Setting users whitelist above all others

dthompson

I looked but didn't see this in the forum.

I would like to know if there is a way to change the order of how incoming emails are processed. I'd like to have the users' whitelists set to be looked up first before all others.

Right now, if a user whitelists someone@domain.net, but for some reason that domain.net or even the address itself gets flagged with some spam, that email either gets rejected or moved to quarantine, which is counterproductive.

Is there any way to change the order of email processing incoming so that it could be as follows:

users whitelist
global whitelist
whitelists
users blacklists
blacklists
DNSBL
....


Right now I get questioned as to why an email address that an end user whitelisted is still getting rejected or moved to quarantine.
Any way to do this?
 
No, not really; the user white/blacklists are only taken into consideration when encountering a rule which could move the mail into the quarantine.
 
Check the mail logs (e.g. via tracking center or /var/log/mail.log) and check your rule system. You can ofc post them here and we can also check if we can see anything.
 
Here are the log files for a particular one:

Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: SA score=0/5 time=0.779 bayes=0.00 autolearn=ham autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),HTML_MESSAGE(0.001),KAM_HUGEIMGSRC(0.2),KAM_REALLYHUGEIMGSRC(0.5),MAILING_LIST_MULTI(-1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01)
Mar  9 10:07:45 swarmx1 postfix/smtpd[423402]: connect from localhost[127.0.0.1]
Mar  9 10:07:45 swarmx1 postfix/smtpd[423402]: 740562A0087: client=localhost[127.0.0.1]
Mar  9 10:07:45 swarmx1 postfix/cleanup[423072]: 740562A0087: message-id=<20210309150745.740562A0087@swarmx1.mailhive.ca>
Mar  9 10:07:45 swarmx1 postfix/qmgr[540]: 740562A0087: from=<postmaster@swarmx1.mailhive.ca>, size=2068, nrcpt=1 (queue active)
Mar  9 10:07:45 swarmx1 postfix/smtpd[423402]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: notify <support@mailhive.ca> (rule: Block Spam, 740562A0087)
Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: moved mail for <stephen@domain.com> to spam quarantine - 26117F60478F41755A9 (rule: Block Spam)
Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: processing time: 0.898 seconds (0.779, 0.085, 0)
Mar  9 10:07:45 swarmx1 postfix/lmtp[423073]: DC6BB2A005B: to=<stephen@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=23, delays=22/0/0/0.9, dsn=2.5.0, status=sent (250 2.5.0 OK (26045060478F408EE56))
Mar  9 10:07:45 swarmx1 postfix/qmgr[540]: DC6BB2A005B: removed
Mar  9 10:07:45 swarmx1 postfix/smtp[422342]: Trusted TLS connection established to 192.168.11.220[192.168.11.220]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  9 10:07:45 swarmx1 postfix/smtp[422342]: 740562A0087: to=<support@mailhive.ca>, relay=192.168.11.220[192.168.11.220]:25, delay=0.05, delays=0.01/0/0.03/0.01, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Mar  9 10:07:45 swarmx1 postfix/qmgr[540]: 740562A0087: removed

Here are the spam results that it flagged it as:
Spam detection results:  0
BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
HTML_MESSAGE            0.001 HTML included in message
KAM_HUGEIMGSRC            0.2 Message contains many image tags with huge http urls
KAM_REALLYHUGEIMGSRC      0.5 Spam with image tags with ridiculously huge http urls
MAILING_LIST_MULTI         -1 Multiple indicators imply a widely-seen list manager
RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
SPF_PASS               -0.001 SPF: sender matches SPF record
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML

This incoming email address has been whitelisted in the global whitelist, the who objects whitelist and the users personal whitelist.
This is still getting flagged and sent to the quarantine.

What other log files can I look at to get this resolved?
Appreciate the help!
 
can you post a screenshot of your rulesystem (incl rules + objects)?
 
[Attachment: Screen Shot 2021-03-11 at 9.23.45 AM.png]
 
OK, so the info that's missing is which objects the rule has that is listed in the above mail log:

Mar 9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: moved mail for <stephen@domain.com> to spam quarantine - 26117F60478F41755A9 (rule: Block Spam)

the user white/blacklist only modifies the spam score on a 'spam level' what object and basically either ignores the spaminfo (if the sender is in the whitelist) or adds 100 spamscore if in the user's blacklist

in any case this would be visible in the syslog with a message like 'foo: sender in user (bar@mail.com) blacklist'

so my guess is that the 'block spam' rule does not take the spam level into account
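
One way to run the check described in the last reply over a mail log, as an added example that is not part of the thread and not Proxmox code: it follows one pmg-smtp-filter ID and reports a quarantine that happened below the spam threshold with no user-list message. The `sender in user (...)` pattern is assumed from the reply's wording, and reading the second number in `SA score=0/5` as the threshold is also an assumption.

```python
import re

# Patterns follow the pmg-smtp-filter lines posted in this thread.
FILTER = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<msg>.*)")
# Assumption: the number after the slash is the configured spam threshold.
SCORE = re.compile(r"SA score=(?P<score>-?\d+(?:\.\d+)?)/(?P<level>\d+(?:\.\d+)?)")
ACTION = re.compile(r"moved mail for <(?P<rcpt>[^>]+)> to (?P<target>[\w ]+?) - \S+ \(rule: (?P<rule>[^)]+)\)")
# Assumption: wording taken from the reply's example; the real format may differ.
USERLIST = re.compile(r"sender in user \((?P<user>[^)]+)\) (?P<kind>whitelist|blacklist)")

def trace(lines, msg_id):
    """Collect score, quarantine actions and user-list hits for one filter ID."""
    info = {"score": None, "level": None, "actions": [], "userlist": []}
    for line in lines:
        m = FILTER.search(line)
        if not m or m["id"] != msg_id:
            continue  # postfix lines and other messages are skipped
        msg = m["msg"]
        if (s := SCORE.search(msg)):
            info["score"], info["level"] = float(s["score"]), float(s["level"])
        if (a := ACTION.search(msg)):
            info["actions"].append((a["rcpt"], a["target"], a["rule"]))
        if (u := USERLIST.search(msg)):
            info["userlist"].append((u["user"], u["kind"]))
    return info

def diagnose(info):
    """Flag quarantines that a user whitelist could not have influenced."""
    findings = []
    for rcpt, target, rule in info["actions"]:
        below = info["score"] is not None and info["score"] < info["level"]
        if below and not info["userlist"]:
            findings.append(
                f"{rcpt}: rule '{rule}' sent mail to {target} at score "
                f"{info['score']:g}/{info['level']:g} with no user-list hit; "
                "the rule likely matches something other than spam level"
            )
    return findings

# Sample lines abridged from the log posted above (hits list shortened).
SAMPLE = [
    "Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: SA score=0/5 time=0.779 bayes=0.00 hits=BAYES_00(-1.9)",
    "Mar  9 10:07:45 swarmx1 postfix/qmgr[540]: 740562A0087: removed",
    "Mar  9 10:07:45 swarmx1 pmg-smtp-filter[423550]: 26045060478F408EE56: moved mail for <stephen@domain.com> to spam quarantine - 26117F60478F41755A9 (rule: Block Spam)",
]

if __name__ == "__main__":
    for finding in diagnose(trace(SAMPLE, "26045060478F408EE56")):
        print(finding)
```

An empty result for a quarantined mail means either the score was at or above the threshold or a user-list line was logged, so the rule's objects are the next thing to inspect.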
 
