Amavis removing mail items?

[Labsy]

Hi,

few days after upgrade to 8.8.7 many users begun complaining, that they simply do not receive SOME mails. It's hard to diagnose, but I managed to get hands on some samples....but there are THOUSANDS of such cases:
- mail arives
- Zimbra accepts it
- mail BLINKS for short mail in user's mailbox
- then it dissapears from mailbox

I managed to trace one of those:

Code: Select all

Mar 13 13:05:42 seven postfix/smtpd[23962]: NOQUEUE: filter: RCPT from antispam.proxy.com[11.22.33.44]: <sender@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sender@domain.com> to=<recipient@zimbraserver.com> proto=ESMTP helo=<antispam.proxy.com>
Mar 13 13:05:42 seven postfix/smtpd[23962]: NOQUEUE: filter: RCPT from antispam.proxy.com[11.22.33.44]: <sender@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<sender@domain.com> to=<recipient@zimbraserver.com> proto=ESMTP helo=<antispam.proxy.com>
Mar 13 13:05:42 seven postfix/cleanup[24359]: B20C4168F50E: message-id=<01bc01d3bac3$9872b640$c95822c0$@surnamesender@domain.com>
Mar 13 13:05:42 seven postfix/qmgr[17668]: B20C4168F50E: from=<sender@domain.com>, size=49536, nrcpt=1 (queue active)

Amavis?
What filter is triggered?
This is MASSIVE now, practically ALL users are missing some mails.

[phoenix]

Does your mynetworks have a valid entry for your spam proxies to send to the ZCS server and is the mynetworks setting also reflected in this file: /opt/zimbra/conf/amavisd.conf

[Labsy]

Hi bill,

Yes, all networks are there, same in Zimbra and in Amavis conf. And there are IP addresses (ever since...same IPs almost 10 years):
127.0.0.0/8 10.10.11.50/32 11.22.33.0/24
(last one is Public /24 IP range, where all my servers, Zimbra nad mail proxies operate)

BTW1...Mail is vanishing from mailboxes, which receive mail via proxy and directly, so proxy should not matter.

BTW2...beside vanishing mail inside Amavis, one of corporate users also complained, that past few days Zimbra Webmail simply LOGS THEM OUT UNEXPECTEDLY, for example during writing mail, and mails vanish. There are some 25 users on the same location, all using Zimbra Webmail.
Pop up they see is:
Network error has occurred ...or something like this

[Labsy]

Here I found Amavis masivelly removing FALSE POZITIVES in past few days (after upgrade to 8.8.7).
The above logs continue like this:

Code: Select all

Mar 13 13:05:42 seven amavis[19045]: (19045-20) Checking: GLgy8_20IrBV [11.22.33.44] <sender@domain.com> -> <recipient@zimbraserver.com>
Mar 13 13:05:43 seven amavis[19045]: (19045-20) Blocked SPAM {DiscardedInbound}, [11.22.33.44]:50836 [90.157.194.8] <sender@domain.com> -> <recipient@zimbraserver.com>, Queue-ID: B20C4168F50E, Message-ID: <01bc01d3bac3$9872b640$c95822c0$@sendername@domain.com>, mail_id: GLgy8_20IrBV, Hits: 29.101, size: 49535, 761 ms
Mar 13 13:05:43 seven postfix/smtp[30009]: B20C4168F50E: to=<recipient@zimbraserver.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.47/0/0/0.76, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=19045-20 - spam)
Mar 13 13:05:43 seven postfix/qmgr[17668]: B20C4168F50E: removed

Now, any idea, how to see and RESTORE BACK all majoritiy of FALSE POZITVES?
There are thousands of those messages, users are getting crazy.

[Labsy]

Definitelly Amavis after update to 8.8.7 now blocks A LOT OF false pozitives, regular mail, which never got any spam score.
Where did that come from?

And what does HIT RATE in logs mean?

Code: Select all

Hits: 29.101

Is this some percentage?
Or is it 29101 or 29-point-101?

Under GLOBAL SETTINGS AV/AS settings are all the same for past few years:
75% spam, discard
35% spam, tag

I see most BAD-HEADER amavis errors lately...only appeared after upgrade to 8.8.7:

Code: Select all

X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)
        (char FC hex): Subject: Paketstatus f\x{FC}r Lieferung: 18[...]

Bug?