Thanks for looking into this. I'm sorry to admit that I unfortunately mixed up two apparently unrelated issues. The first of these was some problem, where my mailman-installation was unable to send mails to some subscribers. The mails were rejected with SPOOFED_UNAUTH messages - I will not deal with this here. My installation is based on Debian 12 (Bookworm), with dockerized versions of Mailcow and Mailman 3 as described here: https://docs.mailcow.email/third_party/mailman3/third_party-mailman3/ The server is a VM, running on Proxmox. Mailcow and Mailman are on the same VM. It took a little time for me to setup things correctly, but mostly it seemed to work nicely. But a week ago it stopped working - I guess because I upgraded Mailcow to 2025-09b. The problem for me right now is that Rspamd rejects all messages, coming from Mailman. Postfix receives mails coming to the mailing lists, but when Mailman tries to forward the mails to the subscribers, Postfix/Rspamd block all of them. Postfix/Rspamd also block mails sent directly from Mailman, such as Welcome-messages - see an example below. In Mailcow, I have under "Options" added 172.19.199.1/24 as a "Forwarding Host" with no spam filter. I hoped this would make Rspamd happy, but apparently not. All messages, sent directly from Mailcow, pass various on-line tests of SSL, SPF, DKIM, and DMARC, and are accepted by other servers (Gmail, Hotmail etc.). All web-interfaces to Mailcow and Mailman work fine. Messages to the various lists are archived, but not sent to the subscribers. Any help appreciated :-) Jesper Example of rspamd rejecting a welcome message from Mailman:
HFILTER_HOSTNAME_UNKNOWN (8.5) DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, No valid DKIM, quarantine] R_SPF_FAIL (8) [-all] HFILTER_HELO_BADIP (4.5) [172.19.199.4, 1] VIOLATED_DIRECT_SPF (3.5) FORGED_W_BAD_POLICY (3) RDNS_NONE (2) SUBJ_EXCESS_QP (1.2) MIME_BASE64_TEXT_BOGUS (1) MID_RHS_NOT_FQDN (0.5) MIME_BASE64_TEXT (0.1) RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from] MAILLIST (-0.2) [mailman] MIME_GOOD (-0.1) [text/plain] HAS_LIST_UNSUB (-0.01) BAYES_HAM (-0.005474) [42.14%] BCC (0) FORGED_SENDER_MAILLIST (0) ARC_SIGNED (0) [mydomain.dk:s=dkim:i=1] TO_DOM_EQ_FROM_DOM (0) FORGED_SENDER (0) [mylist-request@mydomain.dk, mylist-bounces@mydomain.dk] RCPT_COUNT_ONE (0) [1] FROM_NEQ_ENVFROM (0) [mylist-request@mydomain.dk, mylist-bounces@mydomain.dk] MISSING_XM_UA (0) R_DKIM_NA (0) FROM_NO_DN (0) ARC_NA (0) TO_DN_ALL (0) RCVD_COUNT_ZERO (0) [0] TO_MATCH_ENVRCPT_ALL (0) MIME_TRACE (0) [0:+] PRECEDENCE_BULK (0) I don't know how to see the exact contains, including headers, of this message, unfortunately. My understanding is that e.g. DKIM-headers should be provided my Mailcow, not by Mailman itself. Below are contents of various files that may be relevant: Contents of /opt/docker-mailman/docker-compose.yaml: version: '2' services: mailman-core: image: maxking/mailman-core:0.4 # Use a specific version tag (tag latest is not published) container_name: mailman-core hostname: mailman-core restart: unless-stopped volumes: - /opt/mailman/core:/opt/mailman/ stop_grace_period: 30s links: - database:database depends_on: database: condition: service_healthy environment: - DATABASE_URL=postgresql://mailman:mailmanpass@database/mailmandb - DATABASE_TYPE=postgres - DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase - HYPERKITTY_API_KEY=someapikey ports: - "127.0.0.1:8001:8001" # API - "127.0.0.1:8024:8024" # LMTP - incoming emails networks: mailman: (lines cut here) networks: mailman: driver: bridge ipam: driver: default config: - subnet: 172.19.199.0/24 Contents of /opt/docker-mailman/docker-compose.override.yaml: version: '2' services: mailman-core: environment: - DATABASE_URL=postgresql://mailman:vbxsV0Rx7Srqyirc6HzfX6H4qRjo1s@database/mailmandb - HYPERKITTY_API_KEY=3lKR1K6eLuuTA5vxhjQbUGZus8WioQ - TZ=Europe/Berlin - MTA=postfix restart: always networks: - mailman (lines cut here) Contents of /opt/mailcow-dockerized/docker-compose.yml: services: (lines cut here) rspamd-mailcow: image: ghcr.io/mailcow/rspamd:2.3 stop_grace_period: 30s depends_on: - dovecot-mailcow - clamd-mailcow environment: - TZ=${TZ} - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1} - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} - REDISPASS=${REDISPASS} - SPAMHAUS_DQS_KEY=${SPAMHAUS_DQS_KEY:-} volumes: - ./data/hooks/rspamd:/hooks:Z - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z - rspamd-vol-1:/var/lib/rspamd restart: always hostname: rspamd dns: - ${IPV4_NETWORK:-172.22.1}.254 networks: mailcow-network: aliases: - rspamd (lines cut here) postfix-mailcow: image: ghcr.io/mailcow/postfix:1.81 depends_on: mysql-mailcow: condition: service_started unbound-mailcow: condition: service_healthy postfix-tlspol-mailcow: condition: service_started volumes: - ./data/hooks/postfix:/hooks:Z - ./data/conf/postfix:/opt/postfix/conf:z - ./data/assets/ssl:/etc/ssl/mail/:ro,z - postfix-vol-1:/var/spool/postfix - crypt-vol-1:/var/lib/zeyple - rspamd-vol-1:/var/lib/rspamd - mysql-socket-vol-1:/var/run/mysqld/:z environment: - LOG_LINES=${LOG_LINES:-9999} - TZ=${TZ} - DBNAME=${DBNAME} - DBUSER=${DBUSER} - DBPASS=${DBPASS} - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} - REDISPASS=${REDISPASS} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - SPAMHAUS_DQS_KEY=${SPAMHAUS_DQS_KEY:-} cap_add: - NET_BIND_SERVICE ports: - "${SMTP_PORT:-25}:25" - "${SMTPS_PORT:-465}:465" - "${SUBMISSION_PORT:-587}:587" restart: always dns: - ${IPV4_NETWORK:-172.22.1}.254 networks: mailcow-network: ipv4_address: ${IPV4_NETWORK:-172.22.1}.253 aliases: - postfix (lines cut here) netfilter-mailcow: image: ghcr.io/mailcow/netfilter:1.62 stop_grace_period: 30s restart: always privileged: true environment: - TZ=${TZ} - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1} - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n} - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n} - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} - REDISPASS=${REDISPASS} - MAILCOW_REPLICA_IP=${MAILCOW_REPLICA_IP:-} - DISABLE_NETFILTER_ISOLATION_RULE=${DISABLE_NETFILTER_ISOLATION_RULE:-n} network_mode: "host" volumes: - /lib/modules:/lib/modules:ro (lines cut here) networks: mailcow-network: driver: bridge driver_opts: com.docker.network.bridge.name: br-mailcow enable_ipv6: ${ENABLE_IPV6:-true} ipam: driver: default config: - subnet: ${IPV4_NETWORK:-172.22.1}.0/24 - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} (lines cut here) Contents of /opt/mailcow-dockerized/docker-compose.override.yml: services: postfix-mailcow: volumes: - /opt/mailman:/opt/mailman networks: - docker-mailman_mailman rspamd-mailcow: # https://docs.mailcow.email/post_installation/firststeps-dmarc_reporting/ environment: - MASTER=${MASTER:-y} labels: ofelia.enabled: "true" ofelia.job-exec.rspamd_dmarc_reporting_yesterday.schedule: "@every 24h" ofelia.job-exec.rspamd_dmarc_reporting_yesterday.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/bin/rspamadm dmarc_report $(date --date yesterday '+%Y%m%d') > /var/lib/rspamd/dmarc_reports_last_log 2>&1 || exit 0\"" ofelia-mailcow: depends_on: - rspamd-mailcow networks: docker-mailman_mailman: external: true
On Monday, September 15, 2025 10:23 CEST, "Stephen J. Turnbull" <steve@turnbull.jp> wrote:
jesper.holck--- via Mailman-users writes:
My problem is not related to anonymous lists. But messages from my lists are blocked by mailcow/rspamd, unless I set "DMARC mitigation action" to "Wrap the message in an outer message From: the list". Here is an example:
We really need to see the corresponding headers. We also need to know more about the configuration of your network (including VMs and containers), and where you're sending mail from. If you are going to substitute IP addresses, I recommend you do that consistently, and with a convention that it makes is easy to identify the public Internet (I use 10/8 addresses for this), your internal network (I use 172.16/12), and the Mailman host(s) (I use 192.168/16 addresses -- these are all just suggestions, and I've never had a problem ignoring the effect of netmasks on routing).[1]
I'm going to reorder the list for clarity.
HFILTER_HOSTNAME_UNKNOWN (8.5) HFILTER_HELO_BADIP (4.5) [172.19.199.3, 1] RDNS_NONE (2)
I guess "HFILTER" refers to the HELO command sent by Mailman to mailcow. "host 172.19.199.3" is a private IP address, so I suspect you are using Docker with multiple containers (different hosts as far as the mail software is concerned). I suspect you need to set up or reconfigure an internal DNS, or configure some kind of host list in Mailcow, to clear this. IIRC rspamd defaults to "reject on >= 15" so if RDNS is part of this group (I'm just guessing), this message is already rejected.
DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, quarantine]
Apparently you have p=quarantine for mydomain.dk. Mail from mydomain.dk will need to have DMARC mitigation of some kind.
R_SPF_FAIL (8) [-all] R_DKIM_REJECT (8) [anotherdomain.dk:s=selector1]
I'd say these are normal, except that between them "reject > 15" is going to reject your message. I would guess that's an rspamd misconfiguration. Also, nothing in your description explains why anotherdomain.dk is signing the message. Is that your personal email provider where you send test messages?
VIOLATED_DIRECT_SPF (3.5) FORGED_W_BAD_POLICY (3)
Not sure what these mean, but the numbers are too big to ignore. Perhaps they'll be fixed in passing if you fix the issues above.
HTML_SHORT_LINK_IMG_1 (2)
You can't do much about this, but if your posters are using short links you might see if you can adjust that deduction down in rspamd.
Everything below is either favorable or you can ignore it as normal.
ARC_REJECT (0.1) [signature check failed: fail, {[1] = sig:mydomain.dk:reject}] RCVD_NO_TLS_LAST (0.1) MIME_BASE64_TEXT (0.1) BAYES_SPAM (0.00002) [21.41%] RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from] MAILLIST (-0.2) [mailman] MIME_GOOD (-0.1) [multipart/mixed, multipart/related, multipart/alternative, text/plain] HAS_LIST_UNSUB (-0.01) FROM_HAS_DN (0) RCPT_COUNT_ONE (0) [1] FROM_NEQ_ENVFROM (0) [test@mydomain.dk, test-bounces@mydomain.dk] TO_EQ_FROM (0) FORGED_SENDER_MAILLIST (0) RCVD_COUNT_THREE (0) [3] HAS_REPLYTO (0) [Jesper.Holck@anotherdomain.dk] PREVIOUSLY_DELIVERED (0) [test@mydomain.dk] REPLYTO_DOM_NEQ_FROM_DOM (0) REPLYTO_DOM_NEQ_TO_DOM (0) TO_DN_EQ_ADDR_ALL (0) FORGED_RECIPIENTS_MAILLIST (0) DKIM_TRACE (0) [anotherdomain.dk:-] MISSING_XM_UA (0) FORGED_SENDER (0) [test@mydomain.dk, test-bounces@mydomain.dk] MIME_TRACE (0) [0:+, 1:+, 2:+, 3:+, 4:~, 5:~, 6:+] TAGGED_RCPT (0) BCC (0)
Footnotes: [1] I use 10/8, 172.16/12), and 192.168/16 addresses, respectively, for public, internal, and Mailman nodes. I've never had a problem ignoring the effect of netmasks on routing, it's all directly addressable. This works because when you've got a Docker network or similar, you can have network problems, but you'd never get to rspamd. These are all just suggestions, of course.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan