[Rspamd-Users] Filtering outgoing emails

Philippe Paget phil at tatm.com
Sat May 11 17:01:27 UTC 2019


On 11/05/2019 02:16, Tim Harman via Users wrote:

> I still think there's another hop in here somewhere.
> 
> 13.177.173.37.list.dnswl.org:server fail
> 
> That indicates to me (and maybe I'm wrong) that 37.173.177.13 is the
> host making the connection.
> It then ANNOUNCES itself as HFILTER_HELO_BADIP(4.50)[192.168.0.112,1];
> 
> Do you have NAT or something going on here?  Can you post the logs of
> your mailserver when it gets the mail from your K9 client?

Thanks for your reply. I've spent more time on all the logs of the 
server and finally understood the problem.

This server was an 8-year-old setup (but maintained :) ) working like a 
charm with Postfix + SpamAssassin. A few days ago I migrated it to 
Rspamd.

As you pointed out, Rspamd sees my local client as an external IP and 
not a local one. As it's a correct assumption, I followed this path.

To call Rspamd from Postfix I've added the following:

#antispam rspamd
smtpd_milters=inet:127.0.0.1:11333
non_smtpd_milters=inet:127.0.0.1:11333
milter_protocol=6
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"

And the mistake was here, the correct one is:

#antispam rspamd
smtpd_milters=inet:127.0.0.1:11333
non_smtpd_milters=inet:127.0.0.1:11333
milter_protocol=6
milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}

With this error, Rspamd lost the fact that the current email came from an 
authenticated sender and was not a regular incoming email.


Now the outbound emails are scanned nicely, with this kind of log:

2019-05-11 14:30:48 #1852(rspamd_proxy) <bcaa9d>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 55210
2019-05-11 14:30:48 #1852(rspamd_proxy) <bcaa9d>; milter; rspamd_milter_process_command: got connection from 92.184.100.198:34456
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; accept_socket: accepted connection from 127.0.0.1 port 59292, task ptr: 00005555E3196000
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; rspamd_message_parse: loaded message; id: <93850AD0-032C-457A-9959-3195C1E36692 at tatm.com>; queue-id: <D3909260073>; size: 778; checksum: <a37864deb0d13465c27b500dc46f34c1>
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; rspamd_mime_part_detect_language: detected part language: fr
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; rspamd_mime_part_detect_language: detected part language: fr
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; spf_symbol_callback: skip SPF checks for local networks and authorized users
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2019-05-11 14:30:49 #1857(normal) <f1eded>; lua; once_received.lua:95: Skipping once_received for authenticated user or local network
2019-05-11 14:30:49 #1857(normal) <f1eded>; lua; dmarc.lua:569: skip DMARC checks for local networks and authorized users
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; bayes_classify: skip classification as ham class has not enough learns: 0, 200 required
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; rspamd_task_write_log: id: <93850AD0-032C-457A-9959-3195C1E36692 at tatm.com>, qid: <D3909260073>, ip: 92.184.100.198, user: phil at tatm.com, from: <phil at tatm.com>, (default: F (no action): [0.40/30.00] [SUBJECT_ENDS_SPACES(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:3215, ipnet:92.184.100.0/22, country:FR;},DKIM_SIGNED(0.00){},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 778, time: 22.523ms real, 6.643ms virtual, dns req: 1, digest: <a37864deb0d13465c27b500dc46f34c1>, rcpts: <phil at tatm.com>, mime_rcpts: <phil at tatm.com>
2019-05-11 14:30:49 #1857(normal) <f1eded>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 792B scanned total
2019-05-11 14:30:49 #1852(rspamd_proxy) <856f50>; proxy; proxy_milter_finish_handler: finished milter connection


I think I'm OK with the mandatory stuff to get Rspamd working.
Now I need to start monitoring false positives & doing a little tuning to 
get things better: a lot of regular & legal mailings are tagged as 
spam, which was not the case with SpamAssassin.


Tim, thank you very much for your help; it showed me the path to solve 
the issue.

Regards,

Phil
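
A check for the quoting mistake described in the message above, as an added example that is not part of the original post and not Postfix or Rspamd code: it parses main.cf text and flags any milter_*_macros value that contains quote characters, or a milter_mail_macros that does not send {auth_authen} as its own macro. The function names and the two sample fragments are constructed for illustration.

```python
import re

# Constructed samples modelled on the two main.cf fragments in the post.
BROKEN = '''\
smtpd_milters=inet:127.0.0.1:11333
milter_protocol=6
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
'''
FIXED = '''\
smtpd_milters = inet:127.0.0.1:11333
milter_mail_macros = i {mail_addr} {client_addr}
    {client_name} {auth_authen}
'''

def parse_main_cf(text):
    """Return {name: value} using main.cf rules: blank and '#' lines are
    skipped, a line starting with whitespace continues the previous one,
    and a later setting overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:          # not a "name = value" line; ignore it
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_milter_macros(text):
    """Return a list of findings for the milter_*_macros settings."""
    findings = []
    params = parse_main_cf(text)
    for name, value in params.items():
        if re.fullmatch(r"milter_\w+_macros", name) and re.search(r"[\"']", value):
            findings.append(f"{name}: quote characters are part of the value")
    mail = params.get("milter_mail_macros")
    # An unset parameter keeps the Postfix default, so only explicit values are checked.
    if mail is not None and "{auth_authen}" not in mail.split():
        findings.append("milter_mail_macros: {auth_authen} is not sent as its own macro")
    return findings

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_milter_macros(sample))
```

To audit a live server, feed it the contents of the real main.cf instead of the samples.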

