rspamd not DKIM signing messages


David Mehler

Jul 24, 2018, 11:26:06 AM
to rspamd
Hello,

I'm using rspamd 1.7.8 with Postfix 3.3. Postfix is set up to talk to
rspamd via milter via smtpd_milters in main.cf. This is working as I'm
seeing rspamd headers in received messages.

What is not working is rspamd appears not to be signing messages with
my DKIM key. This is on a webmail interface, so it should be showing
up from the localhost as webmail, web server, email server, and rspamd
are all on the same machine. It's also showing up with remote clients
just sent a message through with Android's AquaMail. In neither case
do I see anything to do with DKIM in the full headers of either
message. I do see that both spf and DMARC both pass if that helps.

If this matters the webmail which is roundcube is handling multiple
domains so I have a domain-specific configuration that puts in the
correct domain if a username is only entered as username and not an
fqdn domain, so rspamd should be seeing fqdn us...@domain.com names.

Second issue is selective whitelisting of MSA clients.

Thanks.
Dave.

Ralf Hildebrandt

Jul 24, 2018, 11:40:56 AM
to dave....@gmail.com, rsp...@googlegroups.com
Do you get rspamd logging for mails submitted by the webmail interface?


--
You received this message because you are subscribed to the Google Groups "rspamd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rspamd+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/rspamd.

David Mehler

Jul 24, 2018, 12:06:48 PM
to Ralf Hildebrandt, rsp...@googlegroups.com
Hello,

Yes rspamd adds headers when sending via the webmail interface, but in
neither case phone or webmail do I get anything having to do with
DKIM.

Thanks.
Dave.

peter lees

Jul 25, 2018, 4:12:33 AM
to rspamd


On Wednesday, 25 July 2018 00:56:06 UTC+9:30, David Mehler wrote:
> Hello,
>
> I'm using rspamd 1.7.8 with Postfix 3.3. Postfix is set up to talk to
> rspamd via milter via smtpd_milters in main.cf. This is working as I'm
> seeing rspamd headers in received messages.

I'm also seeing problems with rspamd 1.7.8 and sendmail -- messages that should be being signed are not.

I can provide log info here or LMK if i should start a separate thread.
 

David Mehler

Jul 26, 2018, 1:12:07 PM
to Ralf Hildebrandt, rsp...@googlegroups.com
Hi,

Still trying to figure this out, unfortunately I am out of ideas.
Everything i'm seeing looks right.

I know a configdump would be very large, but would it help?

Thanks.
Dave.


On 7/24/18, Ralf Hildebrandt <ralf.hil...@gmail.com> wrote:

peter lees

Jul 27, 2018, 7:32:08 PM
to rspamd
I feel like it's some problem introduced in 1.7.8 - I was on 1.7.6 before & it was working ok... after the update my same config stopped working.

David Mehler

Jul 28, 2018, 3:51:20 AM
to peter lees, rspamd
Hello,

I also downgraded to 1.7.6 and my configuration began working again.
There's definitely something up with 1.7.8.

Thanks.
Dave.



Vsevolod Stakhov

Jul 28, 2018, 4:15:58 AM
to David Mehler, peter lees, rspamd

David Mehler

Jul 28, 2018, 11:18:44 AM
to Vsevolod Stakhov, peter lees, rspamd
Hello,

Thanks. The identical files configuration works on the downgrade but
fails to sign on 1.7.8.

Thanks.
Dave.

Vsevolod Stakhov

Jul 28, 2018, 1:08:39 PM
to David Mehler, peter lees, rspamd
It doesn't help me at all I'm afraid. There were no changes in this
module for quite a long time (around 1.7.5). That's why I need that
information I've asked for.

David Mehler

Jul 28, 2018, 5:24:32 PM
to Vsevolod Stakhov, peter lees, rspamd
Hi,

I do not know why or how but 1.7.8 is now working for me both with
webmail and with remote tls authenticated clients. I did not change my
configuration, just reverted to 1.7.0 which was in my system's ports,
the configuration then started working, so I went back to 1.7.8 and it
still does. I sent several messages both via remote client and
webmail, the first had an arc authentication failed, but dkim, dmarc,
and spf passed. All other messages arc passed along with the other
options.

Marco Pizzoli

Aug 1, 2018, 12:17:19 PM
to David Mehler, Vsevolod Stakhov, peter lees, rspamd
Hi, 
I have seen I have maybe the same problem.

What I see is rspamd saying (dkim_signing logs set in debug mode) it can't find a specific key file.
Problem is that the key file it is searching is the **default** selector as specified in the dkim_signing.conf file... BUT for that very specific sending @domain, I configured a different key, with a different name.

In my case, it seems rspamd is no longer able to read the "mydomain.tld {}" section in the dkim_signing.conf configuration file.

For now, my work-around was to duplicate both the key file and the public key entry in DNS, so to make it available via the default name as set in the dkim_signing.conf file.

Marco
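
A check for the failure described above (the key file for a domain/selector pair not being found), added here as an example and not part of the original posts or of rspamd: it expands a `path` template of the form `/var/lib/opendkim/keys/$domain/$selector.private`, as in the configuration dumped later in this thread, and reports whether each key file exists, is readable and is closed to other users. The function names and status codes are assumptions of this example; run it as the account rspamd runs under.

```shell
#!/bin/sh
# Added example (not rspamd code): check the key files that a dkim_signing
# `path` template resolves to. Function names and status codes are this
# example's own.

# Expand $domain and $selector in a template such as
# /var/lib/opendkim/keys/$domain/$selector.private
dkim_key_path() {
  # $1 = template, $2 = domain, $3 = selector
  printf '%s\n' "$1" | sed -e "s|[$]domain|$2|g" -e "s|[$]selector|$3|g"
}

# 0 = usable, 1 = missing, 2 = unreadable or empty, 3 = readable by "other"
check_dkim_key() {
  [ -f "$1" ] || return 1
  { [ -r "$1" ] && [ -s "$1" ]; } || return 2
  # A private key should not carry the other-read permission bit.
  [ -z "$(find "$1" -prune -perm -004)" ] || return 3
  return 0
}

# $1 = template, remaining arguments = domain:selector pairs.
# Prints "<status> <expanded path>" for each pair.
report_dkim_keys() {
  _tpl=$1
  shift
  for _pair in "$@"; do
    _key=$(dkim_key_path "$_tpl" "${_pair%%:*}" "${_pair#*:}")
    _rc=0
    check_dkim_key "$_key" || _rc=$?
    case $_rc in
      0) echo "ok $_key" ;;
      1) echo "missing $_key" ;;
      2) echo "unreadable $_key" ;;
      3) echo "too-open $_key" ;;
    esac
  done
}

# Usage:
#   sh check.sh '/var/lib/opendkim/keys/$domain/$selector.private' yseda.com:mail
if [ "$#" -gt 1 ]; then
  report_dkim_keys "$@"
fi
```

Passing both the per-domain selector and the default selector for the same domain shows which of the two files is actually present on disk.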





peter lees

Aug 13, 2018, 2:12:17 AM
to rspamd
I'm still seeing problems with 1.7.9.  DKIM signature is not being added.

I'm also continuing to have my previous problem where ARC signing doesn't appear to be working.

Anyway - let's try to get normal DKIM  for mail originating from me working first...


config dump:

# rspamadm configdump dkim_signing logging arc

*** Section dkim_signing ***
use_esld = true;
symbol = "DKIM_SIGNED";
allow_envfrom_empty = true;
allow_username_mismatch = true;
sign_local = true;
allow_hdrfrom_mismatch = false;
selector = "mail";
auth_only = true;
try_fallback = true;
path = "/var/lib/opendkim/keys/$domain/$selector.private";
sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post";
use_redis = false;
use_domain_sign_local = "header";
key_prefix = "DKIM_KEYS";
enabled = true;
use_domain = "header";
allow_hdrfrom_multiple = false;

*** End of section dkim_signing ***

*** Section logging ***
filename = "/var/log/rspamd/rspamd.log";
log_format = <<EOD
id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ from: <$>,}
(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
len: $len, time: $time_real real, $time_virtual virtual, dns req: $dns_req,
digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{, mime_rcpts: <$>}$if_filename{, file: $}
EOD
;
debug_modules [
    "dkim_signing",
]
systemd = true;
type = "console";
color = false;
log_re_cache = true;
level = "info";

*** End of section logging ***

*** Section arc ***
use_esld = false;
key_prefix = "DKIM_PRIV_KEYS";
allow_envfrom_empty = false;
symbol_sign = "ARC_SIGNED";
allow_username_mismatch = true;
sign_local = false;
allow_hdrfrom_mismatch = true;
selector = "mail";
auth_only = false;
try_fallback = true;
path = "/var/lib/opendkim/keys/$domain/$selector.private";
sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";
use_redis = false;
selector_prefix = "DKIM_SELECTORS";
sign_inbound = true;
symbol = "ARC_SIGNED";
use_domain = "recipient";
allow_hdrfrom_multiple = true;

*** End of section arc ***



# rspamadm configdump -m

Modules enabled: dkim_signing, regexp, arc, maillist, metadata_exporter, multimap, surbl, dmarc, milter_headers, whitelist, neural, trie, hfilter, phishing, emails, asn, settings, chartable, bayes_expiry, rspamd_update, replies, mid, url_redirector, rbl, once_received, fuzzy_check, ratelimit, history_redis, greylist, mime_types, forged_recipients, dkim, ip_score, force_actions, spf

Modules disabled (explicitly): spamtrap, url_tags, mx_check, url_reputation

Modules disabled (unconfigured): spamassassin, clickhouse, metric_exporter, dynamic_conf, reputation, antivirus, fuzzy_collect, dcc, maps_stats, elastic

Modules disabled (no Redis):

Modules disabled (experimental):

Modules disabled (failed):

logging  output for the session:

Aug 13 14:42:17 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; proxy_accept_socket: accepted milter connection from /run/rspamd/worker-proxy.socket port 0
Aug 13 14:42:17 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; milter; rspamd_milter_process_command: got connection from X.X.X.X:27882
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_message_parse: loaded message; id: <05D0223E-83CE-400A-B7F8-1BBE18E37F5A@yseda.com>; queue-id: <w7D5CHKO005306>; size: 1778; checksum: <f4d4116fe4847cea70db836330075a44>
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_mime_part_detect_language: detected part language: fr
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; spf_symbol_callback: skip SPF checks for local networks and authorized users
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; lua; once_received.lua:95: Skipping once_received for authenticated user or local network
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; lua; dmarc.lua:220: skip DMARC checks for local networks and authorized users
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; dkim_signing; lua_dkim_tools.lua:34: user is authenticated
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; dkim_signing; lua_dkim_tools.lua:107: use domain(header) for signature: yseda.com
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; dkim_signing; lua_dkim_tools.lua:126: final DKIM domain: yseda.com
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) lua; dkim_signing.lua:159: dkim_signing
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; fuzzy_generate_commands: <05D0223E-83CE-400A-B7F8-1BBE18E37F5A@yseda.com>, part is shorter than 1000 bytes: 46 (23 * 2.00 bytes), use direct hash
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; lua; ip_score.lua:318: skip IP Score for local networks and authorized users
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; bayes_classify: skip classification as ham class has not enough learns: 3, 200 required
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; lua; greylist.lua:258: Score too low - skip greylisting
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_stat_check_autolearn: <05D0223E-83CE-400A-B7F8-1BBE18E37F5A@yseda.com>: autolearn ham for classifier 'bayes' as message's score is negative: -1.70
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_redis_cache_timeout: connection to redis server /var/run/redis/rspamd.sock timed out
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_redis_cache_timeout: connection to redis server /var/run/redis/rspamd.sock timed out
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_task_write_log: id: <05D0223E-83CE-400A...@yseda.com>, qid: <w7D5CHKO005306>, ip: 45.124.203.14, user: pwl, from: <p...@yseda.com>, (default: F (no action): [-1.70/20.00] [SIGNED_PGP(-2.00){},MV_CASE(0.50){},MIME_GOOD(-0.20){multipart/signed;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:134067, ipnet:X.X.X.X/22, country:AU;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1778, time: 271.479ms real, 11.638ms virtual, dns req: 0, digest: <f4d4116fe4847cea70db836330075a44>, rcpts: <m4rU0kV...@dkimvalidator.com>, mime_rcpts: <m4rU0kV...@dkimvalidator.com>
Aug 13 14:42:30 outpost rspamd[5278]: (rspamd_proxy) <409f2f>; proxy; rspamd_protocol_http_reply: regexp statistics: 58 pcre regexps scanned, 1 regexps matched, 175 regexps total, 11 regexps cached, 2.15k bytes scanned using pcre, 2.15k bytes scanned total



... it seems like dkim_signing.lua includes a lot of debug logging for failures, but nothing for success, so I assume the lack of info here means everything is going OK.



example of message as received by recipient:

Received: from outpost.yseda.com (outpost.yseda.com [X.X.X.X])
	by relay-5.us-west-2.relay-prod (Postfix) with ESMTPS id 55AD1277BA
	for <m4rU0kV...@dkimvalidator.com>; Mon, 13 Aug 2018 06:02:14 +0000 (UTC)
Received: from pwl-mb.yseda.com (ip-on.provider.network [X.X.X.X] (may be forged))
	(authenticated)
	by outpost.yseda.com (8.15.2/8.15.2/SUSE Linux 0.8) with ESMTPSA id w7D620N6006276
	for <m4rU0kV...@dkimvalidator.com>; Mon, 13 Aug 2018 15:32:13 +0930
From: Peter Lees <p...@yseda.com>
Content-Type: multipart/signed;
	boundary="Apple-Mail=_C7E13AFD-EA1A-4F13-9442-9D458C096155";
	protocol="application/pgp-signature";
	micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: testing again
Message-Id: <5D53E49A-2E29-4CD9...@yseda.com>
Date: Mon, 13 Aug 2018 15:31:54 +0930
To: m4rU0kV...@dkimvalidator.com
X-Mailer: Apple Mail (2.3445.9.1)


--Apple-Mail=_C7E13AFD-EA1A-4F13-9442-9D458C096155
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

today=E2=80=99s test 6




--Apple-Mail=_C7E13AFD-EA1A-4F13-9442-9D458C096155
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP


--Apple-Mail=_C7E13AFD-EA1A-4F13-9442-9D458C096155--




Vsevolod Stakhov

Aug 13, 2018, 10:17:09 AM
to peter lees, rspamd
On 13/08/2018 07:12, peter lees wrote:
> I'm still seeing problems with 1.7.9.  DKIM signature is not being added.
>
> I'm also continuing to have my previous problem where ARC signing
> doesn't appear to be working.
>
> Anyway - let's try to get normal DKIM  for mail originating from me
> working first...
>
>
> config dump:
>
> |
>  # rspamadm configdump dkim_signing logging arc

<skipped>
> |
>
>

I was unable to reproduce this issue when using Rspamd master branch. I
have also added some more logging on debug level for it.
