Disable spam filtering

NCKNE

Is there a supported way to disable spam filtering completely (or selectively for specific domains)? We are using an external mail gateway for security and compliance reasons (encryption, archiving, etc.) and are facing some issues with the spam filtering at times.

For example, users are unable to send mails to themselves:

Connection from 52.29.x.x denied. Mail from domain 'mydomain.com' is not allowed from your host

Queued mail for delivery to me@mydomain.com from me@mydomain.com

This might not be too common, but we have invoices for example being send out from one account and copied to the same account in CC.

girish

@NCKNE This is not related to the spam filter. Cloudron does not reject mail at connection time (spam classification after mail is completely received). This looks like SPF records are incorrectly setup. Have you setup SPF with the external mail gateway in it?

Otherwise, if you can give some more detailed information, it will help to diagnose the real problem.

NCKNE

@girish Thanks for the offer to look into it further. Here is a more complete log. Further information: SMTP is set up to relay through mailgun.

MX setup:

$ host -t MX plaxon.consulting
plaxon.consulting mail is handled by 10 mx1.eu.mailhop.org.

SPF record:

$ host -t TXT plaxon.consulting
plaxon.consulting descriptive text "v=spf1 a:my.plaxon.consulting include:eu.mailgun.org mx ip4:52.28.30.98/32 ip4:52.29.118.68/32 52.29.142.239/32 ip4:52.29.144.204/32 ip4:52.29.147.143/32 ip4:52.29.152.107/32 ip4:52.29.162.96/32 ip4:52.58.5.29/32 ip4:52.58.7.81/32 ip4:52.58.7.120/32 -all"

MX tries to deliver to my.plaxon.consulting:

[2020-04-20T14:49:29.724Z][queued] [205569173] [script] Source netaddr:2 10.0.23.160 NAT 52.29.144.204 PTR inbound2.eu.delivery1.mailhop.org
[2020-04-20T14:49:29.726Z][queued] [205569173] Delivering message to [my.plaxon.consulting]:25
[2020-04-20T14:49:29.730Z][queued] [205569173] Connecting to [2.56.97.196]:25
[2020-04-20T14:49:29.805Z][queued] [205569173] Connection is now using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
[2020-04-20T14:49:29.928Z][queued] [205569173] [script] INFO [NODE=inbound4.eu, ZONE=eu, REGION=eu-central-1, CFG=eu-central-1.new]
[2020-04-20T14:49:29.928Z][queued] [205569173] Delivery failed to <nr@plaxon.consulting> (retry 0) in 0.202s: SMTP error: 550 Mail from domain 'plaxon.consulting' is not allowed from your host
[2020-04-20T14:49:29.928Z][queued] [205569173] SMTP error is permanent: no more tries
[2020-04-20T14:49:29.929Z][queued] [205569173] Message deleted for <nr@plaxon.consulting> (retry 0, DSN: disabled)
[2020-04-20T14:49:29.929Z][queued] [205569173] [script] Probably spam, skipping DSN
[2020-04-20T14:51:51.465Z][smtpd] Disconnected
[2020-04-20T14:51:51.465Z][smtpd] [SMTP] [bye] 221 2.0.0 Bye
[2020-04-20T14:51:51.465Z][smtpd] [SMTP] [QUIT] QUIT

Message in cloudron logs:

{
  "ts": 1587392976652,
  "type": "denied",
  "direction": "inbound",
  "uuid": "2828FC73-058E-43C3-9C80-A368683DFE31.1",
  "remote": {
    "ip": "52.29.144.204",
    "port": 31796,
    "host": "inbound2.eu.delivery1.mailhop.org",
    "info": "inbound2.eu.delivery1.mailhop.org",
    "closed": false,
    "is_private": false,
    "is_local": false
  },
  "authUser": null,
  "mailFrom": "<bounce+982ce2.49176-nr=plaxon.consulting@plaxon.consulting>",
  "rcptTo": [],
  "details": {
    "relaying": false,
    "pluginName": "rcpt_to.in_host_list",
    "errorCode": 902,
    "message": "Mail from domain 'plaxon.consulting' is not allowed from your host",
    "rejectionCountLastHour": 1
  }
}

This is not critical, but using an extern MX gateway is crucial for us so disabling spam filtering would be a good option for us (and maybe others).

Update: This actually also blocks mails sent from apps as well, basically any incoming mail with the sender domain plaxon.consulting that is being delivered through our external MX.

NCKNE

@girish This behaviour seems to be independent of the external MX. I set the MX record to my cloudron instance and still get the following error with no mail from my own domain coming through:

{
  "ts": 1587410642170,
  "type": "denied",
  "direction": "inbound",
  "uuid": "76F9F049-92EF-4E8C-87CE-1D4F0FA0DF72.1",
  "remote": {
    "ip": "141.193.32.16",
    "port": 38277,
    "host": "m32-16.eu.mailgun.net",
    "info": "m32-16.eu.mailgun.net",
    "closed": false,
    "is_private": false,
    "is_local": false
  },
  "authUser": null,
  "mailFrom": "<bounce+982ce2.49176-nr=plaxon.consulting@plaxon.consulting>",
  "rcptTo": [],
  "details": {
    "relaying": false,
    "pluginName": "rcpt_to.in_host_list",
    "errorCode": 902,
    "message": "Mail from domain 'plaxon.consulting' is not allowed from your host",
    "rejectionCountLastHour": 0
  }
}

When I change the app email address from eg. bitwarden.app@plaxon.consulting to bitwarden.app@plaxon.de (plaxon.de is also enabled on cloudron) the mails sent to nr@plaxon.consulting are going through. The problem only comes up when sending to the same domain.

Apr 21 21:11:47 [INFO] [72174BEC-99CD-4743-9611-6BDDE9EACF8F.1] [spf] identity=mfrom ip=52.29.142.239 domain="plaxon.consulting" mfrom=<bounce+982ce2.49176-nr=plaxon.consulting@plaxon.consulting> result=PermError
Apr 21 21:11:47 [INFO] [72174BEC-99CD-4743-9611-6BDDE9EACF8F.1] [spf] scope: mfrom, result: PermError, domain: plaxon.consulting
Apr 21 21:11:47 [INFO] [72174BEC-99CD-4743-9611-6BDDE9EACF8F.1] [core] hook=mail plugin=rcpt_to.in_host_list function=hook_mail params="<bounce+982ce2.49176-nr=plaxon.consulting@plaxon.consulting>" retval=DENY msg="Mail from domain 'plaxon.consulting' is not allowed from your host"

From the logs it looks like an SPF error, but the IP is whitelisted in the SPF record.

girish

@NCKNE said in Disable spam filtering:

This is not critical, but using an extern MX gateway is crucial for us so disabling spam filtering would be a good option for us (and maybe others).

Indeed, this is part one of the problem. The Cloudron mail stack does not support delivery via another MX. It sees that the From header is set to your domain and an email is incoming, it decides it is not allowed because only it can be the originator of your domain emails.

girish

@NCKNE I think the issue with the second setup was that incoming email for plaxon.consulting is still enabled on Cloudron even though MX is an external server. Currently, the external MX setup is not tested/wont' work until we test it on our side.

girish

OK, with @NCKNE 's help we got this figured out. Cloudron has a anti-spoof check where we don't allow external servers to send email with FROM address set to any incoming domain. In this case, a backup MX is relaying email to Cloudron and it is correctly detected as spoof-ed email.

The workaround is to simply whitelist the MX's IP in the SPF record. With this Cloudron has the "authorization" that the server is allowed to relay such email and accepts the mail. I have added a section in our doc here - https://cloudron.io/documentation/email/#alternate-mx