Authenticated outgoing email is marked as spam by PBL on mailserver

Hi all,

I'm having a problem with valid mails being marked as spam on the MX mail
server for a domain. See my description below. If you'd need more details
let me know and I'll be happy to provide. I'm posting this here while this
might not be a postfix issue itself it is related with how postfix is
configured an how it might need a configuration change.

Users are sending email, authenticated, through the submission port on my
mailserver (their domain MX record points to mailserver; postfix).

What's been setup

- A record
- MX record (pointing to same mailserver for all domains)
- PTR record resolving to mailserver name
- DKIM: pass
- SPF: pass
- DMARC: pass
- MailScanner with clamd and spamassassin
- SASL authentication (mail headers mention user is authenticated)
- No open relay
- ...

I see that mails are authenticated in the headers.

However I see that spamassassin marks it as spam (it mentions that the IP
of the client is on the RBL). When I query spamhaus I see that the client
IP (which is dynamic due to mobile ISP). Zenhaus says it's on the PBL, so
basically it is marked as spam as a policy based on the client

Apart from that there's nothing wrong with those emails. The other ISPs
don't have this problem and the emails are then delivered properly.

Now on to my questions... :)

- is mail send through submission port supposed to go through
Mailscanner (spamassassin + clamd)? I would suppose yes as it would already
prevent people from sending spam in the first place (instead of preventing
spam email to be delivered). On the other hand a receiving mailserver can't
trust what's in the headers so it'll probably check it anyway.
- Is there a way to not mark as spam if only mentioned on the PBL?
- Will releasing the message make it deliverable? Or will it just move
the problem? (so the receiving mailserver might check and mark as spam due
to the PBL) If it moves the problem it doesn't seem a valid solution to try
to bypass the PBL for authenticated users.
- Will a receiving mailserver only check the last header (so the header
added by my mail server)? In this case disabling spam check might actually
resolve the issue and not move it on to the next machine).
- another thing that comes to mind is removing/modifying the first
header so the IP is no longer mentioned. However this seems like a bad
- What's the proper/appropriate way to handle this?

For clarity: the mails are received on the smtp server that the users have
configured on their laptop/mobile and put in the postfix queue. So no
direct rejection to the clients. Only after mailscanner jumps in and checks
the email before sending (in this case marking it as spam and not sending

Thanks a lot in advance!


Re: Authenticated outgoing email is marked as spam by PBL on mai

By Dominic Raferd at 06/16/2017 - 06:07

On 16 June 2017 at 10:29, PenguinWhispererThe . <

The reason that other mailservers don't have any problem with emails from
your dynamic ips is that the emails are 'cleansed' of their dynamic IP by
being forwarded through your static-ip server. So no problem releasing them
for onward delivery - the only IP that an onward server is likely to
consider is the client's (i.e. of your server), not what any headers might
say in the message about previous hops.

I'm not sure what the 'proper' way to handle this, but here are a few

​A way to prevent spamassassin from inspecting mail from authenticated​
senders is suggested at
<a href="" title=""></a>

I use spamassassin+clamd via amavis; it does check mail from authenticated
senders but I have turned off all RBL checks in spamassassin and instead
have postfix perform these - but only for non-authenticated senders. Like
this (suggestions for improvement welcome):

smtpd_sender_restrictions =
permit_mynetworks # only the local machine
# check_sender_access: REJECT emails (by envelope address) from a few
known spam senders, OK a very few 'false positives'
check_sender_access hash:/etc/postfix/check_sender_access
# check_client_access: OK a very few ips prone to 'false positives'
check_client_access hash:/etc/postfix/check_client_access
# accept whitelisted per hostkarma,,
# check against spamhaus etc
[... and others similar]
[... and others similar]
[... and others similar]
[... and others similar]

I think it is regarded as better practice to use postscreen instead, but my
setup is working well for now.