Authenticated outgoing email is marked as spam by PBL on mailserver

Question

Users are sending email, authenticated, through the submission port on my mailserver (their domain MX record points to mailserver; postfix).

What's been setup

• A record
• MX record (pointing to same mailserver for all domains)
• PTR record resolving to mailserver name
• DKIM: pass
• SPF: pass
• DMARC: pass
• MailScanner with clamd and spamassassin
• SASL authentication (mail headers mention user is authenticated)
• No open relay
• ...

I see that mails are authenticated in the headers.

However I see that spamassassin marks it as spam (it mentions that the IP of the client is on the RBL). When I query spamhaus I see that the client IP (which is dynamic due to mobile ISP). Zenhaus says it's on the PBL, so basically it is marked as spam as a policy based on the client IP.as

Apart from that there's nothing wrong with those emails. The other ISPs don't have this problem and the emails are then delivered properly.

Now on to my questions... :)

• is mail send through submission port supposed to go through Mailscanner (spamassassin + clamd)? I would suppose yes as it would already prevent people from sending spam in the first place (instead of preventing spam email to be delivered). On the other hand a receiving mailserver can't trust what's in the headers so it'll probably check it anyway.
• Is there a way to not mark as spam if only mentioned on the PBL?
• Will releasing the message make it deliverable? Or will it just move the problem? (so the receiving mailserver might check and mark as spam due to the PBL) If it moves the problem it doesn't seem a valid solution to try to bypass the PBL for authenticated users.
• Will a receiving mailserver only check the last header (so the header added by my mail server)? In this case disabling spam check might actually resolve the issue and not move it on to the next machine).
• another thing that comes to mind is removing/modifying the first header so the IP is no longer mentioned. However this seems like a bad practice.
• What's the proper/appropriate way to handle this?

For clarity: the mails are received on the smtp server that the users have configured on their laptop/mobile and put in the postfix queue. So no direct rejection to the clients. Only after mailscanner jumps in and checks the email before sending (in this case marking it as spam and not sending it).

Thanks a lot in advance!

Answer 1

I'm surprised nobody could give some input on this. I've checked on the Postfix-users mailinglist and got some good feedback there from Dominic (Thank you!).

• Usually mail sent through port 25 is being checked with blacklist and antivirus. Mail through the submission port is not(although you still can).
• new connections are checked with for example spamhaus blocklist and their connection dropped before a mail can be put into the queue. Advantage is a directly noticeable reject for the client.
• in my situation I've did the following changes: add zen.spamhaus, ... to smptd_sender_restrictions, then disabled zen and pbl in Mailscanner rules.
• The IP address that would be taken into consideration with another smptd server is the IP you're connecting to it. Not the IP in the header. I think this sounds valid as headers can be faked so they have little value.
• Due to the point above releasing the message makes it deliverable. I have verified and the message gets delivered after I disabled the spamhaus PBL for authenticated users.

I hope this helps out someone else.