Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / 53457f79a834952eac370806a4076d13808a521c / . / mailcow / src / mailcow-dockerized / data / conf / rspamd / lua / rspamd.local.lua
blob: b007f097e476d4d25a98f78a07e4c58b37a9ee29 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]1-- Load sendgrid ID validator, thanks to https://github.com/fatalbanana
2local rspamd_util = require 'rspamd_util'
3local f = '/etc/rspamd/lua/ivm-sg.lua'
4if rspamd_util.file_exists(f) then
5 dofile(f)
6end
7
8rspamd_config.MAILCOW_AUTH = {
9 callback = function(task)
10 local uname = task:get_user()
11 if uname then
12 return 1
13 end
14 end
15}
16
17local monitoring_hosts = rspamd_config:add_map{
18 url = "/etc/rspamd/custom/monitoring_nolog.map",
19 description = "Monitoring hosts",
20 type = "regexp"
21}
22
23rspamd_config:register_symbol({
24 name = 'SMTP_ACCESS',
25 type = 'postfilter',
26 callback = function(task)
27 local util = require("rspamd_util")
28 local rspamd_logger = require "rspamd_logger"
29 local rspamd_ip = require 'rspamd_ip'
30 local uname = task:get_user()
31 local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS")
32
33 if not uname then
34 return false
35 end
36
37 if not limited_access then
38 return false
39 end
40
41 local hash_key = 'SMTP_ALLOW_NETS_' .. uname
42
43 local redis_params = rspamd_parse_redis_server('smtp_access')
44 local ip = task:get_from_ip()
45
46 if ip == nil or not ip:is_valid() then
47 return false
48 end
49
50 local from_ip_string = tostring(ip)
51 smtp_access_table = {from_ip_string}
52
53 local maxbits = 128
54 local minbits = 32
55 if ip:get_version() == 4 then
56 maxbits = 32
57 minbits = 8
58 end
59 for i=maxbits,minbits,-1 do
60 local nip = ip:apply_mask(i):to_string() .. "/" .. i
61 table.insert(smtp_access_table, nip)
62 end
63 local function smtp_access_cb(err, data)
64 if err then
65 rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
66 return false
67 else
68 rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key)
69 for k,v in pairs(data) do
70 if (v and v ~= userdata and v == '1') then
71 rspamd_logger.infox(rspamd_config, "found ip in smtp_access map")
72 task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string)
73 return true
74 end
75 end
76 rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map")
77 task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string)
78 return true
79 end
80 end
81 table.insert(smtp_access_table, 1, hash_key)
82 local redis_ret_user = rspamd_redis_make_request(task,
83 redis_params, -- connect params
84 hash_key, -- hash key
85 false, -- is write
86 smtp_access_cb, --callback
87 'HMGET', -- command
88 smtp_access_table -- arguments
89 )
90 if not redis_ret_user then
91 rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map")
92 end
93 end,
94 priority = 10
95})
96
97rspamd_config:register_symbol({
98 name = 'POSTMASTER_HANDLER',
99 type = 'prefilter',
100 callback = function(task)
101 local rcpts = task:get_recipients('smtp')
102 local rspamd_logger = require "rspamd_logger"
103 local lua_util = require "lua_util"
104 local from = task:get_from(1)
105
106 -- not applying to mails with more than one rcpt to avoid bypassing filters by addressing postmaster
107 if rcpts and #rcpts == 1 then
108 for _,rcpt in ipairs(rcpts) do
109 local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
110 if #rcpt_split == 2 then
111 if rcpt_split[1] == 'postmaster' then
112 task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt')
113 return
114 end
115 end
116 end
117 end
118
119 if from then
120 for _,fr in ipairs(from) do
121 local fr_split = rspamd_str_split(fr['addr'], '@')
122 if #fr_split == 2 then
123 if fr_split[1] == 'postmaster' and task:get_user() then
124 -- no whitelist, keep signatures
125 task:insert_result(true, 'POSTMASTER_FROM', -2500.0)
126 return
127 end
128 end
129 end
130 end
131
132 end,
133 priority = 10
134})
135
136rspamd_config:register_symbol({
137 name = 'KEEP_SPAM',
138 type = 'prefilter',
139 callback = function(task)
140 local util = require("rspamd_util")
141 local rspamd_logger = require "rspamd_logger"
142 local rspamd_ip = require 'rspamd_ip'
143 local uname = task:get_user()
144
145 if uname then
146 return false
147 end
148
149 local redis_params = rspamd_parse_redis_server('keep_spam')
150 local ip = task:get_from_ip()
151
152 if ip == nil or not ip:is_valid() then
153 return false
154 end
155
156 local from_ip_string = tostring(ip)
157 ip_check_table = {from_ip_string}
158
159 local maxbits = 128
160 local minbits = 32
161 if ip:get_version() == 4 then
162 maxbits = 32
163 minbits = 8
164 end
165 for i=maxbits,minbits,-1 do
166 local nip = ip:apply_mask(i):to_string() .. "/" .. i
167 table.insert(ip_check_table, nip)
168 end
169 local function keep_spam_cb(err, data)
170 if err then
171 rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
172 return false
173 else
174 for k,v in pairs(data) do
175 if (v and v ~= userdata and v == '1') then
176 rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
177 task:set_pre_result('accept', 'ip matched with forward hosts')
178 end
179 end
180 end
181 end
182 table.insert(ip_check_table, 1, 'KEEP_SPAM')
183 local redis_ret_user = rspamd_redis_make_request(task,
184 redis_params, -- connect params
185 'KEEP_SPAM', -- hash key
186 false, -- is write
187 keep_spam_cb, --callback
188 'HMGET', -- command
189 ip_check_table -- arguments
190 )
191 if not redis_ret_user then
192 rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map")
193 end
194 end,
195 priority = 19
196})
197
198rspamd_config:register_symbol({
199 name = 'TLS_HEADER',
200 type = 'postfilter',
201 callback = function(task)
202 local rspamd_logger = require "rspamd_logger"
203 local tls_tag = task:get_request_header('TLS-Version')
204 if type(tls_tag) == 'nil' then
205 task:set_milter_reply({
206 add_headers = {['X-Last-TLS-Session-Version'] = 'None'}
207 })
208 else
209 task:set_milter_reply({
210 add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)}
211 })
212 end
213 end,
214 priority = 12
215})
216
217rspamd_config:register_symbol({
218 name = 'TAG_MOO',
219 type = 'postfilter',
220 callback = function(task)
221 local util = require("rspamd_util")
222 local rspamd_logger = require "rspamd_logger"
223 local redis_params = rspamd_parse_redis_server('taghandler')
224 local rspamd_http = require "rspamd_http"
225 local rcpts = task:get_recipients('smtp')
226 local lua_util = require "lua_util"
227
228 local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
229 local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")
230
231 if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
232 local tag = tagged_rcpt[1].options[1]
233 rspamd_logger.infox("found tag: %s", tag)
234 local action = task:get_metric_action('default')
235 rspamd_logger.infox("metric action now: %s", action)
236
237 if action ~= 'no action' and action ~= 'greylist' then
238 rspamd_logger.infox("skipping tag handler for action: %s", action)
239 return true
240 end
241
242 local function http_callback(err_message, code, body, headers)
243 if body ~= nil and body ~= "" then
244 rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body)
245
246 local function tag_callback_subject(err, data)
247 if err or type(data) ~= 'string' then
248 rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err)
249
250 local function tag_callback_subfolder(err, data)
251 if err or type(data) ~= 'string' then
252 rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
253 else
254 rspamd_logger.infox("Add X-Moo-Tag header")
255 task:set_milter_reply({
256 add_headers = {['X-Moo-Tag'] = 'YES'}
257 })
258 end
259 end
260
261 local redis_ret_subfolder = rspamd_redis_make_request(task,
262 redis_params, -- connect params
263 body, -- hash key
264 false, -- is write
265 tag_callback_subfolder, --callback
266 'HGET', -- command
267 {'RCPT_WANTS_SUBFOLDER_TAG', body} -- arguments
268 )
269 if not redis_ret_subfolder then
270 rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
271 end
272
273 else
274 rspamd_logger.infox("user wants subject modified for tagged mail")
275 local sbj = task:get_header('Subject')
276 new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
277 task:set_milter_reply({
278 remove_headers = {['Subject'] = 1},
279 add_headers = {['Subject'] = new_sbj}
280 })
281 end
282 end
283
284 local redis_ret_subject = rspamd_redis_make_request(task,
285 redis_params, -- connect params
286 body, -- hash key
287 false, -- is write
288 tag_callback_subject, --callback
289 'HGET', -- command
290 {'RCPT_WANTS_SUBJECT_TAG', body} -- arguments
291 )
292 if not redis_ret_subject then
293 rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
294 end
295
296 end
297 end
298
299 if rcpts and #rcpts == 1 then
300 for _,rcpt in ipairs(rcpts) do
301 local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
302 if #rcpt_split == 2 then
303 if rcpt_split[1] == 'postmaster' then
304 rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
305 else
306 rspamd_http.request({
307 task=task,
308 url='http://nginx:8081/aliasexp.php',
309 body='',
310 callback=http_callback,
311 headers={Rcpt=rcpt['addr']},
312 })
313 end
314 end
315 end
316 end
317
318 end
319 end,
320 priority = 19
321})
322
323rspamd_config:register_symbol({
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]324 name = 'BCC',
325 type = 'postfilter',
326 callback = function(task)
327 local util = require("rspamd_util")
328 local rspamd_http = require "rspamd_http"
329 local rspamd_logger = require "rspamd_logger"
330
331 local from_table = {}
332 local rcpt_table = {}
333
334 if task:has_symbol('ENCRYPTED_CHAT') then
335 return -- stop
336 end
337
338 local send_mail = function(task, bcc_dest)
339 local lua_smtp = require "lua_smtp"
340 local function sendmail_cb(ret, err)
341 if not ret then
342 rspamd_logger.errx(task, 'BCC SMTP ERROR: %s', err)
343 else
344 rspamd_logger.infox(rspamd_config, "BCC SMTP SUCCESS TO %s", bcc_dest)
345 end
346 end
347 if not bcc_dest then
348 return -- stop
349 end
350 lua_smtp.sendmail({
351 task = task,
352 host = os.getenv("IPV4_NETWORK") .. '.253',
353 port = 591,
354 from = task:get_from(stp)[1].addr,
355 recipients = bcc_dest,
356 helo = 'bcc',
357 timeout = 10,
358 }, task:get_content(), sendmail_cb)
359 end
360
361 -- determine from
362 local from = task:get_from('smtp')
363 if from then
364 for _, a in ipairs(from) do
365 table.insert(from_table, a['addr']) -- add this rcpt to table
366 table.insert(from_table, '@' .. a['domain']) -- add this rcpts domain to table
367 end
368 else
369 return -- stop
370 end
371
372 -- determine rcpts
373 local rcpts = task:get_recipients('smtp')
374 if rcpts then
375 for _, a in ipairs(rcpts) do
376 table.insert(rcpt_table, a['addr']) -- add this rcpt to table
377 table.insert(rcpt_table, '@' .. a['domain']) -- add this rcpts domain to table
378 end
379 else
380 return -- stop
381 end
382
383 local action = task:get_metric_action('default')
384 rspamd_logger.infox("metric action now: %s", action)
385
386 local function rcpt_callback(err_message, code, body, headers)
387 if err_message == nil and code == 201 and body ~= nil then
388 if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
389 send_mail(task, body)
390 end
391 end
392 end
393
394 local function from_callback(err_message, code, body, headers)
395 if err_message == nil and code == 201 and body ~= nil then
396 if action == 'no action' or action == 'add header' or action == 'rewrite subject' then
397 send_mail(task, body)
398 end
399 end
400 end
401
402 if rcpt_table then
403 for _,e in ipairs(rcpt_table) do
404 rspamd_logger.infox(rspamd_config, "checking bcc for rcpt address %s", e)
405 rspamd_http.request({
406 task=task,
407 url='http://nginx:8081/bcc.php',
408 body='',
409 callback=rcpt_callback,
410 headers={Rcpt=e}
411 })
412 end
413 end
414
415 if from_table then
416 for _,e in ipairs(from_table) do
417 rspamd_logger.infox(rspamd_config, "checking bcc for from address %s", e)
418 rspamd_http.request({
419 task=task,
420 url='http://nginx:8081/bcc.php',
421 body='',
422 callback=from_callback,
423 headers={From=e}
424 })
425 end
426 end
427
428 return true
429 end,
430 priority = 20
431})
432
433rspamd_config:register_symbol({
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]434 name = 'DYN_RL_CHECK',
435 type = 'prefilter',
436 callback = function(task)
437 local util = require("rspamd_util")
438 local redis_params = rspamd_parse_redis_server('dyn_rl')
439 local rspamd_logger = require "rspamd_logger"
440 local envfrom = task:get_from(1)
441 local uname = task:get_user()
442 if not envfrom or not uname then
443 return false
444 end
445 local uname = uname:lower()
446
447 local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
448
449 local function redis_cb_user(err, data)
450
451 if err or type(data) ~= 'string' then
452 rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)
453
454 local function redis_key_cb_domain(err, data)
455 if err or type(data) ~= 'string' then
456 rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err)
457 else
458 rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data)
459 task:insert_result('DYN_RL', 0.0, data, env_from_domain)
460 end
461 end
462
463 local redis_ret_domain = rspamd_redis_make_request(task,
464 redis_params, -- connect params
465 env_from_domain, -- hash key
466 false, -- is write
467 redis_key_cb_domain, --callback
468 'HGET', -- command
469 {'RL_VALUE', env_from_domain} -- arguments
470 )
471 if not redis_ret_domain then
472 rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
473 end
474 else
475 rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
476 task:insert_result('DYN_RL', 0.0, data, uname)
477 end
478
479 end
480
481 local redis_ret_user = rspamd_redis_make_request(task,
482 redis_params, -- connect params
483 uname, -- hash key
484 false, -- is write
485 redis_cb_user, --callback
486 'HGET', -- command
487 {'RL_VALUE', uname} -- arguments
488 )
489 if not redis_ret_user then
490 rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
491 end
492 return true
493 end,
494 flags = 'empty',
495 priority = 20
496})
497
498rspamd_config:register_symbol({
499 name = 'NO_LOG_STAT',
500 type = 'postfilter',
501 callback = function(task)
502 local from = task:get_header('From')
503 if from and monitoring_hosts:get_key(from) then
504 task:set_flag('no_log')
505 task:set_flag('no_stat')
506 end
507 end
508})