Mail server including ISP address for authenticated senders

Hello,

My understanding is that for authenticated email users, the IP of their ISP should not be included in the headers of emails that they send; however, this is not the behavior that we are experiencing.

Sometimes users who have a dynamic public IP from their ISP are randomly assigned IPs that have previously been placed on spam lists. Presumably this is due to the IP being previously assigned to another network that was producing spam. (For the sake of discussion let's assume the previous IP lease holder was the innocent victim of a spambot.) Also, many users are not able to obtain static public IPs, particularly if they are in a home or internet cafe environment.

If the public IP of authenticated users is not included in outgoing headers, then they will not be unfairly (and unpredictably) penalized by having their legitimate email tagged as spam.

We see that this is not the case for our Virtualmin system. With our system, the public IP is included in the mail header despite the user being authenticated to our host. Is there a way to correct this problem without too much trouble?

Thank you very much,

-Bob McLaughlin

Status: Closed (fixed)

Comments

I don't know the specifics about what the "right" behavior is here (maybe Jamie has some input on all that).

However, what I've seen a lot of folks doing to solve the issue you're describing is to add this to the Postfix config file (/etc/postfix/main.cf):

smtpd_sasl_authenticated_header = yes

And then restart Postfix (/etc/init.d/postfix restart).

What that does is add an "Authenticated" flag to the received headers, which anti-spam software (such as SpamAssassin) should take into consideration when processing email.

I'm pretty sure that including the originating IP is common, and shouldn't cause email to be classified as spam.

Tools like SpamAssassin that look at these headers usually just check the IP that they received the message from, which will be your Virtualmin server. IPs prior to that in the chain of received headers don't matter.

You could verify this by looking at the X-Spam headers of an email sent via your Virtualmin system and received by another server, to see if a SpamAssassin rule for an RBL was triggered.

Thanks everyone. The above suggestions helped, but were not complete. I am adding what I found in the interest of helping the community...

Adding the parameter "smtpd_sasl_authenticated_header = yes" did not solve the problem, at least not by itself.

The other piece that was needed was to add a filter using the Postfix header_checks feature (google it for many helpful examples), which I used to remove the header in question.

One thing that is a pain is that there is no way using header_checks to tell incoming mail from outgoing mail. A proper solution would be to create a separate process for incoming and outgoing mail and apply the filter to only one of those, but seeing as I have only a limited number of domains on the box, I was able to set up nested regular expressions to meet my needs.

Said regular expressions use the info provided by "smtpd_sasl_authenticated_header = yes" to figure out which header to strip, which is why others have seen this in other solutions.

Again thanks everyone for your help and I hope if others see this it will help point them in the right direction.

-Bob
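
Added example, not Bob's actual filter or any code from this thread: a Python approximation of the header_checks match described above, which keys on the "(Authenticated sender: ...)" comment that smtpd_sasl_authenticated_header = yes adds and drops only the Received header written by the local relay. The hostname MY_HOST, the function names and both sample messages are constructed assumptions.

```python
import re

# Assumption: the hostname this relay writes in the "by" clause of its Received headers.
MY_HOST = "mail.example.com"

# Matches only the Received header this relay adds for a SASL-authenticated
# client: the "(Authenticated sender: ...)" comment must be followed directly by
# our own "by" clause, so headers added by other servers are left alone.
# In a Postfix header_checks table such a pattern is paired with the IGNORE action.
STRIP = re.compile(
    r"^Received:\s+from\s.*\(Authenticated sender:[^)]*\)\s+by\s+"
    + re.escape(MY_HOST) + r"\s",
    re.IGNORECASE | re.DOTALL,
)

def logical_headers(block):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers

def filter_headers(block):
    """Return the headers that survive; a matching header is dropped."""
    return [h for h in logical_headers(block) if not STRIP.search(h)]

# Constructed sample: submission from an authenticated user on a dynamic IP.
OUTBOUND = (
    "Received: from [192.168.1.20] (unknown [203.0.113.45])\n"
    "\t(Authenticated sender: bob@example.com)\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 4F1A2B3C\n"
    "\tfor <alice@example.net>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)\n"
    "From: bob@example.com\n"
    "Subject: hello\n"
)
# Constructed sample: inbound mail whose sender authenticated to another server.
INBOUND = (
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    "\tby mail.example.com (Postfix) with ESMTP id 5D6E7F80\n"
    "\tfor <bob@example.com>; Mon, 1 Jan 2024 11:00:00 +0000 (UTC)\n"
    "Received: from laptop (unknown [192.0.2.99])\n"
    "\t(Authenticated sender: carol@example.org)\n"
    "\tby mx.example.org (Postfix) with ESMTPSA id 6A7B8C9D\n"
    "\tfor <bob@example.com>; Mon, 1 Jan 2024 10:59:58 +0000 (UTC)\n"
    "From: carol@example.org\n"
)
```

Postfix still records the client IP and SASL username in its mail log, so dropping the header does not remove the server-side record needed to trace abuse from a compromised account.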

Ok, thanks for the information! I am still a little surprised that this is needed though...

Automatically closed -- issue fixed for 2 weeks with no activity.