfix/cleanup[20583]: 990AF434DE: message-id=e1we8ps-0000u7...@host.s-example.com
Apr 26 22:04:45 gateway postfix/qmgr[2420]: 990AF434DE: from=sen...@s-domain.com, size=2943, nrcpt=1 (queue active)
Apr 26 22:04:45 gateway amavis[20536]: (20536-10) Passed CLEAN {RelayedInbound}, [S-domain.com-ip]:35086 [S-domain.com-ip] <sen...@s-domain.com> -> <recipi...@r-domain.com>, Queue-ID: 1D0794092C, Message-ID: e1we8ps-0000u7...@host.s-example.com, mail_id: IZ2BVYo2XX6y, Hits: 4.073, size: 1983, queued_as: 990AF434DE, dkim_sd=default:S-domain.com, 4472 ms
Apr 26 22:04:45 gateway postfix/lmtp[20588]: 1D0794092C: to=recipi...@r-domain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=0.26/0/0.01/4.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 990AF434DE)
Apr 26 22:04:52 gateway postfix/smtp[22137]: 990AF434DE: to=recipi...@r-domain.com, relay=mail.R-domain.com[R-domain.com-ip]:25, delay=6.8, delays=0/0/0.45/6.3, dsn=5.7.1, status=bounced (host mail.R-domain.com[R-domain.com-ip] said: 550 5.7.1 Message rejected as spam by Content Filtering. (in reply to end of DATA command))
Apr 26 22:04:52 gateway postfix/bounce[22582]: 990AF434DE: sender non-delivery notification: 66BD24351D
Apr 26 22:04:52 gateway postfix/qmgr[2420]: 990AF434DE: removed

Thank you.
Marius.
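
The correlation the post describes (queue ID, amavis client IP, SMTP return code), sketched in awk as an added example that is not part of the original post. It assumes the first "[addr]:port" on the amavis line is the client the gateway received the message from; the function names and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: join amavis "queued_as" lines to postfix/smtp bounces by queue ID.
# Output, one line per bounced delivery: <queue-id> <client-ip> <dsn>
bounce_sources() {
    awk '
    # amavis: remember the client IP under the re-injected queue ID
    /amavis\[/ && /queued_as: / {
        ip = ""; qid = ""
        if (match($0, /\[[^ ]+\]:[0-9]+/)) {      # first "[addr]:port" (assumed client)
            ip = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/\]:[0-9]+$/, "", ip)
        }
        if (match($0, /queued_as: [0-9A-Za-z]+/))
            qid = substr($0, RSTART + 11, RLENGTH - 11)
        if (ip != "" && qid != "") src[qid] = ip
        next
    }
    # postfix/smtp: outbound delivery bounced by the next hop
    /postfix\/smtp\[/ && /status=bounced/ {
        if (!match($0, /\]: [0-9A-Za-z]+: to=/)) next
        qid = substr($0, RSTART + 3, RLENGTH - 8)
        dsn = "-"
        if (match($0, /dsn=[0-9.]+/)) dsn = substr($0, RSTART + 4, RLENGTH - 4)
        print qid, ((qid in src) ? src[qid] : "-"), dsn
        next
    }
    # qmgr: message left the queue, drop its entry so memory stays bounded
    /postfix\/qmgr\[/ && /: removed$/ {
        if (match($0, /\]: [0-9A-Za-z]+: removed$/))
            delete src[substr($0, RSTART + 3, RLENGTH - 12)]
    }
    ' "$@"
}

# Constructed sample log (documentation addresses), shaped like the lines in the post
sample_log() {
    cat <<'EOF'
Apr 26 22:04:45 gateway amavis[20536]: (20536-10) Passed CLEAN {RelayedInbound}, [192.0.2.10]:35086 [192.0.2.10] <a@s.example> -> <b@r.example>, Queue-ID: 1D0794092C, Hits: 4.073, queued_as: 990AF434DE, 4472 ms
Apr 26 22:04:46 gateway amavis[20536]: (20536-11) Passed CLEAN {RelayedInbound}, [198.51.100.7]:41000 [198.51.100.7] <c@t.example> -> <b@r.example>, Queue-ID: 2E18A5103D, Hits: 1.2, queued_as: A01BC545EF, 900 ms
Apr 26 22:04:52 gateway postfix/smtp[22137]: 990AF434DE: to=<b@r.example>, relay=mail.r.example[203.0.113.5]:25, delay=6.8, dsn=5.7.1, status=bounced (host mail.r.example[203.0.113.5] said: 550 5.7.1 Message rejected as spam by Content Filtering. (in reply to end of DATA command))
Apr 26 22:04:52 gateway postfix/qmgr[2420]: 990AF434DE: removed
Apr 26 22:04:53 gateway postfix/smtp[22138]: A01BC545EF: to=<b@r.example>, relay=mail.r.example[203.0.113.5]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 26 22:04:53 gateway postfix/qmgr[2420]: A01BC545EF: removed
EOF
}

sample_log | bounce_sources    # prints: 990AF434DE 192.0.2.10 5.7.1
```

The function reads standard input or file arguments, and the table only holds messages that are still in the queue, which is what keeps it small on a busy gateway.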