jesper.holck--- via Mailman-users writes:
My problem is not related to anonymous lists. But messages from my lists are blocked by mailcow/rspamd, unless I set "DMARC mitigation action" to "Wrap the message in an outer message From: the list". Here is an example:
We really need to see the corresponding headers. We also need to know more about the configuration of your network (including VMs and containers), and where you're sending mail from. If you are going to substitute IP addresses, I recommend you do that consistently, and with a convention that it makes is easy to identify the public Internet (I use 10/8 addresses for this), your internal network (I use 172.16/12), and the Mailman host(s) (I use 192.168/16 addresses -- these are all just suggestions, and I've never had a problem ignoring the effect of netmasks on routing).[1]
I'm going to reorder the list for clarity.
HFILTER_HOSTNAME_UNKNOWN (8.5) HFILTER_HELO_BADIP (4.5) [172.19.199.3, 1] RDNS_NONE (2)
I guess "HFILTER" refers to the HELO command sent by Mailman to mailcow. "host 172.19.199.3" is a private IP address, so I suspect you are using Docker with multiple containers (different hosts as far as the mail software is concerned). I suspect you need to set up or reconfigure an internal DNS, or configure some kind of host list in Mailcow, to clear this. IIRC rspamd defaults to "reject on >= 15" so if RDNS is part of this group (I'm just guessing), this message is already rejected.
DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, quarantine]
Apparently you have p=quarantine for mydomain.dk. Mail from mydomain.dk will need to have DMARC mitigation of some kind.
R_SPF_FAIL (8) [-all] R_DKIM_REJECT (8) [anotherdomain.dk:s=selector1]
I'd say these are normal, except that between them "reject > 15" is going to reject your message. I would guess that's an rspamd misconfiguration. Also, nothing in your description explains why anotherdomain.dk is signing the message. Is that your personal email provider where you send test messages?
VIOLATED_DIRECT_SPF (3.5) FORGED_W_BAD_POLICY (3)
Not sure what these mean, but the numbers are too big to ignore. Perhaps they'll be fixed in passing if you fix the issues above.
HTML_SHORT_LINK_IMG_1 (2)
You can't do much about this, but if your posters are using short links you might see if you can adjust that deduction down in rspamd.
Everything below is either favorable or you can ignore it as normal.
ARC_REJECT (0.1) [signature check failed: fail, {[1] = sig:mydomain.dk:reject}] RCVD_NO_TLS_LAST (0.1) MIME_BASE64_TEXT (0.1) BAYES_SPAM (0.00002) [21.41%] RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from] MAILLIST (-0.2) [mailman] MIME_GOOD (-0.1) [multipart/mixed, multipart/related, multipart/alternative, text/plain] HAS_LIST_UNSUB (-0.01) FROM_HAS_DN (0) RCPT_COUNT_ONE (0) [1] FROM_NEQ_ENVFROM (0) [test@mydomain.dk, test-bounces@mydomain.dk] TO_EQ_FROM (0) FORGED_SENDER_MAILLIST (0) RCVD_COUNT_THREE (0) [3] HAS_REPLYTO (0) [Jesper.Holck@anotherdomain.dk] PREVIOUSLY_DELIVERED (0) [test@mydomain.dk] REPLYTO_DOM_NEQ_FROM_DOM (0) REPLYTO_DOM_NEQ_TO_DOM (0) TO_DN_EQ_ADDR_ALL (0) FORGED_RECIPIENTS_MAILLIST (0) DKIM_TRACE (0) [anotherdomain.dk:-] MISSING_XM_UA (0) FORGED_SENDER (0) [test@mydomain.dk, test-bounces@mydomain.dk] MIME_TRACE (0) [0:+, 1:+, 2:+, 3:+, 4:~, 5:~, 6:+] TAGGED_RCPT (0) BCC (0)
Footnotes: [1] I use 10/8, 172.16/12), and 192.168/16 addresses, respectively, for public, internal, and Mailman nodes. I've never had a problem ignoring the effect of netmasks on routing, it's all directly addressable. This works because when you've got a Docker network or similar, you can have network problems, but you'd never get to rspamd. These are all just suggestions, of course.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan