Local_networks is missing in rspamd.conf

The Option “local_networks” is missing in the rspamd.conf

All trusted nets defined in the Cockpit GUI are expanded into the "local_addrs = " option.
But the “local_addr” option seems to ignore network input like 192.168.0.0/16, which leads to the behaviour that rspamd runs checks it should not do.
Adding the local_networks option fixes that problem.

Version
NethServer 7.9.2009
nethserver-mail-filter 2.29.6 2.29.6-1.ns7

Reproduce :

  • add Trusted Net 192.168.0.0/16 in Cockpit
  • check rspamd.conf (only local_addr)
  • configure postfix to relay from an address in trusted net
  • send mail from an address in trusted net
    (this is my setup, don't know if there is a faster way)

Workaround

  • template rspamd.conf/20Options, add option local_networks="192.168.0.0/16"

Summoning @stephdl, master and commander of rSpamd :wink:

2 Likes

Could you add for us the log transaction of rspamd with and without your customization, please?

if you check /etc/rspamd/options.inc you will see that the default rspamd settings use local_addrs

May I say that the rspamd directive should be populated by trusted networks subnets?

It is, add a trusted network and it should be populated, however it seems that @_me would like to use another directive : local_networks

thx for the fast replies

I don't need to use the “local_network” directive, it just happened to work with it :slight_smile:

But I think I found the problem.

After trying different configurations which all failed (including local_networks), I noticed a difference in the syntax compared to the options.inc.

local_addrs = "127.0.0.1 192.168.0.0/16"; (template syntax)

compared to 

local_addrs = [127.0.0.1, 192.168.0.0/16]; (options.inc syntax)

I think in the “” syntax it stops evaluating after the first space.

After I changed it manually to the bracket syntax, it recognizes the local net.

(On a side note, is the options.inc read by the system? All the local nets defined there are not in my configdump local_addr.)

1 Like
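
The syntax difference described in the post above, as an added example that is not part of the original thread or of NethServer's code: a Python check that parses a rendered `local_addrs` directive, flags the quoted-string form when it holds several entries, and emits the bracket form. The function names and sample strings are constructed for illustration, and `covers(entries[:1], ip)` only models the poster's hypothesis that evaluation stops after the first space, which the thread does not confirm against rspamd's parser.

```python
import ipaddress
import re

# local_addrs as a quoted string (template output) or a [ ... ] list
# (options.inc / configdump form, with or without "=").
_DIRECTIVE = re.compile(
    r'^\s*local_addrs\s*=?\s*(?:"(?P<string>[^"]*)"|\[(?P<array>[^\]]*)\])',
    re.MULTILINE)

# Constructed samples, copied from the two syntaxes quoted in the thread.
TEMPLATE_OUTPUT = 'local_addrs = "127.0.0.1 192.168.0.0/16";'
BRACKET_FORM = 'local_addrs = [127.0.0.1, 192.168.0.0/16];'

def parse_local_addrs(conf_text):
    """Return (form, entries) for the first local_addrs directive."""
    m = _DIRECTIVE.search(conf_text)
    if m is None:
        return None, []
    if m.group("string") is not None:
        return "string", m.group("string").split()
    items = (e.strip().strip('"') for e in m.group("array").split(","))
    return "array", [e for e in items if e]

def covers(entries, client_ip):
    """True if client_ip falls inside any entry (hosts count as /32 or /128)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def render_bracket_form(entries):
    """Validate every entry, then emit the bracket list syntax."""
    for e in entries:
        ipaddress.ip_network(e, strict=False)  # ValueError on a bad entry
    return "local_addrs = [" + ", ".join(entries) + "];"

def lint_local_addrs(conf_text, trusted_networks):
    """List problems with local_addrs given the expected trusted networks."""
    form, entries = parse_local_addrs(conf_text)
    if form is None:
        return ["local_addrs is not set"]
    findings = []
    if form == "string" and len(entries) > 1:
        findings.append("quoted string holds %d entries; use the bracket list: %s"
                        % (len(entries), render_bracket_form(entries)))
    configured = {ipaddress.ip_network(e, strict=False) for e in entries}
    for net in trusted_networks:
        if ipaddress.ip_network(net, strict=False) not in configured:
            findings.append("trusted network %s is missing from local_addrs" % net)
    return findings
```

Running `lint_local_addrs` against the rendered /etc/rspamd/rspamd.conf with the trusted networks configured in Cockpit returns an empty list once the template produces the bracket form.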

Can confirm it works here too after changing the syntax.
Edited the template for /etc/rspamd/rspamd.conf to test as visualized here

No it is not, at least not here… all the settings seem to be done in the templated /etc/rspamd/rspamd.conf

@mark_nl works for me

Thank you for confirming and reporting a bug, and for finding the probable cause and the direction for the solution.

This is a very valuable first post :+1:

The potential bug still needs to be addressed… cc/ @stephdl

1 Like

Could you please attach the maillog transaction with and without the customization?

Thanks in advance

With mod: with rspamadm configdump local_addrs expands to:

local_addrs [
    "127.0.0.1",
    "10.0.0.0/24",
    "10.0.2.0/24",
]

Log:

Jan 20 12:03:00 server postfix/smtpd[12031]: connect from localhost[127.0.0.1]
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Jan 20 12:03:00 server postfix/smtpd[12031]: 76BD020713C6: client=localhost[127.0.0.1]
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:50778
Jan 20 12:03:00 server postfix/cleanup[12034]: 76BD020713C6: message-id=<kcEE.H4x6dNsgQP64cGAjQ2bV2Q.AArJ0Bvv1gE@server.mydomain.nl>
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_message_parse: loaded message; id: <kcEE.H4x6dNsgQP64cGAjQ2bV2Q.AArJ0Bvv1gE@server.mydomain.nl>; queue-id: <76BD020713C6>; size: 646; checksum: <9814fdb319075d9e19fc604ad5846bc7>
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_mime_part_detect_language: detected part language: en
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; lua; once_received.lua:98: Skipping once_received for authenticated user or local network
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_task_write_log: id: <kcEE.H4x6dNsgQP64cGAjQ2bV2Q.AArJ0Bvv1gE@server.mydomain.nl>, qid: <76BD020713C6>, ip: 127.0.0.1, from: <mark@mydomain.nl>, (default: F (no action): [2.59/20.00] [TO_EXCESS_QP(1.20){},FAKE_REPLY(1.00){},MV_CASE(0.50){},MIME_GOOD(-0.10){text/plain;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.42705053780306;},HAS_X_PRIO_THREE(0.00){3;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_EQ_ADDR_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 646, time: 172.030ms, dns req: 8, digest: <9814fdb319075d9e19fc604ad5846bc7>, rcpts: <mark@mydomain.lan>, mime_rcpts: <mark@mydomain.lan>
Jan 20 12:03:00 server rspamd[9650]: <71bfd2>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 80 regexps cached, 0B scanned using pcre, 1.01KiB scanned total
Jan 20 12:03:00 server postfix/qmgr[29671]: 76BD020713C6: from=<mark@mydomain.nl>, size=857, nrcpt=1 (queue active)
Jan 20 12:03:00 server postfix/smtpd[12031]: disconnect from localhost[127.0.0.1]
Jan 20 12:03:00 server rspamd[9650]: <1d4387>; proxy; proxy_milter_finish_handler: finished milter connection
Jan 20 12:03:00 server postfix/smtp[12035]: Untrusted TLS connection established to 10.0.0.213[10.0.0.213]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 20 12:03:00 server postfix/smtp[12035]: 76BD020713C6: to=<mark@mydomain.lan>, relay=10.0.0.213[10.0.0.213]:25, delay=0.3, delays=0.23/0.02/0.04/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BC99813C2E3)
Jan 20 12:03:00 server postfix/qmgr[29671]: 76BD020713C6: removed

Without mod: with rspamadm configdump local_addrs expands to:

local_addrs = "127.0.0.1 10.0.0.0/24 10.0.2.0/24";

Log

Jan 20 12:08:11 server postfix/smtpd[13400]: connect from localhost[127.0.0.1]
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Jan 20 12:08:11 server postfix/smtpd[13400]: 6596220713C6: client=localhost[127.0.0.1]
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:50882
Jan 20 12:08:11 server postfix/cleanup[13403]: 6596220713C6: message-id=<kcEE.I2/pGYz6Q7WjO51i4yS+FQ.gN8nihzv1gE@server.mydomain.nl>
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_message_parse: loaded message; id: <kcEE.I2/pGYz6Q7WjO51i4yS+FQ.gN8nihzv1gE@server.mydomain.nl>; queue-id: <6596220713C6>; size: 646; checksum: <9814fdb319075d9e19fc604ad5846bc7>
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_mime_part_detect_language: detected part language: en
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; once_received.lua:98: Skipping once_received for authenticated user or local network
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_task_write_log: id: <kcEE.I2/pGYz6Q7WjO51i4yS+FQ.gN8nihzv1gE@server.mydomain.nl>, qid: <6596220713C6>, ip: 127.0.0.1, from: <mark@mydomain.nl>, (default: F (no action): [2.59/20.00] [TO_EXCESS_QP(1.20){},FAKE_REPLY(1.00){},MV_CASE(0.50){},MIME_GOOD(-0.10){text/plain;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.42702659931268;},HAS_X_PRIO_THREE(0.00){3;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_EQ_ADDR_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 646, time: 173.946ms, dns req: 8, digest: <9814fdb319075d9e19fc604ad5846bc7>, rcpts: <mark@mydomain.lan>, mime_rcpts: <mark@mydomain.lan>
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 80 regexps cached, 0B scanned using pcre, 1.01KiB scanned total
Jan 20 12:08:11 server postfix/qmgr[29671]: 6596220713C6: from=<mark@mydomain.nl>, size=857, nrcpt=1 (queue active)
Jan 20 12:08:11 server postfix/smtpd[13400]: disconnect from localhost[127.0.0.1]
Jan 20 12:08:11 server rspamd[13318]: <9338db>; proxy; proxy_milter_finish_handler: finished milter connection
Jan 20 12:08:11 server postfix/smtp[13404]: Untrusted TLS connection established to 10.0.0.213[10.0.0.213]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 20 12:08:11 server postfix/smtp[13404]: 6596220713C6: to=<mark@mydomain.lan>, relay=10.0.0.213[10.0.0.213]:25, delay=0.3, delays=0.23/0.02/0.04/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AB33413C2E3)
Jan 20 12:08:11 server postfix/qmgr[29671]: 6596220713C6: removed

Have to admit I thought to see differences yesterday which I can see now.
other than this, but that is expected because the lab has an internal domain name:

1 Like

With and without your mod I saw no differences; could you highlight what you think is different?

in both I can read

Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
Jan 20 12:08:11 server rspamd[13318]: <6aaf21>; lua; once_received.lua:98: Skipping once_received for authenticated user or local network

EDIT : wait a minute :wink:

got it, @mark_nl could you make a pull request to nethserver-mail, we have room for an improvement

@_me could you try to describe the benefit you experience ?

Would help to better describe the issue and the validation before opening a PR.

1 Like

My benefit is that trusted networks defined in the Cockpit interface are now recognized by rspamd. Mail relayed from trusted networks is no longer tagged with “X-Spam-Flag: Yes” because rspamd skips certain tests (like ONCE_RECEIVED_STRICT (4), HFILTER_HOSTNAME_UNKNOWN (2.5)).

2 Likes

Hi Michael:

opened an issue and will submit a PR to fix it, hope we can count on you for testing / validation:

3 Likes

Hi @_me,

Do know if you have a test environment / setup. If you do, you can test with:

yum --enablerepo=nethserver-testing update nethserver-mail*

1 Like

Verified, thanks a lot, mate

1 Like

Sorry, I don't have a testing setup. The NethServer instance is now in use and I don't wanna mess around too much there :).

1 Like

Rooooooooohhhhhhh

Virtualbox on your laptop and go on :slight_smile:

1 Like