Rspamd not rejecting but bouncing

v7
mailserver
rspamd

(Tom Böhm) #1

This is my first post - please forgive me if it is wrongly formatted

From my maillog:

> postfix/smtpd: qid: client=localhost[127.0.0.1]
> postfix/cleanup: qid: message-id=<ID>
> rspamd: <d38e47>; proxy; rspamd_message_parse: loaded message; id: <ID>; queue-id: < qid >; size: 28939; checksum: <3..8>
> rspamd: <d38e47>; proxy; rspamd_task_write_log: id: <ID>, qid: < qid >, ip: 127.0.0.1, from: <FROMADRESS>, (default: F (no action): [3.50/6.00] [FROM_EXCESS_BASE64(1.50){},TO_EXCESS_BASE64(1.50){},MID_RHS_NOT_FQDN(0.50){},MIME_BASE64_TEXT(0.10){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},RCPT_COUNT_TWO(0.00){2;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_SOME(0.00){}]), len: 28939, time: 72.093ms real, 12.262ms virtual, dns req: 0, digest: <3..8>, rcpts: < TOADRESS >, mime_rcpt: <=?utf-8?B?aGFuZA==?=@MY.SERVER:DNS>
> postfix/qmgr: qid: from=< FROMADRESS >, size=29151, nrcpt=1 (queue active)
> postfix/smtp: 8033A3 qid 032EAF: to=< TOADRESS >, relay=MY.RELAY.DNS:587, delay=1.5, delays=0.76/0.01/0.33/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 81A326F61C4)
> postfix/qmgr: qid: removed

That means my server is actively sending out mails.
And these mails might get me on blacklists.

My question:
Can rejecting be disabled?


(Davide Principi) #2

Sorry I don’t understand… A reject code is better than sending back a bounce. Do you see bounce messages originating from NethServer? Can you attach one of them? What’s in maillog from Postfix?


(Tom Böhm) #3

Yes (if I understand that correctly) my nethserver bounces => in the above example it sent a message with FROMADRESS someone@mail.ru to TOADRESS someone@melnikovmd.ru

And I think my server only handled that because it was sent to
mime_rcpt: =?utf-8?B?aGFuZA==?=@MY.SERVER.DNS

I’d like to have reject, but if it behaves in the above way I’d rather disable it


(Stéphane de Labrusse) #4

I don’t really have time today, really sorry for that, but in the example above I read a no action (score under 6)… normally we set it to 15… your mail was accepted by rspamd. I could have misunderstood, of course.

I do not understand why you spoke about reject?


(Tom Böhm) #5

Sorry - I think that I posted too fast… will study my logs in depth.
And if I understand what happened I will respond back


(Stéphane de Labrusse) #6

This is a full transaction log (on my server) of a message rejected because the score was higher than the spam level

Please check and comment @davidep and @PerpetuumMobile


(Tom Böhm) #7

I misinterpreted the log
Because of the last lines in the maillog
smtp: to=<children@ aDomain>, … status=sent
and having from=<caefisfelltranun@ bDomain> (none of my domains)
=> I thought that it is bouncing an incoming message

Then I recognized:
18:29:41 inuit postfix/smtpd[]: connect from localhost[127.0.0.1]

“why from localhost” ?
At the same time in other logs

/var/log/messages
May 11 18:29:41 inuit sshd[14926]: error: connect_to 185.26.123.232 port 25: failed.

and in httpd/error_log a huge number of these entries at the same time:
Fri May 11 18:29:41…PHP Fatal error: require_once(): Failed opening required ‘/var/lib/nethserver/vhost/ixpert.at/cloud/conf/bootstrap_context.php’ (include_path=’.:/usr/share/pear:/usr/share/php’) in /var/lib/nethserver/vhost/ixpert.at/cloud/base.conf.php on line 27

The folder “cloud” was an old pydio instance that I did not use for a long time
Never on nethserver => was transferred from my macOS machine with the other vhost content

I deleted that => No such pattern as before since then

before:
cat /var/log/maillog | grep "<=?utf-8?" | wc -l
327

cat /var/log/maillog | grep "ru>" | grep "rcpts:" | wc -l
327

in that mime_rcpt Part:
mime_rcpt: <=?utf-8?B?aW5mbw==?=@ myserverDNS>
mime_rcpt: <=?utf-8?B?cnM=?=@ myserverDNS>
mime_rcpt: <=?utf-8?B?cmVjZXA=?=@ myserverDNS> … etc.

The complete section of such an issue:

/var/log/maillog

May 11 18:29:41 inuit postfix/smtpd[16699]: connect from localhost[127.0.0.1]
May 11 18:29:41 inuit rspamd[2528]: ; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
May 11 18:29:42 inuit postfix/smtpd[16699]: 99A4530032E97: client=localhost[127.0.0.1]
May 11 18:29:42 inuit rspamd[2528]: ; milter; rspamd_milter_process_command: got connection from 127.0.0.1:35492
May 11 18:29:42 inuit postfix/cleanup[16685]: 99A4530032E97: message-id=
May 11 18:29:43 inuit rspamd[2528]: ; proxy; rspamd_mime_part_detect_language: detected part language: ru
May 11 18:29:43 inuit rspamd[2528]: ; proxy; rspamd_message_parse: loaded message; id: ; queue-id: <99A4530032E97>; size: 22281; checksum:
May 11 18:29:43 inuit rspamd[2528]: ; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
May 11 18:29:43 inuit rspamd[2528]: ; proxy; spf_symbol_callback: skip SPF checks for local networks and authorized users
May 11 18:29:43 inuit rspamd[2528]: ; lua; once_received.lua:84: Skipping once_received for authenticated user or local network
May 11 18:29:43 inuit rspamd[2528]: ; lua; dmarc.lua:218: skip DMARC checks for local networks and authorized users
May 11 18:29:43 inuit rspamd[2528]: ; lua; ip_score.lua:312: skip IP Score for local networks and authorized users
May 11 18:29:43 inuit rspamd[2528]: ; lua; replies.lua:113: storing message-id for replies check
May 11 18:29:43 inuit rspamd[2528]: ; proxy; rspamd_task_write_log: id: , qid: <99A4530032E97>, ip: 127.0.0.1, from: <caefisfelltranun@ bDomain>, (default: F (rewrite subject): [7.06/6.00] [BAYES_SPAM(3.56){98.56%;},FROM_EXCESS_BASE64(1.50){},TO_EXCESS_BASE64(1.50){},MID_RHS_NOT_FQDN(0.50){},MIME_BASE64_TEXT(0.10){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},RCPT_COUNT_TWO(0.00){2;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_SOME(0.00){}]), len: 22281, time: 110.548ms real, 7.291ms virtual, dns req: 0, digest: , rcpts: <children@ aDomain>, mime_rcpt: <=?utf-8?B?Y2hpbGRyZW4=?=@ myserverDNS>
May 11 18:29:43 inuit rspamd[2528]: ; proxy; rspamd_protocol_http_reply: regexp statistics: 46 pcre regexps scanned, 6 regexps matched, 172 regexps total, 9 regexps cached, 71.24k bytes scanned using pcre, 71.24k bytes scanned total
May 11 18:29:43 inuit postfix/qmgr[1811]: 99A4530032E97: from=<caefisfelltranun@ bDomain>, size=22491, nrcpt=1 (queue active)
May 11 18:29:43 inuit postfix/smtp[16786]: Untrusted TLS connection established to asmtp.drei.at[213.94.80.8]:587: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
May 11 18:29:43 inuit postfix/smtpd[16699]: disconnect from localhost[127.0.0.1]
May 11 18:29:43 inuit rspamd[2528]: <8af855>; proxy; proxy_milter_finish_handler: finished milter connection
May 11 18:29:44 inuit postfix/smtp[16786]: 99A4530032E97: to=<children@ aDomain>, relay=asmtp.drei.at[213.94.80.8]:587, delay=1.7, delays=0.7/0.01/0.39/0.63, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C5F876F61C4)
May 11 18:29:44 inuit postfix/qmgr[1811]: 99A4530032E97: removed
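
A log check for the pattern described in post #7, as an added example that is not part of the original thread: it scans rspamd `rspamd_task_write_log` lines for messages submitted from localhost whose envelope sender is not one of the server's own domains, and decodes the base64 encoded-word in `mime_rcpt`. The sample lines, the `example.*` domains and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample lines modelled on the rspamd entries quoted in the thread;
# all example.* domains are placeholders, not values from the page.
SAMPLE_LOG = """\
May 11 18:29:43 host rspamd[2528]: <aaaaaa>; proxy; rspamd_task_write_log: id: <x@y>, qid: <99A4530032E97>, ip: 127.0.0.1, from: <caefisfelltranun@example.ru>, (default: F (rewrite subject): [7.06/6.00] [BAYES_SPAM(3.56){98.56%;}]), len: 22281, rcpts: <children@example.net>, mime_rcpt: <=?utf-8?B?Y2hpbGRyZW4=?=@mail.example.org>
May 11 18:31:02 host rspamd[2528]: <bbbbbb>; proxy; rspamd_task_write_log: id: <a@b>, qid: <11B4530032E98>, ip: 127.0.0.1, from: <root@mail.example.org>, (default: F (no action): [0.10/6.00] [MIME_GOOD(-0.10){text/plain;}]), len: 512, rcpts: <admin@example.org>, mime_rcpt: <admin@example.org>
May 11 18:32:10 host rspamd[2528]: <cccccc>; proxy; rspamd_task_write_log: id: <c@d>, qid: <22C4530032E99>, ip: 203.0.113.7, from: <bob@example.com>, (default: F (no action): [1.00/6.00] []), len: 900, rcpts: <tom@example.org>, mime_rcpt: <tom@example.org>
"""

TASK_RE = re.compile(
    r"rspamd_task_write_log: .*?qid: <(?P<qid>[^>]*)>, ip: (?P<ip>[^,]+), "
    r"from: <(?P<sender>[^>]*)>.*?rcpts: <(?P<rcpts>[^>]*)>, "
    r"mime_rcpt: <(?P<mime>[^>]*)>"
)
# RFC 2047 base64 encoded-word, e.g. =?utf-8?B?aW5mbw==?=
ENCODED_WORD_RE = re.compile(r"=\?([^?]+)\?[Bb]\?([A-Za-z0-9+/=]+)\?=")


def decode_words(value):
    """Replace each base64 encoded-word in value with its decoded text."""
    def repl(m):
        try:
            return base64.b64decode(m.group(2)).decode(m.group(1), "replace")
        except (LookupError, ValueError):
            return m.group(0)  # unknown charset or bad base64: keep raw text
    return ENCODED_WORD_RE.sub(repl, value)


def find_local_relayed(log_text, local_domains):
    """Return localhost-submitted messages whose sender domain is foreign."""
    hits = []
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m or m["ip"].strip() not in ("127.0.0.1", "::1"):
            continue
        sender = m["sender"].strip()
        if sender.rpartition("@")[2].lower() in local_domains:
            continue
        mime = m["mime"].strip()
        hits.append({"qid": m["qid"].strip(), "sender": sender,
                     "rcpts": m["rcpts"].strip(),
                     "mime_rcpt": decode_words(mime),
                     "encoded_header": bool(ENCODED_WORD_RE.search(mime))})
    return hits


if __name__ == "__main__":
    for hit in find_local_relayed(SAMPLE_LOG, {"example.org", "mail.example.org"}):
        print(hit)
```

Pass the contents of `/var/log/maillog` and the set of domains the server actually hosts; each hit carries the queue ID to correlate with the postfix `status=sent` line.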