
Resolved "message content rejected" + outbound.protection.outlook.com + google.com

tetrahall

Hello,

I am using CentOS Linux 7.6.1810 + Plesk Onyx 17.8.11. Since I started using postfix with header_checks and body_checks, many emails sent by members have been rejected. I am not using anti-virus or spam filters, and no SpamAssassin.

Samples from var/log/maillog are mentioned below. Please note the following:-
Most of them come from "outbound.protection.outlook.com" with various IP addresses.
Some from "google.com"
Only a couple from other sources - legitimate ones.

Header_checks + body_checks have normal filters, like all the boobs and googlegroups and things like "russian teen", etc.

How can I solve this problem, please?

And if I whitelist "outlook.com" and "googles.com" in the "Server-Wide Mail Settings", would that resolve the issue?

And if so, then if a spammer sends "boobs" from outlook.com, would the filters in body_checks and header_checks be ignored?

Thank you in advance!

Samples from maillog:-

reject: body

Jul 11 02:53:25 my_Sserver postfix/cleanup[366]: 200B942B0D: reject: body vlxQvCt02SPg7I+HMKg7Wmj9kGkWQXO5nIELOdJthzP5BZHRfoRmsExVrxCKpepQODMmoHDSw1bd from mail-oln040092066092.outbound.protection.outlook.com[40.92.66.92]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<EUR01-VE1-obe.outbound.protection.outlook.com>: 5.7.1 message content rejected

Jul 10 19:46:29 my_Sserver postfix/cleanup[11926]: 6CB6F4281A: reject: body Xdvt+RPwmd+W8Av4esEXjRg4UIaRKJj4U0HswShwuR9U4TKMDAyUYXKvNKFvithzMzKKhiwR+Q5f from mail-vs1-f53.google.com[209.85.217.53]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-vs1-f53.google.com>: 5.7.1 message content rejected

reject:header

Jul 11 11:29:09 my_Sserver postfix/cleanup[29260]: 9D4D8427BD: reject: header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;? s=selector1;? h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;? bh=7euSk+Zw/cMjRBmwFHfrjNinUh from mail-oln040092071105.outbound.protection.outlook.com[40.92.71.105]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<EUR03-DB5-obe.outbound.protection.outlook.com>: 5.7.1 message content rejected

Jul 11 10:16:37 my_Sserver postfix/cleanup[30386]: C1E134272C: reject: header DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;? d=gmail.com; s=20161025;? h=to:from:date:message-id:in-reply-to:references:subject:mime-version? :content-transfer-encoding from mail-io1-f43.google.com[209.85.166.43]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-io1-f43.google.com>: 5.7.1 message content rejected
 
Well, quite obviously those mails were rejected by your body_checks and header_checks filters. Your filters appear to be too strict.
You see the matching filter in the reject message. Search your filters for that string and remove it.
If unsure, post the contents of your filter (to pastebin or similar, as the filters probably contain words that are not allowed in this forum here)
 
Thank you Monty. The two files are listed below. I have removed all the boobs etc. But they are definitely not the cause of the rejection.

The numbers in the filters are telephone numbers of spammers abroad.

header_checks

/free mortgage quote/ REJECT
/repair your credit/ REJECT
/name ?="?.*\.(bat|com|dll|exe|hta|pif|vbs)"?/ REJECT
/Senior Citizen Representative/ REJECT
/[email protected]/ REJECT
/googlegroups.com/ REJECT
/http:\/\/some_domain.com/ REJECT
/The Certain High Club/ REJECT
/newsletter/ REJECT
/List-Unsubscribe/ REJECT


body_checks

/free mortgage quote/ REJECT
/repair your credit/ REJECT
/russian/ REJECT
/russia/ REJECT
/0020237800693/ REJECT
/0020237800583/ REJECT
/0020237800573/ REJECT
/0020235866323/ REJECT
/00201100083425/ REJECT
/00201069874009/ REJECT
/00201027731551/ REJECT
/0020226360125/ REJECT
/[email protected]/ REJECT
/training@some_domain.com/ REJECT
/http:\/\/links.e.some_domain.com/ REJECT
 
Well, your filters look OK.
Can you post your main.cf config?
Also, maybe also post your complete body_checks and header_checks file to pastebin, maybe there is something weird in the file
 
Thanks. I will do pastebin shortly and let you know when it's done (never used it before).

The file main.cf is too large for Plesk to accept (more than 10000 characters). Have tried to upload it but it won't accept extensions cf + txt or even without extension. So I removed all the commented lines. It is as follows:-

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = localhost.$mydomain, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

sample_directory = /usr/share/doc/postfix-2.10.1/samples

readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks =
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:30
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 1536000
mailbox_size_limit = 0
virtual_mailbox_limit = 0
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks
 
Sorry to bother you with this extra point: I have just noticed that /var/log/maillog is empty.

Have tried to restart server, to no avail.

I restarted syslog + postfix services:
service syslog restart
service postfix restart

Then maillog is filled with entries dated June 28! Nothing is added after that.

Is there a way to get postfix to log mail activities again, please?
 
OK, still nothing very unusual to see.

I suggest you do the following:
  1. Backup your /etc/postfix/main.cf
  2. Comment the two lines header_checks = and body_checks =
  3. Run "plesk repair mail"
  4. Re-add the 2 commented lines again and do "postfix reload"
  5. If mails are still rejected I suggest you empty the files header_checks and body_checks and add your rules one by one (and perform "postfix reload" after each modification) until you find the rules that cause the mails to be rejected
Regarding the logs: Check your syslog configuration, you should have a line in there similar to:
Code:
mail.*                                                  -/var/log/maillog

Could be that your syslog is logging the "mail" facility to a different file....

One last question: Your server does have the correct time, right?
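
An added example, not part of the thread or of Postfix: a small Python emulation of how a `pcre:` table is evaluated (case-insensitive by default, unanchored, first match wins), which finds the rule that fires on a logged line without the one-by-one reloads of step 5. The rule subsets come from the files posted in this thread; `load_rules`, `first_match` and both sample inputs are constructed for illustration.

```python
import re

# Rules copied from the header_checks / body_checks files posted in this thread.
HEADER_CHECKS = """/free mortgage quote/ REJECT
/googlegroups.com/ REJECT
/newsletter/ REJECT
/List-Unsubscribe/ REJECT
"""
BODY_CHECKS = """/repair your credit/ REJECT
/russia/ REJECT
/0020237800693/ REJECT
"""
# Constructed inputs (not taken from the thread's logs).
DKIM_SAMPLE = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
               "s=sel1; h=from:to:subject:date:list-unsubscribe; bh=AAAA")
B64_SAMPLE = "Zm9vYmFyRusSia0xMjM0NTY3ODkwYWJjZGVm"  # one line of an encoded attachment

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S.*)$")

def load_rules(text):
    """Parse '/pattern/flags ACTION' lines; skip blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        # Postfix pcre tables ignore case by default; an 'i' flag toggles that off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((lineno, m["pat"], re.compile(m["pat"], flags), m["action"]))
    return rules

def first_match(rules, line):
    """Return (lineno, pattern, action) of the first rule that fires, else None."""
    for lineno, pat, rx, action in rules:
        if rx.search(line):  # unanchored: a hit anywhere in the line counts
            return lineno, pat, action
    return None

if __name__ == "__main__":
    # The header rule fires on the signed-header list, the body rule on base64 text.
    print(first_match(load_rules(HEADER_CHECKS), DKIM_SAMPLE))
    print(first_match(load_rules(BODY_CHECKS), B64_SAMPLE))
```

On the server itself, `postmap -q "<line from the reject message>" pcre:/etc/postfix/header_checks` performs the same lookup with Postfix's own matcher.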
 
Monty, I am grateful for your responses. I will follow the 5 steps as per your suggestion.

The server has the correct time. I am now more concerned about maillog being empty than the main issue because it is needed to check things.

The file /etc/rsyslog.conf contains the lines:
Code:
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

And in /etc/rsyslog.d/listen.conf
Code:
$SystemLogSocketName /run/systemd/journal/syslog

I tried a few steps to get maillog to work again, none actually worked:-
1. restarted server
2. installed qmail (postfix removed)
3. restarted the server
4. postfix installed (qmail removed)
5. plesk repair mail -y

None has made a difference.

Plesk repair mail reported no errors:
Code:
Repairing the mail server configuration
    Reconfiguring all domains and mailboxes ......................... [OK]
Error messages: 0; Warnings: 0; Errors resolved: 0

I had qmail installed prior to all this. Then I started using postfix. The strange thing is that now when I restart syslog service, the maillog is populated with 20000 entries dated June 28 and they all belong to qmail; lines like this:

Jun 28 23:03:15 servername qmail: 1561759395.468020 new msg 665508

I honestly cannot think of anything else to try. Is it worth rebuilding the server from scratch?
 
Not sure what's going on on your server, sounds quite weird to me. As a last resort you could try "plesk repair all".
And if nothing helps you could still contact Plesk support and let them have a look at your server.
 
Hi Monty,
Sorry about the delay, it has been hectic trying all sorts.

"Plesk repair all" didn't find errors (STRANGE!)

Plesk support must be done through our slow_uncooperative webhost. Their advice is that it might be quicker to re-build the server than get a response from Plesk. It would take around 8 hours to complete the re-building task.

It occurred to me then that the logging problem was related to "rsyslog" + "imjournal", because rsyslog restart always populated the maillog with same June 28 entries. On searching Google, I found the following, which partially solved the problem.

.. the only way we were able to get our logging working again, without any rate limiting by journald or IMUXSock, was using the config changes below.

Add the following to /etc/rsyslog.conf after '$ModLoad imuxsock' and '$ModLoad imjournal':

Code:
$IMUXSockRateLimitInterval 0
$IMJournalRatelimitInterval 0

Set the following in /etc/systemd/journald.conf:
Code:
Storage=volatile
Compress=no
RateLimitInterval=0
MaxRetentionSec=5s

Restart journald and rsyslog to pickup the changes with:
Code:
systemctl restart systemd-journald.service
systemctl restart rsyslog.service

CentOS 7 rsyslog DEBUG logs dropped for C/C++ modules

It worked, but the maillog is very unstable. It would increase in size rapidly to around 200 MB, filling entries from June 28 up to today, July 12, then increase slowly, then the same entries would be repeated.

I have decided to re-build the server tomorrow as 4 days have been spent on this.

I consider your suggestion as a resolution of the main problem.
Code:
I suggest you do the following:

    Backup your /etc/postfix/main.cf
    Comment the two lines header_checks = and body_checks =
    Run "plesk repair mail"
    Re-add the 2 commented lines again and do "postfix reload"
    If mails are still rejected I suggest you empty the files header_checks and body_checks and add your rules one by one (and perform "postfix reload" after each modification) until you find the rules that cause the mails to be rejected

I will follow the above steps after rebuilding the server.

Thank you ever so much for your time and effort.

Kind regards
 