Hello everyone! I was using Mailcow 2025-02 without any issues, but after updating to 2025-03a, I noticed that when I send emails with attachments, recipients are unable to download them, regardless of the email client they use. The attachment simply does not appear as available for download. Has anyone else experienced this issue or found a solution? I appreciate any help!

Hi everyone! I found that the issue with the attachments was caused by the default signature of one of the domains. It was in HTML, and its formatting was corrupting the MIME structure of the message, preventing proper attachment parsing by email clients. I'm currently using version 2025-03b without any issues. Thanks to everyone who viewed the message. If you face something similar, it’s worth checking the HTML structure of your signatures.

This doesn't seem like a viable solution. Why should I be punished for not being able to add an attachment if someone's email signature mimetype is corrupted? Mailcow should let me be able to attach a document to send back to someone if they have an HTML signature

**Clarification** I had the exact same issue. The OP referred to it as "default signature of a domain", this is actually the "Domain wide footer" that is causing this issue and not the "Signature" of the email in the classical sense I hope this helps someone else in future.

Well, i've a (new?) variant of the problem, tested with Mailcow versions 2025-05 and 2025-07. In my case it only manifests, when having an additional inline graphic (like writing text and making a quick screenshot and paste it into the compose window) in the mail. And only then, when attachements are added, these don't get displayed (even with SOGo) at the receivers side. Everything else is correctly displayed (even the inline graphics) and the added domain footer with html formatting. When i disable the domain footer, everything is displayed correctly. But, in real the email does include the attachements, cause the size is correct and when displayed inside SOGo (with the option raw) it can be seen as encoded multi parts. Also when downloaded via SOGo as .eml file, my eMail programm displays it correctly (including the inline graphic and the attachements and footer). I need to add, that the domain footer here is extreme simple: nothing fancy at all. The plain version is only 3 paragraphs long and the html version of it uses only and tags, nothing else! So it seems to be a not properly encoded stream of data/parts and the displaying (interpreter) finally ignores the attachements. Do i remember rightly, that the domain footer was added via rspams provided functionality? If so, it could be a very simply, but wrongly added/positioned encapsulating tag/string. Just a thought. What do others think?

@"sOliver"#p26244 I can confirm that tests did on my setup, did include a html signature with inline graphics. However I did do some tests where even without the signature (and thus inline image) inserted, when the email was encoded as html (both from Outlook or SOGo Web) it would still strip the attachments. Plain Text mails did not show this behaviour.

I too am having issues with emails striping Attachments I have tried this will all the email clients I know including the new Outlook, which has issues also adding my IMAP accounts in the first instance. This has something to do with AutoDiscover not playing nicely either. But agree attachments are not being received on the recipient end even though RSPAMD shows the attachment is their. This is making Mailcow unusable. Using 2025-07 and have a company wide domain footer with basic html, but use cdn linked images. I would not say using an earlier version of Mailcow is solved because that would mean any future releases of Mailcow would be pointless if that is the case.

I just wanted to test this myself by adding a HTML signature to my testing domain `Test signature from {= from_name =}` Then I sent an attachment via Sogo. The mail was received including the attachment, just as it should be. What are the exact steps to reproduce this? Some of you wrote to include an inline image, how did you do that in the mailcow UI? I can't paste an image into the text field of the HTML footer **EDIT:** in case I misunderstood, even adding an inline image to the email body (text + paste image + text, HTML signature active) delivers the attachment as it should **EDIT 2:** maybe it's your signature itself, do you mind sharing what exactly you put into the footer text field (and if you used the HTML or the PLAIN footer field)

Sure this is what I have as a footer ``` ` Cylinder Lifter Limited Innovative Gas Cylinder Handling Solutions 📧 {= from_user =}@cylinderlifter.com 📞 +44 (0)1242 502 191 🌐 www.cylinderlifter.com UK Head Office: Cylinder Lifter Limited – Company Reg. No: 16197049 123 Promenade, Cheltenham, GL50 1NW, United Kingdom Licensed Global Manufacturer: PALI Trading LLC – Trade Licence No: 1514425 Office 101, Ranya Business Center, Al Barsha First, Behind Mall of Emirates, P.O. Box 6155, Dubai, United Arab Emirates Manufactured exclusively for Cylinder Lifter Limited by PALI Trading LLC. Cylinder Lifter is a registered brand and patented design. This email and any attachments are confidential and intended solely for the named recipient(s). If you have received this email in error, please notify the sender immediately and delete it from your system. Unauthorised use, disclosure, or copying is prohibited. Email transmission cannot be guaranteed to be secure or error-free. We do not accept liability for any errors or omissions arising from email transmission. If verification is required, please request a hard copy. ``` Its Outlook friendly too... that was the hardest part to get it to sit nicely.

OK, I just added your exact HTML code to my domain's HTML footer and sent an email with inline image and attachment via Sogo to my GMX address. No problem at all here... Attachment received

I agree, its does not seem to be an issue, just every now and then it happens and when its important to my boss to send emails with attachments. I would expect it is on the recipient end with strong security in place that rejects attachments, being a financial establishment and all. Thanks for your assistance here. I even increased the email size to 30mb across Postfix, ClamAV and rspamd to ensure transition takes place. Also set ClamAV to scan as a complete Blob, before Postfix got its hands on the content.

I'm chiming in, to clarify a bit more... In the Mailcow footer section i had setup both types with the same content: the PLAIN version (only text) and the HTML version (witch only used some text formatting like bold & italic). I guessed, that for every format of an eMail i want to have a corresponding footer. The problem here is 100% reproducable: 1) create new email and write some text 2) make a screenshot and paste that after the text (now we've a inline graphic) 3) write some more text (after the pasted graphic) 4) add attachements (we had PDFs, not big at all ~60 KB) 5) send eMail Now on the receiver side the eMail shows no attachements, but everything else is displayed correctly (text + inline graphic + text). Even SOGo does not show the attachements. BUT: almost all eMails (only very few didn't) contain the attachements (looking at the raw source of the email, the multi-part segments are there, which also have the correct file names of the attachements). Crosscheck On the sender side i use the (before) sent same eMail (with inline graphic and attachments) and: 1) delete that inline graphic, keep the attachements and send again (to the same adress): success! 2) or leave it as it was (text, inline graphic, ataachements), but only disable the mailcow footer, send it – success! So my thought is, whenever the automatic footer is active, somehow mailcow (or probably rspam) does somewhere an encoding mistake (not properly positioned or closed tages, etc.) and then the interpreter on the receiving side simply falls over it and strips the rest (which is then the attachements). Else i can't explain it – removing the inline graphic, or disabling the footer results in 100% success.

Attachment issue after updating to Mailcow 2025-03a

CK_beats

shaneodoo
Thank you again and again for working with the footer and the old Outlook versions! 😊😊😊
I just installed your new rspamd.local.lua as a test.
Backup of the previous file created beforehand.

For me, the rspamd.local.lua is stored in the /opt/mailcow-dockerized/data/conf/rspamd/lua/ folder.

Unfortunately no changes to the umlauts with your new rspamd.local.lua.
I’m very sorry that I can’t say anything better. 😪😪😪😪

If I put the file in /opt/mailcow-dockerized/data/conf/rspamd/ the umlauts work normally again. However, the footer is completely missing.
Even saving the footer again via the GUI does not bring any change.

I would like to tell you something positive.
I’m so sorry it still doesn’t work.

gabriel-gfs
If you are using a standard installation of Mailcow (current version), please save the rspamd.local.lua here: /opt/mailcow-dockerized/data/conf/rspamd/lua/

Your original file should also be there.

shaneodoo

CK_beats ok thanks for the update. I’m going to go back to the original and see why is gone pear shaped.

The simple option upgrade outlook 😆 😂

Seriously though I will not let this beat me. Honestly would not have this issue if rspamd upstream fixed the lua code.

CK_beats

shaneodoo
I’ve also thought about installing a newer version of Outlook.
Can you tell me from which version the problems no longer exist?
Outlook 2016?
Or 2019?

Update:
Installed newer version Outlook 2016 for testing.
Same result as Outlook 2013.
Mixed email with PDF-Attachment will not get the footer.

shaneodoo

Guys I have spent hours trying to sort this out and used all my knowledge and hit a wall. If there are any other coders who would like to join in the fight for a fully working domain wide footer that does not strip attachments and gets miss placed then fill your boots. I have tried to fix your issue, but end up going around in circles. Fixing one thing breaks another. I feel defeated. But at least I have tried to help pinpoint the issue.

But I will leave you with this final fix, I have removed the patch added for the lua.mime override and revisited the original code and found it to have a few inconsistencies, trying to make it backwards compatible with MS 2013/2016, does work for me and displays the footer with attachments but testing this yourselves will only tell..

got to mailcow-dockerized/data/conf/rspamd/lua back up original rspamd.local.lua and overwrite with the code below.

restart rspamd container and test.

-- Mailcow Rspamd.local.lua fix for broken MIME and missing attachments.

rspamd_config.MAILCOW_AUTH = {
  callback = function(task)
    local uname = task:get_user()
    if uname then
      return 1
    end
  end
}

local monitoring_hosts = rspamd_config:add_map{
  url = "/etc/rspamd/custom/monitoring_nolog.map",
  description = "Monitoring hosts",
  type = "regexp"
}

rspamd_config:register_symbol({
  name = 'SMTP_ACCESS',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()
    local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS")

    if not uname then
      return false
    end

    if not limited_access then
      return false
    end

    local hash_key = 'SMTP_ALLOW_NETS_' .. uname

    local redis_params = rspamd_parse_redis_server('smtp_access')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    smtp_access_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(smtp_access_table, nip)
    end
    local function smtp_access_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key)
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in smtp_access map")
            task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string)
            return true
          end
        end
        rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map")
        task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string)
        return true
      end
    end
    table.insert(smtp_access_table, 1, hash_key)
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, -- connect params
      hash_key, -- hash key
      false, -- is write
      smtp_access_cb, --callback
      'HMGET', -- command
      smtp_access_table -- arguments
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map")
    end
  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'POSTMASTER_HANDLER',
  type = 'prefilter',
  callback = function(task)
    local rcpts = task:get_recipients('smtp')
    local rspamd_logger = require "rspamd_logger"
    local lua_util = require "lua_util"
    local from = task:get_from(1)

    -- not applying to mails with more than one rcpt to avoid bypassing filters by addressing postmaster
    if rcpts and #rcpts == 1 then
      for _,rcpt in ipairs(rcpts) do
        local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
        if #rcpt_split == 2 then
          if rcpt_split[1] == 'postmaster' then
            task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt', 'postmaster')
            return
          end
        end
      end
    end

    if from then
      for _,fr in ipairs(from) do
        local fr_split = rspamd_str_split(fr['addr'], '@')
        if #fr_split == 2 then
          if fr_split[1] == 'postmaster' and task:get_user() then
            -- no whitelist, keep signatures
            task:insert_result(true, 'POSTMASTER_FROM', -2500.0)
            return
          end
        end
      end
    end

  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'KEEP_SPAM',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()

    if uname then
      return false
    end

    local redis_params = rspamd_parse_redis_server('keep_spam')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    ip_check_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(ip_check_table, nip)
    end
    local function keep_spam_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
            task:set_pre_result('accept', 'ip matched with forward hosts', 'keep_spam')
          end
        end
      end
    end
    table.insert(ip_check_table, 1, 'KEEP_SPAM')
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, -- connect params
      'KEEP_SPAM', -- hash key
      false, -- is write
      keep_spam_cb, --callback
      'HMGET', -- command
      ip_check_table -- arguments
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map")
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'TLS_HEADER',
  type = 'postfilter',
  callback = function(task)
    local rspamd_logger = require "rspamd_logger"
    local tls_tag = task:get_request_header('TLS-Version')
    if type(tls_tag) == 'nil' then
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = 'None'}
      })
    else
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)}
      })
    end
  end,
  priority = 12
})

rspamd_config:register_symbol({
  name = 'TAG_MOO',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local redis_params = rspamd_parse_redis_server('taghandler')
    local rspamd_http = require "rspamd_http"
    local rcpts = task:get_recipients('smtp')
    local lua_util = require "lua_util"

    local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
    local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")

    local function remove_moo_tag()
      local moo_tag_header = task:get_header('X-Moo-Tag', false)
      if moo_tag_header then
        task:set_milter_reply({
          remove_headers = {['X-Moo-Tag'] = 0},
        })
      end
      return true
    end

    if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
      local tag = tagged_rcpt[1].options[1]
      rspamd_logger.infox("found tag: %s", tag)
      local action = task:get_metric_action('default')
      rspamd_logger.infox("metric action now: %s", action)

      if action ~= 'no action' and action ~= 'greylist' then
        rspamd_logger.infox("skipping tag handler for action: %s", action)
        remove_moo_tag()
        return true
      end

      local function http_callback(err_message, code, body, headers)
        if body ~= nil and body ~= "" then
          rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body)

          local function tag_callback_subject(err, data)
            if err or type(data) ~= 'string' then
              rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err)

              local function tag_callback_subfolder(err, data)
                if err or type(data) ~= 'string' then
                  rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
                  remove_moo_tag()
                else
                  rspamd_logger.infox("Add X-Moo-Tag header")
                  task:set_milter_reply({
                    add_headers = {['X-Moo-Tag'] = 'YES'}
                  })
                end
              end

              local redis_ret_subfolder = rspamd_redis_make_request(task,
                redis_params, -- connect params
                body, -- hash key
                false, -- is write
                tag_callback_subfolder, --callback
                'HGET', -- command
                {'RCPT_WANTS_SUBFOLDER_TAG', body} -- arguments
              )
              if not redis_ret_subfolder then
                rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
                remove_moo_tag()
              end

            else
              rspamd_logger.infox("user wants subject modified for tagged mail")
              local sbj = task:get_header('Subject')
              new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
              task:set_milter_reply({
                remove_headers = {
                  ['Subject'] = 1,
                  ['X-Moo-Tag'] = 0
                },
                add_headers = {['Subject'] = new_sbj}
              })
            end
          end

          local redis_ret_subject = rspamd_redis_make_request(task,
            redis_params, -- connect params
            body, -- hash key
            false, -- is write
            tag_callback_subject, --callback
            'HGET', -- command
            {'RCPT_WANTS_SUBJECT_TAG', body} -- arguments
          )
          if not redis_ret_subject then
            rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
            remove_moo_tag()
          end

        end
      end

      if rcpts and #rcpts == 1 then
        for _,rcpt in ipairs(rcpts) do
          local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
          if #rcpt_split == 2 then
            if rcpt_split[1] == 'postmaster' then
              rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
              remove_moo_tag()
            else
              rspamd_http.request({
                task=task,
                url='http://nginx:8081/aliasexp.php',
                body='',
                callback=http_callback,
                headers={Rcpt=rcpt['addr']},
              })
            end
          end
        end
      end
    else
      remove_moo_tag()
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'BCC',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_http = require "rspamd_http"
    local rspamd_logger = require "rspamd_logger"

    local from_table = {}
    local rcpt_table = {}

    if task:has_symbol('ENCRYPTED_CHAT') then
      return -- stop
    end

    local send_mail = function(task, bcc_dest)
      local lua_smtp = require "lua_smtp"
      local function sendmail_cb(ret, err)
        if not ret then
          rspamd_logger.errx(task, 'BCC SMTP ERROR: %s', err)
        else
          rspamd_logger.infox(rspamd_config, "BCC SMTP SUCCESS TO %s", bcc_dest)
        end
      end
      if not bcc_dest then
        return -- stop
      end
      -- dot stuff content before sending
      local email_content = tostring(task:get_content())
      email_content = string.gsub(email_content, "\r\n%.", "\r\n..")
      -- send mail
      lua_smtp.sendmail({
        task = task,
        host = os.getenv("IPV4_NETWORK") .. '.253',
        port = 591,
        from = task:get_from(stp)[1].addr,
        recipients = bcc_dest,
        helo = 'bcc',
        timeout = 20,
      }, email_content, sendmail_cb)
    end

    -- determine from
    local from = task:get_from('smtp')
    if from then
      for _, a in ipairs(from) do
        table.insert(from_table, a['addr']) -- add this rcpt to table
        table.insert(from_table, '@' .. a['domain']) -- add this rcpts domain to table
      end
    else
      return -- stop
    end

    -- determine rcpts
    local rcpts = task:get_recipients('smtp')
    if rcpts then
      for _, a in ipairs(rcpts) do
        table.insert(rcpt_table, a['addr']) -- add this rcpt to table
        table.insert(rcpt_table, '@' .. a['domain']) -- add this rcpts domain to table
      end
    else
      return -- stop
    end

    local action = task:get_metric_action('default')
    rspamd_logger.infox("metric action now: %s", action)

    local function rcpt_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    local function from_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    if rcpt_table then
      for _,e in ipairs(rcpt_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for rcpt address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=rcpt_callback,
          headers={Rcpt=e}
        })
      end
    end

    if from_table then
      for _,e in ipairs(from_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for from address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=from_callback,
          headers={From=e}
        })
      end
    end

    return true
  end,
  priority = 20
})

rspamd_config:register_symbol({
  name = 'DYN_RL_CHECK',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local redis_params = rspamd_parse_redis_server('dyn_rl')
    local rspamd_logger = require "rspamd_logger"
    local envfrom = task:get_from(1)
    local envrcpt = task:get_recipients(1) or {}
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end

    local uname = uname:lower()

    if #envrcpt == 1 and envrcpt[1].addr:lower() == uname then
      return false
    end

    local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case

    local function redis_cb_user(err, data)

      if err or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)

        local function redis_key_cb_domain(err, data)
          if err or type(data) ~= 'string' then
            rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err)
          else
            rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data)
            task:insert_result('DYN_RL', 0.0, data, env_from_domain)
          end
        end

        local redis_ret_domain = rspamd_redis_make_request(task,
          redis_params, -- connect params
          env_from_domain, -- hash key
          false, -- is write
          redis_key_cb_domain, --callback
          'HGET', -- command
          {'RL_VALUE', env_from_domain} -- arguments
        )
        if not redis_ret_domain then
          rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
        end
      else
        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
        task:insert_result('DYN_RL', 0.0, data, uname)
      end

    end

    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, -- connect params
      uname, -- hash key
      false, -- is write
      redis_cb_user, --callback
      'HGET', -- command
      {'RL_VALUE', uname} -- arguments
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
    end
    return true
  end,
  flags = 'empty',
  priority = 20
})

rspamd_config:register_symbol({
  name = 'NO_LOG_STAT',
  type = 'postfilter',
  callback = function(task)
    local from = task:get_header('From')
    if from and (monitoring_hosts:get_key(from) or from == "watchdog@localhost") then
      task:set_flag('no_log')
      task:set_flag('no_stat')
    end
  end
})

rspamd_config:register_symbol({
  name = 'MOO_FOOTER',
  type = 'prefilter',
  callback = function(task)
    local cjson = require "cjson"
    local lua_mime = require "lua_mime"
    local lua_util = require "lua_util"
    local rspamd_logger = require "rspamd_logger"
    local rspamd_http = require "rspamd_http"
    local envfrom = task:get_from(1)
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end
    local uname = uname:lower()
    local env_from_domain = envfrom[1].domain:lower()
    local env_from_addr = envfrom[1].addr:lower()

    -- determine newline type
    local function newline(task)
      local t = task:get_newlines_type()

      if t == 'cr' then
        return '\r'
      elseif t == 'lf' then
        return '\n'
      end

      return '\r\n'
    end
    -- retrieve footer
    local function footer_cb(err_message, code, data, headers)
      if err_message or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
      else

        -- parse json string
        local footer = cjson.decode(data)
        if not footer then
          rspamd_logger.infox(rspamd_config, "parsing domain wide footer for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
        else
          if footer and type(footer) == "table" and (footer.html and footer.html ~= "" or footer.plain and footer.plain ~= "")  then
            rspamd_logger.infox(rspamd_config, "found domain wide footer for user %s: html=%s, plain=%s, vars=%s", uname, footer.html, footer.plain, footer.vars)

            if footer.skip_replies ~= 0 then
              in_reply_to = task:get_header_raw('in-reply-to')
              if in_reply_to then
                rspamd_logger.infox(rspamd_config, "mail is a reply - skip footer")
                return
              end
            end

            local envfrom_mime = task:get_from(2)
            local from_name = ""
            if envfrom_mime and envfrom_mime[1].name then
              from_name = envfrom_mime[1].name
            elseif envfrom and envfrom[1].name then
              from_name = envfrom[1].name
            end

            -- default replacements
            local replacements = {
              auth_user = uname,
              from_user = envfrom[1].user,
              from_name = from_name,
              from_addr = envfrom[1].addr,
              from_domain = envfrom[1].domain:lower()
            }
            -- add custom mailbox attributes
            if footer.vars and type(footer.vars) == "string" then
              local footer_vars = cjson.decode(footer.vars)

              if type(footer_vars) == "table" then
                for key, value in pairs(footer_vars) do
                  replacements[key] = value
                end
              end
            end
            if footer.html and footer.html ~= "" then
              footer.html = lua_util.jinja_template(footer.html, replacements, true)
            end
            if footer.plain and footer.plain ~= "" then
              footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
            end

            -- add footer
            local out = {}
            local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}

            local seen_cte
            local newline_s = newline(task)

            -- Check if this is a multipart message
            local ct = task:get_header('Content-Type', false)
            local is_multipart = ct and ct:lower():match('^multipart/')

            -- Check if footer contains non-ASCII characters (like German umlauts)
            local function has_non_ascii(text)
              if not text or text == "" then
                return false
              end
              -- Check if string contains bytes > 127 (non-ASCII)
              return text:match('[\128-\255]') ~= nil
            end

            local footer_needs_utf8 = has_non_ascii(footer.html) or has_non_ascii(footer.plain)

            local function rewrite_ct_cb(name, hdr)
              if rewrite.need_rewrite_ct then
                if name:lower() == 'content-type' then
                  -- include boundary if present
                  local boundary_part = rewrite.new_ct.boundary and
                    string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''

                  -- Preserve original charset for Outlook compatibility, but force UTF-8 if footer has special chars
                  local charset_part = ''
                  if not is_multipart then
                    -- Force UTF-8 if footer contains non-ASCII characters (e.g., German umlauts)
                    if footer_needs_utf8 then
                      charset_part = '; charset=utf-8'
                      rspamd_logger.infox(rspamd_config, "footer contains non-ASCII characters, forcing UTF-8 charset")
                    else
                      -- Extract original charset or use UTF-8 as fallback
                      local orig_charset = hdr.raw:match('[Cc][Hh][Aa][Rr][Ss][Ee][Tt]%s*=%s*"?([^;%s"]+)')
                      if orig_charset then
                        -- Keep original charset as-is (or fall back to UTF-8 if needed)
                        charset_part = string.format('; charset=%s', orig_charset)
                      else
                        charset_part = '; charset=utf-8'
                      end
                    end
                  end

                  local nct = string.format('%s: %s/%s%s%s',
                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)
                  out[#out + 1] = nct
                  -- update Content-Type header (include boundary if present)
                  task:set_milter_reply({
                    remove_headers = {['Content-Type'] = 0},
                  })
                  task:set_milter_reply({
                    add_headers = {['Content-Type'] = string.format('%s/%s%s%s',
                      rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)}
                  })
                  return
                elseif name:lower() == 'content-transfer-encoding' then
                  -- Only rewrite encoding for non-multipart messages
                  if not is_multipart then
                    out[#out + 1] = string.format('%s: %s',
                        'Content-Transfer-Encoding', 'quoted-printable')
                    -- update Content-Transfer-Encoding header
                    task:set_milter_reply({
                      remove_headers = {['Content-Transfer-Encoding'] = 0},
                    })
                    task:set_milter_reply({
                      add_headers = {['Content-Transfer-Encoding'] = 'quoted-printable'}
                    })
                    seen_cte = true
                  else
                    -- Preserve original encoding for multipart messages
                    out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
                  end
                  return
                end
              end
              out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
            end

            task:headers_foreach(rewrite_ct_cb, {full = true})

            if not seen_cte and rewrite.need_rewrite_ct and not is_multipart then
              out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
            end

            -- End of headers
            out[#out + 1] = newline_s

            if rewrite.out then
              for _,o in ipairs(rewrite.out) do
                out[#out + 1] = o
              end
            else
              out[#out + 1] = task:get_rawbody()
            end

            local out_parts = {}
            for _,o in ipairs(out) do
              if type(o) ~= 'table' then
                out_parts[#out_parts + 1] = o
                out_parts[#out_parts + 1] = newline_s
              else
                -- Properly handle multipart boundaries without corrupting them
                local part_content = tostring(o[1])
                -- Don't strip boundary markers from multipart messages
                if is_multipart then
                  out_parts[#out_parts + 1] = part_content
                else
                  -- Only apply prefix removal for non-multipart messages
                  local removePrefix = "--\r\nContent-Type"
                  if string.lower(string.sub(part_content, 1, string.len(removePrefix))) == string.lower(removePrefix) then
                    part_content = string.sub(part_content, string.len("--\r\n") + 1)
                  end
                  out_parts[#out_parts + 1] = part_content
                end
                if o[2] then
                  out_parts[#out_parts + 1] = newline_s
                end
              end
            end
            task:set_message(out_parts)
          else
            rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\")", uname, data)
          end
        end
      end
    end

    -- fetch footer
    rspamd_http.request({
      task=task,
      url='http://nginx:8081/footer.php',
      body='',
      callback=footer_cb,
      headers={Domain=env_from_domain,Username=uname,From=env_from_addr},
    })

    return true
  end,
  priority = 1
})

Also for the German Ulmauts change the last section in data/conf/rspamd/dynmaps footer.php

// return footer
$footer["vars"] = $custom_attributes;
// Use JSON_UNESCAPED_UNICODE to preserve German umlauts and other special characters
echo json_encode($footer, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);

This might help MS 2013/2016 unicode

CK_beats

shaneodoo
You are absolute madness!!
Thank you so much for persisting with the domain-wide footer problem!
You have my utmost respect!

I saved your new code in /opt/mailcow-dockerized/data/conf/rspamd/lua/rspamd.local.lua.
Of course, as always, save the existing file using mv.

After I completely restarted the container with docker compose down && docker compose up -d, the footer was no longer displayed at all.
I went to the GUI Email –> Configuration –> Domain selected –> domain-wide footer again on “Save changes”. Without making any changes at all.
After that, the footer was displayed correctly in every email.
Umlauts are also displayed absolutely error-free.
No matter whether in the header or in the text!
You did great!!

Finally, I only had the problem that the test emails I sent were not saved in “sent items”.
They were moved directly to the Trash/Deleted Items. For whatever reason.
Restarting the entire Docker container again helped here too!

I’m still on a snapshot, but it seems to be running absolutely reliably!

My biggest thanks to you again!
Apparently no one else took up the matter.
Unfortunately, I have no knowledge of programming/coding at all.

Can you now ensure that the new rspamd.local.lua file is implemented in the next Mailcow update?
So that everyone can enjoy the domain-wide footer?

I haven’t made any changes in data/conf/rspamd/dynmaps footer.php yet.
Umlauts work perfectly with Outlook 2013.

Should I still adjust this?

Best regards
Constantin

function1983

shaneodoo Just want to say thank you and confirm it works. Greeting footer causes issue out of nowhere. There is one problem with file name with German umlaut, gmail will rename the attachment as “noname”, in my case “dührkop.pdf” will become “noname.pdf”. Other than that, everything went smoothly.

shaneodoo

CK_beats

I am so please for you that it is working as expected. Finally.. the issue you have with the mail going to the deleted folder is outlook not knowing where to map the sent emails..

Outlook 2013/2016 doesn’t automatically detect the server’s special folders. Mailcow uses the standard folder names like “Sent” and “Trash”, but Outlook prefers its own naming conventions such as “Sent Items” and “Deleted Items”. Because of this mismatch, Outlook ends up choosing the wrong place to store sent messages, and in my case it was dropping them straight into Trash.

To fix it, I had to adjust the mapping manually:

I went to File → Account Settings → Account Settings.

Selected the IMAP account, clicked Change, then More Settings.

Under the “Deleted Items/Sent Items” tab, I set Outlook to “Save sent items in this folder on the server”, and then selected the correct Sent folder from the IMAP list.

I also made sure “Save copies of messages in Sent Items folder” was enabled.

After a restart, Outlook finally started saving sent mail in the right folder

As you have had success with the lua file I will look to commit this to mailcow repo. Thank you for believing in me to get this working finally.. its a complex beast and has been one of excitement, head banging and deep thought.

Here is the pull request https://github.com/mailcow/mailcow-dockerized/pull/6934

Now this is finally fixed. Everyone can send attachment Christmas Cards lol!!

shaneodoo

CK_beats I haven’t made any changes in data/conf/rspamd/dynmaps footer.php yet.
Umlauts work perfectly with Outlook 2013.

Should I still adjust this?

No not required. It was just a back up precaution.

CK_beats

shaneodoo
You really showed persistence! My greatest respect and thanks!
I think I speak on behalf of all users who love the domain-wide footer as much as I do!

I never imagined that such a small element could cause so much trouble.
Especially with Outlook, as it is one of the most used email clients.
But I was taught otherwise!

Yesterday I sent a lot of emails with file attachments in the production system. The footer was appended every time, as I could see in the answers!
Just beautiful! 😍
Uniform, clean in appearance!

This is one of the best Christmas presents this year! 🎄🎄
Moving from Exchange to Mailcow took a lot of effort!
Now owning an open source system that is sometimes even more productive than Exchange is simply a huge joy!

Thank you very much for your work, your time and your persistence!

We do not use IMAP protocol to synchronize folders.
For us everything runs via the Exchange Active Sync protocol.
This means that calendar entries, contacts and tasks are synchronized cleanly, even without a third-party tool.
With EAS you cannot select the folder to store the emails.
No change possible.
As I said, the error only existed once. After restarting the containers everything was as usual again.

shaneodoo

CK_beats Thank you for your words.

Just needs a maintainer to pick this up and test it before merging in to Staging -> Main If anyone is out there please check out. @FreddleSpl0it

https://github.com/mailcow/mailcow-dockerized/pull/6934

CK_beats

shaneodoo
Did I see correctly that your changes are NOT included in the current update version 2025-12?

shaneodoo

CK_beats Not yet if you look at the commit, it only had someone assigned to review it 16 hours ago. Once this has been done its make or break. Though I am sure if you update your mailcow the script will still work for you until it has been pulled in to main.

CK_beats

shaneodoo
I set your revised rspamd.local.lua to not changeable with chattr +i before the update.

The original file was therefore retained.
Still works perfectly!

I had the problem with one or two emails out of about 100 that the file location was broken again.
Was not transferred, but displayed correctly in Outlook.
But it was an exceptional case.

Thank you again for your commitment and persistence!

Have a quiet and relaxing Christmas in advance!

shaneodoo

CK_beats That is really good to here, hopefully the MC team will pull the file in to Main, thank for the testing.

Have a great Christmas, you can now send all your cards via email lol

CK_beats

After extensive testing, I can rarely find small errors:
When sending an email with one or more file attachments and an inlay graphic, the source code appears to break.
The file attachments are not transmitted, but the footer is transmitted every time. 😊😊

If you forward the email again from your smartphone after the recipient has reported it, it will be delivered complete including all content and file attachments.
So the error is still MS Outlook.

Have a wonderful and relaxing Christmas time everyone!
It’s nice that you and this forum exist!

I used to always be a skeptic when it came to open source solutions, but what the “swarm” is now doing here is simply gigantic.
Just great!

function1983

CK_beats that’s true. Some employees now report they have their own signature in outlook (inline base64) and the attachments are missing again. Without the signature the attachment are shown. Footer greeting are shown in both cases. I tested sender on outlook (windows) and evolution (linux). Receiver on 3 clients outlook (windows), evolution (linux), and SOGo with same result.

shaneodoo

function1983 @CK_beats

Outlook creates an absolute mess when you have a custom signature with an image plus file attachments. It nests everything in this complex multipart structure - you’ve got multipart/related for the signature image, multipart/mixed for the attachments, and they’re all nested inside each other. When our footer code tried to insert itself into this structure, it was basically breaking the boundaries that tell email clients where one part ends and another begins. Result: attachments just disappear.
What I Did
I added some detection logic that analyzes the email structure before trying to add the footer. It walks through all the MIME parts and checks:

How many layers deep is this thing nested?
Is there a multipart/related section? (Outlook signatures)
Is there a multipart/mixed section? (attachments)
Are there both inline images AND separate file attachments?

If it sees that specific combination - the Outlook signature mess plus attachments - it just skips adding the footer entirely. Better to not have a footer than lose someone’s files.
I also threw in some extra logging so we can see in the rspamd logs what it’s detecting. Makes troubleshooting easier if issues come up.

The Trade-off
Users with Outlook signatures won’t get Domain Wide footers on their emails anymore. But they’ll actually receive all their attachments, which seems like the more important problem to solve.
The Gmail filename issue with umlauts (where dührkop.pdf turns into noname.pdf) is still there - that’s a different encoding problem and I didn’t want to change too much at once.

Testing
Deploy it, check the logs for “SKIPPING footer” messages on those problematic Outlook emails, and see if the attachment complaints stop. Everything that was working before (simple emails, German umlauts, regular forwards) should keep working exactly the same.

I am beginning to think there is not a one size fits all approach where the Domain Wide Footer is concerned. If you prefer to just use inline signatures then turn off Domain Wide Footer for them email accounts, or remove inline signatures to use just DWF. Having both seems like overkill.

rspamd_config.MAILCOW_AUTH = {
  callback = function(task)
    local uname = task:get_user()
    if uname then
      return 1
    end
  end
}

local monitoring_hosts = rspamd_config:add_map{
  url = "/etc/rspamd/custom/monitoring_nolog.map",
  description = "Monitoring hosts",
  type = "regexp"
}

rspamd_config:register_symbol({
  name = 'SMTP_ACCESS',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()
    local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS")

    if not uname then
      return false
    end

    if not limited_access then
      return false
    end

    local hash_key = 'SMTP_ALLOW_NETS_' .. uname

    local redis_params = rspamd_parse_redis_server('smtp_access')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    smtp_access_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(smtp_access_table, nip)
    end
    local function smtp_access_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key)
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in smtp_access map")
            task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string)
            return true
          end
        end
        rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map")
        task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string)
        return true
      end
    end
    table.insert(smtp_access_table, 1, hash_key)
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, hash_key, false, smtp_access_cb, 'HMGET', smtp_access_table
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map")
    end
  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'POSTMASTER_HANDLER',
  type = 'prefilter',
  callback = function(task)
    local rcpts = task:get_recipients('smtp')
    local rspamd_logger = require "rspamd_logger"
    local lua_util = require "lua_util"
    local from = task:get_from(1)

    if rcpts and #rcpts == 1 then
      for _,rcpt in ipairs(rcpts) do
        local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
        if #rcpt_split == 2 then
          if rcpt_split[1] == 'postmaster' then
            task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt', 'postmaster')
            return
          end
        end
      end
    end

    if from then
      for _,fr in ipairs(from) do
        local fr_split = rspamd_str_split(fr['addr'], '@')
        if #fr_split == 2 then
          if fr_split[1] == 'postmaster' and task:get_user() then
            task:insert_result(true, 'POSTMASTER_FROM', -2500.0)
            return
          end
        end
      end
    end
  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'KEEP_SPAM',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()

    if uname then
      return false
    end

    local redis_params = rspamd_parse_redis_server('keep_spam')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    ip_check_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(ip_check_table, nip)
    end
    local function keep_spam_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
            task:set_pre_result('accept', 'ip matched with forward hosts', 'keep_spam')
          end
        end
      end
    end
    table.insert(ip_check_table, 1, 'KEEP_SPAM')
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, 'KEEP_SPAM', false, keep_spam_cb, 'HMGET', ip_check_table
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map")
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'TLS_HEADER',
  type = 'postfilter',
  callback = function(task)
    local rspamd_logger = require "rspamd_logger"
    local tls_tag = task:get_request_header('TLS-Version')
    if type(tls_tag) == 'nil' then
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = 'None'}
      })
    else
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)}
      })
    end
  end,
  priority = 12
})

rspamd_config:register_symbol({
  name = 'TAG_MOO',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local redis_params = rspamd_parse_redis_server('taghandler')
    local rspamd_http = require "rspamd_http"
    local rcpts = task:get_recipients('smtp')
    local lua_util = require "lua_util"

    local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
    local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")

    local function remove_moo_tag()
      local moo_tag_header = task:get_header('X-Moo-Tag', false)
      if moo_tag_header then
        task:set_milter_reply({
          remove_headers = {['X-Moo-Tag'] = 0},
        })
      end
      return true
    end

    if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
      local tag = tagged_rcpt[1].options[1]
      rspamd_logger.infox("found tag: %s", tag)
      local action = task:get_metric_action('default')
      rspamd_logger.infox("metric action now: %s", action)

      if action ~= 'no action' and action ~= 'greylist' then
        rspamd_logger.infox("skipping tag handler for action: %s", action)
        remove_moo_tag()
        return true
      end

      local function http_callback(err_message, code, body, headers)
        if body ~= nil and body ~= "" then
          rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body)

          local function tag_callback_subject(err, data)
            if err or type(data) ~= 'string' then
              rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err)

              local function tag_callback_subfolder(err, data)
                if err or type(data) ~= 'string' then
                  rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
                  remove_moo_tag()
                else
                  rspamd_logger.infox("Add X-Moo-Tag header")
                  task:set_milter_reply({
                    add_headers = {['X-Moo-Tag'] = 'YES'}
                  })
                end
              end

              local redis_ret_subfolder = rspamd_redis_make_request(task,
                redis_params, body, false, tag_callback_subfolder, 'HGET', {'RCPT_WANTS_SUBFOLDER_TAG', body}
              )
              if not redis_ret_subfolder then
                rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
                remove_moo_tag()
              end

            else
              rspamd_logger.infox("user wants subject modified for tagged mail")
              local sbj = task:get_header('Subject')
              new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
              task:set_milter_reply({
                remove_headers = {
                  ['Subject'] = 1,
                  ['X-Moo-Tag'] = 0
                },
                add_headers = {['Subject'] = new_sbj}
              })
            end
          end

          local redis_ret_subject = rspamd_redis_make_request(task,
            redis_params, body, false, tag_callback_subject, 'HGET', {'RCPT_WANTS_SUBJECT_TAG', body}
          )
          if not redis_ret_subject then
            rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
            remove_moo_tag()
          end

        end
      end

      if rcpts and #rcpts == 1 then
        for _,rcpt in ipairs(rcpts) do
          local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
          if #rcpt_split == 2 then
            if rcpt_split[1] == 'postmaster' then
              rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
              remove_moo_tag()
            else
              rspamd_http.request({
                task=task,
                url='http://nginx:8081/aliasexp.php',
                body='',
                callback=http_callback,
                headers={Rcpt=rcpt['addr']},
              })
            end
          end
        end
      end
    else
      remove_moo_tag()
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'BCC',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_http = require "rspamd_http"
    local rspamd_logger = require "rspamd_logger"

    local from_table = {}
    local rcpt_table = {}

    if task:has_symbol('ENCRYPTED_CHAT') then
      return
    end

    local send_mail = function(task, bcc_dest)
      local lua_smtp = require "lua_smtp"
      local function sendmail_cb(ret, err)
        if not ret then
          rspamd_logger.errx(task, 'BCC SMTP ERROR: %s', err)
        else
          rspamd_logger.infox(rspamd_config, "BCC SMTP SUCCESS TO %s", bcc_dest)
        end
      end
      if not bcc_dest then
        return
      end
      local email_content = tostring(task:get_content())
      email_content = string.gsub(email_content, "\r\n%.", "\r\n..")
      lua_smtp.sendmail({
        task = task,
        host = os.getenv("IPV4_NETWORK") .. '.253',
        port = 591,
        from = task:get_from(stp)[1].addr,
        recipients = bcc_dest,
        helo = 'bcc',
        timeout = 20,
      }, email_content, sendmail_cb)
    end

    local from = task:get_from('smtp')
    if from then
      for _, a in ipairs(from) do
        table.insert(from_table, a['addr'])
        table.insert(from_table, '@' .. a['domain'])
      end
    else
      return
    end

    local rcpts = task:get_recipients('smtp')
    if rcpts then
      for _, a in ipairs(rcpts) do
        table.insert(rcpt_table, a['addr'])
        table.insert(rcpt_table, '@' .. a['domain'])
      end
    else
      return
    end

    local action = task:get_metric_action('default')
    rspamd_logger.infox("metric action now: %s", action)

    local function rcpt_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    local function from_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    if rcpt_table then
      for _,e in ipairs(rcpt_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for rcpt address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=rcpt_callback,
          headers={Rcpt=e}
        })
      end
    end

    if from_table then
      for _,e in ipairs(from_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for from address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=from_callback,
          headers={From=e}
        })
      end
    end

    return true
  end,
  priority = 20
})

rspamd_config:register_symbol({
  name = 'DYN_RL_CHECK',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local redis_params = rspamd_parse_redis_server('dyn_rl')
    local rspamd_logger = require "rspamd_logger"
    local envfrom = task:get_from(1)
    local envrcpt = task:get_recipients(1) or {}
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end

    local uname = uname:lower()

    if #envrcpt == 1 and envrcpt[1].addr:lower() == uname then
      return false
    end

    local env_from_domain = envfrom[1].domain:lower()

    local function redis_cb_user(err, data)

      if err or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)

        local function redis_key_cb_domain(err, data)
          if err or type(data) ~= 'string' then
            rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err)
          else
            rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data)
            task:insert_result('DYN_RL', 0.0, data, env_from_domain)
          end
        end

        local redis_ret_domain = rspamd_redis_make_request(task,
          redis_params, env_from_domain, false, redis_key_cb_domain, 'HGET', {'RL_VALUE', env_from_domain}
        )
        if not redis_ret_domain then
          rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
        end
      else
        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
        task:insert_result('DYN_RL', 0.0, data, uname)
      end

    end

    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, uname, false, redis_cb_user, 'HGET', {'RL_VALUE', uname}
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
    end
    return true
  end,
  flags = 'empty',
  priority = 20
})

rspamd_config:register_symbol({
  name = 'NO_LOG_STAT',
  type = 'postfilter',
  callback = function(task)
    local from = task:get_header('From')
    if from and (monitoring_hosts:get_key(from) or from == "watchdog@localhost") then
      task:set_flag('no_log')
      task:set_flag('no_stat')
    end
  end
})

rspamd_config:register_symbol({
  name = 'MOO_FOOTER',
  type = 'prefilter',
  callback = function(task)
    local cjson = require "cjson"
    local lua_mime = require "lua_mime"
    local lua_util = require "lua_util"
    local rspamd_logger = require "rspamd_logger"
    local rspamd_http = require "rspamd_http"
    local envfrom = task:get_from(1)
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end
    local uname = uname:lower()
    local env_from_domain = envfrom[1].domain:lower()
    local env_from_addr = envfrom[1].addr:lower()

    local function newline(task)
      local t = task:get_newlines_type()
      if t == 'cr' then return '\r' elseif t == 'lf' then return '\n' end
      return '\r\n'
    end

    -- NEW: Analyze MIME structure complexity
    local function analyze_mime_structure(task)
      local parts = task:get_parts()
      if not parts or #parts == 0 then 
        return {simple = true, depth = 0, multipart_types = {}} 
      end

      local max_depth = 0
      local multipart_types = {}
      local has_related = false
      local has_mixed = false
      local has_inline_images = false
      local has_attachments = false

      local function traverse(part, depth)
        if depth > max_depth then max_depth = depth end

        if part:is_multipart() then
          local mtype, msubtype = part:get_type()
          if mtype == 'multipart' then
            table.insert(multipart_types, msubtype)
            if msubtype == 'related' then has_related = true end
            if msubtype == 'mixed' then has_mixed = true end
          end
          
          local children = part:get_parts()
          if children then
            for _, child in ipairs(children) do
              traverse(child, depth + 1)
            end
          end
        elseif part:is_attachment() then
          has_attachments = true
        elseif part:is_image() then
          local cd = part:get_header('Content-Disposition')
          if cd and cd:lower():match('inline') then
            has_inline_images = true
          end
        end
      end

      for _, part in ipairs(parts) do
        traverse(part, 0)
      end

      -- Complex structure = Outlook signature scenario
      local is_complex = (has_related and has_mixed and has_inline_images and has_attachments) or max_depth > 2

      return {
        simple = max_depth <= 1,
        depth = max_depth,
        has_related = has_related,
        has_mixed = has_mixed,
        has_inline_images = has_inline_images,
        has_attachments = has_attachments,
        multipart_types = multipart_types,
        is_complex = is_complex
      }
    end

    local function footer_cb(err_message, code, data, headers)
      if err_message or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
      else
        local footer = cjson.decode(data)
        if not footer then
          rspamd_logger.infox(rspamd_config, "parsing domain wide footer for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
        else
          if footer and type(footer) == "table" and (footer.html and footer.html ~= "" or footer.plain and footer.plain ~= "")  then
            
            -- NEW: Analyze structure BEFORE processing
            local structure = analyze_mime_structure(task)
            
            rspamd_logger.infox(rspamd_config, "found domain wide footer for user %s: html=%s, plain=%s, vars=%s", uname, footer.html, footer.plain, footer.vars)
            rspamd_logger.infox(rspamd_config, "MIME structure analysis: depth=%d, has_related=%s, has_mixed=%s, has_inline=%s, has_attach=%s, complex=%s", 
              structure.depth, 
              tostring(structure.has_related), 
              tostring(structure.has_mixed), 
              tostring(structure.has_inline_images), 
              tostring(structure.has_attachments),
              tostring(structure.is_complex))

            -- NEW: Skip footer for ultra-complex structures (Outlook signature + attachments)
            if structure.is_complex then
              rspamd_logger.warnx(rspamd_config, "SKIPPING footer for complex MIME structure (likely Outlook signature + attachments) to prevent attachment loss for user %s", uname)
              return
            end

            if footer.skip_replies ~= 0 then
              in_reply_to = task:get_header_raw('in-reply-to')
              if in_reply_to then
                rspamd_logger.infox(rspamd_config, "mail is a reply - skip footer")
                return
              end
            end

            local envfrom_mime = task:get_from(2)
            local from_name = ""
            if envfrom_mime and envfrom_mime[1].name then
              from_name = envfrom_mime[1].name
            elseif envfrom and envfrom[1].name then
              from_name = envfrom[1].name
            end

            local replacements = {
              auth_user = uname,
              from_user = envfrom[1].user,
              from_name = from_name,
              from_addr = envfrom[1].addr,
              from_domain = envfrom[1].domain:lower()
            }
            
            if footer.vars and type(footer.vars) == "string" then
              local footer_vars = cjson.decode(footer.vars)
              if type(footer_vars) == "table" then
                for key, value in pairs(footer_vars) do
                  replacements[key] = value
                end
              end
            end
            
            if footer.html and footer.html ~= "" then
              footer.html = lua_util.jinja_template(footer.html, replacements, true)
            end
            if footer.plain and footer.plain ~= "" then
              footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
            end

            local out = {}
            local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}

            local seen_cte
            local newline_s = newline(task)

            local ct = task:get_header('Content-Type', false)
            local is_multipart = ct and ct:lower():match('^multipart/')

            local function has_non_ascii(text)
              if not text or text == "" then return false end
              return text:match('[\128-\255]') ~= nil
            end

            local footer_needs_utf8 = has_non_ascii(footer.html) or has_non_ascii(footer.plain)

            local function rewrite_ct_cb(name, hdr)
              if rewrite.need_rewrite_ct then
                if name:lower() == 'content-type' then
                  local boundary_part = rewrite.new_ct.boundary and
                    string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''

                  local charset_part = ''
                  if not is_multipart then
                    if footer_needs_utf8 then
                      charset_part = '; charset=utf-8'
                      rspamd_logger.infox(rspamd_config, "footer contains non-ASCII characters, forcing UTF-8 charset")
                    else
                      local orig_charset = hdr.raw:match('[Cc][Hh][Aa][Rr][Ss][Ee][Tt]%s*=%s*"?([^;%s"]+)')
                      if orig_charset then
                        charset_part = string.format('; charset=%s', orig_charset)
                      else
                        charset_part = '; charset=utf-8'
                      end
                    end
                  end

                  local nct = string.format('%s: %s/%s%s%s',
                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)
                  out[#out + 1] = nct
                  task:set_milter_reply({
                    remove_headers = {['Content-Type'] = 0},
                  })
                  task:set_milter_reply({
                    add_headers = {['Content-Type'] = string.format('%s/%s%s%s',
                      rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)}
                  })
                  return
                elseif name:lower() == 'content-transfer-encoding' then
                  if not is_multipart then
                    out[#out + 1] = string.format('%s: %s',
                        'Content-Transfer-Encoding', 'quoted-printable')
                    task:set_milter_reply({
                      remove_headers = {['Content-Transfer-Encoding'] = 0},
                    })
                    task:set_milter_reply({
                      add_headers = {['Content-Transfer-Encoding'] = 'quoted-printable'}
                    })
                    seen_cte = true
                  else
                    out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
                  end
                  return
                end
              end
              out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
            end

            task:headers_foreach(rewrite_ct_cb, {full = true})

            if not seen_cte and rewrite.need_rewrite_ct and not is_multipart then
              out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
            end

            out[#out + 1] = newline_s

            if rewrite.out then
              for _,o in ipairs(rewrite.out) do
                out[#out + 1] = o
              end
            else
              out[#out + 1] = task:get_rawbody()
            end

            local out_parts = {}
            for _,o in ipairs(out) do
              if type(o) ~= 'table' then
                out_parts[#out_parts + 1] = o
                out_parts[#out_parts + 1] = newline_s
              else
                local part_content = tostring(o[1])
                if is_multipart then
                  out_parts[#out_parts + 1] = part_content
                else
                  local removePrefix = "--\r\nContent-Type"
                  if string.lower(string.sub(part_content, 1, string.len(removePrefix))) == string.lower(removePrefix) then
                    part_content = string.sub(part_content, string.len("--\r\n") + 1)
                  end
                  out_parts[#out_parts + 1] = part_content
                end
                if o[2] then
                  out_parts[#out_parts + 1] = newline_s
                end
              end
            end
            task:set_message(out_parts)
          else
            rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\")", uname, data)
          end
        end
      end
    end

    rspamd_http.request({
      task=task,
      url='http://nginx:8081/footer.php',
      body='',
      callback=footer_cb,
      headers={Domain=env_from_domain,Username=uname,From=env_from_addr},
    })

    return true
  end,
  priority = 1
})

@[deleted]

Gmail Filename Encoding Issue
The problem is Gmail doesn’t understand non-ASCII characters in the basic filename=“dührkop.pdf” format. It needs RFC 2231 encoding which looks like: filename*=UTF-8′'d%C3%BChrkop.pdf

The Challenge
We need to re-encode attachment filenames, but there’s a catch - rspamd’s Lua API might not let us modify MIME part headers after they’ve been processed by the built-in footer function.

What We Need to Try
Add this function somewhere near the top with the other helper functions (around line 15-20):

-- Encode filename for RFC 2231 (fixes Gmail umlaut issue)
local function encode_filename_rfc2231(filename)
  if not filename or filename == "" then return filename end
  
  -- Check if already has non-ASCII
  if not filename:match('[\128-\255]') then return filename end
  
  -- Percent-encode non-ASCII bytes
  local encoded = ""
  for i = 1, #filename do
    local byte = string.byte(filename, i)
    if byte > 127 or byte == 37 or byte == 39 or byte == 42 then
      encoded = encoded .. string.format("%%%02X", byte)
    else
      encoded = encoded .. string.char(byte)
    end
  end
  
  return string.format("UTF-8''%s", encoded)
end

Then add this code after the footer is applied but before task:set_message(out_parts) - around line 790:

-- FIX: Re-encode attachment filenames with umlauts for Gmail
local parts = task:get_parts()
for _, part in ipairs(parts) do
  if part:is_attachment() then
    local cd = part:get_header('Content-Disposition')
    if cd then
      local filename = cd:match('filename="?([^";]+)"?')
      if filename and filename:match('[\128-\255]') then
        local encoded = encode_filename_rfc2231(filename)
        local new_cd = cd:gsub('filename="?[^";]+"?', 'filename*=' .. encoded)
        
        -- Try to update header (might not work)
        pcall(function()
          part:set_header('Content-Disposition', new_cd)
        end)
        
        rspamd_logger.infox(rspamd_config, "Re-encoded filename: %s -> %s", filename, encoded)
      end
    end
  end
end

The Problem
I’m not confident part:set_header() actually exists or works in rspamd. This might just silently fail.
Alternative Approach (If Above Fails)

We’d need to modify the MIME reconstruction in the out_parts loop to manually rewrite Content-Disposition headers, which is way more invasive and risky.

My honest take. Try the code above first. If logs show “Re-encoded filename” but Gmail still shows “noname”, then rspamd doesn’t let us modify headers after the fact and we’d need a completely different approach, possibly patching at the postfix level instead of rspamd.

@[deleted]

What We Need to Try
Add this function somewhere near the top with the other helper functions (around line 15-20):

-- Encode filename for RFC 2231 (fixes Gmail umlaut issue)
local function encode_filename_rfc2231(filename)
  if not filename or filename == "" then return filename end
  
  -- Check if already has non-ASCII
  if not filename:match('[\128-\255]') then return filename end
  
  -- Percent-encode non-ASCII bytes
  local encoded = ""
  for i = 1, #filename do
    local byte = string.byte(filename, i)
    if byte > 127 or byte == 37 or byte == 39 or byte == 42 then
      encoded = encoded .. string.format("%%%02X", byte)
    else
      encoded = encoded .. string.char(byte)
    end
  end
  
  return string.format("UTF-8''%s", encoded)
end

Then add this code after the footer is applied but before task:set_message(out_parts) - around line 790:

-- FIX: Re-encode attachment filenames with umlauts for Gmail
local parts = task:get_parts()
for _, part in ipairs(parts) do
  if part:is_attachment() then
    local cd = part:get_header('Content-Disposition')
    if cd then
      local filename = cd:match('filename="?([^";]+)"?')
      if filename and filename:match('[\128-\255]') then
        local encoded = encode_filename_rfc2231(filename)
        local new_cd = cd:gsub('filename="?[^";]+"?', 'filename*=' .. encoded)
        
        -- Try to update header (might not work)
        pcall(function()
          part:set_header('Content-Disposition', new_cd)
        end)
        
        rspamd_logger.infox(rspamd_config, "Re-encoded filename: %s -> %s", filename, encoded)
      end
    end
  end
end

The Problem
I’m not confident part:set_header() actually exists or works in rspamd. This might just silently fail.
Alternative Approach (If Above Fails)

We’d need to modify the MIME reconstruction in the out_parts loop to manually rewrite Content-Disposition headers, which is way more invasive and risky.

function1983

shaneodoo The Trade-off
Users with Outlook signatures won’t get Domain Wide footers on their emails anymore. But they’ll actually receive all their attachments, which seems like the more important problem to solve.
The Gmail filename issue with umlauts (where dührkop.pdf turns into noname.pdf) is still there - that’s a different encoding problem and I didn’t want to change too much at once.

Thank you so much for the code, it was a great help. There is one slight problem where analyze_mime_structure will silently fail when parsing email sent by Outlook (at least for me). I include the changes here in case it can help someone.

local function analyze_mime_structure(task)
  local parts = task:get_parts()
  if not parts or #parts == 0 then 
    return {simple = true, depth = 0, is_complex = false} 
  end
  local max_depth = 0
  local has_related = false
  local has_mixed = false
  local has_inline_images = false
  local has_attachments = false
  for _, part in ipairs(parts) do
    if part:is_multipart() then
      local _, msubtype = part:get_type()
      if msubtype == 'related' then has_related = true end
      if msubtype == 'mixed' then has_mixed = true end
    end
    if part:is_attachment() then
      has_attachments = true
    end
    if part:is_image() then
      local cd = part:get_header('Content-Disposition')
      if cd and cd:lower():match('inline') then
        has_inline_images = true
      end
    end
  end
  local is_complex = (has_related and has_mixed and has_attachments)
  return {
    has_related = has_related,
    has_mixed = has_mixed,
    has_inline_images = has_inline_images,
    has_attachments = has_attachments,
    is_complex = is_complex
  }
end

CK_beats

ebizz
Unfortunately, the error (only) exists in connection with old MS Outlook versions and Mailcow. All other mail clients, including the GUI SoGo, do not have this problem.
Therefore it will not be pushed further.
If I read correctly, the Mailcow programmers/maintainers complained about shaneodoo has changing something in the code. That supposedly shouldn’t be the case. But seems to be the solution to our problem.
If we continue to use the modified rspamd.local.lua from shaneodoo ha it works.

CK_beats

You two are really absolutely fit when it comes to coding and programming.
For a layman like me the only option is trial and error.

Is it very rude to ask if someone can put together the newrspamd.local.lua as a code for me and other beginners?
I’m afraid of making a mistake when inserting several parts. In the end nothing works at all.

function1983

CK_beats
Well, the beauty of opensource is no one can say with 100% confidence that it will work for your set up. @shaneodoo did the heavy lifting.

Here is my rspamd.local.lua in its entirety for your reference:

rspamd_config.MAILCOW_AUTH = {
  callback = function(task)
    local uname = task:get_user()
    if uname then
      return 1
    end
  end
}

local monitoring_hosts = rspamd_config:add_map{
  url = "/etc/rspamd/custom/monitoring_nolog.map",
  description = "Monitoring hosts",
  type = "regexp"
}

rspamd_config:register_symbol({
  name = 'SMTP_ACCESS',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()
    local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS")

    if not uname then
      return false
    end

    if not limited_access then
      return false
    end

    local hash_key = 'SMTP_ALLOW_NETS_' .. uname

    local redis_params = rspamd_parse_redis_server('smtp_access')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    smtp_access_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(smtp_access_table, nip)
    end
    local function smtp_access_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key)
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in smtp_access map")
            task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string)
            return true
          end
        end
        rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map")
        task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string)
        return true
      end
    end
    table.insert(smtp_access_table, 1, hash_key)
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, hash_key, false, smtp_access_cb, 'HMGET', smtp_access_table
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map")
    end
  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'POSTMASTER_HANDLER',
  type = 'prefilter',
  callback = function(task)
    local rcpts = task:get_recipients('smtp')
    local rspamd_logger = require "rspamd_logger"
    local lua_util = require "lua_util"
    local from = task:get_from(1)

    if rcpts and #rcpts == 1 then
      for _,rcpt in ipairs(rcpts) do
        local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
        if #rcpt_split == 2 then
          if rcpt_split[1] == 'postmaster' then
            task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt', 'postmaster')
            return
          end
        end
      end
    end

    if from then
      for _,fr in ipairs(from) do
        local fr_split = rspamd_str_split(fr['addr'], '@')
        if #fr_split == 2 then
          if fr_split[1] == 'postmaster' and task:get_user() then
            task:insert_result(true, 'POSTMASTER_FROM', -2500.0)
            return
          end
        end
      end
    end
  end,
  priority = 10
})

rspamd_config:register_symbol({
  name = 'KEEP_SPAM',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local rspamd_ip = require 'rspamd_ip'
    local uname = task:get_user()

    if uname then
      return false
    end

    local redis_params = rspamd_parse_redis_server('keep_spam')
    local ip = task:get_from_ip()

    if ip == nil or not ip:is_valid() then
      return false
    end

    local from_ip_string = tostring(ip)
    ip_check_table = {from_ip_string}

    local maxbits = 128
    local minbits = 32
    if ip:get_version() == 4 then
        maxbits = 32
        minbits = 8
    end
    for i=maxbits,minbits,-1 do
      local nip = ip:apply_mask(i):to_string() .. "/" .. i
      table.insert(ip_check_table, nip)
    end
    local function keep_spam_cb(err, data)
      if err then
        rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
        return false
      else
        for k,v in pairs(data) do
          if (v and v ~= userdata and v == '1') then
            rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
            task:set_pre_result('accept', 'ip matched with forward hosts', 'keep_spam')
          end
        end
      end
    end
    table.insert(ip_check_table, 1, 'KEEP_SPAM')
    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, 'KEEP_SPAM', false, keep_spam_cb, 'HMGET', ip_check_table
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map")
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'TLS_HEADER',
  type = 'postfilter',
  callback = function(task)
    local rspamd_logger = require "rspamd_logger"
    local tls_tag = task:get_request_header('TLS-Version')
    if type(tls_tag) == 'nil' then
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = 'None'}
      })
    else
      task:set_milter_reply({
        add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)}
      })
    end
  end,
  priority = 12
})

rspamd_config:register_symbol({
  name = 'TAG_MOO',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_logger = require "rspamd_logger"
    local redis_params = rspamd_parse_redis_server('taghandler')
    local rspamd_http = require "rspamd_http"
    local rcpts = task:get_recipients('smtp')
    local lua_util = require "lua_util"

    local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
    local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")

    local function remove_moo_tag()
      local moo_tag_header = task:get_header('X-Moo-Tag', false)
      if moo_tag_header then
        task:set_milter_reply({
          remove_headers = {['X-Moo-Tag'] = 0},
        })
      end
      return true
    end

    if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
      local tag = tagged_rcpt[1].options[1]
      rspamd_logger.infox("found tag: %s", tag)
      local action = task:get_metric_action('default')
      rspamd_logger.infox("metric action now: %s", action)

      if action ~= 'no action' and action ~= 'greylist' then
        rspamd_logger.infox("skipping tag handler for action: %s", action)
        remove_moo_tag()
        return true
      end

      local function http_callback(err_message, code, body, headers)
        if body ~= nil and body ~= "" then
          rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body)

          local function tag_callback_subject(err, data)
            if err or type(data) ~= 'string' then
              rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err)

              local function tag_callback_subfolder(err, data)
                if err or type(data) ~= 'string' then
                  rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
                  remove_moo_tag()
                else
                  rspamd_logger.infox("Add X-Moo-Tag header")
                  task:set_milter_reply({
                    add_headers = {['X-Moo-Tag'] = 'YES'}
                  })
                end
              end

              local redis_ret_subfolder = rspamd_redis_make_request(task,
                redis_params, body, false, tag_callback_subfolder, 'HGET', {'RCPT_WANTS_SUBFOLDER_TAG', body}
              )
              if not redis_ret_subfolder then
                rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
                remove_moo_tag()
              end

            else
              rspamd_logger.infox("user wants subject modified for tagged mail")
              local sbj = task:get_header('Subject')
              new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
              task:set_milter_reply({
                remove_headers = {
                  ['Subject'] = 1,
                  ['X-Moo-Tag'] = 0
                },
                add_headers = {['Subject'] = new_sbj}
              })
            end
          end

          local redis_ret_subject = rspamd_redis_make_request(task,
            redis_params, body, false, tag_callback_subject, 'HGET', {'RCPT_WANTS_SUBJECT_TAG', body}
          )
          if not redis_ret_subject then
            rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
            remove_moo_tag()
          end

        end
      end

      if rcpts and #rcpts == 1 then
        for _,rcpt in ipairs(rcpts) do
          local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
          if #rcpt_split == 2 then
            if rcpt_split[1] == 'postmaster' then
              rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
              remove_moo_tag()
            else
              rspamd_http.request({
                task=task,
                url='http://nginx:8081/aliasexp.php',
                body='',
                callback=http_callback,
                headers={Rcpt=rcpt['addr']},
              })
            end
          end
        end
      end
    else
      remove_moo_tag()
    end
  end,
  priority = 19
})

rspamd_config:register_symbol({
  name = 'BCC',
  type = 'postfilter',
  callback = function(task)
    local util = require("rspamd_util")
    local rspamd_http = require "rspamd_http"
    local rspamd_logger = require "rspamd_logger"

    local from_table = {}
    local rcpt_table = {}

    if task:has_symbol('ENCRYPTED_CHAT') then
      return
    end

    local send_mail = function(task, bcc_dest)
      local lua_smtp = require "lua_smtp"
      local function sendmail_cb(ret, err)
        if not ret then
          rspamd_logger.errx(task, 'BCC SMTP ERROR: %s', err)
        else
          rspamd_logger.infox(rspamd_config, "BCC SMTP SUCCESS TO %s", bcc_dest)
        end
      end
      if not bcc_dest then
        return
      end
      local email_content = tostring(task:get_content())
      email_content = string.gsub(email_content, "\r\n%.", "\r\n..")
      lua_smtp.sendmail({
        task = task,
        host = os.getenv("IPV4_NETWORK") .. '.253',
        port = 591,
        from = task:get_from(stp)[1].addr,
        recipients = bcc_dest,
        helo = 'bcc',
        timeout = 20,
      }, email_content, sendmail_cb)
    end

    local from = task:get_from('smtp')
    if from then
      for _, a in ipairs(from) do
        table.insert(from_table, a['addr'])
        table.insert(from_table, '@' .. a['domain'])
      end
    else
      return
    end

    local rcpts = task:get_recipients('smtp')
    if rcpts then
      for _, a in ipairs(rcpts) do
        table.insert(rcpt_table, a['addr'])
        table.insert(rcpt_table, '@' .. a['domain'])
      end
    else
      return
    end

    local action = task:get_metric_action('default')
    rspamd_logger.infox("metric action now: %s", action)

    local function rcpt_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    local function from_callback(err_message, code, body, headers)
      if err_message == nil and code == 201 and body ~= nil then
        if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
          send_mail(task, body)
        end
      end
    end

    if rcpt_table then
      for _,e in ipairs(rcpt_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for rcpt address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=rcpt_callback,
          headers={Rcpt=e}
        })
      end
    end

    if from_table then
      for _,e in ipairs(from_table) do
        rspamd_logger.infox(rspamd_config, "checking bcc for from address %s", e)
        rspamd_http.request({
          task=task,
          url='http://nginx:8081/bcc.php',
          body='',
          callback=from_callback,
          headers={From=e}
        })
      end
    end

    return true
  end,
  priority = 20
})

rspamd_config:register_symbol({
  name = 'DYN_RL_CHECK',
  type = 'prefilter',
  callback = function(task)
    local util = require("rspamd_util")
    local redis_params = rspamd_parse_redis_server('dyn_rl')
    local rspamd_logger = require "rspamd_logger"
    local envfrom = task:get_from(1)
    local envrcpt = task:get_recipients(1) or {}
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end

    local uname = uname:lower()

    if #envrcpt == 1 and envrcpt[1].addr:lower() == uname then
      return false
    end

    local env_from_domain = envfrom[1].domain:lower()

    local function redis_cb_user(err, data)

      if err or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)

        local function redis_key_cb_domain(err, data)
          if err or type(data) ~= 'string' then
            rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err)
          else
            rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data)
            task:insert_result('DYN_RL', 0.0, data, env_from_domain)
          end
        end

        local redis_ret_domain = rspamd_redis_make_request(task,
          redis_params, env_from_domain, false, redis_key_cb_domain, 'HGET', {'RL_VALUE', env_from_domain}
        )
        if not redis_ret_domain then
          rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
        end
      else
        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
        task:insert_result('DYN_RL', 0.0, data, uname)
      end

    end

    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, uname, false, redis_cb_user, 'HGET', {'RL_VALUE', uname}
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
    end
    return true
  end,
  flags = 'empty',
  priority = 20
})

rspamd_config:register_symbol({
  name = 'NO_LOG_STAT',
  type = 'postfilter',
  callback = function(task)
    local from = task:get_header('From')
    if from and (monitoring_hosts:get_key(from) or from == "watchdog@localhost") then
      task:set_flag('no_log')
      task:set_flag('no_stat')
    end
  end
})

rspamd_config:register_symbol({
  name = 'MOO_FOOTER',
  type = 'prefilter',
  callback = function(task)
    local cjson = require "cjson"
    local lua_mime = require "lua_mime"
    local lua_util = require "lua_util"
    local rspamd_logger = require "rspamd_logger"
    local rspamd_http = require "rspamd_http"
    local envfrom = task:get_from(1)
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end
    local uname = uname:lower()
    local env_from_domain = envfrom[1].domain:lower()
    local env_from_addr = envfrom[1].addr:lower()

    local function newline(task)
      local t = task:get_newlines_type()
      if t == 'cr' then return '\r' elseif t == 'lf' then return '\n' end
      return '\r\n'
    end

    -- NEW: Analyze MIME structure complexity
    local function analyze_mime_structure(task)
      local parts = task:get_parts()
      if not parts or #parts == 0 then 
        return {simple = true, depth = 0, is_complex = false} 
      end
      local max_depth = 0
      local has_related = false
      local has_mixed = false
      local has_inline_images = false
      local has_attachments = false
      for _, part in ipairs(parts) do
        if part:is_multipart() then
          local _, msubtype = part:get_type()
          if msubtype == 'related' then has_related = true end
          if msubtype == 'mixed' then has_mixed = true end
        end
        if part:is_attachment() then
          has_attachments = true
        end
        if part:is_image() then
          local cd = part:get_header('Content-Disposition')
          if cd and cd:lower():match('inline') then
            has_inline_images = true
          end
        end
      end
      local is_complex = (has_related and has_mixed and has_attachments)
      return {
        has_related = has_related,
        has_mixed = has_mixed,
        has_inline_images = has_inline_images,
        has_attachments = has_attachments,
        is_complex = is_complex
      }
    end

    local function footer_cb(err_message, code, data, headers)
      if err_message or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
      else
        local footer = cjson.decode(data)
        if not footer then
          rspamd_logger.infox(rspamd_config, "parsing domain wide footer for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err_message)
        else
          if footer and type(footer) == "table" and (footer.html and footer.html ~= "" or footer.plain and footer.plain ~= "")  then
            
            -- NEW: Analyze structure BEFORE processing
            local structure = analyze_mime_structure(task)
            
            rspamd_logger.infox(rspamd_config, "found domain wide footer for user %s: html=%s, plain=%s, vars=%s", uname, footer.html, footer.plain, footer.vars)
            rspamd_logger.infox(rspamd_config, "MIME structure analysis: depth=%d, has_related=%s, has_mixed=%s, has_inline=%s, has_attach=%s, complex=%s", 
              structure.depth, 
              tostring(structure.has_related), 
              tostring(structure.has_mixed), 
              tostring(structure.has_inline_images), 
              tostring(structure.has_attachments),
              tostring(structure.is_complex))

            -- NEW: Skip footer for ultra-complex structures (Outlook signature + attachments)
            if structure.is_complex then
              rspamd_logger.warnx(rspamd_config, "SKIPPING footer for complex MIME structure (likely Outlook signature + attachments) to prevent attachment loss for user %s", uname)
              return
            end

            if footer.skip_replies ~= 0 then
              in_reply_to = task:get_header_raw('in-reply-to')
              if in_reply_to then
                rspamd_logger.infox(rspamd_config, "mail is a reply - skip footer")
                return
              end
            end

            local envfrom_mime = task:get_from(2)
            local from_name = ""
            if envfrom_mime and envfrom_mime[1].name then
              from_name = envfrom_mime[1].name
            elseif envfrom and envfrom[1].name then
              from_name = envfrom[1].name
            end

            local replacements = {
              auth_user = uname,
              from_user = envfrom[1].user,
              from_name = from_name,
              from_addr = envfrom[1].addr,
              from_domain = envfrom[1].domain:lower()
            }
            
            if footer.vars and type(footer.vars) == "string" then
              local footer_vars = cjson.decode(footer.vars)
              if type(footer_vars) == "table" then
                for key, value in pairs(footer_vars) do
                  replacements[key] = value
                end
              end
            end
            
            if footer.html and footer.html ~= "" then
              footer.html = lua_util.jinja_template(footer.html, replacements, true)
            end
            if footer.plain and footer.plain ~= "" then
              footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
            end

            local out = {}
            local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}

            local seen_cte
            local newline_s = newline(task)

            local ct = task:get_header('Content-Type', false)
            local is_multipart = ct and ct:lower():match('^multipart/')

            local function has_non_ascii(text)
              if not text or text == "" then return false end
              return text:match('[\128-\255]') ~= nil
            end

            local footer_needs_utf8 = has_non_ascii(footer.html) or has_non_ascii(footer.plain)

            local function rewrite_ct_cb(name, hdr)
              if rewrite.need_rewrite_ct then
                if name:lower() == 'content-type' then
                  local boundary_part = rewrite.new_ct.boundary and
                    string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''

                  local charset_part = ''
                  if not is_multipart then
                    if footer_needs_utf8 then
                      charset_part = '; charset=utf-8'
                      rspamd_logger.infox(rspamd_config, "footer contains non-ASCII characters, forcing UTF-8 charset")
                    else
                      local orig_charset = hdr.raw:match('[Cc][Hh][Aa][Rr][Ss][Ee][Tt]%s*=%s*"?([^;%s"]+)')
                      if orig_charset then
                        charset_part = string.format('; charset=%s', orig_charset)
                      else
                        charset_part = '; charset=utf-8'
                      end
                    end
                  end

                  local nct = string.format('%s: %s/%s%s%s',
                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)
                  out[#out + 1] = nct
                  task:set_milter_reply({
                    remove_headers = {['Content-Type'] = 0},
                  })
                  task:set_milter_reply({
                    add_headers = {['Content-Type'] = string.format('%s/%s%s%s',
                      rewrite.new_ct.type, rewrite.new_ct.subtype, charset_part, boundary_part)}
                  })
                  return
                elseif name:lower() == 'content-transfer-encoding' then
                  if not is_multipart then
                    out[#out + 1] = string.format('%s: %s',
                        'Content-Transfer-Encoding', 'quoted-printable')
                    task:set_milter_reply({
                      remove_headers = {['Content-Transfer-Encoding'] = 0},
                    })
                    task:set_milter_reply({
                      add_headers = {['Content-Transfer-Encoding'] = 'quoted-printable'}
                    })
                    seen_cte = true
                  else
                    out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
                  end
                  return
                end
              end
              out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
            end

            task:headers_foreach(rewrite_ct_cb, {full = true})

            if not seen_cte and rewrite.need_rewrite_ct and not is_multipart then
              out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
            end

            out[#out + 1] = newline_s

            if rewrite.out then
              for _,o in ipairs(rewrite.out) do
                out[#out + 1] = o
              end
            else
              out[#out + 1] = task:get_rawbody()
            end

            local out_parts = {}
            for _,o in ipairs(out) do
              if type(o) ~= 'table' then
                out_parts[#out_parts + 1] = o
                out_parts[#out_parts + 1] = newline_s
              else
                local part_content = tostring(o[1])
                if is_multipart then
                  out_parts[#out_parts + 1] = part_content
                else
                  local removePrefix = "--\r\nContent-Type"
                  if string.lower(string.sub(part_content, 1, string.len(removePrefix))) == string.lower(removePrefix) then
                    part_content = string.sub(part_content, string.len("--\r\n") + 1)
                  end
                  out_parts[#out_parts + 1] = part_content
                end
                if o[2] then
                  out_parts[#out_parts + 1] = newline_s
                end
              end
            end
            task:set_message(out_parts)
          else
            rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\")", uname, data)
          end
        end
      end
    end

    rspamd_http.request({
      task=task,
      url='http://nginx:8081/footer.php',
      body='',
      callback=footer_cb,
      headers={Domain=env_from_domain,Username=uname,From=env_from_addr},
    })

    return true
  end,
  priority = 1
})

CK_beats

function1983
I would like to thank you very much for merging the individual codes intorspamd.local.lua!
I pasted all your code and restarted Docker.
I’m excited to see how it will work for us! 👌
I will report!

First of all, a relaxing Christmas holiday and Merry Christmas to all of you! 🎄🎄🎄
Thank you for your commitment and support! 😊😊

CK_beats

shaneodoo
I have to give a little update on this:
Apparently the code from your “Document 1” differs from this code: function1983 .
Suddenly the domain-wide footers were missing from all emails.
I went back to the “old” rspamd.local.lua code and the footer worked again.
MS Outlook 2013 was always used as the client.
Just for information.

« Previous Page Next Page »