rspamd: disable checks for authenticated users (#3440)

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
This commit is contained in:
Georg Lauterbach 2023-08-08 10:43:21 +02:00 committed by GitHub
parent b001f5a140
commit f28fce9cc4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 77 additions and 8 deletions

View file

@ -338,6 +338,15 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
- 0 => Disabled
- 1 => Enabled
##### RSPAMD_CHECK_AUTHENTICATED
This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
- **0** => No checks will be performed for authenticated users
- 1 => All default checks will be performed for authenticated users
[rspamd-scanning-outbound]: https://rspamd.com/doc/tutorials/scanning_outbound.html
##### RSPAMD_GREYLISTING
Controls whether the [Rspamd Greylisting module][rspamd-greylisting-module] is enabled. This module can further assist in avoiding spam emails by [greylisting] e-mails with a certain spam score.

View file

@ -21,11 +21,12 @@ The following environment variables are related to Rspamd:
1. [`ENABLE_RSPAMD`](../environment.md#enable_rspamd)
2. [`ENABLE_RSPAMD_REDIS`](../environment.md#enable_rspamd_redis)
3. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
4. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
5. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
6. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
7. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
3. [`RSPAMD_CHECK_AUTHENTICATED`](../environment.md#rspamd_check_authenticated)
4. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
5. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
6. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
7. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
8. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
With these variables, you can enable Rspamd itself and you can enable / disable certain features related to Rspamd.

View file

@ -142,6 +142,13 @@ ENABLE_RSPAMD_REDIS=
# 1 => enabled
RSPAMD_LEARN=0
# This settings controls whether checks should be performed on emails coming
# from authenticated users (i.e. most likely outgoing emails). The default value
# is `0` in order to align better with SpamAssassin. We recommend reading
# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
# decide for yourself whether you need and want this feature.
RSPAMD_CHECK_AUTHENTICATED=0
# Controls whether the Rspamd Greylisting module is enabled.
# This module can further assist in avoiding spam emails by greylisting
# e-mails with a certain spam score.

View file

@ -0,0 +1,12 @@
# documentation: https://rspamd.com/doc/configuration/settings.html
# DMS::SED_TAG::1::START
# Disable all checks for authenticated users
authenticated {
priority = high;
authenticated = yes;
apply {
groups_enabled = [];
}
}
# DMS::SED_TAG::1::END

View file

@ -14,6 +14,7 @@ function _setup_rspamd() {
__rspamd__setup_learning
__rspamd__setup_greylisting
__rspamd__setup_hfilter_group
__rspamd__setup_check_authenticated
__rspamd__handle_user_modules_adjustments # must run last
__rspamd__log 'trace' '---------- Setup finished ----------'
@ -250,7 +251,8 @@ function __rspamd__setup_hfilter_group() {
if _env_var_expect_zero_or_one 'RSPAMD_HFILTER' && [[ ${RSPAMD_HFILTER} -eq 1 ]]; then
__rspamd__log 'debug' 'Hfilter (group) module is enabled'
# Check if we received a number first
if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' \
&& [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
__rspamd__log 'trace' "Adjusting score for 'HFILTER_HOSTNAME_UNKNOWN' in Hfilter group module to ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}"
sed -i -E \
"s|(.*score =).*(# __TAG__HFILTER_HOSTNAME_UNKNOWN)|\1 ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}; \2|g" \
@ -264,6 +266,20 @@ function __rspamd__setup_hfilter_group() {
fi
}
function __rspamd__setup_check_authenticated() {
local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf"
if _env_var_expect_zero_or_one 'RSPAMD_CHECK_AUTHENTICATED' \
&& [[ ${RSPAMD_CHECK_AUTHENTICATED} -eq 0 ]]
then
__rspamd__log 'debug' 'Content checks for authenticated users are disabled'
else
__rspamd__log 'debug' 'Enabling content checks for authenticated users'
sed -i -E \
'/DMS::SED_TAG::1::START/{:a;N;/DMS::SED_TAG::1::END/!ba};/authenticated/d' \
"${MODULE_FILE}"
fi
}
# Parses `RSPAMD_CUSTOM_COMMANDS_FILE` and executed the directives given by the file.
# To get a detailed explanation of the commands and how the file works, visit
# https://docker-mailserver.github.io/docker-mailserver/edge/config/security/rspamd/#with-the-help-of-a-custom-file

View file

@ -51,6 +51,7 @@ function __environment_variables_general_setup() {
VARS[POSTGREY_MAX_AGE]="${POSTGREY_MAX_AGE:=35}"
VARS[POSTGREY_TEXT]="${POSTGREY_TEXT:=Delayed by Postgrey}"
VARS[POSTSCREEN_ACTION]="${POSTSCREEN_ACTION:=enforce}"
VARS[RSPAMD_CHECK_AUTHENTICATED]="${RSPAMD_CHECK_AUTHENTICATED:=0}"
VARS[RSPAMD_GREYLISTING]="${RSPAMD_GREYLISTING:=0}"
VARS[RSPAMD_HFILTER]="${RSPAMD_HFILTER:=1}"
VARS[RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE]="${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE:=6}"

View file

@ -25,6 +25,7 @@ function setup_file() {
--env LOG_LEVEL=trace
--env MOVE_SPAM_TO_JUNK=1
--env RSPAMD_LEARN=1
--env RSPAMD_CHECK_AUTHENTICATED=0
--env RSPAMD_GREYLISTING=1
--env RSPAMD_HFILTER=1
--env RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=7
@ -292,10 +293,22 @@ function teardown_file() { _default_teardown ; }
}
@test 'hfilter group module is configured correctly' {
_run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
local MODULE_FILE='/etc/rspamd/local.d/hfilter_group.conf'
_run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
assert_success
_run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' /etc/rspamd/local.d/hfilter_group.conf
_run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' "${MODULE_FILE}"
assert_success
assert_output --partial 'score = 7;'
}
@test 'checks on authenticated users are disabled' {
local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
_run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
assert_success
_run_in_container grep -E -A 6 'authenticated \{' "${MODULE_FILE}"
assert_success
assert_output --partial 'authenticated = yes;'
assert_output --partial 'groups_enabled = [];'
}

View file

@ -24,6 +24,7 @@ function setup_file() {
--env LOG_LEVEL=trace
--env MOVE_SPAM_TO_JUNK=0
--env RSPAMD_LEARN=0
--env RSPAMD_CHECK_AUTHENTICATED=1
--env RSPAMD_GREYLISTING=0
--env RSPAMD_HFILTER=0
)
@ -85,3 +86,12 @@ function teardown_file() { _default_teardown ; }
_run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
assert_failure
}
@test 'checks on authenticated users are enabled' {
local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
_run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
assert_success
_run_in_container grep -E 'authenticated \{' "${MODULE_FILE}"
assert_failure
}