I have some domains in Virtualmin that are getting all mail from the same domain flagged as spam. I’ve tried some things but I could not stop it from happening.
So please, can anyone tell me, what’s the right way to have all messages from the same domain never be flagged as spam? Like when account1@mydomain.com sends an email to account2@mydomain.com?
BIND is installed and I’m using the default configuration for the domain records, but the system is NOT configured to use local BIND for DNS resolution. And I don’t have PTR/SPF on my main DNS servers.
Could this be the problem? If it is, what would be best? To add PTR/SPF on my default DNS server, or to have the system configured to use local BIND to resolve DNS?
on the /etc/mail/spamassassin/local.cf file. Is this the right file? My other domains were not on the file.
And I’ve noticed something… checking some users’ auto-whitelist I’ve found that they have a positive “score to apply”. Positive score means spam, right? See the list below, it’s only a sample from the auto-whitelist file that has more than 4600 entries.
I also noticed on the auto-whitelist file that there are LOTS of email addresses on the whitelist that don’t exist. For example, the list above is for the user carlos@barrosdecoracoes.com.br. On his auto-whitelist I’ve found:
Following your instructions I was able to prevent emails from the same domain from being marked as spam.
But now that has become a problem. The users on that domain are receiving A LOT of spam, because the spammers use a FROM/TO field with the same domain.
I’m sure the spammer didn’t do any SMTP auth, so my question is, how do I force SMTP auth for everybody? That way I would avoid it, right? All my clients are already configured to use SMTP Auth.
On my SMTP server options I have:
HELO is required: NO
Restrict ETRN command upon…: default
Restrictions on sends in HELO commands: default
Restrictions on sender addresses: default
Restrictions on recipient addresses: permit_mynetworks permit_sasl_authenticated reject_unauth_destination
You could have your users send their outbound mail via the submission port 587 on your server and require auth on that port. This is pretty standard practice.
Inbound mail to your domains comes in on port 25 and cannot possibly use AUTHentication. You could deny mail on that port which is from your domains, but then your users wouldn’t be able to email to each other unless you permit_sasl_authenticated before you check_sender_access.
Good secure and spam-resistant email server configuration requires a great deal of study and oversight. Don’t shortchange it. I expect the Virtualmin defaults with postfix to be a very good starting point. Modify them carefully and only with good understanding.
The TXT record for spf can help, not hurt. If you’re not going to let Virtualmin handle your DNS locally then you can add it through your DNS host provider.
In order for it to help you block inbound spam claiming to be from your domains, you’ll have to configure your email server to use spf validation on incoming mail.
Without local spf checking, it can also help you avoid some out-scatter mail from other hosts who use the spf record to block, rather than bounce, mail which is forged to be from your domains.
I recommend using the spf TXT records for all domains. I do not personally use SPF checking of inbound mail.
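The ordering point from the reply about port 25 (permit_sasl_authenticated before check_sender_access), as an added example that is not part of the original thread: a simplified Python model of how Postfix walks one restriction list, where the first PERMIT or REJECT wins. The main.cf fragments, the sender_access path and the REJECT entry for mydomain.com are constructed assumptions, not the poster's configuration.

```python
# Simplified model of how Postfix walks one restriction list: left to right,
# first PERMIT or REJECT wins, anything else falls through. Not Postfix code.

# Constructed main.cf fragments; mydomain.com is the thread's placeholder domain.
GOOD_ORDER = """
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access
"""
BAD_ORDER = """
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access,
    permit_sasl_authenticated
"""
# Constructed access table (the path above is an assumed file name).
SENDER_ACCESS = {"mydomain.com": "REJECT"}


def parse_restrictions(main_cf, name="smtpd_sender_restrictions"):
    """Return the restriction names listed for one main.cf parameter."""
    value = main_cf.split(name, 1)[1].split("=", 1)[1]
    items = [i.strip() for i in value.replace("\n", " ").split(",")]
    return [i.split()[0] for i in items if i]


def decide(restrictions, sender, authenticated):
    """Evaluate the list for one MAIL FROM; return PERMIT, REJECT or DUNNO."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "PERMIT"
        if rule == "check_sender_access" and SENDER_ACCESS.get(domain) == "REJECT":
            return "REJECT"
    return "DUNNO"  # no match here: later restriction lists decide


def report(main_cf):
    """Outcome of the sender list for three representative sessions."""
    rules = parse_restrictions(main_cf)
    return {
        "local user, authenticated": decide(rules, "account1@mydomain.com", True),
        "forged local sender, no auth": decide(rules, "account1@mydomain.com", False),
        "outside sender, no auth": decide(rules, "someone@example.org", False),
    }


if __name__ == "__main__":
    for label, cfg in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, report(cfg))
```

With the access check listed first, authenticated local users are rejected along with the forgeries. Either ordering also rejects any legitimate unauthenticated mail that carries the domain as envelope sender, such as forwarders or third-party senders.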