[Rspamd-Users] Why does rspamd try to DKIM sign incoming mail?

Johannes Rohr jorohr at gmail.com
Thu Aug 22 14:59:34 UTC 2024


On 22.08.24 at 14:31, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 22 Aug 2024, Johannes Rohr wrote:
>
>> But if this is indeed an issue with mail forwarded by mailman being 
>> considered "local", I guess this is an issue that should be addressed.
>
> Do you mean mail from 'mailman' which you receive because you're a
> subscriber to mailing lists operated by mailman, or do you mean to say
> that you're running mailman yourself to operate mailing lists?

The latter. We run a mailman3 instance on the same server. However, the 
mail in question did NOT come from mailman. My suspicion was wrong. 
There is no trace of it in the mailman logs. In the postfix and dovecot 
log I see:

Aug 21 19:44:35 ida postfix/bounce[3085023]: 95BE63937124C: sender non-delivery notification: 43F553937124F
Aug 21 19:44:35 ida postfix/qmgr[3026741]: 43F553937124F: from=<>, size=5334, nrcpt=1 (queue active)
Aug 21 19:44:35 ida postfix/qmgr[3026741]: 95BE63937124C: removed
Aug 21 19:44:35 ida postfix/smtp[3085020]: 43F553937124F: to=<upnulxk at folowaunt.de>, relay=mail.folowaunt.de[217.79.178.57]:25, delay=0.08, delays=0.01/0/0.04/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F3848126737)
Aug 21 19:44:35 ida postfix/qmgr[3026741]: 43F553937124F: removed
Aug 21 19:44:36 ida dovecot: imap-login: Login: user=<*****@*****>, method=PLAIN, rip=2a01:4f8:10a:2758::2, lip=2a01:4f8:10a:2758::2, mpid=3085045, TLS, session=<hjN8GDUg7OAqAQT4AQonWAAAAAAAAAAC>
Aug 21 19:44:36 ida dovecot: imap(******@*****)<3085045><hjN8GDUg7OAqAQT4AQonWAAAAAAAAAAC>: Disconnected: Logged out in=320 out=1707 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

So mailman isn't involved. This message was delivered to a regular mail 
account.

So I remain at a loss why rspamd seems to receive it two times.

In the rspamd log with debug turned on I see:


2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_url: got checkv2 command
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read from header, value: upnulxk at folowaunt.de
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read queue_id header, value: 95BE63937124C
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read IP header, value: 127.0.0.1:0

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What is this "IP header"? Asking because there is no standard email 
header by that name.

What also surprises me is this:

2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read user-agent header, value: Postfix 3.6.4
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read MTA-Name header, value: mail.[myserver]

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Does this indicate that this mail was really sent by my server or can 
this be spoofed as well?

And then, there is this:

2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read hostname header, value: localhost

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Again, is this taken from the header of the actual email or where does 
this come from?

Thanks a lot for any heads-up....

Johannes
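
Added example, not part of the original post and not rspamd code: the values in the `rspamd_protocol_handle_headers` debug lines above are fields of the scan request that the MTA side sends to rspamd, so grouping them by task tag shows what rspamd was told about one message, including the loopback client address that the question about "local" mail turns on. The function names `tasks_from_log` and `is_loopback_client` are hypothetical; the sample lines are copied from the post.

```python
import ipaddress
import re
# Sample: debug lines quoted in the post, still wrapped as the mail client
# left them; the address keeps the list archive's " at " obfuscation.
SAMPLE = """\
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol;
rspamd_protocol_handle_headers: read from header, value:
upnulxk at folowaunt.de
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol;
rspamd_protocol_handle_headers: read queue_id header, value: 95BE63937124C
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol;
rspamd_protocol_handle_headers: read IP header, value: 127.0.0.1:0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"""

RECORD = re.compile(r"<(?P<tag>[0-9a-f]+)>; protocol; rspamd_protocol_handle_headers: "
                    r"read (?P<name>[\w-]+) header, value: (?P<value>\S.*)$")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} #")

def tasks_from_log(text):
    """Group the request fields rspamd logged, keyed by task tag (e.g. 63b6c2)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"^"}:    # blank lines and caret underlines
            continue
        if STAMP.match(line) or not records:  # a timestamp starts a new record
            records.append(line)
        else:                                 # continuation of a wrapped record
            records[-1] += " " + line
    tasks = {}
    for rec in records:
        m = RECORD.search(rec)
        if m:
            tasks.setdefault(m["tag"], {})[m["name"].lower()] = m["value"]
    return tasks

def is_loopback_client(headers):
    """True when the IP value handed to rspamd is a loopback address."""
    raw = headers.get("ip", "")
    host = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw  # drop ":port" on IPv4
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

if __name__ == "__main__":
    for tag, h in tasks_from_log(SAMPLE).items():
        print(tag, h.get("queue_id"), h.get("from"), "loopback" if is_loopback_client(h) else "remote")
```

The `queue_id` value it prints for a task can then be searched for in the Postfix log to find the matching queue entry.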



