Gentoo Forums
[solved] rspamd blocks sending mails
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Tue Jul 25, 2023 11:16 pm    Post subject: [solved] rspamd blocks sending mails

After updating my (mail-)server, when hitting the send button in Roundcube, I get
Code:
smtp error [451] 4.7.1 ratelimit "some_limit" exceeded.


In /var/log/messages I see: smtp error [451] 4.7.1 ratelimit error

Any hint on where this could come from and how to fix it?

Edit: tried to send mail from the email app SnappyMail within Nextcloud, which worked fine.

Found in /var/log/messages:
Code:
Jul 26 01:26:17 host postfix/smtps/smtpd[8426]: connect from host.domain.tld[1.2.3.4]
Jul 26 01:26:17 host postfix/smtps/smtpd[8426]: Anonymous TLS connection established from host.domain.tld[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Jul 26 01:26:18 host postfix/smtps/smtpd[8426]: 1016A1C002C: client=host.domain.tld[1.2.3.4], sasl_method=CRAM-MD5, sasl_username=user@domain.tld
Jul 26 01:26:18 host postfix/cleanup[8429]: 1016A1C002C: message-id=<c941d83aee75d92b7c9235005f54fc56@domain.tld>
Jul 26 01:26:18 host postfix/cleanup[8429]: 1016A1C002C: milter-reject: END-OF-MESSAGE from host.domain.tld[1.2.3.4]: 4.7.1 Ratelimit "some_limit" exceeded; from=<user@domain.tld> to=<name@otherdomain.tld> proto=ESMTP helo=<mail.domain.tld>
Jul 26 01:26:18 itsrv2 postfix/smtps/smtpd[8426]: disconnect from host.domain.tld[1.2.3.4] ehlo=1 auth=1 mail=1 rcpt=1 data=0/1 rset=1 quit=1 commands=6/7


emerge --info:
Code:
Portage 3.0.49 (python 3.11.4-final-0, default/linux/amd64/17.1/no-multilib/hardened, gcc-12, glibc-2.37-r3, 6.1.41-gentoo x86_64)
=================================================================
System uname: Linux-6.1.41-gentoo-x86_64-AMD_EPYC_Processor_-with_IBPB-with-glibc2.37
KiB Mem:     6091168 total,   1996508 free
KiB Swap:    6291452 total,   6290676 free
Timestamp of repository gentoo: Tue, 25 Jul 2023 21:30:01 +0000
Head commit of repository gentoo: 69d313b4a7b041c6487a21e4154b8e8b6ebbf1c6
sh bash 5.1_p16-r6
ld GNU ld (Gentoo 2.40 p5) 2.40.0
app-misc/pax-utils:        1.3.5::gentoo
app-shells/bash:           5.1_p16-r6::gentoo
dev-lang/perl:             5.36.1-r3::gentoo
dev-lang/python:           3.11.4::gentoo
dev-lang/rust:             1.69.0-r1::gentoo
dev-util/cmake:            3.26.4-r1::gentoo
dev-util/meson:            1.1.1::gentoo
sys-apps/baselayout:       2.13-r1::gentoo
sys-apps/openrc:           0.47.1::gentoo
sys-apps/sandbox:          2.37::gentoo
sys-devel/autoconf:        2.71-r6::gentoo
sys-devel/automake:        1.16.5-r1::gentoo
sys-devel/binutils:        2.40-r5::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/gcc:             12.3.1_p20230526::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-devel/libtool:         2.4.7-r1::gentoo
sys-devel/llvm:            16.0.6::gentoo
sys-devel/make:            4.4.1-r1::gentoo
sys-kernel/linux-headers:  6.1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.37-r3::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: True
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts:
    sync-rsync-verify-metamanifest: yes

local_overlay
    location: /usr/local/portage
    masters: gentoo
    priority: 0
    volatile: True

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.4/ext-active/ /etc/php/apache2-php8.0/ext-active/ /etc/php/apache2-php8.1/ext-active/ /etc/php/cgi-php7.4/ext-active/ /etc/php/cgi-php8.0/ext-active/ /etc/php/cgi-php8.1/ext-active/ /etc/php/cli-php7.4/ext-active/ /etc/php/cli-php8.0/ext-active/ /etc/php/cli-php8.1/ext-active/ /etc/php/fpm-php7.4/ext-active/ /etc/php/fpm-php8.0/ext-active/ /etc/php/fpm-php8.1/ext-active/ /etc/php/phpdbg-php7.4/ext-active/ /etc/php/phpdbg-php8.0/ext-active/ /etc/php/phpdbg-php8.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live candy config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_CH.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
LINGUAS="de de_DE el en fr fr_FR it"
MAKEOPTS="-j5"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="3dnow 3dnowext acl amd64 apache2 authdaemond berkdb bzip2 caps cet cgi clamav clamdtop cli crypt cryptsetup curl device-mapper dkim dovecot-sasl dri exif fam fontconfig fortran fpm gd gdbm geoip hardened iconv imap jpeg libmysqlclient libtirpc maildir managesieve mmx mmxext mysql mysqli ncurses nls nptl openmp pam pcntl pcre pdo pie png popcnt readline seccomp sieve sockets spell split-usr sqlite sse sse2 sse3 sse4_1 sse4a ssl ssp symlink test-rust truetype udev unicode vhosts xattr xmlwriter xslt xtpax zip zlib" ABI_X86="64" ADA_TARGET="gnat_2021" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_http proxy_wstunnel rewrite setenvif socache_shmcb speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="de el en fr it" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" RUBY_TARGETS="ruby31" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd 
pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS


I also have a problem connecting an email client from my mobile. The corresponding error in /var/log/messages is:
Code:
Jul 26 06:24:37 host dovecot[2055]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=5.6.7.8, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<tV+9OVwBzqJSwO0z>


As I could add the account to Thunderbird on my computer, I tried different mail apps on the phone, but it's always the same, no shared cipher, so I start to think it might have to do with my mail configs? I have to admit that I hesitate to replace / modify the config files after updates, as it was difficult for me to get a working configuration for the email server (postfix and dovecot), so I'd rather keep the old configs; maybe my problems come from there? What information would be needed in order to fix this? dovecot.conf, master.cf and/or main.cf? Or other?


Last edited by Elleni on Tue Aug 15, 2023 4:34 pm; edited 4 times in total
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

PostPosted: Wed Jul 26, 2023 9:30 am

What does
Code:

grep -iE "ssl_min_protocol|cipher|_tls_mandatory_protocols|sasl" /etc/dovecot/conf.d/10-ssl.conf /etc/postfix/main.cf


say?
I think for some reason dovecot keeps failing to connect to postfix because of some weird SSL/TLS error.
That's why you exceed the limit.
Quote:

After updating my (mail-)server, when hitting send button in roundcube, I get


Did maybe dispatch-conf replace your main.cf or your 10-ssl.conf?
_________________
:)
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Wed Jul 26, 2023 12:11 pm

Code:
 grep -iE "ssl_min_protocol|cipher|_tls_mandatory_protocols|sasl" /etc/dovecot/conf.d/10-ssl.conf /etc/postfix/main.cf
/etc/dovecot/conf.d/10-ssl.conf:# SSL ciphers to use
/etc/dovecot/conf.d/10-ssl.conf:# You are encouraged to change the cipher list to
/etc/dovecot/conf.d/10-ssl.conf:#ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
/etc/dovecot/conf.d/10-ssl.conf:#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
/etc/dovecot/conf.d/10-ssl.conf:ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
/etc/dovecot/conf.d/10-ssl.conf:ssl_min_protocol = TLSv1
/etc/dovecot/conf.d/10-ssl.conf:# Prefer the server's order of ciphers over client's.
/etc/dovecot/conf.d/10-ssl.conf:#ssl_prefer_server_ciphers = no
/etc/dovecot/conf.d/10-ssl.conf:ssl_prefer_server_ciphers = yes
/etc/postfix/main.cf:smtpd_sasl_auth_enable = yes
/etc/postfix/main.cf:smtpd_sasl_type = dovecot
/etc/postfix/main.cf:smtpd_sasl_path = private/auth
/etc/postfix/main.cf:smtpd_recipient_restrictions = permit_mynetworks,reject_non_fqdn_recipient,permit_sasl_authenticated,reject_unauth_destination
/etc/postfix/main.cf:#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
/etc/postfix/main.cf:tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
/etc/postfix/main.cf:smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
/etc/postfix/main.cf:smtp_tls_mandatory_ciphers=high
/etc/postfix/main.cf:#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
/etc/postfix/main.cf:#smtpd_tls_mandatory_ciphers=high
/etc/postfix/main.cf:tls_preempt_cipherlist = yes
/etc/postfix/main.cf:# smtpd_helo_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname
/etc/postfix/main.cf:###smtpd_helo_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname
/etc/postfix/main.cf:###smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
/etc/postfix/main.cf:            #permit_sasl_authenticated
/etc/postfix/main.cf:                            permit_sasl_authenticated         
/etc/postfix/main.cf:###mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
/etc/postfix/main.cf:###mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
/etc/postfix/main.cf:###mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


I was under the impression that I had hit "zap new" all the time, but fortunately I did copy /etc/ recursively before performing the upgrade. I'll check and come back to you. Thanks :)
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

PostPosted: Wed Jul 26, 2023 12:57 pm

Maybe try
Code:

#smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers=medium
#smtpd_tls_mandatory_ciphers=medium

instead of high in main.cf?
_________________
:)
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Jul 30, 2023 11:31 am

Hi,

Unfortunately this doesn't help. I checked first by re-copying all the content from the /etc/ backup back, to be sure there is no overwritten default config problem, then changed the two mentioned smtp_tls_ciphers and smtp_tls_mandatory_ciphers to medium, but I still get the same milter error of some_limit exceeded.

So possibly something changed with new postfix / smtp which is incompatible with the config I had before?

Unfortunately there is no older version than the newly installed 3.8.1 anymore, so I cannot downgrade to see if the problem is fixed, so I am out of ideas on how to proceed...

I see those versions in distfiles though:
Code:

ls -l /var/cache/distfiles/postfix*
-rw-rw-r-- 1 portage portage 4825380 11. Okt 2022  /var/cache/distfiles/postfix-3.7.3.tar.gz
-rw-rw-r-- 1 portage portage 4833834 24. Jan 2023  /var/cache/distfiles/postfix-3.7.4.tar.gz
-rw-rw-r-- 1 portage portage 4848293  6. Jun 12:52 /var/cache/distfiles/postfix-3.8.1.tar.gz


But the ebuilds are gone. Where can I find ebuilds for 3.7.3 and 3.7.4?


Last edited by Elleni on Sun Jul 30, 2023 11:37 am; edited 1 time in total
grknight
Retired Dev

Joined: 20 Feb 2015
Posts: 1994

PostPosted: Sun Jul 30, 2023 11:36 am

You do realize that postfix is just the messenger here and that your milter, whatever it is, says deny this message to postfix.

Check your milter's configuration.
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Jul 30, 2023 11:57 am

Thanks for your comment, and no I didn't. Have to first find out what a milter is :oops:

For now, I am trying to downgrade postfix to the last working version, as I found the ebuild here:
https://github.com/gentoo/gentoo/commit/06bcb09cc3ce69d5bbcc2360a506253d1e7d0b7e?diff=unified

However, thanks again; so I suppose downgrading postfix won't do the trick. I will try to learn about which package is providing milter functionality then.
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Jul 30, 2023 12:10 pm

OK, by trial and error I found out that I can send mails after stopping the rspamd service. Problem is that rspamd.log doesn't have much info.

But when starting rspamd, I get the following in the console:
Code:
/etc/init.d/rspamd start
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
 * Starting rspamd ...
2023-07-30 14:10:08 #3614(main) <b902e0>; main; main: rspamd 3.5 is loading configuration, build id: release                          [ ok ]


What info can I provide for finding the source and fixing it? How would I enable debug logging on rspamd?

Edit: Changed /etc/rspamd/logging.inc from info to debug, and tried to send mail again. I got this in rspamd.log (/var/log/messages still not showing more than ratelimit some_limit):

Code:
2023-07-30 14:25:07 #3954(main) <bsb1q6>; cfg; rspamd_init_lua_filters: init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
2023-07-30 14:25:31 #3954(main) <bsb1q6>; symcache; process_deps: cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
2023-07-30 14:25:31 #3954(main) <bsb1q6>; symcache; process_deps: cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
2023-07-30 14:25:31 #3954(main) <bsb1q6>; symcache; process_deps: cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
2023-07-30 14:27:42 #3957(controller) <k8f914>; map; http_map_error: error reading https://maps.rspamd.com/freemail/disposable.txt.zst(151.115.41.123:443): connection with http server terminated incorrectly: ssl connect error: syscall fail: Die Wartezeit für die Verbindung ist abgelaufen
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Aug 06, 2023 9:18 am

Anyone have an idea on how to fix rspamd or how to debug this, please? Can this be of any help to debug this issue?

Code:
rspamadm configdump dkim
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
*** Section dkim ***
dkim_cache_size = 2000;
dkim_cache_expire = 86400;
time_jitter = 21600;
trusted_only = false;
skip_multi = false;
enabled = true;

*** End of section dkim ***
freke
Veteran

Joined: 23 Jan 2003
Posts: 1048
Location: Somewhere in Denmark

PostPosted: Sun Aug 06, 2023 6:39 pm

Have you tried re-emerging rspamd? - I don't like that it throws that error on dmarc.lua init

Checked its config files in /etc/rspamd/?

Code:
mail /etc/rspamd # rspamadm configdump dkim
*** Section dkim ***
dkim_cache_expire = 86400;
skip_multi = false;
time_jitter = 21600;
trusted_only = false;
dkim_cache_size = 2000;

*** End of section dkim ***
mail /etc/rspamd # rspamadm configdump dmarc
*** Section dmarc ***
actions {
    reject = "reject";
    quarantine = "add_header";
}
reporting {
    enabled = false;
    org_name = "vlh.dk";
    helo = "mail.vlh.dk";
    smtp_port = 25;
    smtp = "mail.vlh.dk";
    domain = "vlh.dk";
    email = "dmarc@vlh.dk";
}

*** End of section dmarc ***
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Aug 06, 2023 7:42 pm

Hi freke,

thanks for your post. I re-emerged rspamd and it wanted to replace arc.conf, which I allowed this time. Comparing the files I see the following differences:

new file:
Code:
arc {
  # If false, messages with empty envelope from are not signed
  allow_envfrom_empty = true;
  # If true, envelope/header domain mismatch is ignored
  allow_hdrfrom_mismatch = true;
  # If true, multiple from headers are allowed (but only first is used)
  allow_hdrfrom_multiple = false;
  # If true, username does not need to contain matching domain
  allow_username_mismatch = false;
  # Default path to key, can include '$domain' and '$selector' variables
  #path = "${DBDIR}/arc/$domain.$selector.key";
  # Default selector to use
  selector = "arc";
  # If false, messages from authenticated users are not selected for signing
  sign_authenticated = false;
  # If false, inbound messages are not selected for signing
  sign_inbound = true;
  # If false, messages from local networks are not selected for signing
  sign_local = false;
  # Symbol to add when message is signed
  sign_symbol = "ARC_SIGNED";
  # Whether to fallback to global config
  try_fallback = true;
  # Domain to use for ARC signing: can be "header", "envelope" or "recipient"
  use_domain = "recipient";
  # Whether to normalise domains to eSLD
  use_esld = true;
  # Whether to get keys from Redis
  use_redis = false;
  # Hash for ARC keys in Redis
  key_prefix = "ARC_KEYS";

my old arc.conf:
Code:
arc {
  # If false, messages with empty envelope from are not signed
  allow_envfrom_empty = true;
  # If true, envelope/header domain mismatch is ignored
  allow_hdrfrom_mismatch = true;
  # If true, multiple from headers are allowed (but only first is used)
  allow_hdrfrom_multiple = false;
  # If true, username does not need to contain matching domain
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;
  # If false, messages from authenticated users are not selected for signing
  auth_only = false;
  # Default path to key, can include '$domain' and '$selector' variables
  #path = "${DBDIR}/arc/$domain.$selector.key";
path = "/var/lib/rspamd/dkim/$selector.key";
  # Default selector to use
selector = "mail";
  # If false, inbound messages are not selected for signing
  sign_inbound = true;
  # If false, messages from local networks are not selected for signing
  sign_local = false;
  # Symbol to add when message is signed
  symbol_sign = "ARC_SIGNED";
  # Whether to fallback to global config
  try_fallback = true;
  # Domain to use for ARC signing: can be "header", "envelope" or "recipient"
  use_domain = "recipient";
  # Whether to normalise domains to eSLD
  use_esld = true;
  # Whether to get keys from Redis
  use_redis = false;
  # Hash for ARC keys in Redis
  key_prefix = "ARC_KEYS";

  # Domain specific settings
  #domain {
  #  example.com {
  #    # Private key path
  #    path = "${DBDIR}/arc/example.key";
  #    # Selector
  #    selector = "ds";
  #  }
  #}

  .include(try=true,priority=5) "${DBDIR}/dynamic/arc.conf"
  .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/arc.conf"
  .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/arc.conf"


Sending some test mails seemed to be successful, but only for a couple of mails, with the old or with the new config. With both arc.conf files some mails could be sent successfully, but all of a sudden I got those blockers again...

When starting the rspamd service it takes quite a while and still gives those messages:
Code:
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
* Stopping rspamd ... [ ok ]
* Starting rspamd ...
2023-08-06 21:33:39 #4418(main) <f91604>; main; main: rspamd 3.5 is loading configuration, build id: release

These are lines 502-504 of the /usr/share/rspamd/plugins/dmarc.lua file mentioned above:
Code:
-- Legacy...
if settings.reporting and not settings.reporting.exclude_domains and settings.no_reporting_domains >
  settings.reporting.exclude_domains = settings.no_reporting_domains


I still get
Code:
rspamadm configdump dkim
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
*** Section dkim ***
dkim_cache_expire = 86400;
time_jitter = 21600;
trusted_only = false;
skip_multi = false;
enabled = true;
dkim_cache_size = 2000;

*** End of section dkim ***
with both arc.conf files, so is something with my dkim configuration wrong? Speaking of dkim: do I still need opendkim? Or is this done by rspamd and thus obsolete? I am asking as I have the /etc/init.d/opendkim service and
Code:
*  mail-filter/opendkim
      Latest version available: 2.10.3-r30
      Latest version installed: 2.10.3-r30
      Size of files: 1’182 KiB
      Homepage:      http://opendkim.org/
      Description:   A milter providing DKIM signing and verification
      License:       BSD GPL-2 Sendmail-Open-Source
installed, so I don't know if this is still needed or obsolete and should be removed? In every case I tested rspamd with and without the opendkim service started and it made no difference.

Finally, could something be wrong with the USE flags rspamd is emerged with?
Code:
emerge rspamd -pv

These are the packages that would be merged, in order:

Calculating dependencies   ... done!           
Dependency resolution took 3.04 s.

[ebuild   R    ] mail-filter/rspamd-3.5-r1::gentoo  USE="jit -blas (-jemalloc) (-selinux) -test" CPU_FLAGS_X86="ssse3" LUA_SINGLE_TARGET="luajit -lua5-1" 0 KiB


What files do we have to look at to check if the dkim config is OK? And how can those dmarc_check for the arc_signed and phishing symbols and dmarc_callback for symbol whitelist_messages be fixed?
freke
Veteran

Joined: 23 Jan 2003
Posts: 1048
Location: Somewhere in Denmark

PostPosted: Sun Aug 06, 2023 8:17 pm

Code:
mail ~ # emerge -pv rspamd

Local copy of remote index is up-to-date and will be used.

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.05 s.

[ebuild   R    ] mail-filter/rspamd-3.5-r1::gentoo  USE="-blas (-jemalloc) -jit (-selinux) -test" CPU_FLAGS_X86="ssse3" LUA_SINGLE_TARGET="lua5-1 -luajit" 0 KiB


I'm using lua5-1 instead of luajit, dunno if that could cause something?

rspamd should be able to handle the dkim (and dmarc) rendering opendkim/opendmarc obsolete.

Here are some of my configuration files:

/etc/rspamd/local.d/arc.conf - http://0x0.st/H_ZZ.txt
/etc/rspamd/local.d/dkim_signing.conf - http://0x0.st/H_ZN.txt
/etc/rspamd/local.d/dmarc.conf - http://0x0.st/H_Zq.txt
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Sun Aug 06, 2023 8:27 pm

Thanks freke, I will emerge with lua5 then and also check the provided configs and adapt if different. I will then report back.
Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Tue Aug 08, 2023 6:01 pm

Emerged with lua instead of luajit, but that did not fix it:
Code:
* Caching service dependencies ...                                                            [ ok ]
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
init of /usr/share/rspamd/plugins/ratelimit.lua failed: /usr/share/rspamd/plugins/ratelimit.lua:807: bad argument #2 to 'format' (string expected, got nil); trace: [1]:{[C]:-1 - format [C]}; [2]:{/usr/share/rspamd/plugins/ratelimit.lua:807 - fun [Lua]}; [3]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [4]:{(tail call):-1 -  [tail]}; [5]:{/usr/share/rspamd/lualib/fun.lua:796 - <unknown> [Lua]}; [6]:{(tail call):-1 -  [tail]}; [7]:{/usr/share/rspamd/plugins/ratelimit.lua:806 - fun [Lua]}; [8]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [9]:{(tail call):-1 -  [tail]}; [10]:{/usr/share/rspamd/lualib/fun.lua:192 - <unknown> [Lua]}; [11]:{(tail call):-1 -  [tail]}; [12]:{/usr/share/rspamd/plugins/ratelimit.lua:802 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
 * Starting rspamd ...
2023-08-08 19:57:37 #30647(main) <c15609>; main; main: rspamd 3.5 is loading configuration, build id: release


Also tried removing /usr/share/rspamd and re-emerging it in case something in that folder was wrong, but it didn't help either.

My configs are:
Code:
cat /etc/rspamd/local.d/arc.conf
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
### Enable DKIM signing for alias sender addresses
#allow_username_mismatch = true;

Code:
cat /etc/rspamd/local.d/dkim_signing.conf
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
### Enable DKIM signing for alias sender addresses
#allow_username_mismatch = true;

Code:
servers = "127.0.0.1";
# Enables storing reporting information to redis
reporting = true;
# If Redis server is not configured below, settings from redis {} will be used
#servers = "127.0.0.1:6379"; # Servers to use for reads and writes (can be a list)
# Alternatively set read_servers / write_servers to split reads and writes
# To set custom prefix for redis keys:
#key_prefix = "dmarc_";
# Actions to enforce based on DMARC disposition (empty by default)
actions = {
   quarantine = "add_header";
   reject = "reject";
}
# Ignore "pct" setting for some domains
# no_sampling_domains = "/etc/rspamd/dmarc_no_sampling.domains";

report_settings {
  # The following elements MUST be present
  # organisation name to use for reports
  org_name = "domain1.tld & domain2.tld Mailserver";
  # organisation domain
  domain = "domain1.tld";
  # sender address to use for reports
  email = "postmaster@domain1.tld";
  # The following elements MAY be present
  # sender name to use for reports ("Rspamd" if unset)
  # from_name = "Rspamd";
  # SMTP host to send reports to ("127.0.0.1" if unset)
  # smtp = "127.0.0.1";
  # TCP port to use for SMTP (25 if unset)
  # smtp_port = 25;
  # HELO to use for SMTP ("rspamd" if unset)
  # helo = "rspamd";
  # Number of retries on temporary errors (2 if unset)
  # retries = 2;
  # Send DMARC reports here instead of domain owners
  # override_address = "postmaster@example.net";
  # Send DMARC reports here in addition to domain owners
  additional_address = "postmaster@domain1.tld";
  # Number of records to request with HSCAN
  # hscan_count = 200
}

Code:
rspamadm configdump dkim
init of /usr/share/rspamd/plugins/dmarc.lua failed: /usr/share/rspamd/plugins/dmarc.lua:503: attempt to index field 'reporting' (a boolean value); trace: [1]:{/usr/share/rspamd/plugins/dmarc.lua:503 - <unknown> [main]};
init of /usr/share/rspamd/plugins/ratelimit.lua failed: /usr/share/rspamd/plugins/ratelimit.lua:807: bad argument #2 to 'format' (string expected, got nil); trace: [1]:{[C]:-1 - format [C]}; [2]:{/usr/share/rspamd/plugins/ratelimit.lua:807 - fun [Lua]}; [3]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [4]:{(tail call):-1 -  [tail]}; [5]:{/usr/share/rspamd/lualib/fun.lua:796 - <unknown> [Lua]}; [6]:{(tail call):-1 -  [tail]}; [7]:{/usr/share/rspamd/plugins/ratelimit.lua:806 - fun [Lua]}; [8]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [9]:{(tail call):-1 -  [tail]}; [10]:{/usr/share/rspamd/lualib/fun.lua:192 - <unknown> [Lua]}; [11]:{(tail call):-1 -  [tail]}; [12]:{/usr/share/rspamd/plugins/ratelimit.lua:802 - <unknown> [main]};
cannot find dependency on symbol DMARC_CHECK for symbol ARC_SIGNED
cannot find dependency on symbol DMARC_CHECK for symbol PHISHING
cannot find dependency on symbol DMARC_CALLBACK for symbol WHITELIST_DMARC
*** Section dkim ***
enabled = true;
dkim_cache_expire = 86400;
skip_multi = false;
time_jitter = 21600;
trusted_only = false;
dkim_cache_size = 2000;

*** End of section dkim ***


I don't know if my configs are too old and thus not supported anymore; I will try to adapt them to the ones you provided to see whether it changes something.

Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Tue Aug 15, 2023 1:59 pm    Post subject: Reply with quote

I found some time to look into this, and one error seemed to be in /etc/rspamd/local.d/dmarc.conf

The following line is deprecated and must not be active. From the official documentation: "If you're upgrading from a previous version, make sure that you remove the reporting = true; setting from rspamadm configdump dmarc. This setting has been intentionally converted to the new options schema to prevent misconfiguration." The line reporting = true; must be removed from local.d/dmarc.conf if it is there.

Now part of the error is gone. The remaining part, which I am still looking into and would be glad if someone could assist me with, is:
Code:
/etc/init.d/rspamd start
init of /usr/share/rspamd/plugins/ratelimit.lua failed: /usr/share/rspamd/plugins/ratelimit.lua:712: bad argument #2 to 'format' (string expected, got nil); trace: [1]:{[C]:-1 - format [C]}; [2]:{/usr/share/rspamd/plugins/ratelimit.lua:712 - fun [Lua]}; [3]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [4]:{(tail call):-1 -  [tail]}; [5]:{/usr/share/rspamd/lualib/fun.lua:796 - <unknown> [Lua]}; [6]:{(tail call):-1 -  [tail]}; [7]:{/usr/share/rspamd/plugins/ratelimit.lua:711 - fun [Lua]}; [8]:{/usr/share/rspamd/lualib/fun.lua:34 - <unknown> [Lua]}; [9]:{(tail call):-1 -  [tail]}; [10]:{/usr/share/rspamd/lualib/fun.lua:192 - <unknown> [Lua]}; [11]:{(tail call):-1 -  [tail]}; [12]:{/usr/share/rspamd/plugins/ratelimit.lua:707 - <unknown> [main]};
 * Starting rspamd ...
2023-08-15 15:53:37 #13030(main) <c5d113>; main; main: rspamd 3.6 is loading configuration, build id: release


Obviously it must have to do with the /etc/rspamd/local.d/ratelimit.conf file, as the error is gone when I remove it. Maybe you can share yours, freke, or tell me the difference. Here's my old one, which looks pretty much like the default one in the rspamd docs:
Code:
  rates {
    # Selector based ratelimit
    some_limit = {
      selector = 'user.lower';
      # You can define more than one bucket, however, you need to use array syntax only
      bucket = [
      {
        burst = 100;
        rate = "10 / 1min";
      },
      {
        burst = 10;
        rate = "100 / 1min";
      }]
    }
    # Predefined ratelimit
    to = {
      bucket = {
        burst = 100;
        rate = 0.01666666666666666666; # leak 1 message per minute
      }
    }
    # or define it with selector
    other_limit_alt = {
      selector = 'rcpts:addr.take_n(5)';
      bucket = {
        burst = 100;
        rate = "1 / 1m"; # leak 1 message per minute
      }
    }
  }


Frankly, I don't really understand the concept of the rspamd ratelimit module. All I know is that I never had a problem with it; lately the (outgoing) messages that were rejected showed up in the history tab with a ratelimit tag, and the Lua error messages printed above came up when starting the rspamd service. So I can live with that module deactivated, but I would rather find out and learn how to re-enable it without it making the mailserver unusable by blocking legitimate outgoing mail now and then. Maybe there is some related setting which needs some attention?

As a sidenote: how can I re-enable modification of the lists under the configuration tab of the rspamd web interface? I had this active, but somehow I changed the access rights while trying to troubleshoot the above issue. I see that if I chown the corresponding files to rspamd:rspamd I get the write tag besides the read tag, but hitting save gives me access denied. I vaguely remember it has to do with the file permissions; I tried to change ownership to rspamd:rspamd and to apache:apache and also gave 664 with chmod, but was not successful yet.


Last edited by Elleni on Tue Aug 15, 2023 4:12 pm; edited 1 time in total
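For anyone landing here with the same dmarc.lua error after an upgrade, below is an added shell check; it is my example, not Elleni's files and not rspamd's own code. It flags the deprecated top-level `reporting = true;` in a local.d/dmarc.conf, the key the quoted documentation says was converted to a new options schema. Both sample config files are constructed inline with example.org as a placeholder domain; the `reporting { enabled = true; ... }` block in the second file is my reading of the post-2.7 schema, so confirm the exact key names against `rspamadm configdump dmarc` on your own version. On the real host the authoritative check is still `rspamadm configtest` before restarting the service; this script is only a quick lint for the one setting that bit this thread.

```shell
#!/bin/sh
# Added example (not from the thread or rspamd): lint a local.d/dmarc.conf for the
# pre-2.7 top-level "reporting = true;" key. Per the rspamd docs quoted above, that
# key was converted to a "reporting { ... }" options block, and leaving the old form
# in place is what produced
#   dmarc.lua:503: attempt to index field 'reporting' (a boolean value)
# Exit status: 0 if the file is clean, 1 if the deprecated key is present.
check_dmarc_reporting() {
    cfg=$1
    # Drop comments first, then look for a bare boolean assignment. The regex is
    # deliberately narrow: "reporting {" (current schema) does not match, and
    # neither does "enabled = true;" inside that block.
    if sed 's/#.*//' "$cfg" |
       grep -Eq '^[[:space:]]*reporting[[:space:]]*=[[:space:]]*(true|yes|on)[[:space:]]*;?'; then
        echo "$cfg: deprecated top-level 'reporting = true;' found;" \
             "move reporting settings into a 'reporting { enabled = true; ... }' block" >&2
        return 1
    fi
    return 0
}

# Two constructed sample files (example.org is a placeholder, not the poster's domain).
old_cfg=$(mktemp)
new_cfg=$(mktemp)

# Old schema, as in the thread: boolean key plus a separate report_settings block.
cat >"$old_cfg" <<'EOF'
servers = "127.0.0.1";
# Enables storing reporting information to redis
reporting = true;
report_settings {
  org_name = "example.org Mailserver";
  domain = "example.org";
  email = "postmaster@example.org";
}
EOF

# Assumed post-2.7 schema; verify the key names with `rspamadm configdump dmarc`
# on the installed version before copying this.
cat >"$new_cfg" <<'EOF'
servers = "127.0.0.1";
reporting {
  enabled = true;
  org_name = "example.org Mailserver";
  domain = "example.org";
  email = "postmaster@example.org";
}
EOF

for cfg in "$old_cfg" "$new_cfg"; do
    if check_dmarc_reporting "$cfg"; then
        echo "$cfg: ok"
    fi
done
```

Run it against the real file with `check_dmarc_reporting /etc/rspamd/local.d/dmarc.conf` once the function is sourced; a non-zero exit means the upgrade note applies to you.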

freke
Veteran

Joined: 23 Jan 2003
Posts: 1048
Location: Somewhere in Denmark

PostPosted: Tue Aug 15, 2023 4:04 pm    Post subject: Reply with quote

I don't have a ratelimit.conf - never bothered with it, it's a small private mailserver for my own domain, used by me (and mother) only.

It also seems to involve creating a /etc/rspamd/custom_ratelimit.lua - https://rspamd.com/doc/modules/ratelimit.html

Could also try their mailing list - https://lists.rspamd.com/mailman/listinfo

Elleni
Veteran

Joined: 23 May 2006
Posts: 1291

PostPosted: Tue Aug 15, 2023 4:17 pm    Post subject: Reply with quote

Mine is similarly small, so I guess I am good with removing the ratelimit.conf from the local.d folder. That's OK for me too :)

The only remaining issue is the access rights needed to modify white- and blacklists from within the web interface's configuration tab.

Works now with chown rspamd:rspamd /etc/rspamd/local.d
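Since the thread settles on dropping ratelimit.conf without pinning down what the module actually does, here is an added shell model of the leaky bucket behind one `bucket { burst = N; rate = "M / 1min"; }` entry. It is my own example, not rspamd's implementation and not code from this thread. It assumes the documented meaning of the two keys (burst is the bucket size, rate is how fast it drains), models a single bucket, and ignores rspamd's spam/ham multipliers and the fact that the real buckets live in Redis keyed by the selector value (here `user.lower`, so per authenticated account) and therefore survive an rspamd restart. The timestamps are constructed input.

```shell
#!/bin/sh
# Added example (my model, not rspamd's implementation): a single leaky bucket as
# configured by one "bucket { burst = N; rate = 'M / 1min'; }" entry in
# local.d/ratelimit.conf. Each accepted message adds 1 to the bucket level, the
# level drains at "rate" per minute, and a message is rate-limited when accepting
# it would push the level above "burst". Simplifications, all assumed: one bucket
# only, no spam/ham multipliers, no Redis persistence across runs.
#
# Usage: leaky_bucket BURST RATE_PER_MIN t1 t2 ...   (timestamps in seconds, ascending)
# Prints "ALLOWED REJECTED".
leaky_bucket() {
    burst=$1
    rate=$2
    shift 2
    if [ $# -eq 0 ]; then
        echo "0 0"
        return 0
    fi
    printf '%s\n' "$@" | awk -v burst="$burst" -v rate="$rate" '
    BEGIN { level = 0; last = 0; allowed = 0; rejected = 0 }
    {
        t = $1 + 0
        # Drain whatever leaked out since the previous message.
        level -= (t - last) * rate / 60.0
        if (level < 0) level = 0
        last = t
        if (level + 1 > burst) {
            rejected++          # this is the "Ratelimit ... exceeded" case
        } else {
            level += 1
            allowed++
        }
    }
    END { printf "%d %d\n", allowed, rejected }'
}

# Constructed scenario mirroring the first bucket of "some_limit" above
# (burst = 100, rate = "10 / 1min", keyed per user by selector user.lower):
# one account submits 101 messages within the same second.
stamps=$(awk 'BEGIN { for (i = 0; i < 101; i++) printf "0 " }')
echo "101 messages in one second, burst 100, 10/min: $(leaky_bucket 100 10 $stamps)"

# Same account, same 101 messages, but one every 6 seconds (exactly 10/min):
# the bucket drains as fast as it fills, so nothing is limited.
stamps=$(awk 'BEGIN { for (i = 0; i < 101; i++) printf "%d ", i * 6 }')
echo "101 messages at 10/min, burst 100, 10/min: $(leaky_bucket 100 10 $stamps)"
```

The second scenario is the practical caveat: once an account has exhausted its burst, it is held to the leak rate until the bucket drains, and with the real buckets in Redis that state outlives the rspamd process. A sudden `Ratelimit "some_limit" exceeded` on a quiet server is therefore worth checking against the configured burst and rate before the module is switched off.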

freke
Veteran

Joined: 23 Jan 2003
Posts: 1048
Location: Somewhere in Denmark

PostPosted: Tue Aug 15, 2023 5:01 pm    Post subject: Reply with quote

Yet another thing I haven't actually tried; I've maintained my lists via SSH/console on the mail server.

But yes, changing /etc/rspamd/maps.d and /etc/rspamd/local.d to rspamd:rspamd seems to fix that issue; that should probably be bug-reported?
(Especially as that is the user:group applied if creating any of the files from the web UI when they don't exist)