Rspamd: ISPC configuration prevents DKIM-signing under certain condition

Hi there

Sorry yesterday I wrote about a possible bug in Rspamd behavior in ISPC but my conclusions were all wrong. After thorough review I found out why, under a certain condition, Rspamd will not DKIM sign messages coming from the same server.

This behavior can be reproduced with PHPMailer in the same server with SMTP AUTHENTICATION ENFORCED. Of course if mail wasn't authenticated it wouldn't be DKIM-signed at all. The easiest way to test it is by installing WordPress, an SMTP enforcing plugin, I tried several, for simplicity I use SMTP Mailer, and do some test mail sendings.


ISPC installation creates a file /etc/rspamd/local.d/users.conf with some contents, including this declaration:

whitelist-ip {
priority = 10;
ip = "1.2.3.4";
ip = "1234:1234:1234:1234::";

want_spam = yes;
}

Template file for this declaration is at ispconfig3_install/server/conf/rspamd_users.conf.master

Those IPs are the system's IPs. I understand this declaration tells Rspamd that mail coming from these IPs should be whitelisted, since they're local. It probably makes sense unless you have a shared hosting web server running in the same server. This declaration also prevents mail from being DKIM-signed as shown in this log:

2021-02-05 21:23:39 #4175(normal) <473566>; task; rspamd_task_write_log: id: <[email protected]>, qid: <B2437CF00068>, ip: 1234:1234:1234:1234::, user: [email protected], from: <[email protected]>, (default: S (no action): [0.00/15.00] []), len: 338, time: 635.887ms, dns req: 0, digest: <73196bcedfe1f5686d1046f5e165970d>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: whitelist-ip


However, if I comment out those ip declarations, outgoing authenticated mail coming from a script from the web server it gets DKIM-signed as you can see in the logs:

2021-02-05 21:17:39 #3868(normal) <cb5907>; task; rspamd_task_write_log: id: <[email protected]>, qid: <A1223CF00068>, ip: 1234:1234:1234:1234::, user: [email protected], from: <[email protected]>, (default: F (no action): [-0.10/15.00] [MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:16276, ipnet:2001:41d0::/32, country:FR;},DKIM_SIGNED(0.00){cibernetik.com:s=default;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_PHPMAILER_SIG(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 338, time: 586.218ms, dns req: 1, digest: <461ffdbea5c9265783f3050df6af014f>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: authenticated


I'm not too familiar with RSpamd yet. In fact, all our server still use Amavis and work beautifully (this problem never happened), this comes from a test server previous to our planned migration to Rspamd. So I don't know if deleting the whitelist-ip declaration is a good idea. I've tried keeping it and force dkim-signing following the guidelines at https://rspamd.com/doc/modules/force_actions.html and https://rspamd.com/doc/modules/dkim_signing.html without any success at all. Also, I'm not sure that for those having a shared hosting web server having this declaration this is a good idea.

Can anybody with more experience with Rspamd recommend any proper course of action here? I'm afraid of deleting it and break other things.

Thanks so very much in advance for your help

Ignacio

 

Hi Jesse. First of all I want to thank you again for your reply. I see that you're the master of Rspamd in these forums. I hope I can learn from you, because I'm really interested in migrating from amavis. I'm reading its official documentation, but sometimes it is hard to understand.

For instance, you've told me to change the groups_disabled line which I did, and it worked!!! But I need confirmation from you on how and why it did, if you can spare some minutes with me and confirm my assumptions:

1.- In the official documentation it states that line disables some checks for authenticated users. So I guess it just disables rbl and spf checks for outgoing authenticated email, which makes all the sense in the world.

2.- Since priority is higher I guess it means go ahead with this, and don't bother with the whitelist-ip declaration since this one matches and priority is higher.

3.- Then System IPs are still whitelisted, but now only for unauthenticated email (since authenticated email priority is now higher) coming from both my IPv4 and IPv6. Isn't a little bit wild to allow any php script or console user, since they can send unauthenticated email, to do so? Isn't there a way to allow it up to a certain uid, for instance, so we make sure system accounts are the only ones that can send email freely?

Thanks so much again for your help

Ignacio

 

I noticed that, but Rspamd integration looks very promising. In the past I've had to tweak very much my ISPC setups to tune them to my needs (mostly the mail server part, where I had to add 3rd party programs). That made ISPC and OS version upgrades quite cumbersome. Rspamd pletora of features is going to help now.

Yes, it's just that seeing that in Rspamd makes me feel uncomfortable. In fact, I have a way in postfix to prevent all ISPC users to send unauthenticated email, and it works perfectly. I'm sharing it in case someone has a need for it:

In root's crontab

Code:

*/2 * * * * awk -F":" '$6 ~ "/clients/" {print $1}' /etc/passwd > /etc/postfix/reject_these_senders

And in /etc/postfix/main.cf

Code:

authorized_submit_users = !www-data , !/etc/postfix/reject_these_senders , static:all

Thanks again for your help

 

Hi there. I just changed those settings as you suggested. I'll keep you posted

 

Hello there,
I'm still stumped at how to force Rspamd to sign all outgoing messages with DKIM. I have checked and the configuration I have — from ISPConfig 3.2.6 — already incorporate (by default, I guess) all the above suggestions, as well as those on the Git repository.
Nevertheless, I still can't get my setup to sign outgoing DKIM messages... but I guess I'll open a new forum thread after a few more tests...

 

Hi there

I'm planning on updating to 3.2.6 on a test server later this week probably. Let me see how it works and I'll post my results.

Cheers,

Ignacio

 

When you say you cannot sign outgoing DKIM messages, do you mean all outgoing DKIM messages (including those that are authenticated), or only locally generated messages?

 

Mostly 'all' to be honest, but it's actually a bit more complex than I thought. Eventually, I managed to figure out a solution (stumbling upon it by sheer chance) — here's a new thread detailing what I wanted to achieve, why it didn't work, and that solution I just happened to find that actually works...

 

Good you found your solution. Already read it and it definitely is what you need

 

Replying to myself... Initial tests with Rspamd in 3.2.6 work beautifully. Jesse Norell has done a super job in configuring Rspamd for ispconfig

 

Indeed, kudos to Jesse!