How to send email from an old scanner device? (TLS not working)

[molnarti]

My DMS instance is running strong from quite some time without any problems. However recently I have acquired a Brother scanner and I can't seem to be able to set it up to send emails via DMS.

The settings in the scanner are the following:

these settings work everywhere I use DMS to send emails, however from the scanner I am getting this error:

i have basically tried app combinations of SSL, TLS and disabling certificate verifications, but it did not help.

in the DMS logs I am getting this error:

2024-01-18T19:52:48.605447132Z Jan 18 20:52:48 mail postfix/submission/smtpd[1671108]: connect from BRW3423872A3701.********[192.168.120.80]

2024-01-18T19:52:48.635120454Z Jan 18 20:52:48 mail postfix/submission/smtpd[1671108]: SSL_accept error from BRW3423872A3701.********[192.168.120.80]: -1

2024-01-18T19:52:48.635178278Z Jan 18 20:52:48 mail postfix/submission/smtpd[1671108]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:

[casperklein]

Take a look here. You might give "intermediate" a try.

[molnarti]

thanks, but unforrtunately did not help.... (sshd into the container and checked the value with printenv to be sure the setting was properly applied)

[polarathene]

Brother scanner

Depends how old this is. This type of product often is problematic with TLS.

IIRC, you're potentially stuck with the CA list it has, so if it needed to verify a cert and that CA cert it came with has expired (this happened with LetsEncrypt IIRC) then it's unable to verify trust. Old Smart TV products that were no longer receiving updates had this issue a few years ago preventing them from browsing many websites securely.

---

Likewise, the supported cipher suite may be lacking.

Here is the script portion that configures intermediate TLS cipher-suite:

docker-mailserver/target/scripts/helpers/ssl.sh

Lines 145 to 148 in 9cdbef2

	( "intermediate" )
	local TLS_INTERMEDIATE_SUITE='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256'
	local TLS_INTERMEDIATE_IGNORE='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
	local TLS_INTERMEDIATE_MIN='TLSv1.2'

In Dec 2022, I raised our minimum support by being more restrictive, you can see here that intermediate min TLS level was bumped up from TLS 1.0 to TLS 1.2 (2008).

---

One additional point to make is we presently have these cipher suites configured for all ports other than 25. Port 25 is more relaxed, but as the linked commit shows we excluded some weaker cipher suites that were still valid in TLS 1.2. It's possible that your mail client (brother printer) could be compatible with those.

---

Troubleshooting

1. Your brother printer settings page lists both SSL and TLS. I have seen this elsewhere where it refers to StartTLS (587) vs implicit TLS (465), so this would be the first suggestion. Try port 465 (like our docs encourage) with the TLS option. If that works, 587 probably works with the SSL option.
2. With port 465, a direct TLS connection is made, this is much simpler / secure than StartTLS on port 587. If you still get the TLS errors, we need to relax the security further.

• Make sure that you properly restart DMS (docker compose up --force-recreate or docker compose down && docker compose up), do not use docker compose stop && docker compose start or docker compose restart.
• If the connection is still not successful now, temporarily use DMS v11.3.1. This was the release before the referenced TLS changes, it may be sufficient with the intermediate (or potentially with modern) as we also had an OpenSSL config change that was required for TLS <1.2.

3. If you still are unsuccessful, we need more information. Ideally what TLS cipher suites (or TLS versions) the printer does support.

• You can likely use our postfix-main.cf / user-patches.sh to alter configuration for this once we know what is required.
• Alternatively, port 587 could be used with None instead of SSL/TLS options. This should still work, but will be over an insecure connection. You must trust the network to not be compromised as the credentials will be in cleartext form, allowing anyone observing that traffic to now have the credentials for authenticating to DMS as the brother printer device.

[molnarti]

my issue with the scanner still persists. actually it got more significant, since in the meantime I have acquired some additional appliances (a UPS and and a power distributor unit) that I would like to use with mail notifications. I use my docker mail server instance exclusively to send notifications from my homelab, so no ports are exposed externally and no email is ever recieved on the DMS mailbox.

With port 25 i am getting this error:

mail postfix/postscreen[3662]: CONNECT from [192.168.50.32]:59497 to [172.18.0.37]:25
mail postfix/postscreen[3662]: PASS OLD [192.168.50.32]:59497
mail postfix/smtpd[3672]: connect from sentry3-5135c9.*********.**[192.168.50.32]
mail postfix/smtpd[3672]: disconnect from sentry3-5135c9.******.****[192.168.50.32] ehlo=1 auth=0/1 quit=1 commands=2/3

With authentication none i was able to get to the state where I am getting the NOQUEUE: reject: : Relay access denied error. In my understanding of the documentation, this could be solvalbe via the PERMIT_DOCKER variable and setting it to connected-networks, but it does not seem to help in getting rid of that...

[polarathene]

my issue with the scanner still persists

Did you go through the troubleshooting advice? You never replied, despite the effort I made to assist writing up that response.

You have not provided context on how you configured DMS with TLS:

• If it's using LetsEncrypt certs or self-signed.
• If the printer is enforcing verifying the chain of trust (CA), if it actually has a valid root CA public cert, or one that has expired due to age of the device. Your GUI screenshot specifically has "verify" enabled, so this is a valid concern.
• What cipher suite the printer attempted to use, if it is quite old it may lack TLS 1.3, and possibly our reduced TLS 1.2 cipher suite list.
• If you tried port 465 instead of 587, or the SSL vs TLS options. I had told you that 587 (SSL) and 465 (TLS) were the likely expectations from your GUI screenshot settings. You have 587 (TLS) which is likely misconfigured.

---

With port 25 i am getting this error

What error? There is no error there.

Port 25 is only intended for mail delivery, you should not be using that to attempt authentication or mail submission (to send out from DMS).

DMS specifically avoids supporting auth on port 25, this is a standard practice as only submission(s) ports (587 / 465) should be used to submit mail for sending outbound.

---

With authentication none i was able to get to the state where I am getting the NOQUEUE: reject: : Relay access denied error.

That None GUI setting avoids sending credentials. So that will work for sending mail to DMS to deliver on port 25.

The relay error is because it's avoiding being an open relay. Without trust (granted from authentication, or `PERMIT_DOCKER), DMS will not allow you to send mail outbound as that is relaying. Configure your printer to connect to DMS properly.

---

PERMIT_DOCKER variable and setting it to connected-networks, but it does not seem to help in getting rid of that...

This is ill-advised. You have better more secure options to use if you configure correctly. PERMIT_DOCKER is rarely needed but is available for those that really insist on needing it.

connected-networks is only for networks that the DMS container has an interface to, that is, it belongs to that network. In the container you can run ip a and see a list of interfaces, you'll probably not see your 192.168.x.y subnet there. Hence it's not trusted.

Please pay attention to insights I provided for you this time, instead of ignoring them.

Here is what should solve this for you:

The settings in the scanner are the following:

1. Go back to the settings you had here. Make sure you have port 587 set with SMTP-AUTH, not 25 and None.
2. Change SMTP over SSL/TLS to SSL.
3. If the connection fails, try disable the Verify Server Certificate feature.

• Encryption will still occur, verification is only necessary if you don't want to blindly trust the certificate provided (which can be bad if the connection was instead to a server that an attacker controlled and pretends to be your server).

4. You should already have success by now. If that fails, try port 465 and TLS.
5. If you're still unlucky, it's probably TLS cipher suite compatibility. You can try the DMS ENV TLS_LEVEL=intermediate, this will relax cipher suite a bit more.
6. If you end up here, error log is needed and you're expected to follow the original troubleshooting advice provided before we proceed.

You'll likely be successful by step 2 or 3. Please reply back if successful, this is for the benefit other users that arrive here with the same / similar predicament.

[molnarti]

yep, i have tried your recommendations, but I only have a faint idea what am I doing here...

1. My DMS is using letsencrypt
2. I have no idea if the printers certificates are valid or what TLS version it is using and I don't know how to find that out. There is a possibility to upload own certs, but it does not seem to work properly. I have tried uploading fullchain.pem (was rejected as not X.509 compatibile) cert.pem or chain.pem (seems to succeed, but the certificate list which is supposed to show cert name, issuer and validity is still empty). Also my other devices (UPS, PDU) dont have the option to upload certs so likely this will not be a solution.

So the current state of things is this:

1. port 587 with SSL
   

2024-08-16T07:40:16.474136+02:00 mail postfix/submission/smtpd[1362]: connect from BRW3423872A3701.*********.***[192.168.120.80]
2024-08-16T07:40:16.475693+02:00 mail postfix/submission/smtpd[1362]: warning: non-SMTP command from BRW3423872A3701.*****.****[192.168.120.80]: \026\003\001\000\\\001\000\000X\003\003\000O\322\363\023~\321a\033\3376\257\005_\bw\f\374\267\341\23
2024-08-16T07:40:16.476018+02:00 mail postfix/submission/smtpd[1362]: disconnect from BRW3423872A3701.*********.***[192.168.120.80] unknown=0/1 commands=0/1
2024-08-16T07:43:36.658546+02:00 mail postfix/anvil[1211]: statistics: max connection rate 2/60s for (submission:192.168.120.80) at Aug 16 07:40:16
2024-08-16T07:43:36.658571+02:00 mail postfix/anvil[1211]: statistics: max connection count 1 for (submission:192.168.120.80) at Aug 16 07:39:31
2024-08-16T07:43:36.658576+02:00 mail postfix/anvil[1211]: statistics: max cache size 1 at Aug 16 07:39:31

2. And this is the result with 465
   

2024-08-16T07:58:05.498862+02:00 mail postfix/submissions/smtpd[3032]: connect from BRW3423872A3701.*********.***[192.168.120.80]
2024-08-16T08:03:05.585095+02:00 mail postfix/submissions/smtpd[3032]: SSL_accept error from BRW3423872A3701.*********.***[192.168.120.80]: Connection timed out
2024-08-16T08:03:05.594232+02:00 mail postfix/submissions/smtpd[3032]: lost connection after CONNECT from BRW3423872A3701.*********.***[[192.168.120.80]
2024-08-16T08:03:05.594251+02:00 mail postfix/submissions/smtpd[3032]: disconnect from BRW3423872A3701.*********.***[[192.168.120.80] commands=0/0

I have already set the TLS_LEVEL=intermediate back in January according to your recommendations.

The UPS has even more limited settings with no option for TLS or SSL so i think getting the communication work on the plain port 25 is likely the way, maybe even by hosting a separate instance of DMS if needed....??

[polarathene]

1. port 587 with SSL

postfix/submission/smtpd[1362]: warning: non-SMTP command from BRW3423872A3701.*****.****[192.168.120.80]: \026\003\001\000\\\001\000\000X\003\003\000O\322\363\023~\321a\033\3376\257\005_\bw\f\374\267\341\23

Ok so there seems to be a problem with how it's interacting with the SMTP protocol 🤔

2. And this is the result with 465

postfix/submissions/smtpd[3032]: SSL_accept error from BRW3423872A3701.*********.***[192.168.120.80]: Connection timed out

While here it seems it got stuck for some other reason.

My assumption was with SSL vs TLS, but perhaps they are the other way around here. Could you try port 587 with TLS? And/or port 465 with SSL?

I think that might explain the failures both encountered. Your 587 possibly began sending credentials (SMTP auth commands) before negotiate to TLS (STARTTLS is meant to upgrade from plain-text to TLS, but it's technically optional and some bad clients will send credentials even if upgrade failed), while for port 465 it expects to establish TLS connection first and then authentication.

---

2. Also my other devices (UPS, PDU) dont have the option to upload certs so likely this will not be a solution.

I think you have a misunderstanding here. It would not make sense for your mail server LetsEncrypt cert to be given to your printer. It will get what it needs (public cert) from DMS when connecting.

What it cannot get is root CA cert that signed the certificate for trust. These are files you normally don't have to think about as most systems will have them already to verify trust. On older systems that don't get updated for like a decade since purchase, this can be a problem as the root CA certs they have our expired, this was actually a problem with smart TV products with LetsEncrypt in the past.

You can disregard this concern. Disabling the Verify certificate setting like mentioned will avoid this issue.

---

I have already set the TLS_LEVEL=intermediate back in January according to your recommendations.

It might be that your scanner lacks any support for TLS 1.2, or only insecure ciphers. If you need TLS 1.0 / 1.1 support for that was removed from DMS v12, you could verify by trying with DMS v13.3 image (make a backup of your current DMS config / volumes to roll back to if you have anything important).

That should enable some additional cipher suites, and with TLS_LEVEL=intermediate allow you to try TLS 1.0 and 1.1.

---

The UPS has even more limited settings with no option for TLS or SSL so i think getting the communication work on the plain port 25 is likely the way, maybe even by hosting a separate instance of DMS if needed....??

It will be either port 587 or 465, usually it is port 587.

When there is settings to choose like SSL vs TLS, it really should be STARTTLS (587) and TLS (465) 🫤

---

Alternative - Deliver to port 25 without TLS and use alias to forward mail

Port 25 does not require TLS at all to work. Delivery will fallback to unencrypted.

If you do not actually need the device to connect to DMS to send the different recipients externally, then you can instead just have it deliver the mail to DMS on port 25.

To do this on the DMS container add the alias:

docker exec -it dms-container-name-here bash
setup alias add [email protected] [email protected]

The my-scanner should not be an existing account (setup email add ...), any mail that arrives to DMS to that alias you create will then be forwarded to the 2nd address you configure.

Mail submission on port 465 and 587 are useful if you need more control than that, or do not want to allow any port 25 delivery to DMS at the alias to send mail. Perhaps for you it will work the easiest this way?

If that is not an option for you, we can take the PERMIT_DOCKER approach to allow an open relay to trusted networks.

[molnarti]

Could you try port 587 with TLS? And/or port 465 with SSL?

yeah, already did that a countless times, never worked

2024-08-16T10:58:32.764097+02:00 mail postfix/submissions/smtpd[19278]: connect from BRW3423872A3701.******.***[192.168.120.80]
2024-08-16T10:58:32.765748+02:00 mail postfix/submissions/smtpd[19278]: SSL_accept error from BRW3423872A3701.r******.***[192.168.120.80]: -1
2024-08-16T10:58:32.765780+02:00 mail postfix/submissions/smtpd[19278]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
2024-08-16T10:58:32.766268+02:00 mail postfix/submissions/smtpd[19278]: lost connection after CONNECT from BRW3423872A3701.******.***[192.168.120.80]
2024-08-16T10:58:32.766295+02:00 mail postfix/submissions/smtpd[19278]: disconnect from BRW3423872A3701.******.***[192.168.120.80] commands=0/0
2024-08-16T10:59:27.576449+02:00 mail postfix/submission/smtpd[19364]: connect from BRW3423872A3701.******.***[192.168.120.80]
2024-08-16T10:59:27.743109+02:00 mail postfix/submission/smtpd[19364]: SSL_accept error from BRW3423872A3701.******.***[192.168.120.80]: -1
2024-08-16T10:59:27.743135+02:00 mail postfix/submission/smtpd[19364]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
2024-08-16T10:59:27.743355+02:00 mail postfix/submission/smtpd[19364]: lost connection after STARTTLS from BRW3423872A3701.******.***[192.168.120.80]
2024-08-16T10:59:27.743943+02:00 mail postfix/submission/smtpd[19364]: disconnect from BRW3423872A3701.******.***[192.168.120.80] ehlo=1 starttls=0/1 commands=1/2

It will be either port 587 or 465, usually it is port 587.

When there is settings to choose like SSL vs TLS, it really should be STARTTLS (587) and TLS (465) 🫤

With either settings I am just getting a connect-disconnect in the logs and nothing else. Note that these are really old appliances (pre-2010, although their latest firmware is from 2020)

setup alias add [email protected] [email protected]

what should be the [email protected] ? my @gmail.com address where i want to receive the notification or another mailbox configured within DMS? with both approached i am just getting the relay access denied error again....

[polarathene]

postfix/submissions/smtpd[19278]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220

That's a more useful error though, it's working just DMS doesn't offer a compatible cipher suite. I don't think you've mentioned the age of the device, so it might be that it doesn't even support TLS 1.2, or if your LetsEncrypt certificate is ECDSA instead of RSA, your scanner device maybe only has RSA support, which could also hint to limited cipher suite even with TLS 1.2 🤔

Note that these are really old appliances (pre-2010, although their latest firmware is from 2020)

Oh there we go. So TLS 1.2 came out in 2008 and adoption took a while. These likely don't have any TLS 1.2 support. You might have luck with DMS 11.3.0 to confirm the few previously supported TLS 1.0 and 1.1 cipher suites work. Otherwise it might not be worth bothering to try get TLS working, especially if encryption between the devices and your DMS connection doesn't matter to you.

---

my @gmail.com address where i want to receive the notification or another mailbox configured within DMS?

Yeah, if you want it sent out to an address that DMS manages it should be that. So the alias should point to your Gmail.

with both approached i am just getting the relay access denied error again....

That shouldn't happen if the alias is configured correctly 🤔

Just to clarify:

• setup alias add will add the alias to your DMS config volume folder, it will create/update a file called postfix-virtual.cf
• setup email add will do similar for any mail account address that you want to have DMS manage a mailbox for and provide authentication credentials. If you are just having DMS send mail you probably don't need this.
  • The config file for this one is postfix-accounts.cf.
  • DMS will expect 1 account created unless you have SMTP_ONLY=1.
• Ensure that postfix-accounts.cf and postfix-virtual.cf do not share an address.
• Your scanner then sends mail on port 25 to the DMS alias address, no SMTP-AUTH just go with None for that instead.

Make sure that you are testing DMS with a fresh container instance just in case (docker compose up --force-recreate).

• If it doesn't accept the mail for the alias something is misconfigured. You can try deliver mail to a DMS account (setup email add [email protected] secret-password), that should work.
• If you still get relay denied, then the scanner is trying to send to an external recipient like your gmail address instead of to the DMS email or alias. For the alias to work correctly, the scanner must configure the recipient as the alias address, and DMS will handle the relay to external address that you aliased.

setup alias add [email protected] [email protected]

[molnarti]

ok, this is getting somewhere SLOWLY :D

i think the alias is set up properly in DMS based on the content of postfix-accounts.cf and postfix-virtual.cf, i just need to understand how to set up the appliances.
Mail server is my mail server domain
Port is 25
Auth is None
sender email is the alias have set up [email protected]
target emails is also the alias [email protected] right?

This is what i got:

NOQUEUE: reject: RCPT from BRW3423872A3701.*****.**** [192.168.120.80]: 550 5.7.23 <[email protected]>: Recipient address rejected: Message rejected due to: SPF fail - not authorized.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<BRW3423872A3701>

[polarathene]

Message rejected due to: SPF fail - not authorized.;

So this is normal, the domain is looked up and there is SPF DNS TXT record that says who has permission to send on behalf of that domain.

That check is avoided/skipped when your connection is trusted (via port 587 / 465, or PERMIT_DOCKER).

---

from=<[email protected]> to=<[email protected]>

The recipient (to) is where you want to send the mail to (the DMS alias), and the sender address (from) is the address where the mail is coming from, usually it's the same as your DMS account that you'd login with (from setup email add), but it doesn't really matter it can be anything when submitting mail on port 587 / 465. For port 25 without PERMIT_DOCKER trusting the IP, then it will be treated like any other untrusted third-party with rules like the SPF check and preventing open relay.

Example:

FROM [email protected]
TO [email protected]

---

Since PERMIT_DOCKER won't actually work here for you (connected-networks might work if host network mode), you can do it a bit more manually.

In the DMS config volume folder, add another postfix file of your own, this one is called postfix-main.cf (see our docs for Postfix override config feature). It needs this line:

mynetworks = 192.168.120.80/32`

If the IP assigned is not statically assigned to the scanner, then you'll need to relax the CIDR range /32 a bit more to accept the wider subnet. For you, that private range may be the entire 192.168.0.0/16 network. Caution that any connection from an IP (including one routed via the gateway IP) would then be considered trusted in the same way, risking an open relay if any host on that network is compromised.

There is no ENV to set for postfix-main.cf, so long as the file is there it will be detected and applied after initial setup of the container. As a reminder docker compose up (without docker compose down, or a up --force-recreate) will skip most of the setup, so if it's not working make sure to use docker compose up --force-recreate.

You could probably also add the scanner local IP to your DNS record for SPF.

---

Alternatively, you could try with 587 again (465 won't work for this IIRC), and remove the SSL_TYPE=letsencrypt ENV on DMS.

This removes the TLS cert support, and drops some related security... you're not really meant to use it but if DMS is only accessible internally it might be another option:

docker-mailserver/target/scripts/helpers/ssl.sh

Lines 316 to 318 in fb57905

	( '' ) # No SSL/TLS certificate used/required, plaintext auth permitted over insecure connections
	_log 'warn' '!! INSECURE !! SSL configured with plain text access - DO NOT USE FOR PRODUCTION DEPLOYMENT'
	# Untested. Not officially supported.

[molnarti]

ok, progress. adding the ip addresses to mynetworks apparently helped.

But: this was the message I have received in my external mailbox from the scanner:

The message WAS NOT relayed to:
  <********@****.com>:
  554 5.6.0 Bounce, id=00950-01 - BAD HEADER

This nondelivery report was generated by the program amavisd-new at host
mail.*****.***. Our internal reference code for your message is
00950-01/lCS-cM2MJWQQ

INVALID HEADER

  Missing required header field: "Date"

Return-Path: <****@****.****>
From: *****@*****.****
Subject: Test E-Mail Sending Configuration

Also tried to send something from another device, here i have received no email but got quite extensive logs:

2024-08-16T15:02:59.594493+02:00 mail postfix/smtpd[2113]: connect from sentry3-5135c9.*****.****[192.168.50.32]
2024-08-16T15:02:59.762427+02:00 mail postfix/smtpd[2113]: disconnect from sentry3-5135c9.*****.****[192.168.50.32] ehlo=1 quit=1 commands=2
2024-08-16T15:03:00.145288+02:00 mail postfix/postscreen[2112]: CONNECT from [192.168.50.32]:55090 to [172.18.0.6]:25
2024-08-16T15:03:00.145309+02:00 mail postfix/postscreen[2112]: ALLOWLISTED [192.168.50.32]:55090
2024-08-16T15:03:00.152169+02:00 mail postfix/smtpd[2113]: connect from sentry3-5135c9.*****.****[192.168.50.32]
2024-08-16T15:03:00.463898+02:00 mail postfix/smtpd[2113]: 7137B2A0453: client=sentry3-5135c9.*****.****[192.168.50.32]
2024-08-16T15:03:00.554921+02:00 mail postfix/cleanup[2116]: 7137B2A0453: message-id=<>
2024-08-16T15:03:00.561591+02:00 mail opendkim[758]: 7137B2A0453: sentry3-5135c9.*****.****[192.168.50.32] not internal
2024-08-16T15:03:00.561602+02:00 mail opendkim[758]: 7137B2A0453: not authenticated
2024-08-16T15:03:00.562654+02:00 mail opendkim[758]: 7137B2A0453: no signature data
2024-08-16T15:03:00.571939+02:00 mail opendmarc[773]: 7137B2A0453: *****.**** none
2024-08-16T15:03:00.621039+02:00 mail postfix/qmgr[866]: 7137B2A0453: from=<server@*****.****>, size=548, nrcpt=1 (queue active)
2024-08-16T15:03:00.629017+02:00 mail postfix/smtpd[2113]: disconnect from sentry3-5135c9.*****.****[192.168.50.32] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-08-16T15:03:00.631202+02:00 mail amavis[950]: (00950-02) ESMTP :10024 /var/lib/amavis/tmp/amavis-20240816T145212-00950-oYnMjStY: <server@*****.****> -> <*****.****@*****.****> SIZE=548 Received: from *****.**** ([127.0.0.1]) by localhost (mail.r*****.**** [127.0.0.1]) (amavis, port 10024) with ESMTP for <*****.****@*****.****>; Fri, 16 Aug 2024 15:03:00 +0200 (CEST)
2024-08-16T15:03:00.672489+02:00 mail amavis[950]: (00950-02) Checking: GsfHdGLtYxeH [192.168.50.32] <*****.****@*****.****> -> <*****.****@*****.****>
2024-08-16T15:03:00.672895+02:00 mail amavis[950]: (00950-02) Open relay? Nonlocal recips but not originating: *****.****@*****.****
2024-08-16T15:03:00.681120+02:00 mail amavis[950]: (00950-02) p001 1 Content-Type: text/plain, 7bit, size: 22, SHA1 digest: 81303352becc23ee5b4fa5f80da8b74a0e929a57
2024-08-16T15:03:00.702707+02:00 mail amavis[950]: (00950-02) check_header: 7, Missing required header field: "Date"
2024-08-16T15:03:00.736579+02:00 mail amavis[950]: (00950-02) header_edits_for_quar: rec_bl_ccat=(4,0), ccat=(4,7) *****.****@*****.****
2024-08-16T15:03:00.737207+02:00 mail amavis[950]: (00950-02) header_edits_for_quar: <server@*****.****> -> <*****.****@*****.****>, No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
2024-08-16T15:03:00.742750+02:00 mail amavis[950]: (00950-02) local delivery: <server@*****.****> -> bad-header-quarantine, mbx=/var/lib/amavis/virusmails/G/badh-GsfHdGLtYxeH
2024-08-16T15:03:00.753432+02:00 mail amavis[950]: (00950-02) DSN: NOTIFICATION: Action:failed, LOCAL 554 BadHdr, spam level 0.000, <server@*****.****> -> <*****.****@*****.****>
2024-08-16T15:03:00.777696+02:00 mail postfix/smtpd-amavis/smtpd[2120]: connect from localhost[127.0.0.1]
2024-08-16T15:03:00.782873+02:00 mail postfix/smtpd-amavis/smtpd[2120]: BF1A12A0457: client=localhost[127.0.0.1]
2024-08-16T15:03:00.791717+02:00 mail postfix/cleanup[2116]: BF1A12A0457: message-id=<DSNGsfHdGLtYxeH@mail.*****.****>
2024-08-16T15:03:00.813802+02:00 mail postfix/smtpd-amavis/smtpd[2120]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-08-16T15:03:00.813869+02:00 mail postfix/qmgr[866]: BF1A12A0457: from=<>, size=2801, nrcpt=1 (queue active)
2024-08-16T15:03:00.821836+02:00 mail amavis[950]: (00950-02) cyy6Q3uvwEXM(GsfHdGLtYxeH) SEND from <> -> <server@*****.****>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF1A12A0457
2024-08-16T15:03:00.854803+02:00 mail amavis[950]: (00950-02) Blocked BAD-HEADER-0 {BouncedOpenRelay,Quarantined}, [192.168.50.32]:55090 <server@*****.****> -> <*****.****@*****.****>, quarantine: G/badh-GsfHdGLtYxeH, Queue-ID: 7137B2A0453, mail_id: GsfHdGLtYxeH, Hits: -, size: 559, 230 ms
2024-08-16T15:03:00.869075+02:00 mail postfix/smtp-amavis/smtp[2117]: 7137B2A0453: to=<*****.****@*****.****.com>, orig_to=<*****.****@*****.****>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.44, delays=0.19/0/0.01/0.24, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=00950-02, BOUNCE)
2024-08-16T15:03:00.871096+02:00 mail postfix/qmgr[866]: 7137B2A0453: removed
2024-08-16T15:03:00.871431+02:00 mail dovecot: lmtp(2218): Connect from local
2024-08-16T15:03:00.888934+02:00 mail amavis[950]: (00950-02) size: 559, TIMING [total 266 ms] - SMTP greeting: 2.4 (1%)1, SMTP EHLO: 2.2 (1%)2, SMTP pre-MAIL: 1.5 (1%)2, SMTP MAIL: 1.5 (1%)3, SMTP pre-DATA-flush: 3.4 (1%)4, SMTP DATA: 36 (14%)18, check_init: 0.5 (0%)18, digest_hdr: 0.4 (0%)18, digest_body: 0.2 (0%)18, collect_info: 1.4 (1%)19, mime_decode: 11 (4%)23, get-file-type1: 19 (7%)30, parts_decode: 0.2 (0%)30, check_header: 1.0 (0%)30, AV-scan-1: 32 (12%)42, decide_mail_destiny: 1.2 (0%)43, notif-quar: 0.3 (0%)43, quar-hdrs: 4.0 (1%)44, stat-mbx: 11 (4%)48, open-mbx: 0.3 (0%)49, write-header: 0.4 (0%)49, save-to-local-mailbox: 0.2 (0%)49, prepare-dsn: 22 (8%)57, fwd-connect: 6 (2%)59, fwd-mail-pip: 6 (2%)62, fwd-rcpt-pip: 0.3 (0%)62, fwd-data-chkpnt: 0.1 (0%)62, write-header: 0.3 (0%)62, fwd-data-contents: 2.9 (1%)63, fwd-end-chkpnt: 36 (14%)77, report: 17 (7%)83, main_log_entry: 22 (8%)91, update_snmp: 2.8 (1%)92, SMTP pre-response: 0.4 (0%)92, SMTP response: 0.2 (0%)93, unlink-1-files: 19 (7%)100, run...
2024-08-16T15:03:00.896201+02:00 mail amavis[950]: (00950-02) ...down: 0.7 (0%)100
2024-08-16T15:03:00.963798+02:00 mail dovecot: lmtp(*****.****@*****.****)<2218><JdbsMwROv2aqCAAAvuKd5w>: sieve: msgid=<DSNGsfHdGLtYxeH@mail.*****.****>: stored mail into mailbox 'INBOX'
2024-08-16T15:03:00.973872+02:00 mail postfix/lmtp[2217]: BF1A12A0457: to=<*****.****@*****.****>, relay=mail.*****.****[/var/run/dovecot/lmtp], delay=0.19, delays=0.03/0.02/0.03/0.1, dsn=2.0.0, status=sent (250 2.0.0 <*****.****@*****.****> JdbsMwROv2aqCAAAvuKd5w Saved)
2024-08-16T15:03:00.976019+02:00 mail postfix/qmgr[866]: BF1A12A0457: removed
2024-08-16T15:03:00.978291+02:00 mail dovecot: lmtp(2218): Disconnect from local: Logged out (state=READY)

if i understand it correctly, I should somehow whitelist my alias email address in amavis?

[polarathene]

I should somehow whitelist my alias email address in amavis?

Since we're dismissing some security already, how important is it to you to have anti-virus / anti-spam enabled?

Amavis is a filter service (and will be swapped for rspamd in a future release). You can opt-out with ENABLE_AMAVIS=0. From the mail you received it would seem like the scanner perhaps did not provide standard mail headers that were typically expected like the date, Amavis is presumably checking for that and flagging it as spam.

If you do want to keep Amavis, we would be using the same trick to bypass these checks as we did with Postfix mynetworks setting, but we'd need to specifically override it here:

docker-mailserver/target/amavis/postfix-amavis.cf

Line 28 in fb57905

-o mynetworks=127.0.0.0/8

If ENABLE_AMAVIS=0 is acceptable, that would be a bit easier 😓

---

tried to send something from another device, here i have received no email but got quite extensive logs:

check_header: 7, Missing required header field: "Date"

amavis[950]: (00950-02) local delivery: <server@*****.****> -> bad-header-quarantine, mbx=/var/lib/amavis/virusmails/G/badh-GsfHdGLtYxeH
amavis[950]: (00950-02) DSN: NOTIFICATION: Action:failed, LOCAL 554 BadHdr, spam level 0.000, <server@*****.****> -> <*****.****@*****.****>

This is the Amavis logs showing that same issue with missing header "Date" detected. The DSN is a delivery failure notification, so that email content you showed prior.

postfix/lmtp[2217]: BF1A12A0457: to=<*****.****@*****.****>, relay=mail.*****.****[/var/run/dovecot/lmtp], delay=0.19, delays=0.03/0.02/0.03/0.1, dsn=2.0.0, status=sent (250 2.0.0 <*****.****@*****.****> JdbsMwROv2aqCAAAvuKd5w Saved)

Near the end of the logs you shared is this and a dovecot line before it. LMTP was used for local delivery (Dovecot), which means the mail was stored for an account that you created with setup email add ... / postfix-accounts.cf, possibly redirected from/to the postmaster address if you configured that.

---

if i understand it correctly, I should somehow whitelist my alias email address in amavis?

We could, there's a few options since your scanner isn't doing what it should for mail.

Let me know if ENABLE_AMAVIS=0 is not ok for you, otherwise let's go with that.

[molnarti]

thanks, with AMAVIS disabled all my devices were able to receive the emails. i dont think i have compromised much security since I have allowed the open relay for just 3 specific devices on my network. later I might tweak this a bit more to re-enable AMAVIS & ClamAV