[Rspamd-Users] I'm confused...

Steve Witten caponecicero at gmail.com
Sat Feb 3 18:47:54 UTC 2024


Hello.

I have two systems:

   - *mail.example.com* (where postfix runs)
   - *rspamd.example.com* (where rspamd/redis runs)

Each of these is FreeBSD 14.0p4.  Each has three IP addresses -- 2 public
addresses (IPv4, IPv6) and a private (unroutable, IPv4) one.

FreeBSD generates daily/weekly/monthly reports about the results of routine
system checks and mails them to root (so-called *periodic* reports).

The periodic mail from *mail.example.com* is *not* DKIM-signed and rspamd
generates the following header for it:

X-Spamd-Result: default: False [7.99 / 15.00]; BAYES_HAM(-3.00)[99.99%];
    NEURAL_SPAM_SHORT(1.99)[0.996]; DMARC_POLICY_QUARANTINE(1.50)[example.com
    : No valid SPF, No valid DKIM,quarantine]; RCVD_NO_TLS_LAST(0.10)[];
    MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; R_SPF_NA(0.00)[no SPF
    record]; RCVD_COUNT_ONE(0.00)[1]; MISSING_XM_UA(0.00)[]; ARC_NA(0.00)[];
    FROM_NO_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROM(0.00)[];
    FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:20473, ipnet:2001:19f0:8000::/38,
    country:US]; TO_DN_NONE(0.00)[]; R_DKIM_NA(0.00)[];
    TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_SIGNED(0.00)[example.com:s=mailkey:i=1]
X-Rspamd-Pre-Result: action=add header; module=dmarc; Action set by DMARC
X-Spam-Status: Yes, score=7.99


The periodic mail from *rspamd.example.com* *is* DKIM-signed and rspamd
generates the following header for it:


X-Spamd-Result: default: False [-1.91 / 15.00]; BAYES_HAM(-3.00)[99.99%];
    NEURAL_SPAM_SHORT(1.09)[0.547]; MIME_GOOD(-0.10)[text/plain];
    RCVD_NO_TLS_LAST(0.10)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1];
    MIME_TRACE(0.00)[0:+]; FROM_NO_DN(0.00)[]; ARC_NA(0.00)[];
    MID_RHS_MATCH_FROMTLD(0.00)[]; ARC_SIGNED(0.00)[example.com:s=mailkey:i=1];
    FROM_EQ_ENVFROM(0.00)[]; DKIM_SIGNED(0.00)[example.com:s=mailkey];
    TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MISSING_XM_UA(0.00)[]
X-Spam-Status: No, score=-1.91
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=mailkey; t=1706981766;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:  to:to:cc;
    bh=j9fcdOWE0H02egnjagQqxaytDyAclmMs6pxRnWPQfpM=;
    b=KX178rXRVp3WamOHnf0xet9YkTG4/ypnrGZ051Wjn3+mA5UIN4yM5YsfOIpTRHm9I10pM8
    a0zoYcA89/ruFkQjSaM3JP6unS23VeLXe4a3bwWtmwjBWXjw1pG+jwfs1FGW1WmebWLUx6
    83+0gmCxWKg+PBTRVnaBby6WSZHRjEc=


Both messages are scanned by the same rspamd instance using a single
configuration.  Here's my *dkim_signing.conf*:

domain {
    example.com {
        selector = "mailkey";
        path = "/srv/rspamd/var/db/dkim/example.com.mailkey.key";
    }
}

apply {
    flags = ["skip_process"]; # Disable expensive MIME processing
}

# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;

# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;

# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = true;

# If true, username does not need to contain matching domain
allow_username_mismatch = true;

# Default path to key, can include '$domain' and '$selector' variables
#path = "/var/lib/rspamd/dkim/$domain.$selector.key";

# Default selector to use
#selector = "dkim";

# If false, messages from authenticated users are not selected for signing
sign_authenticated = true;

# If false, messages from local networks are not selected for signing
sign_local = true;

# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url

# Symbol to add when message is signed
symbol = "DKIM_SIGNED";

# Whether to fallback to global config
try_fallback = false;

# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";

# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
#use_domain_sign_networks = "header";

# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
#use_domain_sign_local = "header";

# Whether to normalise domains to eSLD
use_esld = true;

# Whether to get keys from Redis
use_redis = false;

# Hash for DKIM keys in Redis
#key_prefix = "DKIM_KEYS";

# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/dkim_selectors.map";

# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/dkim_paths.map";

# If `true` get pubkey from DNS record and check if it matches private key
check_pubkey = true;

# Set to `false` if you want to skip signing if public and private keys mismatch
allow_pubkey_mismatch = true;

Obviously, there are SPF, DMARC, & DKIM records for example.com...otherwise
rspamd couldn't find them to sign messages from *rspamd.example.com*.  The
DKIM keys are re-generated automatically once a month.

Why is one message signed and the other not?  Is this a postfix
configuration issue or an rspamd configuration issue?  At this point I've
run out of ideas about where to look.

I'd appreciate some pointers please.  More information cheerfully
supplied.  Thanks in advance for your kind responses.

Regards,

Steve Witten
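
An added example, not part of the original post: a small Python parser that unfolds the two X-Spamd-Result values quoted above and lists the symbols that appear on only one side or carry a different score, largest score gap first. The names parse_result and diff_results are this example's own, not rspamd tooling.

```python
import re

# A symbol entry is NAME(score)[options]; the summary is "[score / threshold]".
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\[([^\]]*)\]")
SUMMARY_RE = re.compile(r"\[(-?\d+(?:\.\d+)?) / (-?\d+(?:\.\d+)?)\]")

def parse_result(header):
    """Return (total, threshold, {symbol: (score, options)}) for one header value."""
    text = " ".join(header.split())  # undo header folding
    summary = SUMMARY_RE.search(text)
    if summary is None:
        raise ValueError("no '[score / threshold]' summary found")
    symbols = {name: (float(score), opts.strip())
               for name, score, opts in SYMBOL_RE.findall(text[summary.end():])}
    return float(summary.group(1)), float(summary.group(2)), symbols

def diff_results(a, b):
    """Symbols on one side only or scored differently, largest score gap first."""
    sa, sb = parse_result(a)[2], parse_result(b)[2]
    rows = []
    for name in sorted(set(sa) | set(sb)):
        score_a = sa[name][0] if name in sa else None
        score_b = sb[name][0] if name in sb else None
        if score_a != score_b:
            rows.append((name, score_a, score_b))
    rows.sort(key=lambda r: -abs((r[1] or 0.0) - (r[2] or 0.0)))
    return rows

# The two X-Spamd-Result values from the post, folding kept as in the message.
UNSIGNED = """default: False [7.99 / 15.00]; BAYES_HAM(-3.00)[99.99%];
 NEURAL_SPAM_SHORT(1.99)[0.996]; DMARC_POLICY_QUARANTINE(1.50)[example.com
 : No valid SPF, No valid DKIM,quarantine]; RCVD_NO_TLS_LAST(0.10)[];
 MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; R_SPF_NA(0.00)[no SPF
 record]; RCVD_COUNT_ONE(0.00)[1]; MISSING_XM_UA(0.00)[]; ARC_NA(0.00)[];
 FROM_NO_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROM(0.00)[];
 FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:20473, ipnet:2001:19f0:8000::/38,
 country:US]; TO_DN_NONE(0.00)[]; R_DKIM_NA(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_SIGNED(0.00)[example.com:s=mailkey:i=1]"""
SIGNED = """default: False [-1.91 / 15.00]; BAYES_HAM(-3.00)[99.99%];
 NEURAL_SPAM_SHORT(1.09)[0.547]; MIME_GOOD(-0.10)[text/plain];
 RCVD_NO_TLS_LAST(0.10)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1];
 MIME_TRACE(0.00)[0:+]; FROM_NO_DN(0.00)[]; ARC_NA(0.00)[];
 MID_RHS_MATCH_FROMTLD(0.00)[]; ARC_SIGNED(0.00)[example.com:s=mailkey:i=1];
 FROM_EQ_ENVFROM(0.00)[]; DKIM_SIGNED(0.00)[example.com:s=mailkey];
 TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MISSING_XM_UA(0.00)[]"""

if __name__ == "__main__":
    for name, unsigned, signed in diff_results(UNSIGNED, SIGNED):
        print(f"{name:26} unsigned={unsigned} signed={signed}")
```

A score of None means the symbol did not fire for that message at all.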

