Rspamd whitelist

NethServer Version: 7.5.1804 (Core)
Module: rspamd 1.7.8

It seems that recent updates of my NethServer mail server changed the way rspamd manages outgoing mail.
Before this update, mails that came from the LAN weren’t checked (no X-* headers); now they are checked and they are marked as spam:

X-Spam-Flag: Yes
X-Rspamd-Queue-Id: 8F1794B
X-Spamd-Result: default: False [11.99 / 20.00];
FROM_HAS_DN(0.00)[];
RCPT_COUNT_ONE(0.00)[1];
R_SPF_SOFTFAIL(0.00)[~all];
RDNS_NONE(1.00)[];
TO_DN_NONE(0.00)[];
RCVD_COUNT_ZERO(0.00)[0];
HFILTER_HOSTNAME_UNKNOWN(2.50)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
MX_GOOD(-0.01)[cached: mx.domain.tld];
HFILTER_HELO_BADIP(4.50)[192.168.2.223,1];
DMARC_NA(0.00)[domain.tld];
MID_RHS_MATCH_FROM(0.00)[];
R_DKIM_NA(0.00)[];
ONCE_RECEIVED(0.10)[];
RCVD_TLS_ALL(0.00)[];
ONCE_RECEIVED_STRICT(4.00)[];
FROM_EQ_ENVFROM(0.00)[];
DIRECT_TO_MX(0.00)[Mozilla/5.0 (Windows NT 6.1;
WOW64;
rv:52.0) Gecko/20100101 Thunderbird/52.9.1];
MIME_GOOD(-0.10)[multipart/alternative,text/plain]
X-Rspamd-Server: posta.domain.tld
X-Spam: Yes

Is there a simple way to whitelist the internal nets?

Thanks, P.

Hi @PaulVM,

Configuration -> Email -> Filter -> Rules by mail address -> New allow From: yourdomain.tld

Works for me.

Gabriel

Not so intuitive (IMHO), but it works. Thanks.

Now in the header I have:

X-Rspamd-Queue-Id: 39F91347
X-Spamd-Result: default: False [0.00 / 20.00];
FROM_DOMAINS_WHITELIST(0.00)[domain.tld]
X-Rspamd-Server: posta.domain.tld

But I suppose this implies that every incoming mail that claims to be from @domain.tld passes without a check … not a good policy (these days a lot of scams have From: == To:).
Before the update, local outgoing mail didn’t pass through rspamd, which (IMHO) is a better policy.
I suppose I can hack the rspamd config, but if there is a cleaner way … :slight_smile:

Thanks, P.

Well, not sure: clients could be hacked and send email/viruses inside your LAN, so I prefer not to allow them even inside the LAN. Now the question is why your email was taken as spam, this is the 1c issue

This should be investigated

Check if in /etc/rspamd/rspamd.conf your local network is defined

Local_networks […]

Yes, check out this:

Email — NethServer 7 Final

No Local_networks […] variable defined.

I have:
local_addrs = "127.0.0.1 192.168.2.0/24 192.168.67.0/24";

Maybe it is what you were referring to.
Otherwise it is missing :wink:

N.B.: I identified by myself the rules that rspamd applied to the messages, but can’t find how to manage them … :wink:
And I found it strange that after a standard package update there was such a different management of mail flow.

Obviously I have already tried the suggested http://docs.nethserver.org/en/v7/mail.html#special-smtp-access-policies, which does not work for my needs, and it is really boring to insert IPs one by one :frowning:

You could try to add (not sure it changes something)

local_addrs = "127.0.0.1";
local_networks = "192.168.2.0/24 192.168.67.0/24";

systemctl restart rspamd

Watch which checks are done; some tests are disabled: Scanning outbound mail

The BADIP is out of your trusted networks: try to add its network address to trusted networks and enable “Allow relay from trusted networks” as explained in the docs

Exactly the settings I have… but;
HFILTER_HELO_BADIP(4.50)[192.168.124.126,1];

This is on the 7.6 that was upgraded from 6.9; it’s been rebooted a few times but it’s still scanning internal outgoing mail. A couple of local servers that relay through this mail server had all their emails marked as spam. I added their IPs to the “allow relay from IP addresses” box and that stopped the marking of their emails. This node has not been added to that field, so the individual IPs are being applied to the bypass but perhaps the selection box is not.
This is a different subnet than the mail server… but this subnet had been added to the trusted networks long ago: 192.168.124.0/24 & 192.168.148.0/24

I just checked another 7.6 mail server I’m running on a different domain and network… it has the same relay and trusted network settings, the node is on the same subnet and there’s no sign in the email that the email is being scanned by the server.
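
For anyone diagnosing the same symptom, here is an added example (not posted by anyone in this thread, and not NethServer or rspamd code) that parses an X-Spamd-Result header like the ones above and reports which scored symbols name a client IP that lies inside the networks you believe are local. The function names are hypothetical, and the sample header is abridged from the first post.

```python
import ipaddress
import re

# Sample input: X-Spamd-Result value abridged from the first post (folded lines kept).
SAMPLE = """default: False [11.99 / 20.00];
 RDNS_NONE(1.00)[];
 HFILTER_HOSTNAME_UNKNOWN(2.50)[];
 MX_GOOD(-0.01)[cached: mx.domain.tld];
 HFILTER_HELO_BADIP(4.50)[192.168.2.223,1];
 ONCE_RECEIVED(0.10)[];
 ONCE_RECEIVED_STRICT(4.00)[];
 DIRECT_TO_MX(0.00)[Mozilla/5.0 (Windows NT 6.1;
 WOW64;
 rv:52.0) Gecko/20100101 Thunderbird/52.9.1];
 MIME_GOOD(-0.10)[multipart/alternative,text/plain]"""

# SYMBOL(score)[options]; options may span folded lines and contain ';'.
SYMBOL = re.compile(
    r"([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\[(.*?)\](?:;|\s*$)", re.S)

def parse_result(header):
    """Return (total, required, [(symbol, score, options), ...])."""
    m = re.search(r"\[(-?[\d.]+) / ([\d.]+)\]", header)
    if m is None:
        raise ValueError("no '[score / required]' block found")
    symbols = [(n, float(s), o) for n, s, o in SYMBOL.findall(header)]
    return float(m.group(1)), float(m.group(2)), symbols

def local_sender_penalties(header, networks):
    """Positively scored symbols whose first option is an IP inside `networks`.

    `networks` is a space-separated list in the same form as local_addrs."""
    nets = [ipaddress.ip_network(n) for n in networks.split()]
    hits = []
    for name, score, opts in parse_result(header)[2]:
        if score <= 0:
            continue
        try:
            ip = ipaddress.ip_address(opts.split(",")[0].strip())
        except ValueError:
            continue  # option is not an IP (e.g. a domain or a user agent)
        if any(ip in net for net in nets):
            hits.append((name, score, str(ip)))
    return hits

if __name__ == "__main__":
    total, required, symbols = parse_result(SAMPLE)
    print(f"score {total} / {required}")
    for hit in local_sender_penalties(SAMPLE, "127.0.0.1 192.168.2.0/24 192.168.67.0/24"):
        print("local client penalised by", hit)
```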