Rspamd disables X-Spam-Status header when using "Rewrite Subject" method

Component: Mail / Rspamd Integration Severity: High ISPConfig Version: 3.2.x, 3.3.x (confirmed on 3.3.0p2) OS: Ubuntu 24.04 LTS Rspamd Version: 3.x

Summary

When a spamfilter policy uses "Rewrite Subject" as the spam tag method, the generated Rspamd user configuration sets "add header" = null. This prevents the X-Spam-Status header from being added to messages, breaking Sieve-based spam filtering for mail forwarding.

Problem Description

ISPConfig treats add_header and rewrite_subject as mutually exclusive options. When "Rewrite Subject" is selected:

  • Subject is rewritten with spam prefix ✓
  • X-Spam-Status header is NOT added

However, the Sieve template (sieve_filter.master) relies on X-Spam-Status: Yes to:

  1. Move spam to Junk folder
  2. Stop processing before redirect rules execute

Without this header, spam is forwarded to external addresses via CC/redirect rules.

Steps to Reproduce

  1. Create spamfilter policy with "Rewrite Subject" method (or use default)
  2. Create mailbox with this policy
  3. Configure CC to external address (e.g., info68@sunrise.ch)
  4. Send spam to the mailbox
  5. Result: Spam is forwarded to external address

Technical Analysis

Affected File: server/conf/rspamd_users.inc.conf.master

Lines 39-46 (current):

<tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'>
    "rewrite subject" =  <tmpl_var name='rspamd_spam_tag_level'>;
    "add header" = null;   // <-- BUG: Header disabled!
</tmpl_if>
<tmpl_if name='rspamd_spam_tag_method' op='==' value='add_header'>
    "add header" =  <tmpl_var name='rspamd_spam_tag_level'>;
    "rewrite subject" = null;
</tmpl_if>

Generated Config Example (k.abegg@metzgabegg.ch): 

actions {
    "rewrite subject" = 6;
    "add header" = null;    // X-Spam-Status NEVER set!
    reject = 10;
    greylist = 5;
}

Sieve Template: server/conf/sieve_filter.master 

# Move spam to Junk (Lines 8-15)
if anyof (header :is ["X-Spam", "X-Spam-Flag"] "Yes",
          header :matches "X-Spam-Status" "Yes, *") {
  fileinto :create "Junk";
  stop;   // <-- Never reached because header missing!
}

# CC forwarding (Lines 17-22)
redirect :copy "info68@sunrise.ch";  // <-- Spam forwarded!

Real-World Impact

From our mail queue:

0EED62C935CF  102975 Tue Jan 27 17:58:33  ykhiywc@mastells.gb.net
  -> info68@sunrise.ch (greylisted by Sunrise)

Subject: "Neoflorax - starke Wirkung gegen Parasiten"
X-Spam-Status: No, score=4.73   // <-- "No" because add_header=null!
X-Sieve-Redirected-From: k.abegg@metzgabegg.ch

Consequences:

  • Server IP reputation damage
  • Greylisting/rejection by recipient servers
  • Mail queue buildup with deferred spam
  • Potential blacklisting

Proposed Fix

Both add_header and rewrite_subject should be independent. The header is required for Sieve compatibility.

Fixed template (Lines 38-47):

	actions {
		"add header" = <tmpl_var name='rspamd_spam_tag_level'>;
	<tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'>
		"rewrite subject" = <tmpl_var name='rspamd_spam_tag_level'>;
	<tmpl_else>
		"rewrite subject" = null;
	</tmpl_if>
		reject = <tmpl_var name='rspamd_spam_kill_level'>;

Result:

  • X-Spam-Status header always added (Sieve works)
  • Subject rewriting still works when selected
  • Backward compatible

Patch 

--- a/server/conf/rspamd_users.inc.conf.master
+++ b/server/conf/rspamd_users.inc.conf.master
@@ -36,12 +36,12 @@
 		JUST_EICAR = <tmpl_var name='rspamd_virus_kill_level'>;
 	</tmpl_if>
 		actions {
+			"add header" = <tmpl_var name='rspamd_spam_tag_level'>;
 		<tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'>
 			"rewrite subject" = <tmpl_var name='rspamd_spam_tag_level'>;
-			"add header" = null;
-		</tmpl_if>
-		<tmpl_if name='rspamd_spam_tag_method' op='==' value='add_header'>
-			"add header" = <tmpl_var name='rspamd_spam_tag_level'>;
+		<tmpl_else>
 			"rewrite subject" = null;
 		</tmpl_if>
 			reject = <tmpl_var name='rspamd_spam_kill_level'>;

Workaround

Until officially patched:

Option 1: Custom template

cp /usr/local/ispconfig/server/conf/rspamd_users.inc.conf.master \
   /usr/local/ispconfig/server/conf-custom/rspamd_users.inc.conf.master
# Apply patch to conf-custom version

Option 2: Fix existing configs

sed -i 's/"add header" = null;/"add header" = 5;/g' /etc/rspamd/local.d/users/*.conf
systemctl reload rspamd

Additional Notes

  1. This bug likely exists since Rspamd integration was added
  2. Rspamd documentation confirms both actions can coexist
  3. The current design breaks the contract between Rspamd configs and Sieve filters
  4. All users with CC/redirect AND "Rewrite Subject" policy are affected

Environment Details 

ISPConfig:  3.3.0p2
OS:         Ubuntu 24.04.3 LTS
Kernel:     6.8.0-90-generic
Rspamd:     3.14.2
Dovecot:    2.3.21
Postfix:    3.8.6
Affected:   326 user configs on this server

Reporter: Cytracon Server Administration Date: 2026-01-28 Contact: bb@cytracon.info