Merge branch 'master' of https://github.com/mailcow/mailcow-dockerized

data/conf/rspamd/local.d/antivirus.conf

@@ -0,0 +1,7 @@
+clamav {
+  attachments_only = false;
+  symbol = "CLAM_VIRUS";
+  type = "clamav";
+  log_clean = true;
+  servers = "clamd:3310";
+}

data/conf/rspamd/local.d/arc.conf

@@ -0,0 +1,30 @@
+# If false, messages with empty envelope from are not signed
+allow_envfrom_empty = false;
+# If true, envelope/header domain mismatch is ignored
+allow_hdrfrom_mismatch = false;
+# If true, multiple from headers are allowed (but only first is used)
+allow_hdrfrom_multiple = true;
+# If true, username does not need to contain matching domain
+allow_username_mismatch = false;
+# If false, messages from authenticated users are not selected for signing
+auth_only = true;
+# Default path to key, can include '$domain' and '$selector' variables
+path = "/data/dkim/keys/$domain.dkim";
+# Default selector to use
+selector = "dkim";
+# If false, messages from local networks are not selected for signing
+sign_local = true;
+# Symbol to add when message is signed
+symbol = "ARC_SIGNED";
+# Whether to fallback to global config
+try_fallback = true;
+# Domain to use for DKIM signing: can be "header" or "envelope"
+use_domain = "envelope";
+# Whether to normalise domains to eSLD
+use_esld = false;
+# Whether to get keys from Redis
+use_redis = true;
+# Hash for DKIM keys in Redis
+key_prefix = "DKIM_PRIV_KEYS";
+# Selector map
+selector_prefix = "DKIM_SELECTORS";

data/conf/rspamd/local.d/dkim.conf

@@ -1,34 +0,0 @@
-sign_condition =<<EOD
-return function(task)
-  local smtp_from = task:get_from('smtp')
-  local mime_from = task:get_from('mime')
-  local rspamd_logger = require "rspamd_logger"
-  if smtp_from[1]['domain'] ~= nil and smtp_from[1]['domain'] ~= '' then
-    domain = smtp_from[1]['domain']
-    rspamd_logger.infox(task, "set domain found in smtp from field to %s", domain)
-    if not task:get_user() then
-      rspamd_logger.infox(task, "found domain in smtp header field, but user is not authenticated - skipped")
-      return false
-    end
-  elseif mime_from[1]['domain'] ~= nil and mime_from[1]['domain'] ~= '' then
-    domain = mime_from[1]['domain']
-    rspamd_logger.infox(task, "set domain found in mime from field to %s", domain)
-  else
-    rspamd_logger.infox(task, "cannot determine domain for dkim signing")
-    return false
-  end
-  local keyfile = io.open("/data/dkim/keys/" .. domain .. ".dkim")
-  if keyfile then
-    rspamd_logger.infox(task, "found dkim key file for domain %s", domain)
-    keyfile:close()
-    return {
-      key = "/data/dkim/keys/" .. domain .. ".dkim",
-      domain = domain,
-      selector = "dkim"
-    }
-  else
-    rspamd_logger.infox(task, "no key file for domain %s - skipped", domain)
-  end
-  return false
-end
-EOD;

data/conf/rspamd/local.d/dkim_signing.conf

@@ -0,0 +1,30 @@
+# If false, messages with empty envelope from are not signed
+allow_envfrom_empty = false;
+# If true, envelope/header domain mismatch is ignored
+allow_hdrfrom_mismatch = false;
+# If true, multiple from headers are allowed (but only first is used)
+allow_hdrfrom_multiple = true;
+# If true, username does not need to contain matching domain
+allow_username_mismatch = true;
+# If false, messages from authenticated users are not selected for signing
+auth_only = true;
+# Default path to key, can include '$domain' and '$selector' variables
+path = "/data/dkim/keys/$domain.dkim";
+# Default selector to use
+selector = "dkim";
+# If false, messages from local networks are not selected for signing
+sign_local = true;
+# Symbol to add when message is signed
+symbol = "DKIM_SIGNED";
+# Whether to fallback to global config
+try_fallback = true;
+# Domain to use for DKIM signing: can be "header" or "envelope"
+use_domain = "envelope";
+# Whether to normalise domains to eSLD
+use_esld = false;
+# Whether to get keys from Redis
+use_redis = true;
+# Hash for DKIM keys in Redis
+key_prefix = "DKIM_PRIV_KEYS";
+# Selector map
+selector_prefix = "DKIM_SELECTORS";

data/conf/rspamd/local.d/force_actions.conf

@@ -0,0 +1,22 @@
+rules {
+  DKIM_FAIL {
+    action = "add header";
+    expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
+    require_action = ["no action", "greylist"];
+  }
+  VIRUS_FOUND {
+    action = "reject";
+    expression = "CLAM_VIRUS & !MAILCOW_WHITE";
+    honor_action = ["reject"];
+  }
+  WHITELIST_FORWARDING_HOST_NO_REJECT {
+    action = "add header";
+    expression = "WHITELISTED_FWD_HOST";
+    require_action = ["reject"];
+  }
+  WHITELIST_FORWARDING_HOST_NO_GREYLIST {
+    action = "no action";
+    expression = "WHITELISTED_FWD_HOST";
+    require_action = ["greylist", "soft reject"];
+  }
+}

data/conf/rspamd/local.d/milter_headers.conf

@@ -0,0 +1,39 @@
+use = ["spam-header", "x-spamd-result", "x-rspamd-queue-id", "authentication-results"];
+skip_local = false;
+skip_authenticated = true;
+routines {
+  spam-header {
+    header = "X-Spam-Flag";
+    value = "YES";
+    remove = 1;
+  }
+  authentication-results {
+    header = "Authentication-Results";
+    remove = 1;
+    spf_symbols {
+      pass = "R_SPF_ALLOW";
+      fail = "R_SPF_FAIL";
+      softfail = "R_SPF_SOFTFAIL";
+      neutral = "R_SPF_NEUTRAL";
+      temperror = "R_SPF_DNSFAIL";
+      none = "R_SPF_NA";
+      permerror = "R_SPF_PERMFAIL";
+    }
+    dkim_symbols {
+      pass = "R_DKIM_ALLOW";
+      fail = "R_DKIM_REJECT";
+      temperror = "R_DKIM_TEMPFAIL";
+      none = "R_DKIM_NA";
+      permerror = "R_DKIM_PERMFAIL";
+    }
+    dmarc_symbols {
+      pass = "DMARC_POLICY_ALLOW";
+      permerror = "DMARC_BAD_POLICY";
+      temperror = "DMARC_DNSFAIL";
+      none = "DMARC_NA";
+      reject = "DMARC_POLICY_REJECT";
+      softfail = "DMARC_POLICY_SOFTFAIL";
+      quarantine = "DMARC_POLICY_QUARANTINE";
+    }
+  }
+}

data/conf/rspamd/local.d/mime_types.conf

@@ -0,0 +1,34 @@
+# Extensions that are treated as 'bad'
+# Number is score multiply factor
+bad_extensions = {
+  scr = 4,
+  lnk = 4,
+  exe = 1,
+  jar = 2,
+  com = 4,
+  bat = 4,
+  ace = 4,
+  arj = 4,
+  cab = 3,
+};
+
+# Extensions that are particularly penalized for archives
+bad_archive_extensions = {
+  pptx = 0.5,
+  docx = 0.5,
+  xlsx = 0.5,
+  pdf = 1.0,
+  jar = 3,
+  js = 0.5,
+  vbs = 7,
+};
+
+# Used to detect another archive in archive
+archive_extensions = {
+  zip = 1,
+  arj = 1,
+  rar = 1,
+  ace = 1,
+  7z = 1,
+  cab = 1,
+};

data/conf/rspamd/local.d/multimap.conf

@@ -0,0 +1,22 @@
+RCPT_MAILCOW_DOMAIN {
+  type = "rcpt";
+  filter = "email:domain"
+  map = "redis://DOMAIN_MAP"
+}
+
+RCPT_WANTS_SUBJECT_TAG {
+  type = "rcpt";
+  filter = "email:addr"
+  map = "redis://RCPT_WANTS_SUBJECT_TAG"
+}
+
+WHITELISTED_FWD_HOST {
+  type = "ip";
+  map = "redis://WHITELISTED_FWD_HOST"
+}
+
+KEEP_SPAM {
+  type = "ip";
+  map = "redis://KEEP_SPAM"
+  action = "accept";
+}

data/conf/rspamd/local.d/mx_check.conf

@@ -0,0 +1,7 @@
+timeout = 1.0;
+symbol_bad_mx = "MX_INVALID";
+symbol_no_mx = "MX_MISSING";
+symbol_good_mx = "MX_GOOD";
+expire = 86400;
+key_prefix = "rmx";
+enabled = true;

data/conf/rspamd/local.d/options.inc

@@ -1,3 +1,9 @@
 dns {
-    enable_dnssec = true;
+  enable_dnssec = true;
 }
+map_watch_interval = 15s;
+dns {
+  timeout = 4s;
+  retransmits = 5;
+}
+disable_monitored = true;

data/conf/rspamd/local.d/rspamd.conf.local

@@ -1 +1,5 @@
 # rspamd.conf.local
+history_redis {}
+worker "log_helper" {
+  count = 1;
+}