[Rspamd-Users] dkim signing of non-local domains.
Benny Pedersen
me at junc.eu
Fri Dec 6 13:24:38 UTC 2024
Andrew Lewis via Users wrote on 2024-12-06 12:30:
> Hi Danjel,
>
> On Fri, 2024-12-06 at 11:41 +0100, Danjel Jungersen via Users wrote:
>> It indicates an ip 127.0.0.1, but why?
+1
> There is a queue ID here; it could be used to confirm the actual sending
> address of the message.
>
>> - I may have found the answer, see further down...
>> Received headers from the mail:
>
> Yes, it looks like it has been re-injected via Sieve.
>
>> If yes, how do I avoid these errors?
in my setup without rspamd i use amavisd, amavisd-milter, the milter
connects to amavisd inbound policy bank, this is only dkim verified, not
dkim-signed, hint :)
> Do you need to sign unauthenticated messages from local addresses? If
> not, set `sign_local = false` in the dkim_signing configuration.
sign_local should really change to false on external clients ips, so
only sasl-auth clients sign_local = true
>
> Do you need to sign messages from the loopback address / messages with
> an `X-Sieve-Redirected-From` header? You could add a condition for the
> `DKIM_SIGNED` symbol (or apply the `settings` module):
>
> ~~~
> -- /etc/rspamd/rspamd.local.lua
> rspamd_config:add_condition('DKIM_SIGNED', function(task)
>   if task:has_header('X-Sieve-Redirected-From') then
>     return false
>   end
>   return true
> end)
> ~~~
let's hope it can be extended to know local ips and make a decision on
this info

for the rspamd project it still needs more work on with clients ips
content is from, see just list.sys4.de how many fails it has with
breaking dkim before rspamd has arc-signed and arc-sealed state on
original direct mails, it would not help much to ignore this, but
maillist have to take the consequence on this error with take over from:
headers, badly work around there

for now i hope rspamd would solve it better, all parts are already
there, but policy banks missing to make the right things still

to Danjel: you should not accept local envelope sender domain in mta
stage, this should be rejected as forged senders, partly also why you
see logs on rspamd
>
> https://rspamd.com/doc/faq.html#how-can-i-disable-some-rspamd-rules-safely
>
> Best,
> -AL.
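
Added example, not part of the original thread and not rspamd's own code: one way to fold the two options quoted above into a single `DKIM_SIGNED` condition that skips signing for Sieve redirects and for unauthenticated local clients. The helper `may_sign` and the order of the checks are assumptions made for illustration; `task:get_user()`, `task:get_from_ip()` and `ip:is_local()` are existing rspamd Lua API calls.

```lua
-- /etc/rspamd/rspamd.local.lua (added example, not from the thread)
local rspamd_logger = require "rspamd_logger"

-- Hypothetical helper: the signing policy as a pure function.
-- Returns (allowed, reason); allowed == false skips DKIM_SIGNED.
local function may_sign(has_sieve_redirect, auth_user, ip_is_local)
  -- Re-injected by Sieve: the From: domain may not be ours to sign for.
  if has_sieve_redirect then
    return false, 'sieve redirect'
  end
  -- SASL-authenticated submission: always eligible for signing.
  if auth_user and auth_user ~= '' then
    return true, 'authenticated sender'
  end
  -- Loopback / local interface without authentication: do not sign.
  if ip_is_local then
    return false, 'unauthenticated local client'
  end
  -- Everything else is left to the dkim_signing module's own settings.
  return true, 'defer to dkim_signing settings'
end

rspamd_config:add_condition('DKIM_SIGNED', function(task)
  local ip = task:get_from_ip()
  -- get_from_ip() can return nil or an invalid address object.
  local is_local = ip ~= nil and ip:is_valid() and ip:is_local()

  local allowed, reason = may_sign(
    task:has_header('X-Sieve-Redirected-From'),
    task:get_user(),
    is_local)

  if not allowed then
    -- Log the reason so skipped signatures can be traced by queue ID.
    rspamd_logger.infox(task, 'skip DKIM signing: %s', reason)
  end
  return allowed
end)
```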