git subrepo commit (merge) mailcow/src/mailcow-dockerized
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "02ae5285"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "649a5c01"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: I870ad468fba026cc5abf3c5699ed1e12ff28b32b
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/composites.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/composites.conf
index 13c977c..337a2eb 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/composites.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/composites.conf
@@ -11,6 +11,11 @@
expression = "-g+:policies & !DMARC_POLICY_ALLOW & !MAILLIST & ( FREEMAIL_ENVFROM | FREEMAIL_FROM ) & !WHITELISTED_FWD_HOST";
score = 16.0;
}
+# Applies to freemail with undisclosed recipients
+FREEMAIL_TO_UNDISC_RCPT {
+ expression = "FREEMAIL_FROM & ( MISSING_TO | R_UNDISC_RCPT | TO_EQ_FROM )";
+ score = 5.0;
+}
# Bad policy from non-whitelisted senders
# Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy
SOGO_CONTACT_EXCLUDE {
@@ -29,23 +34,37 @@
}
# Applies to a content filter map
BAD_WORD_BAD_TLD {
- expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"
+ expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )";
score = 10.0;
}
# Forged with bad policies and not fwd host, keep bad policy symbols
FORGED_W_BAD_POLICY {
- expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW"
+ expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW";
score = 3.0;
}
# Keep negative (good) scores for rbl, policies and hfilter, disable neural group
WL_FWD_HOST {
- expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"
+ expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)";
}
# Exclude X-Spam like flags from scoring from fwd and sieve hosts
UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
- expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"
+ expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)";
}
# Remove fuzzy group from bounces
BOUNCE_FUZZY {
expression = "-BOUNCE & ^g+:fuzzy";
}
+# Remove bayes ham if fuzzy denied
+FUZZY_HAM_MISMATCH {
+ expression = "( -FUZZY_DENIED | -MAILCOW_FUZZY_DENIED | -LOCAL_FUZZY_DENIED ) & ( ^BAYES_HAM | ^NEURAL_HAM_LONG | ^NEURAL_HAM_SHORT )";
+}
+# Remove bayes spam if local fuzzy white
+FUZZY_SPAM_MISMATCH {
+ expression = "( -LOCAL_FUZZY_WHITE ) & ( ^BAYES_SPAM | ^NEURAL_SPAM_LONG | ^NEURAL_SPAM_SHORT )";
+}
+WL_FWD_HOST {
+ expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)";
+}
+ENCRYPTED_CHAT {
+ expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP";
+}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf
index 13eb094..4fac27f 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf
@@ -32,4 +32,4 @@
# forwards are arc signed, rejects are dkim signed
sign_networks = "/etc/rspamd/custom/dovecot_trusted.map";
use_domain_sign_networks = "header";
-sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-help:list-owner:list-unsubscribe:list-subscribe:list-post:openpgp:autocrypt";
+sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:content-language:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-help:list-owner:list-unsubscribe:list-subscribe:list-post:list-unsubscribe-post:disposition-notification-to:disposition-notification-options:original-recipient:openpgp:autocrypt";
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/external_services.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/external_services.conf
index f05314b..2b091ff 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/external_services.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/external_services.conf
@@ -6,4 +6,7 @@
# mime-part regex matching in content-type or filename
# block all macros
extended = true;
+ max_size = 3145728;
+ timeout = 20.0;
+ retransmits = 1;
}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/groups.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/groups.conf
index ef599ef..9ca3409 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/groups.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/groups.conf
@@ -9,9 +9,15 @@
"BAD_REP_POLICIES" {
score = 2.0;
}
+ "BAD_HEADER" {
+ score = 10.0;
+ }
"BULK_HEADER" {
score = 4.0;
}
+ "ENCRYPTED_CHAT" {
+ score = -20.0;
+ }
}
group "MX" {
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/metadata_exporter.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/metadata_exporter.conf
index f29f480..b6aa150 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/metadata_exporter.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/metadata_exporter.conf
@@ -51,6 +51,7 @@
and not task:has_symbol('GLOBAL_MIME_FROM_BL')
and not task:has_symbol('LOCAL_BL_ASN')
and not task:has_symbol('GLOBAL_RCPT_BL')
+ and not task:has_symbol('BAD_SUBJECT_00')
and not task:has_symbol('MAILCOW_BLACK') then
local action = task:get_metric_action('default')
if action == 'reject' or action == 'add header' or action == 'rewrite subject' then
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/multimap.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/multimap.conf
index 0f05bb5..17ada99 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/multimap.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/multimap.conf
@@ -19,6 +19,22 @@
symbols_set = ["BULK_HEADER"];
}
+CHAT_VERSION_HEADER {
+ type = "header";
+ header = "Chat-Version";
+ map = "${LOCAL_CONFDIR}/custom/chat_versions.map";
+ regexp = true;
+ symbols_set = ["CHAT_VERSION_HEADER"];
+}
+
+BAD_HEADER {
+ type = "content";
+ map = "${LOCAL_CONFDIR}/custom/bad_header.map";
+ filter = "headers"
+ regexp = true;
+ symbols_set = ["BAD_HEADER"];
+}
+
LOCAL_BL_ASN {
require_symbols = "!MAILCOW_WHITE";
type = "asn";
@@ -80,7 +96,6 @@
type = "ip";
map = "${LOCAL_CONFDIR}/custom/dovecot_trusted.map";
symbols_set = ["SIEVE_HOST"];
- score = -15;
}
RSPAMD_HOST {
@@ -136,7 +151,7 @@
score = 5.0;
}
-BAZAR_ABUSE_CH {
+BAZAAR_ABUSE_CH {
type = "selector";
selector = "attachments(hex,md5)";
map = "https://bazaar.abuse.ch/export/txt/md5/recent/";
@@ -155,3 +170,12 @@
map = "redis://SMTP_LIMITED_ACCESS";
symbols_set = ["SMTP_LIMITED_ACCESS"];
}
+
+BAD_SUBJECT_00 {
+ type = "header";
+ header = "subject";
+ regexp = true;
+ map = "http://nullnull.org/bad-subject-regex.txt";
+ score = 6.0;
+ symbols_set = ["BAD_SUBJECT_00"];
+}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/options.inc b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/options.inc
index 4fbdfba..fcf499d 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/options.inc
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/options.inc
@@ -2,8 +2,7 @@
enable_dnssec = true;
}
map_watch_interval = 30s;
-dns {
- timeout = 4s;
- retransmits = 2;
-}
disable_monitoring = true;
+# In case a task times out (like DNS lookup), soft reject the message
+# instead of silently accepting the message without further processing.
+soft_reject_on_timeout = true;
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/policies_group.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/policies_group.conf
index 8799db1..954deac 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/policies_group.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/policies_group.conf
@@ -1,6 +1,6 @@
symbols = {
"ARC_REJECT" {
- score = 0.01;
+ score = 0.1;
}
"R_SPF_FAIL" {
score = 8.0;
@@ -8,6 +8,9 @@
"R_SPF_PERMFAIL" {
score = 8.0;
}
+ "R_SPF_SOFTFAIL" {
+ score = 0.1;
+ }
"R_DKIM_REJECT" {
score = 8.0;
}
@@ -18,6 +21,6 @@
weight = 8.0;
}
"DMARC_POLICY_SOFTFAIL" {
- weight = 0.0;
+ weight = 0.1;
}
}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/rbl.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/rbl.conf
index c44b9ef..f132b4d 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/rbl.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/rbl.conf
@@ -1,12 +1,4 @@
rbls {
- uceprotect1 {
- symbol = "RBL_UCEPROTECT_LEVEL1";
- rbl = "dnsbl-1.uceprotect.net";
- }
- uceprotect2 {
- symbol = "RBL_UCEPROTECT_LEVEL2";
- rbl = "dnsbl-2.uceprotect.net";
- }
sorbs {
symbol = "RBL_SORBS";
rbl = "dnsbl.sorbs.net";
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/reputation.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/reputation.conf
index 0e3d03e..c9600b7 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/reputation.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/reputation.conf
@@ -3,7 +3,6 @@
selector "ip" {
}
backend "redis" {
- servers = "redis";
}
symbol = "IP_REPUTATION";
}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/statistics_group.conf b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/statistics_group.conf
index 7ed35b1..cf40583 100644
--- a/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/statistics_group.conf
+++ b/mailcow/src/mailcow-dockerized/data/conf/rspamd/local.d/statistics_group.conf
@@ -1,6 +1,6 @@
symbols = {
"BAYES_SPAM" {
- weight = 2.5;
+ weight = 4.5;
description = "Message probably spam, probability: ";
}
"BAYES_HAM" {