From b5b193ca4ca114dd14e725ab4980cf011ed58633 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Tue, 5 Mar 2024 10:48:49 +0100
Subject: [PATCH] Rspamd: minor tweaks and follow-up for SPF, DKIM and DMARC
 symbols (#3923)

* move `policies_group.conf` to correct location

I originally assumed the file had to be placed into `scores.d`, but I
now know that `local.d` is actually correct.

* add configuration for composite symbols

See updates to #3690:

Additional Rspamd Symbols

Rspamd has so-called composite symbols that trigger when a condition
is met. Especially AUTH_NA and AUTH_NA_OR_FAIL will adjust the scores
of various lines in the table above. This needs to be taken into account.

* update CHANGELOG
---
 CHANGELOG.md                                   |  2 +-
 Dockerfile                                     |  1 -
 target/rspamd/local.d/composites.conf          | 18 ++++++++++++++++++
 .../{scores.d => local.d}/policies_group.conf  |  0
 4 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 target/rspamd/local.d/composites.conf
 rename target/rspamd/{scores.d => local.d}/policies_group.conf (100%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b60a7afa..1ec71ded 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -80,7 +80,7 @@ The most noteworthy change of this release is the update of the container's base
 - **Rspamd**:
   - The `rewrite_subject` action, is now disabled by default. It has been replaced with the new `SPAM_SUBJECT` environment variable, which implements the functionality via a Sieve script instead which is anti-spam service agnostic ([#3820](https://github.com/docker-mailserver/docker-mailserver/pull/3820))
   - `RSPAMD_NEURAL` was added and is disabled by default. If switched on it will enable the experimental Rspamd "Neural network" module to add a layer of analysis to spam detection ([#3833](https://github.com/docker-mailserver/docker-mailserver/pull/3833))
-  - The symbol weights of SPF, DKIM and DMARC have been adjusted again. Fixes a bug and includes more appropriate combinations of symbols ([#3913](https://github.com/docker-mailserver/docker-mailserver/pull/3913))
+  - The symbol weights of SPF, DKIM and DMARC have been adjusted again. Fixes a bug and includes more appropriate combinations of symbols ([#3913](https://github.com/docker-mailserver/docker-mailserver/pull/3913), [#3923](https://github.com/docker-mailserver/docker-mailserver/pull/3923))
 
 ### Fixes
 
diff --git a/Dockerfile b/Dockerfile
index 8110cebf..8b2a502c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -104,7 +104,6 @@ EOF
 # -----------------------------------------------
 
 COPY target/rspamd/local.d/ /etc/rspamd/local.d/
-COPY target/rspamd/scores.d/* /etc/rspamd/scores.d/
 
 # -----------------------------------------------
 # --- OAUTH2 ------------------------------------
diff --git a/target/rspamd/local.d/composites.conf b/target/rspamd/local.d/composites.conf
new file mode 100644
index 00000000..ab58f45d
--- /dev/null
+++ b/target/rspamd/local.d/composites.conf
@@ -0,0 +1,18 @@
+# In addition to `policies_group.conf`, this file contains
+# symbols that are applied when certain other symbols are
+# applied (or not applied).
+#
+# We are especially interested in the `policy` field, because
+# there are cases in which `remove_weight` is undesirable.
+
+# When neither SPF, DKIM, nor DMARC are available, we want
+# to increase the base score so we apply at least greylisting.
+AUTH_NA {
+  score = 2.5;
+  policy = "leave";
+}
+
+AUTH_NA_OR_FAIL {
+  score = 1;
+  policy = "leave";
+}
diff --git a/target/rspamd/scores.d/policies_group.conf b/target/rspamd/local.d/policies_group.conf
similarity index 100%
rename from target/rspamd/scores.d/policies_group.conf
rename to target/rspamd/local.d/policies_group.conf