[Rspamd-Users] Received: lines being reordered on DKIM check?

Steve Watt steve at watt.com
Wed Apr 28 23:33:56 UTC 2021 

Greetings!

 

It appears that rspamd is somehow relocating a Received: header during DKIM
signature checking, but I'm not 100% sure.

 

System environment: FreeBSD 12.2p6, Sendmail, rspamd the trailing milter in
my configuration (the other ones are my message logger, milter-regex, and
ClamAV, in order).  The user delivery happens via Procmail and Dovecot
deliver.  Lotta places where things could go wrong, I recognize.

 

The message logger is something I wrote to preserve mail content as it
arrives, before Sendmail gets to it.  I use it to generate reliable spam
reports, as well as debugging various weird mail issues over the . uh,
decades.

 

Reordering Received: headers breaks spamcop reporting, as it makes it
impossible for their system to determine where my system received the
incoming messages.

 

With that introduction, I have the following mail in my message log for a
sample victim message.   The FROM and RCPT are from the SMTP commands.

 

-- Tue Apr 27 23:20:51 2021

Connect from s1-ba8d.socketlabs.email-od.com, TLSv1.2
(s1-ba8d.socketlabs.email-od.com [142.0.186.141])

FROM <2bf8.82.15f9d00014096f6.c396624901ad3f7720b1b7e4be7c27cd at email-od.com>
(1 argument)

RCPT <XXXX at XXXX.XXXXXXXX.NET> (1 argument)

 

DKIM-Signature: v=1; a=rsa-sha256; d=lplmod.com;s=deluxe;

        c=relaxed/relaxed; q=dns/txt; t=1619590852; x=1622182852;

 
h=message-id:content-type:subject:date:to:from:mime-version:reply-to:x-threa
d-info;

        bh=XLmDLZb2krpQlRZqjDXnbm4vOV6wbe3iIa/e6lRvjJk=;

 
b=lSqzkgqh/rhuVd3jGwetCs2OJYMhv+UhIiCR2BJZpaQyWTVDgXakD7oZd2v+OmJEhjj3kdjITC
JBq/vMSqSgWTVXOaoM8/3A+jNYRsVPmChHuGV3H9i/azDaMiQAAzdgQZ1eRLnWirVdaLqZOFR6vR
gfc/Ysr5+ipajKdIsbgFQW09AInYEwqj+JriGSLk9+oHi7go8rUOYLnR7BlfdYPNtJj2geu+NqP3
6QIy9hJS4ORetp7Z7E8FsGOcv+aPihdEHfpy3UgLvsqbNI3Up+o3kaEXvmUverz3i4hD9Al9Fqkm
LzWk7RFYUCbX8CWbFN90rYiaxlbCsw7TkAb1cG6Q==

DKIM-Signature: v=1; a=rsa-sha256; d=email-od.com;i=@email-od.com;s=dkim;

        c=relaxed/relaxed; q=dns/txt; t=1619590852; x=1622182852;

 
h=message-id:content-type:subject:date:to:from:mime-version:reply-to:x-threa
d-info;

        bh=XLmDLZb2krpQlRZqjDXnbm4vOV6wbe3iIa/e6lRvjJk=;

 
b=oUtTmD5NODl8Ti6Oa0fVK2+sgAVYBSWCN05NpM0tz3+7CNjNgh1hPsVpJYBM/caF3MBEdwwgMZ
8zeJm3sXEhYdnBVKXl709XZMI9gHH+dSKVIBcP9mxDCRPcerQS7LDoe9aRu2vu9CNFdwjOkVxxRn
FkIte6CXeJyXIRPJwYfN0=

X-Thread-Info:
MmJmOC4xZS4xNWY5ZDAwMDE0MDk2ZjYuMzE5Nlg0NTc2OTQuMzE5Nlg5MDM1LlRFQ0g9U1RFVkUu
V0FUVExJTksuTkVU

Received: from r2.us-west-2.aws.in.socketlabs.com
(r2.us-west-2.aws.in.socketlabs.com [142.0.190.2]) by mxrs4.email-od.com

        with ESMTP(version=Tls12 cipher=Aes256 bits=256); Wed, 28 Apr 2021
01:20:33 -0400

Received: from 127.0.0.1 (ec2-13-57-112-89.us-west-1.compute.amazonaws.com
[13.57.112.89]) by r2.us-west-2.aws.in.socketlabs.com

        with ESMTP; Wed, 28 Apr 2021 01:19:37 -0400

Received: from PRD-AppFW ([127.0.0.1]) by 127.0.0.1 with Microsoft
SMTPSVC(8.0.9200.16384);

         Tue, 27 Apr 2021 22:19:37 -0700

Reply-To: automation at lplmod.com

MIME-Version: 1.0

From: "FirstName123 LastName123" <automation at lplmod.com>

To: XXXX at XXXX.XXXXXXXX.NET

Date: 27 Apr 2021 22:19:37 -0700

Subject: Weekly Market Commentary

Content-Type: multipart/alternative;

boundary=--boundary_29600678_75a5c3f2-beab-4f40-8c1b-08b2b6921452

Return-Path: automation at lplmod.com

Message-ID: <PRD-APPFWQbPmhjM8os037fa3e8 at 127.0.0.1>

X-OriginalArrivalTime: 28 Apr 2021 05:19:37.0345 (UTC)
FILETIME=[1520DF10:01D73BEE]

 

This is a multipart message in MIME format.

 

And this is what appeared in the user mailbox (post rspamd, post
procmail/Dovecot-Deliver):

 

Received: from r2.us-west-2.aws.in.socketlabs.com
(r2.us-west-2.aws.in.socketlabs.com [142.0.190.2]) by mxrs4.email-od.com

        with ESMTP(version=Tls12 cipher=Aes256 bits=256); Wed, 28 Apr 2021
01:20:33 -0400

Received: from s1-ba8d.socketlabs.email-od.com
(s1-ba8d.socketlabs.email-od.com [142.0.186.141])

        by [myserver].watt.com (8.16.1/8.16.1) with ESMTPS id 13S6KmI8086214

        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO)

        for <XXXX at XXXX.XXXXXXXX.NET>; Tue, 27 Apr 2021 23:20:51 -0700 (PDT)

        (envelope-from
2bf8.82.15f9d00014096f6.c396624901ad3f7720b1b7e4be7c27cd at email-od.com)

Received: from PRD-AppFW ([127.0.0.1]) by 127.0.0.1 with Microsoft
SMTPSVC(8.0.9200.16384);

         Tue, 27 Apr 2021 22:19:37 -0700

Received: from 127.0.0.1 (ec2-13-57-112-89.us-west-1.compute.amazonaws.com
[13.57.112.89])

by r2.us-west-2.aws.in.socketlabs.com

        with ESMTP; Wed, 28 Apr 2021 01:19:37 -0400

Reply-To: <automation at lplmod.com>

From: "FirstName123 LastName123" <automation at lplmod.com>

To: <XXXX at XXXX.XXXXXXXX.NET>

Subject: Weekly Market Commentary

Date: Tue, 27 Apr 2021 22:19:37 -0700

Message-ID: <PRD-APPFWQbPmhjM8os037fa3e8 at 127.0.0.1>

MIME-Version: 1.0

Content-Type: multipart/alternative;

        boundary="----=_NextPart_000_023F_01D73C3F.ECA40F60"

X-Mailer: Microsoft Outlook 16.0

X-Archived: 1619590851.488821212@[myserver].watt.com

X-Rspamd-Queue-Id: 13S6KmI8086214

X-Spamd-Result: default: False [6.00 / 15.00];

         HAS_REPLYTO(0.00)[automation at lplmod.com];

         R_SPF_ALLOW(-0.20)[+ip4:142.0.176.0/20];

         REPLYTO_ADDR_EQ_FROM(0.00)[];

         TO_DN_NONE(0.00)[];

         MIME_BASE64_TEXT_BOGUS(1.00)[];

         RCVD_COUNT_THREE(0.00)[4];

         DKIM_TRACE(0.00)[lplmod.com:+,email-od.com:+];

         MIME_BASE64_TEXT(0.10)[];

         DMARC_POLICY_ALLOW(-0.50)[lplmod.com,quarantine];

 
FORGED_SENDER(0.30)[automation at lplmod.com,2bf8.82.15f9d00014096f6.c396624901
ad3f7720b1b7e4be7c27cd at email-od.com];

         MIME_TRACE(0.00)[0:+,1:+,2:~];

         RCVD_TLS_LAST(0.00)[];

         HAS_DATA_URI(0.00)[];

         ASN(0.00)[asn:27357, ipnet:142.0.184.0/22, country:US];

 
FROM_NEQ_ENVFROM(0.00)[automation at lplmod.com,2bf8.82.15f9d00014096f6.c396624
901ad3f7720b1b7e4be7c27cd at email-od.com];

         DWL_DNSWL_NONE(0.00)[email-od.com:dkim];

         ARC_NA(0.00)[];

         R_PARTS_DIFFER(1.00)[100.0%];

         R_DKIM_ALLOW(-0.20)[lplmod.com:s=deluxe,email-od.com:s=dkim];

         BAYES_HAM(-0.40)[77.83%];

         FROM_HAS_DN(0.00)[];

         EXT_CSS(1.00)[];

         TO_MATCH_

        ENVRCPT_ALL(0.00)[];

         MIME_GOOD(-0.10)[multipart/alternative,text/plain];

         DCC_REJECT(2.00)[bulk Body=2 Fuz1=many Fuz2=many rep=43% ];

         RCPT_COUNT_ONE(0.00)[1];

         RCVD_IN_DNSWL_NONE(0.00)[142.0.186.141:from,142.0.190.2:received];

         NEURAL_HAM(-0.00)[-0.075];

         MID_BARE_IP(2.00)[];

         GREYLIST(0.00)[pass,body]

X-Rspamd-Server: [myserver].watt.com

Thread-Index: AQHuXfoAxb12HzsxxoxEHkUjbCrPPg==

X-OlkEid:
000000004E54284C7D342340818A7240D59EC7E1070034AD76187591974DBF6C4F76951C873A
01005300000000003318C3580047674EA0507EDC1854346100000000AA2E000080C5333892A0
354CBA85384A024C75AB

X-Thread-Info:
MmJmOC4xZS4xNWY5ZDAwMDE0MDk2ZjYuMzE5Nlg0NTc2OTQuMzE5Nlg5MDM1LlRFQ0g9U1RFVkUu
V0FUVExJTksuTkVU

X-OriginalArrivalTime: 28 Apr 2021 05:19:37.0345 (UTC)
FILETIME=[1520DF10:01D73BEE]

 

This is a multipart message in MIME format.

 

None of the other milters know anything about DKIM, and my .procmailrc
didn't trigger anything but a deliver recipe, so no formail runs or the
like.

 

I note the complete absence of the DKIM-Signature headers in the delivered
message, plus the movement of the mxrs4.email-od.com Received: header so
it's in front of the by [myserver] one.

 

So it appears that the Received: line is somehow migrating during DKIM
checking/stripping?  But that's weird.

 

Thoughts?  Is this an rspamd bug?  Ideas on how to localize further?

 

Thanks,

 

-- 

Steve Watt   KD6GGD     PP-ASEL-IA   factories.words.yappy

Don't let your schooling get in the way of your education.

More information about the Users mailing list