I’ve deployed mailcow-dockerized, and tested it against mail-tester.com

- it gave me 10/10 from the beginning… cool
Next I wanted to test spoofing protection with this site: Email Spoof Test (emailspooftest.com)

It sends 10 emails - E1-E10 with spoofed SPF, DKIM, DMARC etc. If your email server is configured to reject all possible combinations of spoofs, you should receive only 1 mail - E1. I receive all 10 mails - it means that none of the SPF, DKIM, DMARC checks are rejecting any email…
I see a couple of possibilities to configure the rspamd service:

  1. via command line
    • I added this to /etc/rspamd/local.d/force_actions.conf and it has no effect
      R_SPF_FAIL_REJECT {
        action = "reject";
        expression = "R_SPF_FAIL";
      }
  2. via webUI https://mail.example.com/rspamd/#symbols
    • I’ve configured R_SPF_FAIL, R_SPF_DNSFAIL, R_SPF_SOFTFAIL to be 15.00 (15 is reject) - no effect
  3. via Rspamd settings map
    • I didn’t change anything - are there presets for these options to reject all spoofing techniques?

How to prevent this from happening?
Thank you

Are you on stock Mailcow, or do you have some modifications of your own?

Because by default Rspamd does these checks, and does them well. When I search my logs I can find messages that failed those tests; when all of DMARC, SPF and DKIM fail in “strict” mode, Rspamd uses this flag: DMARC_POLICY_REJECT (16), which is more than the default score for rejection.

So you did some modification that prevents this, or you have some bug, but the default works fine, or the test is wrong.


@ETNyx
I actually host mailcow in a VM (behind NAT) that connects to a remote server with WireGuard VPN, and forward all ports specified in Prepare your system - mailcow: dockerized documentation (docs.mailcow.email) via ssh remote port forwarding..
So the letsencrypt certs all catch up. All DNS setup works as well, but…
In the rspamd web interface I see this:

undef	172.22.1.1	f.vask@laathm.online	f.vask@laathm.online	DIAG E9: Internal email authentication test for laathm.online ID: 9745	no action		2.50 / 15	1.44 KiB	0.156	05/12/2024, 11:38:16	unknown
[Envelope To] To/Cc/Bcc	f.vask@laathm.online
Symbols

MISSING_MID (2.5)
MIME_GOOD (-0.1) [text/plain]
FISHY_TLD (0.1) [laathm.online]
FROM_NO_DN (0)
TO_DN_NONE (0)
RCPT_COUNT_ONE (0) [1]
FROM_EQ_ENVFROM (0)
TO_MATCH_ENVRCPT_ALL (0)
RCVD_COUNT_ONE (0) [1]
CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]
BCC (0)
DKIM_SIGNED (0) [laathm.online:s=s1]
MIME_TRACE (0) [0:+]
TO_EQ_FROM (0)
RCVD_TLS_ALL (0)
ARC_NA (0)
RCPT_MAILCOW_DOMAIN (0) [laathm.online]
MAILCOW_DOMAIN_HEADER_FROM (0) [laathm.online]
MISSING_XM_UA (0)

I mean that rspamd sees all incoming mail as coming from the 172.22.1.0/24 network (internal to mailcow) - so maybe that is the reason these checks are not working?
You say you sent test emails from Email Spoof Test and none of them landed in the inbox (except for E1) with the default config?

Well, I had not tested it before, so I did now for you: E1 is in the inbox and E7 landed in spam,

DIAG E1: domain.com test ID: 2794 valid email baseline	no action	[ 1.79 / 15 ]
DIAG E3: Strict DKIM and Strict PF test for domain.com ID: 2794	reject	[ 30.50 / 15 ]
DIAG E5: Relaxed SPF and Strict DKIM test for domain.com ID: 2794	reject	[ 18.49 / 15 ]
DIAG E7: SPF fail with No DMARC test for domain.com ID: 2794	add header	[ 11.00 / 15 ]
DIAG E9: Internal email authentication test for domain.com ID: 2794	reject	[ 76.49 / 15 ]

Others are rejected before hitting Rspamd like this one:
NOQUEUE: reject: RCPT from p3nlsmtp01-01.prod.phx3.secureserver.net[50.63.9.53]: 450 4.1.8 <test2794@verybad.badspf.com>: Sender address rejected: Domain not found; from=<test2794@verybad.badspf.com> to=<info@domain.com> proto=ESMTP helo=<p3nlsmtp01-01.prod.phx3.secureserver.net>

And yes, it looks like mailcow thinks the mail originated in your local network, so it’s not able to do IP-based checks.

    ETNyx E1 is in inbox and E7 land in spam,

    Exactly the same here

    2 months later
    • Bbkalai


      I don’t know if this is the right thing to do, but adding the VPN subnet to forwarders in mailcow fixed this for me
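
A quick check for the condition discussed in this thread, added here as an example and not part of any post: it flags history rows where Rspamd recorded an internal client address (172.22.1.0/24, as quoted above) for unauthenticated mail and no SPF or DMARC result symbol is present, as in the posted E9 row. The dictionary keys (`ip`, `user`, `subject`, `symbols`) and the second and third sample rows are assumptions made for the example.

```python
import ipaddress

# Prefixes of the symbols Rspamd records once SPF / DMARC were evaluated
# (R_SPF_FAIL, R_SPF_SOFTFAIL, DMARC_POLICY_REJECT, ... as named in the thread).
AUTH_PREFIXES = ("R_SPF_", "DMARC_")

# Internal mailcow network quoted in the thread; add a VPN subnet if one is used.
INTERNAL_NETS = [ipaddress.ip_network("172.22.1.0/24")]


def source_masked(row, nets=INTERNAL_NETS):
    """Flag unauthenticated mail that appears to come from an internal
    address and carries no SPF/DMARC result symbol at all."""
    ip = ipaddress.ip_address(row["ip"])
    internal = any(ip in net for net in nets)
    authed = row.get("user") not in (None, "", "unknown")
    checked = any(sym.startswith(AUTH_PREFIXES) for sym in row["symbols"])
    return internal and not authed and not checked


def audit(rows, nets=INTERNAL_NETS):
    """Return the subjects of all rows where sender checks were blind."""
    return [r["subject"] for r in rows if source_masked(r, nets)]


# Constructed sample rows (assumed structure). The first mirrors the E9 row
# posted in the thread; the other two are made up for contrast.
ROWS = [
    {"ip": "172.22.1.1", "user": "unknown", "subject": "DIAG E9",
     "symbols": ["MISSING_MID", "MIME_GOOD", "DKIM_SIGNED", "ARC_NA",
                 "RCVD_COUNT_ONE", "MAILCOW_DOMAIN_HEADER_FROM"]},
    {"ip": "203.0.113.7", "user": "unknown", "subject": "DIAG E3",
     "symbols": ["R_SPF_FAIL", "DMARC_POLICY_REJECT", "MIME_GOOD"]},
    {"ip": "172.22.1.1", "user": "info@domain.com", "subject": "webmail send",
     "symbols": ["MIME_GOOD", "FROM_EQ_ENVFROM"]},
]

if __name__ == "__main__":
    for subject in audit(ROWS):
        print("sender checks saw an internal IP:", subject)
```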
