Rspamd 4.1.0 dropped on June 5 — a major release tagged “recommended upgrade for all users” by the development team. There’s enough in it that’s immediately relevant to anyone running a mail server to warrant reading the changelog before blindly upgrading.

The security fixes

This release addresses several memory-safety issues that can be triggered by crafted incoming mail.

S/MIME DoS via recursive PKCS7: A deeply nested application/pkcs7-mime message re-entered the parser without incrementing the nesting counter. In practice this means a malicious sender could craft a message that exhausts your rspamd worker’s stack. The fix gates S/MIME re-entry against the existing max_nested limit.

S/MIME NULL dereference: A zero-length pkcs7-data OCTET STRING inside an S/MIME signed message crashed the parser outright. This one doesn’t require a deeply nested structure — just a malformed but syntactically plausible signed message.

URL query nesting DoS: A crafted message with a few levels of percent-escaped nested query URLs exhausted the multipattern hyperscan scratch pool and aborted the worker via assertion. Fixed; scratch exhaustion is now non-fatal.

DNS label overrun: rdns_parse_labels never verified that label data fit within the packet. A malicious DNS reply could cause a memcpy to read past the buffer. Both plain and compressed labels are now validated, with an off-by-one fix in offset decompression.
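To make the DNS fix concrete, here is a bounds-checked DNS name decoder written for this post; it is an added example and not rspamd's rdns code. It performs the checks the changelog describes: a label's bytes must lie inside the packet before they are copied, and a compression pointer must have both of its bytes inside the packet and point strictly backwards (which also rules out pointer loops). The packet bytes and offsets below are constructed for illustration.

```python
"""Bounds-checked DNS name decoder (added example, not rspamd's rdns code)."""
from __future__ import annotations

MAX_LABEL_LEN = 63   # RFC 1035 label limit
MAX_NAME_LEN = 255   # RFC 1035 name limit


class MalformedName(ValueError):
    """Raised when a name would read outside the packet or loops."""


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode the DNS name at `offset`; return (name, offset after its in-line bytes)."""
    labels: list[str] = []
    total = 0           # octets consumed by the full name, for the 255 limit
    end_after = None    # position just after the first (in-line) occurrence
    pos = offset
    plen = len(packet)

    while True:
        if pos >= plen:
            raise MalformedName(f"length byte at {pos} is past packet end ({plen})")
        length = packet[pos]
        if length == 0:                      # root label terminates the name
            pos += 1
            break
        kind = length & 0xC0
        if kind == 0xC0:                     # compression pointer (2 bytes)
            if pos + 1 >= plen:
                raise MalformedName(f"truncated compression pointer at {pos}")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            # Must point strictly backwards: forward and self pointers would
            # loop, and a backwards target is automatically inside the packet.
            if target >= pos:
                raise MalformedName(f"pointer at {pos} targets {target}, not backwards")
            if end_after is None:
                end_after = pos + 2
            pos = target
            continue
        if kind != 0:
            raise MalformedName(f"reserved label type 0x{kind:02x} at {pos}")
        if length > MAX_LABEL_LEN:
            raise MalformedName(f"label length {length} exceeds {MAX_LABEL_LEN}")
        # The label's data must fit inside the packet; this is the check the
        # changelog says was missing before the memcpy.
        if pos + 1 + length > plen:
            raise MalformedName(f"label of {length} bytes at {pos} overruns packet of {plen}")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedName("name exceeds 255 octets")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

    if end_after is None:
        end_after = pos
    return ".".join(labels) + ".", end_after


def name_is_well_formed(packet: bytes, offset: int) -> bool:
    """Convenience wrapper: True if decode_name accepts the name."""
    try:
        decode_name(packet, offset)
        return True
    except MalformedName:
        return False


# Constructed sample: 12-byte zero header, "www.example.com." at offset 12,
# then a compression pointer at offset 29 back to "example.com." (offset 16).
HEADER = bytes(12)
SAMPLE_PACKET = HEADER + b"\x03www\x07example\x03com\x00" + b"\xc0\x10"

if __name__ == "__main__":
    print(decode_name(SAMPLE_PACKET, 12))   # ('www.example.com.', 29)
    print(decode_name(SAMPLE_PACKET, 29))   # ('example.com.', 31)
    print(name_is_well_formed(HEADER + b"\x05abc", 12))  # False: label overruns packet
```

The second return value is the offset after the name's in-line bytes (after the pointer, when one was followed), which is what a caller walking the rest of the reply needs; the decoded text is kept separate from the cursor so the two can never be confused.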

None of these have CVE identifiers yet, but the crash-on-receipt nature of the S/MIME issues is the kind of thing that gets weaponized. Upgrade soon.

The breaking change: MX check symbol rename

If you’ve tuned custom scores around MX_NXDOMAIN or MX_MISSING, those symbols are gone. Version 4.1.0 replaces them with a single MX_NONE. The module also reworks its Redis cache from a single domain-keyed entry to three layers (d:, m:, i: prefixes), so domains sharing an MX host — every Google Workspace tenant, every Microsoft 365 customer, every ESP sharing an IP pool — now reuse cached entries instead of repeating lookups.

Before upgrading: audit any custom composite rules or score overrides that reference the old symbol names.
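The audit can be scripted. The following is an added example written for this post, not a tool shipped with rspamd: it scans configuration text for the retired symbols and reports each occurrence with the replacement. The sample composite and score-override snippets are constructed for illustration, and the `.conf`/`.lua` file patterns and the `local.d`/`override.d` layout it walks are assumptions about a typical install.

```python
"""Pre-upgrade audit for the rspamd 4.1.0 mx_check symbol rename (added example)."""
from __future__ import annotations

import re
from pathlib import Path

# Symbols removed in 4.1.0 and what replaces them.
RETIRED = {"MX_NXDOMAIN": "MX_NONE", "MX_MISSING": "MX_NONE"}
_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, RETIRED)) + r")\b")


def find_retired_symbols(text: str, source: str = "<text>") -> list[dict]:
    """Return one record per reference to a retired symbol in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # whole-line comment: nothing to migrate
        for m in _PATTERN.finditer(line):
            hits.append({
                "source": source,
                "line": lineno,
                "symbol": m.group(1),
                "replacement": RETIRED[m.group(1)],
                "text": line.strip(),
            })
    return hits


def audit_config_dir(root: Path) -> list[dict]:
    """Walk a config tree (assumed: local.d/ and override.d/ under root) for hits."""
    hits = []
    for pattern in ("*.conf", "*.lua"):
        for path in sorted(root.rglob(pattern)):
            hits.extend(find_retired_symbols(path.read_text(errors="replace"), str(path)))
    return hits


def format_report(hits: list[dict]) -> str:
    return "\n".join(
        f"{h['source']}:{h['line']}: {h['symbol']} -> {h['replacement']}   {h['text']}"
        for h in hits
    ) or "no references to retired mx_check symbols"


# Constructed samples standing in for local.d files.
SAMPLE_COMPOSITES = """\
# constructed sample of a composite rule
MX_AND_SPF_FAIL {
    expression = "MX_NXDOMAIN & R_SPF_FAIL";
    score = 3.0;
}
"""
SAMPLE_SCORES = """\
# constructed sample of score overrides
symbol "MX_MISSING" { score = 2.5; }
symbol "MX_NXDOMAIN" { score = 3.5; }
# symbol "MX_MISSING" { score = 9; }   old value, commented out
"""

if __name__ == "__main__":
    hits = find_retired_symbols(SAMPLE_COMPOSITES, "composites.conf")
    hits += find_retired_symbols(SAMPLE_SCORES, "metrics.conf")
    print(format_report(hits))
    # For a live install: print(format_report(audit_config_dir(Path("/etc/rspamd"))))
```

Because both old symbols collapse into one, a composite that treated MX_NXDOMAIN and MX_MISSING differently cannot be translated mechanically; the script only locates the lines so you can decide what the combined MX_NONE score should be.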

ARC and DKIM fixes worth knowing about

ARC header ordering: rspamd was emitting ARC sets in hash order rather than the conventional ARC-Seal / ARC-Message-Signature / ARC-Authentication-Results sequence. Microsoft 365 validates header order strictly; if your server is forwarding mail through an ARC chain to O365 recipients, some of that mail may have been rejected or mis-routed. This is now fixed.

DKIM permfail mapping: An invalid DKIM record was mapping to dkim=none in Authentication-Results headers instead of dkim=permerror. This matters because dkim=none (“no signature found”) and dkim=permerror (“record exists but is broken”) have different semantics for downstream DMARC evaluation. A misconfigured DNS record was being silently treated as an absent one.
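Both of these fixes leave a visible trace in outgoing headers, so they can be checked from the receiving side. The following added example, written for this post and not part of rspamd, covers the two preceding paragraphs: `check_arc_order` verifies that each ARC set (same `i=` instance) appears top-down as ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results, and `check_dkim_result` flags the permerror symptom, a message that carries a DKIM-Signature while the Authentication-Results header reports `dkim=none`. The two sample messages are constructed with dummy signature values; the authserv-id `mx.example.net` and the domains are placeholders.

```python
"""Header checks for ARC set order and DKIM result mapping (added example)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

ARC_ORDER = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
_CANONICAL = {n.lower(): n for n in ARC_ORDER}
_INSTANCE = re.compile(r"(?:^|;)\s*i\s*=\s*(\d+)")
_DKIM_RESULT = re.compile(r"\bdkim\s*=\s*([a-z]+)", re.I)


def parse(text: str) -> EmailMessage:
    return email.message_from_string(text, policy=policy.default)


def _instance(value: str) -> int:
    m = _INSTANCE.search(value)
    if not m:
        raise ValueError("ARC header without an i= tag")
    return int(m.group(1))


def check_arc_order(msg: EmailMessage) -> list[str]:
    """Return problems found; empty list means every ARC set is in order."""
    sets: dict[int, list[str]] = {}
    # items() yields headers in on-the-wire (top-down) order.
    for name, value in msg.items():
        canonical = _CANONICAL.get(name.lower())
        if canonical is not None:
            sets.setdefault(_instance(str(value)), []).append(canonical)
    problems = []
    for i, seen in sorted(sets.items()):
        if tuple(seen) != ARC_ORDER:
            problems.append(f"ARC set i={i}: order {seen} != {list(ARC_ORDER)}")
    return problems


def check_dkim_result(msg: EmailMessage, authserv_id: str | None = None) -> list[str]:
    """Flag dkim=none when a DKIM-Signature is present (none means 'no signature')."""
    has_signature = msg.get("DKIM-Signature") is not None
    problems = []
    for ar in msg.get_all("Authentication-Results", []):
        text = str(ar)
        if authserv_id and not text.strip().startswith(authserv_id):
            continue  # only inspect the header written by our own verifier
        results = [r.lower() for r in _DKIM_RESULT.findall(text)]
        if has_signature and "none" in results:
            problems.append("DKIM-Signature present but Authentication-Results says dkim=none")
    return problems


# Constructed samples. Signature values are dummies; the domains are placeholders.
GOOD_MSG = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=example.net; s=arc; t=1700000000;
 b=dummyseal==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=arc; h=from:to:subject; bh=dummyhash=; b=dummysig==
ARC-Authentication-Results: i=1; mx.example.net; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:subject;
 bh=dummyhash=; b=dummysig==
From: sender@example.org
To: rcpt@example.net
Subject: constructed sample

body
"""

# Same message with the ARC set emitted in the wrong order and the broken
# DKIM record reported as dkim=none instead of dkim=permerror.
BAD_MSG = """\
ARC-Authentication-Results: i=1; mx.example.net; spf=pass smtp.mailfrom=example.org;
 dkim=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=arc; h=from:to:subject; bh=dummyhash=; b=dummysig==
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=example.net; s=arc; t=1700000000;
 b=dummyseal==
Authentication-Results: mx.example.net; dkim=none
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:subject;
 bh=dummyhash=; b=dummysig==
From: sender@example.org
To: rcpt@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        msg = parse(raw)
        print(label, check_arc_order(msg) + check_dkim_result(msg, "mx.example.net"))
```

Passing `authserv_id` restricts the DKIM check to the Authentication-Results header your own server wrote; upstream hops add their own, and a `dkim=none` from a hop that never saw the signature is not the bug described here.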

Other useful additions

A few items worth noting for ISPConfig or cPanel operators who also manage rspamd:

  • Stalled-scan diagnostics: Timeouts now log which specific rules hung the scan (DNS, Redis, fuzzy, Lua HTTP) and which symbols started but never finished — replacing the opaque “forced processing” line with something actually actionable.
  • Container-friendly config: RSPAMD_LOG_TYPE=console and RSPAMD_PIDFILE env vars let you run rspamd as PID 1 in Docker without touching config files.
  • Ratelimit multi-bucket tracking fix: A rate-limit rule with multiple buckets (e.g., 200/1h plus 30/1m) was only tracking the last bucket; the others were silently ignored. If you rely on multi-bucket rate limiting for outbound queue control, this silent failure has been present for a while.
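The ratelimit item is easiest to appreciate by running both behaviours side by side. This is an added example written for this post, not rspamd's ratelimit module: a small sliding-window limiter that accepts bucket specs in the `200/1h` / `30/1m` form, with a switch between consulting every bucket and consulting only the last declared one. The traffic pattern in `simulate_burst` is constructed so that each minute stays under the per-minute bucket and only the hourly bucket can stop it.

```python
"""Multi-bucket rate limiting: all buckets vs. last-bucket-only (added example)."""
from __future__ import annotations

from collections import deque

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_bucket(spec: str) -> tuple[int, int]:
    """'200/1h' -> (200 messages, 3600 seconds)."""
    count, period = spec.split("/")
    return int(count), int(period[:-1]) * _UNITS[period[-1]]


class SlidingWindowBucket:
    def __init__(self, spec: str):
        self.spec = spec
        self.limit, self.period = parse_bucket(spec)
        self.events: deque[float] = deque()   # timestamps of counted messages

    def _expire(self, now: float) -> None:
        while self.events and now - self.events[0] >= self.period:
            self.events.popleft()

    def has_room(self, now: float) -> bool:
        self._expire(now)
        return len(self.events) < self.limit

    def record(self, now: float) -> None:
        self.events.append(now)


class MultiBucketLimiter:
    def __init__(self, specs: list[str], track_all_buckets: bool = True):
        self.buckets = [SlidingWindowBucket(s) for s in specs]
        self.track_all_buckets = track_all_buckets

    def allow(self, now: float) -> bool:
        # Correct behaviour consults every bucket; the pre-4.1.0 behaviour the
        # changelog describes consulted only the last one declared.
        consulted = self.buckets if self.track_all_buckets else self.buckets[-1:]
        if not all(b.has_room(now) for b in consulted):
            return False          # a denied message must not consume budget
        for b in consulted:
            b.record(now)
        return True


def simulate_burst(track_all_buckets: bool) -> tuple[int, int]:
    """25 messages per minute for 10 minutes (250 total) against 200/1h + 30/1m.

    Returns (allowed, denied). Each minute is under 30, so the per-minute
    bucket never fires; only the hourly bucket can cap the run at 200.
    """
    limiter = MultiBucketLimiter(["200/1h", "30/1m"], track_all_buckets)
    allowed = denied = 0
    for minute in range(10):
        for k in range(25):
            if limiter.allow(minute * 60 + k * 2):
                allowed += 1
            else:
                denied += 1
    return allowed, denied


if __name__ == "__main__":
    print("all buckets:", simulate_burst(True))    # (200, 50)
    print("last only:  ", simulate_burst(False))   # (250, 0)
```

With only the last bucket consulted, the hourly cap is never enforced and the whole run goes through; that is the silent failure the changelog refers to, and it is invisible in normal traffic because the per-minute bucket still works.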

What this means for kalfaoglu.net customers

We run rspamd as part of our spam filtering stack. The S/MIME and URL parsing security fixes in 4.1.0 are not theoretical — crafted mail can reach any inbox, and these bugs affect the filtering layer, not just the end client. We’ll be rolling out the update shortly.

If you’re self-hosting a mail stack and manage your own rspamd instance, upgrade to 4.1.0 and check your mx_check symbol names before you do.