From albrecht.backhaus at gmail.com Wed Jan 3 15:57:21 2024 From: albrecht.backhaus at gmail.com (Albrecht Backhaus) Date: Wed, 3 Jan 2024 16:57:21 +0100 Subject: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred Message-ID: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> Hi there I am running v 3.7.5 and do get csession http errors frequently - see example below > 2024-01-03 16:12:52 #1283389(controller) <80e272>; csession; > rspamd_controller_error_handler: http error occurred: Not found > 2024-01-03 16:12:52 #1283389(controller) > rspamd_http_router_finish_handler: path: /robots.txt not found > 2024-01-03 16:12:54 #1283389(controller) <15832f>; csession; > rspamd_controller_error_handler: http error occurred: Not found > 2024-01-03 16:12:54 #1283389(controller) > rspamd_http_router_finish_handler: path: /sitemap.xml not found I checked my config, but I was not able to find the issue. Any help and advice is highly appreciated. Thanks, Albrecht From moiseev at mezonplus.ru Wed Jan 3 16:37:15 2024 From: moiseev at mezonplus.ru (Alexander Moisseev) Date: Wed, 3 Jan 2024 19:37:15 +0300 Subject: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred In-Reply-To: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> References: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> Message-ID: <0223d5b2-3f3e-8a5d-4ddd-bfb3c37df782@mezonplus.ru> On 03.01.2024 18:57, Albrecht Backhaus wrote: > Hi there > > I am running v 3.7.5 and do get csession http errors frequently - see example below > >> 2024-01-03 16:12:52 #1283389(controller) <80e272>; csession; rspamd_controller_error_handler: http error occurred: Not found 2024-01-03 16:12:52 #1283389(controller) rspamd_http_router_finish_handler: path: /robots.txt not found 2024-01-03 16:12:54 #1283389(controller) <15832f>; csession; rspamd_controller_error_handler: http error occurred: Not found 2024-01-03 16:12:54 #1283389(controller) rspamd_http_router_finish_handler: path: 
/sitemap.xml not found
>
> I checked my config, but I was not able to find the issue.
>
> Any help and advice is highly appreciated.
>
> Thanks, Albrecht

I guess your controller is exposed to the world, so it is crawled and indexed by search engine bots.

From albrecht.backhaus at gmail.com Wed Jan 3 18:06:21 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Wed, 3 Jan 2024 19:06:21 +0100
Subject: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred
In-Reply-To: <0223d5b2-3f3e-8a5d-4ddd-bfb3c37df782@mezonplus.ru>
References: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> <0223d5b2-3f3e-8a5d-4ddd-bfb3c37df782@mezonplus.ru>
Message-ID:

*Von:/From:* Alexander Moisseev via Users
*Gesendet:/Sent:* Mittwoch, 03.01.2024 - 17:37
*An:/To:*
*Kopie:/CC:* Alexander Moisseev
*Betreff:/Subject:* Re: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred
> On 03.01.2024 18:57, Albrecht Backhaus wrote:
>> Hi there
>>
>> I am running v 3.7.5 and do get csession http errors frequently - see
>> example below
>>
>>> 2024-01-03 16:12:52 #1283389(controller) <80e272>; csession;
>>> rspamd_controller_error_handler: http error occurred: Not found
>>> 2024-01-03 16:12:52 #1283389(controller)
>>> rspamd_http_router_finish_handler: path: /robots.txt not found
>>> 2024-01-03 16:12:54 #1283389(controller) <15832f>; csession;
>>> rspamd_controller_error_handler: http error occurred: Not found
>>> 2024-01-03 16:12:54 #1283389(controller)
>>> rspamd_http_router_finish_handler: path: /sitemap.xml not found
>>
>> I checked my config, but I was not able to find the issue.
>>
>> Any help and advice is highly appreciated.
>>
>> Thanks, Albrecht
>
> I guess your controller is exposed to the world, so it is crawled and
> indexed by search engine bots.

Sorry - but I do not understand. My worker-controller config is:

> worker {
>     controller {
>         count = 1;
>         bind_socket = "localhost:11334";
>         enable_password = "REMOVED-FOR-PRIVACY-REASONS";
>         secure_ip = "127.0.0.1";
>         static_dir = "/usr/share/rspamd/www";
>         password = "REMOVED-FOR-PRIVACY-REASONS";
>     }
> }

From my understanding it is not exposed to the public. The log entries in my first post are from the rspamd-log. It looks as if the two files robots.txt and sitemap.xml are missing. I never changed or deleted anything in that path which is obviously /usr/share/rspamd/www.

Are the two files expected to be there?

I am unfortunately still at a loss ...

From peter_rspamd at reinhold.dk Wed Jan 3 18:51:00 2024
From: peter_rspamd at reinhold.dk (Peter Reinhold)
Date: Wed, 03 Jan 2024 19:51:00 +0100
Subject: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred
In-Reply-To:
References: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> <0223d5b2-3f3e-8a5d-4ddd-bfb3c37df782@mezonplus.ru>
Message-ID: <68d4e29877ed677cbf205769e06f4af5@reinhold.dk>

99.9% sure your admin panel is on the open internet, and the errors are because a crawler tried to retrieve robots.txt, which isn't there, and shouldn't be, because you should definitely not run the admin panel publicly.
--- Peter Reinhold On 2024-01-03 19:06, Albrecht Backhaus wrote: > *Von:/From:* Alexander Moisseev via Users > *Gesendet:/Sent:* Mittwoch, 03.01.2024 - 17:37 > *An:/To:* > *Kopie:/CC:* Alexander Moisseev > *Betreff:/Subject:* Re: [Rspamd-Users] csession; > rspamd_controller_error_handler: http error occurred >> On 03.01.2024 18:57, Albrecht Backhaus wrote: >>> Hi there >>> >>> I am running v 3.7.5 and do get csession http errors frequently - see >>> example below >>> >>>> 2024-01-03 16:12:52 #1283389(controller) <80e272>; csession; >>>> rspamd_controller_error_handler: http error occurred: Not found >>>> 2024-01-03 16:12:52 #1283389(controller) >>>> rspamd_http_router_finish_handler: path: /robots.txt not found >>>> 2024-01-03 16:12:54 #1283389(controller) <15832f>; csession; >>>> rspamd_controller_error_handler: http error occurred: Not found >>>> 2024-01-03 16:12:54 #1283389(controller) >>>> rspamd_http_router_finish_handler: path: /sitemap.xml not found >>> >>> I checked my config, but I was not able to find the issue. >>> >>> Any help and advice is highly appreciated. >>> >>> Thanks, Albrecht >> >> I guess your controller is exposed to the world, so it is crawled and >> indexed by search engine bots. > > Sorry - but I do not understand.? My worker-controller config is: > >> worker { >> ??? controller { >> ??????? count = 1; >> ??????? bind_socket = "localhost:11334"; >> ??????? enable_password = "REMOVED-FOR-PRIVACY-REASONS"; >> ??????? secure_ip = "127.0.0.1"; >> ??????? static_dir = "/usr/share/rspamd/www"; >> ??????? password = "REMOVED-FOR-PRIVACY-REASONS"; >> ??? } >> } > From my understanding it is not exposed to the public. The log entries > in my first post are from the rspamd-log. It looks as if the two files > robots.txt and sitemap.xml are missing. I never changed ore deleted > anything in that path which is obviously /usr/share/rspamd/www. > > Are the two files expected to be there ? > > I am unfortunately still at a loss ... 
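
Added example, not part of any message in this thread and not Rspamd project code: a Python check that reads the controller's bind_socket setting together with the "path: ... not found" log lines quoted above. When the socket is loopback-only yet crawler paths such as /robots.txt show up, the requests must be relayed by a process on the same host. The function names, verdict strings and the two extra crawler paths are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Router 404 line as quoted in the thread; the "<id>; csession;" tag is optional.
ROUTER_404 = re.compile(
    r"#\d+\(controller\) (?:<[0-9a-f]+>; \S+; )?"
    r"rspamd_http_router_finish_handler: path: (?P<path>\S+) not found"
)
# Anchored at line start so commented-out settings are ignored.
BIND_SOCKET = re.compile(r'^\s*bind_socket\s*=\s*"([^"]+)"', re.MULTILINE)

# The first two paths come from the thread; the last two are assumed additions
# that generic crawlers also request from any web server they can reach.
CRAWLER_PATHS = {"/robots.txt", "/sitemap.xml", "/ads.txt",
                 "/.well-known/security.txt"}

# Controller section as posted in the thread (passwords were redacted there).
SAMPLE_CONFIG = '''
worker {
    controller {
        count = 1;
        bind_socket = "localhost:11334";
        enable_password = "REMOVED-FOR-PRIVACY-REASONS";
        secure_ip = "127.0.0.1";
        static_dir = "/usr/share/rspamd/www";
        password = "REMOVED-FOR-PRIVACY-REASONS";
    }
}
'''

# Log lines as posted in the thread.
SAMPLE_LOG = [
    "2024-01-03 16:12:52 #1283389(controller) <80e272>; csession; "
    "rspamd_controller_error_handler: http error occurred: Not found",
    "2024-01-03 16:12:52 #1283389(controller) "
    "rspamd_http_router_finish_handler: path: /robots.txt not found",
    "2024-01-03 16:12:54 #1283389(controller) <15832f>; csession; "
    "rspamd_controller_error_handler: http error occurred: Not found",
    "2024-01-03 16:12:54 #1283389(controller) "
    "rspamd_http_router_finish_handler: path: /sitemap.xml not found",
]


def bind_is_loopback(value):
    """True if a bind_socket value is reachable only from the local host.

    IPv6 literals are expected in brackets, e.g. "[::1]:11334".
    """
    if value.startswith("/"):          # UNIX socket path
        return True
    host, sep, _port = value.rpartition(":")
    if not sep:                        # no port given
        host = value
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                 # "*", other hostnames
        return False


def crawler_probes(log_lines):
    """Count controller 404s whose path is a typical crawler request."""
    hits = Counter()
    for line in log_lines:
        match = ROUTER_404.search(line)
        if match and match.group("path") in CRAWLER_PATHS:
            hits[match.group("path")] += 1
    return hits


def assess(config_text, log_lines):
    """Combine both observations into one verdict string."""
    if not crawler_probes(log_lines):
        return "no-crawler-probes"
    binds = BIND_SOCKET.findall(config_text)
    if not binds:
        return "bind-unknown"
    if all(bind_is_loopback(b) for b in binds):
        # Remote crawlers cannot connect to loopback themselves, so a local
        # listener (reverse proxy, port forward, tunnel) relays their requests.
        return "loopback-bind-forwarded-locally"
    return "non-loopback-bind"


if __name__ == "__main__":
    print(dict(crawler_probes(SAMPLE_LOG)))
    print(assess(SAMPLE_CONFIG, SAMPLE_LOG))
```
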
From moiseev at mezonplus.ru Wed Jan 3 19:22:53 2024 From: moiseev at mezonplus.ru (Alexander Moisseev) Date: Wed, 3 Jan 2024 22:22:53 +0300 Subject: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred In-Reply-To: References: <73ab36db-abf8-481f-8566-bda31e2349f2@gmail.com> <0223d5b2-3f3e-8a5d-4ddd-bfb3c37df782@mezonplus.ru> Message-ID: <911e1d10-0661-848b-b689-9f8db6176300@mezonplus.ru> On 03.01.2024 21:06, Albrecht Backhaus wrote: > *Von:/From:* Alexander Moisseev via Users > *Gesendet:/Sent:* Mittwoch, 03.01.2024 - 17:37 > *An:/To:* > *Kopie:/CC:* Alexander Moisseev > *Betreff:/Subject:* Re: [Rspamd-Users] csession; rspamd_controller_error_handler: http error occurred >> On 03.01.2024 18:57, Albrecht Backhaus wrote: >>> Hi there >>> >>> I am running v 3.7.5 and do get csession http errors frequently - see example below >>> >>>> 2024-01-03 16:12:52 #1283389(controller) <80e272>; csession; rspamd_controller_error_handler: http error occurred: Not found 2024-01-03 16:12:52 #1283389(controller) rspamd_http_router_finish_handler: path: /robots.txt not found 2024-01-03 16:12:54 #1283389(controller) <15832f>; csession; rspamd_controller_error_handler: http error occurred: Not found 2024-01-03 16:12:54 #1283389(controller) rspamd_http_router_finish_handler: path: /sitemap.xml not found >>> >>> I checked my config, but I was not able to find the issue. >>> >>> Any help and advice is highly appreciated. >>> >>> Thanks, Albrecht >> >> I guess your controller is exposed to the world, so it is crawled and indexed by search engine bots. > > Sorry - but I do not understand.? My worker-controller config is: > >> worker { >> ??? controller { >> ??????? count = 1; >> ??????? bind_socket = "localhost:11334"; >> ??????? enable_password = "REMOVED-FOR-PRIVACY-REASONS"; >> ??????? secure_ip = "127.0.0.1"; >> ??????? static_dir = "/usr/share/rspamd/www"; >> ??????? password = "REMOVED-FOR-PRIVACY-REASONS"; >> ??? 
}
>> }
> From my understanding it is not exposed to the public. The log entries in my first post are from the rspamd-log. It looks as if the two files robots.txt and sitemap.xml are missing. I never changed or deleted anything in that path which is obviously /usr/share/rspamd/www.
>
> Are the two files expected to be there?
>
> I am unfortunately still at a loss ...
>

Check processes listening on common web server ports. Maybe you have a reverse proxy that forwards these requests.

From pete at valar.uk.net Wed Jan 3 21:18:41 2024
From: pete at valar.uk.net (Pete Long)
Date: Wed, 3 Jan 2024 21:18:41 +0000
Subject: [Rspamd-Users] Rspamd Default Rejection String
Message-ID: <632F3961-4340-40F7-A959-BB6FB37E2DA6@valar.uk.net>

Hi all,

I'm fairly new to Rspamd but so far the journey has been enlightening.

My question is where can I find the default rejection message definition for mail that gets a 15.0 score by Rspamd?

I've tried a GTUBE test and Rspamd tells me exactly what happened but I'm wondering what (by default) the other senders will see if they score past 15.0?

Thanks.


Pete.

From rspamd-users at judo.za.org Wed Jan 3 22:16:42 2024
From: rspamd-users at judo.za.org (Andrew Lewis)
Date: Thu, 04 Jan 2024 00:16:42 +0200
Subject: [Rspamd-Users] Rspamd Default Rejection String
In-Reply-To: <632F3961-4340-40F7-A959-BB6FB37E2DA6@valar.uk.net>
References: <632F3961-4340-40F7-A959-BB6FB37E2DA6@valar.uk.net>
Message-ID:

Hi Pete,

The default rejection message for milter can be set in
`/etc/rspamd/local.d/worker-proxy.inc`

reject_message = "Spam message rejected";

The implicit default is as above.

Best,
-AL.

On Wed, 2024-01-03 at 21:18 +0000, Pete Long via Users wrote:
> Hi all,
>
> I'm fairly new to Rspamd but so far the journey has been
> enlightening.
>
> My question is where can I find the default rejection message
> definition for mail that gets a 15.0 score by Rspamd?
>
> I've tried a GTUBE test and Rspamd tells me exactly what happened but
> I'm wondering what (by default) the other senders will see if they
> score past 15.0?
>
> Thanks.
>
>
> Pete.

From pete at valar.uk.net Thu Jan 4 07:24:35 2024
From: pete at valar.uk.net (Pete Long)
Date: Thu, 4 Jan 2024 07:24:35 +0000
Subject: [Rspamd-Users] Rspamd Default Rejection String
In-Reply-To:
References: <632F3961-4340-40F7-A959-BB6FB37E2DA6@valar.uk.net>
Message-ID: <359A5481-35E3-4C0F-890C-2CFEE9D56635@valar.uk.net>

That's great, thanks very much Andrew.

Pete.

> On 3 Jan 2024, at 22:16, Andrew Lewis via Users wrote:
>
> Hi Pete,
>
> The default rejection message for milter can be set in
> `/etc/rspamd/local.d/worker-proxy.inc`
>
> reject_message = "Spam message rejected";
>
> The implicit default is as above.
>
> Best,
> -AL.
>
> On Wed, 2024-01-03 at 21:18 +0000, Pete Long via Users wrote:
>> Hi all,
>>
>> I'm fairly new to Rspamd but so far the journey has been
>> enlightening.
>>
>> My question is where can I find the default rejection message
>> definition for mail that gets a 15.0 score by Rspamd?
>>
>> I've tried a GTUBE test and Rspamd tells me exactly what happened but
>> I'm wondering what (by default) the other senders will see if they
>> score past 15.0?
>>
>> Thanks.
>>
>>
>> Pete.
>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
-------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP URL: From christian.mack at uni-konstanz.de Thu Jan 4 09:56:46 2024 From: christian.mack at uni-konstanz.de (Christian Mack) Date: Thu, 4 Jan 2024 10:56:46 +0100 Subject: [Rspamd-Users] Compile error in util_tests.cxx In-Reply-To: <20231222224947.GU14531@ns.sol.net> References: <20231222224947.GU14531@ns.sol.net> Message-ID: <4a15c319-04bb-4232-bd3f-7160d6906dbd@uni-konstanz.de> Hello Seems like your c++ compiler doesn't understand that template class. Which one and which version of it do you use? Kind regards, Christian Mack Am 22.12.23 um 23:49 schrieb Joe Greco via Users: > Greetings! > > I'm working to build rspamd in a /bin/sh-less FreeBSD jailed environment. > > The purpose of this is to build Internet-exposed systems in a manner > that is less vulnerable to stack smash exploits and the like. Instead > of beginning with a full FreeBSD environment inside the jail and then > installing more stuff, we instead begin with an empty jail and then > place only the stuff that's necessary in there. > > Each jail is isolated in a UNIX top level directory, such as /rspamd > or /postfix. Basically the idea is that you can do a set of steps > like > > tar xvf somepackage-1.2.3.tar.gz > cd somepackage-1.2.3 > ./configure --prefix=/rspamd > make > make install > cd .. > rm -fr somepackage-1.2.3 > > for each library or package that is required as part of the jail, and > you end up with a relatively clean jail that only has those things > inside. > > I've been doing this since about the time Poul-Henning Kamp introduced > jails to FreeBSD, and it works very well. Usually. :-) > > However, I have a bit of a problem. I don't "do" C++, and rspamd has > thrown a bit of a loop at me. I'm getting an error I don't really > understand, and certainly don't understand how to rectify. 
> > I'm getting: > > ------------------------------------------------------------------ > [...generally reasonable looking build stuff...] > > [ 55%] Building CXX object src/CMakeFiles/rspamd-server.dir/libutil/cxx/utf8_util.cxx.o > [ 55%] Building CXX object src/CMakeFiles/rspamd-server.dir/libutil/cxx/util_tests.cxx.o > /rspamd/src/rspamd-3.7.5/src/libutil/cxx/util_tests.cxx:63:25: error: expected body of lambda > expression > auto compare_vec = [](const std::vector &v1, const ... > ^ > /rspamd/src/rspamd-3.7.5/src/libutil/cxx/util_tests.cxx:63:26: error: expected expression > auto compare_vec = [](const std::vector &v1, const ... > ^ > 2 errors generated. > *** Error code 1 > > Stop. > make[2]: stopped in /rspamd/src/rspamd-3.7.5/build > *** Error code 1 > > Stop. > make[1]: stopped in /rspamd/src/rspamd-3.7.5/build > *** Error code 1 > > Stop. > make: stopped in /rspamd/src/rspamd-3.7.5/build > ------------------------------------------------------------------ > > rspamd is configured with: > > cmake -DCMAKE_INSTALL_PREFIX=/${type} \ > -DENABLE_HYPERSCAN=ON \ > -DENABLELUAJIT=ON \ > -DCMAKE_BUILD_TYPE=RelWithDebuginfo \ > -DCONFDIR=/${type}/conf \ > -DRUNDIR=/${type}/data/run \ > -DDBDIR=/${type}/data/db \ > -DLOGDIR=/${type}/logs \ > .. > > ------------------------------------------------------------------ > > The jail also has the following versions of stuff installed: > > openssl=1.1.1w > jemalloc=5.3.0 > boost=1_84_0 > cmake=3.28.1 > readline=8.2 > Python=3.12.1 > meson=1.3.0 > glib=2.78.3 > ragel=6.10 > LuaJIT=2.1.1693350652 > sqlite=3440200 > file=5.20 > icu4c=55_1 > pcre2=10.42 > zlib=1.3 > libsodium=1.0.19 > hyperscan=5.4.2 > postfix=3.8.3 > redis=7.2.3 > rspamd=3.7.5 > > and rspamd is basically the last thing needed. If anyone has any > insight into this error, I'd very much appreciate it. > > Thanks and Happy Holidays, > > ... 
JG -- Christian Mack Universit?t Konstanz Kommunikations-, Informations-, Medienzentrum (KIM) Abteilung IT-Dienste Forschung, Lehre, Infrastruktur 78457 Konstanz +49 7531 88-4416 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 6007 bytes Desc: Kryptografische S/MIME-Signatur URL: From t.hendricks at interpool.de Thu Jan 4 10:42:53 2024 From: t.hendricks at interpool.de (Tino Hendricks) Date: Thu, 4 Jan 2024 11:42:53 +0100 Subject: [Rspamd-Users] =?utf-8?q?Regex_=E2=80=93_how_to_do_it_right=3F?= Message-ID: <71F881B4-A861-42AD-A9C8-B3100C69F0FF@interpool.de> Dear list, being new to rspamd I too often struggle with the (too?) extensive manuals. I want to filter out the annoying parcel delivery spams coming from hotmail that obviously don?t get learned by Bayes. It?s a multiline HTML that I consider the sufficient characteristic. (For testing purpose I started with a one line snippet.) From the manuals I think there are 3 ways to go: 1. Mulitmap: https://rspamd.com/doc/modules/multimap.html#regexp-maps 2. Rules (Regex) https://rspamd.com/doc/tutorials/writing_rules.html#regexp-rules 3. Rules (Lua) https://rspamd.com/doc/tutorials/writing_rules.html#lua-rules I tried #2 by putting config['regexp?][PAKETE_TEST'] = '/ *

Kunden.*<\/p>/' into /etc/rspamd/local.d/rspamd.local.lua to no avail Next I tried #3 with config['regexp']['PAKETE_TEST'] = { re = '/ *

Kunden.*<\/p>/', score = 10.0, condition = function(task) -- run this rule only if some condition is satisfied return true end, } into /etc/rspamd/local.d/pakete_rules.lua to no avail #1 works but this seems to be the least comfortable way if it comes to many and maybe complex Regexes. How do you do it? Thanks, Tino From rspamd-users at judo.za.org Thu Jan 4 13:37:26 2024 From: rspamd-users at judo.za.org (Andrew Lewis) Date: Thu, 04 Jan 2024 15:37:26 +0200 Subject: [Rspamd-Users] =?utf-8?q?Regex_=E2=80=93_how_to_do_it_right=3F?= In-Reply-To: <71F881B4-A861-42AD-A9C8-B3100C69F0FF@interpool.de> References: <71F881B4-A861-42AD-A9C8-B3100C69F0FF@interpool.de> Message-ID: Hi Tino, Use regex rules where possible, see here for additional information about them: https://rspamd.com/doc/modules/regexp.html If you need/want to use maps, multimap may be a reasonable choice. If you need flexibility beyond what's possible with regex rules you may want to reach for Lua (or some combination of regex & Lua). The correct path for rspamd.local.lua is directly under /etc/rspamd (not under local.d). You'd want something similar to as below I suppose: config['regexp']['PAKETE_TEST'] = { -- use square quotes to avoid escaping, set match type re = [[/ *

Kunden.*<\/p>/{sa_raw_body}]], score = 10.0, } Best, -AL. On Thu, 2024-01-04 at 11:42 +0100, Tino Hendricks wrote: > Dear list, > > being new to rspamd I too often struggle with the (too?) extensive > manuals. > > I want to filter out the annoying parcel delivery spams coming from > hotmail that obviously don?t get learned by Bayes. > It?s a multiline HTML that I consider the sufficient characteristic. > (For testing purpose I started with a one line snippet.) > > From the manuals I think there are 3 ways to go: > 1. Mulitmap: > ?https://rspamd.com/doc/modules/multimap.html#regexp-maps > 2. Rules (Regex) > ?https://rspamd.com/doc/tutorials/writing_rules.html#regexp-rules > 3. Rules (Lua) > ?https://rspamd.com/doc/tutorials/writing_rules.html#lua-rules > > > I tried #2 by putting > > config['regexp?][PAKETE_TEST'] = '/ *

Kunden.*<\/p>/' > > into /etc/rspamd/local.d/rspamd.local.lua to no avail > > Next I tried #3 with > > config['regexp']['PAKETE_TEST'] = { > ??? re = '/ *

Kunden.*<\/p>/', > ??? score = 10.0, > ??? condition = function(task) -- run this rule only if some > condition is satisfied > ??????? return true > ??? end, > } > > into /etc/rspamd/local.d/pakete_rules.lua to no avail > > #1 works but this seems to be the least comfortable way if it comes > to many and maybe complex Regexes. > > How do you do it? > > Thanks, > > Tino From rspamd at jubileegroup.co.uk Thu Jan 4 13:56:06 2024 From: rspamd at jubileegroup.co.uk (G.W. Haywood) Date: Thu, 4 Jan 2024 13:56:06 +0000 (GMT) Subject: [Rspamd-Users] =?utf-8?q?Regex_=E2=80=93_how_to_do_it_right=3F?= In-Reply-To: References: <71F881B4-A861-42AD-A9C8-B3100C69F0FF@interpool.de> Message-ID: Hi there, On Thu, 4 Jan 2024, Andrew Lewis via Users wrote: > ... > You'd want something similar to as below I suppose: > > config['regexp']['PAKETE_TEST'] = { > -- use square quotes to avoid escaping, set match type > re = [[/ *

Kunden.*<\/p>/{sa_raw_body}]], > score = 10.0, > } A couple of points about the regex itself: 1. If the " *" at the beginning does mean "zero or more spaces" what's the purpose of that? It seems to me unlikely to be a valuable test. 2. The ".*" after "Kunden" would be much better written as a limited range, because otherwise for example the regex engine can find itself trying to match megabytes of base64-encoded garbage which is *never* going to match, so it's just wasting CPU. If you're not careful with things like this in regexes processing overhead can grow exponentially and you can end up DoSing yourself. -- 73, Ged. (BJA 1st dan, 1983. :) From t.hendricks at interpool.de Fri Jan 5 16:47:11 2024 From: t.hendricks at interpool.de (Tino Hendricks) Date: Fri, 5 Jan 2024 17:47:11 +0100 Subject: [Rspamd-Users] =?utf-8?q?Regex_=E2=80=93_how_to_do_it_right=3F?= In-Reply-To: References: <71F881B4-A861-42AD-A9C8-B3100C69F0FF@interpool.de> Message-ID: <2557B9BB-A959-49C8-83DF-0BBA94FAFE43@interpool.de> Hey guys, thank you so much for your input. I really appreciate your time! As for the regex: Yes, it was just an (admittedly) stupid example, but I tried to keep it simple. The real regex is multiline with quantifiers (??{n}??). Andrew, the fine manual lists ??should be stored in the file ${CONFDIR}/rspamd.local.lua,..?, and without reading any further I thought CONFDIR is the local.d. %-/ https://rspamd.com/doc/tutorials/writing_rules.html#configuration-files I think it?s a little bit confusing here: https://rspamd.com/doc/configuration/index.html#rspamd-variables LOCAL_CONFDIR: site-local configuration directory for Rspamd (usually the same value as $CONFDIR, and not to be confused with local.d) ?Hey, we call it LOCAL? but it isn?t local.d!? ? Putting rspamd.local.lua now into the correct place works like a charm, thank you! 
Best, Tino > Am 04.01.2024 um 14:37 schrieb Andrew Lewis via Users : > > Hi Tino, > > Use regex rules where possible, see here for additional information > about them: > > https://rspamd.com/doc/modules/regexp.html > > If you need/want to use maps, multimap may be a reasonable choice. If > you need flexibility beyond what's possible with regex rules you may > want to reach for Lua (or some combination of regex & Lua). > > The correct path for rspamd.local.lua is directly under /etc/rspamd > (not under local.d). > > You'd want something similar to as below I suppose: > > config['regexp']['PAKETE_TEST'] = { > -- use square quotes to avoid escaping, set match type > re = [[/ *

Kunden.*<\/p>/{sa_raw_body}]], > score = 10.0, > } > > Best, > -AL. > > On Thu, 2024-01-04 at 11:42 +0100, Tino Hendricks wrote: >> Dear list, >> >> being new to rspamd I too often struggle with the (too?) extensive >> manuals. >> >> I want to filter out the annoying parcel delivery spams coming from >> hotmail that obviously don?t get learned by Bayes. >> It?s a multiline HTML that I consider the sufficient characteristic. >> (For testing purpose I started with a one line snippet.) >> >> From the manuals I think there are 3 ways to go: >> 1. Mulitmap: >> https://rspamd.com/doc/modules/multimap.html#regexp-maps >> 2. Rules (Regex) >> https://rspamd.com/doc/tutorials/writing_rules.html#regexp-rules >> 3. Rules (Lua) >> https://rspamd.com/doc/tutorials/writing_rules.html#lua-rules >> >> >> I tried #2 by putting >> >> config['regexp?][PAKETE_TEST'] = '/ *

Kunden.*<\/p>/' >> >> into /etc/rspamd/local.d/rspamd.local.lua to no avail >> >> Next I tried #3 with >> >> config['regexp']['PAKETE_TEST'] = { >> re = '/ *

Kunden.*<\/p>/', >> score = 10.0, >> condition = function(task) -- run this rule only if some >> condition is satisfied >> return true >> end, >> } >> >> into /etc/rspamd/local.d/pakete_rules.lua to no avail >> >> #1 works but this seems to be the least comfortable way if it comes >> to many and maybe complex Regexes. >> >> How do you do it? >> >> Thanks, >> >> Tino > > -- > Users mailing list > Users at lists.rspamd.com > https://lists.rspamd.com/mailman/listinfo/users From tacodewolff at gmail.com Fri Jan 5 19:31:34 2024 From: tacodewolff at gmail.com (Taco de Wolff) Date: Fri, 5 Jan 2024 16:31:34 -0300 Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM Message-ID: Hi, I want to reduce the amount of misconfigured (and possibly spam) coming from my mail server. I have a Postfix + Rspamd setup where Rspamd is DKIM signing outgoing messages from /etc/opendkim/keys/[domain]/default.private. I'd like to block sending out emails that have a different header FROM address domain than their envelope FROM address domain. This ensures (as I understand it) that all outgoing messages are then authenticated with DKIM. The local part can be different though, that is fine. Currently, I already enforce the envelope FROM address from Postfix so that it is a valid mailbox and has a DKIM key. The user can set any header FROM address however, and if they choose a header FROM address with a different domain than the envelope address, Rspamd will not DKIM sign the message and it will be rejected by the destination (eg. gmail) or put in spam. I want to prevent sending it out to the destination in the first place, can that be achieved with Rspamd? Example: user logs in with intern at example.com and sends a mail to xxx at gmail.com. The envelope FROM is intern at example.com. If the header FROM is set to user at other.com, Rspamd should reject sending it. If it is admin at example.com or intern at example.com, it is DKIM signed and send out. 
Kind regards,
Taco de Wolff

From pete at valar.uk.net Tue Jan 9 18:41:29 2024
From: pete at valar.uk.net (Pete Long)
Date: Tue, 9 Jan 2024 18:41:29 +0000
Subject: [Rspamd-Users] Thank You
Message-ID:

Hi all,

No issues to report other than I need to learn more about Rspamd.

I'm totally impressed with this software; particularly how we get so much functionality and power.

I'm watching the logs daily in an easy way to read thanks to the web interface and I have to say I'm very impressed.

Running version 3.6 on FreeBSD together with OpenSMTPD 7.3.0-portable.

I can't code but I can donate if there's a link anywhere?

Thanks.


Pete.

From christian.mack at uni-konstanz.de Wed Jan 10 11:32:42 2024
From: christian.mack at uni-konstanz.de (Christian Mack)
Date: Wed, 10 Jan 2024 12:32:42 +0100
Subject: [Rspamd-Users] rspamd 3.7.5 changelogs?
Message-ID: <9af24bd6-0723-41e6-a9ef-962c39d4efd5@uni-konstanz.de>

Hello

Since before Christmas there is a rspamd version 3.7.5 at least in the debian bullseye repo.
But I can not see any changelogs about it at
https://github.com/rspamd/rspamd/blob/master/ChangeLog

Is that really a valid version?
What has changed in it?


Kind regards,
Christian Mack

--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
78457 Konstanz
+49 7531 88-4416

From rspamd-users at judo.za.org Wed Jan 10 11:41:46 2024
From: rspamd-users at judo.za.org (Andrew Lewis)
Date: Wed, 10 Jan 2024 13:41:46 +0200
Subject: [Rspamd-Users] rspamd 3.7.5 changelogs?
In-Reply-To: <9af24bd6-0723-41e6-a9ef-962c39d4efd5@uni-konstanz.de> References: <9af24bd6-0723-41e6-a9ef-962c39d4efd5@uni-konstanz.de> Message-ID: Hi Christian, It's valid; master branch is still missing the ChangeLog update. https://github.com/rspamd/rspamd/blob/rspamd-3.7/ChangeLog https://rspamd.com/announce/2023/12/15/rspamd-3.7.5.html Best, -AL. On Wed, 2024-01-10 at 12:32 +0100, Christian Mack wrote: > Hello > > Since beefore christmas there is a rspamd version 3.7.5 at least in > the > debian bullseye repo. > But I can not see any changelogs about it at > https://github.com/rspamd/rspamd/blob/master/ChangeLog > > Is that really a valid version? > What has changed in it? > > > Kind regards, > Christian Mack > From rspamd at vlh.dk Wed Jan 10 16:42:14 2024 From: rspamd at vlh.dk (rspamd at vlh.dk) Date: Wed, 10 Jan 2024 16:42:14 +0000 (UTC) Subject: [Rspamd-Users] Thank You In-Reply-To: References: Message-ID: <00ae01da43e1$13b14c20$3b13e460$@vlh.dk> Hi, https://rspamd.com/ -> Donate in upper right corner - that's about the limits of my contribution, too. Regards, Kim Sindalsen > -----Original Message----- > From: Users On Behalf Of Pete Long via > Users > Sent: 9. januar 2024 19:41 > To: User questions > Cc: Pete Long > Subject: [Rspamd-Users] Thank You > > Hi all, > > No issues to report other than I need to learn more about Rspamd. > > I?m totally impressed with this software; particularly how we get so much > functionality and power. > > I?m watching the logs daily in an easy way to read thanks to the web interface > and I have to say I?m very impressed. > > Running version 3.6 on FreeBSD together with OpenSMTPD 7.3.0-portable. > > I can?t code but I can donate if there?s a link anywhere? > > Thanks. > > > Pete. 

From albrecht.backhaus at gmail.com Fri Jan 19 22:55:09 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Fri, 19 Jan 2024 23:55:09 +0100
Subject: [Rspamd-Users] rspamd 3.8.0 available in jammy repo without official announcement ???
Message-ID: <0436218e-0e4b-4815-bf14-798099b916d5@gmail.com>

Hi there

I just got rspamd 3.8.0 offered after apt update:

> rspamd/unknown 3.8.0-1~28391190c~jammy amd64 [upgradable from:
> 3.7.5-2~8c86c1676~jammy]

Is that really an official update ?

There was no official announcement on the mailing list and the github repo still shows 3.7.5 as latest release.

thanks and regards
Albrecht

From lucas at lucasrolff.com Fri Jan 19 22:59:18 2024
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Fri, 19 Jan 2024 22:59:18 +0000
Subject: [Rspamd-Users] rspamd 3.8.0 available in jammy repo without official announcement ???
In-Reply-To: <0436218e-0e4b-4815-bf14-798099b916d5@gmail.com>
References: <0436218e-0e4b-4815-bf14-798099b916d5@gmail.com>
Message-ID: <97C1C7B8-2F46-4B41-B69B-F848861FDB7D@lucasrolff.com>

The changelog in master branch shows 3.8.0 as released today: https://github.com/rspamd/rspamd/blob/master/ChangeLog

On 19 Jan 2024, at 23:55, Albrecht Backhaus wrote:

> Hi there
>
> I just got rspamd 3.8.0 offered after apt update:
>
> rspamd/unknown 3.8.0-1~28391190c~jammy amd64 [upgradable from: 3.7.5-2~8c86c1676~jammy]
>
> Is that really an official update ?
>
> There was no official announcement on the mailing list and the github repo still shows 3.7.5 as latest release.
>
> thanks and regards
> Albrecht

--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users

From rspamd at linuxmaker.com Sat Jan 20 09:06:27 2024
From: rspamd at linuxmaker.com (Andreas)
Date: Sat, 20 Jan 2024 10:06:27 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
Message-ID: <6012354.lOV4Wx5bFT@stuttgart>

Hello,

To avoid annoying spam that gets through Rspamd, I wrote this script

#!/bin/bash +x
if [ ! $UID = 0 ]
then
        /usr/bin/su -
fi
/usr/bin/echo "$1" >> /etc/rspamd/local.d/maps.d/sender_domain_blacklist.map
/usr/bin/systemctl restart rspamd.service

which unfortunately still has to be fed with the domains manually.
Most emails have typical phrases such as "r_ezept-frei", "Rezept-frei", "pharmacy", "Pharma"
in the subject.
Can Rspamd be configured similarly to the script shown so that a reject is triggered
immediately depending on special terms in the subject?

Thanks and Regards

Andreas

From rspamd at jubileegroup.co.uk Sat Jan 20 10:16:04 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Sat, 20 Jan 2024 10:16:04 +0000 (GMT)
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <6012354.lOV4Wx5bFT@stuttgart>
References: <6012354.lOV4Wx5bFT@stuttgart>
Message-ID: <3934f26c-2fa-2b7a-69be-fc9ee765fa98@jubileegroup.co.uk>

Hi there,

On Sat, 20 Jan 2024, Andreas wrote:

> To avoid annoying spam that gets through Rspamd, I wrote this script
>
> #!/bin/bash +x
> if [ ! $UID = 0 ]
> then
>         /usr/bin/su -
> fi
> ...

In general I would advise against all use of sudo on a mail server
which is exposed to the Internet. Its use makes the steps from an
initial compromise to full control of the machine very much easier
for the criminals. Some of them are a lot better than we are, for
the simple reason that they do it for a living, all day every day.

> Can Rspamd be configured similarly to the script shown so that a reject is triggered
> immediately depending on special terms in the subject?

There is great flexibility in rspamd configuration. See for example

https://rspamd.com/doc/tutorials/writing_rules.html#regexp-rules
https://rspamd.com/doc/modules/force_actions.html

Unfortunately things like using regexes to drop mail which contains
particular words or phrases can eventually degenerate into a game of
"whack-a-mole". The maintenance can be costly.
I always try to look
for more general features in unwanted mail; the usually unseen headers
can be a rich source of information.

If you aren't using the rbl module

https://rspamd.com/doc/modules/rbl.html

then you should consider it. After careful setup it can probably
remove a large fraction of your spam with almost no maintenance.

--

73,
Ged.

From rspamd at linuxmaker.com Sat Jan 20 11:00:59 2024
From: rspamd at linuxmaker.com (Andreas)
Date: Sat, 20 Jan 2024 12:00:59 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <3934f26c-2fa-2b7a-69be-fc9ee765fa98@jubileegroup.co.uk>
References: <6012354.lOV4Wx5bFT@stuttgart> <3934f26c-2fa-2b7a-69be-fc9ee765fa98@jubileegroup.co.uk>
Message-ID: <12370978.O9o76ZdvQC@stuttgart>

On Saturday, 20 January 2024, 11:16:04 CET, G.W. Haywood wrote:
> Hi there,
>
> On Sat, 20 Jan 2024, Andreas wrote:
> > To avoid annoying spam that gets through Rspamd, I wrote this script
> >
> > #!/bin/bash +x
> > if [ ! $UID = 0 ]
> > then
> >
> >         /usr/bin/su -
> >
> > fi
> > ...
>
> In general I would advise against all use of sudo on a mail server
> which is exposed to the Internet. Its use makes the steps from an
> initial compromise to full control of the machine very much easier
> for the criminals. Some of them are a lot better than we are, for
> the simple reason that they do it for a living, all day every day.
>
> > Can Rspamd be configured similarly to the script shown so that a reject is
> > triggered immediately depending on special terms in the subject?
>
> There is great flexibility in rspamd configuration. See for example
>
> https://rspamd.com/doc/tutorials/writing_rules.html#regexp-rules
> https://rspamd.com/doc/modules/force_actions.html
>
> Unfortunately things like using regexes to drop mail which contains
> particular words or phrases can eventually degenerate into a game of
> "whack-a-mole". The maintenance can be costly.
> I always try to look
> for more general features in unwanted mail; the usually unseen headers
> can be a rich source of information.
>
> If you aren't using the rbl module
>
> https://rspamd.com/doc/modules/rbl.html
>
> then you should consider it. After careful setup it can probably
> remove a large fraction of your spam with almost no maintenance.

Thank you for the URLs, they are very informative.

I find the warning expose at the beginning a little inappropriate. We all know
that a normal user on Linux cannot change anything in the system. Only the root
can do this, or this sudo. That's exactly what I think is very dangerous - see
Ubuntu. Because everyone, every village idiot can change something. But those
who administrate with "su -" plus root password, I think, are so skilled that
they know what they're doing.

Anyway, thank you very much

Andreas

From rspamd at jubileegroup.co.uk Sat Jan 20 12:35:33 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Sat, 20 Jan 2024 12:35:33 +0000 (GMT)
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <12370978.O9o76ZdvQC@stuttgart>
References: <6012354.lOV4Wx5bFT@stuttgart> <3934f26c-2fa-2b7a-69be-fc9ee765fa98@jubileegroup.co.uk> <12370978.O9o76ZdvQC@stuttgart>
Message-ID: <29eb592-a0c7-a18e-cb16-b0afd66d6e7b@jubileegroup.co.uk>

Hi there,

On Sat, 20 Jan 2024, Andreas wrote:
> On Saturday, 20 January 2024, 11:16:04 CET, G.W. Haywood wrote:
>>> ...
>>
>> In general I would advise against all use of sudo on a mail server
>> which is exposed to the Internet. Its use makes the steps from an
>> initial compromise to full control of the machine very much easier
>> for the criminals. ...
> ...
> I find the warning expose at the beginning a little
> inappropriate. We all know that a normal user on Linux cannot change
> anything in the system. ...
> ...

That's how it's supposed to work, but often it doesn't. Try searching
for "Linux CVE privilege escalation" for example.

https://www.cve.org/CVERecord?id=CVE-2023-33952
https://www.cve.org/CVERecord?id=CVE-2023-32629
https://www.cve.org/CVERecord?id=CVE-2023-32233
https://www.cve.org/CVERecord?id=CVE-2023-22809
https://www.cve.org/CVERecord?id=CVE-2023-4911
...

I have in the past used a vulnerability like this to hack into one of
my own systems when I lost the root password, just because at the time
it was more convenient than rebooting it. The hack was trivial. IIRC
the vulnerability had been present in the system for over a decade.

CVE-2023-22809 is particularly interesting in this context. But if
the initial compromise happens to have given access for the malicious
actor to an account listed in 'sudoers' then it might already be game
over. See for example (random link taken from a search):

https://superuser.com/questions/1495807/can-someone-explain-what-is-user-all-all-nopasswdall-does-in-sudoers-file

--

73,
Ged.

From list+rspamd at gcore.biz Sat Jan 20 12:56:33 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Sat, 20 Jan 2024 13:56:33 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <6012354.lOV4Wx5bFT@stuttgart>
References: <6012354.lOV4Wx5bFT@stuttgart>
Message-ID: <6240F85E-FBB9-401F-B4C9-8522C1BD59EC@gcore.biz>

> Hello,
> To avoid annoying spam that gets through Rspamd, I wrote this script
>
> #!/bin/bash +x
> if [ ! $UID = 0 ]
> then
>         /usr/bin/su -
> fi
> /usr/bin/echo "$1" >> /etc/rspamd/local.d/maps.d/sender_domain_blacklist.map
> /usr/bin/systemctl restart rspamd.service
>
> which unfortunately still has to be fed with the domains manually.
> Most emails have typical phrases such as "r_ezept-frei", "Rezept-frei", "pharmacy", "Pharma"
> in the subject.
> Can Rspamd be configured similarly to the script shown so that a reject is triggered
> immediately depending on special terms in the subject?

See https://rspamd.com/doc/modules/multimap.html

Example:

/etc/rspamd/local.d/multimap.conf

BLOCK_SUBJECT {
  type = "header";
  header = "Subject";
  map = "https:// or file:// [1]";
  multi = true;
  regexp = true;
  prefilter = true;
  action = "reject";
  # message = "Spammy subject blocked";
  # score = 1.0;
}

--> action = "reject" will reject immediately, otherwise score will be added

[1] Content of map file:

# /regex/ SYMBOL:SCORE
/Bitcoin-Effekt/ BLOCK_SUBJECT:4.5

/etc/rspamd/local.d/metrics.conf

symbol "BLOCK_SUBJECT" {
  weight = 1.0;
}

Best regards,
Gerald

From albrecht.backhaus at gmail.com Sat Jan 20 17:22:17 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Sat, 20 Jan 2024 18:22:17 +0100
Subject: [Rspamd-Users] cannot learn task since update to 3.8.0
Message-ID: <44324a07-9122-4ec0-bcf9-b3bc9229f64b@gmail.com>

Since update to 3.8.0 today I do get the following error:

> cannot learn task: ERR Error running script (call to
> f_011c3be117fb4380571ffe4d38e4884afaf37963): @user_script:1:
> user_script:1: stack overflow (too many return values at once; use
> unpack_one or unpack_limit instead.)

It worked previously without any problems. Any idea what I can do to solve this ?

Thanks in advance
Albrecht

From rspamd at vlh.dk Sat Jan 20 19:50:47 2024
From: rspamd at vlh.dk (rspamd at vlh.dk)
Date: Sat, 20 Jan 2024 20:50:47 +0100
Subject: [Rspamd-Users] Time/date format in webui
Message-ID: <002401da4bd9$f6e7e530$e4b7af90$@vlh.dk>

Hi,

Is it possible to change/set the date/time format shown in ie. the History-page of the webui?

Regards,
Kim Sindalsen

From moiseev at mezonplus.ru Sun Jan 21 06:09:37 2024
From: moiseev at mezonplus.ru (Alexander Moisseev)
Date: Sun, 21 Jan 2024 09:09:37 +0300
Subject: [Rspamd-Users] Time/date format in webui
In-Reply-To: <002401da4bd9$f6e7e530$e4b7af90$@vlh.dk>
References: <002401da4bd9$f6e7e530$e4b7af90$@vlh.dk>
Message-ID:

On 20.01.2024 22:50, Kim Sindalsen via Users wrote:
>
> Is it possible to change/set the date/time format shown in ie. the
> History-page of the webui?
>

Click on the "cog" icon in the upper-right corner, set desired time locale, then click the Update or Refresh button.

From rspamd at vlh.dk Sun Jan 21 09:14:45 2024
From: rspamd at vlh.dk (rspamd at vlh.dk)
Date: Sun, 21 Jan 2024 10:14:45 +0100
Subject: [Rspamd-Users] Time/date format in webui
In-Reply-To:
References: <002401da4bd9$f6e7e530$e4b7af90$@vlh.dk>
Message-ID: <000901da4c4a$46c00090$d44001b0$@vlh.dk>

> -----Original Message-----
> From: Users On Behalf Of Alexander Moisseev via Users
> Sent: 21 January 2024 07:10
> To: users at lists.rspamd.com
> Cc: Alexander Moisseev
> Subject: Re: [Rspamd-Users] Time/date format in webui
>
>
> Click on the "cog" icon in the upper-right corner, set desired time locale, then
> click the Update or Refresh button.

Oh my - thanks, dunno why I never tried to click that...

From albrecht.backhaus at gmail.com Sun Jan 21 11:18:16 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Sun, 21 Jan 2024 12:18:16 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <22cf49f4-1508-474d-8fb5-3d49ac81fd40@gmail.com>
References: <22cf49f4-1508-474d-8fb5-3d49ac81fd40@gmail.com>
Message-ID: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com>

> Hi there,
>
> On Sat, 20 Jan 2024, Andreas wrote:
>
>> To avoid annoying spam that gets through Rspamd, I wrote this script
>>
>> #!/bin/bash +x
>> if [ ! $UID = 0 ]
>> then
>>         /usr/bin/su -
>> fi
>> ...
>

I had this kind of spam approaching my server as well.
These mails usually do have subjects like e.g.

> info reze-ptfrei anfordern

The rbl module does not help here. I do use rbl and these kind of mails do not get filtered by rbl and they do have a proper dkim signature and pass spf and dmarc without problems. See following example:

> *DMARC_POLICY_ALLOW*(-0.5)[smartlocaldigital.com,reject]
> *R_DKIM_ALLOW*(-0.2)[smartlocaldigital.com:s=root]
> *R_SPF_ALLOW*(-0.2)[+ip4:198.98.61.0/24]
> *MIME_GOOD*(-0.1)[multipart/alternative,text/plain]
> *MX_GOOD*(-0.01)[]
> *FROM_HAS_DN*(0)
> *TO_DN_ALL*(0)
> *FROM_EQ_ENVFROM*(0)
> *RCPT_COUNT_ONE*(0)[1]
> *ASN*(0)[asn:53667, ipnet:198.98.48.0/20, country:US]
> *TO_MATCH_ENVRCPT_ALL*(0)
> *MISSING_XM_UA*(0)
> *MID_RHS_MATCH_FROMTLD*(0)
> *RCVD_COUNT_ZERO*(0)[0]
> *DKIM_TRACE*(0)[smartlocaldigital.com:+]
> *MIME_TRACE*(0)[0:+,1:+,2:~]
> *ARC_NA*(0)

I then use the following multimap definitions to fight against that kind of spam:

> body_content_blacklisted {
>             type = "content";
>             filter = "body"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_body_content.map";
>             symbol = "BODY_CONTENT_BLACKLISTED";
>             regexp = true;
> }
> header_content_blacklisted {
>             type = "content";
>             filter = "headers"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_header_content.map";
>             symbol = "HEADER_CONTENT_BLACKLISTED";
>             regexp = true;
> }
> full_content_blacklisted {
>             type = "content";
>             filter = "full"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_full_content.map";
>             symbol = "FULL_CONTENT_BLACKLISTED";
>             regexp = true;
> }

You then can easily populate the respective map via web gui with the desired expression.
Example map:

> /etc/rspamd/local.d/maps.d/blacklist_full_content.map
> # blacklisted full content
> Abverkauf
> Arbeitsbeginn
> Bewerbungsprozess
> deepblue
> discount
> erektion
> Gratis-Muster
> iphone
> Kaufentscheider
> klicktipp
> Kryptohandel
> Lager-Überhang
> Liebesleben
> Liebesspiel
> Litauen
> Lohnkosten
> Manneskraft
> Mitarbeiterüberlassung
> Orgasmus
> Osteuropa
> Potenz
> Praeparate
> Schnäppchenpreis
> sensationelles Angebot
> sexuell
> Sonderaktion
> Sonderangebot
> Sonderposten
> Sonderpreis
> Sonderverkauf
> Spar-Tipp
> Top_Angebot
> traden
> unschlagbares Angebot
> Vorteilspreis
> Werbemittel
> Wunderpillen
> Zeitarbeitsfirma
> Zielgruppe

From t.hendricks at interpool.de Sun Jan 21 11:37:24 2024
From: t.hendricks at interpool.de (Tino Hendricks)
Date: Sun, 21 Jan 2024 12:37:24 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com>
References: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com>
Message-ID: <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de>

Hi Albrecht,

thanks for sharing because we all get hit by these mails.
I don't see which of the words in your blacklist_full_content.map would hit the
>> info reze-ptfrei anfordern

Because the hyphen is at another position every time.

Thanks

Tino

> On 21.01.2024 at 12:23, Albrecht Backhaus wrote:
>
>> Hi there,
>>
>>> On Sat, 20 Jan 2024, Andreas wrote:
>>>
>>> To avoid annoying spam that gets through Rspamd, I wrote this script
>>>
>>> #!/bin/bash +x
>>> if [ ! $UID = 0 ]
>>> then
>>>         /usr/bin/su -
>>> fi
>>> ...
>>
> I had this kind of spam approaching my server as well. These mails usually do have subjects like e.g.
>
>> info reze-ptfrei anfordern
> The rbl module does not help here. I do use rbl and these kind of mails do not get filtered by rbl and they do have a proper dkim signature and pass spf and dmarc without problems.
> See following example:
>> *DMARC_POLICY_ALLOW*(-0.5)[smartlocaldigital.com,reject]
>> *R_DKIM_ALLOW*(-0.2)[smartlocaldigital.com:s=root]
>> *R_SPF_ALLOW*(-0.2)[+ip4:198.98.61.0/24]
>> *MIME_GOOD*(-0.1)[multipart/alternative,text/plain]
>> *MX_GOOD*(-0.01)[]
>> *FROM_HAS_DN*(0)
>> *TO_DN_ALL*(0)
>> *FROM_EQ_ENVFROM*(0)
>> *RCPT_COUNT_ONE*(0)[1]
>> *ASN*(0)[asn:53667, ipnet:198.98.48.0/20, country:US]
>> *TO_MATCH_ENVRCPT_ALL*(0)
>> *MISSING_XM_UA*(0)
>> *MID_RHS_MATCH_FROMTLD*(0)
>> *RCVD_COUNT_ZERO*(0)[0]
>> *DKIM_TRACE*(0)[smartlocaldigital.com:+]
>> *MIME_TRACE*(0)[0:+,1:+,2:~]
>> *ARC_NA*(0)
>
> I then use the following multimap definitions to fight against that kind of spam:
>
>> body_content_blacklisted {
>>     type = "content";
>>     filter = "body"; # can be headers, full, oneline, text, rawtext
>>     map = "file:///etc/rspamd/local.d/maps.d/blacklist_body_content.map";
>>     symbol = "BODY_CONTENT_BLACKLISTED";
>>     regexp = true;
>> }
>> header_content_blacklisted {
>>     type = "content";
>>     filter = "headers"; # can be headers, full, oneline, text, rawtext
>>     map = "file:///etc/rspamd/local.d/maps.d/blacklist_header_content.map";
>>     symbol = "HEADER_CONTENT_BLACKLISTED";
>>     regexp = true;
>> }
>> full_content_blacklisted {
>>     type = "content";
>>     filter = "full"; # can be headers, full, oneline, text, rawtext
>>     map = "file:///etc/rspamd/local.d/maps.d/blacklist_full_content.map";
>>     symbol = "FULL_CONTENT_BLACKLISTED";
>>     regexp = true;
>> }
>
> You then can easily populate the respective map via web gui with the desired expression.
> Example map:
>
>> /etc/rspamd/local.d/maps.d/blacklist_full_content.map
>> # blacklisted full content
>> Abverkauf
>> Arbeitsbeginn
>> Bewerbungsprozess
>> deepblue
>> discount
>> erektion
>> Gratis-Muster
>> iphone
>> Kaufentscheider
>> klicktipp
>> Kryptohandel
>> Lager-Überhang
>> Liebesleben
>> Liebesspiel
>> Litauen
>> Lohnkosten
>> Manneskraft
>> Mitarbeiterüberlassung
>> Orgasmus
>> Osteuropa
>> Potenz
>> Praeparate
>> Schnäppchenpreis
>> sensationelles Angebot
>> sexuell
>> Sonderaktion
>> Sonderangebot
>> Sonderposten
>> Sonderpreis
>> Sonderverkauf
>> Spar-Tipp
>> Top_Angebot
>> traden
>> unschlagbares Angebot
>> Vorteilspreis
>> Werbemittel
>> Wunderpillen
>> Zeitarbeitsfirma
>> Zielgruppe

From albrecht.backhaus at gmail.com Sun Jan 21 11:50:36 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Sun, 21 Jan 2024 12:50:36 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de>
References: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com> <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de>
Message-ID:

> thanks for sharing because we all get hit by these mails.
> I don't see which of the words in your blacklist_full_content.map would hit the
>>> info reze-ptfrei anfordern
> Because the hyphen is at another position every time.
>
> Thanks
>
> Tino

Hi Tino

The check against the full message content (i.e. not just the subject) helps me quite well here. I do this using the word list provided.

I've just been too lazy so far to compose a sophisticated regex expression against the subject content. I have therefore looked at the previous content of the spam and used some terms from it for my map. Since I have been doing this, all these mails have been reliably rejected. I have given the symbols a correspondingly high score.

Should it be necessary, I would then take the time to create a corresponding regex expression for filtering the subject. But so far everything is going well for me ...

Regards
Albrecht

From rspamd at jubileegroup.co.uk Sun Jan 21 12:38:09 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Sun, 21 Jan 2024 12:38:09 +0000 (GMT)
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de>
References: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com> <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de>
Message-ID: <0ae84f7-f6d3-86b9-dac2-a33fb620b1cc@jubileegroup.co.uk>

Hi there,

On Sun, 21 Jan 2024, Tino Hendricks wrote:

> I don't see which of the words in your blacklist_full_content.map would hit the
>>> info reze-ptfrei anfordern
>
> Because the hyphen is at another position every time.

This is the sort of thing I mean when I say "whack-a-mole".

You *can* write a regex which will match the phrase even if random

$ perl -e 'if( "in-fo reze-pt-frei an-for-dern" =~ /i.?n.?f.?o.? .?r.?e.?z.?e.?p.?t.?f.?r.?e.?i.? .?a.?n.?f.?o.?r.?d.?e.?.?r.?n/ ){print "matched\n";}'
matched

punctuation is inserted, and you can even code something which will
take a list of phrases in plain text and generate a bunch of regexes
automatically, but usually the law of diminishing returns will assert
itself. The malicious actor need only change one of his words, or the
spelling, or the entire phrase - and of course he will - and Mole will
pop up his head somewhere else and you'll have to change your regexes.

Better to try to find something else which identifies the messages.

As I said earlier there are usually things in the headers which can
give you a way to identify unwanted mail.

--

73,
Ged.
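
The phrase-to-regex generator mentioned in the message above, as an added Python example (not code from the thread or from the Rspamd project). It narrows the `.?` filler of the Perl one-liner to non-alphanumeric characters so that ordinary words are less likely to match; the phrase list, function names and the two constructed subjects are assumptions, and the `/regex/ SYMBOL:SCORE` map-line shape is the one quoted earlier in this thread.

```python
import re


def tolerant_pattern(phrase: str, max_filler: int = 3) -> str:
    """Return a PCRE-style regex source that matches `phrase` even when up to
    `max_filler` non-alphanumeric characters sit between any two letters."""
    # Keep only letters and digits; spaces and punctuation in the plain-text
    # phrase are dropped because the filler class below covers them.
    letters = re.findall(r"[^\W_]", phrase)
    if len(letters) < 2:
        raise ValueError(f"phrase too short to build a pattern: {phrase!r}")
    # Unlike `.?`, this filler cannot swallow a letter, so "Rezeptpflicht"
    # does not match a pattern built for "rezeptfrei".
    filler = r"[\W_]{0,%d}" % max_filler
    return r"(?i)\b" + filler.join(letters) + r"\b"


def matching_phrases(subject: str, phrases, max_filler: int = 3):
    """List the phrases whose tolerant pattern is found in `subject`."""
    return [p for p in phrases
            if re.search(tolerant_pattern(p, max_filler), subject)]


def map_lines(phrases, symbol: str, score: float, max_filler: int = 3):
    """Render one map line per phrase in the `/regex/ SYMBOL:SCORE` shape."""
    return [f"/{tolerant_pattern(p, max_filler)}/ {symbol}:{score}"
            for p in phrases]


# Plain-text phrases to protect against (assumed list).
PHRASES = ["info rezeptfrei anfordern", "rezeptfrei"]

# Sample subjects: the first three appear in the thread, the last two are
# constructed (a legitimate subject and a respelled variant).
SUBJECTS = [
    "info reze-ptfrei anfordern",
    "in-fo reze-pt-frei an-for-dern",
    "r_ezept-frei",
    "Information zur Rezeptpflicht anfordern",
    "info resept frei bestellen",
]

if __name__ == "__main__":
    for line in map_lines(PHRASES, "BLOCK_SUBJECT", 4.5):
        print(line)
    for subject in SUBJECTS:
        hits = matching_phrases(subject, PHRASES)
        print(f"{subject!r:45} -> {hits if hits else 'no match'}")
```

The respelled subject in the last sample is not caught, which is the maintenance cost the message describes: every new spelling needs a new phrase in the list.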

From t.hendricks at interpool.de Sun Jan 21 14:57:43 2024
From: t.hendricks at interpool.de (Tino Hendricks)
Date: Sun, 21 Jan 2024 15:57:43 +0100
Subject: [Rspamd-Users] cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses
Message-ID: <38B8754A-DFBA-4AFD-97EC-845C5BEC03E0@interpool.de>

Hi there,

what could be the problem with my

mail ~ # more /etc/rspamd/local.d/options.inc
dns {
  nameserver = ["127.0.0.1"];
}

resulting in error

cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses

I literally copied the entry from https://rspamd.com/doc/faq.html#resolver-setup
So typo might not be the case here.

Thanks

Tino

From t.hendricks at interpool.de Sun Jan 21 15:04:08 2024
From: t.hendricks at interpool.de (Tino Hendricks)
Date: Sun, 21 Jan 2024 16:04:08 +0100
Subject: [Rspamd-Users] Control rspamd depending on subject content
In-Reply-To: <0ae84f7-f6d3-86b9-dac2-a33fb620b1cc@jubileegroup.co.uk>
References: <04f72b3e-fe99-48fa-9b15-7c8292008f65@gmail.com> <6EAB3BF0-C343-4ED0-B386-DB5902F35CFD@interpool.de> <0ae84f7-f6d3-86b9-dac2-a33fb620b1cc@jubileegroup.co.uk>
Message-ID:

Guys, you are gold!
Thanks a bunch!

> On 21.01.2024 at 13:38, G.W. Haywood wrote:
>
> Hi there,
>
> On Sun, 21 Jan 2024, Tino Hendricks wrote:
>
>> I don't see which of the words in your blacklist_full_content.map would hit the
>>>> info reze-ptfrei anfordern
>>
>> Because the hyphen is at another position every time.
>
> This is the sort of thing I mean when I say "whack-a-mole".
>
> You *can* write a regex which will match the phrase even if random
>
> $ perl -e 'if( "in-fo reze-pt-frei an-for-dern" =~ /i.?n.?f.?o.? .?r.?e.?z.?e.?p.?t.?f.?r.?e.?i.? .?a.?n.?f.?o.?r.?d.?e.?.?r.?n/ ){print "matched\n";}'
> matched
>
> punctuation is inserted, and you can even code something which will
> take a list of phrases in plain text and generate a bunch of regexes
> automatically, but usually the law of diminishing returns will assert
> itself.
> The malicious actor need only change one of his words, or the
> spelling, or the entire phrase - and of course he will - and Mole will
> pop up his head somewhere else and you'll have to change your regexes.
>
> Better to try to find something else which identifies the messages.
>
> As I said earlier there are usually things in the headers which can
> give you a way to identify unwanted mail.
>
> --
>
> 73,
> Ged.

From rspamd at jubileegroup.co.uk Sun Jan 21 16:23:02 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Sun, 21 Jan 2024 16:23:02 +0000 (GMT)
Subject: [Rspamd-Users] cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses
In-Reply-To: <38B8754A-DFBA-4AFD-97EC-845C5BEC03E0@interpool.de>
References: <38B8754A-DFBA-4AFD-97EC-845C5BEC03E0@interpool.de>
Message-ID:

Hi there,

On Sun, 21 Jan 2024, Tino Hendricks wrote:

> what could be the problem with my
>
> mail ~ # more /etc/rspamd/local.d/options.inc
> dns {
>   nameserver = ["127.0.0.1"];
> }
>
> resulting in error
>
> cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses
>
> I literally copied the entry from https://rspamd.com/doc/faq.html#resolver-setup
> So typo might not be the case here.

What led you to make this configuration change? How did rspamd behave
before the change?

There could be a few reasons for your problem (and there will be
people far more experienced than I with making configuration changes
for rspamd).

Do you have a file in the directory /etc/ called "resolv.conf"? If
so *exactly* what's in it?

The configuration for rspamd is rather complex. Changes you make
might not always do what you think they do. Have you tried to use
the 'rspamadm configdump' command to see what your changes actually
did?

Because handling mail makes use of DNS extensively, rspamd may be a
bit fussy about name resolution.
You do have a working resolver on
the box?

--

73,
Ged.

From list+rspamd at gcore.biz Sun Jan 21 17:45:44 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Sun, 21 Jan 2024 18:45:44 +0100
Subject: [Rspamd-Users] cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses
In-Reply-To: <38B8754A-DFBA-4AFD-97EC-845C5BEC03E0@interpool.de>
References: <38B8754A-DFBA-4AFD-97EC-845C5BEC03E0@interpool.de>
Message-ID:

> what could be the problem with my
>
> mail ~ # more /etc/rspamd/local.d/options.inc
> dns {
>   nameserver = ["127.0.0.1"];
> }
>
> resulting in error
>
> cannot parse resolv.conf and no nameservers defined, so no ways to resolve addresses

My guess is that /etc/resolv.conf does not exist or is malformed.

Your options.inc's syntax is correct and does work on my installation
even with all entries in /etc/resolv.conf commented out - but the
file /etc/resolv.conf must exist.

Generally it is sufficient to configure nameservers in /etc/resolv.conf
which rspamd will use. Only set dns in options.inc if you want rspamd
to query specific/non-default nameservers or special use cases (fallback/hash):

https://rspamd.com/doc/faq.html#resolver-setup

Best regards,
Gerald

From list+rspamd at gcore.biz Sun Jan 21 18:32:29 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Sun, 21 Jan 2024 19:32:29 +0100
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To:
References:
Message-ID: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz>

> I'd like to block sending out emails that have a different header FROM
> address domain than their envelope FROM address domain.

I don't think there is an easy way to accomplish that and you need to
keep in mind legitimate reasons for "header/envelope from" to differ,
e.g. sender rewriting scheme (SRS).

There is a symbol named FROM_NEQ_ENVFROM which you could use as an
example for a custom lua rule and then act upon authenticated users:

https://github.com/rspamd/rspamd/blob/master/rules/headers_checks.lua
Line 630 - 676.

https://rspamd.com/doc/tutorials/writing_rules.html
https://rspamd.com/doc/lua/

Best regards,
Gerald

From list+rspamd at gcore.biz Sun Jan 21 21:38:29 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Sun, 21 Jan 2024 22:38:29 +0100
Subject: [Rspamd-Users] cannot learn task since update to 3.8.0
In-Reply-To: <44324a07-9122-4ec0-bcf9-b3bc9229f64b@gmail.com>
References: <44324a07-9122-4ec0-bcf9-b3bc9229f64b@gmail.com>
Message-ID: <027383F1-3CFE-4BD6-93B5-CA5479E77377@gcore.biz>

> Since update to 3.8.0 today I do get the following error:
>
>> cannot learn task: ERR Error running script (call to f_011c3be117fb4380571ffe4d38e4884afaf37963): @user_script:1: user_script:1: stack overflow (too many return values at once; use unpack_one or unpack_limit instead.)
>
> It worked previously without any problems. Any idea what I can do to solve this ?

What's your stack size limit?

Depending on your distribution there may be system-wide limits,
limits in initscripts for particular services, like

[root at server ~]# ulimit -s
8192

or systemd, which ignores the latter:

[root at server ~]# systemctl show redis | egrep "^Limit"
[root at server ~]# systemctl show rspamd | egrep "^Limit"
LimitCPU=18446744073709551615
LimitFSIZE=18446744073709551615
LimitDATA=18446744073709551615
LimitSTACK=18446744073709551615
^^^^^^^^^^^
LimitCORE=18446744073709551615
LimitRSS=18446744073709551615
LimitNOFILE=1048576
....

Best regards,
Gerald

From alberto at bersol.info Sun Jan 21 21:55:02 2024
From: alberto at bersol.info (Alberto)
Date: Sun, 21 Jan 2024 22:55:02 +0100
Subject: [Rspamd-Users] Multimap combined rules not working
Message-ID: <4964054f-cd1e-588a-15dc-cb6691634c7e@bersol.info>

Hi,

I'm trying to set a Combined rule (From+Rcpt) in Multimap, but I'm receiving this error message:

...

# Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; lua_maps_expressions.lua:126: cannot add maps combination for module multimap: required elements are missing
# Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1211: cannot add combined map for COMB_FROM_RCPT
# Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1334: cannot add rule: "COMB_FROM_RCPT"

...

Do I have to enable some module or something like that?

My version is 3.7.5 from Docker image.

Best Regards,

From pcernko at mpi-klsb.mpg.de Mon Jan 22 04:59:34 2024
From: pcernko at mpi-klsb.mpg.de (Patrick Cernko)
Date: Mon, 22 Jan 2024 05:59:34 +0100
Subject: [Rspamd-Users] "rezeptfrei" spam (was: Re: Control rspamd depending on subject content)
In-Reply-To: <6012354.lOV4Wx5bFT@stuttgart>
References: <6012354.lOV4Wx5bFT@stuttgart>
Message-ID:

Hello list, hello Andreas,

On 20.01.24 10:06, Andreas wrote:
> Most emails have typical phrases such as "r_ezept-frei", "Rezept-frei", "pharmacy", "Pharma"
> in the subject.

I came up with a custom lua script to fight this kind of spam. The idea
was, that this spam can be detected by checking if the subject starts
with the recipient's local_part, contains an obfuscated version of the
string "rezeptfrei" and the content starts with "GREETING ".

Code in attachment.

In addition, I added some composites that bump scores drastically:

# apothekenspam with:
# - subject starting with local part of To
# - url regexp matches
MPI_APONL_WITH_URL_COMPOSITE {
  # the '-' prefix is required to KEEP the symbol and score,
  # otherwise, composites remove the symbols used and their scores
  expression = "-MPI_APONL_LP and -MPI_APONL_URL";
  score = 10.0;
}
MPI_APONL_WITH_SENDER_COMPOSITE {
  # the '-' prefix is required to KEEP the symbol and score,
  # otherwise, composites remove the symbols used and their scores
  expression = "-MPI_APONL_LP and -MPI_APONL_SENDER";
  score = 10.0;
}

Best,
--
Patrick Cernko +49 681 9325 5815
Joint Scientific IT and Technical Service
Max-Planck-Institute für Informatik & Softwaresysteme
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rspamd.local.lua
Type: text/x-lua
Size: 4322 bytes
Desc: not available
URL:

From albrecht.backhaus at gmail.com Mon Jan 22 06:23:23 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Mon, 22 Jan 2024 07:23:23 +0100
Subject: [Rspamd-Users] cannot learn task since update to 3.8.0
In-Reply-To:
References:
Message-ID: <919bc64c-9019-45a7-89c4-1dc0eb0979bd@gmail.com>

>> Since update to 3.8.0 today I do get the following error:
>>
>>> cannot learn task: ERR Error running script (call to f_011c3be117fb4380571ffe4d38e4884afaf37963): @user_script:1: user_script:1: stack overflow (too many return values at once; use unpack_one or unpack_limit instead.)
>> It worked previously without any problems. Any idea what I can do to solve this ?
> What's your stack size limit?
>
> Depending on your distribution there may be system-wide limits,
> limits in initscripts for particular services, like
>
> [root at server ~]# ulimit -s
> 8192
>
> or systemd, which ignores the latter:
>
> [root at server ~]# systemctl show redis | egrep "^Limit"
> [root at server ~]# systemctl show rspamd | egrep "^Limit"
>

Here are my values:

ulimit -s   => 8192

systemctl show redis | egrep "^Limit"
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=0
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=65535
LimitNOFILESoft=65535
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1030038
LimitNPROCSoft=1030038
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=1030038
LimitSIGPENDINGSoft=1030038
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity

systemctl show rspamd | egrep "^Limit"
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=0
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=1048576
LimitNOFILESoft=1048576
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1030038
LimitNPROCSoft=1030038
LimitMEMLOCK=65536
LimitMEMLOCKSoft=65536
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=1030038
LimitSIGPENDINGSoft=1030038
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity

From alberto at bersol.info Mon Jan 22 08:08:35 2024
From: alberto at bersol.info (Alberto)
Date: Mon, 22 Jan 2024 09:08:35 +0100
Subject: [Rspamd-Users] Multimap combined rules not working
In-Reply-To: <4964054f-cd1e-588a-15dc-cb6691634c7e@bersol.info>
References: <4964054f-cd1e-588a-15dc-cb6691634c7e@bersol.info>
Message-ID: <3e396241-89be-64da-6ebf-61c64e546167@bersol.info>

On 21/1/24 at 22:55, Alberto wrote:
> Hi,
>
> I'm trying to set a Combined rule (From+Rcpt) in Multimap, but I'm
> receiving this error message:
>
> ...
>
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; lua_maps_expressions.lua:126: cannot add maps combination for module multimap: required elements are missing
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1211: cannot add combined map for COMB_FROM_RCPT
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1334: cannot add rule: "COMB_FROM_RCPT"
>
> ...
>
>
> Do I have to enable some module or something like that?
>
> My version is 3.7.5 from Docker image.
>
> Best Regards,
>

Sorry, I've resent mail, because I think my DMARC policy could block correct reception in many members.

I've configured munging to avoid it.

From johannes at rohr.org Mon Jan 22 09:50:41 2024
From: johannes at rohr.org (Johannes Rohr)
Date: Mon, 22 Jan 2024 10:50:41 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
Message-ID: <5445b082-418b-463f-8384-29277c426e01@rohr.org>

As the subject says, I notice that mail generated by the phpmail function (mostly by wordpress) is not being signed regardless of the value of sign_local. Why is that? As of lately, google rejects any unsigned mail, so this is a nuisance.

Does anyone have an idea why that is?

Cheers,

Johannes

From albrecht.backhaus at gmail.com Mon Jan 22 10:19:18 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Mon, 22 Jan 2024 11:19:18 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To: <5445b082-418b-463f-8384-29277c426e01@rohr.org>
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org>
Message-ID:

> As the subject says, I notice that mail generated by the phpmail
> function (mostly by wordpress) is not being signed regardless of the
> value of sign_local. Why is that? As of lately, google rejects any
> unsigned mail, so this is a nuisance.
>
> Does anyone have an idea why that is?
>

I had a similar problem once in the past. Maybe your phpmail script is not using SMTP authentication on your "rspamd-powered" mail-server.

DKIM signatures are only added when you use SMTP authentication (the DKIM feature would be pretty useless if there would be no authentication at all ...)

Regards, Albrecht

From cr at ncxs.de Mon Jan 22 10:44:06 2024
From: cr at ncxs.de (Carsten Rosenberg)
Date: Mon, 22 Jan 2024 11:44:06 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To: <5445b082-418b-463f-8384-29277c426e01@rohr.org>
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org>
Message-ID: <82916c4b-903f-4f90-b166-e16dd35d8f84@ncxs.de>

On 22.01.24 10:50, Johannes Rohr wrote:
> As the subject says, I notice that mail generated by the phpmail
> function (mostly by wordpress) is not being signed regardless of the
> value of sign_local. Why is that? As of lately, google rejects any
> unsigned mail, so this is a nuisance.
>
> Does anyone have an idea why that is?
>
> Cheers,
>
> Johannes
>

Hey,

It would be helpful if you have some logs and dkim_signing config for us. As I also asked in the chat. Was the mail scanned at all by rspamd?

If you are using Postfix and PHP's default mail() function the mail will not be scanned without setting 'non_smtpd_milters'

Carsten

From johannes at rohr.org Mon Jan 22 11:23:03 2024
From: johannes at rohr.org (Johannes Rohr)
Date: Mon, 22 Jan 2024 12:23:03 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To:
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org>
Message-ID: <1e8df60e-829d-4588-b5bc-98612e136a30@rohr.org>

On 22.01.24 at 11:19, Albrecht Backhaus wrote:
>
>> As the subject says, I notice that mail generated by the phpmail
>> function (mostly by wordpress) is not being signed regardless of the
>> value of sign_local. Why is that? As of lately, google rejects any
>> unsigned mail, so this is a nuisance.
>>
>> Does anyone have an idea why that is?
>>
> I had a similar problem once in the past. Maybe your phpmail script is
> not using SMTP authentication on your "rspamd-powered" mail-server.

Well, that's exactly the problem. And my assumption was that sign_local would solve it. WordPress stubbornly uses PHP's mail() function unless you install a plugin. But there are about 60 wordpress instances on my server.

>
>
> DKIM signatures are only added when you use SMTP authentication
> (the DKIM feature would be pretty useless if there would be no
> authentication at all ...)

That seems to be not quite the case. It is also added to mails submitted via sendmail, just not to mails submitted through the mechanism that php's mail() uses, whatever it is. The mails I am concerned about do originate from a local user on the server (www-data), so there would be no reason not to authenticate it as coming from this server's FQDN. Or am I missing something?

Johannes

>
> Regards, Albrecht

From albrecht.backhaus at gmail.com Mon Jan 22 11:47:46 2024
From: albrecht.backhaus at gmail.com (Albrecht Backhaus)
Date: Mon, 22 Jan 2024 12:47:46 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To: <1e8df60e-829d-4588-b5bc-98612e136a30@rohr.org>
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org> <1e8df60e-829d-4588-b5bc-98612e136a30@rohr.org>
Message-ID:

>> DKIM signatures are only added when you use SMTP
>> authentication (the DKIM feature would be pretty useless if
>> there would be no authentication at all ...)
>
> That seems to be not quite the case. It is also added to mails
> submitted via sendmail, just not to mails submitted through the
> mechanism that php's mail() uses, whatever it is. The mails I am
> concerned about do originate from a local user on the server
> (www-data), so there would be no reason not to authenticate it as
> coming from this server's FQDN. Or am I missing something?

That question is not easy to answer without knowing more about the complete setting. What kind of mail server do you use etc. ....

I personally would never assume that there is no reason to authenticate local email, only because the sender is "saying - I am "www-data.domain.tld".

I am sure that there are suitable plugins for wordpress which are able to use smtp-auth - another workaround could be to use a function to do the same.

Regards, Albrecht

From johannes at rohr.org Mon Jan 22 12:44:48 2024
From: johannes at rohr.org (Johannes Rohr)
Date: Mon, 22 Jan 2024 13:44:48 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To:
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org> <1e8df60e-829d-4588-b5bc-98612e136a30@rohr.org>
Message-ID:

On 22.01.24 at 12:47, Albrecht Backhaus wrote:
>
>>> DKIM signatures are only added when you use SMTP
>>> authentication (the DKIM feature would be pretty useless if
>>> there would be no authentication at all ...)
>>
>> That seems to be not quite the case. It is also added to mails
>> submitted via sendmail, just not to mails submitted through the
>> mechanism that php's mail() uses, whatever it is. The mails I am
>> concerned about do originate from a local user on the server
>> (www-data), so there would be no reason not to authenticate it as
>> coming from this server's FQDN. Or am I missing something?
>
> That question is not easy to answer without knowing more about the
> complete setting. What kind of mail server do you use etc. ....

Nothing unusual. Using postfix, nginx, php fpm, running as user www-data, pretty standard stuff, I'd say.

>
> I personally would never assume that there is no reason to
> authenticate local email, only because the sender is "saying - I am
> "www-data.domain.tld".

According to that logic, rspamd should also refuse to sign mail delivered to the mta via mail, mailx or sendmail. But somehow, in those cases it does, just not when the mail is generated by the PHP mail() function. The only difference seems to be that the latter uses the loopback interface rather than sendmail. When the local user www-data delivers mail through the loopback interface, you can be just as sure that it originates from the local machine as when mail is delivered via sendmail. I therefore can't think of any reason not to authenticate it as coming from the local machine.

>
> I am sure that there are suitable plugins for wordpress which are able
> to use smtp-auth - another workaround could be to use a function to do
> the same.

Yes, there are. And I have installed them in those wordpress instances that I maintain, but there are several dozens more instances on my server, and the bounces are always sent to www-data, rather than to the owner of the respective WP instance. So I am looking for a solution that covers all of them.

Cheers,

Johannes

>
> Regards, Albrecht
>
>

From johannes at rohr.org Mon Jan 22 13:24:40 2024
From: johannes at rohr.org (Johannes Rohr)
Date: Mon, 22 Jan 2024 14:24:40 +0100
Subject: [Rspamd-Users] phpmail() generated mail is not signed regardless of sign_local=true
In-Reply-To: <82916c4b-903f-4f90-b166-e16dd35d8f84@ncxs.de>
References: <5445b082-418b-463f-8384-29277c426e01@rohr.org> <82916c4b-903f-4f90-b166-e16dd35d8f84@ncxs.de>
Message-ID:

On 22.01.24 at 11:44, Carsten Rosenberg wrote:
> [...]
>
> It would be helpful if you have some logs and dkim_signing config for
> us. As I also asked in the chat. Was the mail scanned at all by rspamd?

I'm trying to generate logs by executing a php script that calls the mail() function, but somehow, those mails get properly signed and thus accepted by google. So I still have to understand what Wordpress does differently, using the same function. This is confusing.

Oh, well, now I made another test. This time, the $from variable in the script is a gmail address, and that mail gets promptly rejected by Google.

This is what the rspamd log says:

2024-01-22 14:20:01 #1532799(normal) ; task; rspamd_task_write_log: id: <20240122132001.EDD2137D6211B at mail.**>, qid: , ip: 127.0.0.1, from: <**@mail.**>, (default: F (no action): [0.19/13.00] [FORGED_SENDER(0.30){***@gmail.com;**@mail.***;},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_FROM(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_NEQ_ENVFROM(0.00){***@gmail.com;jr at mail.rooot.de;},FROM_NO_DN(0.00){},GENERIC_REPUTATION(0.00){-0.30494941150341;},MIME_TRACE(0.00){0:+;},MISSING_XM_UA(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 234, time: 3.335ms, dns req: 2, digest: , rcpts: <***@gmail.com>, mime_rcpts: <***@gmail.com>
2024-01-22 14:20:01 #1532799(normal) ; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 176 regexps total, 37 regexps cached, 0B scanned using pcre, 367B scanned total

So I guess, this is correct then, and the solution is to ensure that wordpress does not use a forged sender address. I'm not sure how to do that.

>
> If you are using Postfix and PHP's default mail() function the mail
> will not be scanned without setting 'non_smtpd_milters'

That setting was in place already.

Johannes

>
>
> Carsten

From list+rspamd at gcore.biz Mon Jan 22 14:01:03 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Mon, 22 Jan 2024 15:01:03 +0100
Subject: [Rspamd-Users] cannot learn task since update to 3.8.0
In-Reply-To: <919bc64c-9019-45a7-89c4-1dc0eb0979bd@gmail.com>
References: <919bc64c-9019-45a7-89c4-1dc0eb0979bd@gmail.com>
Message-ID:

>>> Since update to 3.8.0 today I do get the following error:
>>>
>>>> cannot learn task: ERR Error running script (call to f_011c3be117fb4380571ffe4d38e4884afaf37963): @user_script:1: user_script:1: stack overflow (too many return values at once; use unpack_one or unpack_limit instead.)
>>> It worked previously without any problems. Any idea what I can do to solve this?
>> What's your stack size limit?
>>
>> Depending on your distribution there may be system-wide limits,
>> limits in initscripts for particular services, like
>>
>> [root at server ~]# ulimit -s
>> 8192
>>
>> or systemd, which ignores the latter:
>>
>> [root at server ~]# systemctl show redis | egrep "^Limit"
>> [root at server ~]# systemctl show rspamd | egrep "^Limit"
>>
> Here are my values:
>
> ulimit -s => 8192
>
> systemctl show redis | egrep "^Limit"
>
> LimitCPU=infinity
> LimitCPUSoft=infinity
> LimitFSIZE=infinity
> LimitFSIZESoft=infinity
> LimitDATA=infinity
> LimitDATASoft=infinity
> LimitSTACK=infinity
> LimitSTACKSoft=8388608
  ^^^^^^^^^^^^^^

Try to remove that softlimit.

Best regards
Gerald

From list+rspamd at gcore.biz Mon Jan 22 14:13:16 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Mon, 22 Jan 2024 15:13:16 +0100
Subject: [Rspamd-Users] Multimap combined rules not working
In-Reply-To: <4964054f-cd1e-588a-15dc-cb6691634c7e@bersol.info>
References: <4964054f-cd1e-588a-15dc-cb6691634c7e@bersol.info>
Message-ID:

> I'm trying to set a Combined rule (From+Rcpt) in Multimap, but I'm receiving this error message:
>
> ...
>
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; lua_maps_expressions.lua:126: cannot add maps combination for module multimap: required elements are missing
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1211: cannot add combined map for COMB_FROM_RCPT
> # Jan 21 11:14:29 MyHostname docker_rspamd[935]: 2024-01-21 11:14:29 #1(main) ; lua; multimap.lua:1334: cannot add rule: "COMB_FROM_RCPT"
>
> ...
>
>
> Do I have to enable some module or something like that?

You should check your config. From lua code:

    if not obj or not obj.rules or not obj.expression then
      rspamd_logger.errx(cfg, 'cannot add maps combination for module %s: required elements are missing',

So any of object, rule or expression is missing.

See examples: https://rspamd.com/doc/modules/multimap.html#combined-maps
and the hint "Combined maps support merely selectors syntax, not general multimap rules".

As an alternative you can use force_actions to combine symbols:
https://rspamd.com/doc/modules/force_actions.html

Best regards,
Gerald

From tacodewolff at gmail.com Mon Jan 22 15:02:24 2024
From: tacodewolff at gmail.com (Taco de Wolff)
Date: Mon, 22 Jan 2024 12:02:24 -0300
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz>
References: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz>
Message-ID:

Thanks Gerald, that's worth a try. I had another idea that might work and wanted to check.

While SPF verifies the envelope FROM address, and DKIM signs the message, it is DMARC that enforces the header FROM address which makes it sent to spam at the destination server. By default, Rspamd disables DMARC for outgoing messages, what if we enable it so that it verifies DMARC locally before sending out. This prevents it from getting to spam on the destination server as it isn't sent out in the first place. Would that work?

Kind regards,
Taco de Wolff

On Sun, Jan 21, 2024 at 3:33 PM Gerald Galster wrote:

> > I'd like to block sending out emails that have a different header FROM
> > address domain than their envelope FROM address domain.
>
> I don't think there is an easy way to accomplish that and you need to
> keep in mind legitimate reasons for "header/envelope from" to differ,
> e.g. sender rewriting scheme (SRS).
>
> There is a symbol named FROM_NEQ_ENVFROM which you could use as an
> example for a custom lua rule and then act upon authenticated users:
>
> https://github.com/rspamd/rspamd/blob/master/rules/headers_checks.lua
> Line 630 - 676.
>
> https://rspamd.com/doc/tutorials/writing_rules.html
> https://rspamd.com/doc/lua/
>
> Best regards,
> Gerald
>

From rspamd at jubileegroup.co.uk Mon Jan 22 15:28:53 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Mon, 22 Jan 2024 15:28:53 +0000 (GMT)
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To:
References: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz>
Message-ID: <5dde893e-f4f7-b988-1aa9-466619cd30d7@jubileegroup.co.uk>

Hi there,

On Mon, 22 Jan 2024, Taco de Wolff wrote:

> ...
> While SPF verifies the envelope FROM address, and DKIM signs the message,
> it is DMARC that enforces the header FROM address which makes it sent to
> spam at the destination server. ...

How do you know that? That's certainly not how the filters work here.

Are you saying that you know how the spam filtering works on all the servers which receive mail from yours?

> ... what if we enable it so that it verifies DMARC locally before
> sending out. ...

Would it not be better to address the problem at its source?

--

73,
Ged.
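
[Added example, not part of the thread and not code from any poster or from the rspamd project.] The custom rule suggested above (modelled on FROM_NEQ_ENVFROM, applied only to authenticated users) could be written as follows for rspamd.local.lua. The symbol name, the zero score and the RELAXED switch are assumptions made for illustration.

```lua
-- Added example (hypothetical symbol name and settings, see note above).
local rspamd_util = require "rspamd_util"

-- true:  compare organisational domains, so mail.example.org matches example.org
-- false: require the two domains to be identical
local RELAXED = true

local SYMBOL = 'LOCAL_AUTH_FROM_ENVFROM_DOMAIN'

-- Normalise a domain for comparison; returns nil when there is nothing to compare.
local function comparable(domain)
  if not domain or domain == '' then
    return nil
  end
  domain = domain:lower()
  if RELAXED then
    -- get_tld returns the effective second-level domain of a host name
    return rspamd_util.get_tld(domain) or domain
  end
  return domain
end

rspamd_config:register_symbol({
  name = SYMBOL,
  type = 'normal',
  -- Start at 0 to observe hits in the logs; raise the score or act on the
  -- symbol (for example with force_actions) once the matches look right.
  score = 0.0,
  group = 'local',
  description = 'Authenticated sender: header From domain differs from envelope From domain',
  callback = function(task)
    -- Only judge mail submitted by an authenticated user.
    if not task:get_user() then
      return
    end

    local envfrom = task:get_from('smtp')
    local hdrfrom = task:get_from('mime')

    -- Null envelope sender (bounces, DSNs) or no parsable From header:
    -- nothing to compare, so do not flag.
    if not (envfrom and envfrom[1] and hdrfrom and hdrfrom[1]) then
      return
    end

    local env_dom = comparable(envfrom[1].domain)
    if not env_dom then
      return
    end

    -- A From header may carry several addresses; flag on the first mismatch.
    for _, addr in ipairs(hdrfrom) do
      if comparable(addr.domain) ~= env_dom then
        task:insert_result(SYMBOL, 1.0,
          string.format('%s;%s', addr.domain or '', envfrom[1].domain))
        return
      end
    end
  end,
})
```

Legitimate rewriting of the envelope sender, such as the SRS case mentioned in the quoted reply, will also trigger this symbol, which is why it starts with a score of 0.
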
From tacodewolff at gmail.com Mon Jan 22 15:50:03 2024
From: tacodewolff at gmail.com (Taco de Wolff)
Date: Mon, 22 Jan 2024 12:50:03 -0300
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To: <5dde893e-f4f7-b988-1aa9-466619cd30d7@jubileegroup.co.uk>
References: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz> <5dde893e-f4f7-b988-1aa9-466619cd30d7@jubileegroup.co.uk>
Message-ID:

My DMARC settings for those domains specify explicitly that a failing DMARC should go to spam:

_dmarc.mailserver 86400 TXT v=DMARC1; p=quarantine; pct=100; fo=1; ruf=mailto:admin at mailserver; rua=mailto:admin at mailserver

DMARC checks for alignment of the header FROM address (more information here: https://www.mailhardener.com/kb/dmarc). Surely this only happens for DMARC capable destinations, but it is what I want to happen: mails that fail SPF, DKIM, or DMARC checks should be rejected or sent to spam.

> Would it not be better to address the problem at its source?

That's what I'm trying to achieve. Right now Postfix+Rspamd are happy to send out mail that fails DMARC which is subsequently sent to spam (hopefully) at the destination. I want to prevent sending them out in the first place. What other source could this be addressed at? It might be possible restricting this in Postfix itself, but since the DKIM check is happening in the Rspamd milter I believe it would be appropriate to check the DMARC there as well. SPF is not required as it is guaranteed to come from the local host (the only permitted sender). Happy to hear an alternative though!

Kind regards,
Taco de Wolff

On Mon, Jan 22, 2024 at 12:29 PM G.W. Haywood wrote:

> Hi there,
>
> On Mon, 22 Jan 2024, Taco de Wolff wrote:
>
> > ...
> > While SPF verifies the envelope FROM address, and DKIM signs the message,
> > it is DMARC that enforces the header FROM address which makes it sent to
> > spam at the destination server. ...
>
> How do you know that?
> That's certainly not how the filters work here.
>
> Are you saying that you know how the spam filtering works on all the
> servers which receive mail from yours?
>
> > ... what if we enable it so that it verifies DMARC locally before
> > sending out. ...
>
> Would it not be better to address the problem at its source?
>
> --
>
> 73,
> Ged.

From rspamd at jubileegroup.co.uk Mon Jan 22 16:17:07 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Mon, 22 Jan 2024 16:17:07 +0000 (GMT)
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To:
References: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz> <5dde893e-f4f7-b988-1aa9-466619cd30d7@jubileegroup.co.uk>
Message-ID: <962ac3f-4b37-9437-3e1d-df6a21a9d56d@jubileegroup.co.uk>

Hi there,

On Mon, 22 Jan 2024, Taco de Wolff wrote:

> My DMARC settings for those domains specify explicitly that a failing DMARC
> should go to spam:
>
> _dmarc.mailserver 86400 TXT v=DMARC1; p=quarantine; pct=100; fo=1;
> ruf=mailto:admin at mailserver; rua=mailto:admin at mailserver

That's just what you have in the DNS. It doesn't mean that recipients will all slavishly follow your suggestions. Incidentally for things like this it's far better not to hide the real content.

> DMARC checks for alignment of the header FROM address (more information
> here: https://www.mailhardener.com/kb/dmarc). Surely this only happens for
> DMARC capable destinations, but it is what I want to happen: mails that
> fail SPF, DKIM, or DMARC checks should be rejected or sent to spam.

The trouble is that if everybody invents his own version of what the specifications say, "severe interoperability problems" may ensue:

https://datatracker.ietf.org/doc/html/rfc4871#section-6.3

>> Would it not be better to address the problem at its source?
>
> That's what I'm trying to achieve.
> Right now Postfix+Rspamd are happy to
> send out mail that fails DMARC which is subsequently sent to spam
> (hopefully) at the destination. I want to prevent sending them out in the
> first place. What other source could this be addressed at? ...

I was thinking of addressing the problem before it reached the Postfix instance on your server.

--

73,
Ged.

From list+rspamd at gcore.biz Mon Jan 22 18:56:02 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Mon, 22 Jan 2024 19:56:02 +0100
Subject: [Rspamd-Users] Prevent sender address spoofing envelope/header FROM
In-Reply-To:
References: <21EF4008-1254-475B-B13A-F682EF5D31BF@gcore.biz>
Message-ID: <40948A7F-A54C-4F20-9471-352E47AA7BF6@gcore.biz>

> Thanks Gerald, that's worth a try. I had another idea that might work and
> wanted to check.
>
> While SPF verifies the envelope FROM address, and DKIM signs the message,
> it is DMARC that enforces the header FROM address which makes it sent to
> spam at the destination server. By default, Rspamd disables DMARC for
> outgoing messages, what if we enable it so that it verifies DMARC locally
> before sending out. This prevents it from getting to spam on the
> destination server as it isn't sent out in the first place. Would that work?

I don't think that will work. Dkim-signing means you trust the sender because of its ip or sasl authentication. That way you would revoke that trust. If a legitimate sender, that enforces dmarc for its domain, undergoes dmarc-checks before signing, that unsigned / to-be-signed mail would be rejected.

Moreover checking dmarc in rspamd does not mean enforcing that policy, e.g. DMARC_POLICY_REJECT could just add to the spamlevel, not rejecting the mail immediately. To enforce that, something like

    actions = {
      quarantine = "add_header";
      reject = "reject";
    }

had to be added to local.d/dmarc.conf.

I would go with the lua example, extracting and comparing the lowercase envelope-sender/from domains for authenticated submitters.

Best regards
Gerald

From allen at huarp.harvard.edu Mon Jan 22 21:28:23 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Mon, 22 Jan 2024 16:28:23 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
Message-ID:

Guess why? I've been putting DKIM signing off for too long.

I've spent the past couple days poring over the rspamd documentation (and the DKIM, ARC, DMARC, and Google doc). I just threw together my best guess at the configuration I think would work, including:

* /etc/rspamd/local.d/arc.conf: closely following the example here
* /etc/rspamd/local.d/dkim_signing.conf: closely following the example here
* /etc/rspamd/rspamd.conf.local: closely following the FAQ here

I have two domains, and I listed them explicitly in the arc.conf and dkim_signing.conf, so no maps.

I tested with the command recommended in the FAQ above:

    rspamc --header="settings-id=dkim" message.eml

using a couple different example emails, one inbound, one outbound. In each case, the result was "Action: no action". I am of course not sure what I should expect to see, and would be happy to hear any suggestions on the best way to test and/or fix my configuration. I reviewed the logs, and I did not see anything that looked like a problem.

I will be integrating with postfix, but I'd like to test rspamd separately first if possible.

I do have a question about the settings module. I see two different suggestions that seem similar:

* The one from the FAQ
* The one from the DKIM signing

These differ in what keywords are involved, and it isn't clear to me how those are selected. In the FAQ the settings are 'sign_id', 'sign_authenticated' and 'sign_networks', but under DKIM signing, it's just 'dkim_signing'. Do I perhaps need both?

From list+rspamd at gcore.biz Mon Jan 22 23:12:20 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Tue, 23 Jan 2024 00:12:20 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To:
References:
Message-ID:

> Guess why?
> I've been putting DKIM signing off for too long.
>
> I've spent the past couple days poring over the rspamd documentation (and the DKIM, ARC, DMARC, and Google doc). I just threw together my best guess at the configuration I think would work, including:
>
> * /etc/rspamd/local.d/arc.conf: closely following the example here
>

If you're using rspamd for "DKIM signing only" then you're all about sending email, not receiving and filtering spam.

https://en.wikipedia.org/wiki/Authenticated_Received_Chain

"Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing."

If you don't receive email, there are no signatures to verify by ARC.
If you don't forward received DKIM-signed email, there is no point in ARC signing.

[...]

> I will be integrating with postfix, but I'd like to test rspamd separately first if possible.

You won't see "action: dkim-signed" because that's not an action like "reject".

It's better to test with postfix integration (smtpd_milters/non_smtpd_milters).
Then you can send emails to yourself and have a look at the headers added by rspamd.

> I do have a question about the settings module. I see two different suggestions that seem similar:
>
> * The one from the FAQ
>
> * The one from the DKIM signing
>
>
> These differ in what keywords are involved, and it isn't clear to me how those are selected. In the FAQ the settings are 'sign_id', 'sign_authenticated' and 'sign_networks', but under DKIM signing, it's just 'dkim_signing'. Do I perhaps need both?

"dkim_signing", "sign_networks", ...
are just names you can choose:

    settings {
      foobar {
        authenticated = true;
        apply {
          symbols_enabled = ["DKIM_SIGNED"];
          flags = ["skip_process"];
        }
      }
    }

Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
Then it enables DKIM_SIGNED only and skips spam processing.

If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.

So it's just a name for a user setting that defines which emails are to be dkim signed.

Best regards,
Gerald

From piper at hrz.uni-marburg.de Wed Jan 24 10:32:19 2024
From: piper at hrz.uni-marburg.de (Andreas Piper)
Date: Wed, 24 Jan 2024 11:32:19 +0100
Subject: [Rspamd-Users] rspamd-3.8.0 crashes on Debian 11
Message-ID: <1153c564-e500-4b33-9e14-77d6c56138e8@hrz.uni-marburg.de>

Hello,

after upgrading from rspamd-3.7.5 to rspamd-3.8.0 rspamd-worker-processes crash every few minutes (Segmentation fault). I don't see any relation to individual messages.

My system is Debian 11.8, 'uname -a' gives

    Linux vhrz1846 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 GNU/Linux

the installed rspamd-package is

    rspamd 3.8.0-1~28391190c~bullseye amd64

In the logs appears a listing of 'log_backtrace'-messages, attached is an example for one crashed process. I can provide a coredump if you tell me where to place it.

Any help will be appreciated.

With best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rspamd_21758.log
Type: text/x-log
Size: 16027 bytes
Desc: not available
URL:

From allen at huarp.harvard.edu Wed Jan 24 15:57:05 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Wed, 24 Jan 2024 10:57:05 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To:
References:
Message-ID:

On 1/22/2024 6:12 PM, Gerald Galster wrote:
>> Guess why? I've been putting DKIM signing off for too long.
>>
>> I've spent the past couple days poring over the rspamd documentation (and the DKIM, ARC, DMARC, and Google doc). I just threw together my best guess at the configuration I think would work, including:
>>
>> * /etc/rspamd/local.d/arc.conf: closely following the example here
>>
> If you're using rspamd for "DKIM signing only" then you're all about sending email, not receiving and filtering spam.
>
> https://en.wikipedia.org/wiki/Authenticated_Received_Chain
>
> "Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing."
>
> If you don't receive email, there are no signatures to verify by ARC.
> If you don't forward received DKIM-signed email, there is no point in ARC signing.

Correct. We do receive mail, we forward mail and we have a number of mailing lists. We have upstream spam and anti-virus, which is why we are looking to skip that here.

>
> [...]
>
>> I will be integrating with postfix, but I'd like to test rspamd separately first if possible.
> You won't see "action: dkim-signed" because that's not an action like "reject".
>
> It's better to test with postfix integration (smtpd_milters/non_smtpd_milters).
> Then you can send emails to yourself and have a look at the headers added by rspamd.

Fair enough

>
>> I do have a question about the settings module.
>> I see two different suggestions that seem similar:
>>
>> * The one from the FAQ
>>
>> * The one from the DKIM signing
>>
>>
>> These differ in what keywords are involved, and it isn't clear to me how those are selected. In the FAQ the settings are 'sign_id', 'sign_authenticated' and 'sign_networks', but under DKIM signing, it's just 'dkim_signing'. Do I perhaps need both?
> "dkim_signing", "sign_networks", ... are just names you can choose:
>
> settings {
>   foobar {
>     authenticated = true;
>     apply {
>       symbols_enabled = ["DKIM_SIGNED"];
>       flags = ["skip_process"];
>     }
>   }
> }
>
> Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
> Then it enables DKIM_SIGNED only and skips spam processing.
>
> If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.
>
> So it's just a name for a user setting that defines which emails are to be dkim signed.

That is definitely helpful. A few things I am still unclear on.

* Is it up to me to figure out through settings which messages are outbound and hence need to be DKIM signed? In order to process outbound messages, the doc says to specify rspamd in both smtpd_milters and non_smtpd_milters, which IIUC means all messages go through rspamd. Some of those ultimately go to local delivery, while others will be sent out. The ARC and DKIM Signing modules' docs list a number of conditions they consider before signing, although they don't explicitly mention that the message must be heading outbound. Is it possible these already provide most of the filtering required?
    o [I will definitely be using settings to limit what is signed during testing!]
* If it is up to me, is there a standard recipe to identify outbound mail?
* Since I am not currently interested in spam filtering or anti-virus, I would like to disable just about everything on any messages that are not outbound.
    If there is a recipe to identify what does need signing, is there a way to match every other condition in order to specify 'symbols_enabled = [];' say?
      o I could imagine there could be a low priority group that matches everything (somehow) with higher priority groups to identify mail for signing. The settings doc is unclear whether it supports a section with an empty match list or whether it would interpret that as a match or not. (I will just try to test that, but it would be good to know whether the behavior is supported.)
      o Is there a better way?

Thanks for your help!

From list+rspamd at gcore.biz Wed Jan 24 23:21:28 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Thu, 25 Jan 2024 00:21:28 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To:
References:
Message-ID: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz>

>> "dkim_signing", "sign_networks", ... are just names you can choose:
>>
>> settings {
>>   foobar {
>>     authenticated = true;
>>     apply {
>>       symbols_enabled = ["DKIM_SIGNED"];
>>       flags = ["skip_process"];
>>     }
>>   }
>> }
>>
>> Here "foobar" is the name for a user setting that matches authenticated connections (sasl_username in postfix).
>> Then it enables DKIM_SIGNED only and skips spam processing.
>>
>> If you replace "authenticated = true;" with "ip = ["10.0.0.0/8"];" then "foobar" will DKIM sign an email delivered by e.g. 10.0.0.1, no sasl auth needed.
>>
>> So it's just a name for a user setting that defines which emails are to be dkim signed.
>
> That is definitely helpful. A few things I am still unclear on.
>
> * Is it up to me to figure out through settings which messages are
> outbound and hence need to be DKIM signed? In order to process

The example above is primarily to enable dkim signing and disabling *all other* spamchecks.
See: https://rspamd.com/doc/modules/dkim_signing.html#principles-of-operation

"In order to be eligible for signing, an email must either be received from an authenticated user, a reserved (local) IP address, ..."

If rspamd receives an email via milter from postfix that a user sent after sasl authentication, then rspamd will see that information on the milter connection and consider the mail eligible for dkim signing if "sign_authenticated = true;" in dkim_signing.conf.

An email received from e.g. amazon is not sasl_authenticated and is not received from a local ip and will therefore not be signed.

> outbound messages, the doc says to specify rspamd in both
> smtpd_milters and non_smtpd_milters, which IIUC means all messages
> go through rspamd. Some of those ultimately go to local delivery,

smtpd_milters is for emails received via smtp connections, that means sockets on port 25, 587 ...

non_smtpd_milters is for emails received by calling the /usr/sbin/sendmail binary or from a queue file (pickup)

Cron-Mails or PHP-scripts using the mail() function are typically using /usr/sbin/sendmail and won't be dkim-signed if non_smtpd_milters is unset.

> while others will be sent out. The ARC and DKIM Signing modules'
> docs list a number of conditions they consider before signing,
> although they don't explicitly mention that the message must be
> heading outbound. Is it possible these already provide most of the
> filtering required?

Yes.

> o [I will definitely be using settings to limit what is signed
> during testing!]
> * If it is up to me, is there a standard recipe to identify outbound mail?

For dkim-signing replace outbound with authenticated. The direction does not matter but usually only authenticated users can send emails, so dkim-signed mails are usually outbound.

> * Since I am not currently interested in spam filtering or anti-virus,
> I would like to disable just about everything on any messages that
> are not outbound.
> If there is a recipe to identify what does need
> signing

I can't tell, this depends on your setup. You could set sign_authenticated to false and sign_local to false in dkim_signing.conf and enable it for select ip addresses only (sign_networks ...).

Best regards,
Gerald

From allen at huarp.harvard.edu Thu Jan 25 18:49:25 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Thu, 25 Jan 2024 13:49:25 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz>
Message-ID:

On 1/24/2024 6:21 PM, Gerald Galster wrote:
> while others will be sent out. The ARC and DKIM Signing modules'
>> docs list a number of conditions they consider before signing,
>> although they don't explicitly mention that the message must be
>> heading outbound. Is it possible these already provide most of the
>> filtering required?
> Yes.
>
>> o [I will definitely be using settings to limit what is signed
>> during testing!]
>> * If it is up to me, is there a standard recipe to identify outbound mail?
> For dkim-signing replace outbound with authenticated. The direction does
> not matter but usually only authenticated users can send emails, so
> dkim-signed mails are usually outbound.

DKIM signing authenticated email is certainly something we'll need, so thanks for that. The mailing lists are more complicated. Incoming mail comes in via SMTP, so not authenticated, and is delivered via local(8) to the mailing list software. The message is then resubmitted after minor modifications via sendmail(1). If I understand correctly, I will need to identify the two cases separately. Since the messages will be modified, they need to be ARC-signed when they first arrive, then they need to be DKIM-signed after resubmission.
Presumably something like this should work for the first case:

inbound_list_email {
  rcpt = my-internal-incoming-mail-alias1;
  rcpt = my-internal-incoming-mail-alias2;
  apply {
    symbols_enabled = ["ARC_SIGNED"];
  }
}

For the second case, is there some way I can pass in an argument via sendmail that I can use to identify outbound mailing list messages? If so, I could use that to enable DKIM signing and ideally DMARC munging as well.

From list+rspamd at gcore.biz Thu Jan 25 22:06:08 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Thu, 25 Jan 2024 23:06:08 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To:
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz>
Message-ID:

> On 1/24/2024 6:21 PM, Gerald Galster wrote:
>> while others will be sent out. The ARC and DKIM Signing modules'
>>> docs list a number of conditions they consider before signing,
>>> although they don't explicitly mention that the message must be
>>> heading outbound. Is it possible these already provide most of the
>>> filtering required?
>> Yes.
>>
>>> o [I will definitely be using settings to limit what is signed
>>> during testing!]
>>> * If it is up to me, is there a standard recipe to identify outbound mail?
>> For dkim-signing replace outbound with authenticated. The direction does
>> not matter but usually only authenticated users can send emails, so
>> dkim-signed mails are usually outbound.
>
> DKIM signing authenticated email is certainly something we'll need, so thanks for that. The mailing lists are more complicated. Incoming mail comes in via SMTP, so not authenticated, and is delivered via local(8) to the mailing list software. The message is then resubmitted after minor modifications via sendmail(1). If I understand correctly, I will need to identify the two cases separately. Since the messages will be modified, they need to be ARC-signed when they first arrive, then they need to be DKIM-signed after resubmission.
> Presumably something like this should work for the first case:
>
> inbound_list_email { rcpt = my-internal-incoming-mail-alias1; rcpt =
> my-internal-incoming-mail-alias2; apply { symbols_enabled =
> ["ARC_SIGNED"]; } }
>
> For the second case, is there some way I can pass in an argument via sendmail that I can use to identify outbound mailing list messages? If so, I could use that to enable DKIM signing and ideally DMARC munging as well.

There are several options depending on your software stack.

For example, mailman could run in its own virtual machine/container and accept mails via lmtp. Then it has a dedicated (internal) ip which you could authorize for dkim signing in rspamd.

Or you could add an additional smtp service in postfix master.cf: copy smtpd to smtpd2 and bind that to an additional ip. Via postfix' sender dependent transport you could overwrite the nexthop target for mails coming from @mailinglist_domains to smtpd2.

https://www.postfix.org/postconf.5.html#default_transport

This way you could also set a tag that is provided to rspamd:

https://www.postfix.org/postconf.5.html#milter_macro_daemon_name

master.cf:
smtpd2 ... -o milter_macro_daemon_name=mymailinglist

https://rspamd.com/doc/configuration/settings.html#settings-structure

rspamd settings conf:
mailinglist {
  ...
  request_header {
    "MTA-Tag" = "mymailinglist";
  }
  apply {
    symbols_enabled = ["DKIM_SIGNED"];
    flags = ["skip_process"];
  }
}

I'm not sure but I don't think you can add this kind of parameters when calling /usr/sbin/sendmail.

It's also possible to run multiple postfix instances on the same server:
https://www.postfix.org/MULTI_INSTANCE_README.html

Mailman knows about dkim/arc and could sign mails independently of rspamd and has options for dmarc mitigation.

You could also reject invalid dkim-signed mails before delivering to the mailinglist software.
Then only valid mails are accepted, all existing dkim-headers can be removed and the mails that are delivered to subscribers will be signed with the mailinglist key only (= no arc).

I know some people disagree, but I do not see additional benefits with adding arc to mailinglists.

Best regards,
Gerald

From rspamd at jubileegroup.co.uk Thu Jan 25 23:15:47 2024
From: rspamd at jubileegroup.co.uk (G.W. Haywood)
Date: Thu, 25 Jan 2024 23:15:47 +0000 (GMT)
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To:
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz>
Message-ID: <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk>

Hi there,

On Thu, 25 Jan 2024, Allen, Norton T. wrote:
> ... is there some way I can pass in an argument via sendmail that I
> can use to identify outbound mailing list messages? If so, I could
> use that to enable DKIM signing and ideally DMARC munging as well.

Presumably your mailing list software adds headers to mail it sends out. Could they not identify your "outbound mailing list messages"?

If I understand what you want, then if I were doing this I'd just look for the list header with a milter and sign it if the header is there. I do something similar with my own signing - not for the same reason.

--
73,
Ged.

From list+rspamd at gcore.biz Fri Jan 26 04:07:27 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Fri, 26 Jan 2024 05:07:27 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk>
Message-ID: <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz>

>> ... is there some way I can pass in an argument via sendmail that I
>> can use to identify outbound mailing list messages? If so, I could
>> use that to enable DKIM signing and ideally DMARC munging as well.
>
> Presumably your mailing list software adds headers to mail it sends
> out. Could they not identify your "outbound mailing list messages"?
>
> If I understand what you want, then if I were doing this I'd just look
> for the list header with a milter and sign it if the header is there.

Depending on your setup that could be a simple solution but you should make sure that mails with non-mailinglist origin do not contain that header. Otherwise this could lead to rspamd signing unwanted mails.

As not all headers are considered for dkim-signing it might be possible to remove that line with (milter_)header_checks and the IGNORE action.

https://www.postfix.org/postconf.5.html#header_checks
https://www.postfix.org/postconf.5.html#milter_header_checks
https://www.postfix.org/header_checks.5.html

Best regards,
Gerald

From allen at huarp.harvard.edu Fri Jan 26 14:05:40 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Fri, 26 Jan 2024 09:05:40 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk> <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz>
Message-ID: <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu>

On 1/25/2024 11:07 PM, Gerald Galster wrote:
>>> ... is there some way I can pass in an argument via sendmail that I
>>> can use to identify outbound mailing list messages? If so, I could
>>> use that to enable DKIM signing and ideally DMARC munging as well.
>> Presumably your mailing list software adds headers to mail it sends
>> out. Could they not identify your "outbound mailing list messages"?
>>
>> If I understand what you want, then if I were doing this I'd just look
>> for the list header with a milter and sign it if the header is there.
> Depending on your setup that could be a simple solution but you should
> make sure that mails with non-mailinglist origin do not contain that
> header. Otherwise this could lead to rspamd signing unwanted mails.
>
> As not all headers are considered for dkim-signing it might be
> possible to remove that line with (milter_)header_checks and the
> IGNORE action.
>
> https://www.postfix.org/postconf.5.html#header_checks
> https://www.postfix.org/postconf.5.html#milter_header_checks
> https://www.postfix.org/header_checks.5.html

Yes, that sounds like an excellent plan for identifying the mailing list mail. I have already made customizations to the mailing list software, so I could probably add my own custom header that would not be likely to occur in inbound mail, but the header_checks safeguard would certainly make sense.

I think the only real sticking point I am having trouble with now is how to identify the mail that doesn't match either of these conditions: not authenticated and doesn't include the mailing list header. In the "User settings" documentation, there is reference to an 'inverse' syntax: "- inverse match (e.g. it will NOT match when all elements are matched and vice-versa)". This sounds like exactly what I am looking for. Unfortunately, there are no examples, and I haven't been able to get it to work in trivial tests. Any ideas on that?
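
The header-based identification discussed in this exchange, as an added example that is not part of the thread and is not rspamd code: a simplified Python model of first-match settings selection (higher priority first, equal priorities in alphabetical order, as the rspamd settings documentation describes), showing why the list header has to be removed from mail that did not come from the list software. The header name X-Example-List-Tag, the rule names, the message fields and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Priority names as listed in the rspamd settings documentation.
PRIORITY = {"low": 1, "medium": 2, "high": 3}
# Hypothetical tag header added by the customised mailing list software.
LIST_TAG = "X-Example-List-Tag"


@dataclass
class Rule:
    name: str
    priority: str = "low"
    authenticated: bool = False                  # match only authenticated senders
    header: dict = field(default_factory=dict)   # header name -> regex

    def matches(self, msg):
        # Every condition present in the rule has to hold.
        if self.authenticated and not msg.get("user"):
            return False
        for name, pattern in self.header.items():
            value = msg["headers"].get(name)
            if value is None or re.search(pattern, value) is None:
                return False
        return True


def evaluation_order(rules):
    """Higher priority first; equal priorities in alphabetical order."""
    return sorted(rules, key=lambda r: (-PRIORITY[r.priority], r.name))


def select_rule(rules, msg):
    """Return the first matching rule, or None when no rule applies."""
    for rule in evaluation_order(rules):
        if rule.matches(msg):
            return rule
    return None


def strip_untrusted_tag(msg):
    """Model of the safeguard: drop the tag header from mail received over SMTP.

    Assumption: mail resubmitted by the list software has origin "sendmail".
    How the stripping is scoped inside Postfix is not modelled here.
    """
    if msg["origin"] != "smtp":
        return msg
    headers = {k: v for k, v in msg["headers"].items() if k != LIST_TAG}
    return {**msg, "headers": headers}


# Two signing rules; anything that matches neither is left unsigned.
RULES = [
    Rule("mailinglist", "medium", header={LIST_TAG: r"^announce$"}),
    Rule("authenticated", "high", authenticated=True),
]

# Constructed sample messages (not taken from any real log).
AUTH_MSG = {"origin": "smtp", "user": "alice@example.org",
            "headers": {"From": "alice@example.org"}}
LIST_MSG = {"origin": "sendmail", "user": None,
            "headers": {"From": "bob@example.net", LIST_TAG: "announce"}}
FORGED_MSG = {"origin": "smtp", "user": None,
              "headers": {"From": "mallory@example.com", LIST_TAG: "announce"}}
INBOUND_MSG = {"origin": "smtp", "user": None,
               "headers": {"From": "carol@example.net"}}


def decision(msg, strip=False):
    """Name of the rule that would sign this message, or "unsigned"."""
    rule = select_rule(RULES, strip_untrusted_tag(msg) if strip else msg)
    return rule.name if rule else "unsigned"


if __name__ == "__main__":
    samples = [("authenticated user", AUTH_MSG), ("list resubmission", LIST_MSG),
               ("forged tag via SMTP", FORGED_MSG), ("ordinary inbound", INBOUND_MSG)]
    for label, msg in samples:
        print(f"{label:22} no stripping: {decision(msg):14} "
              f"with stripping: {decision(msg, strip=True)}")
```

Only the forged-tag message changes outcome when stripping is applied: it matches the mailing list rule on the header alone and is left unsigned once the header is removed on the SMTP path.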

From list+rspamd at gcore.biz Fri Jan 26 16:38:58 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Fri, 26 Jan 2024 17:38:58 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk> <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz> <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu>
Message-ID: <342BFE3D-FD79-49D6-AE19-FE1A20B017D6@gcore.biz>

> I think the only real sticking point I am having trouble with now is how to identify the mail that doesn't match either of these conditions: not authenticated and doesn't include the mailing list header. In the "User settings" documentation, there is reference to an 'inverse' syntax: "- inverse match (e.g. it will NOT match when all elements are matched and vice-versa)". This sounds like exactly what I am looking for. Unfortunately, there are no examples, and I haven't been able to get it to work in trivial tests. Any ideas on that?
>

Did you try "inverse = true;" or "inverse = yes;" like with "authenticated = true;" ?

Are you using priority and is there another rule that might match before this one?

https://rspamd.com/doc/configuration/settings.html#settings-structure

"priority - high (3), medium (2), low (1) or any positive integer value (default priority is low). Rules with greater priorities are matched first. Starting from version 1.4, Rspamd checks rules with equal priorities in alphabetical order. Once a rule matches, only that rule is applied, and the rest are ignored."

Best regards,
Gerald

From allen at huarp.harvard.edu Fri Jan 26 17:36:56 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Fri, 26 Jan 2024 12:36:56 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <342BFE3D-FD79-49D6-AE19-FE1A20B017D6@gcore.biz>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk> <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz> <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu> <342BFE3D-FD79-49D6-AE19-FE1A20B017D6@gcore.biz>
Message-ID: <3ab890df-002d-4bbe-b287-e525a4150112@huarp.harvard.edu>

On 1/26/2024 11:38 AM, Gerald Galster wrote:
>> I think the only real sticking point I am having trouble with now is how to identify the mail that doesn't match either of these conditions: not authenticated and doesn't include the mailing list header. In the "User settings" documentation, there is reference to an 'inverse' syntax: "- inverse match (e.g. it will NOT match when all elements are matched and vice-versa)". This sounds like exactly what I am looking for. Unfortunately, there are no examples, and I haven't been able to get it to work in trivial tests. Any ideas on that?
>>
> Did you try "inverse = true;" or "inverse = yes;" like with "authenticated = true;" ?

I had not, but I have now. I had a group that would match id=nothing, and it had a clear effect when I specified id=nothing. When I added inverse = true; there was no change in behavior. The rule still matched with id=nothing. Same with inverse = yes;

> Are you using priority and is there another rule that might match before this one?
>
> https://rspamd.com/doc/configuration/settings.html#settings-structure
>
> "priority - high (3), medium (2), low (1) or any positive integer value (default priority is low). Rules with greater priorities are matched first.
> Starting from version 1.4, Rspamd checks rules with equal priorities in alphabetical order. Once a rule matches, only that rule is applied, and the rest are ignored."

I am not using priority yet, but I have thought about it. The problem with that is I need to be able to specify a block that will match everything in order to cover all cases (i.e. earlier or higher priority blocks for the specific cases, then the catch-all for everything else), and I have not found a way to do that either, though still thinking about it.

From list+rspamd at gcore.biz Fri Jan 26 18:08:35 2024
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Fri, 26 Jan 2024 19:08:35 +0100
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <3ab890df-002d-4bbe-b287-e525a4150112@huarp.harvard.edu>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk> <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz> <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu> <342BFE3D-FD79-49D6-AE19-FE1A20B017D6@gcore.biz> <3ab890df-002d-4bbe-b287-e525a4150112@huarp.harvard.edu>
Message-ID: <1EEAEDBE-C492-4D80-88CB-06B1333A8CE4@gcore.biz>

>> Are you using priority and is there another rule that might match before this one?
>>
>> https://rspamd.com/doc/configuration/settings.html#settings-structure
>>
>> "priority - high (3), medium (2), low (1) or any positive integer value (default priority is low). Rules with greater priorities are matched first. Starting from version 1.4, Rspamd checks rules with equal priorities in alphabetical order. Once a rule matches, only that rule is applied, and the rest are ignored."
> I am not using priority yet, but I have thought about it.
> The problem with that is I need to be able to specify a block that will match everything in order to cover all cases (i.e. earlier or higher priority blocks for the specific cases, then the catch-all for everything else), and I have not found a way to do that either, though still thinking about it.

What about a catchall-setting (no dkim/filter) which is the only one using low priority and settings for sasl/authenticated users and mailinglists (headers) with medium or high priority. Then the catchall would be evaluated last. Also remember that rules with equal priorities are processed in alphabetical order.

Best regards,
Gerald

From allen at huarp.harvard.edu Fri Jan 26 20:45:07 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Fri, 26 Jan 2024 15:45:07 -0500
Subject: [Rspamd-Users] First Time: DKIM Signing Only
In-Reply-To: <1EEAEDBE-C492-4D80-88CB-06B1333A8CE4@gcore.biz>
References: <385FB089-0FE1-4B76-B777-759B5C1E8400@gcore.biz> <12a62e4-794f-9a6d-7b67-79583e6750a9@jubileegroup.co.uk> <001406C3-9303-44AE-9A1D-B4FFC58920FE@gcore.biz> <95825c69-d2b1-436b-a383-3b73ded595d8@huarp.harvard.edu> <342BFE3D-FD79-49D6-AE19-FE1A20B017D6@gcore.biz> <3ab890df-002d-4bbe-b287-e525a4150112@huarp.harvard.edu> <1EEAEDBE-C492-4D80-88CB-06B1333A8CE4@gcore.biz>
Message-ID:

On 1/26/2024 1:08 PM, Gerald Galster wrote:
>>> Are you using priority and is there another rule that might match before this one?
>>>
>>> https://rspamd.com/doc/configuration/settings.html#settings-structure
>>>
>>> "priority - high (3), medium (2), low (1) or any positive integer value (default priority is low). Rules with greater priorities are matched first. Starting from version 1.4, Rspamd checks rules with equal priorities in alphabetical order.
>>> Once a rule matches, only that rule is applied, and the rest are ignored."
>> I am not using priority yet, but I have thought about it. The problem with that is I need to be able to specify a block that will match everything in order to cover all cases (i.e. earlier or higher priority blocks for the specific cases, then the catch-all for everything else), and I have not found a way to do that either, though still thinking about it.
> What about a catchall-setting (no dkim/filter) which is the only one using low priority and settings for sasl/authenticated users and mailinglists (headers) with medium or high priority. Then the catchall would be evaluated last. Also remember that rules with equal priorities are processed in alphabetical order.

I think I finally found something that will work for a catchall:

header {
  "To" = ".";
}

Thanks for the reminder on alphabetical order!

From mwl at mwl.io Tue Jan 30 18:50:24 2024
From: mwl at mwl.io (Michael W. Lucas)
Date: Tue, 30 Jan 2024 13:50:24 -0500
Subject: [Rspamd-Users] list symbols at command line?
Message-ID:

Hi,

Is there a way to search for specific symbols and their meaning at the command line? Or to get a list of all symbols and their description?

I can get many but not all symbols from "rspamadm configdump."

Thanks,
==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Absolute FreeBSD, Butterfly Stomp Waltz, TLS Mastery, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###

From boris at cation.de Tue Jan 30 21:55:38 2024
From: boris at cation.de (Boris)
Date: Tue, 30 Jan 2024 22:55:38 +0100
Subject: [Rspamd-Users] rspamd-3.8.0 crashes on Debian 11
In-Reply-To: <1153c564-e500-4b33-9e14-77d6c56138e8@hrz.uni-marburg.de>
References: <1153c564-e500-4b33-9e14-77d6c56138e8@hrz.uni-marburg.de>
Message-ID:

Hej Andreas,

On 24.01.24 at 11:32, Andreas Piper via Users wrote:
> Hello,
>
> after upgrading from rspamd-3.7.5 to rspamd-3.8.0
> rspamd-worker-processes crash every few minutes (Segmentation fault). I
> don't see any relation to individual messages.
>
> My system is Debian 11.8, 'uname -a' gives
> Linux vhrz1846 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31)
> x86_64 GNU/Linux
> the installed rspamd-package is
> rspamd         3.8.0-1~28391190c~bullseye amd64
>
> In the logs appears a listing of 'log_backtrace'-messages, attached is
> an example for one crashed process.

We had serious troubles with rspamd on arm64, too, exactly like you describe. Now we have a working system with Debian 12 and 3.8.1-1~b8a2d79ee~bookworm from rspamd.com.

Regards,
Boris

From Boris at cation.de Wed Jan 31 04:57:49 2024
From: Boris at cation.de (Boris)
Date: Wed, 31 Jan 2024 05:57:49 +0100 (GMT+01:00)
Subject: [Rspamd-Users] rspamd-3.8.0 crashes on Debian 11
In-Reply-To:
References: <1153c564-e500-4b33-9e14-77d6c56138e8@hrz.uni-marburg.de>
Message-ID: <7333e91b-1ba0-4aa6-86a5-476cd4f3f52b@cation.de>

Sorry, I was reading arm instead of amd.....

From rspamd-users at judo.za.org Wed Jan 31 11:00:11 2024
From: rspamd-users at judo.za.org (Andrew Lewis)
Date: Wed, 31 Jan 2024 13:00:11 +0200
Subject: [Rspamd-Users] list symbols at command line?
In-Reply-To:
References:
Message-ID: <541f6ebaa4f6587a3153cd5da3faf211baa2e3b5.camel@judo.za.org>

Hi Michael,

On Tue, 2024-01-30 at 13:50 -0500, Michael W.
Lucas wrote:
> Is there a way to search for specific symbols and their meaning at
> the
> command line? Or to get a list of all symbols and their description?

You can find that in WebUI, or with `curl http://127.0.0.1:11334/symbols`

Best,
-AL.

From konstantin.kletschke at inside-m2m.de Wed Jan 31 13:50:42 2024
From: konstantin.kletschke at inside-m2m.de (Konstantin Kletschke)
Date: Wed, 31 Jan 2024 14:50:42 +0100
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
Message-ID:

Dear rspamd community,

I have a rspamd up and running fine with a postfix installation.

What is missing is that when users deliver mail via SASL AUTH spam checks should be skipped, I am too stupid.
Postfix calls the rspamd via:

smtpd_milters = inet:localhost:11332, inet:localhost:12345

11332 is rspamd, 12345 is opendkim.
milter_mail_macros is set to:

milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}

My expectation is that authenticated users' mails are not spam checked, am I missing additional settings?

Postfix recognizes that mail is SASL AUTHed:

Jan 30 13:51:45 mail postfix/smtpd[224854]: C16674014E: client=XXX.customers.d1-online.com[80.187.115.42], sasl_method=PLAIN, sasl_username=YYY at inside-m2m.de

rspamd adds spam headers, though:

(normal) ; task; rspamd_worker_body_handler: accepted connection from 127.0.0.1 port 39608, task ptr: 00007F1B012A2A20
(normal) ; task; rspamd_message_parse: loaded message; id: ; queue-id: ; size: 1951822; checksum: <7290610468f94d6b2b64258eecf1007b>
(normal) ; task; rspamd_url_text_extract: got empty text part
(normal) ; task; rspamd_mime_part_detect_language: detected part language: de
(normal) ; task; rspamd_mime_part_detect_language: detected part language: en
(normal) ; lua; greylist.lua:217: skip greylisting for local networks and/or authorized users
(normal) ; lua; once_received.lua:102: Skipping once_received for authenticated user or local network
(normal) ; lua; spf.lua:186: skip SPF checks for local networks and authorized users
(normal) ; task; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
(normal) ; lua; dmarc.lua:349: skip DMARC checks as either SPF or DKIM were not checked
(normal) ; task; finalize_item: slow rule: SEM_URIBL_UNKNOWN(459): 356.00 ms; enable slow timer delay
(normal) ; task; finalize_item: slow rule: SURBL_MULTI(438): 380.00 ms
(normal) ; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 0; 200 required
(normal) ; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required
(normal) ; task; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
(normal) ; task; rspamd_task_write_log: id: , qid: , ip: 80.187.115.42, user: YYY at inside-m2m.de, from: , (default: T (add header): [8.60/15.00]
[R_SUSPICIOUS_URL(5.00){wa.me;},MIME_MA_MISSING_TEXT(2.00){},URI_COUNT_ODD(1.00){7;},MV_CASE(0.50){},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/alternative;multipart/mixed;},ARC_NA(0.00){},ASN(0.00){asn:3320, ipnet:80.187.0.0/16, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;3:~;4:~;5:~;6:~;7:~;...;},NEURAL_HAM(0.00){-0.991;},RCPT_COUNT_THREE(0.00){4;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1951822, time: 492.748ms, dns req: 60, digest: <7290610468f94d6b2b64258eecf1007b>, rcpts: , mime_rcpts:

I also tried this:

settings {
  authenticated {
    authenticated = true;
    priority = "high";
    apply {
      groups_disabled [
        "rbl",
        "spf",
      ]
      flags [
        "skip_process",
      ]
      symbols_enabled [
        "DKIM_SIGNED",
      ]
    }
  }
}

But this does not change the behaviour.
This is a debian installation, if important.

What am I missing?

Kind Regards
Konstantin

--
INSIDE M2M GmbH
Konstantin Kletschke
Berenbosteler Straße 76 B
30823 Garbsen

Phone: +49 (0) 5137 90950136
Mobile: +49 (0) 151 15256238
Fax: +49 (0) 5137 9095010

konstantin.kletschke at inside-m2m.de
http://www.inside-m2m.de

Management: Michael Emmert, Derek Uhlig
HRB: 111204, AG Hannover

From allen at huarp.harvard.edu Wed Jan 31 14:44:05 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Wed, 31 Jan 2024 09:44:05 -0500
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
In-Reply-To:
References:
Message-ID:

Konstantin,

I am new to this, so if someone with more experience wants to correct me, that would be great.

Have you tried removing your groups_disabled block, leaving just flags and symbols_enabled in the apply block? groups_disabled has the side effect of enabling all other rules, whereas symbols_enabled has the side effect of disabling all other rules. Those seem to be in conflict, and the enables may be winning.
I have had success with just flags and symbols_enabled as you have them.

On 1/31/2024 8:50 AM, Konstantin Kletschke via Users wrote:
> Dear rspamd community,
>
> I have a rspamd up and running fine with a postfix installation.
>
> What is missing is that when users deliver mail via SASL AUTH spam
> checks should be skipped, I am too stupid.
> Postfix calls the rspamd via:
>
> smtpd_milters = inet:localhost:11332, inet:localhost:12345
>
> 11332 is rspamd, 12345 is opendkim.
> milter_mail_macros is set to:
>
> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
>
> My expectation is that authenticated users' mails are not spam checked,
> am I missing additional settings?
>
> Postfix recognizes that mail is SASL AUTHed:
>
> Jan 30 13:51:45 mail postfix/smtpd[224854]: C16674014E: client=XXX.customers.d1-online.com[80.187.115.42], sasl_method=PLAIN, sasl_username=YYY at inside-m2m.de
>
> rspamd adds spam headers, though:
>
> (normal) ; task; rspamd_worker_body_handler: accepted connection from 127.0.0.1 port 39608, task ptr: 00007F1B012A2A20
> (normal) ; task; rspamd_message_parse: loaded message; id: ; queue-id: ; size: 1951822; checksum: <7290610468f94d6b2b64258eecf1007b>
> (normal) ; task; rspamd_url_text_extract: got empty text part
> (normal) ; task; rspamd_mime_part_detect_language: detected part language: de
> (normal) ; task; rspamd_mime_part_detect_language: detected part language: en
> (normal) ; lua; greylist.lua:217: skip greylisting for local networks and/or authorized users
> (normal) ; lua; once_received.lua:102: Skipping once_received for authenticated user or local network
> (normal) ; lua; spf.lua:186: skip SPF checks for local networks and authorized users
> (normal) ; task; dkim_symbol_callback: skip DKIM checks for local
networks and authorized users > (normal) ; lua; dmarc.lua:349: skip DMARC checks as either SPF or DKIM were not checked > (normal) ; task; finalize_item: slow rule: SEM_URIBL_UNKNOWN(459): 356.00 ms; enable slow timer delay > (normal) ; task; finalize_item: slow rule: SURBL_MULTI(438): 380.00 ms > (normal) ; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 0; 200 required > (normal) ; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required > (normal) ; task; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing > (normal) ; task; rspamd_task_write_log: id: , qid: , ip: 80.187.115.42, user: YYY at inside-m2m.de, from: , (default: T (add header): [8.60/15.00] [R_SUSPICIOUS_URL(5.00){https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwa.me&c=E,1,uGIxyk33dp0UrAoPyMxeHXFw7sbcHeopLRNbThIs5ggD_m7L3aniVUa5axNAChpFQrSmTUrUSJWPW7p2kaItpnLkfoyoYJGPqZJzttGaBX_8VlrY2qso25MM&typo=1;},MIME_MA_MISSING_TEXT(2.00){},URI_COUNT_ODD(1.00){7;},MV_CASE(0.50){},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/alternative;multipart/mixed;},ARC_NA(0.00){},ASN(0.00){asn:3320, ipnet:80.187.0.0/16, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;3:~;4:~;5:~;6:~;7:~;...;},NEURAL_HAM(0.00){-0.991;},RCPT_COUNT_THREE(0.00){4;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1951822, time: 492.748ms, dns req: 60, digest: <7290610468f94d6b2b64258eecf1007b>, rcpts: , mime_rcpts: > > I also tried this: > > settings { > authenticated { > authenticated = true; > priority = "high"; > apply { > groups_disabled [ > "rbl", > "spf", > ] > flags [ > "skip_process", > ] > symbols_enabled [ > "DKIM_SIGNED", > ] > } > } > } > > But this does not change the behaviour. > This is a debian installation, if importand. > > What am I missing? 
> > Kind Regards > Konstantin > > > > From allen at huarp.harvard.edu Wed Jan 31 14:47:46 2024 From: allen at huarp.harvard.edu (Allen, Norton T.) Date: Wed, 31 Jan 2024 09:47:46 -0500 Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix? In-Reply-To: References: Message-ID: I should have noted the reference where those side effects are documented: https://rspamd.com/doc/configuration/settings.html On 1/31/2024 9:44 AM, Allen, Norton T. wrote: > Konstantin, > > I am new to this, so if someone with more experience wants to correct > me, that would be great. > > Have you tried removing your groups_disabled block, leaving just flags > and symbols_enabled in the apply block? groups_disabled has the side > effect of enabling all other rules, whereas symbols_enabled has the > side effect of disabling all other rules. Those seem to be in > conflict, and the enables may be winning. I have had success with just > flags and symbols_enabled as you have them. > > On 1/31/2024 8:50 AM, Konstantin Kletschke via Users wrote: >> Dear rspam community, >> >> I have a rspamd up and running fine with a postfix installation. >> >> What is missing is that when users deliver mail via SASL AUTH spam >> checks should be skipped, I am to stupid. >> Postfix calls the rspamd via: >> >> smtpd_milters = inet:localhost:11332, inet:localhost:12345 >> >> 11332 ist rpsamd, 12345 is opendkim. >> milter_mail_macros is set to: >> >> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} >> {mail_addr} {mail_host} {mail_mailer} >> >> My expectation is, that authenticated users' mails are not spam checked, >> do I miss additional settings? 
>>
>> Postfix recognizes that mail is SASL AUTHed:
>>
>> Jan 30 13:51:45 mail postfix/smtpd[224854]: C16674014E:
>> client=https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fXXX.customers.d1-online.com&c=E,1,emiHo3tmzpAyCqw0JpmSnCwRGw2WJBll63vfW2Ts1pvc8u7L_4tPXaJKgLiq4X5SMCSnwnUrJJhvhBnnXcxUEma5DRZIhm1xxGua9Mls1YkwLr2GI3n85Ew,&typo=1[80.187.115.42],
>> sasl_method=PLAIN, sasl_username=YYY at inside-m2m.de
>>
>> rspamd adds spam header, though:
>>
>> (normal) ; task; rspamd_worker_body_handler: accepted
>> connection from 127.0.0.1 port 39608, task ptr: 00007F1B012A2A20
>> (normal) ; task; rspamd_message_parse: loaded message; id:
>> ; queue-id:
>> ; size: 1951822; checksum:
>> <7290610468f94d6b2b64258eecf1007b>
>> (normal) ; task; rspamd_url_text_extract: got empty text part
>> (normal) ; task; rspamd_mime_part_detect_language: detected
>> part language: de
>> (normal) ; task; rspamd_mime_part_detect_language: detected
>> part language: en
>> (normal) ; lua; greylist.lua:217: skip greylisting for local
>> networks and/or authorized users
>> (normal) ; lua; once_received.lua:102: Skipping once_received
>> for authenticated user or local network
>> (normal) ; lua; spf.lua:186: skip SPF checks for local
>> networks and authorized users
>> (normal) ; task; dkim_symbol_callback: skip DKIM checks for
>> local networks and authorized users
>> (normal) ; lua; dmarc.lua:349: skip DMARC checks as either
>> SPF or DKIM were not checked
>> (normal) ; task; finalize_item: slow rule:
>> SEM_URIBL_UNKNOWN(459): 356.00 ms; enable slow timer delay
>> (normal) ; task; finalize_item: slow rule: SURBL_MULTI(438):
>> 380.00 ms
>> (normal) ; task; rspamd_redis_connected: skip obtaining bayes
>> tokens for BAYES_HAM of classifier bayes: not enough learns 0; 200
>> required
>> (normal) ; task; rspamd_redis_connected: skip obtaining bayes
>> tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200
>> required
>> (normal) ; task; rspamd_stat_classifiers_process: skip
>> statistics as SPAM class is missing
>> (normal) ; task; rspamd_task_write_log: id:
>> , qid:
>> , ip: 80.187.115.42, user: YYY at inside-m2m.de, from:
>> , (default: T (add header): [8.60/15.00]
>> [R_SUSPICIOUS_URL(5.00){https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwa.me&c=E,1,uGIxyk33dp0UrAoPyMxeHXFw7sbcHeopLRNbThIs5ggD_m7L3aniVUa5axNAChpFQrSmTUrUSJWPW7p2kaItpnLkfoyoYJGPqZJzttGaBX_8VlrY2qso25MM&typo=1;},MIME_MA_MISSING_TEXT(2.00){},URI_COUNT_ODD(1.00){7;},MV_CASE(0.50){},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/alternative;multipart/mixed;},ARC_NA(0.00){},ASN(0.00){asn:3320,
>> ipnet:80.187.0.0/16,
>> country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;3:~;4:~;5:~;6:~;7:~;...;},NEURAL_HAM(0.00){-0.991;},RCPT_COUNT_THREE(0.00){4;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
>> len: 1951822, time: 492.748ms, dns req: 60, digest: <7290610468f94d6b2b64258eecf1007b>, rcpts: , mime_rcpts:
>>
>> I also tried this:
>>
>> settings {
>>     authenticated {
>>         authenticated = true;
>>         priority = "high";
>>         apply {
>>             groups_disabled [
>>                 "rbl",
>>                 "spf",
>>             ]
>>             flags [
>>                 "skip_process",
>>             ]
>>             symbols_enabled [
>>                 "DKIM_SIGNED",
>>             ]
>>         }
>>     }
>> }
>>
>> But this does not change the behaviour.
>> This is a debian installation, if important.
>>
>> What am I missing?
>>
>> Kind Regards
>> Konstantin

From konstantin.kletschke at inside-m2m.de Wed Jan 31 15:05:34 2024
From: konstantin.kletschke at inside-m2m.de (Konstantin Kletschke)
Date: Wed, 31 Jan 2024 16:05:34 +0100
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
In-Reply-To:
References:
Message-ID:

On Wed, Jan 31, 2024 at 09:44:05AM -0500, Allen, Norton T.
wrote:
>
> Have you tried removing your groups_disabled block, leaving just flags and
> symbols_enabled in the apply block? groups_disabled has the side effect of

No, this does not change anything, still spam checked.

I change to (rspamadm configdump|less):

settings {
    authenticated {
        priority = "high";
        apply {
            symbols_enabled [
                "DKIM_SIGNED",
            ]
            flags [
                "skip_process",
            ]
        }
        authenticated = true;
    }
}

--
INSIDE M2M GmbH
Konstantin Kletschke
Berenbosteler Straße 76 B
30823 Garbsen

Telefon: +49 (0) 5137 90950136
Mobil: +49 (0) 151 15256238
Fax: +49 (0) 5137 9095010

konstantin.kletschke at inside-m2m.de
http://www.inside-m2m.de

Geschäftsführung: Michael Emmert, Derek Uhlig
HRB: 111204, AG Hannover

From allen at huarp.harvard.edu Wed Jan 31 15:19:32 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Wed, 31 Jan 2024 10:19:32 -0500
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
In-Reply-To:
References:
Message-ID:

On 1/31/2024 10:05 AM, Konstantin Kletschke wrote:
> On Wed, Jan 31, 2024 at 09:44:05AM -0500, Allen, Norton T. wrote:
>> Have you tried removing your groups_disabled block, leaving just flags and
>> symbols_enabled in the apply block? groups_disabled has the side effect of
> No, this does not change anything, still spam checked.

Then I am afraid I am likely out of my depth. Have you checked in the rspamd.log for "apply static settings authenticated"? That at least should show up on authenticated email.

From konstantin.kletschke at inside-m2m.de Wed Jan 31 15:40:21 2024
From: konstantin.kletschke at inside-m2m.de (Konstantin Kletschke)
Date: Wed, 31 Jan 2024 16:40:21 +0100
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
In-Reply-To:
References:
Message-ID:

On Wed, Jan 31, 2024 at 10:19:32AM -0500, Allen, Norton T. wrote:
>
> Then I am afraid I am likely out of my depth. Have you checked in the

No problem!

> rspamd.log for "apply static settings authenticated"? That at least should
> show up on authenticated email.

Yes, it shows up! Sometimes...
I see our JIRA bot and confluence bot (anytime) and sometimes a human user flagged like that.
But not my test mail sent from me via SASL AUTH (our bot systems do the same...)

Hmmm... -> ?

>

--
INSIDE M2M GmbH
Konstantin Kletschke
Berenbosteler Straße 76 B
30823 Garbsen

Telefon: +49 (0) 5137 90950136
Mobil: +49 (0) 151 15256238
Fax: +49 (0) 5137 9095010

konstantin.kletschke at inside-m2m.de
http://www.inside-m2m.de

Geschäftsführung: Michael Emmert, Derek Uhlig
HRB: 111204, AG Hannover

From allen at huarp.harvard.edu Wed Jan 31 16:01:10 2024
From: allen at huarp.harvard.edu (Allen, Norton T.)
Date: Wed, 31 Jan 2024 11:01:10 -0500
Subject: [Rspamd-Users] Skip spam check for authenticated (SASL) users howto with postfix?
In-Reply-To:
References:
Message-ID: <2930cfda-9a8d-4503-a8df-4333a6b925ef@huarp.harvard.edu>

On 1/31/2024 10:40 AM, Konstantin Kletschke wrote:
> On Wed, Jan 31, 2024 at 10:19:32AM -0500, Allen, Norton T. wrote:
>> Then I am afraid I am likely out of my depth. Have you checked in the
> No problem!
>
>> rspamd.log for "apply static settings authenticated"? That at least should
>> show up on authenticated email.
> Yes, it shows up! Sometimes...
> I see our JIRA bot and confluence bot (anytime) and sometimes a human user flagged
> like that.
> But not my test mail sent from me via SASL AUTH (our bot systems do the
> same...)
>
> Hmmm... -> ?

Well that at least means those apply rules might work if the message is identified correctly, but from what you've shown me, I don't see why it wasn't identified as authenticated.
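
[Added example, not part of any poster's message.] The log check discussed in this thread can be run over a whole rspamd.log: for every task whose rspamd_task_write_log line carries a user: field, look for the "apply static settings authenticated" marker under the same task tag. The sample lines are constructed; the line layout with a per-task tag in angle brackets, the settings.lua line number, and the reading that a missing user: field means an unauthenticated task are assumptions.

```python
import re

# Constructed sample lines (not from the thread). Assumed layout:
# "<date> <time> #<pid>(<worker>) <tag>; <module>; <message>".
# The settings.lua line number is a placeholder.
SAMPLE_LOG = """\
2024-01-31 13:51:45 #2001(normal) <a1b2c3>; lua; settings.lua:1: apply static settings authenticated
2024-01-31 13:51:45 #2001(normal) <a1b2c3>; task; rspamd_task_write_log: id: <m1@example.test>, ip: 192.0.2.10, user: jira-bot@example.test, (default: F (no action): [0.00/15.00] [DKIM_SIGNED(0.00){}]), len: 2048
2024-01-31 13:51:46 #2001(normal) <d4e5f6>; task; rspamd_task_write_log: id: <m2@example.test>, ip: 192.0.2.20, user: alice@example.test, (default: T (add header): [8.60/15.00] [R_SUSPICIOUS_URL(5.00){},MIME_HTML_ONLY(0.20){}]), len: 4096
2024-01-31 13:51:47 #2001(normal) <0718aa>; task; rspamd_task_write_log: id: <m3@example.test>, ip: 198.51.100.7, (default: F (no action): [1.20/15.00] [MIME_GOOD(-0.10){}]), len: 512
"""

MARKER = "apply static settings authenticated"  # string quoted in the thread
LINE_RE = re.compile(r"\) <([0-9a-f]+)>; \w+; (.*)$")
USER_RE = re.compile(r"\buser: ([^,]+),")
RESULT_RE = re.compile(r"\(default: [TF] \(([^)]+)\): \[(-?[\d.]+)/")


def audit(log_text):
    """Return one record per authenticated task, noting whether the
    settings marker was logged under the same task tag."""
    applied, tasks = set(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tag, msg = m.groups()
        if MARKER in msg:
            applied.add(tag)
        elif msg.startswith("rspamd_task_write_log:"):
            user, result = USER_RE.search(msg), RESULT_RE.search(msg)
            if user and result:  # assumption: no "user:" field = unauthenticated
                tasks[tag] = {"user": user.group(1).strip(),
                              "action": result.group(1),
                              "score": float(result.group(2))}
    return [dict(tag=t, settings_applied=t in applied, **rec)
            for t, rec in tasks.items()]


def missed(log_text):
    """Authenticated tasks that were scanned without the settings rule."""
    return [r for r in audit(log_text) if not r["settings_applied"]]


if __name__ == "__main__":
    for rec in missed(SAMPLE_LOG):
        print(f'{rec["tag"]} user={rec["user"]} {rec["action"]} score={rec["score"]}')
```

Each record returned by missed() is an authenticated submission that went through the normal scan, which is the case reported for the test mail in this thread.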