On Thu, 8 Nov 2018 at 08:07, Poliman - Serwis <ser...@poliman.pl> wrote:
>
> 2018-11-08 8:49 GMT+01:00 Dominic Raferd <domi...@timedicer.co.uk>:
>
>> On Thu, 8 Nov 2018 at 07:35, Poliman - Serwis <ser...@poliman.pl> wrote:
>>
>>> I have the domain kamir-transport.pl deployed on the server with a DNS
>>> zone where the Google MX servers are configured, like aspmx.l.google.com,
>>> alt1.aspmx.l.google.com (and a few more). Mailboxes are not on my
>>> server; all email things are deployed on Google. Yesterday I saw this
>>> message in the log:
>>>
>>> 9FBE713D05F 1564 Tue Nov 6 06:34:55 webmas...@kamir-transport.pl
>>> (host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0
>>> [54.38.202.128 15] Our system has detected that this message is 421-4.7.0
>>> suspicious due to the nature of the content and/or the links within.
>>> 421-4.7.0 To best protect our users from spam, the message has been
>>> blocked. 421-4.7.0 Please visit 421 4.7.0
>>> https://support.google.com/mail/answer/188131 for more information.
>>> t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))
>>> bi...@kamir-transport.pl
>>>
>>> Honestly, I don't fully understand this log. It looks like the Google
>>> MX says that some message from webmas...@kamir-transport.pl belonging
>>> to IP 54.38.202.128 (what is the 15 after the IP address?) looks
>>> suspicious, although it is sent to another mailbox in the same domain.
>>> But both mailboxes are hosted on Google, so why does the Google MX
>>> mention something about an IP that is not theirs?
>>>
>>> PS
>>> The SPF record configured in the DNS zone looks like Google advises ->
>>> v=spf1 include:_spf.google.com ~all
>>>
>>
>> This is a response from gsmtp (Gmail) saying that the email your server
>> relayed to them looks suspicious (detailed reasons not given) - and so it
>> was temp blocked. I am not sure why gsmtp gives a temp 4xx response; I
>> rewrite them to permanent 5xx to prevent pointless retries. If you are
>> relaying world-sourced mails into your users' Gmail mailboxes then messages
>> of this type are a perennial problem. You might reduce their frequency with
>> improved anti-spam/anti-virus checks.
>>
>
> Hmm, I am relaying emails. In this example, between mailboxes of a specific
> domain which has its MX on Google. I have on the server - amavisd, clamav,
> fail2ban, postgrey, [spf, dkim, dmarc - currently not for each domain
> which has my server as MX]. Could you advise me what exactly I should
> improve? I can provide some configs if needed. I am not sure what I can do
> better.
>
> PS
> What exactly does "If you are relaying world-sourced mails into your
> users' Gmail mailboxes" mean - does my server act as an open relay?
>

I also relay incoming mails into our users' Gmail boxes. It sounds as if you have pretty good mail checking already, so there may be little more you can do in this direction. If you are not already blocking emails based on DMARC (e.g. using opendkim and opendmarc) then that is something to add to your armoury (but don't block on p=quarantine, only on p=reject). Generally these messages from gsmtp indicate that the mail was bad, so you don't have to worry too much - your users haven't missed anything. But if your server relays a large number of such emails it might be blacklisted by Gmail. However, a few 'good' mails can be blocked by Gmail precisely because you are relaying: in particular, ones where the sender domain has a DMARC p=reject policy but legitimate emails therefrom are sent without a DKIM header (relying only on SPF for delivery), or - if there are many recipients - where the sender has a hotmail (or presumably other MS) address. You will have to find workarounds for these edge cases.
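As an added example (not code from anyone in this thread), the Python below parses deferred-queue entries in the `postqueue -p` layout quoted above, pulls the reply code, enhanced status code and the bracketed IP out of Gmail's 421-4.7.0 response, reports such entries as effectively permanent (retries will not change Gmail's verdict, which is the reason for rewriting them to 5xx), and counts blocked recipients per relayed sender so a relay operator can see which upstream source is feeding suspicious mail before the relay's own reputation suffers. The sample queue text, its addresses and the 192.0.2.10 address are constructed; the number after the IP is captured but not interpreted, since the thread does not settle what it means.

```python
import re
from collections import Counter
# Constructed sample in the layout of `postqueue -p`: header line, reason in parentheses, recipients.
SAMPLE_QUEUE = """\
9FBE713D05F     1564 Tue Nov  6 06:34:55  webmaster@example.invalid
(host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [192.0.2.10 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information. t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))
                                         billing@example.invalid

A1B2C3D4E5F6     2048 Tue Nov  6 07:10:02  newsletter@example.invalid
(host alt1.aspmx.l.google.com[74.125.24.26] said: 421-4.7.0 [192.0.2.10 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. - gsmtp (in reply to end of DATA command))
                                         sales@example.invalid
                                         info@example.invalid
"""
HEADER_RE = re.compile(r"^(?P<qid>[0-9A-F]+)\*?\s+(?P<size>\d+)\s+(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")
# Relay host/IP, 3-digit reply code, enhanced status code and Gmail's bracketed "[ip N]" (N is kept, not interpreted).
REASON_RE = re.compile(r"host (?P<relay>\S+?)\[(?P<relay_ip>[\d.]+)\] said: (?P<code>\d{3})[- ](?P<esc>\d\.\d+\.\d+)(?: \[(?P<flagged_ip>[\d.]+) (?P<tag>\d+)\])?")
GMAIL_CONTENT_BLOCK = "suspicious due to the nature of the content"
def parse_queue(text):
    """Split `postqueue -p` output into entries: header fields, reason text and recipient list."""
    entries, current, reason_lines = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(current := dict(m.groupdict(), reason="", recipients=[]))
            reason_lines = []
        elif current is None or not line.strip():
            continue
        elif line.lstrip().startswith("(") or (reason_lines and not current["reason"]):
            reason_lines.append(line.strip())  # the reason may wrap over several lines
            if line.rstrip().endswith(")"):
                current["reason"] = " ".join(reason_lines)[1:-1]
        else:
            current["recipients"].append(line.strip())
    return entries

def classify(entry):
    """Decode the reply; Gmail's 421-4.7.0 content block is worded as temporary but retries never clear it."""
    m = REASON_RE.search(entry["reason"])
    info = m.groupdict() if m else {}
    permanent_code = not info.get("code", "").startswith("4")
    content_block = GMAIL_CONTENT_BLOCK in entry["reason"]
    return {**info, "gmail_content_block": content_block, "effectively_permanent": permanent_code or content_block}

def blocked_by_sender(text):
    """Recipients blocked by Gmail's content filter, per relayed sender: the upstream source to fix first."""
    counts = Counter()
    for entry in parse_queue(text):
        if classify(entry)["gmail_content_block"]:
            counts[entry["sender"]] += len(entry["recipients"])
    return counts
```

Feed it the real output of `postqueue -p` (or the equivalent lines from the mail log) to see which relayed senders are accumulating content blocks.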