I've searched the forum and the internet for any related topic, but couldn't find any suitable thread that addresses our issue. I'm pretty new to this forum and also to hMailServer, so please excuse if I'm asking anything that might be obvious.
We are still in the process of migrating from another MTA to hMailserver and everything is working really beautifully at the moment. However, from my experience there is something that needs to be enhanced, but before bothering Martin or placing an issue on Githubs repository pages, I'd like to openly discuss it with experienced MTA admins here. I hope very much that I'm overseeing something in my configuration and hopefully somebody more experienced can tell me better.
At the moment hMailServer SPAM-Test adds a scoring and marks emails to be more or less "likely" to be a spam email in reference to the SPAM-Test validity checks. But the way it's implemented it will cause a good number of false positives and false negatives. Here is a test case. In this example I have the follwing SPAM-Test settings:
- Use SPF: I've set score to 4 (triggers only if DNS of the senders email-domain has SPF implemented in DNS. If no SPF is implemented, the test will silently pass)
- Check host in the HELO command: I've set score to 2 (triggers always with incorrect DNS entries to the IP reffering to the submitted HELO Command, but mail also fail for valid dial-in dynamic dns addresses in the HELO command )
- Check sender has DNS-MX records: I've set score to 1 (triggers if a DNS-MX doesn't exists for the @domain.com address)
- Verify DKIM-Signature header: I've set score to 8 (triggers only the senders DNS for the @domain.com address has DKIM implemented)
Email received by hmailserver from valid outlook.com email address:
Code: Select all
Return-Path: firstname.lastname@example.org Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05olkn2023.outbound.protection.outlook.com [184.108.40.206]) ... .... From: xxxxxxxx <email@example.com> X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 2) X-hMailServer-Reason-Score: 2
Email received by hmailserver from a local vbscript MS-CDO with an invalid fake t-online.de address:
Code: Select all
Return-Path: firstname.lastname@example.org Received: from mypc (cable-xxx-0-193-xxx.nc.de [xxx.0.193.xxx]) by ... .... From: <email@example.com> ... X-Mailer: Microsoft CDO for Windows 2000 ... X-MimeOLE: Produced By Microsoft MimeOLE X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 2) X-hMailServer-Reason-Score: 2
For what it's worth, we would like hMailServer to strictly accept only emails from other correctly configured MTAs in a more granular way and reject everything that hasn't at least a minimal configuration to show it's legitmacy to send for a certain @domain.com address. That is also what mayor e-mail providers do. You won't get any email passed from your MTA to their MTA (and the accounts hosted there) unless you have a minimal configuration that shows you are a legimit to send on behalf of @domain.com. For that type of SPAM-Defense hMailServer doesn't get deep enough.
Instead of adding SPAM scores, an alternative would be to add deeper spam-test and add headers after SPAM-Tests in a "OR-condition" manner. Every condition check could create a X-hMailServer header accordingly:
1. ALLOW if connecting SMTP server IP is allowed by SPF to send on behalf of @domain.com as specified in the senders "From:" / "Return-Path:".
Sets header: X-hMailServer-SPFresult: 0/1 (for false/true)
2. ALLOW if connecting SMTP server IP is listed as one of the valid MX IP addresses for @domain.com as specified in DNS in reference to the senders "From:" / "Return-Path:".
Sets header: X-hMailServer-MXresult: 0/1 (for false/true)
3. ALLOW if connecting SMTP server PTR entry matches a valid DNS entry for @domain.com name as specified in the senders "From:" / "Return-Path:".
Sets header: X-hMailServer-FcrDNSresult: 0/1 (for false/true)
4. ALLOW if DKIM is valid.
Sets header: X-hMailServer-DKIMresult: 0/1 (for false/true)
There is no SPAM scoring envolved. This check could be bypassed for users authenticating with AUTH to send their emails. This would reduce false positives and false negatives. Also, this would allow a more granular way to catch certain emails by global rules and combat SPAM and BACKSCATTER more effectively with hMailServer. Of course, there would be more overhead envolved.
We already have implemented this with our old MTA with a self programmed application that catches the email via POP3. It does all these checks in a more or less somehow dirty way, but it banned a lot of SPAM and we were able to effectively combat backscatter. However, it would be really, really nice to see hMailServer doing that and give other hMailServer admins more power to tweak their MTAs and combat spam more effectively. Please share your opinions! Thanks to all envolved in this great project!