Hi all !!
I’ve got a Centos 5.11 public mail server running Virtualmin GPL 4.15. I think there a problem in antispam services.
I’m running spamassassin 3.3.1.
Unfortunately I’m not able to attach to this post my configuration files. How can I do it?

Problem is that some customers report me some emails don’t arrive to their mailbox so I check my log and see that emails is signed as SPAM and deleted.
Seems that spamassassin is too aggressive but I see a problem in autowhitelist files, I don’t know if this issue can create some problems.
All autowhitelist files that are present into homes directories are update at 2012 and a lot of users haven’t this file into its folder, seems to be new users created after 2012.
Also, if I create a new mail, the first sender that write an email to that address receive this error but messagge is deliver correctly to the mailbox:

procmail: Enforcing stricter permissions on “/var/mail/USER_DOMAIN.it”
procmail: Error while writing to “/var/log/procmail.log”

Failed to open /etc/webmin/miniserv.conf : Permission denied at /etc/webmin/virtual-server/lookup-domain.pl line 9.

procmail: Program failure (13) of “/etc/webmin/virtual-server/lookup-domain.pl”
Time:1426869899 From:“SENDER” To:USER@DOMAIN.it User:USER_DOMAIN.it Size:897 Dest:/var/spool/mail/USER_DOMAIN.it Mode:None

554 5.3.0 unknown mailer error 13

I hope this information are enough.
Thanks a lot.

Howdy,

Hmm, how did you initially install Virtualmin? Was it with the install.sh script?

Also, what is the output of this command:

postconf -n

Thanks for reply.

Yes, I installed it with install.sh script.

I’m using sendmail not postfix, this command doesn’t work.

Howdy,

It sounds like there are some permissions problems going on there.

Unfortunately, I’m not too familiar with Sendmail these days, so I’m not quite sure what to tell you regarding how to troubleshoot that.

Is using Postfix an option?

It’s simpler to setup, and easier to get help when things don’t work right

However, if you’re hoping to keep Sendmail – I can offer that in terms of Postfix, I was beginning to wonder if your “mailbox_command” was set incorrectly. On Postfix, it needs to use the procmail-wrapper in order to switch to the correct user during email delivery:

mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

If you’re familiar with Sendmail setup, you may be able to use the above to accomplish a similar setup.

-Eric

This is a public mail server. I prefer to don’t touch configurations too much…

This is my procmail configuration:

LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl --exitcode 73 $LOGNAME
EXITCODE=$?
:0

• ?/usr/bin/test “$EXITCODE” = “73”
  /dev/null
  :0
• ?/usr/bin/test “$VIRTUALMIN” != “”
  {
  INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
  }
  DEFAULT=/var/spool/mail/$LOGNAME
  ORGMAIL=/var/spool/mail/$LOGNAME
  DROPPRIVS=yes
  :0
  $DEFAULT
  :0
• ^X-Spam-Status: Yes
  /dev/null

And this is my sendmail configuration:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(/usr/share/sendmail-cf/m4/cf.m4')dnl VERSIONID(setup for linux’)dnl
OSTYPE(linux')dnl dnl # dnl # Do not advertize sendmail version. dnl # define(confSMTP_LOGIN_MSG’, $j $b')dnl dnl # dnl # default logging level is 9, you might want to set it higher to dnl # debug the configuration dnl # define(confLOG_LEVEL’, 12')dnl dnl # dnl # Uncomment and edit the following line if your outgoing mail needs to dnl # be sent out through an external mail server: dnl # dnl define(SMART_HOST’, smtp.your.provider')dnl dnl # define(confDEF_USER_ID’, ``8:12’’)dnl
dnl define(confAUTO_REBUILD')dnl define(confTO_CONNECT’, 1m')dnl define(confTRY_NULL_MX_LIST’, True')dnl define(confDONT_PROBE_INTERFACES’, True')dnl define(PROCMAIL_MAILER_PATH’, /usr/bin/procmail')dnl define(ALIAS_FILE’, /etc/aliases')dnl define(STATUS_FILE’, /var/log/mail/statistics')dnl define(UUCP_MAILER_MAX’, 2000000')dnl define(confUSERDB_SPEC’, /etc/mail/userdb.db')dnl define(confPRIVACY_FLAGS’, authwarnings,novrfy,noexpn,restrictqrun')dnl dnl # dnl # The following allows relaying if the user authenticates, and disallows dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links dnl # define(confAUTH_OPTIONS’, A')dnl dnl # <added> TRUST_AUTH_MECH(DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
define(confAUTH_MECHANISMS', DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl #
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(confAUTH_MECHANISMS’, EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl # dnl # Rudimentary information on creating certificates for sendmail TLS: dnl # cd /etc/pki/tls/certs; make sendmail.pem dnl # Complete usage: dnl # make -C /etc/pki/tls/certs usage dnl # dnl define(confCACERT_PATH’, /etc/pki/tls/certs')dnl dnl define(confCACERT’, /etc/pki/tls/certs/ca-bundle.crt')dnl dnl define(confSERVER_CERT’, /etc/pki/tls/certs/sendmail.pem')dnl dnl define(confSERVER_KEY’, /etc/pki/tls/certs/sendmail.pem')dnl dnl # dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's dnl # slapd, which requires the file to be readble by group ldap dnl # dnl define(confDONT_BLAME_SENDMAIL’, groupreadablekeyfile')dnl dnl # dnl define(confTO_QUEUEWARN’, 4h')dnl dnl define(confTO_QUEUERETURN’, 5d')dnl dnl define(confQUEUE_LA’, 12')dnl dnl define(confREFUSE_LA’, 18')dnl define(confTO_IDENT’, 0')dnl dnl FEATURE(delay_checks)dnl FEATURE(no_default_msa’, dnl')dnl FEATURE(smrsh’, /usr/sbin/smrsh')dnl FEATURE(mailertable’, hash -o /etc/mail/mailertable.db')dnl FEATURE(virtusertable’, hash -o /etc/mail/virtusertable.db')dnl FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl dnl # dnl # The following limits the number of processes sendmail can fork to accept dnl # incoming messages or process its message queues to 20.) sendmail refuses dnl # to accept connections once it has reached its quota of child processes. dnl # dnl define(confMAX_DAEMON_CHILDREN’, 20')dnl dnl # dnl # Limits the number of new connections per second. This caps the overhead dnl # incurred due to forking new sendmail processes. May be useful against dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address dnl # limit would be useful but is not available as an option at this writing.) dnl # dnl define(confCONNECTION_RATE_THROTTLE’, 3')dnl dnl # dnl # The -t option will retry delivery if e.g. the user runs over his quota. dnl # FEATURE(local_procmail, ‘, procmail -t -Y -a $h -d $u')dnl FEATURE(access_db’, hash -T<TMPF> -o /etc/mail/access.db')dnl FEATURE(blacklist_recipients’)dnl
EXPOSED_USER(root')dnl dnl # dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment dnl # the following 2 definitions and activate below in the MAILER section the dnl # cyrusv2 mailer. dnl # dnl define(confLOCAL_MAILER’, cyrusv2')dnl dnl define(CYRUSV2_MAILER_ARGS’, FILE /var/lib/imap/socket/lmtp')dnl dnl # dnl # The following causes sendmail to only listen on the IPv4 loopback address dnl # 127.0.0.1 and not on any other network devices. Remove the loopback dnl # address restriction to accept email from the internet or intranet. dnl # dnl # dnl # The following causes sendmail to additionally listen to port 587 for dnl # mail from MUAs that authenticate. Roaming users who can't reach their dnl # preferred sendmail daemon due to port 25 being blocked or redirected find dnl # this useful. dnl # dnl DAEMON_OPTIONS(Port=submission, Name=MSA, M=Ea’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can’t
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn’t support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(Port=smtps, Name=TLSMTA, M=s')dnl dnl # dnl # The following causes sendmail to additionally listen on the IPv6 loopback dnl # device. Remove the loopback address restriction listen to the network. dnl # dnl DAEMON_OPTIONS(port=smtp,Addr=::1, Name=MTA-v6, Family=inet6’)dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6') dnl # dnl # We strongly recommend not accepting unresolvable domains if you want to dnl # protect yourself from spam. However, the laptop and users on computers dnl # that do not have 24x7 DNS do need this. dnl # dnl # FEATURE(accept_unresolvable_domains’)dnl
dnl #
dnl #
dnl # Also accept email sent to “localhost.localdomain” as local email.
dnl #
LOCAL_DOMAIN(localhost.localdomain')dnl dnl # dnl # The following example makes mail from this host and any additional dnl # specified domains appear to be sent from mydomain.com dnl # dnl MASQUERADE_AS(mydomain.com’)dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
DAEMON_OPTIONS(Port=smtp, Name=MTA')dnl FEATURE(dnsbl’, cbl.abuseat.org', ‘, "550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server " in http://cbl.abuseat.org/lookup.cgi "') INPUT_MAIL_FILTER(ratelimit-filter’, S=local:/var/run/milter-greylist/milter-greylist.sock') define(confINPUT_MAIL_FILTERS’,ratelimit-filter') define(confMILTER_MACROS_CONNECT’,j, {if_addr}') define(confMILTER_MACROS_HELO’,{verify}, {cert_subject}') define(confMILTER_MACROS_ENVFROM’,i, {auth_authen}') define(confMILTER_MACROS_ENVRCPT’,`{greylist}’)

What do you think about these configurations?
Thanks.

Sorry, I’m really not familiar with Sendmail configuration… if you’d like to use Sendmail, that’s okay, but you’d need to be comfortable setting it up and troubleshooting any issues that come with it.

We definitely recommend Postfix.

Perhaps someone more familiar with Sendmail than myself will see this and respond though

-Eric

Ok thanks. I understand.

But do you think that my problem with auto-whitelist files is caused by Sendmail? Not Spamassassin or something else?

“All autowhitelist files that are present into homes directories are updated at 2012 and a lot of users haven’t this file into its folder, seems to be new users created after 2012.”

This is my spamassassin configuration file:

These values can be overridden by editing ~/.spamassassin/user_prefs.cf

(see spamassassin(1) for details)

These should be safe assumptions and allow for simple visual sifting

without risking lost emails.

required_hits 5
report_safe 0
rewrite_header subject [SPAM]

score RDNS_NONE 1.0
report Attenzione! messaggio di spam o considerato potenzialmente pericoloso.
report Prego controllare il mittente dell’email
report Attention! spam message or considered potentially dangerous.
report Please check the email sender

rbl_timeout 10

use_bayes 1
use_auto_whitelist 1

Thanks again.

Hi.

I resolve issue regarding auto whitelist.
Spamassassin didn’t load AWL module so uncomment this line into configuration file:

loadplugin Mail::SpamAssassin::Plugin::AWL

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_AWL.html

After this old files start to be updated and users that didn’t have this file have got a new one.

Bye !