Whitelisting a server on rspamd

spam
mail
rspamd

(Juan Carlos Fernandez) #1

NethServer Version: 7.6.1810
Module: mail 2.4.4-1 | rspam 1.8.2-2

I have 2 mail servers, one’s acting as a relay (NS 7.6 mail server) while the other’s acting as a local delivery agent (MDaemon). I’ve noticed through the Rspamd page (Email -> Filter -> Rspamd -> History) that all mails sent from my MDaemon mail server IP get scores for the following symbols:

HFILTER_HELO_IP_A (1) [mail.myserver.local]
R_SPF_FAIL (1) [-all]
MID_RHS_NOT_FQDN (0.5)
HFILTER_HELO_NORES_A_OR_MX (0.3) [mail.myserver.local]
RCVD_NO_TLS_LAST (0.1)

How can I solve this issue?


(Federico Ballarini) #2

If it’s an email address that you use only for “local communications” and it is a secure address you can add this email address to whitelist in Email -> Filter (see the photo) and click on “New Allow From”.

If you want to solve the issue of sending to an external server, we can debug the problem further.

Wait for feedback.

Regards.


(Federico Ballarini) #3

But with this score I think there is no problem, is there?


(Juan Carlos Fernandez) #4

It’s not just one email address; I’m talking about all mails sent from my local delivery agent (MDaemon) to my relay mail server (NS 7.6 mail server).

Looking at those Rspamd Symbol Description:

HFILTER_HELO_IP_A means that [ Helo A IP != hostname IP ]
HFILTER_HELO_NORES_A_OR_MX means that [ Helo no resolve to A or MX ]
MID_RHS_NOT_FQDN means that [ Message-ID RHS is not a fully-qualified domain name ]


(Juan Carlos Fernandez) #5

I had to lower “Deny message spam threshold” from 20 to 3 since I’m receiving a lot of malware/spam. I also set these values higher:

[
    {
        "metric": "default",
        "actions": [

        ],
        "symbols": [
            {
                "name": "RBL_VIRUSFREE_BOTNET",
                "value": 20.0
            },
            {
                "name": "RECEIVED_BLOCKLISTDE",
                "value": 20.0
            },
            {
                "name": "RBL_MAILSPIKE_BAD",
                "value": 20.0
            },
            {
                "name": "RBL_SPAMHAUS_DROP",
                "value": 20.0
            },
            {
                "name": "RBL_SPAMHAUS_CSS",
                "value": 20.0
            },
            {
                "name": "RBL_SEM",
                "value": 20.0
            },
            {
                "name": "RBL_MAILSPIKE_WORST",
                "value": 20.0
            },
            {
                "name": "RBL_SPAMHAUS_PBL",
                "value": 20.0
            },
            {
                "name": "RBL_ABUSECH",
                "value": 20.0
            },
            {
                "name": "RBL_NIXSPAM",
                "value": 20.0
            },
            {
                "name": "RBL_SENDERSCORE",
                "value": 20.0
            },
            {
                "name": "RBL_MAILSPIKE_VERYBAD",
                "value": 20.500000
            },
            {
                "name": "RBL_SPAMHAUS_XBL_ANY",
                "value": 20.0
            },
            {
                "name": "RBL_SPAMHAUS_SBL",
                "value": 20.0
            },
            {
                "name": "RBL_SEM_IPV6",
                "value": 20.0
            },
            {
                "name": "RBL_SPAMHAUS_XBL",
                "value": 20.0
            },
            {
                "name": "RBL_BLOCKLISTDE",
                "value": 20.0
            }
        ]
    }
]

(Federico Ballarini) #6

On that page you can also add the hostname of the sender server, and all email from that server will be accepted.
I suggest you leave Deny message spam threshold at 20 and Spam threshold at 6 (default values).
This way I think you can solve your problem.

Update me. Thanks.


(Juan Carlos Fernandez) #7

You mean like this ?

As you can see I put this rule [ allow From mail.myserver.local ]

Another question, I add my MDaemon server IP in here:

Yet, rspamd keeps assigning these scores:

HFILTER_HELO_IP_A (1) [mail.myserver.local]
R_SPF_FAIL (1) [-all]
MID_RHS_NOT_FQDN (0.5)
HFILTER_HELO_NORES_A_OR_MX (0.3) [mail.myserver.local]
RCVD_NO_TLS_LAST (0.1)

Is there a way to fix this? Since my MDaemon has a local IP, can I somehow add a correct HELO (EHLO) and an MX record into dnsmasq on my NS mail? Wouldn’t that fix the problem?


(Federico Ballarini) #8

This allows the server 192.168.100.4 to send email without authentication.

Try to insert mail.myserver.local into “Rules by mail address”. Any email from this server will be whitelisted and you should see something like this in Rspamd:
Symbols FROM_WHITELIST (0) [noreply@domain.it]

Remember to click Save next to the value inserted into Allow From and then the Submit button. Update the page and see if the modifications are applied.

Also check that NS is resolving the server name correctly: if not, add a DNS record in the DNS page.
To check this, use the “nslookup” command from SSH:
nslookup mail.myserver.local
If everything is working properly I think it will return 192.168.100.4.

Then try to send an email and see if it ends up whitelisted: if not, try to insert an email address in the whitelist and send from it. Then check if it works.

If nothing works, also try to insert Allow From “IP address of your server” in this page.


(Saito Benkei) #9

Have you tried with this?


(Juan Carlos Fernandez) #10

There is no FROM_WHITELIST in Email -> Filter -> Rspamd -> Symbols

ssh root@relay.myserver.local -p 2222 nslookup mail.myserver.local
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	mail.myserver.local
Address: 192.168.100.4

I also did this [ allow From 192.168.100.4 ] to no avail.

While looking for a solution, I found that rspamd uses unbound for DNS requests. Since my problem comes from these symbols:

HFILTER_HELO_IP_A
R_SPF_FAIL
MID_RHS_NOT_FQDN
HFILTER_HELO_NORES_A_OR_MX

What about creating an A record and an MX record for my local mail server in unbound? This will solve the problem, right?


(Federico Ballarini) #11

This is not in Server Manager but in Rspamd.
Please post the screenshot of Email->Filter.
Thank you.


(Juan Carlos Fernandez) #12

This is also a screenshot of Rspamd -> Symbols


(Federico Ballarini) #13

Try to send an email from MD to NS and post screenshot of rspamd entry.

But what is the MD hostname? Is mail.myserver.local correct?


(Juan Carlos Fernandez) #14

I’m using mail.myserver.local as a replacement of my MDaemon real FQDN.


(Juan Carlos Fernandez) #15

Also BAYES_SPAM (2.965427) [93.45%] is my own fault; I just sent a mail with an attachment and completely forgot to write something in the mail’s body. :sweat_smile:

However, as you can see, HFILTER_HELO_NORES_A_OR_MX is in there because the NS server has neither an A nor an MX record for my MDaemon.


(Federico Ballarini) #16

We have to do some tests: try adding jfernandez@durerocaribe.cu to the Rspamd whitelist (allow from) and try sending an email. That way we can check that the whitelist works.


(Juan Carlos Fernandez) #17

I solved it. After searching for how to create an A record and an MX record in unbound, I did this:

nano /etc/unbound/local.d/myMDaemon.conf
local-data: "mail.myserver.local. IN MX 5 192.168.100.4"
local-data: "mail.myserver.local. IN A 192.168.100.4"

Saved this file and then restarted unbound

systemctl restart unbound.service

After this I stopped having scores on Rspamd for:
HFILTER_HELO_IP_A
HFILTER_HELO_NORES_A_OR_MX

I don’t know if I have to create a template for this
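
A simplified model of the two HELO checks described in post #4, run against the local-data lines from post #17; this is an added example, not code from the thread or from rspamd. The function names, the parser and the before/after zones are assumptions for illustration, and rspamd's real hfilter logic is more involved.

```python
import re

# Constructed sample: the two local-data lines from post #17.
LOCAL_D = '''
local-data: "mail.myserver.local. IN MX 5 192.168.100.4"
local-data: "mail.myserver.local. IN A 192.168.100.4"
'''

# name, optional TTL, class IN, type A or MX, then the record data
LINE = re.compile(
    r'^\s*local-data:\s*"(\S+)\s+(?:(\d+)\s+)?IN\s+(A|MX)\s+(.+?)"\s*$')

def parse_local_data(text):
    """Return {(name, rtype): [rdata, ...]} from unbound local-data lines."""
    zone = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        name, _ttl, rtype, rdata = m.groups()
        # rdata is kept as written. DNS defines the MX target as a host
        # name; this model only needs to know that a record exists.
        zone.setdefault((name.rstrip('.').lower(), rtype), []).append(rdata)
    return zone

def helo_symbols(helo, client_ip, zone):
    """Hypothetical helper: which of the two HELO symbols would fire."""
    helo = helo.rstrip('.').lower()
    a_records = zone.get((helo, 'A'), [])
    mx_records = zone.get((helo, 'MX'), [])
    fired = []
    if not a_records and not mx_records:
        # "Helo no resolve to A or MX"
        fired.append('HFILTER_HELO_NORES_A_OR_MX')
    if client_ip not in a_records:
        # "Helo A IP != hostname IP"
        fired.append('HFILTER_HELO_IP_A')
    return fired

if __name__ == '__main__':
    helo, ip = 'mail.myserver.local', '192.168.100.4'
    print('before:', helo_symbols(helo, ip, parse_local_data('')))
    print('after: ', helo_symbols(helo, ip, parse_local_data(LOCAL_D)))
```

The model covers only the two DNS-dependent HELO symbols; R_SPF_FAIL, MID_RHS_NOT_FQDN and RCVD_NO_TLS_LAST depend on things other than these two records.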


(Federico Ballarini) #18

Ok. Remove the tests you did in the Email->Filter page.
I think you don’t have to create a template, because it’s not a file overwritten by NethServer config.
The only thing you have to remember is that

Entries in this file override the global DNS
Example blocking email going out to example.com
local-data: "example.com. 3600 IN MX 5 127.0.0.1"
local-data: "example.com. 3600 IN A 127.0.0.1"

This file is not automatically included in the config backup. You can back up this file manually once or configure an “inclusion” in backup-data.
Mark your answer as solution to close this topic.
Good job.
Regards.


(Juan Carlos Fernandez) #19

One question, should this be a default setup when you accept a relay server?


(Michael Kicks) #20

Nice question. Maybe a specific howto should be created…
@jfernandez did you consider adding a username and password for NethServer to MDaemon?