@scooke we have traced this down to a nodejs bug apparently with the domain in question.
The upstream issue is at https://github.com/nodejs/node/issues/39397

Good notes to follow up when we look into email in the next release.

IIRC, whitelist setting is a bit dangerous because it allows "spoofed" emails as it pretty much bypasses all the SPF/DMARC/DKIM checks. Meaning, Cloudron does not reject mail if those checks do not pass because there are too many misconfigured mail servers out there. Instead we tag the failures and allow spamassassin to score the rules. whitelisting makes spamassassin bypass the checks altogether.

@d19dotca Ah good point about editing those files. In the next release, I am hoping to make the filemanager be able to edit mail data (so admins can setup sieve rules etc for a mailbox), so this will atleast partly fix that issue.

@eddowding ah, great you managed to figure this out. indeed, cloudflare can only proxy http(s) and not email.

@pintudaso are you a real user or is this some very creative spam 😉 ? apologies if you are a real user but the amount of spam on this forum is crazy.

@jegillikin-0 mm, that shouldn't be the reason. But something for me to ask future users who hit the same problem.

@nj Use this: https://omm.ovh.net/ , very fast and no any data amount limitations.

@msbt yes, thanks for reaching out, will take a look.

@necrevistonnezr True, but imapfilter ( or another workaround ) is here today for you to achieve what you want. Beats waiting for the feature you're asking for which might be available sometime soon, later .... or never.

@d19dotca Okay, that is a bit confusing, but I will only be able to figure it out once I try it.

I appreciate everyone's help and responses.

@timconsidine Also good to point out is if the plan is to just use a personal google account's SMTP settings it will be severely rate limited.

@humptydumpty Yes, correct. Server restart won't fix the issue, have to restart the service explicitly (since it copies over certs).

I end this thread because I now have a more specific one going.

Mystery solved; The server i was hosting Afterlogic on turns out is just too slow. Checking the logs it would always time out, which is 15 seconds.
I ran Afterlogic on a much faster server and now it sends emails just fine.
Thanks all for your efforts to help me, it was much appreciated.

Not 100% sure but are there any files under /home/yellowtent/boxdata/mail/spamd/<mailboxname> ? Those are the per mailbox spamassassin bayes databases. Maybe it's picking up something from there?

@girish WOW that greatly simplifies the process, that's great, still always amazed at how CR makes sysadmin soooo much easier 🙂

@imc67 nevermind, I found it - https://docs.espocrm.com/user-guide/mass-email/#settings

I will move this to feature request. But we haven't really analyzed what work this involves.

Just found the solution here: https://forum.cloudron.io/topic/1279/receive-email/4

The problem was that AWS EC2 instances close port 25 by default. As soon as I opened it in the AWS console, I was able to receive emails.

@girish Hello Girish, any news about this issue? Thank's a lot

@girish said in Anyone else see many connections denied due to "Mail from domain <domain> is not allowed from your host" repeatedly from spammy IPs?:

A bit of a wild guess: mail from is usually <> for bounce mail. So, this seems like some poor denial of service or maybe those IPs know that some mail software misbehaves with such carefully crafted mail.

Ah very interesting, I appreciate that insight. It was definitely strange when I saw it happening - so many requests at once. I'll keep an eye out for it. Sounds like it's all good then as far as Cloudron is concerned. 🙂 Thanks Girish.

@ccfu That's a good point. Probably one for their forum but I think I'd like that too so may help develop.

@d19dotca it's not a problem. Just the natue of any service being exposed to the internet. There a bots, misconfigured services, compromised iot devices doing all sorts of things. Nothing to worry.

Latest round of SpamAssassin rules I'm using, if anyone is interested.

The highlights here are just a couple of things:

A few new sources which come with new rules Slight scoring tweaks on just a few rules

Of course, as they say... YMMV. 😉

# scoring DNSBLs (blocklists & allowlists) score RCVD_IN_BL_SPAMCOP_NET 2.5 score RCVD_IN_DNSWL_HI -5.0 score RCVD_IN_DNSWL_LOW -0.5 score RCVD_IN_DNSWL_MED -2.5 score RCVD_IN_DNSWL_NONE 0.5 score RCVD_IN_GBUDB 4.5 score RCVD_IN_IADB_DK -0.5 score RCVD_IN_IADB_DOPTIN_GT50 -0.5 score RCVD_IN_IADB_DOPTIN_LT50 -0.5 score RCVD_IN_IADB_EDDB -0.5 score RCVD_IN_IADB_EPIA -0.5 score RCVD_IN_IADB_GOODMAIL -0.5 score RCVD_IN_IADB_LISTED -0.5 score RCVD_IN_IADB_LOOSE -0.5 score RCVD_IN_IADB_MI_CPEAR 0 score RCVD_IN_IADB_MI_CPR_30 0 score RCVD_IN_IADB_MI_CPR_MAT 0.0 score RCVD_IN_IADB_NOCONTROL -0.5 score RCVD_IN_IADB_OOO -0.5 score RCVD_IN_IADB_OPTIN -0.5 score RCVD_IN_IADB_OPTIN_GT50 -0.5 score RCVD_IN_IADB_OPTIN_LT50 -0.5 score RCVD_IN_IADB_OPTOUTONLY -0.5 score RCVD_IN_IADB_RDNS -0.5 score RCVD_IN_IADB_SENDERID -0.5 score RCVD_IN_IADB_SPF -0.5 score RCVD_IN_IADB_UNVERIFIED_1 -0.5 score RCVD_IN_IADB_UNVERIFIED_2 -0.5 score RCVD_IN_IADB_UT_CPEAR 0 score RCVD_IN_IADB_UT_CPR_30 0 score RCVD_IN_IADB_UT_CPR_MAT 0 score RCVD_IN_JMF_BL 2.5 score RCVD_IN_MSPIKE_BL 0.0 score RCVD_IN_MSPIKE_H2 0.0 score RCVD_IN_MSPIKE_H3 -0.5 score RCVD_IN_MSPIKE_H4 -2.0 score RCVD_IN_MSPIKE_H5 -3.0 score RCVD_IN_MSPIKE_L2 1.5 score RCVD_IN_MSPIKE_L3 3.5 score RCVD_IN_MSPIKE_L4 4.5 score RCVD_IN_MSPIKE_L5 5.0 score RCVD_IN_MSPIKE_WL 0.0 score RCVD_IN_MSPIKE_ZBI 4.0 score RCVD_IN_PBL 3.5 score RCVD_IN_SBL 3.5 score RCVD_IN_SBL_CSS 3.5 score RCVD_IN_SEM_BACKSCATTER 1.5 score RCVD_IN_SEM_BLACK 3.5 score RCVD_IN_SEM_NET_BLACK 2.5 score RCVD_IN_SORBS_BLOCK 2.5 score RCVD_IN_SORBS_DUL 2.5 score RCVD_IN_SORBS_HTTP 2.5 score RCVD_IN_SORBS_MISC 2.5 score RCVD_IN_SORBS_SMTP 2.5 score RCVD_IN_SORBS_SOCKS 2.5 score RCVD_IN_SORBS_SPAM 2.5 score RCVD_IN_SORBS_WEB 2.5 score RCVD_IN_SORBS_ZOMBIE 2.5 score RCVD_IN_SPAMRATS 2.5 score RCVD_IN_XBL 3.5 score RCVD_IN_ZEN_BLOCKED 0.0 score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0 # scoring URIBLs score URIBL_ABUSE_SURBL 4.0 score URIBL_BLACK 4.5 score URIBL_CR_SURBL 4.0 score URIBL_CSS 2.0 score URIBL_CSS_A 2.0 score URIBL_DBL_ABUSE_BOTCC 3.5 score URIBL_DBL_ABUSE_MALW 3.5 score URIBL_DBL_ABUSE_PHISH 3.5 score URIBL_DBL_ABUSE_REDIR 3.5 score URIBL_DBL_ABUSE_SPAM 3.5 score URIBL_DBL_BLOCKED 0.0 score URIBL_DBL_BLOCKED_OPENDNS 0.0 score URIBL_DBL_BOTNETCC 3.5 score URIBL_DBL_ERROR 3.5 score URIBL_DBL_MALWARE 3.5 score URIBL_DBL_PHISH 3.5 score URIBL_DBL_SPAM 3.5 score URIBL_GREY 1.0 score URIBL_MW_SURBL 4.0 score URIBL_PH_SURBL 4.0 score URIBL_RED 1.5 score URIBL_RHS_DOB 2.0 score URIBL_SBL 2.0 score URIBL_SBL_A 2.0 score URIBL_SEM 3.0 score URIBL_SEM_FRESH30 1.5 score URIBL_WS_SURBL 3.0 score URIBL_ZEN_BLOCKED 0.0 score URIBL_ZEN_BLOCKED_OPENDNS 0.0 # scoring DKIM & SPF score DKIM_INVALID 1.5 score DKIM_SIGNED 0.0 score DKIM_VALID 0.0 score DKIM_VALID_AU 0.0 score DKIM_VALID_EF 0.0 score DKIM_VERIFIED 0.0 score DKIMWL_BL 3.0 score DKIMWL_WL_HIGH -3.5 score DKIMWL_WL_MED -1.5 score DKIMWL_WL_MEDHI -2.5 score FORGED_SPF_HELO 3.0 score SPF_FAIL 1.5 score SPF_HELO_FAIL 1.5 score SPF_HELO_NEUTRAL 1.0 score SPF_HELO_NONE 0.5 score SPF_HELO_PASS 0.0 score SPF_HELO_SOFTFAIL 1.5 score SPF_NEUTRAL 0.5 score SPF_NONE 0.5 score SPF_PASS 0.0 score SPF_SOFTFAIL 1.5 # scoring BAYES score BAYES_00 -3.0 score BAYES_05 -1.5 score BAYES_20 0.5 score BAYES_40 1.5 score BAYES_50 2.0 score BAYES_60 3.0 score BAYES_80 4.0 score BAYES_95 4.5 score BAYES_99 5.0 score BAYES_999 1.5 # scoring HTML score HTML_FONT_LOW_CONTRAST 0.5 score HTML_IMAGE_ONLY_04 1.5 score HTML_IMAGE_ONLY_08 2.0 score HTML_IMAGE_ONLY_12 2.0 score HTML_IMAGE_ONLY_16 2.0 score HTML_IMAGE_ONLY_20 2.0 score HTML_IMAGE_ONLY_24 2.5 score HTML_IMAGE_ONLY_28 2.5 score HTML_IMAGE_ONLY_32 3.0 score HTML_IMAGE_RATIO_02 0.0 score HTML_IMAGE_RATIO_04 0.0 score HTML_IMAGE_RATIO_06 0.0 score HTML_IMAGE_RATIO_08 0.0 score HTML_MESSAGE 0.0 # scoring HEADER & MISSING score HEADER_FROM_DIFFERENT_DOMAINS 0.5 score HEADER_SPAM 2.5 score MISSING_DATE 3.0 score MISSING_FROM 1.5 score MISSING_HB_SEP 0.0 score MISSING_HEADERS 1.5 score MISSING_MID 1.0 score MISSING_MIMEOLE 2.0 score MISSING_SUBJECT 2.0 # scoring FREEMAIL score FORGED_GMAIL_RCVD 2.5 score FORGED_YAHOO_RCVD 2.5 score FREEMAIL_ENVFROM_END_DIGIT 0.5 score FREEMAIL_FORGED_REPLYTO 1.5 score FREEMAIL_FROM 0 score FREEMAIL_REPLY 1.0 score FREEMAIL_REPLYTO 1.0 score FREEMAIL_REPLYTO_END_DIGIT 0.5 score MALFORMED_FREEMAIL 4.0 # additional scoring tweaks score BILLION_DOLLARS 2.0 score BODY_URI_ONLY 1.5 score EMPTY_MESSAGE 1.5 score HELO_DYNAMIC_SPLIT_IP 2.0 score HK_RANDOM_ENVFROM 0.5 score HK_RANDOM_FROM 0.5 score LOTS_OF_MONEY 0.5 score MPART_ALT_DIFF 1.0 score MPART_ALT_DIFF_COUNT 1.5 score NO_DNS_FOR_FROM 0.5 score PDS_TONAME_EQ_TOLOCAL 0.5 score PDS_TONAME_EQ_TOLOCAL_VSHORT 0.5 score RDNS_NONE 1.5 score REPLYTO_WITHOUT_TO_CC 2.5 score UNPARSEABLE_RELAY 0.5 score URI_DQ_UNSUB 2.0 # add GDUB TRUNCATE DNSBL header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.') describe RCVD_IN_GBUDB Listed in truncate.gbudb.net tflags RCVD_IN_GBUDB net # add JMF-Black DNSBL header RCVD_IN_JMF_BL eval:check_rbl('jmf', 'black.junkemailfilter.com.') describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com tflags RCVD_IN_JMF_BL net # add Spamrats DNSBL header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.') describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com tflags RCVD_IN_SPAMRATS net # add SpamEatingMonkey backscatter DNSBL header RCVD_IN_SEM_BACKSCATTER eval:check_rbl('sem', 'backscatter.spameatingmonkey.net') tflags RCVD_IN_SEM_BACKSCATTER net describe RCVD_IN_SEM_BACKSCATTER Received from an IP listed by SEM-BACKSCATTER # add SpamEatingMonkey network blacklist DNSBL header RCVD_IN_SEM_NET_BLACK eval:check_rbl('sem', 'netbl.spameatingmonkey.net') tflags RCVD_IN_SEM_NET_BLACK net describe RCVD_IN_SEM_NET_BLACK Received from an IP listed by SpamEatingMonkeys # add SpamEatingMonkey blacklist DNSBL header RCVD_IN_SEM_BLACK eval:check_rbl('sem', 'bl.spameatingmonkey.net') tflags RCVD_IN_SEM_BLACK net describe RCVD_IN_SEM_BLACK Received from an IP listed by SpamEatingMonkeys # add SpamEatingMonkey URIBL urirhssub URIBL_SEM uribl.spameatingmonkey.net. A 2 body URIBL_SEM eval:check_uridnsbl('URIBL_SEM') describe URIBL_SEM Contains a URI listed by SpamEatingMonkeys tflags URIBL_SEM net # add SpamEatingMonkey fresh domain URIBL urirhssub URIBL_SEM_FRESH30 fresh30.spameatingmonkey.net. A 2 body URIBL_SEM_FRESH30 eval:check_uridnsbl('URIBL_SEM_FRESH30') describe URIBL_SEM_FRESH30 From a domain registered less than 30 days ago tflags URIBL_SEM_FRESH30 net

how embarrassing. You're absolutely right. I was searching after ghosts.

Added a new one to the list.

@tamayers Ah, I understand the use case now. I will move this to Feature Request. It looks easy enough to add since we just need to disable the internal MX check.

Okay... I may be on the side of this working properly again. lol. Maybe I've been wrong this whole time in thinking it wasn't working correctly.

So coincidentally I was checking the mail server logs and saw another example of the same message go through to the same recipient from the same mail server, it was listed in the logs as "just now" so I quickly checked mxtoolbox and found that only 4 at that time had been listed, none of which were ones I was using.

Here is how it looked at the very moment I checked when it was "just now" in the logs:

69bc5a02-12ca-420e-958a-27405c21f7ed-image.png

07b937c4-4840-4c14-887b-7513acc87251-image.png

Edit: Checking about 6 minutes later, I see the blocklists have aleady been updated for more (Spamhaus Zen in this case would have caught it if it were about 5 minutes earlier):

4522d168-dc21-498f-845b-885cfe0a73a1-image.png

So I guess we can probably mark this as resolved, as I now see conclusive evidence that the various blocklists used just didn't have it listed until a few minutes after the message was received. I guess in order for it to adapt so quickly this spam attack on one of my users from those mail servers must be right at the beginning of a spam wave. Kind of neat actually to see how real-time these lists are. haha.

@d19dotca since the email is forwarded , this info is probably lost. One idea is to look into the bounce mail headers. Maybe there is some message I'd or something we can match.

@mdreira said in Lightmeter - Mail server delivery monitoring:

What mail server does Cloudron use? Exim?

This is what Cloudron uses for smpt: https://haraka.github.io/

Nevermind, I did not realize sendgrid setup was only for sending email, I see the other parts to setup for receiving email now. Please disregard.