mailcow-dockerized
'whitelisting postmaster smtp rcpt'-Rule disables DKIM-signing outbound mails to postmaster recipients
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
When sending outbound mails from a mailcow instance to a postmaster recipient, the current whitelisting rule in rspamd skips DKIM signing of the mail. This could lead to a bad reputation for the outbound mail due to the missing signature.
Logs:
rspamd-mailcow-1 | 2024-04-02 12:06:37 #42(normal) <7129ae>; task; rspamd_task_write_log: id: <cefe5303-0299-44e5-b198-8e37a5d5b84e@[owndomain].info>, qid: <947D2102981>, ip: X.X.X.X, user: kevin@[owndomain].info, from: <kevin@[owndomain].info>, (default: F (no action): [0.00/15.00] [DYN_RL_CHECK(0.00){}]), len: 374, time: 2.275ms, dns req: 0, digest: <ea90c6d0f528db497e6093baea37e62b>, rcpts: <postmaster@[externaldomain].de>, mime_rcpts: <postmaster@[externaldomain].de>, forced: no action "whitelisting postmaster smtp rcpt"; score=nan (set by Unknown lua)
Steps to reproduce:
1. Send a mail from a DKIM-enabled domain from within mailcow (via a mail client or via SOGo, it doesn't matter) to any external postmaster@... recipient.
2. rspamd skips this mail because of "whitelisting postmaster smtp rcpt".
3. Check in the external postmaster mailbox that the mail has no DKIM signature.
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Ubuntu 22.04.4 LTS
Server/VM specifications:
VM, 8GB/6 Cores
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM
Docker version:
26.0.0
docker-compose version or docker compose version:
v2.25.0
mailcow version:
2024-02
Reverse proxy:
Nginx
Logs of git diff:
None (except ssh-key and IP/port in create_cold_standby.sh)
Logs of iptables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18M 4956M MAILCOW all -- * * 0.0.0.0/0 0.0.0.0/0 /* mailcow */
18M 4956M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
18M 4956M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
14M 2166M ACCEPT all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1385K 87M DOCKER all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
3048K 2702M ACCEPT all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
1363K 86M ACCEPT all -- br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.4 tcp dpt:3306
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.7 tcp dpt:8983
5064 330K ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.9 tcp dpt:443
2212 122K ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.9 tcp dpt:80
10245 649K ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:587
505 29412 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:465
749 40504 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:25
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
20 1088 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
527 30716 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
1591 93411 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
322 18344 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
342 19656 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
3048K 2702M DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
18M 4956M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
3048K 2702M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
18M 4956M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MAILCOW (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
Logs of ip6tables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3210K 823M MAILCOW all * * ::/0 ::/0 /* mailcow */
3210K 823M DOCKER-USER all * * ::/0 ::/0
3044K 805M DOCKER all * br-mailcow ::/0 ::/0
2582K 769M ACCEPT all * br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED
165K 18M ACCEPT all br-mailcow !br-mailcow ::/0 ::/0
457K 33M ACCEPT all br-mailcow br-mailcow ::/0 ::/0
769 65700 DOCKER-ISOLATION-STAGE-1 all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
560 63498 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::c tcp dpt:443
445 39755 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::c tcp dpt:80
2835 345K ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::12 tcp dpt:993
148 19934 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::12 tcp dpt:995
34 3254 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::12 tcp dpt:110
31 3058 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::12 tcp dpt:143
7 492 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::12 tcp dpt:4190
1106 1872K ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:25
247 31798 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:465
365 415K ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:587
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all br-mailcow !br-mailcow ::/0 ::/0
769 65700 RETURN all * * ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * br-mailcow ::/0 ::/0
0 0 RETURN all * * ::/0 ::/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
3210K 823M RETURN all * * ::/0 ::/0
Chain MAILCOW (1 references)
pkts bytes target prot opt in out source destination
Logs of iptables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
239K 12M DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
838K 62M MASQUERADE all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.22.1.4 172.22.1.4 tcp dpt:3306
0 0 MASQUERADE tcp -- * * 172.22.1.249 172.22.1.249 tcp dpt:6379
0 0 MASQUERADE tcp -- * * 172.22.1.7 172.22.1.7 tcp dpt:8983
0 0 MASQUERADE tcp -- * * 172.22.1.9 172.22.1.9 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.22.1.9 172.22.1.9 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:587
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:465
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:25
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:12345
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:4190
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:995
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:993
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:143
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:110
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
26 1560 RETURN all -- br-mailcow * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.4:3306
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:18983 to:172.22.1.7:8983
5061 330K DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.9:443
2212 122K DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.9:80
10241 648K DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.253:587
505 29412 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.253:465
752 40684 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.253:25
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
20 1088 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190
527 30716 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995
1591 93411 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993
322 18344 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143
342 19656 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110
Logs of ip6tables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1334 94472 DOCKER all * * ::/0 ::/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all * * ::/0 !::1 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all * br-mailcow ::/0 ::/0 ADDRTYPE match dst-type LOCAL
158K 15M MASQUERADE all * !br-mailcow fd4d:6169:6c63:6f77::/64 ::/0
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:443
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:80
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:993
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:995
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:110
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:143
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:4190
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::11 fd4d:6169:6c63:6f77::11 tcp dpt:25
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::11 fd4d:6169:6c63:6f77::11 tcp dpt:465
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::11 fd4d:6169:6c63:6f77::11 tcp dpt:587
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
35 2800 RETURN all br-mailcow * ::/0 ::/0
60 4684 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:443 to:[fd4d:6169:6c63:6f77::c]:443
56 4364 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:80 to:[fd4d:6169:6c63:6f77::c]:80
147 11728 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::12]:993
24 1888 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::12]:995
4 288 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::12]:110
4 288 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::12]:143
2 144 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::12]:4190
57 4464 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::11]:25
36 2832 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::11]:465
7 528 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::11]:587
DNS check:
172.64.155.249
104.18.32.7
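The description and the steps above boil down to two observable facts: the rspamd task log shows a `forced: ...` pre-result on an authenticated (outbound) submission, and the message that arrives at the remote postmaster has no DKIM-Signature for the sending domain. The following script is an added example written for this issue, not mailcow or rspamd code; it scans task log lines in the `rspamd_task_write_log` shape quoted in the report and flags the combination "authenticated user present + forced pre-result", which is the case in which the signing module never ran, and it checks a raw message for a DKIM-Signature whose `d=` tag matches the sender's domain. The field regexes are assumptions derived from the single log line quoted above, the sample log lines and messages are constructed, and the header check only tests for presence of a signature, it does not verify one.

```python
"""Flag outbound rspamd tasks that were short-circuited by a forced pre-result,
and check a delivered message for a DKIM-Signature of the sending domain.

Added example, not mailcow or rspamd code. All regexes are assumptions based on
the rspamd_task_write_log line quoted in the issue.
"""
import re
from email import message_from_string
from typing import Optional

# Field patterns for rspamd's task log line (assumed shape, see module docstring).
_ID_RE = re.compile(r"\bid: <([^>]*)>")
_QID_RE = re.compile(r"\bqid: <([^>]*)>")
_USER_RE = re.compile(r"\buser: ([^,]+),")
_FROM_RE = re.compile(r"\bfrom: <([^>]*)>")
_RCPTS_RE = re.compile(r"\brcpts: <([^>]*)>")   # \b keeps mime_rcpts from matching
_FORCED_RE = re.compile(r'\bforced: (?P<action>[^"]+?) "(?P<reason>[^"]*)"')


def _first(rx: re.Pattern, line: str) -> str:
    m = rx.search(line)
    return m.group(1) if m else ""


def parse_task_log(line: str) -> Optional[dict]:
    """Extract the fields we care about from one task log line, or None if the
    line is not a task log entry."""
    if "rspamd_task_write_log" not in line:
        return None
    forced = _FORCED_RE.search(line)
    return {
        "id": _first(_ID_RE, line),
        "qid": _first(_QID_RE, line),
        # rspamd only logs `user:` for authenticated submissions; empty means inbound
        "user": _first(_USER_RE, line).strip(),
        "from": _first(_FROM_RE, line),
        "rcpts": _first(_RCPTS_RE, line),
        "forced_action": forced.group("action").strip() if forced else "",
        "forced_reason": forced.group("reason") if forced else "",
    }


def unsigned_outbound(lines) -> list:
    """Tasks that are authenticated submissions AND carry a forced pre-result.
    A forced pre-result stops the normal symbol pipeline, so dkim_signing did
    not run for these messages. Inbound mail hitting the same whitelist is not
    a problem and is deliberately not reported."""
    hits = []
    for line in lines:
        t = parse_task_log(line)
        if t and t["user"] and t["user"] != "unknown" and t["forced_action"]:
            hits.append(t)
    return hits


def dkim_signed_by(raw: str, domain: str) -> bool:
    """True if the raw message has a DKIM-Signature header whose d= tag equals
    `domain`. Presence check only; no cryptographic verification is done."""
    msg = message_from_string(raw)
    for sig in msg.get_all("DKIM-Signature", []):
        unfolded = str(sig).replace("\r\n", "").replace("\n", "")
        tags = dict(kv.strip().split("=", 1) for kv in unfolded.split(";") if "=" in kv)
        if tags.get("d", "").strip().lower() == domain.lower():
            return True
    return False


# Constructed sample log lines in the shape quoted in the issue (not real data):
# 1) outbound to a postmaster, forced pre-result -> left unsigned
# 2) outbound to a normal recipient, DKIM_SIGNED present -> fine
# 3) inbound to our own postmaster, forced pre-result, no user -> expected
SAMPLE_LOG = [
    'rspamd-mailcow-1 | 2024-04-02 12:06:37 #42(normal) <7129ae>; task; rspamd_task_write_log: id: <msg1@example.info>, qid: <947D2102981>, ip: 198.51.100.10, user: kevin@example.info, from: <kevin@example.info>, (default: F (no action): [0.00/15.00] [DYN_RL_CHECK(0.00){}]), len: 374, time: 2.275ms, dns req: 0, digest: <ea90c6d0>, rcpts: <postmaster@example.de>, mime_rcpts: <postmaster@example.de>, forced: no action "whitelisting postmaster smtp rcpt"; score=nan (set by Unknown lua)',
    'rspamd-mailcow-1 | 2024-04-02 12:07:01 #42(normal) <8a1c2b>; task; rspamd_task_write_log: id: <msg2@example.info>, qid: <A1B2C3D4E5>, ip: 198.51.100.10, user: kevin@example.info, from: <kevin@example.info>, (default: F (no action): [0.10/15.00] [DKIM_SIGNED(0.00){example.info:s=dkim;}]), len: 512, time: 5.1ms, dns req: 2, digest: <11aa22bb>, rcpts: <alice@example.de>, mime_rcpts: <alice@example.de>',
    'rspamd-mailcow-1 | 2024-04-02 12:08:15 #43(normal) <c0ffee>; task; rspamd_task_write_log: id: <msg3@example.org>, qid: <F00DBEEF01>, ip: 203.0.113.5, from: <bob@example.org>, (default: F (no action): [0.00/15.00] []), len: 800, time: 3.0ms, dns req: 0, digest: <33cc44dd>, rcpts: <postmaster@example.info>, mime_rcpts: <postmaster@example.info>, forced: no action "whitelisting postmaster smtp rcpt"; score=nan (set by Unknown lua)',
]

# Constructed messages: one with a (dummy, non-verifiable) signature, one without.
SIGNED_MSG = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.info;\r\n"
    " s=dkim; h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==\r\n"
    "From: kevin@example.info\r\nTo: alice@example.de\r\nSubject: test\r\n\r\nbody\r\n"
)
UNSIGNED_MSG = "From: kevin@example.info\r\nTo: postmaster@example.de\r\nSubject: test\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for t in unsigned_outbound(SAMPLE_LOG):
        print(f"UNSIGNED OUTBOUND qid={t['qid']} from={t['from']} rcpts={t['rcpts']} "
              f"forced={t['forced_action']!r} reason={t['forced_reason']!r}")
    print("signed message carries d=example.info:", dkim_signed_by(SIGNED_MSG, "example.info"))
    print("unsigned message carries d=example.info:", dkim_signed_by(UNSIGNED_MSG, "example.info"))
```

Run it against `docker compose logs rspamd-mailcow` output (or the rspamd log file) to get a list of queue IDs of outbound mails that bypassed signing; the inbound whitelist hit in the third sample line is intentionally not reported, since whitelisting incoming postmaster mail is what the rule is for. The header check is what the third reproduction step does by hand on the receiving side.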
That does not only apply to postmaster recipient addresses; it also applies to all outgoing mails from any defined forwarding host, even when the spam check is on. That's a pity if you are operating services which send noreply mails, as those are not signed, and this can even lead to being blocked.
@esackbauer and @gergernaut, if this turns out to be indeed a more widespread issue, then changing the subject of this ticket might be in order.
In our case, I can confirm that we're now running 2024-04 and that the last signed mail I have is from April 10th, whereas the first that is no longer signed is from April 23rd. This gives us only a rough idea of when a possible change happened, but none of the rspamd-related commits in that time span change anything about the current behavior for me.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.