24 hours with email2 - Initial observations

Tags: mail2, rspamd, v7, mailserver

(Eddie Atherton) #1

NethServer Version: NS7
Module: EMail2

I’ve now been running the new EMail2 for around 24 hours and wanted to share a couple of the anomalies I’ve found so far.

Basically, I mainly run the POP3 Proxy to retrieve emails for multiple accounts from my external email provider. There is a machine on my local network that can also send emails directly to NS. There is a local service on NS that also sends out emails, and, as part of the test, I also sent myself emails directly to NS from a couple of external accounts.

Here first is the history report:


OK, so what am I seeing that I think is wrong?

Most, but strangely not all, of the emails sent directly to NS appear in the report twice (highlighted in red).

Next, the emails highlighted under the Action column are all being delivered to my Windows mail client without modification:


Even when they really shouldn’t have been:

The status is showing greylisted items:
[screenshot: rspamd status page showing greylisted items]
But they are not listed in the history. Also, I have no idea what they might be, as, apart from the emails I deliberately sent direct to NS, all other emails were retrieved via POP3, where greylisting shouldn’t be invoked.

It looks like p3scan has not quite handed over total responsibility to rspamd for classifying incoming emails:
[screenshot: p3scan still classifying incoming emails]

I’m seeing hundreds of error messages flooding the logs:

Mar 10 16:38:20 Nethserver rspamd[12781]: <e1e5b7>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1
Mar 10 16:38:21 Nethserver rspamd[12781]: <08e2a6>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1

The other issue I spotted was in regard to the statistics of messages scanned/clean/greylisted/etc. but I think that was probably caused by the redis issue I reported in the other thread.

I still have copies of all the emails highlighted in this report, should any more information be required.

BTW This is not meant to be a negative thread against this new feature. I, personally, think it’s a fantastic effort and thanks are due to all the folks who contributed to it.

Cheers.


(Davide Principi) #2

Thanks for reporting back @EddieA!

It seems they are similar messages (maybe with the same message ID), but how can we be sure they’re duplicates? They’re received at different times and get different scores… Perhaps the maillog has further details…

Did you look at the message headers? BTW, I heard TB has a plugin that displays rspamd scoring headers too.

I don’t know why the history does not show any message in the greylist state. As greylisting a transaction actually delays it, I could advance this hypothesis: the status is updated from greylisted to clean after final delivery /cc @stephdl @filippo_carletti

@stephdl what do you think? Can we reduce the log verbosity, or report upstream this issue?


(Stéphane de Labrusse) #3

Yes, it is peculiar, but it is intended by the developer to write to the log when you use the UI without a password.
We can shortcut the log and keep only warnings and errors with level = "warning"; in /etc/rspamd/local.d/logging.inc

but then all rspamd transactions are missing.


(Stéphane de Labrusse) #4

Did you try to filter with the drop-down box and greylisting? By the way, the history keeps only about 2000 emails, just FYI.


(Davide Principi) #5

Can we alter the log verbosity for specific components only? controller => warning, proxy => info, etc…


(Stéphane de Labrusse) #6

When you look in /etc/rspamd/logging.inc you can see some log formatting.


(Davide Principi) #7

To reduce logging noise, Rspamd detects sequential matching log messages and replaces them with a total number of repeats – https://rspamd.com/doc/configuration/logging.html#introduction

Is it true? :smile:

We could filter out unwanted messages with a /etc/rsyslog.d/ drop-in… What do you think?


(Stéphane de Labrusse) #8

Looking at

allow unauthorized connection from a trusted IP 127.0.0.1

I don’t have many iterations of this log noise; in my case it corresponds to when I use the UI, but in the case of @EddieA it seems much more frequent. Before hiding it, I would prefer to try to understand where it comes from.

@EddieA can you check your log and try to understand when this line appears in the logs… each rspamd action gets its specific ID, so it is easy to filter.

My idea is that getmail or p3scan could do it; I must admit I don’t have much experience with these two rpms.

rspamd is really talkative.
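To do the filtering suggested here (group the log by rspamd session ID and see when the noisy controller line appears, and whether it lines up with UI polling or with mail arriving), here is an added example; it is not code from this thread or from NethServer. It parses syslog lines in the layout quoted in the first post. The sample log is constructed: the first two lines are the ones quoted above, the rest are invented to resemble web UI page refreshes and one scanned message, and are not real rspamd output.

```python
import re
from collections import Counter, defaultdict

# Layout of the rspamd syslog lines quoted in the thread:
#   Mar 10 16:38:20 Nethserver rspamd[12781]: <e1e5b7>; csession; rspamd_controller_check_password: allow ...
# <sid> is the id rspamd assigns to one action (a controller request or one scanned
# message); the field after it names the worker/module that wrote the line.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"rspamd\[(?P<pid>\d+)\]: <(?P<sid>[0-9a-f]+)>; (?P<module>[^;]+); "
    r"(?P<func>[^:]+): (?P<msg>.*)$"
)

NOISE = "allow unauthorized connection from a trusted IP 127.0.0.1"

# Constructed sample log. The first two lines are the ones quoted in the thread;
# the rest are invented to resemble web UI polling (csession) and one scanned
# message (task) and are not real rspamd output.
SAMPLE_LOG = """\
Mar 10 16:38:20 Nethserver rspamd[12781]: <e1e5b7>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1
Mar 10 16:38:21 Nethserver rspamd[12781]: <08e2a6>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1
Mar 10 16:38:21 Nethserver rspamd[12781]: <08e2a6>; csession; rspamd_controller_handle_history: history request (constructed)
Mar 10 16:38:22 Nethserver rspamd[12781]: <4c91de>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1
Mar 10 16:39:05 Nethserver rspamd[12781]: <7f0a3c>; task; rspamd_task_write_log: id: <constructed-1@example.invalid>, ip: 127.0.0.1, (default: F (no action): [1.20/20.00] [RCPT_COUNT_ONE,MIME_GOOD])
Mar 10 16:39:05 Nethserver rspamd[12781]: <b3d2e1>; csession; rspamd_controller_check_password: allow unauthorized connection from a trusted IP 127.0.0.1
Mar 10 16:39:06 Nethserver rspamd[12781]: <b3d2e1>; csession; rspamd_controller_handle_stat: stat request (constructed)
"""


def parse_line(line):
    """Fields of one rspamd log line as a dict, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """All rspamd records in a block of syslog text, other lines skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def by_session(records):
    """Group records by session id: everything one controller request or one scan did."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sid"]].append(r)
    return dict(groups)


def is_ui_session(group):
    """Heuristic: a session written only by the controller worker (csession) is the
    web UI talking to rspamd, not a message being scanned."""
    return all(r["module"] == "csession" for r in group)


def noise_report(records):
    """How often the trusted-IP line appears, from which sessions, and per minute,
    which is what you would line up against UI activity and mail arrival times."""
    noise = [r for r in records if r["msg"] == NOISE]
    return {
        "total": len(records),
        "noise": len(noise),
        "noise_sessions": sorted({r["sid"] for r in noise}),
        "per_minute": dict(Counter(r["time"][:5] for r in noise)),
        "modules": dict(Counter(r["module"] for r in records)),
    }


def drop_noise(text):
    """What the log would contain if that one message text were filtered out before
    it reached the file (the effect of a syslog filter on the message text)."""
    return [l for l in text.splitlines() if NOISE not in l]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(noise_report(recs))
    for sid, group in by_session(recs).items():
        kind = "ui" if is_ui_session(group) else "scan"
        print(sid, kind, [r["func"] for r in group])
```

Run it against the real file with `parse_log(open("/var/log/maillog").read())`; the per-minute counts show whether the bursts track the UI auto-refresh interval or the arrival of mail, and `by_session` shows what each session that logged the line went on to do.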


(Eddie Atherton) #9

But logging on to the UI asks for a password.

Every time you switch tabs, there are 3 or 4 lines output. Plus, on the pages with auto-refresh, there are lines written for each refresh. I also saw lines being output when the UI was not active, when emails were received.

I just sent myself another message, and can guarantee that they are duplicate reports of a single message. What’s the best way of getting a gz’d copy of the maillog to you?

Here are the headers, from the mail listed as “Rejected”:

|Header |Value|
|---|---|
|From: |35 2018 <>|
|X-Account-Key: |account3|
|X-UIDL: |c302000080e2ac55|
|X-Mozilla-Status: |0001|
|X-Mozilla-Status2: |00000000|
|X-Mozilla-Keys: ||
|X-SUS: |1|
|Received-SPF: |pass (mail61c45.carrierzone.com: domain of bounces@qrfkj.com designates 134.73.180.212 as permitted sender) receiver=mail61c45.carrierzone.com; client-ip=134.73.180.212; helo=for212.qrfkj.com; envelope-from=bounces@qrfkj.com; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.10;|
|Authentication-Results: |mail61c45.carrierzone.com; dkim=pass (1024-bit key) header.d=qrfkj.com header.i=service@qrfkj.com header.b="HCSqL2WF"|
|X-Envelope-From: |bounces@qrfkj.com|
|Return-Path: |<bounces@qrfkj.com>|
|Received: |from for212.qrfkj.com (for212.qrfkj.com [134.73.180.212]) by mail61c45.carrierzone.com (8.14.9/8.13.1) with ESMTP id w2AB74h0028726 for <xxxxxxxx@attglobal.net>; Sat, 10 Mar 2018 06:07:09 -0500|
|DKIM-Signature: |v=1; a=rsa-sha1; c=relaxed/relaxed; s=for; d=qrfkj.com; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type; i=service@qrfkj.com; bh=J771R9Uh7Kj6GrNXg1InID80fRA=; b=HCSqL2WFkDHYx58ZU4L4k6gdQ9wWungKb3TGsYMqsQj7s3fC2xzp2FS/PtyRSGRKYXhCa/V+XXfb fXkzfgrxArHB0SmKAH81ykPVnncGyFm1+QKVrV91jAS6RY7XvPrYWX7wG3lLpLsUUDcxmiRH1N83 gpPqbxDUtT216n3ZQHM=|
|DomainKey-Signature: |a=rsa-sha1; c=nofws; q=dns; s=for; d=qrfkj.com; b=W4o2MbPYOvkeKo9XfC3atZN/+dR7CgPhoEtio8qTm0thskMG6YhxfSoPTowjEqrczXjrMlz+BZ2g g+1FX9R+1LaUGBD6b9GLyba3jj7GBdqsj/wumd5tN3JPyGykUT9nxz7RQoZGu68xSdA/Yw05Kfjw zr3whRnFnp8FZ5jTkfs=;|
|Received: |by for212.qrfkj.com id hkgn281ef6c2 for <xxxxxxxx@attglobal.net>; Sat, 10 Mar 2018 11:12:31 -0800 (envelope-from <bounces@qrfkj.com>)|
|Date: |Sat, 10 Mar 2018 19:09:38 +0800|
|To: |xxxxxxxx@attglobal.net|
|From: |FSJ shoes <service@qrfkj.com>|
|Reply-To: |service@qrfkj.com|
|Subject: |Your Spring Obession Starts At FSJ, Fringe Worthy|
|Message-ID: |<f80f7a6e82559877da73d0ca2142224b@www.feinae.com>|
|List-Unsubscribe: |<http://www.feinae.com/unsubscribe.php?id=PGY4MGY3YTZlODI1NTk4NzdkYTczZDBjYTIxNDIyMjRiQHd3dy5mZWluYWUuY29tPg%3D%3D>|
|MIME-Version: |1.0|
|Content-Type: |multipart/alternative; boundary="b1_ad76ac7232aa195753c09d0b3e6ae212"|
|X-CTCH-Spam: |Confirmed|
|X-Spam-Flag: |YES|
|X-CTCH-VOD: |Unknown|
|X-CTCH-RefID: |str=0001.0A010203.5AA3BC5D.0040,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8|
|X-CSC: |100|
|X-CHA: |v=2.2 cv=TqeWvHfh c=1 sm=1 tr=0 p=6Yr26WmE23iE3U7YaJoA:9 p=QQlrnxQHAAAA:8 p=jZ8FuRrWAAAA:20 p=5m7OR1IfgIV65GOVYcgA:9 p=W7VLEhOfYY8A:10 a=W78v2lzp3fAPqVx4HRx+uA==:117 a=W78v2lzp3fAPqVx4HRx+uA==:17 a=v2DPQv5-lfwA:10 a=-uNXE31MpBQA:10 a=91Pe_CFaAAAA:8 a=59hVPkzn48BPecAu:21 a=QEXdDO2ut3YA:10 a=SSmOFEACAAAA:8 a=uWVTpsvmcCwiEA2M:21 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=fFLrDnR0wv8A:10 a=GbyUQX3JFGcA:10 a=Rx1hDtw9qM4A:10 a=RVFYjSCg5VVYt3PfuBMJ:22 a=sA2T5Xl_MN_jWjVYyMyU:22|
|X-WHL: |LR|
|X-P3Scan: |Version 2.3.2 by <laitcg@cox.net>/<folke@ashberg.de>|
|X-Spam-Scanner: |rspamc 1.6.6|
|X-Spam-Scan-Time: |10.011|
|X-Spam-Error: |IO timeout|

The issue with the greylist items not showing could have been related to the redis issues I had initially, as I am now seeing them. However, that re-raises the point that these messages were pulled via the POP3 Proxy and so should not be greylisted, as that should only be done by a receiving MTA refusing to accept.

And lastly (for now :grinning:), the statistics provided don’t seem to make any sense. Here’s the current snapshot from the throughput:

[screenshot: throughput statistics]

And the first items shown in the history:

I have no idea where the total of 28 comes from. It’s certainly not in the last hour (selected), but it’s also not what is shown in the graph, which is the last day.

Cheers.


(Stéphane de Labrusse) #10

The statistics come from an RRD file, the history comes from redis: two different sources, maybe a step towards an explanation.


(Stéphane de Labrusse) #11

It is not the password of rspamd; we use an apache-specific user or PAM authentication (admin or a member of the admins group).
For this, only localhost is allowed to use rspamd without the internal authentication… of course we play with a reverse proxy.

Eventually the message for the secure IP could be hidden in syslog, but

which way did the email that triggered these lines in the logs come in (getmail, smtp…)?


(Stéphane de Labrusse) #12

|X-Spam-Flag: |YES|

So spam, but we do not have the score for the rejection.

For example: X-Spamd-Result: default: False [0.42 / 19.90]


(Eddie Atherton) #13

Apart from a single email per day created locally by logwatch and the couple I sent myself for testing, all other emails are pulled via the POP3 Proxy. But this is only a handful of logged lines. It is the UI that spawns the vast majority.

Cheers.


(Eddie Atherton) #14

Here’s the headers for one just received, which rspamd flagged as “Reject”, but was still passed on to Thunderbird:

|Header |Value|
|---|---|
|From: |05 2018 <>|
|X-Account-Key: |account2|
|X-UIDL: |5e91000029eb9b55|
|X-Mozilla-Status: |0001|
|X-Mozilla-Status2: |00000000|
|X-Mozilla-Keys: ||
|X-Envelope-From: |xxxxxxxx@attglobal.net|
|Return-Path: |<xxxxxxx@attglobal.net>|
|Received: |from attglobal.net (118-169-233-211.dynamic-ip.hinet.net [118.169.233.211]) by mail79c45.carrierzone.com (8.14.9/8.13.1) with ESMTP id w2CGU6Qw023946 for <xxxxxxxx@attglobal.net>; Mon, 12 Mar 2018 12:30:11 -0400|
|Received: |by attglobal.net (Postfix, from uid 5) id 4F5FB7490C4; Mon, Mar 12 2018 15:55:40 +0000 (UTC)|
|To: |xxxxxxxx@attglobal.net|
|From: |xxxxxxxx@attglobal.net|
|Subject: |AllardAkay Some drugs work to treat deprsseion, but it isn t clear how – even doctos have abosluetly no idea|
|MIME-Version: |1.0|
|Message-Id: |<1520870140.4F5FB7490C4@attglobal.net>|
|Content-Type: |multipart/alternative; boundary="1DB462B010D-466003297"|
|Date: |Mon, Mar 12 2018 15:55:40 +0000 (UTC)|
|X-CTCH-Spam: |Confirmed|
|X-Spam-Flag: |YES|
|X-CTCH-VOD: |Unknown|
|X-CTCH-RefID: |str=0001.0A010205.5AA62127.0018,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8|
|X-CSC: |100|
|X-CHA: |v=2.2 cv=N85ZLy1B c=1 sm=1 tr=0 p=Etpo2YAPAAAA:8 a=GEJDMrVBV7/rFo/WWB1NPg==:117 a=GEJDMrVBV7/rFo/WWB1NPg==:17 a=YAce-SzAL2e7FX7CAg0A:9 a=wPNLvfGTeEIA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=D6Rgubrb4wUC8bNY:21 a=_W_S_7VecoQA:10 a=Tbr8n3vFGe0fK7-G5Nst:22|
|X-WHL: |LR|
|X-P3Scan: |Version 2.3.2 by <laitcg@cox.net>/<folke@ashberg.de>|
|X-Spam-Scanner: |rspamc 1.6.6|
|X-Spam-Scan-Time: |5.398|
|X-Spam: |yes|
|X-Spam-Action: |reject|
|X-Spam-Score: |32.40 / 20.00|
|X-Spam-Level: |*******************************|
|X-Spam-Symbols: |URIBL_SBL,RCPT_COUNT_ONE,R_SPF_NA,SUBJECT_NEEDS_ENCODING, RBL_SENDERSCORE,R_DKIM_NA,URIBL_BLACK,RBL_SPAMHAUS_XBL_ANY,FREEMAIL_ENVRCPT, HFILTER_HOSTNAME_5,FROM_NO_DN,MID_RHS_MATCH_FROM,TO_DN_NONE,MX_INVALID, FREEMAIL_ENVFROM,FREEMAIL_FROM,RCVD_NO_TLS_LAST,PREVIOUSLY_DELIVERED, SPAM_FLAG,FREEMAIL_TO,URI_COUNT_ODD,TO_EQ_FROM,DBL_SPAM,FROM_EQ_ENVFROM, AUTH_NA,DMARC_NA,ABUSE_SURBL,ASN,RECEIVED_SPAMHAUS,RBL_SPAMHAUS_PBL, RCVD_COUNT_TWO,MIME_GOOD|

I can also provide the headers for mails classified as “Rewrite Subject” that are received with the original subject intact.

Cheers.
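The two header dumps above, and the X-Spamd-Result line quoted in post #12, are the evidence the thread is arguing over: what rspamc recorded versus what reached the client. Here is an added example, not code from this thread or from NethServer, that reads those headers and answers that question. The header sets are constructed from the ones posted (trimmed to the relevant fields; the symbol list is shortened), not the real raw messages. Two things are assumptions, labelled in the code: that headers appearing after X-Spam-Scanner were stamped on the NS host by p3scan/rspamc while earlier ones (the X-CTCH-* and the first X-Spam-Flag) arrived with the message from the upstream provider, and that a "rewrite subject" action would prefix the subject with "*** SPAM ***".

```python
import re
from email import message_from_string

# Constructed header sets modelled on the two posted above (trimmed to the
# relevant fields); they are not the real raw messages.
MSG_TIMEOUT = """\
Return-Path: <bounces@qrfkj.com>
From: FSJ shoes <service@qrfkj.com>
To: xxxxxxxx@attglobal.net
Subject: Your Spring Obession Starts At FSJ, Fringe Worthy
X-CTCH-Spam: Confirmed
X-Spam-Flag: YES
X-P3Scan: Version 2.3.2 by <laitcg@cox.net>/<folke@ashberg.de>
X-Spam-Scanner: rspamc 1.6.6
X-Spam-Scan-Time: 10.011
X-Spam-Error: IO timeout

"""

MSG_REJECT = """\
Return-Path: <xxxxxxx@attglobal.net>
From: xxxxxxxx@attglobal.net
To: xxxxxxxx@attglobal.net
Subject: AllardAkay Some drugs work to treat deprsseion
X-CTCH-Spam: Confirmed
X-Spam-Flag: YES
X-P3Scan: Version 2.3.2 by <laitcg@cox.net>/<folke@ashberg.de>
X-Spam-Scanner: rspamc 1.6.6
X-Spam-Scan-Time: 5.398
X-Spam: yes
X-Spam-Action: reject
X-Spam-Score: 32.40 / 20.00
X-Spam-Symbols: URIBL_SBL,RCPT_COUNT_ONE,R_SPF_NA,
 RBL_SPAMHAUS_XBL_ANY,DBL_SPAM,MIME_GOOD

"""

# The milter-style header rspamd adds itself, as quoted in post #12 (constructed message).
MSG_MILTER = """\
Subject: ordinary mail
X-Spamd-Result: default: False [0.42 / 19.90]

"""

SCORE_RE = re.compile(r"([-\d.]+)\s*/\s*([-\d.]+)")


def _clean(value):
    """Unfold a header value and squeeze whitespace; '' when the header is absent."""
    return " ".join(str(value).split()) if value is not None else ""


def audit(raw, subject_tag="*** SPAM ***"):
    """What the scanner recorded in the headers, and what the delivered copy looks like.

    subject_tag is an assumption: the prefix a 'rewrite subject' action would add.
    """
    msg = message_from_string(raw)
    names = [n.lower() for n, _ in msg.items()]
    # Assumption: headers after X-Spam-Scanner were stamped on this host by
    # p3scan/rspamc; anything before it arrived with the message from upstream.
    cut = names.index("x-spam-scanner") if "x-spam-scanner" in names else len(names)
    upstream = names[:cut]

    action = _clean(msg.get("X-Spam-Action")).lower() or None
    error = _clean(msg.get("X-Spam-Error")) or None
    score = threshold = None
    m = SCORE_RE.search(_clean(msg.get("X-Spam-Score")) or _clean(msg.get("X-Spamd-Result")))
    if m:
        score, threshold = float(m.group(1)), float(m.group(2))
    symbols = [s for s in re.split(r"[,\s]+", _clean(msg.get("X-Spam-Symbols"))) if s]

    if action:
        verdict = action
    elif error:
        verdict = "scan-failed"      # the scanner never answered, so nothing was classified
    else:
        verdict = "no action"

    return {
        "scanner": _clean(msg.get("X-Spam-Scanner")) or None,
        "error": error,
        "action": action,
        "verdict": verdict,
        "score": score,
        "threshold": threshold,
        "symbols": symbols,
        "upstream_spam_flag": "x-spam-flag" in upstream,
        "has_x_spam": _clean(msg.get("X-Spam")).lower() == "yes",
        "subject_tagged": _clean(msg.get("Subject")).startswith(subject_tag),
    }


def enforced(a):
    """Does the delivered message reflect the recorded verdict? None = cannot tell."""
    v = a["verdict"]
    if v == "reject":
        return False                 # a rejected message should not be in the mailbox at all
    if v == "rewrite subject":
        return a["subject_tagged"]
    if v == "add header":
        return a["has_x_spam"]
    if v == "no action":
        return True
    return None                      # greylist, soft reject, scan failure


if __name__ == "__main__":
    for name, raw in (("timeout", MSG_TIMEOUT), ("reject", MSG_REJECT), ("milter", MSG_MILTER)):
        a = audit(raw)
        print(name, a["verdict"], a["score"], a["threshold"], "enforced:", enforced(a))
```

On the first header set the scan timed out, so the only spam marking present came from upstream and rspamc recorded no verdict at all; on the second, rspamc recorded "reject" with a score well over the threshold, and the fact that the message is in the mailbox at all is the mismatch the thread is about.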


(Stéphane de Labrusse) #15

We need the relevant maillog transaction for your email rejection. Do you use the POP3 Proxy for them?

One way to test the spam rejection is to put the string below in an email:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

If you want to test the antivirus, send a test attachment that you can find at http://securite-informatique.info/virus/eicar/

Search for eicar if you don’t understand French.
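A small harness for the GTUBE test suggested here, as an added example rather than code from the thread or from NethServer. It builds a plain-text message carrying the GTUBE string on its own line, checks that the string survives serialisation unbroken (a wrapped or folded line would make a rejection test fail silently), and submits it to an MTA over SMTP, where a reject verdict is expected to show up as an SMTP error; the host and addresses on the command line are placeholders. The antivirus test file is not included. Submitting directly to the NS MTA is the path on which a rejection can be observed at all; a copy pulled through the POP3 proxy has already been accepted by the external provider, so only headers can be added to it, which is what the two header dumps above show.

```python
import smtplib
import sys
from email.message import EmailMessage

# GTUBE: the standard anti-UBE test string quoted in the post. A scanner that honours
# it must score the message as spam, which exercises the reject path without real spam.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def build_gtube_message(sender, rcpt):
    """Plain-text test message carrying GTUBE on a line of its own."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "GTUBE test"
    # 7bit transfer encoding so the string goes over the wire literally,
    # which makes it easy to confirm in the maillog and in the delivered copy.
    msg.set_content("This is a GTUBE test message.\n\n" + GTUBE + "\n", cte="7bit")
    return msg


def gtube_intact(raw):
    """True if GTUBE appears unbroken on one line of the serialized message.

    Guards against a client or encoder folding or wrapping the line, which
    would turn a reject test into a false 'no rejection' result.
    """
    return any(line.strip() == GTUBE for line in raw.decode("ascii", "replace").splitlines())


def submit(msg, host, port=25):
    """Hand the message to the MTA over SMTP.

    Returns ("accepted", None) or ("refused", <error text>). On this path a
    reject verdict from the content filter is expected to surface as an SMTP
    error (assumption about the MTA integration); a message fetched through the
    POP3 proxy was already accepted by the external provider, so no refusal can
    happen there.
    """
    try:
        with smtplib.SMTP(host, port, timeout=30) as smtp:
            smtp.send_message(msg)
        return ("accepted", None)
    except (smtplib.SMTPException, OSError) as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    # Usage: python gtube_test.py <smtp-host> <sender> <recipient>   (placeholder names)
    if len(sys.argv) != 4:
        print("usage: gtube_test.py HOST SENDER RECIPIENT")
    else:
        msg = build_gtube_message(sys.argv[2], sys.argv[3])
        assert gtube_intact(msg.as_bytes())
        print(submit(msg, sys.argv[1]))
```

After a run, the matching transaction in the maillog (look for the sender address or the task id) is what the thread asks for: it shows whether the scanner reached a verdict and what the MTA did with it.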


(Stéphane de Labrusse) #16

3 posts were split to a new topic: Pop3 proxy and rspamd : no rejection, no rewrite subject