Header about spoofed or improperly forwarded mail, `X-AnonAddy-Authentication-Results` looks fine

[JensSpanier]

Hi! I'm hosting my own instance with anonaddy/docker Since the Update to 1.0.9 some mails show this header (not all):

But when I look to the X-AnonAddy-Authentication-Results header, it looks good for me. Here are two examples:

• X-AnonAddy-Authentication-Results: mail.[MYDOMAIN].de; dkim=pass header.d=newsletter.swr3.de header.s=default header.b=icw5taZZ; dmarc=pass (policy=reject) header.from=newsletter.swr3.de; spf=pass (mail.[MYDOMAIN].de: domain of postmaster@mailer-service.de designates 151.106.66.59 as permitted sender) smtp.mailfrom=postmaster@mailer-service.de
• X-AnonAddy-Authentication-Results: mail.[MYDOMAIN].de; dkim=pass header.d=grnk.shop header.s=kl header.b=nE7J31Mf; dmarc=pass (policy=none) header.from=grnk.shop; spf=pass (mail.[MYDOMAIN].de: domain of "bounces+26241038-791e-yuhuf9bv28=konto.[MYDOMAIN].de@postvon.grnk.shop" designates 167.89.100.91 as permitted sender) smtp.mailfrom="bounces+26241038-791e-yuhuf9bv28=konto.[MYDOMAIN].de@postvon.grnk.shop"

Before updating to 1.0.9 I've never seen this warning.

[willbrowningme]

Is Rspamd active and running?

[JensSpanier]

I've set

RSPAMD_ENABLE=true
RSPAMD_NO_LOCAL_ADDRS=true

in my env file. How can I check if rspamd is running inside the container?

It seems like it's only happening when all three (spf, dkim and dmarc) pass.

[willbrowningme]

Rspamd must be adding the X-AnonAddy-Spam header to the incoming message then:

https://github.com/anonaddy/anonaddy/blob/master/app/Console/Commands/ReceiveEmail.php#L214

This can be added by Rspamd if the email fails DMARC checks but also if the message contents is deemed spam etc.

I don't know how to access the Rspamd dasboard in Docker as I haven't used it myself but if you can do that then you can see the headers that have been added by Rspamd to the incoming message.

[JensSpanier]

These are all headers starting with X-AnonAddy:

X-AnonAddy-Authentication-Results: mail.[MYDOMAIN].de; dkim=pass header.d=newsletter.swr3.de header.s=default header.b=s5qGc7Bc; dmarc=pass (policy=reject) header.from=newsletter.swr3.de; spf=pass (mail.[MYDOMAIN].de: domain of postmaster@mailer-service.de designates 151.106.66.57 as permitted sender) smtp.mailfrom=postmaster@mailer-service.de
X-AnonAddy-Original-Sender: swr3@newsletter.swr3.de
X-AnonAddy-Original-Envelope-From: postmaster@mailer-service.de
X-AnonAddy-Original-From-Header: SWR3 <swr3@newsletter.swr3.de>
X-AnonAddy-Original-Reply-To-Header: SWR3 <info@swr3.de>
X-AnonAddy-Original-To: Jens Spanier <swr3@konto.[MYDOMAIN].de>

X-AnonAddy-Spam is missing.

I've also subscribed to this newsletter with an alias hosted at addy.io. This newsletter comes quite often (every day). So I'll check if this also happens there. Or is addy.io not using Rspamd?

[willbrowningme]

Those are the headers of the email that is actually forwarded to you. I am talking about the incoming email from the sender that Rspamd adds some headers to when it processes it.

addy.io actually forwards the email on to you as an entirely new email which is why the X-AnonAddy-Spam header doesn't appear there.

Yes addy.io also uses Rspamd.

[JensSpanier]

I now received a mail from this newsletter via addy.io, too. But this mail doesn't show the warning. The header X-AnonAddy-Authentication-Results seems to be the same.

addy.io: X-AnonAddy-Authentication-Results: mail.anonaddy.me; dkim=pass header.d=newsletter.swr3.de header.s=default header.b=TTcUoyyi; spf=pass (mail.anonaddy.me: domain of postmaster@mailer-service.de designates 151.106.66.58 as permitted sender) smtp.mailfrom=postmaster@mailer-service.de; dmarc=pass (policy=reject) header.from=newsletter.swr3.de

selfhosted: X-AnonAddy-Authentication-Results: mail.[MYDOMAIN].de; dkim=pass header.d=newsletter.swr3.de header.s=default header.b="ssD/Gdb7"; spf=pass (mail.[MYDOMAIN].de: domain of postmaster@mailer-service.de designates 151.106.66.58 as permitted sender) smtp.mailfrom=postmaster@mailer-service.de; dmarc=pass (policy=reject) header.from=newsletter.swr3.de

Do you have any idea how I can debug this? Or should I open an issue at anonaddy/docker?

[willbrowningme]

I can only assume that Rspamd is marking that email's content as "spam" hence why that warning is being added.

Ideally you need to view the symbols added by Rspamd for the original incoming message using the webUI.

[JensSpanier]

Ok, found the reason: PH_SURBL_MULTI (5.5) [srv6058.mailer-service.de:rdns,srv6058.mailer-service.de:helo] I already wrote a mail to the company behind mailer-service.de so they can request a delisting at SURBL.

Thanks for your help and sorry for thinking it was addy's fault. Will close this issue.