Forward gets rejected

ecdlguy

Hi,
In SoGo I’ve created a forward for “user@mailcow” in to an external address “user@external”.
If I now send a mail from a freemailer like e.g. t-online.de, the forward gets rejected by rspamd. The main reason seems to be “FREEMAIL_POLICY_FAILURE” with a score of 16.
Is this the expected behavior?

Along with the reject the rspamd error log shows:

(module lua): signing failure: cannot make request to load DKIM selector for domain t-online.de: nil
So rspamd thinks it should sign the mail?

The mail flow in our setup is:
(in) external mailgateway -> university mailgateway -> mailcow -> university mailgateway -> external mailgateway (out)

I’ve added the IPs of the mailgateways as “Forwarding Hosts” (System -> Configuration -> Options -> Forwarding Hosts) with spam filtering enabled. If I disable the spam filter for the forwarding hosts, the email is not rejected.

cheers,
Thorsten

esackbauer

ecdlguy If I disable the spam filter for the forwarding hosts, the email is not rejected.

Why don’t you leave it then disabled? Then also rspamd does not try to sign mails from other domains.
In my setup I have also a mail gateway in front (Sophos Firewall) and I leave antispam only to this mailgateway.
The mailgateway either blocks spam rightaway during reception, or if its not so sure, it is tagged as spam.
So I have a global sieve rule in place that moves any spam tagged mails to the users junk folders.
Antispam should happen only at the edges, so that means your external gateway! University pays a shit load of money for that already 😉
It’s their job to fight spam, not yours.

ecdlguy

I found something related here.
However, I’ve already whitelisted the IPs of the mail-gateways.
I don’t understand why the mail gets rejected. The “FREEMAIL_POLICY_FAILURE” contains !WHITELISTED_FWD_HOST:

Edit: Here’s another related post. I don’t have the option to not use the mail-gateways. Please help 🙂

ecdlguy

Hi esackbauer,

Thanks for your reply!

I really like to understand technically what’s happening here, so

Why does the mail get rejected although it comes from 172.22.1.250?
Why does the mail get rejected although the IPs of the mailgateways are whitelisted as forward hosts?
Why does rspamd try to sign the mail?

The filtering of the DFN is not that good unfortunately. There’s quite a lot of spam coming through.
I really don’t know, but DFN-MailSupport is probably a free service for universities.

cheeers, Thorsten

esackbauer

Its complicated. Fact is, that you can only do proper antispam at the edge, where mail enters from public IP addresses/MTA’s into the boundaries of your organisation, because the accepting MTA might change SMTP headers.
It really gets hard to do it when its already been relayed by internal gateways/MTAs, and I have virtually no experience with that as my Sophos Firewall does a pretty good job.
“FREEMAIL_POLICY_FAILURE” could be the reason that you are somehow sending via t-online.de (which is by definition a freemailer) and DKIM was not applied by T-Online.

ecdlguy

esackbauer “FREEMAIL_POLICY_FAILURE” could be the reason that you are somehow sending via t-online.de (which is by definition a freemailer) and DKIM was not applied by T-Online.

Yes, but the “FREEMAIL_POLICY_FAILURE” rule contains !WHITELISTED_FWD_HOST and this should prevent the rule to be triggered.

Do you know why the Docker IP (172.22.1.250) the mail is coming from isn’t sufficient to let the mail pass?

I’m wondering if it would break something if I add the Docker subnet 172.22.1.0/24 to the forward host whiltelist and disable spam checking for that subnet?

Thanks again,
Thorsten

esackbauer

Seems you want to mess around with the mailcow internal way of working, which does not sound like a good idea. As I said, I have no experience with that, also because that would be not best practice…
Maybe somebody else has experience.

ecdlguy

esackbauer Seems you want to mess around with the mailcow internal way of working

No, I just want a working forwarding 😉

Maybe I should open a github issue because not relaying 172.22.1.250 seems like a bug to me.

Is there anyone who can help trying to understand what’s going on here?

ecdlguy

What I found is that the IP of the sieve container (172.22.1.250) is not among the list according to rspamd’s multimap.conf:

WHITELISTED_FWD_HOST {
  type = "ip";
  map = "redis://WHITELISTED_FWD_HOST";
  symbols_set = ["WHITELISTED_FWD_HOST"];
}

But there is

SIEVE_HOST {
  type = "ip";
  map = "${LOCAL_CONFDIR}/custom/dovecot_trusted.map";
  symbols_set = ["SIEVE_HOST"];
}

And “dovecot_trusted.map” contains: 172.22.1.250/32
So maybe the rules containing !WHITELIST_FWD_HOST like e.g. the FREEMAIL_POLICY_FAILURE should be extended with !SIEVE_HOST?

esackbauer

I want to bring another aspect into the discussion. You are complaining about too much spam being passed by DFN mail gateway. Maybe they are legally obliged to not set the filters too strong. Would you in your department have also the same legal obligations?
Also be aware that if rspamd classifies mail sent from the mail gateways to your mailcow, mailcow might create bounce mails, which are then sent out via DFN mail gateway. Which will affect the spam rating of DFN to the worse.