Attachment issue after updating to Mailcow 2025-03a

shaneodoo

CK_beats Hey not just for you to make yourself feel special lol, but its nice to know where people are having the issues so they can be fixed. if you click on my pull request link at the bottom of the last message then you will see the changes.

CK_beats

shaneodoo
It works!
Thank you!

Tested on Outlook 2013 & 2016 Client via Active-Sync.

Email forwarded with screenshot embedded in the text and PDF as a file attachment.
Everything was transferred perfectly!
RspamD can completely read and understand the content of the email, sender and IP address.

I’m excited to hear what other users report!
From my side the footer is now perfect!

shaneodoo

CK_beats I am so pleased, I will say I had the issue myself not so many months ago. Checked every file I could to pin it to rspamd lua. Even went back to Windows and Outlook after 10 years of being a Linux user to test for clients (ugh!!). That was painful lol and to use the New Outlook as well what a step backwards that is, hate it with a passion. Anyway so pleased it worked for you just hope I have committed the changes correctly, for Mailcow to amend this.

My next project is to try and align the footer directly under reply messages rather than adding at the bottom of all previous reply messages.. That is not an easy task, but it would make things look a lot professional as though it was an inline reply signature.

CK_beats

shaneodoo
You did really well!
Linux is a really very interesting and versatile kernel!
The problem with many business applications is that support for Linux distributions is not offered.
Therefore, we are often simply forced to stay with Microsoft.
But it’s not that bad after all.
At least you have variety! 🤣🤣🤣🤣🤣

If you could get Mailcow to automatically place the footer under each reply, that would be more than perfect.
Over the years we have come to terms with the fact that the correct footer (even with Exchange) is always placed at the end of the email.
Better there than not at all.
When using various mobile and stationary clients, the effort required to manually maintain a signature on each device is simply far too high

CK_beats

I have to bother again.
We’ve been running the last rspamd.local.lua for 2 days now.
Now the following errors occur:
When forwarding an email internally with mixed file attachments (PDF & JPEG), these are not delivered to the recipient.
RspamD shows in its logs that file attachments are present and the size, but the recipient mailbox only receives the email text including the footer.

The size in the recipient mailbox only corresponds to the text with a few KB instead of approx. 10 MB

Has anyone else had this experience?

Update:
The error is probably caused when storing the mail in the new mailbox.
We use “MailStore Server” as an email archive.
The file attachments are all present in the email archived directly from Mailcow.
However, not in SoGo and Outlook (Active Sync).

shaneodoo

CK_beats You need to ensure that the /data/conf/postfix/main.cf message_size_limit = 104857600 is set to your desired email size. Anything over your quota should send attachments as file share links. I pushed mine out to 100MB which it will never reach and overkill, but by default most mailboxes only accept 5MB ~ 25MB

Also in /data/conf/clamav/clamd.conf check these this is what I have set to ensure clamav does not give up on scanning the files.
MaxScanSize 50M
MaxFileSize 25M

If you are having issues only when the domain footer is applied then maybe look at the footer code it might be breaking things. The HTML code I have in my footer is as follows.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Email Signature</title>
</head>
<body style="font-family: Arial, Helvetica, sans-serif; background-color: #ffffff; margin: 0; padding: 0;">
  <table cellpadding="0" cellspacing="0" border="0" width="100%" style="max-width: 600px; table-layout: fixed;">
    <tr>
      <td width="120" valign="top" style="padding: 10px 10px 0 0;">
     ********************
      </td>
    </tr>
  </table>
</body>
</html>

I ensure I have the opening and closing <html> tags to encapsulate the footer so it does not break any other part HTML emails. Works faultlessly for me

CK_beats

shaneodoo
Thank you for your good support!
The maximum email size is adjusted to 125 MB in extra.conf and ClamAV according to the instructions.
It should also be borne in mind that Outlook from version 2016 only allows sending 20 MB by default.
A value must be set here in the registry.

What could still be possible for us is the HTML code of the footer.
This could be broken.
I completely revised and inserted it.
So far no further problems.

Your code has been adopted in the current version 2025-09a! I am very pleased!
I did the update straight away.
It’s been running error-free so far!

shaneodoo

Well I am pleased to confirm that my footer changes have now been included in the 2025-09a

https://github.com/mailcow/mailcow-dockerized/pull/6714 I would say this thread can now be closed. 🙂

shaneodoo

CK_beats Thats FAB news 🙂

CK_beats

Unfortunately I have to interject here again.

The error of not transmitted file attachments still exists in some cases.

But it is not reproducible.

Client is Outlook 2016, connected via Active-Sync (EAS).
The content of the email is HTML text, possibly a screenshot included.
File attachments are JPEG & PDF mixed.

The footer is now clean HTML and there should no longer be any errors. No image in the footer. Just a few hyperlinks.

If you receive a reply from the recipient about missing file attachments and then reply to this email, the file attachment is missing again, provided the footer remains switched on when replying.

I have an update:
An email forwarded via Outlook 2016 lost the attachment at the recipient.
Or the recipient client can no longer clearly recognize the file attachments.

The same email forwarded via the iPad’s standard mail client without changing the footer settings shows the attachments to the recipient.

I would say that Mailcow doesn’t “understand” something when handing over the Outlook client.

shaneodoo

CK_beats

I have noticed this aswell with clients using Outlook and Mailbird, I have taken a look at mime_types.conf which has not been updated for over a year now and have reason to believe that if some attachments are not listed in this file they can be flagged with a high spam score and certain recipients can reject the files

Outlook (and similar clients like Mailbird) fail with attachments because of MIME type handling. I’ll also explain why we changed each entry in your mime_types.conf.

###############################################################################
# MIME Types configuration for Rspamd
# Compatible with Outlook, Mailbird, Thunderbird, and other major email clients
###############################################################################

# Extensions treated as potentially dangerous
# Number is spam/virus score multiplier
bad_extensions = {
  apk = 4,
  appx = 4,
  appxbundle = 4,
  bat = 20,
  cab = 20,
  cmd = 20,
  com = 20,
  dmg = 8,
  exe = 20,
  jar = 12,
  jnlp = 12,
  js = 12,
  jse = 12,
  lnk = 20,
  mjs = 12,
  msi = 12,
  msix = 12,
  msixbundle = 12,
  ps1 = 12,
  scr = 20,
  sct = 20,
  vb = 20,
  vbe = 20,
  vbs = 20,
  py = 12,
  reg = 12,
};

# Extensions allowed in archives
archive_extensions = {
  zip = 1,
  rar = 1,
  tar = 1,
  gz  = 1,
  7z  = 1,
};

# Dangerous files inside archives (high penalty)
bad_archive_extensions = {
  bat = 12,
  cmd = 12,
  exe = 20,
  jar = 12,
  js = 12,
  vbs = 20,
  msi = 12,
};

# Forbidden MIME types
forbidden_type {
  application/x-msdownload = 1;
  application/x-executable = 1;
  application/x-dosexec = 1;
  application/x-bat = 1;
  application/x-cmd = 1;
  application/javascript = 1;
  application/x-javascript = 1;
  application/x-sharedlib = 1;
  application/java-archive = 1;
  application/x-msi = 1;
  application/x-iso9660-image = 1;

  # Safe MIME types that Outlook sometimes mislabels
  application/octet-stream = 0;      # critical: allows generic binaries like zip, docx, pdf
  application/x-zip-compressed = 0;  # critical for Outlook/Mailbird to attach zip files
};

# Explicitly allowed extensions with minimal penalty
allowed_extensions {
  pdf = 0.1;
  doc = 0.1;
  docx = 0.1;
  xls = 0.1;
  xlsx = 0.1;
  csv = 0.1;
  txt = 0.1;
  zip = 0.5;
  rar = 0.5;
  7z  = 0.5;

  # Common image formats
  png = 0.1;
  jpg = 0.1;
  jpeg = 0.1;
  gif = 0.1;
};

# Optional: low-risk penalty for archives containing allowed files
archive_penalty_safe = 0.5

Setting	Default Mailcow	Updated	Reason / Impact
`bat, cmd, exe`	bat=8, cmd=8, exe=20	all higher (bat=20, cmd=20, exe=20)	Stronger penalty for dangerous scripts
`jar, jnlp, js, msi`	jar=8, jnlp=8, js=8, msi=4	jar=12, jnlp=12, js=12, msi=12	Catches risky binaries/scripts in attachments
`application/octet-stream`	forbidden=0.0	forbidden=0	Allows Outlook to attach files that are mislabeled as `octet-stream` (zip, docx, pdf)
`application/x-zip-compressed`	forbidden=0.0	forbidden=0	Fixes Outlook/Mailbird zip attachment issues
Images	not explicitly listed	png/jpg/jpeg/gif allowed	Avoids false positives for common image attachments
Archive extensions	tar, gz	zip, rar, tar, gz, 7z	Ensures safe handling of common compressed files

Using the mime_type.conf code above save it in /docker/mailcow/data/conf/rspamd/local.d/mime_types.conf

Check the config Syntax: docker exec -it rspamd-mailcow-1 rspamadm configtest

Reload rspamd: docker exec -it rspamd-mailcow-1 rspamadm reload

Or you can just reload the container: docker compose restart rspamd-mailcow

It’s a battle and half, now at the point I am away to lose a client I have had for the past 2 years as a result of this. This is my last attempt to reignite, a happy round table meetings. Mailcow has so much potential in breaking away from the big mail services.

CK_beats

shaneodoo

Many thanks for your support!
I have added your configuration.

The storage location is /opt/mailcow-dockerized/data/conf/rspamd/local.d# just for completion.

I have also added the Office file extensions .doc, .xls, .docx and so on to the “bad_extensions” list.
We block the sending and receiving of office documents for security reasons.
Only receiving and sending image, video and PFD files is permitted.

The configuration check returned the following: cannot register delayed dependency LOCAL_BL_ASN -> MAILCOW_WHITE: destination MAILCOW_WHITE is missing syntax OK

In my case the check is carried out with: docker exec -it mailcowdockerized-rspamd-mailcow-1 rspamadm configtest

or out of the container.

Thank you very much and best regards
Constantin

shaneodoo

CK_beats

I have added this myself today, in the hope that recipants accepts my directors files, with them being unaccepting that some companies block attachment, he wants 100% of emails to land all of the time… if only life was that easy. lol

I too have noticed this cannot register delayed dependency LOCAL_BL_ASN -> MAILCOW_WHITE: destination MAILCOW_WHITE is missing, I am working on this as I write, as it was there in the early 2025 versions.

For you, you can maninpulate the mime_types.conf to suit your business, but remember this works for both out going and incoming messages.

Checking my DMARC, reports I am getting a 97.5% landing score. So I don’t think its that bad to be honest.

Thanks for the reply.

CK_beats

shaneodoo
I maintain that the time when mail servers and other systems generally MUST accept all file attachments is over.
Especially in these challenging times, a secure and not easily vulnerable system is worth more than 100% compatibility.

That’s exactly my goal, that we generally reject outgoing and incoming file types.
But I have already adjusted this in the GUI via the “Prefilter” item.

shaneodoo

CK_beats

What I am up against is if I can not sort the attachment issues with big companies like banks and financial government awarding bodies then they will move to Google Workspace.. thinking that will fix anything..

CK_beats

shaneodoo

😂😂😂😂😂 When it comes to circumventing a ban, people are generally very inventive.

From my point of view, there is nothing at all against using it on the intranet and within the network.

But not every file format has to flow into your own system from outside.
You can read about the problems that emails with malicious code lead to every day.

CK_beats

I have another small update:
It seems as if no more attachments are being “lost” at the moment.

However, Mailow appears to partially rename the file attachments.

File name of the original file (mail was held as SPAM and delivered manually): “Unknown attachment 00173.pdf”

File name after internal forwarding to another user:
“Unknown attachment 00082.pdf”.

I am relatively sure that the sender did not label his attachment (training program) as an “unknown attachment”.

Outlook 2016 is generally used as client software.
Access to Mailcow using EAS.

shaneodoo

CK_beats

I have an update to the script I did, I was capturing all the email content including the attachments in the a mixed, multipart. text printable MIME mess. Some times attachments get though other times they don’t on Outlook and Mailbird, but thunderbird is forgiving and sends the correct structure, as with bluemail and emClient. So the mess was hidden from me.

What the code now does is when an attachment is added it silently stops the domain wide footer and cleanly sends the attachments pdf where not going as base64 so become corrupt along the way now they do. When no attachments are in the email the domain wide footer is displayed once again.

Here is my commit https://github.com/shaneodoo/mailcow-dockerized/blob/master/data/conf/rspamd/lua/rspamd.local.lua

https://github.com/shaneodoo/mailcow-dockerized/commit/ff454876c9916531916b032c0b69223aed1b3faa

Replace everything from line 562 to the end.

Or just before –fetch footer this should get rid of the unknown attachment issue you have as MIME was formatting the file incorrectly and RSPAMD knew there was an attachment but didn’t know how to process it, its now untouched and cleanly moving off as it should be…

    -- retrieve footer
    local function footer_cb(err_message, code, data, headers)
      -- CHANGE 1: Fixed error variable name from 'err' to 'err_message' and added early return
      if err_message or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
        return
      end

      -- parse json string
      local footer = cjson.decode(data)
      -- CHANGE 2: Restructured validation with early returns instead of nested if/else
      if not footer then
        rspamd_logger.infox(rspamd_config, "parsing domain wide footer for user %s returned invalid or empty data (\"%s\")", uname, data)
        return
      end
      
      if not (footer and type(footer) == "table" and (footer.html and footer.html ~= "" or footer.plain and footer.plain ~= "")) then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\")", uname, data)
        return
      end

      rspamd_logger.infox(rspamd_config, "found domain wide footer for user %s: html=%s, plain=%s, vars=%s", uname, footer.html, footer.plain, footer.vars)

      -- Check if mail is a reply and skip if needed
      if footer.skip_replies ~= 0 then
        local in_reply_to = task:get_header_raw('in-reply-to')
        if in_reply_to then
          rspamd_logger.infox(rspamd_config, "mail is a reply - skip footer")
          return
        end
      end

      -- CHANGE 3: NEW SAFETY CHECK - Skip multipart/mixed messages (likely have attachments)
      local ct = task:get_header('Content-Type')
      if ct and ct:lower():match('multipart/mixed') then
        rspamd_logger.infox(rspamd_config, "skipping footer for multipart/mixed message (has attachments)")
        return
      end

      local envfrom_mime = task:get_from(2)
      local from_name = ""
      if envfrom_mime and envfrom_mime[1].name then
        from_name = envfrom_mime[1].name
      elseif envfrom and envfrom[1].name then
        from_name = envfrom[1].name
      end

      -- default replacements
      local replacements = {
        auth_user = uname,
        from_user = envfrom[1].user,
        from_name = from_name,
        from_addr = envfrom[1].addr,
        from_domain = envfrom[1].domain:lower()
      }
      
      -- add custom mailbox attributes
      if footer.vars and type(footer.vars) == "string" then
        local footer_vars = cjson.decode(footer.vars)

        if type(footer_vars) == "table" then
          for key, value in pairs(footer_vars) do
            replacements[key] = value
          end
        end
      end
      
      if footer.html and footer.html ~= "" then
        footer.html = lua_util.jinja_template(footer.html, replacements, true)
      end
      if footer.plain and footer.plain ~= "" then
        footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
      end

      -- add footer
      local out = {}
      local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}

      local seen_cte
      local newline_s = newline(task)

      local function rewrite_ct_cb(name, hdr)
        if rewrite.need_rewrite_ct then
          if name:lower() == 'content-type' then
            -- include boundary if present
            local boundary_part = rewrite.new_ct.boundary and
              string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''
            local nct = string.format('%s: %s/%s; charset=utf-8%s',
                'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)
            out[#out + 1] = nct
            -- update Content-Type header (include boundary if present)
            task:set_milter_reply({
              remove_headers = {['Content-Type'] = 0},
            })
            task:set_milter_reply({
              add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8%s',
                rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)}
            })
            return
          elseif name:lower() == 'content-transfer-encoding' then
            -- CHANGE 4: Only change encoding for text parts, preserve base64 for attachments
            if rewrite.new_ct and rewrite.new_ct.type == 'text' then
              out[#out + 1] = string.format('%s: %s',
                  'Content-Transfer-Encoding', 'quoted-printable')
              task:set_milter_reply({
                remove_headers = {['Content-Transfer-Encoding'] = 0},
              })
              task:set_milter_reply({
                add_headers = {['Content-Transfer-Encoding'] = 'quoted-printable'}
              })
              seen_cte = true
            else
              -- Preserve original encoding for non-text parts
              out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
            end
            return
          end
        end
        out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
      end

      task:headers_foreach(rewrite_ct_cb, {full = true})

      if not seen_cte and rewrite.need_rewrite_ct then
        out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
      end

      -- End of headers
      out[#out + 1] = newline_s

      if rewrite.out then
        for _,o in ipairs(rewrite.out) do
          out[#out + 1] = o
        end
      else
        out[#out + 1] = task:get_rawbody()
      end
      
      local out_parts = {}
      for _,o in ipairs(out) do
        if type(o) ~= 'table' then
          out_parts[#out_parts + 1] = o
          out_parts[#out_parts + 1] = newline_s
        else
          -- CHANGE 5: REMOVED boundary stripping code that was destroying MIME structure
          -- Just add the part as-is without modification
          out_parts[#out_parts + 1] = o[1]
          if o[2] then
            out_parts[#out_parts + 1] = newline_s
          end
        end
      end
      
      task:set_message(out_parts)
    end

    -- fetch footer

CK_beats

shaneodoo
Thanks for the update!
I immediately created a snapshot and added your changes to the script!
I am excited!
I will report!

I think the domain-wide footer is a really great feature!
It allows for an easy-to-configure uniform look for every email.
If the footer works correctly, Mailcow is the perfect replacement for our Exchange Server!
I am absolutely convinced of Mailcow!

Of course I made a mistake somewhere when inserting it. RspamD went offline.
Now inserted the completely revised rspamd.local.lua and it works again.

Why Your Boss Will Be Happy

Attachments will NEVER be lost again

Works with Outlook and Mailbird (the problematic clients)

Zero data loss - if there are attachments, footer is skipped

Tested solution - based on known mailcow GitHub issue mailcow#5892

Production-ready - conservative approach prioritizes data integrity

🤣🤣🤣🤣🤣🤣🤣🤣🙏🙏🙏🙏🙏
What a great comment!
You made my day!

CK_beats

shaneodoo

Update after testing:
In an email from Outlook as email client with a mixed file attachment (PDF & JPEG), the footer is now completely missing.
The file attachments are transmitted perfectly legible.

If you forward a received message without attachments, the footer is neatly added (option ignore footer when replying to emails disabled).

If you forward a received email with mixed file attachments, the footer is also missing.

Generally Outlook as an email client for sending and receiving, connected via Exchange Active Sync.

CK_beats

shaneodoo

Thank you for the great, interesting and good explanation of what RspamD and Mailcow do together here.

I added the new rspamd.local.lua to data/conf/rspamd/lua and restarted RspamD.

Should we see an improvement in the domain-wide footer or just a structural improvement in the MIME format?
I forwarded a mixed email with .msg and .pdf attachments.
Message is in HTML.

Was submitted as before with your improved version shaneodoo.
Attachments were readable and the entire content was transferred.

But without the footer.
Am I correct in assuming that outgoing emails with file attachments generally have to be delivered with a signature via Outlook?

shaneodoo

CK_beats

So its working to design… quoted above

What the code now does is when an attachment is added it silently stops the domain wide footer and cleanly sends the attachments pdf where not going as base64 so become corrupt along the way now they do. When no attachments are in the email the domain wide footer is displayed once again.

« Previous Page Next Page »