The right way to configure rspamd to reject spoofed emails

laathm

I’ve deployed mailcow-dockerized, and tested it against https://www.mail-tester.com/ - it gave me 10/10 from the begining… cool
Next I wanted to test spoofing protection with this site https://emailspooftest.com/index.aspx?mode=advanced
It sends 10 emails - E1-E10 with spoofed SPF,DKIM,DMARC etc.. If Your email server configured to reject all possible combinations of spoofs, You should recieve only 1 mail - E1. I recieve all 10 mails - it mean that none of SPF, DKIM, DMARC checks are not rejecting any email…
I see couple of possibilities to configure rspamd service:

via command line
- I added this to /etc/rspamd/lacal.d/force_actions.conf and it has no effect
  R_SPF_FAIL_REJECT {
  action = “reject”;
  expression = “R_SPF_FAIL”;
  }
via webUI https://mail.example.com/rspamd/#symbols
- I’ve configured R_SPF_FAIL, R_SPF_DNSFAIL, R_SPF_SOFTFAIL to be 15.00 (15 is reject) - no effect
via Rsapmd settings map
- I didn’t change anything - is there a presets for this options to reject all spoofing techniques?
  How to prevent this from happening?
  Thank You

ETNyx

You are on stock Mailcow, or you have same your own modification?

Because by default Rspamd this checks do, and do them well, when I search mine logs I can find messages that failed on those test, when all DMARC, SPF and DKIM failed in “strict” mode Rsapmd use this flag: DMARC_POLICY_REJECT (16) that is more than default score for rejection

So you did some modification that prevent this, or you have some bug, but default works fine, or the test is wrong.

laathm

@ETNyx
I actually host mailcow in a vm (behind NAT) that connects to remote server with wireguard vpn, and forward all ports specified in https://docs.mailcow.email/getstarted/prerequisite-system/#incoming-ports via ssh remote port forwarding..
So letsencrypt certs all catchup. All DNS setup works as well, but…
In rspamd web-interface I see this:

undef	172.22.1.1	f.vask@laathm.online	f.vask@laathm.online	DIAG E9: Internal email authentication test for laathm.online ID: 9745	no action		2.50 / 15	1.44 KiB	0.156	05/12/2024, 11:38:16	unknown
[Envelope To] To/Cc/Bcc	f.vask@laathm.online
Symbols

Sort by:
MISSING_MID (2.5)
MIME_GOOD (-0.1) [text/plain]
FISHY_TLD (0.1) [laathm.online]
FROM_NO_DN (0)
TO_DN_NONE (0)
RCPT_COUNT_ONE (0) [1]
FROM_EQ_ENVFROM (0)
TO_MATCH_ENVRCPT_ALL (0)
RCVD_COUNT_ONE (0) [1]
CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]
BCC (0)
DKIM_SIGNED (0) [laathm.online:s=s1]
MIME_TRACE (0) [0:+]
TO_EQ_FROM (0)
RCVD_TLS_ALL (0)
ARC_NA (0)
RCPT_MAILCOW_DOMAIN (0) [laathm.online]
MAILCOW_DOMAIN_HEADER_FROM (0) [laathm.online]
MISSING_XM_UA (0)

I mean that rspamd sees all incoming mail from 172.22.1.0/24 network (internal to mailcow) - so maybe it is the reason that this checks not working?
You say, You send test emails from https://emailspooftest.com/index.aspx?mode=advanced and none of them landed in inbox (except for E1) with default config?

ETNyx

Well before i did not test it, so I did now for you, E1 is in inbox and E7 land in spam,

DIAG E1: domain.com test ID: 2794 valid email baseline	no action	[ 1.79 / 15 ]
DIAG E3: Strict DKIM and Strict PF test for domain.com ID: 2794	reject	[ 30.50 / 15 ]
DIAG E5: Relaxed SPF and Strict DKIM test for domain.com ID: 2794	reject	[ 18.49 / 15 ]
DIAG E7: SPF fail with No DMARC test for domain.com ID: 2794	add header	[ 11.00 / 15 ]
DIAG E9: Internal email authentication test for domain.com ID: 2794	reject	[ 76.49 / 15 ]

Others are rejected before hitting Rspamd like this one:
NOQUEUE: reject: RCPT from p3nlsmtp01-01.prod.phx3.secureserver.net[50.63.9.53]: 450 4.1.8 <test2794@verybad.badspf.com>: Sender address rejected: Domain not found; from=<test2794@verybad.badspf.com> to=<info@domain.com> proto=ESMTP helo=<p3nlsmtp01-01.prod.phx3.secureserver.net>

And yes it looks like mailcow is thinking mail is originated in your local network, so it’s not able to do IP base checks.

DocFraggle

ETNyx E1 is in inbox and E7 land in spam,

Exactly the same here

laathm

@ETNyx
Thanks a lot..