Admins

La doc de postfix indique que le protocole Milter a été initialement développé pour filtrer les messages indésirables arrivant du réseau. Pour les messages qui n'arrivent pas via le serveur smtpd(8), Postfix utilise les applications Milter qui sont listées avec le paramètre cleanup_milters.

Ça explique la différence entre les deux premiers tests.

https://postfix.traduc.org/index.php/MILTER_README.html

Avec une version plus récente de la doc ça exige non_smtpd_milters. :)

Ça marche. Reste à comprendre pk madix contourne le milter.

Nov 22 12:26:10 mail postfix/submission/smtpd[1222]: connect from ...
Nov 22 12:26:10 mail postfix/submission/smtpd[1222]: Anonymous TLS connection established from ...: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Nov 22 12:26:10 mail postfix/submission/smtpd[1222]: CD9A3CC1: client=..., sasl_method=LOGIN, sasl_username=mad
Nov 22 12:26:10 mail postfix/cleanup[1203]: CD9A3CC1: message-id=<87sfvo77ou.fsf@april.org>
Nov 22 12:26:11 mail postfix/qmgr[1126]: CD9A3CC1: from=<fcouchet@april.org>, size=1188, nrcpt=1 (queue active)
Nov 22 12:26:12 mail postfix/smtp[1225]: CD9A3CC1: to=<fpoulain@metrodore.fr>, relay=spool.mail.gandi.net[217.70.178.1]:25, delay=1.5, delays=0.64/0.02/0.71/0.16, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 39A1FAC096C)
Nov 22 12:26:12 mail postfix/qmgr[1126]: CD9A3CC1: removed

Non il ne le contourne pas.

2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 39686
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; milter; rspamd_milter_process_command: got connection from ...:60486
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; proxy; rspamd_message_parse: loaded message; id: <87sfvo77ou.fsf@april.org>; queue-id: <CD9A3CC1>; size: 722; checksum: <28bb585131d9979dca82375abf8ed2eb>
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; proxy; rspamd_mime_part_detect_language: detected part language: fr
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; lua; once_received.lua:99: Skipping once_received for authenticated user or local network
2021-11-22 12:26:11 #1478(rspamd_proxy) <a2f022>; lua; greylist.lua:318: Score too low - skip greylisting
2021-11-22 12:26:11 #1478(rspamd_proxy) <a2f022>; proxy; rspamd_task_process: skip learning: <87sfvo77ou.fsf@april.org> is skipped for bayes classifier: already in class ham; probability 99.96%
2021-11-22 12:26:11 #1478(rspamd_proxy) <a2f022>; lua; neural.lua:311: skip ham sample to keep spam/ham balance; probability 0.8; 2 spam and 9 ham vectors stored
2021-11-22 12:26:11 #1478(rspamd_proxy) <a2f022>; proxy; rspamd_task_write_log: id: <87sfvo77ou.fsf@april.org>, qid: <CD9A3CC1>, ip: ..., user: mad, from: <fcouchet@april.org>, (default: F (no action): [-3.09/15.00] [BAYES_HAM(-2.99){99.96%;},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:3215, ipnet:81.249.128.0/17, country:FR;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ORG_HEADER(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;},NEURAL_HAM(-0.00){-1.000;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 722, time: 403.450ms, dns req: 8, digest: <28bb585131d9979dca82375abf8ed2eb>, rcpts: <fpoulain@metrodore.fr>, mime_rcpts: <fpoulain@metrodore.fr>
2021-11-22 12:26:11 #1478(rspamd_proxy) <a2f022>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 5 regexps matched, 174 regexps total, 53 regexps cached, 0B scanned using pcre, 1.28KiB scanned total

Ceci me déplait car ce n'est pas ce qui est sencé être en conf.

2021-11-22 12:26:10 #1478(rspamd_proxy) <a2f022>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users

modules.d/dkim_signing.conf:  sign_authenticated = true;
modules.d/dkim_signing.conf:  sign_local = true;

A priori c'est ce bug : https://github.com/rspamd/rspamd/issues/1593

https://rspamd.com/rmilter/configuration.html
strict_auth: strict checks for mails from authenticated senders (if it is no then messages originated from authenticated users and our_networks are NOT checked - that’s a default value)

Non je confonds signature et vérification. Rollback. La conf actuelle pour la signature dkim :

dkim_signing {
    use_esld = true;
    allow_hdrfrom_mismatch = false;
    selector = "dkim";
    symbol = "DKIM_SIGNED";
    allow_envfrom_empty = true;
    try_fallback = true;
    sign_authenticated = true;
    sign_networks [
        "127.2.4.7",
    ]
    use_redis = false;
    allow_username_mismatch = false;
    sign_local = true;
    key_prefix = "DKIM_KEYS";
    use_domain = "header";
    allow_hdrfrom_multiple = false;
}

Ce message ci est signé mais le log de rspamd ne le mentionne pas (sauf coté score).

2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 38802
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; milter; rspamd_milter_process_command: got connection from 172.16.0.11:49580
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; rspamd_message_parse: loaded message; id: <20211122111151.9919E362@lamp.april.org>; queue-id: <0EE99C74>; size: 376; checksum: <2fac72d84ec879620eff2ec8d9ebebee>
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; lua; once_received.lua:99: Skipping once_received for authenticated user or local network
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; bayes_classify: skipped classification as there are no text tokens. Total tokens: 12
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; lua; greylist.lua:318: Score too low - skip greylisting
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; rspamd_task_write_log: id: <20211122111151.9919E362@lamp.april.org>, qid: <0EE99C74>, ip: 172.16.0.11, from: <fpoulain@april.org>, (default: F (no action): [-0.10/15.00] [MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},DKIM_SIGNED(0.00){april.org:s=dkim;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;},NEURAL_HAM(-0.00){-1.000;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 376, time: 3.186ms, dns req: 0, digest: <2fac72d84ec879620eff2ec8d9ebebee>, rcpts: <fpoulain@metrodore.fr>, mime_rcpts: <fpoulain@metrodore.fr>
2021-11-22 12:11:53 #1478(rspamd_proxy) <249712>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 174 regexps total, 61 regexps cached, 0B scanned using pcre, 432B scanned total

Avec verbose logs.

Un mail signé :

2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:166: mail is from local address
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:382: use domain(header) for signature: april.org
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:402: final DKIM domain: april.org
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:46: add key "/var/lib/rspamd/dkim/$domain.$selector.key" using default path
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:51: set selector to "dkim" using default selector
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; lua_dkim_tools.lua:51: set domain to "april.org" using dkim_domain
2021-11-22 14:06:33 #10906(rspamd_proxy) <72be62>; dkim_signing; dkim_signing.lua:128: using key "/var/lib/rspamd/dkim/april.org.dkim.key", use selector "dkim" for domain "april.org" 

Un mail pas signé :

2021-11-22 14:07:17 #10906(rspamd_proxy) <0d89e1>; dkim_signing; lua_dkim_tools.lua:160: user is authenticated
2021-11-22 14:07:17 #10906(rspamd_proxy) <0d89e1>; dkim_signing; lua_dkim_tools.lua:382: use domain(header) for signature: april.org
2021-11-22 14:07:17 #10906(rspamd_proxy) <0d89e1>; dkim_signing; lua_dkim_tools.lua:402: final DKIM domain: april.org
2021-11-22 14:07:17 #10906(rspamd_proxy) <0d89e1>; dkim_signing; lua_dkim_tools.lua:422: couldnt find domain in username

Le code concerné est

  if auser and not settings.allow_username_mismatch then
    if not udom then
      lua_util.debugm(N, task, 'couldnt find domain in username')
      return false,{}
    end
    if settings.use_esld then
      udom = rspamd_util.get_tld(udom)
    end
    if udom ~= dkim_domain then
      lua_util.debugm(N, task, 'user domain mismatch')
      return false,{}
    end
  end

Je suppose est que le soucis est que nos users sont ivanni, fcouchet et n'ont pas le domaine inclut.

Finalement l'astuce va être de mettre allow_username_mismatch = false;

# If true, username does not need to contain matching domain
allow_username_mismatch = false;

J'ai partagé nos investigations ici : https://github.com/rspamd/rspamd/issues/1593#issuecomment-975540515