Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | -- Load sendgrid ID validator, thanks to https://github.com/fatalbanana |
| 2 | local rspamd_util = require 'rspamd_util' |
| 3 | local f = '/etc/rspamd/lua/ivm-sg.lua' |
| 4 | if rspamd_util.file_exists(f) then |
| 5 | dofile(f) |
| 6 | end |
| 7 | |
| 8 | rspamd_config.MAILCOW_AUTH = { |
| 9 | callback = function(task) |
| 10 | local uname = task:get_user() |
| 11 | if uname then |
| 12 | return 1 |
| 13 | end |
| 14 | end |
| 15 | } |
| 16 | |
| 17 | local monitoring_hosts = rspamd_config:add_map{ |
| 18 | url = "/etc/rspamd/custom/monitoring_nolog.map", |
| 19 | description = "Monitoring hosts", |
| 20 | type = "regexp" |
| 21 | } |
| 22 | |
| 23 | rspamd_config:register_symbol({ |
| 24 | name = 'SMTP_ACCESS', |
| 25 | type = 'postfilter', |
| 26 | callback = function(task) |
| 27 | local util = require("rspamd_util") |
| 28 | local rspamd_logger = require "rspamd_logger" |
| 29 | local rspamd_ip = require 'rspamd_ip' |
| 30 | local uname = task:get_user() |
| 31 | local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS") |
| 32 | |
| 33 | if not uname then |
| 34 | return false |
| 35 | end |
| 36 | |
| 37 | if not limited_access then |
| 38 | return false |
| 39 | end |
| 40 | |
| 41 | local hash_key = 'SMTP_ALLOW_NETS_' .. uname |
| 42 | |
| 43 | local redis_params = rspamd_parse_redis_server('smtp_access') |
| 44 | local ip = task:get_from_ip() |
| 45 | |
| 46 | if ip == nil or not ip:is_valid() then |
| 47 | return false |
| 48 | end |
| 49 | |
| 50 | local from_ip_string = tostring(ip) |
| 51 | smtp_access_table = {from_ip_string} |
| 52 | |
| 53 | local maxbits = 128 |
| 54 | local minbits = 32 |
| 55 | if ip:get_version() == 4 then |
| 56 | maxbits = 32 |
| 57 | minbits = 8 |
| 58 | end |
| 59 | for i=maxbits,minbits,-1 do |
| 60 | local nip = ip:apply_mask(i):to_string() .. "/" .. i |
| 61 | table.insert(smtp_access_table, nip) |
| 62 | end |
| 63 | local function smtp_access_cb(err, data) |
| 64 | if err then |
| 65 | rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err) |
| 66 | return false |
| 67 | else |
| 68 | rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key) |
| 69 | for k,v in pairs(data) do |
| 70 | if (v and v ~= userdata and v == '1') then |
| 71 | rspamd_logger.infox(rspamd_config, "found ip in smtp_access map") |
| 72 | task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string) |
| 73 | return true |
| 74 | end |
| 75 | end |
| 76 | rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map") |
| 77 | task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string) |
| 78 | return true |
| 79 | end |
| 80 | end |
| 81 | table.insert(smtp_access_table, 1, hash_key) |
| 82 | local redis_ret_user = rspamd_redis_make_request(task, |
| 83 | redis_params, -- connect params |
| 84 | hash_key, -- hash key |
| 85 | false, -- is write |
| 86 | smtp_access_cb, --callback |
| 87 | 'HMGET', -- command |
| 88 | smtp_access_table -- arguments |
| 89 | ) |
| 90 | if not redis_ret_user then |
| 91 | rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map") |
| 92 | end |
| 93 | end, |
| 94 | priority = 10 |
| 95 | }) |
| 96 | |
| 97 | rspamd_config:register_symbol({ |
| 98 | name = 'POSTMASTER_HANDLER', |
| 99 | type = 'prefilter', |
| 100 | callback = function(task) |
| 101 | local rcpts = task:get_recipients('smtp') |
| 102 | local rspamd_logger = require "rspamd_logger" |
| 103 | local lua_util = require "lua_util" |
| 104 | local from = task:get_from(1) |
| 105 | |
| 106 | -- not applying to mails with more than one rcpt to avoid bypassing filters by addressing postmaster |
| 107 | if rcpts and #rcpts == 1 then |
| 108 | for _,rcpt in ipairs(rcpts) do |
| 109 | local rcpt_split = rspamd_str_split(rcpt['addr'], '@') |
| 110 | if #rcpt_split == 2 then |
| 111 | if rcpt_split[1] == 'postmaster' then |
| 112 | task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt') |
| 113 | return |
| 114 | end |
| 115 | end |
| 116 | end |
| 117 | end |
| 118 | |
| 119 | if from then |
| 120 | for _,fr in ipairs(from) do |
| 121 | local fr_split = rspamd_str_split(fr['addr'], '@') |
| 122 | if #fr_split == 2 then |
| 123 | if fr_split[1] == 'postmaster' and task:get_user() then |
| 124 | -- no whitelist, keep signatures |
| 125 | task:insert_result(true, 'POSTMASTER_FROM', -2500.0) |
| 126 | return |
| 127 | end |
| 128 | end |
| 129 | end |
| 130 | end |
| 131 | |
| 132 | end, |
| 133 | priority = 10 |
| 134 | }) |
| 135 | |
| 136 | rspamd_config:register_symbol({ |
| 137 | name = 'KEEP_SPAM', |
| 138 | type = 'prefilter', |
| 139 | callback = function(task) |
| 140 | local util = require("rspamd_util") |
| 141 | local rspamd_logger = require "rspamd_logger" |
| 142 | local rspamd_ip = require 'rspamd_ip' |
| 143 | local uname = task:get_user() |
| 144 | |
| 145 | if uname then |
| 146 | return false |
| 147 | end |
| 148 | |
| 149 | local redis_params = rspamd_parse_redis_server('keep_spam') |
| 150 | local ip = task:get_from_ip() |
| 151 | |
| 152 | if ip == nil or not ip:is_valid() then |
| 153 | return false |
| 154 | end |
| 155 | |
| 156 | local from_ip_string = tostring(ip) |
| 157 | ip_check_table = {from_ip_string} |
| 158 | |
| 159 | local maxbits = 128 |
| 160 | local minbits = 32 |
| 161 | if ip:get_version() == 4 then |
| 162 | maxbits = 32 |
| 163 | minbits = 8 |
| 164 | end |
| 165 | for i=maxbits,minbits,-1 do |
| 166 | local nip = ip:apply_mask(i):to_string() .. "/" .. i |
| 167 | table.insert(ip_check_table, nip) |
| 168 | end |
| 169 | local function keep_spam_cb(err, data) |
| 170 | if err then |
| 171 | rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err) |
| 172 | return false |
| 173 | else |
| 174 | for k,v in pairs(data) do |
| 175 | if (v and v ~= userdata and v == '1') then |
| 176 | rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result") |
| 177 | task:set_pre_result('accept', 'ip matched with forward hosts') |
| 178 | end |
| 179 | end |
| 180 | end |
| 181 | end |
| 182 | table.insert(ip_check_table, 1, 'KEEP_SPAM') |
| 183 | local redis_ret_user = rspamd_redis_make_request(task, |
| 184 | redis_params, -- connect params |
| 185 | 'KEEP_SPAM', -- hash key |
| 186 | false, -- is write |
| 187 | keep_spam_cb, --callback |
| 188 | 'HMGET', -- command |
| 189 | ip_check_table -- arguments |
| 190 | ) |
| 191 | if not redis_ret_user then |
| 192 | rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map") |
| 193 | end |
| 194 | end, |
| 195 | priority = 19 |
| 196 | }) |
| 197 | |
| 198 | rspamd_config:register_symbol({ |
| 199 | name = 'TLS_HEADER', |
| 200 | type = 'postfilter', |
| 201 | callback = function(task) |
| 202 | local rspamd_logger = require "rspamd_logger" |
| 203 | local tls_tag = task:get_request_header('TLS-Version') |
| 204 | if type(tls_tag) == 'nil' then |
| 205 | task:set_milter_reply({ |
| 206 | add_headers = {['X-Last-TLS-Session-Version'] = 'None'} |
| 207 | }) |
| 208 | else |
| 209 | task:set_milter_reply({ |
| 210 | add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)} |
| 211 | }) |
| 212 | end |
| 213 | end, |
| 214 | priority = 12 |
| 215 | }) |
| 216 | |
| 217 | rspamd_config:register_symbol({ |
| 218 | name = 'TAG_MOO', |
| 219 | type = 'postfilter', |
| 220 | callback = function(task) |
| 221 | local util = require("rspamd_util") |
| 222 | local rspamd_logger = require "rspamd_logger" |
| 223 | local redis_params = rspamd_parse_redis_server('taghandler') |
| 224 | local rspamd_http = require "rspamd_http" |
| 225 | local rcpts = task:get_recipients('smtp') |
| 226 | local lua_util = require "lua_util" |
| 227 | |
| 228 | local tagged_rcpt = task:get_symbol("TAGGED_RCPT") |
| 229 | local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN") |
| 230 | |
| 231 | if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then |
| 232 | local tag = tagged_rcpt[1].options[1] |
| 233 | rspamd_logger.infox("found tag: %s", tag) |
| 234 | local action = task:get_metric_action('default') |
| 235 | rspamd_logger.infox("metric action now: %s", action) |
| 236 | |
| 237 | if action ~= 'no action' and action ~= 'greylist' then |
| 238 | rspamd_logger.infox("skipping tag handler for action: %s", action) |
| 239 | return true |
| 240 | end |
| 241 | |
| 242 | local function http_callback(err_message, code, body, headers) |
| 243 | if body ~= nil and body ~= "" then |
| 244 | rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body) |
| 245 | |
| 246 | local function tag_callback_subject(err, data) |
| 247 | if err or type(data) ~= 'string' then |
| 248 | rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err) |
| 249 | |
| 250 | local function tag_callback_subfolder(err, data) |
| 251 | if err or type(data) ~= 'string' then |
| 252 | rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err) |
| 253 | else |
| 254 | rspamd_logger.infox("Add X-Moo-Tag header") |
| 255 | task:set_milter_reply({ |
| 256 | add_headers = {['X-Moo-Tag'] = 'YES'} |
| 257 | }) |
| 258 | end |
| 259 | end |
| 260 | |
| 261 | local redis_ret_subfolder = rspamd_redis_make_request(task, |
| 262 | redis_params, -- connect params |
| 263 | body, -- hash key |
| 264 | false, -- is write |
| 265 | tag_callback_subfolder, --callback |
| 266 | 'HGET', -- command |
| 267 | {'RCPT_WANTS_SUBFOLDER_TAG', body} -- arguments |
| 268 | ) |
| 269 | if not redis_ret_subfolder then |
| 270 | rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt") |
| 271 | end |
| 272 | |
| 273 | else |
| 274 | rspamd_logger.infox("user wants subject modified for tagged mail") |
| 275 | local sbj = task:get_header('Subject') |
| 276 | new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?=' |
| 277 | task:set_milter_reply({ |
| 278 | remove_headers = {['Subject'] = 1}, |
| 279 | add_headers = {['Subject'] = new_sbj} |
| 280 | }) |
| 281 | end |
| 282 | end |
| 283 | |
| 284 | local redis_ret_subject = rspamd_redis_make_request(task, |
| 285 | redis_params, -- connect params |
| 286 | body, -- hash key |
| 287 | false, -- is write |
| 288 | tag_callback_subject, --callback |
| 289 | 'HGET', -- command |
| 290 | {'RCPT_WANTS_SUBJECT_TAG', body} -- arguments |
| 291 | ) |
| 292 | if not redis_ret_subject then |
| 293 | rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt") |
| 294 | end |
| 295 | |
| 296 | end |
| 297 | end |
| 298 | |
| 299 | if rcpts and #rcpts == 1 then |
| 300 | for _,rcpt in ipairs(rcpts) do |
| 301 | local rcpt_split = rspamd_str_split(rcpt['addr'], '@') |
| 302 | if #rcpt_split == 2 then |
| 303 | if rcpt_split[1] == 'postmaster' then |
| 304 | rspamd_logger.infox(rspamd_config, "not expanding postmaster alias") |
| 305 | else |
| 306 | rspamd_http.request({ |
| 307 | task=task, |
| 308 | url='http://nginx:8081/aliasexp.php', |
| 309 | body='', |
| 310 | callback=http_callback, |
| 311 | headers={Rcpt=rcpt['addr']}, |
| 312 | }) |
| 313 | end |
| 314 | end |
| 315 | end |
| 316 | end |
| 317 | |
| 318 | end |
| 319 | end, |
| 320 | priority = 19 |
| 321 | }) |
| 322 | |
| 323 | rspamd_config:register_symbol({ |
| 324 | name = 'DYN_RL_CHECK', |
| 325 | type = 'prefilter', |
| 326 | callback = function(task) |
| 327 | local util = require("rspamd_util") |
| 328 | local redis_params = rspamd_parse_redis_server('dyn_rl') |
| 329 | local rspamd_logger = require "rspamd_logger" |
| 330 | local envfrom = task:get_from(1) |
| 331 | local uname = task:get_user() |
| 332 | if not envfrom or not uname then |
| 333 | return false |
| 334 | end |
| 335 | local uname = uname:lower() |
| 336 | |
| 337 | local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case |
| 338 | |
| 339 | local function redis_cb_user(err, data) |
| 340 | |
| 341 | if err or type(data) ~= 'string' then |
| 342 | rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err) |
| 343 | |
| 344 | local function redis_key_cb_domain(err, data) |
| 345 | if err or type(data) ~= 'string' then |
| 346 | rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err) |
| 347 | else |
| 348 | rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data) |
| 349 | task:insert_result('DYN_RL', 0.0, data, env_from_domain) |
| 350 | end |
| 351 | end |
| 352 | |
| 353 | local redis_ret_domain = rspamd_redis_make_request(task, |
| 354 | redis_params, -- connect params |
| 355 | env_from_domain, -- hash key |
| 356 | false, -- is write |
| 357 | redis_key_cb_domain, --callback |
| 358 | 'HGET', -- command |
| 359 | {'RL_VALUE', env_from_domain} -- arguments |
| 360 | ) |
| 361 | if not redis_ret_domain then |
| 362 | rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain") |
| 363 | end |
| 364 | else |
| 365 | rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data) |
| 366 | task:insert_result('DYN_RL', 0.0, data, uname) |
| 367 | end |
| 368 | |
| 369 | end |
| 370 | |
| 371 | local redis_ret_user = rspamd_redis_make_request(task, |
| 372 | redis_params, -- connect params |
| 373 | uname, -- hash key |
| 374 | false, -- is write |
| 375 | redis_cb_user, --callback |
| 376 | 'HGET', -- command |
| 377 | {'RL_VALUE', uname} -- arguments |
| 378 | ) |
| 379 | if not redis_ret_user then |
| 380 | rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user") |
| 381 | end |
| 382 | return true |
| 383 | end, |
| 384 | flags = 'empty', |
| 385 | priority = 20 |
| 386 | }) |
| 387 | |
| 388 | rspamd_config:register_symbol({ |
| 389 | name = 'NO_LOG_STAT', |
| 390 | type = 'postfilter', |
| 391 | callback = function(task) |
| 392 | local from = task:get_header('From') |
| 393 | if from and monitoring_hosts:get_key(from) then |
| 394 | task:set_flag('no_log') |
| 395 | task:set_flag('no_stat') |
| 396 | end |
| 397 | end |
| 398 | }) |