Hello everyone,
we are behind a mail gateway (mails come from 130.83.156.225, which is entered as a forwarding host).
Two mails (newsletters) from the same sender, practically identical in header and content, were received within seconds for several recipients. Despite the same gateway IP, rspamd decides differently:
rspamd log for Mail 1 (add_header)
rspamd-mailcow-1 | 2025-10-27 20:02:43 #39(normal) <32f6a7>; task; rspamd_task_write_log: id: <undef>
qid: <E50698240A3B> **ip: 130.83.156.225** from: <b@mail.photonics.com> (default: T (add header): [8.26/16.00]
[
BAYES_SPAM(4.50){100.00%;}
MISSING_MID(2.50){}
URI_COUNT_ODD(1.00){21;}
IP_REPUTATION_HAM(-0.72){asn: 8365(-0.19)
country: DE(-0.00)
ip: 130.83.156.225(-0.53);}
MX_INVALID(0.50){}
FORGED_SENDER(0.30){newsletter@mail.photonics.com;b@mail.photonics.com;}
R_PARTS_DIFFER(0.25){62.6%;}
MIME_GOOD(-0.10){multipart/alternative;text/plain;}
MANY_INVISIBLE_PARTS(0.05){1;}
HAS_LIST_UNSUB(-0.01){}
ARC_NA(0.00){}
ARC_SIGNED(0.00){physik.tu-darmstadt.de:s=dkim:i=1;}
ASN(0.00){asn:8365
ipnet:130.83.0.0/16
country:DE;}
BCC(0.00){}
DKIM_TRACE(0.00){mail.photonics.com:-;}
FROM_HAS_DN(0.00){}
FROM_NEQ_ENVFROM(0.00){newsletter@mail.photonics.com;b@mail.photonics.com;}
HAS_REPLYTO(0.00){maillist@mail.photonics.com;}
MIME_TRACE(0.00){0:+;1:+;2:~;}
MISSING_XM_UA(0.00){}
PREVIOUSLY_DELIVERED(0.00){user1@physik.tu-darmstadt.de;}
RBL_SENDERSCORE_REPUT_BLOCKED(0.00){130.83.156.225:from;}
RCPT_COUNT_ONE(0.00){1;}
RCPT_MAILCOW_DOMAIN(0.00){physik.tu-darmstadt.de;}
RCVD_COUNT_TWO(0.00){2;}
RCVD_TLS_ALL(0.00){}
REPLYTO_DOM_EQ_FROM_DOM(0.00){}
REPLYTO_DOM_NEQ_TO_DOM(0.00){}
TO_DN_NONE(0.00){}
TO_MATCH_ENVRCPT_ALL(0.00){}
WHITELISTED_FWD_HOST(0.00){130.83.156.225;}
WL_FWD_HOST(0.00){}])
len: 46914
time: 610.785ms
dns req: 77
digest: <5699cf2a9b16945d90cf3eac7304075a>
rcpts: <user1@physik.tu-darmstadt.de>
mime_rcpts: <user1@physik.tu-darmstadt.de>
rspamd log for Mail 2 (reject)
rspamd-mailcow-1 | 2025-10-27 20:02:50 #39(normal) <b3d18a>; task; rspamd_task_write_log: id: <undef> qid: <C8B228240A3B> **ip: 130.83.156.225** from: <b@mail.photonics.com> (default: T (reject): [32.90/15.00]
[
DMARC_POLICY_QUARANTINE(8.00){mail.photonics.com : No valid SPF;quarantine;}
R_DKIM_REJECT(8.00){mail.photonics.com:s=8d666b203343f58;}
R_SPF_FAIL(8.00){-all:c;}
BAYES_SPAM(4.50){100.00%;}
RSPAMD_URIBL(4.50){jenoptik.us:url;}
MIME_GOOD(-0.10){multipart/alternative;text/plain;}
ARC_NA(0.00){}
ARC_SIGNED(0.00){physik.tu-darmstadt.de:s=dkim:i=1;}
ASN(0.00){asn:8365
ipnet:130.83.0.0/16
country:DE;}
BCC(0.00){}
DKIM_TRACE(0.00){mail.photonics.com:-;}
MIME_TRACE(0.00){0:+;1:+;2:~;}
RBL_SENDERSCORE_REPUT_BLOCKED(0.00){130.83.156.225:from;}
])
len: 46874
time: 454.514ms
dns req: 72
digest: <880486794eca7b5a5c627dd1547a64ba>
rcpts: <user2@physik.tu-darmstadt.de>
mime_rcpts: <user2@physik.tu-darmstadt.de>
Here is the header of both mails:
Received: from a2681.mx.srv.dfn.de (a2681.mx.srv.dfn.de [194.95.233.42])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(Client did not present a certificate)
by mail-relay225.hrz.tu-darmstadt.de (Postfix) with ESMTPS id 4cwNDj3ky9zPjct
for <user@physik.tu-darmstadt.de>; Mon, 27 Oct 2025 20:02:45 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mgw8-han.srv.dfn.de
Authentication-Results: mgw8-han.srv.dfn.de (amavis); dkim=pass (2048-bit key)
header.d=mail.photonics.com
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=24.213.236.213; helo=mail.photonics.com; envelope-from=b@mail.photonics.com; receiver=<UNKNOWN>
Received: from mail.photonics.com (mail.photonics.com [24.213.236.213])
by a2681.mx.srv.dfn.de (Postfix) with ESMTPS id 7488440063
for user@physik.tu-darmstadt.de>; Mon, 27 Oct 2025 20:02:43 +0100 (CET)
X-SmarterMail-Authenticated-As: bypass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mail.photonics.com; s=8d666b203343f58;
h=content-type:subject:date:reply-to:to:from:mime-version
:list-unsubscribe:x-timestamp:x-subscriber-email:x-return-path
:x-list-unsubscribe:x-receiver:x-sender;
bh=7SxwFllSg66nnj6EdtH1Oy06jsI5O+CfwZjbm6tpzh0=;
b=EFxlCKZS9VgOVMnQ+Fc7XM/RB1KnCCBDo8sklIE7YK8n1c2FwPHHuQLiAJV5jzq5L
uoGpCvgu8aAO4OLKbav49zK3+5U0o6ZgX/6PBvZewFQterghIJRL/ts23KR4sEgmJ
WHliALqWCqso5dnFi+/4n7Y97qQDsMhpVwNQTfd/JeTNB2yeUKdrdaJntDyLX1bQE
gP6MAL8Pcrbc068Owszw7NNZrvHgSpBKr8c5+z56E8wnIBOKeOYfZrCEZklkGFXKa
K1XUHpmvbEw6rPJlK9CKQEUN9rGdE7VmH2KpHAmWDaPmNT8JjCAdeMJifrNTRMxXv
gbYDZ/tkP+wwAi1zw==
X-Sender: "Photonics Media" <newsletter@mail.photonics.com>
X-Receiver: user@physik.tu-darmstadt.de
X-List-Unsubscribe: https://www.photonics.com/Newsletter/EmailUnsubscribe.aspx
X-Return-Path: b@mail.photonics.com
X-Subscriber-Email: user@physik.tu-darmstadt.de
X-Timestamp: 10/27/2025 3:00:00 PM
List-Unsubscribe: https://www.photonics.com/Newsletter/EmailUnsubscribe.aspx
Comments: {"CampaignId":"5270","RecurrenceId":"1","CustomerId":"23113133","PubCode":"BI2","EmailAddress":"user@physik.tu-darmstadt.de","EmailAddressId":"1003797","QueuedTimestamp":"10/27/2025
12:50:47 PM","SentTimestamp":"10/27/2025 3:00:00 PM"}
MIME-Version: 1.0
From: "Photonics Media" <newsletter@mail.photonics.com>
To: user@physik.tu-darmstadt.de
Reply-To: maillist@mail.photonics.com
Date: 27 Oct 2025 03:00:00 -0400
Subject: Final Reminder: Join us for a FREE webinar: "Tools for Analyzing,
Controlling, and Simulating Biological Systems"
Content-Type: multipart/alternative;
boundary=--boundary_64375_0d5bcede-865a-4d32-a84a-cd0e223508a0
----boundary_64375_0d5bcede-865a-4d32-a84a-cd0e223508a0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
If I check the .eml files "offline" directly with rspamc, I get reject for both:
root@rspamd:/etc/rspamd/override.d# rspamc symbols < reject.eml
Results for file: stdin (0.236 seconds)
[Metric: default]
**Action: reject**
Spam: true
Score: 29.70 / 15.00
Symbol: ARC_NA (0.00)
Symbol: ASN (0.00)[asn:680, ipnet:194.94.0.0/15, country:DE]
Symbol: BAYES_SPAM (4.50)[100.00%]
Symbol: DATE_IN_PAST (1.00)[49]
Symbol: DKIM_TRACE (0.00)[mail.photonics.com:-]
Symbol: DMARC_POLICY_QUARANTINE (8.00)[mail.photonics.com : No valid SPF, quarantine]
Symbol: FROM_HAS_DN (0.00)
Symbol: HAS_LIST_UNSUB (-0.01)
Symbol: HAS_REPLYTO (0.00)[maillist@mail.photonics.com]
Symbol: MANY_INVISIBLE_PARTS (0.05)[1]
Symbol: MIME_GOOD (-0.10)[multipart/alternative, text/plain]
Symbol: MIME_TRACE (0.00)[0:+, 1:+, 2:~]
Symbol: MISSING_MID (2.50)
Symbol: MISSING_XM_UA (0.00)
Symbol: PREVIOUSLY_DELIVERED (0.00)[user@physik.tu-darmstadt.de]
Symbol: RCPT_COUNT_ONE (0.00)[1]
Symbol: RCVD_COUNT_TWO (0.00)[2]
Symbol: RCVD_TLS_ALL (0.00)
Symbol: REPLYTO_DOM_EQ_FROM_DOM (0.00)
Symbol: REPLYTO_DOM_NEQ_TO_DOM (0.00)
Symbol: RSPAMD_URIBL (4.50)[jenoptik.us:url]
Symbol: R_DKIM_REJECT (8.00)[mail.photonics.com:s=8d666b203343f58]
Symbol: R_PARTS_DIFFER (0.26)[63.2%]
Symbol: R_SPF_NA (0.00)[No domain]
Symbol: TO_DN_NONE (0.00)
Symbol: URI_COUNT_ODD (1.00)[21]
Message-ID: undef
Urls: ["www.photonics.com","www.comsol.com","www.jenoptik.com","www.jenoptik.us","www.zaber.com","attendee.gotowebinar.com"]
Emails: ["user@physik.tu-darmstadt.de","info@photonics.com"]
That is presumably because SPF is checked against the IP of the gateway, and that fails. During the "real" live processing of the mail on receipt, however, Postfix / the milter passes the IP of the mail gateway (see the rspamd log, "ip: 130.83.156.225"). If I reproduce that, there is no reject:
root@rspamd:/etc/rspamd/override.d# rspamc **-i 130.83.156.225** symbols < reject.eml
Results for file: stdin (0.511 seconds)
[Metric: default]
**Action: add header**
Spam: true
Score: 9.20 / 15.00
Symbol: ARC_NA (0.00)
Symbol: ARC_SIGNED (0.00)[physik.tu-darmstadt.de:s=dkim:i=1]
Symbol: ASN (0.00)[asn:8365, ipnet:130.83.0.0/16, country:DE]
Symbol: BAYES_SPAM (4.50)[100.00%]
Symbol: DATE_IN_PAST (1.00)[54]
Symbol: DKIM_TRACE (0.00)[mail.photonics.com:-]
Symbol: FROM_HAS_DN (0.00)
Symbol: HAS_LIST_UNSUB (-0.01)
Symbol: HAS_REPLYTO (0.00)[maillist@mail.photonics.com]
Symbol: MANY_INVISIBLE_PARTS (0.05)[1]
Symbol: MIME_GOOD (-0.10)[multipart/alternative, text/plain]
Symbol: MIME_TRACE (0.00)[0:+, 1:+, 2:~]
Symbol: MISSING_MID (2.50)
Symbol: MISSING_XM_UA (0.00)
Symbol: PREVIOUSLY_DELIVERED (0.00)[user@physik.tu-darmstadt.de]
Symbol: RBL_SENDERSCORE_REPUT_BLOCKED (0.00)[130.83.156.225:from]
Symbol: RCPT_COUNT_ONE (0.00)[1]
Symbol: RCPT_MAILCOW_DOMAIN (0.00)[physik.tu-darmstadt.de]
Symbol: RCVD_COUNT_TWO (0.00)[2]
Symbol: RCVD_TLS_ALL (0.00)
Symbol: REPLYTO_DOM_EQ_FROM_DOM (0.00)
Symbol: REPLYTO_DOM_NEQ_TO_DOM (0.00)
Symbol: R_PARTS_DIFFER (0.26)[63.2%]
Symbol: R_SPF_NA (0.00)[No domain]
Symbol: TO_DN_NONE (0.00)
Symbol: URI_COUNT_ODD (1.00)[21]
Symbol: WHITELISTED_FWD_HOST (0.00)[130.83.156.225]
Symbol: WL_FWD_HOST (0.00)
Message-ID: undef
Urls: ["www.comsol.com","www.photonics.com","www.jenoptik.com","www.jenoptik.us","www.zaber.com","attendee.gotowebinar.com"]
Emails: ["info@photonics.com","user@physik.tu-darmstadt.de"]
During the "live" check on receipt, however, there were, as described, two different decisions, even though the IP of the gateway was correctly passed to rspamd in both cases. Could there be some kind of race condition, so that once the check of the IP as WHITELISTED_FWD_HOST wins and once the failed SPF check wins? Or a milter timeout problem? Caching / timing issues with Redis?
I'm out of ideas at the moment and need your help.
Thanks and best regards,
Thorsten
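An added diagnostic, not part of Thorsten's post or of rspamd itself: a small Python script that parses the symbol lists from the two rspamd_task_write_log entries quoted above (copied inline; the options that were spread over several lines in the post are joined onto one line), diffs the two scans and lists which symbols account for the 8.26 vs 32.90 gap. The regex, function names and the layout of the report are my own assumptions, not an rspamd API.

```python
import re
from typing import Dict, List, Tuple

# rspamd_task_write_log prints each symbol as NAME(score){opt1;opt2;};
# this pattern pulls out name, numeric score and the raw option string.
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\(([-+]?\d+(?:\.\d+)?)\)\{([^}]*)\}")

Symbols = Dict[str, Tuple[float, str]]

# Symbol lists copied from the two log entries in the post above
# (Mail 1 got "add header", Mail 2 got "reject").
MAIL1_LOG = """
BAYES_SPAM(4.50){100.00%;} MISSING_MID(2.50){} URI_COUNT_ODD(1.00){21;}
IP_REPUTATION_HAM(-0.72){asn: 8365(-0.19) country: DE(-0.00) ip: 130.83.156.225(-0.53);}
MX_INVALID(0.50){} FORGED_SENDER(0.30){newsletter@mail.photonics.com;b@mail.photonics.com;}
R_PARTS_DIFFER(0.25){62.6%;} MIME_GOOD(-0.10){multipart/alternative;text/plain;}
MANY_INVISIBLE_PARTS(0.05){1;} HAS_LIST_UNSUB(-0.01){} ARC_NA(0.00){}
ARC_SIGNED(0.00){physik.tu-darmstadt.de:s=dkim:i=1;}
ASN(0.00){asn:8365 ipnet:130.83.0.0/16 country:DE;} BCC(0.00){}
DKIM_TRACE(0.00){mail.photonics.com:-;} FROM_HAS_DN(0.00){}
FROM_NEQ_ENVFROM(0.00){newsletter@mail.photonics.com;b@mail.photonics.com;}
HAS_REPLYTO(0.00){maillist@mail.photonics.com;} MIME_TRACE(0.00){0:+;1:+;2:~;}
MISSING_XM_UA(0.00){} PREVIOUSLY_DELIVERED(0.00){user1@physik.tu-darmstadt.de;}
RBL_SENDERSCORE_REPUT_BLOCKED(0.00){130.83.156.225:from;} RCPT_COUNT_ONE(0.00){1;}
RCPT_MAILCOW_DOMAIN(0.00){physik.tu-darmstadt.de;} RCVD_COUNT_TWO(0.00){2;}
RCVD_TLS_ALL(0.00){} REPLYTO_DOM_EQ_FROM_DOM(0.00){} REPLYTO_DOM_NEQ_TO_DOM(0.00){}
TO_DN_NONE(0.00){} TO_MATCH_ENVRCPT_ALL(0.00){}
WHITELISTED_FWD_HOST(0.00){130.83.156.225;} WL_FWD_HOST(0.00){}
"""

MAIL2_LOG = """
DMARC_POLICY_QUARANTINE(8.00){mail.photonics.com : No valid SPF;quarantine;}
R_DKIM_REJECT(8.00){mail.photonics.com:s=8d666b203343f58;} R_SPF_FAIL(8.00){-all:c;}
BAYES_SPAM(4.50){100.00%;} RSPAMD_URIBL(4.50){jenoptik.us:url;}
MIME_GOOD(-0.10){multipart/alternative;text/plain;} ARC_NA(0.00){}
ARC_SIGNED(0.00){physik.tu-darmstadt.de:s=dkim:i=1;}
ASN(0.00){asn:8365 ipnet:130.83.0.0/16 country:DE;} BCC(0.00){}
DKIM_TRACE(0.00){mail.photonics.com:-;} MIME_TRACE(0.00){0:+;1:+;2:~;}
RBL_SENDERSCORE_REPUT_BLOCKED(0.00){130.83.156.225:from;}
"""


def parse_symbols(log_text: str) -> Symbols:
    """Map symbol name -> (score, options) for one log entry."""
    return {name: (float(score), opts) for name, score, opts in SYMBOL_RE.findall(log_text)}


def total_score(symbols: Symbols) -> float:
    """Sum of the printed per-symbol scores. For Mail 1 this gives 8.27 while
    the log says 8.26; the difference is rounding of the printed scores."""
    return round(sum(score for score, _ in symbols.values()), 2)


def scoring_only_in(x: Symbols, y: Symbols) -> List[Tuple[str, float]]:
    """Non-zero symbols that fired in scan x but not in scan y, highest first."""
    return sorted(((n, x[n][0]) for n in set(x) - set(y) if x[n][0] != 0.0),
                  key=lambda t: (-t[1], t[0]))


def diff_scans(a: Symbols, b: Symbols) -> dict:
    """Compare two scans of what should be the same message."""
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed_score": sorted(n for n in common if a[n][0] != b[n][0]),
        "score_a": total_score(a),
        "score_b": total_score(b),
    }


def report(a: Symbols, b: Symbols) -> str:
    d = diff_scans(a, b)
    fmt = lambda items: ", ".join(f"{n}({s:+.2f})" for n, s in items) or "none"
    return "\n".join([
        f"score: {d['score_a']:.2f} vs {d['score_b']:.2f} ({len(a)} vs {len(b)} symbols)",
        "scoring symbols only in second scan: " + fmt(scoring_only_in(b, a)),
        "scoring symbols only in first scan:  " + fmt(scoring_only_in(a, b)),
        "present in both but rescored: " + (", ".join(d["changed_score"]) or "none"),
    ])


if __name__ == "__main__":
    print(report(parse_symbols(MAIL1_LOG), parse_symbols(MAIL2_LOG)))
```

Run against the two entries from the post, the diff shows that the second scan fired only 13 symbols where the first fired 32, that no symbol present in both scans changed its score, and that the whole gap comes from four symbols that exist only in the reject scan (DMARC_POLICY_QUARANTINE, R_DKIM_REJECT, R_SPF_FAIL, RSPAMD_URIBL) minus the small positive ones only in the add-header scan (MISSING_MID, URI_COUNT_ODD, etc.). That is the kind of per-symbol comparison worth pasting into a bug report alongside the raw logs, since it separates "a check returned a different result" from "a check did not run at all".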