Rspamd disables X-Spam-Status header when using "Rewrite Subject" method (#6979) · Issues · ISPConfig / ISPConfig 3

Rspamd disables X-Spam-Status header when using "Rewrite Subject" method

**Component:** Mail / Rspamd Integration **Severity:** High **ISPConfig Version:** 3.2.x, 3.3.x (confirmed on 3.3.0p2) **OS:** Ubuntu 24.04 LTS **Rspamd Version:** 3.x --- ## Summary When a spamfilter policy uses **"Rewrite Subject"** as the spam tag method, the generated Rspamd user configuration sets `"add header" = null`. This prevents the `X-Spam-Status` header from being added to messages, breaking Sieve-based spam filtering for mail forwarding. ## Problem Description ISPConfig treats `add_header` and `rewrite_subject` as mutually exclusive options. When "Rewrite Subject" is selected: - Subject is rewritten with spam prefix ✓ - **X-Spam-Status header is NOT added** ✗ However, the Sieve template (`sieve_filter.master`) relies on `X-Spam-Status: Yes` to: 1. Move spam to Junk folder 2. Stop processing before redirect rules execute Without this header, **spam is forwarded to external addresses** via CC/redirect rules. ## Steps to Reproduce 1. Create spamfilter policy with "Rewrite Subject" method (or use default) 2. Create mailbox with this policy 3. Configure CC to external address (e.g., `info68@sunrise.ch`) 4. Send spam to the mailbox 5. **Result:** Spam is forwarded to external address ## Technical Analysis ### Affected File: `server/conf/rspamd_users.inc.conf.master` **Lines 39-46 (current):** ```php <tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'> "rewrite subject" = <tmpl_var name='rspamd_spam_tag_level'>; "add header" = null; // <-- BUG: Header disabled! </tmpl_if> <tmpl_if name='rspamd_spam_tag_method' op='==' value='add_header'> "add header" = <tmpl_var name='rspamd_spam_tag_level'>; "rewrite subject" = null; </tmpl_if> ``` ### Generated Config Example (k.abegg@metzgabegg.ch): ```lua actions { "rewrite subject" = 6; "add header" = null; // X-Spam-Status NEVER set! reject = 10; greylist = 5; } ``` ### Sieve Template: `server/conf/sieve_filter.master` ```sieve # Move spam to Junk (Lines 8-15) if anyof (header :is ["X-Spam", "X-Spam-Flag"] "Yes", header :matches "X-Spam-Status" "Yes, *") { fileinto :create "Junk"; stop; // <-- Never reached because header missing! } # CC forwarding (Lines 17-22) redirect :copy "info68@sunrise.ch"; // <-- Spam forwarded! ``` ## Real-World Impact From our mail queue: ``` 0EED62C935CF 102975 Tue Jan 27 17:58:33 ykhiywc@mastells.gb.net -> info68@sunrise.ch (greylisted by Sunrise) Subject: "Neoflorax - starke Wirkung gegen Parasiten" X-Spam-Status: No, score=4.73 // <-- "No" because add_header=null! X-Sieve-Redirected-From: k.abegg@metzgabegg.ch ``` **Consequences:** - Server IP reputation damage - Greylisting/rejection by recipient servers - Mail queue buildup with deferred spam - Potential blacklisting ## Proposed Fix Both `add_header` and `rewrite_subject` should be independent. The header is required for Sieve compatibility. **Fixed template (Lines 38-47):** ```php actions { "add header" = <tmpl_var name='rspamd_spam_tag_level'>; <tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'> "rewrite subject" = <tmpl_var name='rspamd_spam_tag_level'>; <tmpl_else> "rewrite subject" = null; </tmpl_if> reject = <tmpl_var name='rspamd_spam_kill_level'>; ``` **Result:** - `X-Spam-Status` header always added (Sieve works) - Subject rewriting still works when selected - Backward compatible ## Patch ```diff --- a/server/conf/rspamd_users.inc.conf.master +++ b/server/conf/rspamd_users.inc.conf.master @@ -36,12 +36,12 @@ JUST_EICAR = <tmpl_var name='rspamd_virus_kill_level'>; </tmpl_if> actions { + "add header" = <tmpl_var name='rspamd_spam_tag_level'>; <tmpl_if name='rspamd_spam_tag_method' op='==' value='rewrite_subject'> "rewrite subject" = <tmpl_var name='rspamd_spam_tag_level'>; - "add header" = null; - </tmpl_if> - <tmpl_if name='rspamd_spam_tag_method' op='==' value='add_header'> - "add header" = <tmpl_var name='rspamd_spam_tag_level'>; + <tmpl_else> "rewrite subject" = null; </tmpl_if> reject = <tmpl_var name='rspamd_spam_kill_level'>; ``` ## Workaround Until officially patched: **Option 1:** Custom template ```bash cp /usr/local/ispconfig/server/conf/rspamd_users.inc.conf.master \ /usr/local/ispconfig/server/conf-custom/rspamd_users.inc.conf.master # Apply patch to conf-custom version ``` **Option 2:** Fix existing configs ```bash sed -i 's/"add header" = null;/"add header" = 5;/g' /etc/rspamd/local.d/users/*.conf systemctl reload rspamd ``` ## Additional Notes 1. This bug likely exists since Rspamd integration was added 2. Rspamd documentation confirms both actions can coexist 3. The current design breaks the contract between Rspamd configs and Sieve filters 4. All users with CC/redirect AND "Rewrite Subject" policy are affected ## Environment Details ``` ISPConfig: 3.3.0p2 OS: Ubuntu 24.04.3 LTS Kernel: 6.8.0-90-generic Rspamd: 3.14.2 Dovecot: 2.3.21 Postfix: 3.8.6 Affected: 326 user configs on this server ``` --- **Reporter:** Cytracon Server Administration **Date:** 2026-01-28 **Contact:** bb@cytracon.info

issue