Rspamd: ISPC configuration prevents DKIM-signing under certain condition

Discussion in 'Installation/Configuration' started by Ignacio Garcia, Feb 6, 2021.

  1. Hi there

    Sorry, yesterday I wrote about a possible bug in Rspamd's behaviour in ISPC, but my conclusions were all wrong. After a thorough review I found out why, under a certain condition, Rspamd will not DKIM-sign messages coming from the same server.

    This behaviour can be reproduced with PHPMailer on the same server with SMTP AUTHENTICATION ENFORCED. Of course, if mail weren't authenticated it wouldn't be DKIM-signed at all. The easiest way to test it is by installing WordPress and an SMTP-enforcing plugin (I tried several; for simplicity I use SMTP Mailer) and sending some test mails.


    ISPC installation creates a file /etc/rspamd/local.d/users.conf with some contents, including this declaration:
    Code:
    whitelist-ip {
        priority = 10;
        ip = "1.2.3.4";
        ip = "1234:1234:1234:1234::";

        want_spam = yes;
    }

    Template file for this declaration is at ispconfig3_install/server/conf/rspamd_users.conf.master

    Those IPs are the system's IPs. I understand this declaration tells Rspamd that mail coming from these IPs should be whitelisted, since they're local. It probably makes sense unless you have a shared hosting web server running on the same server. This declaration also prevents mail from being DKIM-signed, as shown in this log:

    2021-02-05 21:23:39 #4175(normal) <473566>; task; rspamd_task_write_log: id: <[email protected]>, qid: <B2437CF00068>, ip: 1234:1234:1234:1234::, user: [email protected], from: <[email protected]>, (default: S (no action): [0.00/15.00] []), len: 338, time: 635.887ms, dns req: 0, digest: <73196bcedfe1f5686d1046f5e165970d>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: whitelist-ip


    However, if I comment out those ip declarations, outgoing authenticated mail coming from a script on the web server gets DKIM-signed, as you can see in the logs:

    2021-02-05 21:17:39 #3868(normal) <cb5907>; task; rspamd_task_write_log: id: <[email protected]>, qid: <A1223CF00068>, ip: 1234:1234:1234:1234::, user: [email protected], from: <[email protected]>, (default: F (no action): [-0.10/15.00] [MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:16276, ipnet:2001:41d0::/32, country:FR;},DKIM_SIGNED(0.00){cibernetik.com:s=default;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_PHPMAILER_SIG(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 338, time: 586.218ms, dns req: 1, digest: <461ffdbea5c9265783f3050df6af014f>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: authenticated


    I'm not too familiar with Rspamd yet. In fact, all our servers still use Amavis and work beautifully (this problem never happened); this comes from a test server set up ahead of our planned migration to Rspamd. So I don't know if deleting the whitelist-ip declaration is a good idea. I've tried keeping it and forcing DKIM-signing following the guidelines at https://rspamd.com/doc/modules/force_actions.html and https://rspamd.com/doc/modules/dkim_signing.html without any success at all. Also, I'm not sure that having this declaration is a good idea for those running a shared hosting web server.

    Can anybody with more experience with Rspamd recommend a proper course of action here? I'm afraid of deleting it and breaking other things.

    Thanks so very much in advance for your help

    Ignacio
     
  2. Jesse Norell (ISPConfig Developer, Staff Member)

    Try changing the priority and groups_disabled for authenticated mail from this:
    Code:
            authenticated {
                    priority = 10;
                    authenticated = yes;
                    #apply "default" { groups_disabled = ["rbl", "spf"]; }
                    apply "default" {
                            #symbols_enabled = [];
                            symbols_disabled = [];
                            #groups_enabled = [];
                            groups_disabled = ["rbl"];
                    }
            }
    
    To:
    Code:
            authenticated {
                    priority = 20;
                    authenticated = yes;
                    apply "default" {
                            #symbols_enabled = [];
                            symbols_disabled = [];
                            #groups_enabled = [];
                            groups_disabled = ["rbl", "spf"];
                    }
            }
    
     
  3. Hi Jesse. First of all, I want to thank you again for your reply. I see that you're the master of Rspamd in these forums. I hope I can learn from you, because I'm really interested in migrating from amavis. I'm reading its official documentation, but sometimes it is hard to understand.

    For instance, you told me to change the groups_disabled line, which I did, and it worked!!! But I need confirmation from you on how and why it did, if you can spare some minutes with me and confirm my assumptions:

    1.- The official documentation states that this line disables some checks for authenticated users. So I guess it just disables RBL and SPF checks for outgoing authenticated email, which makes all the sense in the world.

    2.- Since the priority is higher, I guess it means: go ahead with this and don't bother with the whitelist-ip declaration, since this one matches and its priority is higher.

    3.- Then system IPs are still whitelisted, but now only for unauthenticated email (since the authenticated email priority is now higher) coming from both my IPv4 and IPv6. Isn't it a little bit wild to allow any PHP script or console user to do so, since they can send unauthenticated email? Isn't there a way to allow it up to a certain uid, for instance, so we make sure system accounts are the only ones that can send email freely?

    Thanks so much again for your help

    Ignacio
     
  4. Jesse Norell (ISPConfig Developer, Staff Member)

    Hah, no, actually I'm quite new to rspamd; I'm working through config issues on our first live rspamd installation. There are other folks around with at least a few years' experience (better than my few months). ISPConfig's support of rspamd is fairly new and not nearly as mature as amavis/spamassassin, so things like this still need to be noticed and fixed, new features added, etc.

    Yes, that sounds pretty accurate, and is what I hoped would happen, but I hadn't created a test setup for it.

    This whitelist only relates to rspamd; there are additional sender restrictions in postfix that can/should help prevent some of the junk coming through, so that it is never even seen by rspamd. That's the territory in which I'd put your "any php script or console user" concern.

    Running your web and mail service on the same node makes it trickier to restrict things, as 127.0.0.1 is going to be in mynetworks, which is allowed quite early in all postfix restrictions - you could try taking localhost addrs out of mynetworks and see how things work; since you're using rspamd (a milter, not a content_filter) I'd imagine fewer problems than with amavis, but it wouldn't surprise me if you need to make adjustments in places.

    I don't know if there's a way to limit local senders by uid specifically, but you can use authorized_submit_users to limit by lookup maps.
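    The priority change discussed in posts 2 to 4 can be checked with a small model of how Rspamd's settings module picks an entry (added example for this thread; not code from Rspamd or ISPConfig). It follows the documented rule that entries are tried from highest priority down and the first match wins, and it models want_spam as "skip scanning entirely", which is why the first log line above shows settings_id: whitelist-ip with no symbols and no DKIM_SIGNED. The addresses are the thread's placeholders.

```python
import ipaddress

def users_conf(authenticated_priority):
    """The two users.conf entries from the thread; only the authenticated priority varies."""
    return [
        {"id": "whitelist-ip", "priority": 10,
         "ip": ["1.2.3.4", "1234:1234:1234:1234::"], "want_spam": True},
        {"id": "authenticated", "priority": authenticated_priority,
         "authenticated": True, "groups_disabled": ["rbl", "spf"]},
    ]

def matches(entry, task):
    """True if every condition of the settings entry matches the task (message)."""
    if "ip" in entry:
        addr = ipaddress.ip_address(task["ip"])
        # ip entries may be single addresses or CIDR ranges; strict=False accepts both
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in entry["ip"]):
            return False
    if entry.get("authenticated") and not task.get("user"):
        return False
    return True

def select_settings(entries, task):
    """Highest priority first, first match wins.

    Ties keep file order in this model, which reproduces the thread's log:
    with both entries at priority 10, whitelist-ip (listed first) won."""
    for entry in sorted(entries, key=lambda e: -e["priority"]):
        if matches(entry, task):
            return entry
    return None

def scan_outcome(entries, task):
    """Return (settings_id, dkim_signed) for a task, mirroring the two log lines."""
    entry = select_settings(entries, task)
    sid = entry["id"] if entry else None
    if entry and entry.get("want_spam"):
        return sid, False               # want_spam: nothing runs, so no signing either
    return sid, bool(task.get("user"))  # model: dkim_signing signs authenticated mail

if __name__ == "__main__":
    task = {"ip": "1234:1234:1234:1234::", "user": "user@example.invalid"}
    print("priority 10:", scan_outcome(users_conf(10), task))
    print("priority 20:", scan_outcome(users_conf(20), task))
```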
     
  5. I noticed that, but Rspamd integration looks very promising. In the past I've had to tweak my ISPC setups a lot to tune them to my needs (mostly the mail server part, where I had to add 3rd-party programs). That made ISPC and OS version upgrades quite cumbersome. Rspamd's plethora of features is going to help now.


    Yes, it's just that seeing that in Rspamd makes me feel uncomfortable. In fact, I have a way in postfix to prevent all ISPC users from sending unauthenticated email, and it works perfectly. I'm sharing it in case someone has a need for it:

    In root's crontab
    Code:
    */2 * * * * awk -F":" '$6 ~ "/clients/" {print $1}' /etc/passwd > /etc/postfix/reject_these_senders
    
    And in /etc/postfix/main.cf
    Code:
    authorized_submit_users = !www-data , !/etc/postfix/reject_these_senders , static:all
    
    Thanks again for your help
     
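    To see what the cron job and the main.cf line in post 5 actually do, here is a model of both (added example for this thread; not code from Postfix or the poster). It rebuilds the reject list the way the awk one-liner does (users whose home directory is under /clients/) and then evaluates the authorized_submit_users list as postconf(5) documents it: left to right, first match wins, "!" excludes, a "/file/name" pattern stands for the file's contents. The passwd sample is constructed.

```python
# Constructed /etc/passwd sample, not taken from a real server.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
web2:x:5005:5006::/var/www/clients/client2/web2:/bin/false
ispconfig:x:5001:5002::/usr/local/ispconfig:/bin/sh
"""

def reject_list(passwd_text):
    """Same selection as: awk -F":" '$6 ~ "/clients/" {print $1}' /etc/passwd"""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6 and "/clients/" in fields[5]:   # $6 is the home dir
            users.append(fields[0])
    return users

def may_submit(user, patterns, files):
    """Evaluate an authorized_submit_users list for one local user.

    files maps a "/file/name" pattern to the names it contains, standing in
    for Postfix reading that file from disk."""
    for pattern in patterns:
        negate = pattern.startswith("!")
        pat = pattern[1:] if negate else pattern
        if pat == "static:all":
            matched = True                          # static map matches everyone
        elif pat.startswith("/"):
            matched = user in files.get(pat, [])
        else:
            matched = user == pat
        if matched:
            return not negate                       # first match decides
    return False                                    # no match: not authorized

def main_cf_decisions(passwd_text):
    """Apply the post's main.cf line to every user in the passwd sample."""
    files = {"/etc/postfix/reject_these_senders": reject_list(passwd_text)}
    patterns = ["!www-data", "!/etc/postfix/reject_these_senders", "static:all"]
    users = [line.split(":")[0] for line in passwd_text.splitlines() if line]
    return {u: may_submit(u, patterns, files) for u in users}

if __name__ == "__main__":
    for user, allowed in main_cf_decisions(PASSWD).items():
        print(f"{user}: {'may submit' if allowed else 'rejected'}")
```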
  6. Jesse Norell (ISPConfig Developer, Staff Member)

    A firewall rule to block port 25 connections on the loopback interface might fit your setup as well.
     
  7. Jesse Norell (ISPConfig Developer, Staff Member)

  8. Hi there. I just changed those settings as you suggested. I'll keep you posted.
     
