[Rspamd-Users] [ext] locally generated mails have an incorrect DKIM signature.

Franta Hanzlík franta at hanzlici.cz
Tue May 14 20:57:54 UTC 2024


On Tue, 14 May 2024 15:30:46 +0200
Ralf Hildebrandt via Users <users at lists.rspamd.com> wrote:

> > non_smtpd_milters = { unix:/var/lib/rspamd/milter.sock, connect_timeout=5s, default_action=accept }  
> 
> That looks ok
>  
> > when I send mail from mailserver somehow as:
> >   echo -e "Ahoj"|mail -s "posilam ahoj" franta at hanzlici.cz  
> 
> Warning: this does NOT contain a From: header, so there's nothing to
> sign.
> 
> -- 
Hi Ralf, thanks for your reply! I have some additional info to add.
Maybe the "mail" program (I use the one from GNU Mailutils, v3.17) or Postfix
adds some mail header items. The RSPAMD log records on the sending side are:

2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; proxy_accept_socket: accepted milter connection from /var/lib/rspamd/milter.sock port 0
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:0
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; rspamd_mime_parse_message: cannot find content-type for a message, assume text/plain
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; rspamd_message_parse: loaded message; id: <20240513183132.A62BF213B5 at mail.mulac.cz>; queue-id: <A62BF213B5>; size: 237; checksum: <d4e25433c9df99130c6a710e052399ea>
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; greylist.lua:219: skip greylisting for local networks and/or authorized users
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; spf.lua:186: skip SPF checks for local networks and authorized users
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; dmarc.lua:353: skip DMARC checks as either SPF or DKIM were not checked
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; dkim_signing; lua_dkim_tools.lua:191: mail is from local address
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; dkim_signing; lua_dkim_tools.lua:374: local: use domain(mulac.cz) for signature: mulac.cz
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; dkim_signing; lua_dkim_tools.lua:427: final DKIM domain: mulac.cz
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; dkim_signing; lua_dkim_tools.lua:53: set domain to "mulac.cz" using dkim_domain
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; dkim_signing; dkim_signing.lua:129: using key "/etc/rspamd/dkim/mulac.cz.default.key", use selector "default" for domain "mulac.cz"
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; once_received.lua:102: Skipping once_received for authenticated user or local network
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; greylist.lua:335: Score too low - skip greylisting
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; lua; neural.lua:355: skip ham sample to keep spam/ham balance; probability 0.6666666666666667; 1 spam and 2 ham vectors stored
2024-05-13 20:31:32 #3789205(rspamd_proxy) <0b2e7e>; proxy; rspamd_task_write_log: 
 id: <20240513183132.A62BF213B5 at mail.mulac.cz>, qid: <A62BF213B5>, ip: 127.0.0.1, 
 FROM: <root at mulac.home>, RCPT: <franta at hanzlici.cz>, 
 CFrom:"koren-na-mail.mulac" <root at mulac.home>, CTo: <franta at hanzlici.cz>, CCc:nil, 
 CSubj:posilam ahoj,
 (default: F (no action): [-0.10/13.00] [
   MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},
   DKIM_SIGNED(0.00){mulac.cz:s=default;},
   FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;}, 
   RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},
   SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},
   TO_MATCH_ENVRCPT_ALL(0.00){}
  ]
 ), len: 237, time: 295.516ms, dns req: 3, digest: <d4e25433c9df99130c6a710e052399ea>

where CFrom:, CTo:, Cc: and CSubj: are header parts logged from the customized
/etc/rspamd/local.d/logging.inc:

log_format =<<EOD
id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ FROM: <$>,}$if_smtp_rcpts{ RCPT: <$>,}
$lua{
  return function(task)
    return 'CFrom:' .. tostring(task:get_header('From')) .. ', CTo: ' .. tostring(task:get_header('To')) .. ', CCc:' .. tostring(task:get_header('Cc')) .. ', CSubj:' .. tostring(task:get_header('Subject')) .. ','
  end
}
(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
len: $len, time: $time_real, dns req: $dns_req,
digest: <$digest>$if_filename{, file: $}$if_forced_action{, forced: $}$if_settings_id{, settings_id: $}
EOD

And the RSPAMD log on the receiving mailserver is (see 'R_DKIM_REJECT'):

2024-05-13 20:31:34 #3965555(rspamd_proxy) <1d8a25>; proxy; rspamd_task_write_log: 
 id: <20240513183132.A62BF213B5 at mail.mulac.cz>, qid: <2E4932B77E4>, ip: 84.242.95.170, 
 FROM: <root at mulac.cz>, RCPT: <franta at hanzlici.cz>, 
 CFrom:"koren-na-mail.mulac" <root at mulac.cz>, CTo: <franta at hanzlici.cz>, CCc:nil, 
 CSubj:posilam ahoj, 
 (default: F (no action): [0.80/15.00] [
   R_DKIM_REJECT(1.00){mulac.cz:s=default;},
   R_SPF_ALLOW(-0.20){+mx;},
   MIME_GOOD(-0.10){text/plain;},ONCE_RECEIVED(0.10){},ARC_NA(0.00){},
   ASN(0.00){asn:16019, ipnet:84.242.64.0/19, country:CZ;},
   DKIM_TRACE(0.00){mulac.cz:-;},DMARC_NA(0.00){mulac.cz: no valid DMARC record;},
   FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;},
   RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;}, RCVD_TLS_LAST(0.00){},
   SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},
   TO_MATCH_ENVRCPT_ALL(0.00){}
  ]
 ), len: 748, time: 1069.375ms, dns req: 28, digest: <d4e25433c9df99130c6a710e052399ea>

(I manually wrapped the rspamd_task_write_log record, on the sending side too)
And the received mail in the recipient's mailbox:

Return-Path: <root at mulac.cz>
X-Original-To: franta at hanzlici.cz
Delivered-To: franta at hanzlici.cz
Received: from mail.mulac.cz (mulacupc [84.242.95.170])
	by mail.hanzlici.cz (Postfix) with ESMTPS id 2E4932B77E4
	for <franta at hanzlici.cz>; Mon, 13 May 2024 20:31:33 +0200 (CEST)
Received: by mail.mulac.cz (Postfix, from userid 0)
	id A62BF213B5; Mon, 13 May 2024 20:31:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mulac.cz; s=default;
	t=1715625092;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc; bh=w1BK14ne86WbcUFsEywJNsksGd+kc65zeiu1WFDKQeQ=;
	b=hPgdGEddWnceZ5NJcV1LwIaWT7+LaUvtEm+sbItJmNSaSVRWbUACeeUpvwAZBgUbjk+B4K
	SZKJ3lB4pMTXoLsRNkR2smBASQT1yrZuLCG3+pcWqa02qH7zXFM2HUkV6uK7+SqQBRhulw
	q3ZYlfol1gu7wbk4v/QLeuGOquBsttM=
Subject: posilam ahoj
To: <franta at hanzlici.cz>
User-Agent: mail (GNU Mailutils 3.17)
Date: Mon, 13 May 2024 20:31:32 +0200
Message-Id: <20240513183132.A62BF213B5 at mail.mulac.cz>
From: "koren-na-mail.mulac" <root at mulac.cz>

Ahoj


I don't know how to grasp it, how to find out through which parts of 
the email and how the signature was made.
I will be grateful for any help.
-- 
Thanks, Franta Hanzlík
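
Which parts of a mail a DKIM signature covers can be read from the h= and bh= tags of the DKIM-Signature header. The following is an added example (not part of the original message and not Rspamd code): it parses those tags and reports which signed headers differ between the values logged at signing time and the values in the delivered mail, using header values copied from the two log records and the mail above. The function names are assumptions of this example.

```python
import base64, hashlib, re

def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376, 3.4.2)."""
    return name.lower() + ":" + re.sub(r"[ \t\r\n]+", " ", value).strip()

def relaxed_body_hash(body):
    """Value expected in bh= for relaxed body canonicalization with sha256."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in re.split(rb"\r?\n", body)]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def changed_signed_headers(sig_value, at_signing, delivered):
    """Header names listed in h= whose canonical form differs between the sets."""
    names = dict.fromkeys(parse_tags(sig_value)["h"].lower().split(":"))
    return [n for n in names
            if relaxed_header(n, at_signing.get(n, ""))
            != relaxed_header(n, delivered.get(n, ""))]

# Sample input copied from the message above (b= left out, not needed here).
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mulac.cz; s=default;\n"
       "\tt=1715625092;\n"
       "\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n"
       "\t to:to:cc; bh=w1BK14ne86WbcUFsEywJNsksGd+kc65zeiu1WFDKQeQ=;")
# Header values as logged on the sending side (CFrom, CTo, CSubj and id).
AT_SIGNING = {"from": '"koren-na-mail.mulac" <root at mulac.home>',
              "to": "<franta at hanzlici.cz>", "subject": "posilam ahoj",
              "message-id": "<20240513183132.A62BF213B5 at mail.mulac.cz>"}
# Header values as they appear in the delivered mail.
DELIVERED = {**AT_SIGNING, "from": '"koren-na-mail.mulac" <root at mulac.cz>'}

if __name__ == "__main__":
    print("signed headers:", parse_tags(SIG)["h"])
    print("changed after signing:",
          changed_signed_headers(SIG, AT_SIGNING, DELIVERED))
```

A header that is listed in h= and changes between signing and delivery makes verification fail at the receiver. Comparing relaxed_body_hash() of the delivered body with the bh= tag shows in the same way whether the body was altered after signing.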

