Docs

2017-03-02 11:23:23 +01:00
parent 5f7fb2e7c2
commit d891bc8894
155 changed files with 26539 additions and 2916 deletions
--- a/data/conf/rspamd/dynmaps/authoritative.php
+++ b/data/conf/rspamd/dynmaps/authoritative.php
@@ -0,0 +1,22 @@
+<?php
+ini_set('error_reporting', 0);
+header('Content-Type: text/plain');
+require_once "vars.inc.php";
+$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+$stmt = $pdo->query("SELECT `domain` FROM `domain`");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+  echo strtolower(trim($row['domain'])) . PHP_EOL;
+}
+$stmt = $pdo->query("SELECT `alias_domain` FROM `alias_domain`");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+  echo strtolower(trim($row['alias_domain'])) . PHP_EOL;
+}
+?>
--- a/data/conf/rspamd/dynmaps/settings.php
+++ b/data/conf/rspamd/dynmaps/settings.php
@@ -0,0 +1,224 @@
+<?php
+/*
+The match section performs AND operation on different matches: for example, if you have from and rcpt in the same rule,
+then the rule matches only when from AND rcpt match. For similar matches, the OR rule applies: if you have multiple rcpt matches,
+then any of these will trigger the rule. If a rule is triggered then no more rules are matched.
+*/
+ini_set('error_reporting', '0');
+
+header('Content-Type: text/plain');
+require_once "vars.inc.php";
+
+$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+?>
+settings {
+<?php
+$stmt = $pdo->query("SELECT DISTINCT `object` FROM `filterconf` WHERE `option` = 'highspamlevel' OR `option` = 'lowspamlevel'");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+while ($row = array_shift($rows)) {
+	$username_sane = preg_replace("/[^a-zA-Z0-9]+/", "", $row['object']);
+?>
+	score_<?=$username_sane;?> {
+		priority = low;
+<?php
+	$stmt = $pdo->prepare("SELECT `option`, `value` FROM `filterconf` 
+		WHERE (`option` = 'highspamlevel' OR `option` = 'lowspamlevel')
+			AND `object`= :object");
+	$stmt->execute(array(':object' => $row['object']));
+	$spamscore = $stmt->fetchAll(PDO::FETCH_COLUMN|PDO::FETCH_GROUP);
+
+	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(`value`, '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
+		WHERE (`object`= :object OR `object`= :object_domain)
+			AND (`option` = 'blacklist_from' OR `option` = 'whitelist_from')");
+	$stmt->execute(array(':object' => $row['object'], ':object_domain' => substr(strrchr($row['object'], "@"), 1)));
+	$grouped_lists = $stmt->fetchAll(PDO::FETCH_COLUMN);
+	$value_sane = preg_replace("/\.\./", ".", (preg_replace("/\*/", ".*", $grouped_lists[0])));
+?>
+		from = "/^((?!<?=$value_sane;?>).)*$/";
+		rcpt = "<?=$row['object'];?>";
+<?php
+	$stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `goto` = :object_goto AND `address` NOT LIKE '@%' AND `address` != :object_address");
+	$stmt->execute(array(':object_goto' => $row['object'], ':object_address' => $row['object']));
+	$rows_aliases_1 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+	while ($row_aliases_1 = array_shift($rows_aliases_1)) {
+?>
+		rcpt = "<?=$row_aliases_1['address'];?>";
+<?php
+	}
+	$stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `aliases` FROM `mailbox` 
+		LEFT OUTER JOIN `alias_domain` on `mailbox`.`domain` = `alias_domain`.`target_domain`
+		WHERE `mailbox`.`username` = :object");
+	$stmt->execute(array(':object' => $row['object']));
+	$rows_aliases_2 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  array_filter($rows_aliases_2);
+	while ($row_aliases_2 = array_shift($rows_aliases_2)) {
+    if (!empty($row_aliases_2['aliases'])) {
+?>
+		rcpt = "<?=$row_aliases_2['aliases'];?>";
+<?php
+    }
+	}
+?>
+		apply "default" {
+			actions {
+				reject = <?=$spamscore['highspamlevel'][0];?>;
+				greylist = <?=$spamscore['lowspamlevel'][0] - 1;?>;
+				"add header" = <?=$spamscore['lowspamlevel'][0];?>;
+			}
+		}
+	}
+<?php
+}
+
+/*
+// Start whitelist
+*/
+
+$stmt = $pdo->query("SELECT DISTINCT `object` FROM `filterconf` WHERE `option` = 'whitelist_from'");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+	$username_sane = preg_replace("/[^a-zA-Z0-9]+/", "", $row['object']);
+?>
+	whitelist_<?=$username_sane;?> {
+<?php
+	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(`value`, '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
+		WHERE `object`= :object
+			AND `option` = 'whitelist_from'");
+	$stmt->execute(array(':object' => $row['object']));
+	$grouped_lists = $stmt->fetchAll(PDO::FETCH_COLUMN);
+	$value_sane = preg_replace("/\.\./", ".", (preg_replace("/\*/", ".*", $grouped_lists[0])));
+?>
+		from = "/(<?=$value_sane;?>)/";
+<?php
+	if (!filter_var(trim($row['object']), FILTER_VALIDATE_EMAIL)) {
+?>
+		priority = medium;
+		rcpt = "/.*@<?=$row['object'];?>/";
+<?php
+		$stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain`
+			WHERE `target_domain` = :object");
+		$stmt->execute(array(':object' => $row['object']));
+		$rows_domain_aliases = $stmt->fetchAll(PDO::FETCH_ASSOC);
+    array_filter($rows_domain_aliases);
+		while ($row_domain_aliases = array_shift($rows_domain_aliases)) {
+?>
+		rcpt = "/.*@<?=$row_domain_aliases['alias_domain'];?>/";
+<?php
+		}
+	}
+	else {
+?>
+		priority = high;
+		rcpt = "<?=$row['object'];?>";
+<?php
+	}
+	$stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `goto` = :object_goto AND `address` NOT LIKE '@%' AND `address` != :object_address");
+	$stmt->execute(array(':object_goto' => $row['object'], ':object_address' => $row['object']));
+	$rows_aliases_wl_1 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  array_filter($rows_aliases_wl_1);
+	while ($row_aliases_wl_1 = array_shift($rows_aliases_wl_1)) {
+?>
+		rcpt = "<?=$row_aliases_wl_1['address'];?>";
+<?php
+	}
+	$stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `aliases` FROM `mailbox` 
+		LEFT OUTER JOIN `alias_domain` on `mailbox`.`domain` = `alias_domain`.`target_domain`
+		WHERE `mailbox`.`username` = :object");
+	$stmt->execute(array(':object' => $row['object']));
+	$rows_aliases_wl_2 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  array_filter($rows_aliases_wl_2);
+	while ($row_aliases_wl_2 = array_shift($rows_aliases_wl_2)) {
+    if (!empty($row_aliases_wl_2['aliases'])) {
+?>
+		rcpt = "<?=$row_aliases_wl_2['aliases'];?>";
+<?php
+    }
+	}
+?>
+		apply "default" {
+			MAILCOW_MOO = -999.0;
+		}
+	}
+<?php
+}
+
+/*
+// Start blacklist
+*/
+
+$stmt = $pdo->query("SELECT DISTINCT `object` FROM `filterconf` WHERE `option` = 'blacklist_from'");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+	$username_sane = preg_replace("/[^a-zA-Z0-9]+/", "", $row['object']);
+?>
+	blacklist_<?=$username_sane;?> {
+<?php
+	$stmt = $pdo->prepare("SELECT GROUP_CONCAT(REPLACE(`value`, '*', '.*') SEPARATOR '|') AS `value` FROM `filterconf`
+		WHERE `object`= :object
+			AND `option` = 'blacklist_from'");
+	$stmt->execute(array(':object' => $row['object']));
+	$grouped_lists = $stmt->fetchAll(PDO::FETCH_COLUMN);
+	$value_sane = preg_replace("/\.\./", ".", (preg_replace("/\*/", ".*", $grouped_lists[0])));
+?>
+		from = "/(<?=$value_sane;?>)/";
+<?php
+	if (!filter_var(trim($row['object']), FILTER_VALIDATE_EMAIL)) {
+?>
+		priority = medium;
+		rcpt = "/.*@<?=$row['object'];?>/";
+<?php
+		$stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain`
+			WHERE `target_domain` = :object");
+		$stmt->execute(array(':object' => $row['object']));
+		$rows_domain_aliases = $stmt->fetchAll(PDO::FETCH_ASSOC);
+    array_filter($rows_domain_aliases);
+		while ($row_domain_aliases = array_shift($rows_domain_aliases)) {
+?>
+		rcpt = "/.*@<?=$row_domain_aliases['alias_domain'];?>/";
+<?php
+		}
+	}
+	else {
+?>
+		priority = high;
+		rcpt = "<?=$row['object'];?>";
+<?php
+	}
+	$stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `goto` = :object_goto AND `address` NOT LIKE '@%' AND `address` != :object_address");
+	$stmt->execute(array(':object_goto' => $row['object'], ':object_address' => $row['object']));
+	$rows_aliases_bl_1 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  array_filter($rows_aliases_bl_1);
+	while ($row_aliases_bl_1 = array_shift($rows_aliases_bl_1)) {
+?>
+		rcpt = "<?=$row_aliases_bl_1['address'];?>";
+<?php
+	}
+	$stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `aliases` FROM `mailbox` 
+		LEFT OUTER JOIN `alias_domain` on `mailbox`.`domain` = `alias_domain`.`target_domain`
+		WHERE `mailbox`.`username` = :object");
+	$stmt->execute(array(':object' => $row['object']));
+	$rows_aliases_bl_2 = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  array_filter($rows_aliases_bl_2);
+	while ($row_aliases_bl_2 = array_shift($rows_aliases_bl_2)) {
+    if (!empty($row_aliases_bl_2['aliases'])) {
+?>
+		rcpt = "<?=$row_aliases_bl_2['aliases'];?>";
+<?php
+    }
+	}
+?>
+		apply "default" {
+			MAILCOW_MOO = 999.0;
+		}
+	}
+<?php
+}
+?>
+}
--- a/data/conf/rspamd/dynmaps/tags.php
+++ b/data/conf/rspamd/dynmaps/tags.php
@@ -0,0 +1,22 @@
+<?php
+ini_set('error_reporting', 0);
+header('Content-Type: text/plain');
+require_once "vars.inc.php";
+$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+$stmt = $pdo->query("SELECT `username` FROM `mailbox` WHERE `wants_tagged_subject` = '1'");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+  echo strtolower(trim($row['username'])) . PHP_EOL;
+}
+$stmt = $pdo->query("SELECT CONCAT(mailbox.local_part, '@', alias_domain.alias_domain) as `tag_ad` FROM `mailbox` INNER JOIN `alias_domain` ON mailbox.domain = alias_domain.target_domain WHERE mailbox.wants_tagged_subject='1';");
+$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($row = array_shift($rows)) {
+  echo strtolower(trim($row['tag_ad'])) . PHP_EOL;
+}
+?>
--- a/data/conf/rspamd/dynmaps/vars.inc.php
+++ b/data/conf/rspamd/dynmaps/vars.inc.php
@@ -0,0 +1 @@
+../../../web/inc/vars.inc.php
--- a/data/conf/rspamd/local.d/dkim.conf
+++ b/data/conf/rspamd/local.d/dkim.conf
@@ -0,0 +1,34 @@
+sign_condition =<<EOD
+return function(task)
+  local smtp_from = task:get_from('smtp')
+  local mime_from = task:get_from('mime')
+  local rspamd_logger = require "rspamd_logger"
+  if smtp_from[1]['domain'] ~= nil and smtp_from[1]['domain'] ~= '' then
+    domain = smtp_from[1]['domain']
+    rspamd_logger.infox(task, "set domain found in smtp from field to %s", domain)
+    if not task:get_user() then
+      rspamd_logger.infox(task, "found domain in smtp header field, but user is not authenticated - skipped")
+      return false
+    end
+  elseif mime_from[1]['domain'] ~= nil and mime_from[1]['domain'] ~= '' then
+    domain = mime_from[1]['domain']
+    rspamd_logger.infox(task, "set domain found in mime from field to %s", domain)
+  else
+    rspamd_logger.infox(task, "cannot determine domain for dkim signing")
+    return false
+  end
+  local keyfile = io.open("/data/dkim/keys/" .. domain .. ".dkim")
+  if keyfile then
+    rspamd_logger.infox(task, "found dkim key file for domain %s", domain)
+    keyfile:close()
+    return {
+      key = "/data/dkim/keys/" .. domain .. ".dkim",
+      domain = domain,
+      selector = "dkim"
+    }
+  else
+    rspamd_logger.infox(task, "no key file for domain %s - skipped", domain)
+  end
+  return false
+end
+EOD;
--- a/data/conf/rspamd/local.d/metrics.conf
+++ b/data/conf/rspamd/local.d/metrics.conf
@@ -0,0 +1,19 @@
+actions {
+	reject = 15;
+	add_header = 5;
+	greylist = 4;
+}
+symbol "MAILCOW_AUTH" {
+	description = "mailcow authenticated";
+	score = -20.0;
+}
+group "bayes" {
+	symbol "BAYES_SPAM" {
+		weight = 7.5;
+		description = "Message probably spam, probability: ";
+	}
+	symbol "BAYES_HAM" {
+		weight = -2.5;
+		description = "Message probably ham, probability: ";
+	}
+}
--- a/data/conf/rspamd/local.d/options.inc
+++ b/data/conf/rspamd/local.d/options.inc
@@ -0,0 +1,3 @@
+dns {
+    enable_dnssec = true;
+}
--- a/data/conf/rspamd/local.d/redis.conf
+++ b/data/conf/rspamd/local.d/redis.conf
@@ -0,0 +1 @@
+servers = "redis:6379";
--- a/data/conf/rspamd/local.d/rspamd.conf.local
+++ b/data/conf/rspamd/local.d/rspamd.conf.local
@@ -0,0 +1 @@
+# rspamd.conf.local
--- a/data/conf/rspamd/local.d/statistic.conf
+++ b/data/conf/rspamd/local.d/statistic.conf
@@ -0,0 +1,59 @@
+classifier "bayes" {
+    tokenizer {
+    name = "osb";
+    }
+
+    backend = "redis";
+    servers = "redis:6379";
+    min_tokens = 11;
+    min_learns = 20;
+    autolearn = true;
+
+    per_user = <<EOD
+return function(task)
+    local rcpt = task:get_recipients(1)
+
+if rcpt then
+    one_rcpt = rcpt[1]
+    if one_rcpt['domain'] then
+        return one_rcpt['domain']
+    end
+end
+
+return nil
+end
+EOD
+
+    statfile {
+        symbol = "BAYES_HAM";
+        spam = false;
+    }
+    statfile {
+        symbol = "BAYES_SPAM";
+        spam = true;
+    }
+    learn_condition =<<EOD
+return function(task, is_spam, is_unlearn)
+    local prob = task:get_mempool():get_variable('bayes_prob', 'double')
+
+    if prob then
+        local in_class = false
+        local cl
+        if is_spam then
+            cl = 'spam'
+            in_class = prob >= 0.95
+        else
+            cl = 'ham'
+            in_class = prob <= 0.05
+        end
+
+        if in_class then
+            return false,string.format('already in class %s; probability %.2f%%',
+            cl, math.abs((prob - 0.5) * 200.0))
+        end
+    end
+
+    return true
+end
+EOD
+}
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -0,0 +1,75 @@
+rspamd_config.MAILCOW_AUTH = {
+	callback = function(task)
+		local uname = task:get_user()
+		if uname then
+			return 1
+		end
+	end
+}
+
+rspamd_config.MAILCOW_MOO = function (task)
+	return true
+end
+
+local modify_subject_map = rspamd_config:add_map({
+  url = 'http://nginx:8081/tags.php',
+  type = 'map',
+  description = 'Map of users to use subject tags for'
+})
+
+local auth_domain_map = rspamd_config:add_map({
+  url = 'http://nginx:8081/authoritative.php',
+  type = 'map',
+  description = 'Map of domains we are authoritative for'
+})
+
+rspamd_config.ADD_DELIMITER_TAG = {
+  callback = function(task)
+    local util = require("rspamd_util")
+    local rspamd_logger = require "rspamd_logger"
+
+    local user_env_tagged = task:get_recipients(1)[1]['user']
+    local user_to_tagged = task:get_recipients(2)[1]['user']
+
+    local domain = task:get_recipients(1)[1]['domain']
+
+    local user_env, tag_env = user_env_tagged:match("([^+]+)+(.*)")
+    local user_to, tag_to = user_to_tagged:match("([^+]+)+(.*)")
+
+    local authdomain = auth_domain_map:get_key(domain)
+
+    if tag_env then
+      tag = tag_env
+      user = user_env
+    elseif tag_to then
+      tag = tag_to
+      user = user_env
+    end
+
+    if tag and authdomain then
+      rspamd_logger.infox("Domain %s is part of mailcow, start reading tag settings", domain)
+      local user_untagged = user .. '@' .. domain
+      rspamd_logger.infox("Querying tag settings for user %1", user_untagged)
+      if modify_subject_map:get_key(user_untagged) then
+        rspamd_logger.infox("User wants subject modified for tagged mail")
+        local sbj = task:get_header('Subject')
+        if tag then
+          rspamd_logger.infox("Found tag %1, will modify subject header", tag)
+          new_sbj = '=?UTF-8?B?' .. tostring(util.encode_base64('[' .. tag .. '] ' .. sbj)) .. '?='
+          task:set_rmilter_reply({
+            remove_headers = {['Subject'] = 1},
+            add_headers = {['Subject'] = new_sbj}
+          })
+        end
+      else
+        rspamd_logger.infox("Add X-Moo-Tag header")
+        task:set_rmilter_reply({
+          add_headers = {['X-Moo-Tag'] = 'YES'}
+        })
+      end
+    else
+      rspamd_logger.infox("Skip delimiter handling for untagged message or authenticated user")
+    end
+    return false
+  end
+}
--- a/data/conf/rspamd/override.d/logging.inc
+++ b/data/conf/rspamd/override.d/logging.inc
@@ -0,0 +1,3 @@
+type = "console";
+systemd = false;
+.include "$CONFDIR/logging.inc"
--- a/data/conf/rspamd/override.d/worker-controller.inc
+++ b/data/conf/rspamd/override.d/worker-controller.inc
@@ -0,0 +1,7 @@
+bind_socket = "*:11334";
+enable_password = "$2$pppq86q9uns51zd5ekfxecj7bxwaefo3$p7f9xdhamydjhtypcr639it3kqeiknx3dk9on7skjypyi8uwwcmy";
+secure_ip = "192.168.0.0/16";
+secure_ip = "172.16.0.0/12";
+secure_ip = "10.0.0.0/8";
+secure_ip = "127.0.0.1";
+secure_ip = "::1";
--- a/data/conf/rspamd/override.d/worker-normal.inc
+++ b/data/conf/rspamd/override.d/worker-normal.inc
@@ -0,0 +1 @@
+bind_socket = "*:11333";