SMTP Config - postfix/amavis - Missing Header Date

ktim · April 28, 2021, 11:32am

Hi,

I’m trying to setup a GitLab Server but the current SMTP Configuration is not working. GitLab is able to communicate with the Mailserver (postfix and amavis on a different host), but amavis quarantines the emails due to a Missing Date Header. Does this need to be added manually in the GitLab Config? If so, how?

This is the gitlab.rb Config:

 gitlab_rails['smtp_enable'] = true
 gitlab_rails['smtp_address'] = "mailserver-ip"
 gitlab_rails['smtp_port'] = 25
 gitlab_rails['smtp_user_name'] = "username"
 gitlab_rails['smtp_password'] = "password"
 gitlab_rails['smtp_authentication'] = "login"
 gitlab_rails['smtp_enable_starttls_auto'] = false
 gitlab_rails['smtp_tls'] = false
 gitlab_rails['smtp_ssl'] = false
 gitlab_rails['smtp_force_ssl'] = false
 gitlab_rails['gitlab_email_from'] = 'gitlab@host.tld'
 gitlab_rails['gitlab_email_display_name'] = 'GitLab'
 gitlab_rails['gitlab_email_reply_to'] = 'noreply@host.tld'

This is the gitlab-rails console output which results in a timeout but does seem to have a Date:

irb(main):017:0> Notify.test_email('mail@host.tld', 'Subject', 'Content').deliver_now
Notify#test_email: processed outbound mail in 1.1ms
Delivered mail 60894a126dfad_1384e958ac882d@hostname.mail (30002.5ms)
Date: Wed, 28 Apr 2021 11:42:10 +0000
From: GitLab <gitlab@host.tld>
Reply-To: GitLab <noreply@host.tld>
To: mail@host.tld
Message-ID: <60894a126dfad_1384e958ac882d@hostname.mail>
Subject: Subject
Mime-Version: 1.0
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Content</p></body></html>

Traceback (most recent call last):
        2: from (irb):16
        1: from (irb):17:in `rescue in irb_binding'
Net::OpenTimeout (execution expired)

Here’s the amavis output for a specific Test-Email generated via the gitlab-rails console:

Return-Path: gitlab@host.tld
Delivered-To: bad-header-quarantine
X-Envelope-From: gitlab@host.tld
X-Envelope-To: mail@host.tld
X-Envelope-To-Blocked:
X-Quarantine-ID: <AURQ4L_NXvyg>
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: “Date”
X-Spam-Flag: NO
X-Spam-Score: 4.51
X-Spam-Level: ****
X-Spam-Status: No, score=4.51 tag=-999 tag2=6 kill=21 tests=[ALL_TRUSTED=-1,
MISSING_DATE=1.396, MISSING_FROM=1, MISSING_HEADERS=1.207,
MISSING_MID=0.14, MISSING_SUBJECT=1.767]
autolearn=no autolearn_force=no
Received: from host.tld ([127.0.0.1])
by localhost (smtp.mediabrandsww.de [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AURQ4L_NXvyg for mail@host.tld;
Fri, 23 Apr 2021 10:53:02 +0200 (CEST)
Received: from host.tld (unknown [10.72.192.50])
by host.tld (Postfix) with SMTP id 3837AE06C0
for mail@host.tld; Fri, 23 Apr 2021 10:52:22 +0200 (CEST)
Test

Has anyone had the same issue? Is this an issue within gitlab or something else?

Thanks.

iwalker · April 28, 2021, 11:51am

Hi,

For debugging purposes, I would whitelist it so that it doesn’t quarantine the bad header for that particular email address, or just allow amavisd to do something else instead of quarantine, eg: mark subject as spam or something for emails with bad headers. Once you get the email delivered to your mailbox, check the headers there and see what it looks like. If the date field is in the headers, then that would suggest the format is fine.

I used to make anti-spam solutions with amavisd, generally it’s great, but it does generate these false-positives sometimes, even when the headers as you see here are correct. Amavisd unfortunately doesn’t always get it right. I always allowed amavisd to pass bad header emails, since it was just being picky, and flagging legitimate emails as spam.

ktim · April 30, 2021, 8:08am

Hi,

We’ll try that. I’m just not sure as to why amavis would complain about a missing header. Especially the Date Header is one of the only required headers so I’d wonder why GitLab wouldn’t include it by default.
Also wouldn’t Postfix add the missing headers, so that I’d see them in the final email? So I don’t really know if the hader has been added by GitLab or by Postfix.

iwalker · April 30, 2021, 8:23am

Postfix accepts the emails, it injects it into amavisd to scan it for spam/viruses, and then returns it back into postfix for delivery usually on port 10024 and 10025 (depending on your server config). Sometimes amavisd gets it wrong, but ideally whitelist it to bypass amavisd and then check the headers yourself. I basically let amavisd deliver emails that it thought had bad headers, and to be honest, legitimate emails can also get flagged incorrectly despite there not being that much wrong with them. But it’s up to you to choose how you deal with such messages. I much prefer a few spam emails getting through than legitimate emails being blocked incorrectly.

I’ve had plenty of problems since 10 - 15 years with amavisd marking emails as spam incorrectly. You may wish to look into rspamd instead, much better solution, and has a graphical web interface also and will learn emails also based on user-input as to what is spam, and what is legitimate (ham).

ktim · April 30, 2021, 11:05am

Okay, we’ve whitelisted the approriate gitlab Emails so that amavis will just pass them on. This kind of works. If I manually send an email using that sender address the mailserver will just send it.
However, gitlab won’t send anything. My Notify.Test_Email will return the same connection timeout error as it did before, but it does not appear as if the gitlab host actually connects to the mailserver since the maillogs are empty.

iwalker · April 30, 2021, 11:22am

So you’ll need to check /etc/gitlab/gitlab.rb and make sure it’s configured properly. Because if you aren’t getting anything, then that means it’s not communicating with your mailserver properly due to incorrect settings.

ktim · April 30, 2021, 12:05pm

The Config has not changed compared to the last time at which the gitlab host was still available to establish a connection.
But a bit of troubleshooting later reveals that something about the overall configuration was causing the issues, I’m just not yet sure what.

The Mailserver is in DMZ, while the gitlab host is not. Connecting to it using the internal IP worked at first but resulted in the amavis complaints. This is now not working anymore for some reason.
After inserting the Mailserver DMZ IP or rather its Hostname in the gitlab.rb everything works as expected. Mails are delivered immediately and amavis gives them a clean pass instead of complaining about a bad header.

Thank you for your help!