mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Sending of DMARC reports not working as described, lastlog contains lua Errors. #6058

Closed schmueller closed 2 months ago

schmueller commented 2 months ago

Contribution guidelines

I've found a bug and checked that ...

Description

The configured DMARC Reporting as described here: https://docs.mailcow.email/post_installation/firststeps-dmarc_reporting/ is not working as expected. There doesn't seem to be any data recorded and the troubleshooting call: docker compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log prints a log that reports lua errors. See below.

Logs:

root@intern:/opt/mailcow-dockerized# docker compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log
call to rspamadm lua script failed (2): /usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:386: bad argument #1 to 'ipairs' (table expected, got string); trace: [1]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:386 - rcpt_list [Lua]}; [2]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:522 - prepare_report [Lua]}; [3]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:607 - process_report_date [Lua]}; [4]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:703 - <unknown> [Lua]};

Steps to reproduce:

1. Configure dmarc reporting as documented
2. wait for some mails to arrive from big providers
3. call: docker compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12.5

Server/VM specifications:

16 GB RAM, 4 Cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

VMWare

Docker version:

26.1.3

docker-compose version or docker compose version:

v2.27.0

mailcow version:

2024-08a

Reverse proxy:

nginx

Logs of git diff:

diff --git a/create_cold_standby.sh b/create_cold_standby.sh
index 924339af..f245b036 100755
--- a/create_cold_standby.sh
+++ b/create_cold_standby.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

-export REMOTE_SSH_KEY=/root/.ssh/id_rsa
+export REMOTE_SSH_KEY=/root/.ssh/id_ed25519
 export REMOTE_SSH_PORT=22
-export REMOTE_SSH_HOST=my.remote.host
+export REMOTE_SSH_HOST=192.168.1.81

 /opt/mailcow-dockerized/helper-scripts/_cold-standby.sh
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index c230c349..7e7d891c 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -203,7 +203,7 @@ plugin {
   sieve_redirect_envelope_from = recipient
   # From elsewhere to Spam folder
   imapsieve_mailbox1_name = Junk
-  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_causes = COPY APPEND
   imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
   # END
   # From Spam folder to elsewhere
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 6a87f2ec..e3c95da8 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -173,3 +173,37 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = intern.proris.com
+always_bcc = archive@archiv.proris.com
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.1.0/24
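Review bot: the added mynetworks line at the end of this hunk trusts the whole 192.168.1.0/24 LAN, so every host on that subnet counts as a trusted client wherever the Postfix restrictions use permit_mynetworks; list only the specific hosts that have to submit mail without authentication. The additions also sit below the "# DO NOT EDIT ANYTHING BELOW #" marker, so confirm they come from the supported override mechanism rather than from hand edits to main.cf, and add a comment explaining why always_bcc copies every message to archive@archiv.proris.com.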
diff --git a/data/conf/rspamd/custom/global_mime_from_blacklist.map b/data/conf/rspamd/custom/global_mime_from_blacklist.map
index 3c872889..bfedc053 100644
--- a/data/conf/rspamd/custom/global_mime_from_blacklist.map
+++ b/data/conf/rspamd/custom/global_mime_from_blacklist.map
@@ -1 +1,3 @@
-# /.+example\.com/i
+# /.+example\.com/i
+/.+@afulsola\.com/i
+/.+@fangerless\.com/i
diff --git a/data/conf/rspamd/custom/global_mime_from_whitelist.map b/data/conf/rspamd/custom/global_mime_from_whitelist.map
index 3c872889..d7dee838 100644
--- a/data/conf/rspamd/custom/global_mime_from_whitelist.map
+++ b/data/conf/rspamd/custom/global_mime_from_whitelist.map
@@ -1 +1,3 @@
-# /.+example\.com/i
+# /.+example\.com/i
+/.+proris\.com/i
+/.+intern\.+proris\.com/i
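Review bot: both added whitelist patterns are unanchored, so /.+proris\.com/i matches any From address that merely contains "proris.com", including a longer look-alike domain or one with extra labels after it; anchor on the "@" and the end of the address, for example /.+@(.+\.)?proris\.com$/i. The second pattern uses \.+ (one or more dots) where \. was probably meant, and it is already covered by the first. Since this map keys on the MIME From header, which the sender controls, whitelisting your own domain here also lets through mail that only claims to come from it.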
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index d3165b8a..532dcbc7 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -118,7 +118,7 @@ $AVAILABLE_LANGUAGES = array(
 $UI_THEME = "lumen";

 // Show DKIM private keys - false by default
-$SHOW_DKIM_PRIV_KEYS = false;
+$SHOW_DKIM_PRIV_KEYS = true;

 // mailcow Apps - buttons on login screen
 $MAILCOW_APPS = array(
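Review bot: $SHOW_DKIM_PRIV_KEYS = true overrides the default named in the comment directly above it ("false by default") and makes the web UI display DKIM private keys; set it back to false once the key has been copied out, so the signing keys are not readable from the admin interface.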
diff --git a/docker-compose.yml b/docker-compose.yml
index cf0a028f..d776c406 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -231,6 +231,10 @@ services:
         - ${IPV4_NETWORK:-172.22.1}.254
       cap_add:
         - NET_BIND_SERVICE
+      logging:
+        driver: syslog
+        options: 
+          tag: mail/dovecot
       volumes:
         - ./data/hooks/dovecot:/hooks:Z
         - ./data/conf/dovecot:/etc/dovecot:z
@@ -345,6 +349,10 @@ services:
           ipv4_address: ${IPV4_NETWORK:-172.22.1}.253
           aliases:
             - postfix
+      logging:
+        driver: syslog
+        options:
+          tag: mail/postfix

     memcached-mailcow:
       image: memcached:alpine
@@ -613,36 +621,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 121K   68M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
 374K  486M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 374K  486M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 243K  375M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 5979  389K DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 125K  111M ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 5283  351K ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:3306
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:8983
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    9   468 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
  138  7184 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
   26  1695 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
   50  2680 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:443
   10   635 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    5   300 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    4   240 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 125K  111M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 500M  831G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
 169M  126G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 500M  831G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  149  8860 DROP       0    --  *      *       194.169.175.65       0.0.0.0/0           
    0     0 DROP       0    --  *      *       46.148.40.0/24       0.0.0.0/0           
    0     0 DROP       0    --  *      *       194.169.175.10       0.0.0.0/0           
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
12368   24M MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
30763   45M DOCKER-USER  0    --  *      *       ::/0                 ::/0                
30763   45M DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0                
21980   44M ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 8783  602K DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
 8783  602K ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0                
  36M   52G RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0                
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0                
    0     0 RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  36M   52G RETURN     0    --  *      *       ::/0                 ::/0                

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.22.1.0/24        anywhere            
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  tcp  --  172.22.1.249         172.22.1.249         tcp dpt:redis
MASQUERADE  tcp  --  172.22.1.5           172.22.1.5           tcp dpt:mysql
MASQUERADE  tcp  --  172.22.1.6           172.22.1.6           tcp dpt:8983
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:12345
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:sieve
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:pop3s
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:imaps
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:imap2
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:pop3
MASQUERADE  tcp  --  172.22.1.8           172.22.1.8           tcp dpt:https
MASQUERADE  tcp  --  172.22.1.8           172.22.1.8           tcp dpt:http
MASQUERADE  tcp  --  172.22.1.253         172.22.1.253         tcp dpt:submission
MASQUERADE  tcp  --  172.22.1.253         172.22.1.253         tcp dpt:submissions
MASQUERADE  tcp  --  172.22.1.253         172.22.1.253         tcp dpt:smtp

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             localhost            tcp dpt:7654 to:172.22.1.249:6379
DNAT       tcp  --  anywhere             localhost            tcp dpt:13306 to:172.22.1.5:3306
DNAT       tcp  --  anywhere             localhost            tcp dpt:18983 to:172.22.1.6:8983
DNAT       tcp  --  anywhere             localhost            tcp dpt:19991 to:172.22.1.250:12345
DNAT       tcp  --  anywhere             anywhere             tcp dpt:sieve to:172.22.1.250:4190
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3s to:172.22.1.250:995
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:172.22.1.250:993
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imap2 to:172.22.1.250:143
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3 to:172.22.1.250:110
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.22.1.8:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.22.1.8:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submission to:172.22.1.253:587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submissions to:172.22.1.253:465
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:172.22.1.253:25

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !localhost            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  fd4d:6169:6c63:6f77::/64  anywhere            
MASQUERADE  all  --  fd00:dead:beef:c0::/80  anywhere            
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:sieve
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:pop3s
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:imaps
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:imap2
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:pop3
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::c  fd4d:6169:6c63:6f77::c  tcp dpt:https
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::c  fd4d:6169:6c63:6f77::c  tcp dpt:http
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:submission
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:submissions
MASQUERADE  tcp  --  fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:smtp

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere             tcp dpt:sieve to:[fd4d:6169:6c63:6f77::b]:4190
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3s to:[fd4d:6169:6c63:6f77::b]:995
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:[fd4d:6169:6c63:6f77::b]:993
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imap2 to:[fd4d:6169:6c63:6f77::b]:143
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3 to:[fd4d:6169:6c63:6f77::b]:110
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:[fd4d:6169:6c63:6f77::c]:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:[fd4d:6169:6c63:6f77::c]:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submission to:[fd4d:6169:6c63:6f77::f]:587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submissions to:[fd4d:6169:6c63:6f77::f]:465
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:[fd4d:6169:6c63:6f77::f]:25

DNS check:

172.64.155.249
104.18.32.7

DerLinkman commented 2 months ago

Cannot confirm that. DMARC reporting is working on my machines (testing + prod).

Can you try manually triggering the DMARC reports by running:

docker compose exec rspamd-mailcow bash

rspamadm dmarc_report

schmueller commented 2 months ago

This is the result:

root@intern:~# cd /opt/mailcow-dockerized/
root@intern:/opt/mailcow-dockerized# docker compose exec rspamd-mailcow bash
root@rspamd:/# rspamadm dmarc_report
call to rspamadm lua script failed (2): /usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:386: bad argument #1 to 'ipairs' (table expected, got string); trace: [1]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:386 - rcpt_list [Lua]}; [2]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:522 - prepare_report [Lua]}; [3]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:607 - process_report_date [Lua]}; [4]:{/usr/share/rspamd/lualib/rspamadm//dmarc_report.lua:703 - <unknown> [Lua]};

DerLinkman commented 2 months ago

Can you show me your dmarc.conf?

schmueller commented 2 months ago

reporting {
  enabled = true;
  email = 'dmarc@xxx.com';
  bcc_addrs = 'root@xxx.com';
  domain = 'xxx.com';
  org_name = 'Muster';
  helo = 'rspamd';
  smtp = 'postfix';
  smtp_port = 25;
  from_name = 'Muster DMARC Report';
  msgid_from = 'rspamd.mail.xxx.com';
  max_entries = 2k;
  keys_expire = 2d;
}

w64 commented 2 months ago

When mailcow sends DMARC Aggregate Reports, some of them are not scored in rspamd and not signed. In the rspamd web interface > History, the column "Pass-through module" shows "Unknown lua". This does not happen every day, but a few times a week. This behavior started after the last update to 2024-08a.

When the receiving MTA analyses the message it responds with "554 5.7.1 rejected by SPF policy for mail.moohooooooo.com and DMARC policy for moohooooooo.com with invalid ARC result. postmaster@receivingserver.com: Recipient address rejected: Message rejected due to: SPF fail - not authorized."

DerLinkman commented 2 months ago

@dragoangel Opinion on that? Or any idea why this is happening?

dragoangel commented 2 months ago

Mailcow's instructions are okay, the problem is somewhere in the new Rspamd. I would recommend opening an issue upstream. And provide a Redis dump with only DMARC-related records in it if possible, for easier debugging.

UPD: actually the user did not follow the configuration instructions, and Rspamd works as expected.

dragoangel commented 2 months ago

> When mailcow sends DMARC Aggregate Reports, some of them are not scored in rspamd and not signed. In the rspamd web interface > History, the column "Pass-through module" shows "Unknown lua". This does not happen every day, but a few times a week. This behavior started after the last update to 2024-08a.
>
> When the receiving MTA analyses the message it responds with "554 5.7.1 rejected by SPF policy for mail.moohooooooo.com and DMARC policy for moohooooooo.com with invalid ARC result. postmaster@receivingserver.com: Recipient address rejected: Message rejected due to: SPF fail - not authorized."

Are you using force actions? Or are you speaking about the outgoing DMARC report being rejected?

If about the outgoing one, I'm not sure how an issue with Lua & Redis is related to wrong SPF.

w64 commented 2 months ago

> Are you using force actions? Or are you speaking about the outgoing DMARC report being rejected? If about the outgoing one, I'm not sure how an issue with Lua & Redis is related to wrong SPF.

I'm not using forced actions - just the default configuration with a few rspamd scores changed, for more accurate SPAM recognition. I'm speaking about outgoing DMARC records, yes. But they are rejected not by my own rspamd in mailcow, but by the receiving mail server (because the message is not signed), for whose domain this DMARC report is about.

dragoangel commented 2 months ago

@schmueller your config is wrong 😅

bcc_addrs = 'root@xxx.com';

While it should be:

bcc_addrs = ["root@xxx.com"];

You lost the array. Even if there is 1 email, it still should be an array and not a string. Please follow the docs properly: https://docs.mailcow.email/post_installation/firststeps-dmarc_reporting/?h=dmarc#send-a-copy-reports-to-yourself
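A pre-flight check for the mistake identified in the comment above, added here as an illustration; it is not part of the thread and not mailcow or Rspamd code. The function names and the LIST_KEYS set are hypothetical, only the `key = value;` form is handled, and the two sample configs are constructed from the one posted in this issue.

```python
import re

# Options in the reporting block that must be arrays. Only bcc_addrs is
# confirmed by this thread; the set is an assumption meant to be extended.
LIST_KEYS = {"bcc_addrs"}


def reporting_body(conf):
    """Return the text between the braces of `reporting { ... }`, or None."""
    m = re.search(r"\breporting\s*\{", conf)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():i]
    return None  # unbalanced braces


def split_statements(body):
    """Split on ';' or newline, ignoring those inside quotes, [...] or # comments."""
    out, buf, quote, depth, comment = [], [], None, 0, False
    for ch in body:
        if comment:
            if ch != "\n":
                continue
            comment = False  # the newline also ends the statement below
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch == "#":
            comment = True
        elif ch in ";\n" and depth == 0:
            out.append("".join(buf).strip())
            buf = []
        else:
            if ch in "'\"":
                quote = ch
            elif ch in "[]":
                depth += 1 if ch == "[" else -1
            buf.append(ch)
    out.append("".join(buf).strip())
    return [s for s in out if s]


def check_dmarc_reporting(conf):
    """Return one finding per list-typed option that was written as a scalar."""
    body = reporting_body(conf)
    if body is None:
        return ["no reporting { } block found"]
    findings = []
    for stmt in split_statements(body):
        key, sep, value = (part.strip() for part in stmt.partition("="))
        is_array = value.startswith("[") and value.endswith("]")
        if sep and key in LIST_KEYS and not is_array:
            findings.append(
                f"{key} must be an array, got {value}; write {key} = [{value}];"
            )
    return findings


# Constructed sample: the one-line config as posted in this issue (shortened).
BROKEN_CONF = ("reporting { enabled = true; email = 'dmarc@xxx.com'; "
               "bcc_addrs = 'root@xxx.com'; domain = 'xxx.com'; }")

# Constructed sample: the same block with the array form from the fix.
FIXED_CONF = """reporting {
  enabled = true;
  email = 'dmarc@xxx.com';
  bcc_addrs = ["root@xxx.com"];  # copy of every report
  domain = 'xxx.com';
}"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_dmarc_reporting(conf) or "ok")
```

Running it against the file before restarting rspamd catches the string form early, rather than leaving it to the report job's last-log file.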

dragoangel commented 2 months ago

@w64 your issue also sounds like a configuration issue, not like something wrong in Mailcow or Rspamd. Better to write in the community Telegram to properly check the case.

schmueller commented 2 months ago

@dragoangel Sorry, I didn't spot that. Thanks for pointing me in the right direction. Now it is working.