search

simple-login / app

The SimpleLogin back-end and web app
https://simplelogin.io
GNU Affero General Public License v3.0
4.9k stars 412 forks source link

SpamAssasin returns RCVD_ILLEGAL_IP when sending e-mails through simplelogin.io #44

Closed jarylc closed 4 years ago

jarylc commented 4 years ago

Likely because of this line in the source

Received: from [240.0.0.3] (unknown [240.0.0.3]) by mx1.simplelogin.co (Postfix) with ESMTP id 24C385C1F7

nguyenkims commented 4 years ago

Hi can you give more info about your setup please?

240.0.0.3 is from the SimpleLogin docker container network (which is 240.0.0.0/24).

jarylc commented 4 years ago

I've done 2 test e-mails on mail-tester.com today (it did not trigger the flag when I tested yesterday).

I'm not entirely sure what causes Spam Assassin to flag for RCVD_ILLEGAL_IP, but looking at the description and the source so far, the only IP that I could think it might be flagging is [240.0.0.3] (unknown [240.0.0.3]) (see the source below).

Unless it's Google's ipv6 address IPv6:2a00:1450:4864:20::131 which I think it's unlikely. Or this one 2002:ac2:5e9b:: (see the source below).

Here's the Spam Assassin response.

Here's the latest source for one of them with some content snipped out:

Received: by mail-tester.com (Postfix, from userid 500)
    id 5F473A4979; Thu, 23 Jan 2020 12:10:40 +0100 (CET)
Authentication-Results: mail-tester.com;
    dkim=pass (1024-bit key; unprotected) header.d=simplelogin.co header.i=@simplelogin.co header.b=F1GVCCb0;
    dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level: *
X-Spam-Status: No/1.1/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
    DKIM_VALID_EF=-0.1,HTML_MESSAGE=0.001,RCVD_ILLEGAL_IP=1.3,
    SPF_PASS=-0.001,URIBL_BLOCKED=0.001
X-Spam-Last-External-IP: 94.237.86.150
X-Spam-Last-External-HELO: mx1.simplelogin.co
X-Spam-Last-External-rDNS: mx1.simplelogin.co
X-Spam-Date-of-Scan: Thu, 23 Jan 2020 12:10:40 +0100
X-Spam-Report: 
    *  1.3 RCVD_ILLEGAL_IP Received: contains illegal IP address
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
    *      envelope-from domain
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    *      blocked.  See
    *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: simplelogin.co]
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=94.237.86.150; helo=mx1.simplelogin.co; envelope-from=---snip alias address---; receiver=--- snip id ---@mail-tester.com 
DMARC-Filter: OpenDMARC Filter v1.3.1 mail-tester.com ADAB19FC76
Authentication-Results: mail-tester.com; dmarc=pass header.from=simplelogin.co
Authentication-Results: mail-tester.com;
    dkim=pass (1024-bit key; unprotected) header.d=simplelogin.co header.i=@simplelogin.co header.b=F1GVCCb0;
    dkim-atps=neutral
Received: from mx1.simplelogin.co (mx1.simplelogin.co [94.237.86.150])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail-tester.com (Postfix) with ESMTPS id ADAB19FC76
    for <--- snip id ---@mail-tester.com>; Thu, 23 Jan 2020 12:10:38 +0100 (CET)
Received: from [240.0.0.3] (unknown [240.0.0.3])
    by mx1.simplelogin.co (Postfix) with ESMTP id 278845C10D
    for <--- snip id ---@mail-tester.com>; Thu, 23 Jan 2020 11:10:38 +0000 (UTC)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com
 [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher
 TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested)   by
 mx1.simplelogin.co (Postfix) with ESMTPS id E87A75C10B for
 <--- snip reverse alias email --->; Thu, 23 Jan 2020 11:10:37
 +0000 (UTC)
Received: by mail-lf1-x131.google.com with SMTP id b15so1988943lfc.4       
 for <--- snip reverse alias email --->; Thu, 23 Jan 2020 03:10:37
 -0800 (PST)
X-Google-DKIM-Signature: --- snip ---
X-Gm-Message-State: --- snip ---
X-Google-Smtp-Source: --- snip ---
X-Received: by 2002:ac2:5e9b:: with SMTP id b27mr4586538lfq.184.1579777836925;
 Thu, 23 Jan 2020 03:10:36 -0800 (PST)
MIME-Version: 1.0
References:
 <---snip---@mail.gmail.com>
In-Reply-To:
 <---snip---@mail.gmail.com>
From: ---snip alias---@simplelogin.co
Date: Thu, 23 Jan 2020 19:10:24 +0800
Message-ID:
 <---snip---@mail.gmail.com>
Subject: ---snip subject---
To: ---snip id---@mail-tester.com
Content-Type: multipart/alternative; boundary="000000000000cb4589059cccb0cf"
List-Unsubscribe: <https://app.simplelogin.io/dashboard/unsubscribe/1679>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: ---snip---

--000000000000cb4589059cccb0cf
Content-Type: text/plain; charset="UTF-8"

---snip e-mail contents---

On Thu, 23 Jan 2020, 18:18 Jaryl, <---snip e-mail---> wrote:

---snip e-mail contents---

--000000000000cb4589059cccb0cf
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

---snip e-mail contents---

--000000000000cb4589059cccb0cf--
jarylc commented 4 years ago

Looking at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6923#c1

(of course addresses above 224.x.x.x remain illegal)

Likely it's because the Docker IP address is in 240.0.0.0/24 range which is probably triggers the 224.0.0.0/4 range of Spam Assassin.

Might be fixed if you set up the Docker network to use another range of IPs.

nguyenkims commented 4 years ago

@jarylc Thanks a lot for the details! SpamAssasin does not like 240.0.0.0 indeed ... We just replaced the Docker network by 10.0.0.0 which is more conventional but also has more risks of conflict with existing networks ...

Now the mail-tester score is back to 10 :).

jarylc commented 4 years ago

Awesome, just did another test, perfect score indeed.

I think you should consider having a separate server for premium & paying users in the long run. Of course after securing a good revenue stream.

Eventually if popularity grows, I predict there will probably be some black sheeps around that abuse the free service and use your current mail server to post spam causing the IP to get blacklisted in spam databases.

nguyenkims commented 4 years ago

@jarylc Very good point about having separated servers for premium & free plans! I just created https://trello.com/c/1MqpVrEi/23-separate-server-for-free-premium-plan in our roadmap.

luisgepeto commented 3 years ago

Hello I am using the self hosted solution but changing the docker network to 10.0.0.0 does not work, i.e. my emails are no longer being redirected to my email address.

Jan 28 17:52:24 vps643 postfix/smtp[30046]: 1A5E542521: to=myalias@mydomain.com, relay=127.0.0.1[127.0.0.1]:20381, delay=166, delays=0.27/0.01/35/131, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 500 Error: (TimeoutError) [Errno 110] Connection timed out (in reply to end of DATA command)) Jan 28 17:52:24 vps643 postfix/cleanup[30074]: AD41542CA9: message-id=20210128175224.AD41542CA9@app.mydomain.com Jan 28 17:52:24 vps643 postfix/qmgr[30024]: AD41542CA9: from=<>, size=4774, nrcpt=1 (queue active) Jan 28 17:52:24 vps643 postfix/bounce[30072]: 1A5E542521: sender non-delivery notification: AD41542CA9 Jan 28 17:52:24 vps643 postfix/qmgr[30024]: 1A5E542521: removed Jan 28 17:52:24 vps643 postfix/smtp[30046]: connect to gmail-smtp-in.l.google.com[2a00:1450:4010:c03::1b]:25: Network is unreachable Jan 28 17:52:25 vps643 postfix/smtp[30046]: AD41542CA9: to=myrealaddress@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.220.27]:25, delay=0.63, delays=0.1/0.01/0.35/0.17, dsn=2.0.0, status=sent (250 2.0.0 OK DMARC:Quarantine 1611856345 c200si3910149lfd.317 - gsmtp) Jan 28 17:52:25 vps643 postfix/qmgr[30024]: AD41542CA9: removed Jan 28 17:52:59 vps643 postfix/anvil[30037]: statistics: max connection rate 1/60s for (smtp:209.85.167.42) at Jan 28 17:48:02 Jan 28 17:52:59 vps643 postfix/anvil[30037]: statistics: max connection count 1 for (smtp:209.85.167.42) at Jan 28 17:48:02 Jan 28 17:52:59 vps643 postfix/anvil[30037]: statistics: max cache size 1 at Jan 28 17:48:02

I created my docker network by using 

sudo docker network create -d bridge \
    --subnet=10.0.0.0/24 \
    --gateway=10.0.0.1 \
    sl-network

Also in my /etc/postfix/main.cf I updated the line: 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/24

And then ran:

sudo systemctl restart postfix

Is there something I might be missing?