Whitelist in Mail Server not working

NethServer Version: NethServer release 7.6.1810
Module: nethserver-mail-filter-2.7.1-1 | nethserver-mail-server-2.7.1-1

I’m trying to whitelist a mail domain that is listed on RBL_SENDERSCORE to no avail. In order to do that, I went to Email -> Filter -> New allow Form -> confihar.alinet.cu -> Click the done button -> Click the submit button

However I keep receiving mails from confihar.alinet.cu marked as rejected

What am I doing wrong ?

https://mxtoolbox.com/domain/confihar.alinet.cu/
Are you sure the problem is on NethServer?
Is rSpam installed?

rpm -qa | grep 'rspam'
rspamd-1.9.1-1.x86_64

By the way I’m referring to a mail domain
mx:confihar.alinet.cu

We need the maillog transaction please

Thanks for helping out, here it is:

egrep '0493D207FDCB|TCgAAAEAAAANu3D19jzfhEhjnyttfmV6gBAAAAAA|4fffab' /var/log/maillog
Nov 12 15:40:20 hermod rspamd[12036]: <4fffab>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Nov 12 15:40:21 hermod postfix/smtpd[12486]: 0493D207FDCB: client=ns1.alinet.cu[190.92.127.32]
Nov 12 15:40:21 hermod rspamd[12036]: <4fffab>; milter; rspamd_milter_process_command: got connection from 190.92.127.32:2800
Nov 12 15:40:21 hermod postfix/cleanup[12254]: 0493D207FDCB: message-id=<!&!AAAAAAAAAAAYAAAAAAAAADeSeQUqOTRPjTljgGXKC/TCgAAAEAAAANu3D19jzfhEhjnyttfmV6gBAAAAAA==@confihar.alinet.cu>
Nov 12 15:42:38 hermod rspamd[12036]: <4fffab>; proxy; rspamd_message_parse: loaded message; id: <!&!AAAAAAAAAAAYAAAAAAAAADeSeQUqOTRPjTljgGXKC/TCgAAAEAAAANu3D19jzfhEhjnyttfmV6gBAAAAAA==@confihar.alinet.cu>; queue-id: <0493D207FDCB>; size: 2291163; checksum: <6a10bb1d899bdefb375c73ec88e716bf>
Nov 12 15:42:40 hermod rspamd[12036]: <4fffab>; proxy; rspamd_symcache_process_symbols: <!&!AAAAAAAAAAAYAAAAAAAAADeSeQUqOTRPjTljgGXKC/TCgAAAEAAAANu3D19jzfhEhjnyttfmV6gBAAAAAA==@confihar.alinet.cu> has already scored more than 19.99, so do not plan more checks
Nov 12 15:42:40 hermod rspamd[12036]: <4fffab>; lua; neural.lua:449: trained ANN rule RFANN, save spam vector, 147 bytes
Nov 12 15:42:40 hermod rspamd[12036]: <4fffab>; proxy; rspamd_task_write_log: id: <!&!AAAAAAAAAAAYAAAAAAAAADeSeQUqOTRPjTljgGXKC/TCgAAAEAAAANu3D19jzfhEhjnyttfmV6gBAAAAAA==@confihar.alinet.cu>, qid: <0493D207FDCB>, ip: 190.92.127.32, from: <andrea.mesa@confihar.alinet.cu>, (default: T (reject): [17.98/15.00] [RBL_SENDERSCORE(20.00){32.127.92.190.bl.score.senderscore.com;},IP_SCORE(-2.33){ip: (-0.06), ipnet: 190.92.112.0/20(-6.80), asn: 27725(-3.98), country: CU(-0.79);},BAYES_SPAM(0.32){70.85%;},MIME_GOOD(-0.10){multipart/mixed;multipart/related;multipart/alternative;text/plain;},RCVD_NO_TLS_LAST(0.10){},MX_GOOD(-0.01){cached: ns1.alinet.cu;},ASN(0.00){asn:27725, ipnet:190.92.112.0/20, country:CU;},DMARC_NA(0.00){alinet.cu;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_AS(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:~;5:~;6:~;7:~;...;},PREVIOUSLY_DELIVERED(0.00){ogonzalez@durerocaribe.cu;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){3;},RCVD_VIA_SMTP_AUTH(0.00){},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 2291163, time: 1674.181ms real, 33.896ms virtual, dns req: 27, digest: <6a10bb1d899bdefb375c73ec88e716bf>, rcpts: <ogonzalez@durerocaribe.cu>, mime_rcpts: <ogonzalez@durerocaribe.cu>
Nov 12 15:42:40 hermod rspamd[12036]: <4fffab>; proxy; rspamd_protocol_http_reply: regexp statistics: 398 pcre regexps scanned, 2 regexps matched, 185 regexps total, 12 regexps cached, 50.80KiB scanned using pcre, 50.80KiB scanned total
Nov 12 15:42:40 hermod postfix/cleanup[12254]: 0493D207FDCB: milter-reject: END-OF-MESSAGE from ns1.alinet.cu[190.92.127.32]: 5.7.1 Spam message rejected; from=<andrea.mesa@confihar.alinet.cu> to=<ogonzalez@durerocaribe.cu> proto=ESMTP helo=<ns1.alinet.cu>

I think I found the cause, inside the file /etc/rspamd/local.d/multimap.conf the configuration regarding whitelist/blacklist from domains has the following configuration

#whitelist the domains of senders
FROM_DOMAINS_WHITELIST {

    map = [
    "${CONFDIR}/whitelist_from_domains.map",
    ];
    type = "from";
    prefilter = true;
    action = "accept";
    filter = "email:domain:tld";
    description = "Accepted list of FROM domains";
    symbol = "FROM_DOMAINS_WHITELIST";
}

#blacklist the domains of senders
FROM_DOMAINS_BLACKLIST {
    map = [
    "${CONFDIR}/blacklist_from_domains.map",
    ];
    type = "from";
    filter = "email:domain:tld";
    description = "Refused list of FROM domains";
    symbol = "FROM_DOMAINS_BLACKLIST";
    action = "reject";
    prefilter = true;
    message = "Sender domain address rejected";
}

#whitelist the domain of recipients
TO_DOMAINS_WHITELIST {
    map = [
    "${CONFDIR}/whitelist_to_domains.map",
    ];
    type = "rcpt";
    prefilter = true;
    action = "accept";
    filter = "email:domain:tld";
    description = "Accepted list SMTP TO domain";
    symbol = "TO_DOMAINS_WHITELIST";
}

According to the documentation, email:domain:tld will parse the header value as an email address and extract the effective second level domain from it ( Somebody <user@foo.example.com> -> example.com ).
Due to this config, the effective second level domain of the email domain confihar.alinet.cu is alinet.cu, which is why it is not getting whitelisted.
There is another setup, which is email:domain; this one will parse the header value as an email address and extract the domain part from it ( Somebody <user@example.com> -> example.com ).
I modified the template /etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/10base to test this, and it is working. I just received an email from confihar.alinet.cu and the total score is 0.00.

I think this should be added to the NethServer configuration.

1 Like

So in short, if you whitelist the domain alinet.cu with the default config, it is supposed to work ???

Am I wrong?

I think it is something I would like, reject or whitelist any domain, whatever the subdomain

1 Like

Yes, other domains such as bfi.cu are being whitelisted.

+1 to that thought

Maybe we are missing some doc. What do you think @filippo_carletti @davidep @giacomo : must the whitelist/blacklist take care of the whole sub.domain.org or just domain.org?

This is what the manual says about it:

It’s possible to create an ‘Allow’ or ‘Block’ rule even for a complete email domain, not just for a single email address : you just need to specify the desired domain (e.g. : nethserver.org). – Admin Email manual

It seems reasonable to block also subdomains …but we must avoid changing the existing behavior.

2 Likes

More reason to change the current behavior, as right now it is not compliant with what the manual states, as it is not able to whitelist a complete email domain such as foo.example.com

1 Like

yes…reading this : https://www.braze.com/blog/email-subdomains/

I understand now why email subdomains are done; actually we could only blacklist or whitelist a domain, not a subdomain. Maybe we should do something.

We could imagine making two blacklists

domain.org -> email:domain:tld
sub.domain.org -> email:domain

When we parse the block_from, we could move to the good blacklist

1 Like

According to the behavior I’m getting right now, there’s no need to add extra configuration.

Only by changing email:domain:tld to email:domain in the file /etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/10base, we can get the behavior stated in the manual. Which is:

If needed I could make a PR, I just need someone to point me to the GitHub repository.

1 Like

It is done, waiting for approval

3 Likes

Thank you for your patch. I agree with you: it fixes the behavior as it is stated in the manual as we set that behavior from the times of Amavisd:

It’s possible to create an ‘Allow’ or ‘Block’ rule even for a complete email domain

However I also like the “new feature” proposal by @stephdl. If I want to block a 2nd level domain, probably I want to exclude any possible sub domain. But what if I want to whitelist any of them, as Juan is asking?

Is it possible to make the whitelist rule win over the blacklist “wildcard” one?

1 Like

The multimap takes an order, so yes it would be possible to sort what we want to accept or reject

2 Likes
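
The difference between the two multimap filters discussed above, and the two-list ordering proposed in the thread, modelled in Python as an added example (not part of the original thread and not rspamd or NethServer code). The small suffix set stands in for the public suffix list, and the "first matching rule decides" ordering and the `TWO_LISTS` layout are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed stand-in for the public suffix list (assumption: only these suffixes).
PUBLIC_SUFFIXES = {"cu", "com", "org"}

def email_domain(header):
    """Model of filter "email:domain": domain part of the address."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()

def email_domain_tld(header):
    """Model of filter "email:domain:tld": effective second-level domain."""
    labels = email_domain(header).split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: keep last two labels

FILTERS = {"email:domain": email_domain, "email:domain:tld": email_domain_tld}

def map_hit(header, entries, filter_name):
    """True when the key produced by the filter is listed in the map."""
    return FILTERS[filter_name](header) in entries

def decide(header, rules):
    """Assumed ordering model: rules are checked in order, first hit decides."""
    for action, filter_name, entries in rules:
        if map_hit(header, entries, filter_name):
            return action
    return "continue scanning"

SENDER = "andrea.mesa@confihar.alinet.cu"   # sender from the maillog above

# Hypothetical two-list layout: exact-host whitelist ahead of a wildcard blacklist.
TWO_LISTS = [
    ("accept", "email:domain", {"confihar.alinet.cu"}),
    ("reject", "email:domain:tld", {"alinet.cu"}),
]

if __name__ == "__main__":
    for name in FILTERS:
        print(name, "->", FILTERS[name](SENDER), "| whitelisted:",
              map_hit(SENDER, {"confihar.alinet.cu"}, name))
    for sender in (SENDER, "x@other.alinet.cu", "y@bfi.cu"):
        print(sender, "->", decide(sender, TWO_LISTS))
```

With the default `email:domain:tld` filter the lookup key is `alinet.cu`, so a map entry of `confihar.alinet.cu` can never match; with `email:domain` the key is the full host name and the entry matches.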

Can you start a new issue for this?

2 Likes

Yep It is a pleasure

2 Likes