Technical Support

How to test SpamAssassin To test the spam filter, it is necessary to send a Gtube test spam email using the command below (Replacing emailonserver@example.com with a real email account on the server). If the Anti-spam is working correctly you will see it listed in the maillog and in Warden log under Warden -> Logs -> Message Log. While testing, note that Gtube test email gives +1000 scores to spam. So, even if a mailbox is in the whitelist, mail still be detected as spam because whitelisted email gets -100 scores. Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests. /usr/local/psa/bin/grey_listing --update-domain example.com -status off Centos/RHEL/CloudLinux/AlmaLinux: echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | mail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com Debian/Ubuntu: apt-get install s-nail echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | s-nail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com How to test ClamAV
To test the virus filter, it is necessary to download the eicar test virus email and send it using the command below (Replacing emailonserver@example.com with a real email account on the server). If the Anti-virus is working correctly you will see it get blocked and it will be listed in the maillog and in Warden -> Logs -> Message Log. Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests. /usr/local/psa/bin/grey_listing --update-domain example.com -status off Centos/RHEL/CloudLinux/AlmaLinux: wget http://www.eicar.org/download/eicar.com.txt echo "TEST MESSAGE w/ ATTACHMENT" | mail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com Debian/Ubuntu: apt-get install s-nail wget http://www.eicar.org/download/eicar.com.txt echo "TEST MESSAGE w/ ATTACHMENT" | s-nail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com
View Full Article...

Amavis will tag the subject line of any email that it can't scan with the tag UNCHECKED. ClamAV Problems First check and see that the ClamAV daemon is running properly. See: How can I check the status of ClamAV and fix any problems? Password Protected Archives Amavis will prepend to Subject (for local recipients only) if mail could not be decoded or checked entirely, e.g. due to password-protected archives. To Disable the UNCHECKED Header (Not recommended)
To disable this on Centos/RHEL edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and add the line (before the last line 1;): $undecipherable_subject_tag = undef; After making the changes restart Amavis: // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis
View Full Article...

Bad Header Destiny The default setting under Warden -> Settings -> Content Filter-> Content Filter Settings -> Bad header destiny is set to reject. The server wide policy option under Warden -> Settings -> Content Filter -> Policy Settings -> Receive bad header emails is set to Yes to allow bad header emails to pass to the mailbox. This means that Amavis will store a copy of the bad header emails for review but will still allow the emails to pass to the users mailbox. Amavis will delete the quarantined copies of the messages automatically after 30 days.
If you would like to reject mail with bad headers you can change the server wide policy option under Warden -> Settings -> Content Filter -> Policy Settings -> Receive bad header emails is set to No. Then bad header emails will not be passed though to the users mailbox.

To disable all bad header tests To disable all bad header tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and search for the @bypass_header_checks_maps option. Change from: @bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re); Change to: @bypass_header_checks_maps = [1]; After making these changes restart Amavis: // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis To disable all bad header tests for a specific policy bank (outgoing email only) Go to Warden -> Settings -> Policy Banks and set the Disable bad header filter to Yes for the policy you want to disable it on. To disable specific bad header tests There is an $allowed_header_tests option by which you can define what should be looked up during the bad-header checks, and the list is as follows: other catchall for everything else - normally not used mime Bad MIME (sub)headers or bad MIME structure 8bit Invalid non-encoded 8-bit characters in header control Invalid control characters in header (CR or NUL) empty Folded header field made up entirely of whitespace long Header line longer than RFC 2822 limit of 998 characters syntax Header field syntax error missing Missing required header field multiple Duplicate or multiple occurrence of a header field To disable certain tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and search for the $allowed_header_tests option. Setting a test to 0 will disable that test: $allowed_header_tests{'multiple'} = 0; $allowed_header_tests{'missing'} = 0; After making these changes restart Amavis // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis  
View Full Article...

In order for PHP to log what scripts are sending out from the server you must first set mail.add_x_header = On in all the php.ini files that are being used by the server. 1. Enable the mail.add_x_header in all of your PHP.ini files: // turn on for the OS default php version if you have the base PHP packages installed sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /etc/php.ini // turn on for all of the Plesk PHP versions sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /opt/plesk/php/*/etc/php.ini // restart any PHP FPM instances systemctl restart plesk-php73-fpm systemctl restart plesk-php74-fpm systemctl restart plesk-php80-fpm 2. Go to Warden -> Settings -> Filter Settings and change the Log template option from short to verbose. 3. Now you should see the X-PHP-Originating-Script header logged when clicking on the plus icon for a message entry that was sent out using PHP in the message log. It will log the UID of the user that ran the script and the script name. Looking up the User from the X-PHP-Originating-Script Header The X-PHP-Originating-Script header consists of the UID of the user and the script name: X-PHP-Originating-Script: 10000:class.phpmailer.php To find the vhost directory from a UID (replace the UID with the user ID that was logged): grep UID /etc/passwd 5. To find the full path to a script (replace the path with the vhost directory from the UID and the php script name with the name of the script that was logged): find /var/www/vhosts/example.com/httpdocs -type f -name "class.phpmailer.php" Viewing the X-PHP-Originating-Script Header from the Queue When viewing a message in the Warden queue, the PHP tab will lookup the local user information based off the X-PHP-Originating-Script header (if it exists) and search the vhost files for any matching script files with the same name.
View Full Article...

To get your free Maxmind license key Signup for the free license key here: https://www.maxmind.com/en/geolite2/signup Generate a license key here (When asked - Will this key be used for geoipupdate? Choose: no) Navigate to your Extension -> Settings -> Panel Application -> Geolocation Settings and enter the license key under MaxMind license key. (It might take 30 minutes before MaxMind will recognize a newly created key). Press the Update button to save your settings.
View Full Article...

Lots of people seem to be confused by the "autolearn=no" statement in the default X-Spam-Status header. There are usually questions regarding whether or not "no" means SpamAssassin is not autolearning at all. What it actually means is that the specific message which includes the "autolearn=no" part was not autolearned, not that autolearning is disabled or somehow broken.

The three values that can be displayed are "no" (autolearning did not occur), "ham" (the message was learned as ham), and "spam" (the message was learned as spam).

If a message has already been learned by SpamAssassin, then that message will not be learned again. Therefore, if you run a message through SpamAssassin to see why it was classified as spam or ham, and it has already been learned, you will always get the result "autolearn=no". (To see this more clearly, use the "-D" flag, and you will see debug output explaining that the message has already been learned.)

Furthermore, the score used to trigger autolearning is somewhat different than the one reported in the final score; therefore a score displayed in the headers that ostensibly should trigger autolearning will not do so. Again, use the "-D" flag to SpamAssassin, and you will see the score that is used to determine whether or not autolearning will be triggered.

Finally, SpamAssassin requires at least 3 points from the header and 3 points from the body, to auto-learn as spam. If either section contributes fewer points, the message will not be auto-learned.

Possible Autolearn States

ham: the message was learned as ham (non-spam)
spam: the message was learned as spam
no: the specific message didn't achieve the proper threshold values and requirements to be learned
disabled: the configuration specifies bayes_auto_learn 0 or use_bayes 0 and so no autolearning is attempted
failed: autolearning was attempted, but couldn't complete. This happens if SpamAssassin can't gain a lock on the Bayes database files, etc.
unavailable: autolearning not completed for any reason not covered above. It could be the message was already learned. Reasons why Autolearn isn't Working 1. In order for autolearn to work you need at least 200 trained messages in the ham and spam category.
2. If using Redis Bayes storage your Bayes Token TTL might be too low so the spam entries expire before they reach the 200 trained messages threshhold. Try raising the Bayes Token TTL to 180d
View Full Article...

In Amavis banned attachments are controlled by the $banned_filename_re option in the Amavis config file. Centos/RHEL/CLoudLinux/AlmaLinux Edit the file /etc/amavisd.conf/amavisd.conf and search for the $banned_filename_re option. You can comment out or add new file extensions: $banned_filename_re = new_RE( ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary # qr'^\.(exe|lha|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: # [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(pif|scr)$'i, # banned extensions - rudimentary # qr'^\.zip$', # block zip type ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type # qr'^message/external-body$'i, # rfc2046 MIME type # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type # qr'^\.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| # msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| # wmf|wsc|wsf|wsh)$'ix, # banned extensions - long # qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also # qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename # qr'^\.ani$', # banned animated cursor file(1) type # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. ); Debian/Ubuntu Edit the file /etc/amavis/conf.d/20-debian_defaults and search for the $banned_filename_re option. You can comment out or add new file extensions: $banned_filename_re = new_RE( # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components # block certain double extensions anywhere in the base name qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^application/x-msmetafile$'i, # Windows Metafile MIME type # qr'^\.wmf$', # Windows Metafile file(1) type # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types # [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed # [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives # [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| # wmf|wsc|wsf|wsh)$'ix, # banned ext - long # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. qr'^\.(exe-ms)$', # banned file(1) types # qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types ); Restart Amavis: // Centos / RHEL / CloudLinux systemctl restart amavisd // Debian / Ubuntu systemctl restart amavis
View Full Article...

About Greylisting Important: Greylisting is recommended for advanced users only. Make sure to read though this article thoroughly so that you don't accidentally get extended delays in legitimate email after enabling greylisting.
Greylisting is a method of defending against spam. Greylisting will tell the mail server to temporarily reject any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again after a delay, and if sufficient time has elapsed, the email will be accepted. Warden uses Plesk's built in greylisting tool. Server-wide and domain level greylisting management is supported by Warden. Personal level (mailbox level) grey listing management is not supported and should not be enabled.
Server-wide greylisting can be enabled/disabled in Warden ->Settings -> Greylisting Settings -> Greylisting . Unchecking and disabling the server wide setting will disable all greylisting and hide the greylisting tab in Warden for all domains. Domain level greylisting can be enabled/disabled under Warden -> Policies -> click the edit icon next to the domain on the grid -> Greylisting -> Disable greylisting option (yes or no). Greylisting defers emails from senders that use multiple IP addresses so it is important to whitelist those providers otherwise you will get extended delays in email. Look at the "Senders that use multiple IP addresses" section below for how to whitelist those mail servers. Greylisting will be applied to any non-authenticated email (both incoming and outgoing email). There will be longer delays in email delivery after first enabling greylisting as it might take a few days for entries to be populated in the greylisting database. Enabling Greylisting To enable greylisting server wide go to Warden -> Settings -> Greylisting Settings -> Check the greylisting option to enable it. Note that unchecking and disabling the server wide setting will disable all greylisting and hide the greylisting tab in Warden for all domains. After greylising is enabled server wide you have the option of disabling greylisting per domain under Warden -> Policies -> click the edit icon next to the domain on the grid -> Greylisting -> Disable greylisting (yes or no). Viewing Greylisted Emails Emails that are greylisted will be listed under Warden -> Logs -> Reject Log. Greylisted entries will have the a 451 4.7.1 status with the message Service unavailable - try again later (postfix is telling the other mail server to try again later). You can use the message select list on the reject page to filter by Service unavailable - try again later to view all greylisted entries. Normally greylisted emails will have at least 3 rejected entries before delivery is accepted. The Client rDNS column in the reject log is important as that is what you will use to whitelist a mail server from greylisting. If you see many entries for the same message coming from different IP addresses then you might need to create a wildcard whitelist for that provider. See: "Sender mail servers that use multiple IP addresses" below for more information. Sender mail servers that use multiple IP addresses After enabling greylisting it is important to review your Warden -> Logs -> Reject log over the next week in order to whitelist those mail service providers that send using multiple IP addresses otherwise you will get extended delays in email. It could take 1 or 2 days for delivery with greylisting enabled unless you whitelist those mail servers. You can whitelist the mail servers using a matching wildcard on the Client rDNS (PTR record) of the connecting mail server. Example: You might see the same email in the reject log coming from different mail servers from one provider: a15-177.smtp-out.amazonses.com a14-30.smtp-out.amazonses.com a15-229.smtp-out.amazonses.com e252-50.smtp-out.amazonses.com To whitelist emails from Amazon matching all of the mail servers you can whitelist it using a wildcard entry (Remember that you are whitelisting the client RDNS record of the email server not an email address): plesk bin grey_listing --update-server -domains-whitelist add:"*.amazonses.com" Known providers that send out using multiple IP addresses: // Adobe plesk bin grey_listing --update-server -domains-whitelist add:"*.adobe.com" // Amazon plesk bin grey_listing --update-server -domains-whitelist add:"*.amazonses.com" // Ebay plesk bin grey_listing --update-server -domains-whitelist add:"*.ebay.com" // Google plesk bin grey_listing --update-server -domains-whitelist add:"*.google.com" // Github plesk bin grey_listing --update-server -domains-whitelist add:"*.github.com" // Linkedin plesk bin grey_listing --update-server -domains-whitelist add:"*.linkedin.com" // Paypal plesk bin grey_listing --update-server -domains-whitelist add:"*.paypal.com" // Shopify plesk bin grey_listing --update-server -domains-whitelist add:"*.shopify.com" // Telus plesk bin grey_listing --update-server -domains-whitelist add:"*.telus.com" Configuring Greylisting Parameters like expire-interval, grey-interval, penalty-interval, and others can be configured under Warden -> Settings -> Greylisting Settings or using the Plesk CLI utility "grey_listing". Note: The personal command line option --update-mailname is not supported as it's tied to Plesk's legacy spam filter. To view the current greylisting settings: plesk bin grey_listing --info-server To enable greylisting for a specific domain: plesk bin grey_listing --update-domain example.com -status on To disable greylisting for a specific domain: plesk bin grey_listing --update-domain example.com -status off Whitelisting To whitelist a mail server from greylisting (Remember that you are whitelisting the client RDNS record of the email server not an email address): plesk bin grey_listing --update-server -domains-whitelist add:"mail.example.com" To remove a whitelisted mail server from greylisting: plesk bin grey_listing --update-server -domains-whitelist del:"mail.example.com" Blacklisting By default greylisting will block any client rDNS that matches the following patterns (The default patterns match dynamic hosts that should not be sending any emails). Mail servers that are blacklisted will be listed under Warden -> Logs -> Reject Log. Blacklisted entries will have the a 451 4.7.1 status with the message Command rejected. *[0-9][0-9]-[0-9][0-9]-[0-9][0-9]* *[0-9][0-9].[0-9][0-9].[0-9][0-9]* *[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]* *[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9[0-9]][0-9]* dsl|broadband|hsd dynamic|static|ppp|dyn-ip|dial-up To add blacklist patterns: plesk bin grey_listing --update-server -domains-blacklist add:"mail.badserver.com" To remove blacklist patterns: plesk bin grey_listing --update-server -domains-blacklist del:"mail.badserver.com" Adjusting the Default Blacklist Patterns
Some of the default blacklist patterns will likely block email from legitimate providers so it is recommended that you remove them: // matches mta-70-12-15.sparkpostmail.com plesk bin grey_listing --update-server -domains-blacklist del:"*[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*" // matches outbound-147-160-155-33.pinterestmail.com plesk bin grey_listing --update-server -domains-blacklist del:"*[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*" // matches mail25.static.mailgun.info so we remove the "static" pattern then re-add the rest plesk bin grey_listing --update-server -domains-blacklist del:"dynamic|static|ppp|dyn-ip|dial-up" plesk bin grey_listing --update-server -domains-blacklist add:"dynamic|ppp|dyn-ip|dial-up" Disabling Greylisting For Newly Created Domains Some users may want to have greylisting enabled server wide but have greylisting disabled by default for newly created domains. This can be done using a Plesk event handler. In Plesk go to Tools & Settings -> Event Manager -> Add Event Handler: Event: Default domain (the first domain added to a subscription) created Priorty: lowest(0) User: root Command: /usr/local/psa/bin/grey_listing --update-domain <NEW_DOMAIN_NAME> -status off  
View Full Article...