Hi,
In SOGo I’ve created a forward for “user@mailcow” to an external address “user@external”.
If I now send a mail from a freemailer like e.g. t-online.de, the forward gets rejected by rspamd. The main reason seems to be “FREEMAIL_POLICY_FAILURE” with a score of 16.
Is this the expected behavior?

Along with the reject the rspamd error log shows:

(module lua): signing failure: cannot make request to load DKIM selector for domain t-online.de: nil
So rspamd thinks it should sign the mail?

The mail flow in our setup is:
(in) external mailgateway -> university mailgateway -> mailcow -> university mailgateway -> external mailgateway (out)

I’ve added the IPs of the mailgateways as “Forwarding Hosts” (System -> Configuration -> Options -> Forwarding Hosts) with spam filtering enabled. If I disable the spam filter for the forwarding hosts, the email is not rejected.

cheers,
Thorsten


    ecdlguy If I disable the spam filter for the forwarding hosts, the email is not rejected.

    Why don’t you leave it disabled then? Then rspamd also does not try to sign mails from other domains.
    In my setup I also have a mail gateway in front (Sophos Firewall) and I leave antispam only to this mailgateway.
    The mailgateway either blocks spam right away during reception, or if it's not so sure, it is tagged as spam.
    So I have a global sieve rule in place that moves any spam tagged mails to the users' junk folders.
    Antispam should happen only at the edges, so that means your external gateway! University pays a shit load of money for that already 😉
    It’s their job to fight spam, not yours.

    Hi esackbauer,

    Thanks for your reply!

    I'd really like to understand technically what’s happening here, so

    1. Why does the mail get rejected although it comes from 172.22.1.250?
    2. Why does the mail get rejected although the IPs of the mailgateways are whitelisted as forward hosts?
    3. Why does rspamd try to sign the mail?

    The filtering of the DFN is not that good unfortunately. There’s quite a lot of spam coming through.
    I really don’t know, but DFN-MailSupport is probably a free service for universities.

    cheers, Thorsten

    It's complicated. The fact is that you can only do proper antispam at the edge, where mail enters from public IP addresses/MTAs into the boundaries of your organisation, because the accepting MTA might change SMTP headers.
    It really gets hard to do it when it's already been relayed by internal gateways/MTAs, and I have virtually no experience with that as my Sophos Firewall does a pretty good job.
    “FREEMAIL_POLICY_FAILURE” could be the reason that you are somehow sending via t-online.de (which is by definition a freemailer) and DKIM was not applied by T-Online.

      esackbauer “FREEMAIL_POLICY_FAILURE” could be the reason that you are somehow sending via t-online.de (which is by definition a freemailer) and DKIM was not applied by T-Online.

      Yes, but the “FREEMAIL_POLICY_FAILURE” rule contains !WHITELISTED_FWD_HOST and this should prevent the rule from being triggered.

      Do you know why the Docker IP (172.22.1.250) the mail is coming from isn’t sufficient to let the mail pass?

      I’m wondering if it would break something if I add the Docker subnet 172.22.1.0/24 to the forward host whitelist and disable spam checking for that subnet?

      Thanks again,
      Thorsten

      Seems you want to mess around with the mailcow internal way of working, which does not sound like a good idea. As I said, I have no experience with that, also because that would not be best practice…
      Maybe somebody else has experience.

        esackbauer Seems you want to mess around with the mailcow internal way of working

        No, I just want a working forwarding 😉

        Maybe I should open a GitHub issue because not relaying 172.22.1.250 seems like a bug to me.

        Is there anyone who can help trying to understand what’s going on here?

        What I found is that the IP of the sieve container (172.22.1.250) is not among the list according to rspamd’s multimap.conf:

        WHITELISTED_FWD_HOST {
          type = "ip";
          map = "redis://WHITELISTED_FWD_HOST";
          symbols_set = ["WHITELISTED_FWD_HOST"];
        }

        But there is

        SIEVE_HOST {
          type = "ip";
          map = "${LOCAL_CONFDIR}/custom/dovecot_trusted.map";
          symbols_set = ["SIEVE_HOST"];
        }

        And “dovecot_trusted.map” contains: 172.22.1.250/32
        So maybe the rules containing !WHITELISTED_FWD_HOST like e.g. the FREEMAIL_POLICY_FAILURE should be extended with !SIEVE_HOST?
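
The symbol logic described in the post above, as an added example that is not part of the original thread and not mailcow's or rspamd's code: a small Python model of the two IP multimaps and of a composite that negates only WHITELISTED_FWD_HOST. The gateway address 192.0.2.10, the placeholder symbol OTHER_CONDITIONS_MET and the simplified rule expressions are assumptions; the real FREEMAIL_POLICY_FAILURE expression is not shown on this page.

```python
import ipaddress

# Constructed stand-ins for the two map sources quoted in the post.
# 192.0.2.10 is a placeholder for a configured forwarding host (assumption).
MAPS = {
    "WHITELISTED_FWD_HOST": ["192.0.2.10/32"],   # redis://WHITELISTED_FWD_HOST
    "SIEVE_HOST": ["172.22.1.250/32"],           # custom/dovecot_trusted.map
}

# Simplified stand-ins for the composite (assumption). OTHER_CONDITIONS_MET
# replaces every term of the real rule that the thread does not show.
CURRENT_RULE = "OTHER_CONDITIONS_MET & !WHITELISTED_FWD_HOST"
PROPOSED_RULE = CURRENT_RULE + " & !SIEVE_HOST"


def multimap_symbols(client_ip, maps=MAPS):
    """Return the symbols whose IP map contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return {
        symbol
        for symbol, networks in maps.items()
        if any(ip in ipaddress.ip_network(net) for net in networks)
    }


def composite_fires(expression, symbols):
    """Evaluate '&'-joined atoms; a leading '!' means the symbol must be absent."""
    for atom in (part.strip() for part in expression.split("&")):
        negated = atom.startswith("!")
        present = atom.lstrip("!") in symbols
        if present == negated:  # required symbol missing, or excluded symbol set
            return False
    return True


def rule_fires(client_ip, expression):
    """Combine the multimap result with the (assumed) message-level conditions."""
    symbols = {"OTHER_CONDITIONS_MET"} | multimap_symbols(client_ip)
    return composite_fires(expression, symbols)


if __name__ == "__main__":
    for ip in ("172.22.1.250", "192.0.2.10", "198.51.100.7"):
        print(ip, sorted(multimap_symbols(ip)),
              "current:", rule_fires(ip, CURRENT_RULE),
              "proposed:", rule_fires(ip, PROPOSED_RULE))
```

In this model a message arriving from 172.22.1.250 carries only SIEVE_HOST, so a rule that excludes just WHITELISTED_FWD_HOST still fires for it, while the variant with `!SIEVE_HOST` does not.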

        I want to bring another aspect into the discussion. You are complaining about too much spam being passed by DFN mail gateway. Maybe they are legally obliged to not set the filters too strong. Would you in your department also have the same legal obligations?
        Also be aware that if rspamd classifies mail sent from the mail gateways to your mailcow, mailcow might create bounce mails, which are then sent out via DFN mail gateway. Which will affect the spam rating of DFN for the worse.
