bug report: Rspamd dkim_signing module should have try_fallback = false ? #3433
Comments
I had to add this config in the file you mentioned.

```
path = "/etc/opendkim/keys/$domain/$selector.private";
selector = "mail";
```

And it started to sign internal emails. It validated when I checked with https://www.appmaildev.com/en/dkimfile
I think we may be talking about two different things. :) I'm coming into DMS fresh, so I never set up keys via OpenDKIM. Rather I just created them via What I was seeing is that inbound mail (from say gmail.com, linkedin.com, etc) that gets run through rspamd for filtering was also trying to be signed by rspamd (in addition to being verified). That's where the log entries about not being able to find keys for gmail.com, linkedin.com, etc were coming from. Apparently that's because the current conf has So I'm thinking that's just not the default that's wanted? I'm still very new to DMS and rspamd though, so I could be confused. :)
Well, yeah jumped in since you reported the errors I have the fix for. So apply my fix and it will fix the errors. That said I might be out of topic, but at least here is the fix. But DMS should fix this out of the box
Well, I think the fix you mention would be for people who are/were using OpenDKIM to create their local keys and just want rspamd to know where those keys are located for signing outbound mail from local domains -- which would be a different issue. What I'm saying is that rspamd currently seems to be trying to sign all mail -- not just outbound mail from local domains you have keys for. For example, if an email comes in to your server from someone@gmail.com, rspamd will currently try to sign it using a key for gmail.com, which obviously you won't have :) , and will log that it can't find the key. Give this a shot on your Docker host some time and see what comes up:
I'm thinking you will see results from that and they will likely be from inbound email from remote domains which it shouldn't be trying to sign -- because
Hmm, that's not what I concluded. The error happens when I try to write to some local user. But that's definitely interesting, until now I can not confirm it tries for other domains.
You're probably going to have to wait on @georglauterbach when he has time to spare, as he's helming the rspamd feature integration. In the meantime, this can probably be reproduced offline with two DMS instances and a local DNS (eg: CoreDNS container) + certs (eg: Smallstep container/CLI) if it's helpful to simulate a third-party like gmail. The issue you linked seems to be convincing with the last comment though: rspamd/rspamd#2832 (comment) As does this section of the Rspamd DKIM docs. So defaulting to
Thanks For clarification @Codelica you are sending
@williamdes I think you hit on the right clue! :) Basically I have DMS set up on the side to test before swapping out my current mail server. So I have my current mail server configured to also relay all incoming email to DMS for testing. However, apparently because that mail host is on the local network (mynetworks?), rspamd is trying to add DKIM signing on the mail even though it's "from" remote domains. As a quick test I changed port forwarding to DMS directly and sent a couple from Gmail which didn't trigger the dkim key not found warning. I hope that's not too confusing! But basically once I move DMS into production I shouldn't see those signing issues as remote mail will all be from remote host connections. However that does seem to mean So I'm still not sure if that's what is wanted in the end? Obviously if there is a local relay feeding external email it will hit the situation I was seeing. And really a fall back doesn't seem necessary if all the local domains have their DKIM key info in Sorry for the confusion though, the situation is different than I originally thought. EDIT: FWIW
After reading through all of this, and looking at the docs etc. I agree that Moreover, we can discuss using
Sorry to drop the ball here, I was gone mountain biking with my son this weekend. Thanks for checking into this. 👍
No worries, I am currently very slow to respond, and it might take several days.
One other thing I've run into (which I can definitely start a new issue for if needed) which is also DKIM related, is RSPAMD's
Probably best to raise a separate issue for that, but if that's a bit of a hassle, wait until @georglauterbach responds as he might be happy to update the existing PR for this issue to include that fix too. Our ENV
I'd like a bit more discussion about Either way, I am going to merge #3439 for now, which will close this issue.
I state at the end that it's probably not necessary.
Virtual aliases can send as themselves when logging in via the virtual alias (and actual account recipient as login), however this is only because of the Dovecot dummy account workaround for Dovecot Quotas, may not work when the quota feature is disabled. The mentioned config file could allow aliases or any regex for an account to be approved for more sender addresses. Rspamd TL;DR: EDIT: Unless I'm mistaken. I know Postfix is using the SASL login to compare with sender address, whereas rspamd wouldn't have that information and is presumably about a mismatch from the two mail headers of the sender address? (not sure if that changes on the Postfix end, might have some value 🤷♂️ )
📝 Preliminary Checks
👀 What Happened?
I'm not an rspamd expert by any means, but was noticing that rspamd seemed to be trying to sign (DKIM) every message -- not just outbound email from local domains. For example, if an inbound email from Gmail came, something like this would be logged:
After some Googling, I came across this issue which basically says that's the expected result if `try_fallback = true`, which seems to be the default currently: rspamd/rspamd#2832
Perhaps that should be set to false? I did so in my override.d/dkim_signing.conf and the issue seems to have disappeared without any repercussions that I can tell.
👟 Reproduction Steps
🐋 DMS Version
v12.1.0
💻 Operating System and Architecture
Debian 11
⚙️ Container configuration files
N/A but can be provided if needed
📜 Relevant log output
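
The change discussed in this report, written out as a config fragment (an added example, not the DMS or Rspamd default config and not the reporter's own file): the fallback is disabled and the only domains Rspamd may sign for are listed explicitly. The domain `example.test`, the key path and the selector value are placeholders.

```ucl
# override.d/dkim_signing.conf (the override file named in the report)

# Setting the report describes as the current default. A message that is
# selected for signing (for example because it arrived from a host in the
# local networks, as with the internal relay described in the thread) but
# whose From domain has no entry under "domain" falls back to the global
# path/selector, and Rspamd logs that it cannot find a key for that domain.
# try_fallback = true;

# Proposed setting: no fallback, sign only for domains listed below.
try_fallback = false;

# Which messages are candidates for signing at all.
sign_local = true;          # mail from hosts in local networks
sign_authenticated = true;  # mail from authenticated users

# Explicit per-domain keys. A From domain that is not listed here is left
# unsigned instead of triggering a lookup for a key that does not exist.
domain {
    example.test {                                    # placeholder domain
        path = "/path/to/dkim/example.test.private";  # placeholder key path
        selector = "mail";                            # placeholder selector
    }
}
```

With this layout every domain the server sends for needs its own entry, otherwise its outbound mail goes out without a DKIM signature.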