[Rspamd] Apply ratelimit against authenticated user instead of envelope from

[PHP-FPM] Create PHP-FPM listeners 9001 (system) and 9002 (web), drop 9000 [Rspamd] Parse quarantine messages as utf8 [Rspamd] Use new schema for Rspamd bayes hashes and expire them in Redis [SOGo] Change default logo [SOGo] Use different keyserver by default in Dockerfile [Rspamd] Add bad ASN list (disabled by default) [Watchdog] Change the way we check PHP-FPM, change SOGo check [Nginx] Change ports according to new PHP-FPM listeners [Update] Fix PHP-FPM ports for existing non-mailcow Nginx sites
2018-04-26 13:51:55 +02:00
parent f53006f6ab
commit 7181ee4658
15 changed files with 193 additions and 230 deletions
--- a/data/conf/rspamd/custom/bad_asn.map
+++ b/data/conf/rspamd/custom/bad_asn.map
@@ -0,0 +1,27 @@
+# High spam networks, disabled by default
+#201942:5 #Soltia Consulting SL - ipinfo.io
+#16276:5 #OVH
+#12876:5 #ONLINE S.A.S
+#31034:5
+#12874:5
+#30823:5
+#197071:5
+#42831:5 #UK Dedicated Servers Ltd
+#29119:5 #Aire Networks del Mediterraneo S.L.U.
+#13335:5 #Cloudflare
+#28753:5 #Leaseweb
+#61272:5 #Informacines sistemos ir technologijos
+#53755:5 #Input Output Flood LLC
+#29422:5 #FICIX Helsinki
+#62255:4 #Asmunda New Media Ltd
+#14061:4 #Digitalocean
+#55293:4 #A2 Hosting
+#63018:4 #US Dedicated
+#197518:2
+#44493:2
+#46606:2
+#49505:2
+#21100:2
+#197695:2
+#198068:2
+#43146:2
--- a/data/conf/rspamd/local.d/multimap.conf
+++ b/data/conf/rspamd/local.d/multimap.conf
@@ -27,6 +27,14 @@ KEEP_SPAM {
  action = "accept";
 }

+LOCAL_BL_ASN {
+  require_symbols = "!MAILCOW_WHITE";
+  type = "asn";
+  map = "$LOCAL_CONFDIR/custom/bad_asn.map";
+  score = 5;
+  description = "Sender's ASN is on the local blacklist";
+}
+
 #SPOOFED_SENDER {
 #  type = "rcpt";
 #  filter = "email:domain:tld";
--- a/data/conf/rspamd/local.d/statistic.conf
+++ b/data/conf/rspamd/local.d/statistic.conf
@@ -8,6 +8,8 @@ classifier "bayes" {
    min_tokens = 11;
    min_learns = 20;
    autolearn = [-20, 50];
+    new_schema = true;
+    expiry = 50d;
    per_user = <<EOD
 return function(task)
    local rcpt = task:get_recipients(1)
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -59,16 +59,16 @@ rspamd_config:register_symbol({
    local redis_params = rspamd_parse_redis_server('dyn_rl')
    local rspamd_logger = require "rspamd_logger"
    local envfrom = task:get_from(1)
-    if not envfrom then
+    local uname = task:get_user():lower()
+    if not envfrom or not uname then
      return false
    end
    local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
-    local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case

    local function redis_cb_user(err, data)

      if err or type(data) ~= 'string' then
-        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", env_from_addr, data, err)
+        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)

        local function redis_key_cb_domain(err, data)
          if err or type(data) ~= 'string' then
@@ -91,7 +91,7 @@ rspamd_config:register_symbol({
          rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
        end
      else
-        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", env_from_addr, data)
+        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
        task:insert_result('DYN_RL', 0.0, data)
      end

@@ -99,11 +99,11 @@ rspamd_config:register_symbol({

    local redis_ret_user = rspamd_redis_make_request(task,
      redis_params, -- connect params
-      env_from_addr, -- hash key
+      uname, -- hash key
      false, -- is write
      redis_cb_user, --callback
      'HGET', -- command
-      {'RL_VALUE', env_from_addr} -- arguments
+      {'RL_VALUE', uname} -- arguments
    )
    if not redis_ret_user then
      rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -44,7 +44,8 @@ if (!function_exists('getallheaders'))  {
  }
 }

-$raw_data = file_get_contents('php://input');
+$raw_data_content = file_get_contents('php://input');
+$raw_data = mb_convert_encoding($raw_data_content, 'HTML-ENTITIES', "UTF-8");
 $headers = getallheaders();

 $qid      = $headers['X-Rspamd-Qid'];