search

foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0
4.95k stars 239 forks source link

Quarantined message discarded #627

Closed mmatous closed 12 months ago

mmatous commented 1 year ago

Describe the bug

Logs claim that a message was quarantined but it seems to have been discarded.

Junk folder in MUA is empty. sudo maddy imap-msgs list <mail> Junk is empty. greping for "yahoo"—part of spammer address—in /var/lib/maddy yields nothing.

Using sudo -u maddy for listing Junk results in ERROR 2023/08/25 00:23:02 could not discover absolute path: stat .: permission denied, but the same goes for listing INBOX and that gets listed and accepts mail just fine. Everything in /var/lib/maddy is owned by maddy ~so no idea what that's about~. Figured that out. Kinda. Maddy tries to mess with $CWD for some reason and gets denied when in my user's home dir. strace: getcwd("/home/user", 4096)

Steps to reproduce

Unknown.

Log files

smtp: incoming message    {"msg_id":"95ae9d1f","sender":"author.magnus@yahoo.com","src_host":"DESKTOPNGGQDAMhome","src_ip":"41.214.3.211:26113"}
smtp: RCPT ok     {"msg_id":"95ae9d1f","rcpt":"<mail>"}
smtp/pipeline: no check action    {"check":"check.dkim","msg_id":"95ae9d1f","reason":"No DKIM signatures","smtp_code":550,"smtp_enchcode":"5.7.20","smtp_msg":"No DKIM signatures"}
check.spf: deferring action due to a DMARC policy {"err":"matched all","msg_id":"95ae9d1f","result":"neutral"}
smtp/pipeline: no check action    {"check":"check.spf","msg_id":"95ae9d1f","reason":"matched all","smtp_code":550,"smtp_enchcode":"5.7.23","smtp_msg":"Neutral SPF result is not permitted"}
smtp/pipeline: quarantined        {"check":"milter","milter":"unix:///run/rspamd/milter.sock","msg_id":"95ae9d1f","reason":"Spam message quarantined"}
smtp: DATA error  {"check":"dmarc","dkim_domain":"","dkim_res":"none","msg_id":"95ae9d1f","reason":"No aligned identifiers","smtp_code":550,"smtp_enchcode":"5.7.1","smtp_msg":"DMARC check failed","spf_from":"yahoo.com","spf_res":"neutral"}

Configuration file

## Maddy Mail Server - default configuration file (2021-03-07)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.
#
# See manual pages (also available at https://maddy.email) for reference
# documentation.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = sub.domain1.tld
$(primary_domain) = domain1.tld
$(local_domains) = $(primary_domain) domain2.tld

tls file key1.pem cert1.pem key2.pem cert2.pem {
    protocols tls1.2 tls1.3
    curves X25519 p256
}

log stderr

# ----------------------------------------------------------------------------
# Local storage & authentication

# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddyctl creds' command.

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /etc/maddy/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://0.0.0.0:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    milter {
        endpoint unix:///run/rspamd/milter.sock
        fail_open true
    }
    }

    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default {
            newkey_algo ed25519
        }
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
    tls_client client_setup {
    protocols tls1.2 tls1.3
    curves X25519 p256
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
    auth &local_authdb
    storage &local_mailboxes
}

Environment information

mmatous commented 1 year ago

Persuaded rspamd to mark my test mails for quarantine with multimap and forced_action. Everything proceeded as expected and message got moved to Junk. Log:

smtp: incoming message    {"msg_id":"c90245b5","sender":"<sender>","src_host":"mail-4318.protonmail.ch","src_ip":"185.70.43.18:61643"}
smtp: RCPT ok     {"msg_id":"c90245b5","rcpt":"<rcpt>"}
smtp/pipeline: quarantined        {"check":"milter","milter":"unix:///run/rspamd/milter.sock","msg_id":"c90245b5","reason":"Spam message quarantined"}
smtp: accepted    {"msg_id":"c90245b5"}

The main difference is that the correctly handled message failed only milter check but not maddy's internal spf/dkim/dmarc checks.

foxcpp commented 12 months ago

yahoo.com domain has a strict DMARC policy that tells MTAs to reject messages that fail DMARC check.

Here is the policy: "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;". Note the "p=reject" part.

This is exactly what happens here:

smtp: DATA error  {"check":"dmarc","dkim_domain":"","dkim_res":"none","msg_id":"95ae9d1f","reason":"No aligned identifiers","smtp_code":550,"smtp_enchcode":"5.7.1","smtp_msg":"DMARC check failed","spf_from":"yahoo.com","spf_res":"neutral"}

check: dmarc DMARC check failed

DMARC fails for the message because it fails both SPF and DKIM checks. Probably because it is a message with spoofed sender address - something DMARC/SPF/DKIM are built to protect against.

mmatous commented 12 months ago

I see. The line

smtp/pipeline: quarantined        {"check":"milter","milter":"unix:///run/rspamd/milter.sock","msg_id":"95ae9d1f","reason":"Spam message quarantined"}

misled me. Apologies.