getmail & rspamc

[tilllt]

Another question regarding the integration of rspamd / rspamc with getmail.

Do i need to add the necessary filter to the Getmail config, like from the getmail6 described here for spamassassin or where is rspamd integrated into the process when i use getmail for retrieval and /dovecot/deliver for local delivery?

[filter]
type = Filter_external
path = /usr/local/bin/spamc
arguments = ("-s 10000", )

[polarathene]

I think @casperklein uses Amavis + SpamAssassin, and @georglauterbach uses rspamd.

Not sure if either maintainer uses Getmail, as that was a community contributed alternative to fetchmail motivated by xoauth2 support I think.

If the getmail docs cover it, it may be possible to have it deliver mail to Postfix instead of directly handing off to Dovecot. There would be three options there I think.

• Port 25 like any other mail, but without PERMIT_DOCKER=container it'll likely fail due to enforced security checks unless the sender address is rewritten, probably needs the recipient address rewritten too for proper delivery to avoid sending it back to the original MTA.
• Port 587/465 would be similar if Getmail supports such, except these skip the extra security checks on port 25. I'm not entirely sure about spam processing running on these submission(s) ports since they're authenticated they're meant to be trusted. It's possible one anti-spam service is configured to still run in this case while the other isn't, it's also possible to create a specialized port with any needed adjustments to handle this traffic specifically.
• Postfix has a mail drop folder IIRC. There's also a mail command that delivers mail this way instead of through a port. This likewise skips some initial processing that would run with traffic from the ports (some security checks + authentication I think), but might still support anti-spam processing.

Getmail docs may refer to a relay option where you can provide a mail server to connect to and deliver mail to port 25 or 587/465, which I assume like the MDA delivery allows for changing the recipient address. With DMS port 587/465 will allow you to have any sender address provided you don't have SPOOF_PROTECTION=1, thus it should work fine that way, you'd just need to ensure that still runs through anti-spam.

Alternatively instead of handing off to Postfix and using the existing anti-spam integration we have, you could try integrate getmail with the anti-spam service directly (as you're requesting with filter), but I'm not familiar enough to advise there.

[tilllt]

"in theory" I understand that
"rspamc --mime" is supposed to add spam classification headers to a mail, so it could later be filtered with sieve. In practice I couldn't get it to work (yet).

The documentation and community chatter about getmail is rather scarce, maybe I should change to fetchmail after all if I don't need oauth?

[polarathene]

You could try fetchmail if it's any easier/simpler for you to get this functionality?

I assume the best solution for both though is to deliver via Postfix to try use the DMS anti-spam integration, but I'm not able to allocate time into investigating that for you atm, so it might require some trial and error until you find something that works 😅

[georglauterbach]

To be honest, I have no idea as I am not using getmail. Where did you get the information about the configuration you posted? I may be able to quickly read up on it (no promises though).

[georglauterbach]

I would actually open an issue on the Rspamd repo, they can probably help you better than we can.

[tilllt]

Ok, i will try!

[polarathene]

As mentioned by @polarathene, the other option would be "resending" the mail via sendmail (yuck) or postfix (dont know how) so it gets handled as regular incoming mail... i cannot find docs on that but it seems possible,

sendmail command would do roughly the same as what I had in mind I think regarding bypassing ports to hand over to Postfix.

That command AFAIK creates a mail like swaks would, but then instead of sending it to a port, it drops it in a specific folder Postfix monitors.

• This folder is the maildrop queue
• Amavis + SpamAssassin in DMS is configured (main.cf + master.cf) with a Postfix content filter. I'm not sure if it's related but we also have the pickup service clearing/unsetting any content filter it'd inherit (as per that main.cf linked change for Amavis).
• As the Postfix docs on Content Filter show, both postdrop (responsible for /var/spool/postfix/maildrop) + sendmail commands are after the content filter, to use it requires Postfix delivery agents (local/smtp/pipe), thus I don't think these commands or directly storing mail at the maildrop folder will get processed through Amavis.
• pickup (maildrop queue) and smtpd services both take mail they receive and put that through a cleanup service. For ports 587 + 465, DMS assigns a separate cleanup service which has a filter on headers to strip.

EDIT: This lengthy discussion seems to touch on a fetchmail vs getmail difference and the user inquiring how to have getmail hand mail off to Postfix for delivering through content filter (DMS only uses this for Amavis, not rspamd).

Rspamd in DMS is configured in Postfix a bit differently by using an smtpd milter instead, which as the Postfix milter docs state.. smtpd milters are only available for incoming mail through the smtpd service (master.cf), effectively the mailserver ports. sendmail likewise will skip this.

Per the EDIT above that discussion noted some differences between fetchmail and getmail, one being that fetchmail can deliver via SMTP while getmail only supports handing mail off to mail storage locations or programs that are responsible for that (MDA's, like Dovecot). The discussion seems to point out that sending the mail retrieved through SMTP is a bad idea and gives fetchmail some flack about that due to various issues it is said to cause.

---

I may have skimped through the linked resources too much and be mistaken btw. The content filter docs describe an advanced pattern with using two ports as we've got Amavis configured with, that ingests incoming mail, then sends it back through to Postfix on a separate port (10025) for smtpd (with content_filter unset, like we have with pickup). Those docs also describe something about before/after content filter queuing.

Someone with more time and motivation would need to dig further into that, but hopefully the linked resources provide a good starting point for that.

I'm not sure how much of the rspamd configuration we have is tied to Postfix, or if that's just the milter config setting only, in which case you could probably find the equivalent rspamd binary for getmail to call in the filter config.

[polarathene]

Just a heads-up I looked into this for you and the getmail config appears to be quite simple if you use rspamc as an external MDA that then delivers to Dovecot via --exec.

I don't think the command leverages exit codes or stderr to convey a difference for getmail filter configuration to work, but that's probably ok in this case as the retrieved mail would always be delivered and just delivered through Dovecot with our sieve scripts for junk mail being triggered (this can store it in a junk folder or discard it).

---

I'll provide a proper answer write-up tomorrow, but basically you should be good with this:

Old getmail config to deliver via Dovecot:

[destination]
type = MDA_external
allow_root_commands = true
path = /usr/lib/dovecot/deliver
arguments = ("-d","[email protected]")

New getmail config that uses rspamc to rewrite the mail with spam headers and send to dovecot:

[destination]
type = MDA_external
allow_root_commands = true
path = /usr/bin/rspamc
arguments = ("--mime", "--exec", "/usr/lib/dovecot/deliver -d [email protected]")

You'll probably need to add another argument --hostname mail.example.com (split it into two double quoted values like the --exec arg is shown above).

This is only required with the default DMS rspamd config to use a hostname check which you may still want for any other incoming mail to Postfix. With getmail calling rspamdc directly instead of the Postfix milter handling hostname, if you don't use --hostname arg you'd not have any hostname provided to rspamc and thus always get our modified spam score (+6) that adds the X-SPAM: yes header.

If the score is high enough the rspamd action change to reject, it'll still be delivered (which may be an issue for virus content?), if you don't want that I think you'd need to get something sorted for the getmail filter config instead, perhaps a wrapper script with grep on the rspamc stdout output.

[tilllt]

I was so blind trying to get rspamc into the filter section of getmail while this is the obvious better solution. and it works!

Thanks AGAIN!

X-getmail-retrieved-from-mailbox: INBOX
X-Spam-Scanner: rspamc 3.11.0
X-Spam-Scan-Time: 0.072
X-Spam-Action: no action
X-Spam-Score: 2.00 / 11.00
X-Spam-Level: **
X-Spam-Symbols: FROM_EQ_ENVFROM,
	RCVD_COUNT_FIVE,
	TO_DN_NONE,
	PREVIOUSLY_DELIVERED,
	MIME_GOOD,
	HTML_SHORT_LINK_IMG_1,
	MID_RHS_MATCH_FROM,
	RCVD_VIA_SMTP_AUTH,
	ARC_NA,
	FROM_NO_DN,
	MISSING_XM_UA,
	MIME_TRACE,
	RCVD_NO_TLS_LAST,
	RCPT_COUNT_ONE

[polarathene]

Solution

The easiest approach is adjusting the Getmail config for [destination], not bothering with any of the alternative filter config (which would be more cumbersome in this case).

This will always have the retrieved mail delivered to Dovecot regardless of rspamd scan results, but you can use Sieve rules on the rspamd added headers if you need more than automatic migration to mailbox Junk folder (triggered by X-Spam: yes).

---

Adapting from the example I gave in the related getmail discussion, this one modifies dms-getmail to use rspamd + clamav, and I disregard the TLS setup, so all a single compose.yaml:

services:
  dms-getmail:
    image: ghcr.io/docker-mailserver/docker-mailserver:edge # (will become :15.0)
    hostname: mail.example.test
    environment:
      ENABLE_GETMAIL: 1
      # We only change this setting to 1 minute for quicker testing:
      GETMAIL_POLL: 1
      # Enable Rspamd + Disable equivalent default services it replaces:
      ENABLE_RSPAMD: 1
      ENABLE_AMAVIS: 0
      ENABLE_OPENDKIM: 0
      ENABLE_OPENDMARC: 0
      ENABLE_POLICYD_SPF: 0
      # Anti-virus support (rspamd integrated),
      # NOTE: that rspamc command may fail early into container startup until clamav is actually ready.
      ENABLE_CLAMAV: 1
    # You'd normally use `volumes` here but for simplicity of the example, all config is contained within `compose.yaml`:
    configs:
      - source: dms-accounts-getmail
        target: /tmp/docker-mailserver/postfix-accounts.cf
      - source: getmail-jane
        target: /tmp/docker-mailserver/getmail/jane.cf

  dms-remote:
    image: ghcr.io/docker-mailserver/docker-mailserver:edge
    hostname: mail.remote.test
    environment:
      # Allows for us send a test mail easily by trusting any mail client run within this container (`swaks`):
      PERMIT_DOCKER: container
    configs:
      - source: dms-accounts-remote
        target: /tmp/docker-mailserver/postfix-accounts.cf

# Using the Docker Compose `configs.content` feature instead of volume mounting separate files.
# NOTE: This feature requires Docker Compose v2.23.1 (Nov 2023) or newer:
# https://github.com/compose-spec/compose-spec/pull/446
configs:
  # Basic getmail config to retrieve mail from an account at another mail server via IMAP credentials:
  getmail-jane:
    content: |
      [retriever]
      # To minimize config, this example will instead use port 143 without TLS verification:
      #type = SimpleIMAPSSLRetriever
      type = SimpleIMAPRetriever
      server = mail.remote.test
      username = [email protected]
      password = secret

      [destination]
      type = MDA_external
      allow_root_commands = true
      path = /usr/bin/rspamc
      arguments = ("--mime", "--hostname", "localhost", "--exec", "/usr/lib/dovecot/deliver -d [email protected]")

  # DMS requires an account to complete setup, provide one for each DMS instance:
  # NOTE:
  # - Both accounts are configured with the same password `secret` (SHA512-CRYPT hashed).
  # - To opt-out of Docker Compose variable interpolation, `$` must be escaped as `$$`.
  dms-accounts-getmail:
    content: |
      [email protected]|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.

  dms-accounts-remote:
    content: |
      [email protected]|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.

NOTE: By default if SSL_TYPE ENV is not configured, you'll find a warning log about insecure setup. This adjusts Postfix and Dovecot to support plain-text connections instead of enforcing TLS, which is why type = SimpleIMAPRetriever works in this case.

---

Testing example and breakdown

You can use swaks to send a test email with the EICAR anti-virus test file as an attachment:

docker compose exec dms-remote swaks \
  --server mail.remote.test \
  --port 25 \
  --from [email protected] \
  --to [email protected] \
  --attach 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

Which delivers a mail like this:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.remote.test
        by mail.remote.test with LMTP
        id fWUSFyyHpmcYBAAA88HVfQ
        (envelope-from <[email protected]>)
        for <[email protected]>; Fri, 07 Feb 2025 22:20:28 +0000
Received: from localhost (localhost [127.0.0.1])
        by mail.remote.test (Postfix) with ESMTP id 4905B182940
        for <[email protected]>; Fri,  7 Feb 2025 22:20:28 +0000 (UTC)
Received: from mail.remote.test (mail.remote.test [172.19.0.2])
        by mail.remote.test (Postfix) with ESMTP id A710B181CEE
        for <[email protected]>; Fri,  7 Feb 2025 22:20:27 +0000 (UTC)
Date: Fri, 07 Feb 2025 22:20:27 +0000
To: [email protected]
From: [email protected]
Subject: test Fri, 07 Feb 2025 22:20:27 +0000
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1031"

------=_MIME_BOUNDARY_000_1031
Content-Type: text/plain

This is a test mailing
------=_MIME_BOUNDARY_000_1031
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Transfer-Encoding: BASE64

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=

------=_MIME_BOUNDARY_000_1031--

When getmail in the dms-getmail container retrieves it from dms-remote container, it'll be the same content but stored into [email protected] mailbox, with the only change in content being an extra header added:

X-getmail-retrieved-from-mailbox: INBOX

For reference if set the general options received = true + delivered_to = true (upstream defaults that DMS defaults to false instead), then getmail will prepend content like this to the mail file (not that useful):

Delivered-To: unknown
Received: from mail.remote.test (172.19.0.3:143) by mail.example.test with
  IMAP4 getmail6 msgid:1738968703/1; 07 Feb 2025 22:52:44 -0000

With the getmail [destination] config change to process through rspamd, when getmail hands it off to rspamc we also get the following headers added (without --hostname localhost arg):

X-Spam-Scanner: rspamc 3.11.0
X-Spam-Scan-Time: 0.59
X-Spam: yes
X-Spam-Action: reject
X-Spam-Score: 9.00 / 11.00
X-Spam-Level: *********
X-Spam-Symbols: HFILTER_HOSTNAME_UNKNOWN,
        FROM_EQ_ENVFROM,
        HFILTER_FROMHOST_NORES_A_OR_MX,
        TO_DN_NONE,
        PREVIOUSLY_DELIVERED,
        CLAM_VIRUS,
        RECEIVED_HELO_LOCALHOST,
        MIME_GOOD,
        RCVD_COUNT_THREE,
        DMARC_NA,
        R_DKIM_NA,
        ARC_NA,
        FROM_NO_DN,
        MISSING_XM_UA,
        MIME_TRACE,
        RCVD_NO_TLS_LAST,
        RCPT_COUNT_ONE,
        HAS_ATTACHMENT

With the --hostname localhost this would not have HFILTER_HOSTNAME_UNKNOWN, reducing the X-Spam-Score to 6. The CLAM_VIRUS symbol will ensure that the X-Spam-Action is reject, but since we've only configured for [destination] with Getmail config, this will still be delivered to Dovecot, where the X-Spam: yes header will have sieve move it into the Junk folder of the mailbox (due to default MOVE_SPAM_TO_JUNK=1).

We could probably add a sieve rule for X-Spam-Action: reject mail received to delete the mail, or check X-Spam-Symbols for CLAM_VIRUS to quarantine instead 🤷‍♂️ (normally such mail wouldn't make it to Dovecot as the Postfix smtpd milter for rspamd should prevent that, so this is only really relevant for getmail/fetchmail?) It seems that rspamd also supports quarantine and discard for actions, but seem to rely upon an MTA / integration to hint assignment?

---

Troubleshooting

Reference: rspamc docs (roughly equivalent to running rspamc --help).

This may be more convenient for testing rspamc directly instead of relying on swaks to create and send mail (more useful for testing rspamd milter within DMS, which differs a bit in behaviour vs getmail + rspamc)

We can create a file similar to the email content swaks generated (nano /tmp/example-eicar.eml):

From: Docker Mail Server <[email protected]>
To: Existing Local User <[email protected]>
Date: Sat, 22 May 2010 01:23:45 -0000
Subject: Test Message
Message-Id: <[email protected]>

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="emailboundary"

This is a multi-part message in MIME format with the EICAR virus.
--emailboundary
Content-Type: text/plain

This is the body of the message.
--emailboundary
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Transfer-Encoding: BASE64

H4sIAAAAAAAAA4sw9VcMUHVwDIg2iQmIijA10QiI0zR3dtY0r1Vx9XR2DNINDnH0c3EMctF19Avx
DPMMCg3WDXENDtF18/RxVVTx0PbQ4gIA2yvQHUUAAAA=

--emailboundary--

Now you can run rspamc against that mail content:

$ rspamc --hostname localhost /tmp/example-eicar.eml

Results for file: stdin (0.625 seconds)
[Metric: default]
Action: reject
Spam: true
Score: 2.50 / 11.00
Symbol: ARC_NA (0.00)
Symbol: CLAM_VIRUS (0.00)[Eicar-Signature]
Symbol: DATE_IN_PAST (1.00)[129045]
Symbol: DMARC_NA (0.50)[remote.test]
Symbol: FROM_HAS_DN (0.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MIME_TRACE (0.00)[0:+]
Symbol: MISSING_XM_UA (0.00)
Symbol: ONCE_RECEIVED (0.10)
Symbol: RCPT_COUNT_ONE (0.00)[1]
Symbol: RCVD_COUNT_ZERO (0.00)[0]
Symbol: R_DKIM_NA (1.00)
Symbol: TO_DN_ALL (0.00)
Message-ID: [email protected]
Message - smtp_message: ClamAV FOUND VIRUS "Eicar-Signature"

Without --mime, you get to see only the relevant rspamd scan info. Otherwise you can get the modified mail, which is what the --exec arg to send to Dovecot would receive.

# You can also provide the mail content via STDIN like shown here,
# `--mime` will output the mail with updated headers to STDOUT:
$ rspamc --mime --hostname localhost < /tmp/example-eicar.eml

From: Docker Mail Server <[email protected]>
To: Existing Local User <[email protected]>
Date: Sat, 22 May 2010 01:23:45 -0000
Subject: Test Message
Message-Id: <[email protected]>
X-Spam-Scanner: rspamc 3.11.0
X-Spam-Scan-Time: 0.647
X-Spam: yes
X-Spam-Action: reject
X-Spam-Score: 2.50 / 11.00
X-Spam-Level: ***
X-Spam-Symbols: DATE_IN_PAST,
        FROM_HAS_DN,
        TO_DN_ALL,
        CLAM_VIRUS,
        DMARC_NA,
        MIME_GOOD,
        R_DKIM_NA,
        RCVD_COUNT_ZERO,
        ONCE_RECEIVED,
        ARC_NA,
        RCPT_COUNT_ONE,
        MISSING_XM_UA,
        MIME_TRACE

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="emailboundary"

This is a multi-part message in MIME format with the EICAR virus.
--emailboundary
Content-Type: text/plain

This is the body of the message.
--emailboundary
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Transfer-Encoding: BASE64

H4sIAAAAAAAAA4sw9VcMUHVwDIg2iQmIijA10QiI0zR3dtY0r1Vx9XR2DNINDnH0c3EMctF19Avx
DPMMCg3WDXENDtF18/RxVVTx0PbQ4gIA2yvQHUUAAAA=

--emailboundary--

So despite X-Spam-Score: 2.50 we can see that we still have X-Spam: yes + X-Spam-Action: reject.

So we configure Getmail with the extra --exec arg to send an rspamd scanned email through Dovecot (like we originally had in the [destination] config). If you need to try this on a mail that Dovecot already stored, you can do the following (with/without the --exec arg):

rspamc --mime --exec '/usr/lib/dovecot/deliver -d [email protected]' < /var/mail/example.test/john.doe/new/1738966841.M905144P2104.mail.example.test,S=1298,W=1335

Without the EICAR content

Just for additional reference:

From: Docker Mail Server <[email protected]>
To: Existing Local User <[email protected]>
Date: Sat, 22 May 2010 01:23:45 -0000
Subject: Test Message
Message-Id: <[email protected]>

MIME-Version: 1.0
Content-Type: text/plain

This is the body of the message.

No virus will be flagged now, nor is the hostname an issue, so the score is low enough for the action to be set as no action:

$ rspamc --hostname localhost /tmp/example.eml

Results for file: stdin (1.02 seconds)
[Metric: default]
Action: no action
Spam: false
Score: 2.50 / 11.00
Symbol: ARC_NA (0.00)
Symbol: DATE_IN_PAST (1.00)[129046]
Symbol: DBL_BLOCKED_OPENRESOLVER (0.00)[localhost:rdns, mail.remote.test:mid]
Symbol: DMARC_NA (0.50)[remote.test]
Symbol: FROM_HAS_DN (0.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MIME_TRACE (0.00)[0:+]
Symbol: MISSING_XM_UA (0.00)
Symbol: ONCE_RECEIVED (0.10)
Symbol: RCPT_COUNT_ONE (0.00)[1]
Symbol: RCVD_COUNT_ZERO (0.00)[0]
Symbol: R_DKIM_NA (1.00)
Symbol: TO_DN_ALL (0.00)
Message-ID: [email protected]

Without the hostname arg, the HFILTER_HOSTNAME_UNKNOWN score of +6 we have changes the action to add header, which adds X-Spam: yes:

$ rspamc /tmp/example.eml

Results for file: stdin (0.025 seconds)
[Metric: default]
Action: add header
Spam: true
Score: 8.50 / 11.00
Symbol: ARC_NA (0.00)
Symbol: DATE_IN_PAST (1.00)[129046]
Symbol: DBL_BLOCKED_OPENRESOLVER (0.00)[mail.remote.test:mid]
Symbol: DMARC_NA (0.50)[remote.test]
Symbol: FROM_HAS_DN (0.00)
Symbol: HFILTER_HOSTNAME_UNKNOWN (6.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MIME_TRACE (0.00)[0:+]
Symbol: MISSING_XM_UA (0.00)
Symbol: ONCE_RECEIVED (0.10)
Symbol: RCPT_COUNT_ONE (0.00)[1]
Symbol: RCVD_COUNT_ZERO (0.00)[0]
Symbol: R_DKIM_NA (1.00)
Symbol: TO_DN_ALL (0.00)
Message-ID: [email protected]

[polarathene]

Regarding HFILTER_HOSTNAME_UNKNOWN / rspamc --hostname localhost

DMS increases the score for the rspamd symbol HFILTER_HOSTNAME_UNKNOWN to 6 (from this PR) to match a similar feature from Postfix (reject_unknown_client_hostname).

The adjusted score ensures the rspamd action will add the X-Spam: yes header (regardless it'll still add these headers: X-Spam-Scan-Time, X-Spam-Action, X-Spam-Score, X-Spam-Level). I do not see much documentation for rspamd HFILTER_ symbols beyond this minimal docs page, so logic there isn't really clarified (EDIT: Seems to be handled here in Lua).

• Rspamd repo conf/scores.d/hfilter_group.conf: "Unknown client hostname (PTR or FCrDNS verification failed)"
• 2018 article was a search result with the prior symbol description (also changed in 2018): "Unknown hostname (no PTR or no resolve PTR to hostname)"

However the Lua appears to retrieve the hostname (provided via rspamc --hostname or from the rspamd integration like Postfix smtpd milter) which then is used as a key into a map object to check if the hostname matches any regex pattern and if so assign a max weight of 1-5 (used as suffix to the HFILTER_HOSTNAME_ symbol). Similar is done for other checks like HELO (can provide via --helo) that forbid some other values like having .local or .localdomain as the TLD (or a single DNS label, no . present).

• Assignment of checks_hellohost to checks_hellohost_map
• Actual checks_hellohost map

HFILTER_UNKNOWN_HOSTNAME is only emitted when rspamd lacks the hostname (value is nil) to query checks_hellohost_map:get_key(hostname). With rspamc that's why --hostname needs to be explicitly provided but this problem can also happen with some mail servers (as this discussion thread details, with an attempt to fix via PR to rspamd that was rejected). The linked discussion thread also points out the definition of task:get_hostname().

Thus no actual "PTR or FCrDNS verification" performed by Rspamd for HFILTER_UNKNOWN_HOSTNAME even with milters AFAIK. That functionality is delegated to the service integrating with rspamd to provide the hostname, otherwise we get this failure.

Since this post is already a top result for getmail + rspamc keywords, hopefully this helps others looking for more information / insights on HFILTER_UNKNOWN_HOSTNAME too since that info is a bit scarce.

[tilllt]

@polarathene

thanks to your guidance i am running DMS / RSpam now "in real life" deployment, with Snappymail as webmailer on top and soon a borg / borgmatic container in the stack for backup. For me this is the perfect setup, since i dont want the hassle of directly receiving and sending the mail but using getmail and smtp relay.

Thanks again and when i have some time i will try to make a writeup on the complete "DMS Mailcollector" setup.