mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2024-12-14 10:52:49 +02:00
399 lines
13 KiB
Lua
399 lines
13 KiB
Lua
-- Load sendgrid ID validator, thanks to https://github.com/fatalbanana
|
|
local rspamd_util = require 'rspamd_util'
|
|
local f = '/etc/rspamd/lua/ivm-sg.lua'
|
|
if rspamd_util.file_exists(f) then
|
|
dofile(f)
|
|
end
|
|
|
|
rspamd_config.MAILCOW_AUTH = {
|
|
callback = function(task)
|
|
local uname = task:get_user()
|
|
if uname then
|
|
return 1
|
|
end
|
|
end
|
|
}
|
|
|
|
local monitoring_hosts = rspamd_config:add_map{
|
|
url = "/etc/rspamd/custom/monitoring_nolog.map",
|
|
description = "Monitoring hosts",
|
|
type = "regexp"
|
|
}
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'SMTP_ACCESS',
|
|
type = 'postfilter',
|
|
callback = function(task)
|
|
local util = require("rspamd_util")
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local rspamd_ip = require 'rspamd_ip'
|
|
local uname = task:get_user()
|
|
local limited_access = task:get_symbol("SMTP_LIMITED_ACCESS")
|
|
|
|
if not uname then
|
|
return false
|
|
end
|
|
|
|
if not limited_access then
|
|
return false
|
|
end
|
|
|
|
local hash_key = 'SMTP_ALLOW_NETS_' .. uname
|
|
|
|
local redis_params = rspamd_parse_redis_server('smtp_access')
|
|
local ip = task:get_from_ip()
|
|
|
|
if ip == nil or not ip:is_valid() then
|
|
return false
|
|
end
|
|
|
|
local from_ip_string = tostring(ip)
|
|
smtp_access_table = {from_ip_string}
|
|
|
|
local maxbits = 128
|
|
local minbits = 32
|
|
if ip:get_version() == 4 then
|
|
maxbits = 32
|
|
minbits = 8
|
|
end
|
|
for i=maxbits,minbits,-1 do
|
|
local nip = ip:apply_mask(i):to_string() .. "/" .. i
|
|
table.insert(smtp_access_table, nip)
|
|
end
|
|
local function smtp_access_cb(err, data)
|
|
if err then
|
|
rspamd_logger.infox(rspamd_config, "smtp_access query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
|
|
return false
|
|
else
|
|
rspamd_logger.infox(rspamd_config, "checking ip %s for smtp_access in %s", from_ip_string, hash_key)
|
|
for k,v in pairs(data) do
|
|
if (v and v ~= userdata and v == '1') then
|
|
rspamd_logger.infox(rspamd_config, "found ip in smtp_access map")
|
|
task:insert_result(true, 'SMTP_ACCESS', 0.0, from_ip_string)
|
|
return true
|
|
end
|
|
end
|
|
rspamd_logger.infox(rspamd_config, "couldnt find ip in smtp_access map")
|
|
task:insert_result(true, 'SMTP_ACCESS', 999.0, from_ip_string)
|
|
return true
|
|
end
|
|
end
|
|
table.insert(smtp_access_table, 1, hash_key)
|
|
local redis_ret_user = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
hash_key, -- hash key
|
|
false, -- is write
|
|
smtp_access_cb, --callback
|
|
'HMGET', -- command
|
|
smtp_access_table -- arguments
|
|
)
|
|
if not redis_ret_user then
|
|
rspamd_logger.infox(rspamd_config, "cannot check smtp_access redis map")
|
|
end
|
|
end,
|
|
priority = 10
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'POSTMASTER_HANDLER',
|
|
type = 'prefilter',
|
|
callback = function(task)
|
|
local rcpts = task:get_recipients('smtp')
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local lua_util = require "lua_util"
|
|
local from = task:get_from(1)
|
|
|
|
-- not applying to mails with more than one rcpt to avoid bypassing filters by addressing postmaster
|
|
if rcpts and #rcpts == 1 then
|
|
for _,rcpt in ipairs(rcpts) do
|
|
local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
|
|
if #rcpt_split == 2 then
|
|
if rcpt_split[1] == 'postmaster' then
|
|
task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt')
|
|
return
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
if from then
|
|
for _,fr in ipairs(from) do
|
|
local fr_split = rspamd_str_split(fr['addr'], '@')
|
|
if #fr_split == 2 then
|
|
if fr_split[1] == 'postmaster' and task:get_user() then
|
|
-- no whitelist, keep signatures
|
|
task:insert_result(true, 'POSTMASTER_FROM', -2500.0)
|
|
return
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
end,
|
|
priority = 10
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'KEEP_SPAM',
|
|
type = 'prefilter',
|
|
callback = function(task)
|
|
local util = require("rspamd_util")
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local rspamd_ip = require 'rspamd_ip'
|
|
local uname = task:get_user()
|
|
|
|
if uname then
|
|
return false
|
|
end
|
|
|
|
local redis_params = rspamd_parse_redis_server('keep_spam')
|
|
local ip = task:get_from_ip()
|
|
|
|
if ip == nil or not ip:is_valid() then
|
|
return false
|
|
end
|
|
|
|
local from_ip_string = tostring(ip)
|
|
ip_check_table = {from_ip_string}
|
|
|
|
local maxbits = 128
|
|
local minbits = 32
|
|
if ip:get_version() == 4 then
|
|
maxbits = 32
|
|
minbits = 8
|
|
end
|
|
for i=maxbits,minbits,-1 do
|
|
local nip = ip:apply_mask(i):to_string() .. "/" .. i
|
|
table.insert(ip_check_table, nip)
|
|
end
|
|
local function keep_spam_cb(err, data)
|
|
if err then
|
|
rspamd_logger.infox(rspamd_config, "keep_spam query request for ip %s returned invalid or empty data (\"%s\") or error (\"%s\")", ip, data, err)
|
|
return false
|
|
else
|
|
for k,v in pairs(data) do
|
|
if (v and v ~= userdata and v == '1') then
|
|
rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
|
|
task:set_pre_result('accept', 'ip matched with forward hosts')
|
|
end
|
|
end
|
|
end
|
|
end
|
|
table.insert(ip_check_table, 1, 'KEEP_SPAM')
|
|
local redis_ret_user = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
'KEEP_SPAM', -- hash key
|
|
false, -- is write
|
|
keep_spam_cb, --callback
|
|
'HMGET', -- command
|
|
ip_check_table -- arguments
|
|
)
|
|
if not redis_ret_user then
|
|
rspamd_logger.infox(rspamd_config, "cannot check keep_spam redis map")
|
|
end
|
|
end,
|
|
priority = 19
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'TLS_HEADER',
|
|
type = 'postfilter',
|
|
callback = function(task)
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local tls_tag = task:get_request_header('TLS-Version')
|
|
if type(tls_tag) == 'nil' then
|
|
task:set_milter_reply({
|
|
add_headers = {['X-Last-TLS-Session-Version'] = 'None'}
|
|
})
|
|
else
|
|
task:set_milter_reply({
|
|
add_headers = {['X-Last-TLS-Session-Version'] = tostring(tls_tag)}
|
|
})
|
|
end
|
|
end,
|
|
priority = 12
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'TAG_MOO',
|
|
type = 'postfilter',
|
|
callback = function(task)
|
|
local util = require("rspamd_util")
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local redis_params = rspamd_parse_redis_server('taghandler')
|
|
local rspamd_http = require "rspamd_http"
|
|
local rcpts = task:get_recipients('smtp')
|
|
local lua_util = require "lua_util"
|
|
|
|
local tagged_rcpt = task:get_symbol("TAGGED_RCPT")
|
|
local mailcow_domain = task:get_symbol("RCPT_MAILCOW_DOMAIN")
|
|
|
|
if tagged_rcpt and tagged_rcpt[1].options and mailcow_domain then
|
|
local tag = tagged_rcpt[1].options[1]
|
|
rspamd_logger.infox("found tag: %s", tag)
|
|
local action = task:get_metric_action('default')
|
|
rspamd_logger.infox("metric action now: %s", action)
|
|
|
|
if action ~= 'no action' and action ~= 'greylist' then
|
|
rspamd_logger.infox("skipping tag handler for action: %s", action)
|
|
return true
|
|
end
|
|
|
|
local function http_callback(err_message, code, body, headers)
|
|
if body ~= nil and body ~= "" then
|
|
rspamd_logger.infox(rspamd_config, "expanding rcpt to \"%s\"", body)
|
|
|
|
local function tag_callback_subject(err, data)
|
|
if err or type(data) ~= 'string' then
|
|
rspamd_logger.infox(rspamd_config, "subject tag handler rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying subfolder tag handler...", body, data, err)
|
|
|
|
local function tag_callback_subfolder(err, data)
|
|
if err or type(data) ~= 'string' then
|
|
rspamd_logger.infox(rspamd_config, "subfolder tag handler for rcpt %s returned invalid or empty data (\"%s\") or error (\"%s\")", body, data, err)
|
|
else
|
|
rspamd_logger.infox("Add X-Moo-Tag header")
|
|
task:set_milter_reply({
|
|
add_headers = {['X-Moo-Tag'] = 'YES'}
|
|
})
|
|
end
|
|
end
|
|
|
|
local redis_ret_subfolder = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
body, -- hash key
|
|
false, -- is write
|
|
tag_callback_subfolder, --callback
|
|
'HGET', -- command
|
|
{'RCPT_WANTS_SUBFOLDER_TAG', body} -- arguments
|
|
)
|
|
if not redis_ret_subfolder then
|
|
rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
|
|
end
|
|
|
|
else
|
|
rspamd_logger.infox("user wants subject modified for tagged mail")
|
|
local sbj = task:get_header('Subject')
|
|
new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
|
|
task:set_milter_reply({
|
|
remove_headers = {['Subject'] = 1},
|
|
add_headers = {['Subject'] = new_sbj}
|
|
})
|
|
end
|
|
end
|
|
|
|
local redis_ret_subject = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
body, -- hash key
|
|
false, -- is write
|
|
tag_callback_subject, --callback
|
|
'HGET', -- command
|
|
{'RCPT_WANTS_SUBJECT_TAG', body} -- arguments
|
|
)
|
|
if not redis_ret_subject then
|
|
rspamd_logger.infox(rspamd_config, "cannot make request to load tag handler for rcpt")
|
|
end
|
|
|
|
end
|
|
end
|
|
|
|
if rcpts and #rcpts == 1 then
|
|
for _,rcpt in ipairs(rcpts) do
|
|
local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
|
|
if #rcpt_split == 2 then
|
|
if rcpt_split[1] == 'postmaster' then
|
|
rspamd_logger.infox(rspamd_config, "not expanding postmaster alias")
|
|
else
|
|
rspamd_http.request({
|
|
task=task,
|
|
url='http://nginx:8081/aliasexp.php',
|
|
body='',
|
|
callback=http_callback,
|
|
headers={Rcpt=rcpt['addr']},
|
|
})
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
end
|
|
end,
|
|
priority = 19
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'DYN_RL_CHECK',
|
|
type = 'prefilter',
|
|
callback = function(task)
|
|
local util = require("rspamd_util")
|
|
local redis_params = rspamd_parse_redis_server('dyn_rl')
|
|
local rspamd_logger = require "rspamd_logger"
|
|
local envfrom = task:get_from(1)
|
|
local uname = task:get_user()
|
|
if not envfrom or not uname then
|
|
return false
|
|
end
|
|
local uname = uname:lower()
|
|
|
|
local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
|
|
|
|
local function redis_cb_user(err, data)
|
|
|
|
if err or type(data) ~= 'string' then
|
|
rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)
|
|
|
|
local function redis_key_cb_domain(err, data)
|
|
if err or type(data) ~= 'string' then
|
|
rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for domain %s returned invalid or empty data (\"%s\") or error (\"%s\")", env_from_domain, data, err)
|
|
else
|
|
rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for domain %s with value %s", env_from_domain, data)
|
|
task:insert_result('DYN_RL', 0.0, data, env_from_domain)
|
|
end
|
|
end
|
|
|
|
local redis_ret_domain = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
env_from_domain, -- hash key
|
|
false, -- is write
|
|
redis_key_cb_domain, --callback
|
|
'HGET', -- command
|
|
{'RL_VALUE', env_from_domain} -- arguments
|
|
)
|
|
if not redis_ret_domain then
|
|
rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
|
|
end
|
|
else
|
|
rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
|
|
task:insert_result('DYN_RL', 0.0, data, uname)
|
|
end
|
|
|
|
end
|
|
|
|
local redis_ret_user = rspamd_redis_make_request(task,
|
|
redis_params, -- connect params
|
|
uname, -- hash key
|
|
false, -- is write
|
|
redis_cb_user, --callback
|
|
'HGET', -- command
|
|
{'RL_VALUE', uname} -- arguments
|
|
)
|
|
if not redis_ret_user then
|
|
rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
|
|
end
|
|
return true
|
|
end,
|
|
flags = 'empty',
|
|
priority = 20
|
|
})
|
|
|
|
rspamd_config:register_symbol({
|
|
name = 'NO_LOG_STAT',
|
|
type = 'postfilter',
|
|
callback = function(task)
|
|
local from = task:get_header('From')
|
|
if from and monitoring_hosts:get_key(from) then
|
|
task:set_flag('no_log')
|
|
task:set_flag('no_stat')
|
|
end
|
|
end
|
|
})
|