This is actually a continuation from this post, but is different enough that I didn’t feel right simply updating that topic.
Again, I have two mailcow-dockerized stacks on two separate VPSes (same hosting provider, same data center). I’ve noticed that when postfix-mailcow on my personal hobby server (mail.hobby.tld) sends a message, I get different final scores in rspamd-mailcow for the message in the receiving mail.surname.tld logs depending on whether the sending Postfix uses IPv4 or IPv6.
The linked topic I resolved by adding AAAA records for the hobby.tld and mail.hobby.tld domains. That improved the situation; Rspamd had been telling Postfix on mail.surname.tld to reject the message outright, because SPF, DKIM, and DMARC didn’t match at all, so it was above the reject threshold.
After adding those AAAA records, the situation did improve. My logwatch messages from mail.hobby.tld were no longer being rejected, but the IPv6-sourced messages are still getting flagged because they’re above the add_header threshold. My hunch right now is I need IPv6-specific SPF, DKIM, and DMARC, but I’m not 100 percent sure that’s correct.
I did find the message that scored high yesterday in the rspamd-mailcow logs on mail.surname.tld, but I’m not entirely sure how to interpret it:
Oct 29 23:02:23 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 2024-10-29 23:02:23 #39(normal) <2b74d1>; task; rspamd_task_write_log: id: <20241030040220.C8FF16066D@git.hobby.tld>, qid: <89E1EFFE30>, ip: ::1, from: <root@git.hobby.tld>, (default: T (add header): [17.21/30.00] [HFILTER_HOSTNAME_UNKNOWN(8.50){},BAYES_SPAM(2.38){92.34%;},BAD_REP_POLICIES(2.00){},RDNS_NONE(2.00){},IP_REPUTATION_SPAM(1.84){asn: 29802(-0.15), country: US(-0.00), ip: ::1(0.62);},FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},MIME_HTML_ONLY(0.20){},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},ASN(0.00){asn:29802, ip: ::1/48, country:US;},BCC(0.00){},DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},TAG_MOO(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11282, time: 881.453ms, dns req: 33, digest: <beef5d3d94c27f19dfb46f2b7e125006>, rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>
Here’s the message that came through today, this time via IPv4:
Oct 30 23:02:49 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 2024-10-30 23:02:49 #39(normal) <dedb34>; task; rspamd_task_write_log: id: <20241031040244.6D7AE60C41@git.hobby.tld>, qid: <622E51019DC>, ip: 0.0.0.0, from: <root@git.hobby.tld>, (default: F (no action): [4.05/30.00] [BAYES_SPAM(2.28){91.85%;},BAD_REP_POLICIES(2.00){},IP_REPUTATION_HAM(-0.71){asn: 29802(-0.15), country: US(-0.00), ip: 0.0.0.0(-0.56);},FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},MIME_HTML_ONLY(0.20){},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},ASN(0.00){asn:29802, ipnet:0.0.0.0/24, country:US;},BCC(0.00){},DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11159, time: 1343.337ms, dns req: 36, digest: <f04e0cb68b2ddaf7cc096a741ea43f43>, rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>
Again, I’ve obfuscated the domain names, and the IPv4/IPv6 addresses/networks.