RSpamd not signing email with dkim

Discussion in 'ISPConfig 3 Priority Support' started by felan, Feb 7, 2022.

  1. felan

    felan Member HowtoForge Supporter

    Hi everyone.
    And here we go again... I have a setup with Debian 10, multiserver and I recently converted it to run rspamd instead of amavis, but it simply won't sign outgoing e-mail with dkim... There are no errors in /var/log/rspamd/rspamd.conf and I have double checked the configs and that the files are there plus that _rspamd is part of the amavis group... I would appreciate some help here... It's kind of needed if I want to upgrade to debian 11...

    Cheers!
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What does /etc/rspamd/local.d/dkim_signing.conf contain? Are there entries for your domains in /etc/rspamd/local.d/dkim_domains.map and /etc/rspamd/local.d/dkim_selectors.map? What shows up if you run "tail -f /var/log/rspamd/rspamd.log | grep -Ei 'error|dkim'" and restart rspamd?
     
  3. felan

    felan Member HowtoForge Supporter

    Hi Jesse :)

    Code:
    try_fallback = false;
    use_esld = false;
    path_map = "/etc/rspamd/local.d/dkim_domains.map";
    selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
    Yep all domains are located here.

    Code:
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; dkim_module_config: init internal dkim module
    2022-02-09 15:56:18 #30974(main) <shcpo7>; map; rspamd_map_add: added map /etc/rspamd/local.d/dkim_domains.map
    2022-02-09 15:56:18 #30974(main) <ddwbu4>; map; rspamd_map_add: added map /etc/rspamd/local.d/dkim_selectors.map
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; lua_maps.lua:127: reuse url for /etc/rspamd/local.d/dkim_domains.map(map)
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; lua_maps.lua:149: reuse url for complex map definition chqbixcj: DKIM signing networks
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; lua_maps.lua:127: reuse url for /etc/rspamd/local.d/dkim_selectors.map(map)
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_init_lua_filters: init lua module dkim_signing from /usr/share/rspamd/plugins/dkim_signing.lua; digest: 7aa5d5d09d
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule SEM_URIBL_UNKNOWN: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule SEM_URIBL_FRESH15_UNKNOWN: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule RSPAMD_URIBL: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule SURBL_MULTI: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule URIBL_MULTI: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule DWL_DNSWL: checks: alive,user,local,dkim
    2022-02-09 15:56:18 #30974(main) <618xx7>; lua; rbl.lua:1043: added rbl rule DBL: checks: alive,dkim,emails,urls
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/local.d/maps.d/spf_dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_map_parse_backend: map '/var/lib/rspamd/spf_dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/local.d/maps.d/dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_map_parse_backend: map '/var/lib/rspamd/dkim_whitelist.inc.local' is not found, but it can be loaded automatically later
    2022-02-09 15:56:18 #30974(main) <618xx7>; cfg; rspamd_map_parse_backend: map '/etc/rspamd/maps.d/dkim_whitelist.inc' is not found, but it can be loaded automatically later
    2022-02-09 15:56:19 #30974(main) <8m79ek>; map; read_map_file: /etc/rspamd/local.d/maps.d/dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
    2022-02-09 15:56:19 #30974(main) <8m79ek>; map; read_map_file: /var/lib/rspamd/dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
    2022-02-09 15:56:19 #30974(main) <dyatkr>; map; rspamd_map_read_http_cached_file: read cached data for https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst from /var/lib/rspamd/2368c73b937d98513ed72c4b04f4247bda43fdb5.map, 2871 bytes; next check at: 2022-02-09 16:47:02; last modified on: 2021-10-11 22:07:01; etag: (NULL)
    2022-02-09 15:56:19 #30974(main) <dyatkr>; map; read_map_file: /etc/rspamd/local.d/maps.d/spf_dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
    2022-02-09 15:56:19 #30974(main) <dyatkr>; map; read_map_file: /var/lib/rspamd/spf_dkim_whitelist.inc.local: map file is not found; it will be read automatically if created
    2022-02-09 15:56:19 #30974(main) <dyatkr>; map; rspamd_kv_list_fin: read hash of 237 elements from https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst
    2022-02-09 15:56:19 #30974(main) <ddwbu4>; map; rspamd_kv_list_fin: read hash of 7 elements from /etc/rspamd/local.d/dkim_selectors.map
    2022-02-09 15:56:19 #30974(main) <shcpo7>; map; rspamd_kv_list_fin: read hash of 7 elements from /etc/rspamd/local.d/dkim_domains.map
    Thanks for your help :)
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Does your DKIM key exist in DNS as seen by rspamd on your server? It seems rspamd did some dns lookup and didn't perform some action (which I am thinking may have been DKIM and ARC signing) if the dns record for the domain wasn't found.
     
  5. felan

    felan Member HowtoForge Supporter

    Hi Jesse. Yes all DNS records are there. They are also found by amavis, which will happily sign mails.
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What logs do you get in rspamd.log when sending a message which should be signed?
     
  7. felan

    felan Member HowtoForge Supporter

    Code:
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_worker_body_handler: accepted connection from 127.0.0.1 port 48198, task ptr: 00007FBD9B6960A0
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_message_parse: loaded message; id: <[email protected]>; queue-id: <132353E900>; size: 3022; checksum: <e5634c595a7e01ef58891767c8ed6574>
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_mime_part_detect_language: detected part language: nl
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_mime_part_detect_language: detected part language: nl
    2022-02-10 19:23:27 #31198(normal) <099c6d>; lua; settings.lua:367: <[email protected]> apply static settings authenticated (id = 1937017268); authenticated matched; priority high
    2022-02-10 19:23:27 #31198(normal) <099c6d>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_add_passthrough_result: <[email protected]>: set pre-result to 'no action' (no score): 'Matched map: IP_WHITELIST' from multimap(1)
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_task_write_log: id: <[email protected]>, qid: <132353E900>, ip: 178.155.248.84, user: [email protected], from: <[email protected]>, (default: F (no action): [0.00/15.00] [ASN(0.00){asn:197288, ipnet:178.155.128.0/17, country:DK;},IP_WHITELIST(0.00){178.155.248.84;}]), len: 3022, time: 207.525ms, dns req: 1, digest: <e5634c595a7e01ef58891767c8ed6574>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, forced: no action "Matched map: IP_WHITELIST"; score=nan (set by multimap), settings_id: authenticated
    2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 0 regexps matched, 176 regexps total, 0 regexps cached, 0B scanned using pcre, 0B scanned total
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You set up the multimap module and whitelisted your ip address; the "pre-result" might indicate you used prefilter="true", perhaps that bypasses signing? In a quick test it does seem to be the case that signing is bypassed with that, but removing the prefilter setting did the same thing. I'll have to dig into that more, particularly as it will need addressed for https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1437 - if you do find anything on that, feel free to post it here.
     
  9. felan

    felan Member HowtoForge Supporter

    Hi Jesse :)
    Thanks for working on this problem. I will keep digging a bit into it and will post it in the link you mentioned. If you find anything as well, do post it in this thread as I don't often look at the ispconfig git repository ;)
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Doing a bit more testing, I find that a type="ip" whitelist will bypass signing, but whitelisting by sender addr (type="selector") does not.

    I tested changing type="ip" to type="selector" with selector="ip" .. still does not sign.

    Tried postfilters, priority, flags, everything I can find to try and no workable config. I'll search and take it up on the rspamd list if needed.
     
    Last edited: Apr 28, 2022
    felan likes this.
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This was a mis-diagnosis, whitelisting by sender addr also disables dkim signing. I haven't found any other discussion on this in a fair bit of searching, and am attempting to bring it up on the rspamd users list.
     
    felan likes this.
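A check for the symptom discussed in this thread, as an added example that is not code from any participant or from ISPConfig: it scans `rspamd_task_write_log` lines for authenticated submissions whose symbol list lacks a signing symbol and reports which module forced the pre-result. It assumes the signing module records its default `DKIM_SIGNED` symbol when it signs; the sample log lines, queue ids and addresses are constructed.

```python
import re

# Constructed sample lines in the rspamd_task_write_log layout quoted in the thread;
# queue ids, addresses and IPs are made up (documentation ranges).
SAMPLE_LOG = """\
2022-02-10 19:23:27 #31198(normal) <099c6d>; task; rspamd_task_write_log: id: <a1@example.com>, qid: <AAA111>, ip: 192.0.2.10, user: alice@example.com, from: <alice@example.com>, (default: F (no action): [0.00/15.00] [ASN(0.00){asn:64500;},IP_WHITELIST(0.00){192.0.2.10;}]), len: 3022, time: 207.525ms, dns req: 1, rcpts: <bob@example.net>, forced: no action "Matched map: IP_WHITELIST"; score=nan (set by multimap), settings_id: authenticated
2022-02-10 19:25:02 #31198(normal) <1b2c3d>; task; rspamd_task_write_log: id: <a2@example.com>, qid: <BBB222>, ip: 192.0.2.77, user: carol@example.com, from: <carol@example.com>, (default: F (no action): [-0.10/15.00] [DKIM_SIGNED(0.00){example.com:s=default;},ASN(0.00){asn:64500;}]), len: 1200, time: 35.1ms, dns req: 2, rcpts: <bob@example.net>, settings_id: authenticated
2022-02-10 19:26:40 #31198(normal) <4e5f6a>; task; rspamd_task_write_log: id: <x9@example.org>, qid: <CCC333>, ip: 198.51.100.5, from: <eve@example.org>, (default: F (no action): [1.20/15.00] [R_DKIM_ALLOW(-0.20){example.org:s=k1;}]), len: 900, time: 80.0ms, dns req: 5, rcpts: <alice@example.com>
"""

SIGN_SYMBOL = "DKIM_SIGNED"  # assumed default symbol added when a message is signed


def parse_task(line):
    """Return qid, user, symbols and forced pre-result of one task log line."""
    if "rspamd_task_write_log:" not in line:
        return None
    qid = re.search(r"qid: <([^>]*)>", line)
    user = re.search(r", user: ([^,]+),", line)  # present only for authenticated senders
    blob = re.search(r"\] \[(.*)\]\), len: ", line)
    # Drop the {...} option blocks so commas inside them do not split symbol names.
    flat = re.sub(r"\{[^}]*\}", "", blob.group(1)) if blob else ""
    symbols = {s.split("(")[0].strip() for s in flat.split(",") if s.strip()}
    forced = re.search(r'forced: (.+?) "([^"]*)"; score=\S+ \(set by (\w+)\)', line)
    return {
        "qid": qid.group(1) if qid else None,
        "user": user.group(1) if user else None,
        "symbols": symbols,
        "forced_by": forced.group(3) if forced else None,
        "forced_reason": forced.group(2) if forced else None,
    }


def unsigned_authenticated(log_text):
    """Authenticated submissions whose result carries no DKIM_SIGNED symbol."""
    findings = []
    for line in log_text.splitlines():
        task = parse_task(line)
        if task and task["user"] and SIGN_SYMBOL not in task["symbols"]:
            findings.append(task)
    return findings


if __name__ == "__main__":
    for t in unsigned_authenticated(SAMPLE_LOG):
        print(f"{t['qid']} user={t['user']} unsigned; "
              f"pre-result by {t['forced_by']}: {t['forced_reason']}")
```

Running it against a live `/var/log/rspamd/rspamd.log` in place of the sample shows whether every unsigned authenticated message coincides with a multimap pre-result.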
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  13. felan

    felan Member HowtoForge Supporter
