From f28fce9cc432f1f447bd963d9e54e44bcf2c27dd Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Tue, 8 Aug 2023 10:43:21 +0200
Subject: [PATCH] rspamd: disable checks for authenticated users (#3440)
Co-authored-by: Casper
Co-authored-by: William Desportes
---
 docs/content/config/environment.md | 9 +++++++++
 docs/content/config/security/rspamd.md | 11 ++++++-----
 mailserver.env | 7 +++++++
 target/rspamd/local.d/settings.conf | 12 ++++++++++++
 .../scripts/startup/setup.d/security/rspamd.sh | 18 +++++++++++++++++-
 target/scripts/startup/variables-stack.sh | 1 +
 .../parallel/set1/spam_virus/rspamd_full.bats | 17 +++++++++++++++--
 .../set1/spam_virus/rspamd_partly.bats | 10 ++++++++++
 8 files changed, 77 insertions(+), 8 deletions(-)
 create mode 100644 target/rspamd/local.d/settings.conf
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index ab9171ac..b81cef12 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -338,6 +338,15 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 - 0 => Disabled
 - 1 => Enabled
+##### RSPAMD_CHECK_AUTHENTICATED
+
+This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
+
+- **0** => No checks will be performed for authenticated users
+- 1 => All default checks will be performed for authenticated users
+
+[rspamd-scanning-outbound]: https://rspamd.com/doc/tutorials/scanning_outbound.html
+
 ##### RSPAMD_GREYLISTING
 Controls whether the [Rspamd Greylisting module][rspamd-greylisting-module] is enabled. This module can further assist in avoiding spam emails by [greylisting] e-mails with a certain spam score.
diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md
index 44674e9e..d1d0987e 100644
--- a/docs/content/config/security/rspamd.md
+++ b/docs/content/config/security/rspamd.md
@@ -21,11 +21,12 @@ The following environment variables are related to Rspamd:
 1. [`ENABLE_RSPAMD`](../environment.md#enable_rspamd)
 2. [`ENABLE_RSPAMD_REDIS`](../environment.md#enable_rspamd_redis)
-3. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
-4. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
-5. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
-6. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
-7. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
+3. [`RSPAMD_CHECK_AUTHENTICATED`](../environment.md#rspamd_check_authenticated)
+4. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
+5. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
+6. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
+7. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
+8. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
 With these variables, you can enable Rspamd itself and you can enable / disable certain features related to Rspamd.
diff --git a/mailserver.env b/mailserver.env
index 038e23b1..cb040b9f 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -142,6 +142,13 @@ ENABLE_RSPAMD_REDIS=
 # 1 => enabled
 RSPAMD_LEARN=0
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+RSPAMD_CHECK_AUTHENTICATED=0
+
 # Controls whether the Rspamd Greylisting module is enabled.
 # This module can further assist in avoiding spam emails by greylisting
 # e-mails with a certain spam score.
diff --git a/target/rspamd/local.d/settings.conf b/target/rspamd/local.d/settings.conf
new file mode 100644
index 00000000..4f635e74
--- /dev/null
+++ b/target/rspamd/local.d/settings.conf
@@ -0,0 +1,12 @@
+# documentation: https://rspamd.com/doc/configuration/settings.html
+
+# DMS::SED_TAG::1::START
+# Disable all checks for authenticated users
+authenticated {
+ priority = high;
+ authenticated = yes;
+ apply {
+ groups_enabled = [];
+ }
+}
+# DMS::SED_TAG::1::END
diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh
index 400e1a82..4ece646b 100644
--- a/target/scripts/startup/setup.d/security/rspamd.sh
+++ b/target/scripts/startup/setup.d/security/rspamd.sh
@@ -14,6 +14,7 @@ function _setup_rspamd() {
 __rspamd__setup_learning
 __rspamd__setup_greylisting
 __rspamd__setup_hfilter_group
+ __rspamd__setup_check_authenticated
 __rspamd__handle_user_modules_adjustments # must run last
 __rspamd__log 'trace' '---------- Setup finished ----------'
@@ -250,7 +251,8 @@ function __rspamd__setup_hfilter_group() {
 if _env_var_expect_zero_or_one 'RSPAMD_HFILTER' && [[ ${RSPAMD_HFILTER} -eq 1 ]]; then
 __rspamd__log 'debug' 'Hfilter (group) module is enabled'
 # Check if we received a number first
- if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
+ if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' \
+ && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
 __rspamd__log 'trace' "Adjusting score for 'HFILTER_HOSTNAME_UNKNOWN' in Hfilter group module to ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}"
 sed -i -E \
 "s|(.*score =).*(# __TAG__HFILTER_HOSTNAME_UNKNOWN)|\1 ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}; \2|g" \
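Review bot: In the new target/rspamd/local.d/settings.conf, `groups_enabled = [];` switches off every symbol group for authenticated senders, and the block ships active because RSPAMD_CHECK_AUTHENTICATED defaults to 0, so a stolen or abused mailbox login gets no outbound content scanning at all. As far as I can tell from the Rspamd settings documentation this also covers groups that only matter for outgoing mail, which may include DKIM signing and rate limiting; please confirm that submitted mail is still signed with the default value. The block's comment should state the trade-off, e.g. `# WARNING: mail from authenticated users bypasses all Rspamd checks; set RSPAMD_CHECK_AUTHENTICATED=1 to scan outbound mail`.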
@@ -264,6 +266,20 @@ function __rspamd__setup_hfilter_group() {
 fi
 }
+function __rspamd__setup_check_authenticated() {
+ local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf"
+ if _env_var_expect_zero_or_one 'RSPAMD_CHECK_AUTHENTICATED' \
+ && [[ ${RSPAMD_CHECK_AUTHENTICATED} -eq 0 ]]
+ then
+ __rspamd__log 'debug' 'Content checks for authenticated users are disabled'
+ else
+ __rspamd__log 'debug' 'Enabling content checks for authenticated users'
+ sed -i -E \
+ '/DMS::SED_TAG::1::START/{:a;N;/DMS::SED_TAG::1::END/!ba};/authenticated/d' \
+ "${MODULE_FILE}"
+ fi
+}
+
 # Parses `RSPAMD_CUSTOM_COMMANDS_FILE` and executed the directives given by the file.
 # To get a detailed explanation of the commands and how the file works, visit
 # https://docker-mailserver.github.io/docker-mailserver/edge/config/security/rspamd/#with-the-help-of-a-custom-file
diff --git a/target/scripts/startup/variables-stack.sh b/target/scripts/startup/variables-stack.sh
index c2a52d5c..d6c5453c 100644
--- a/target/scripts/startup/variables-stack.sh
+++ b/target/scripts/startup/variables-stack.sh
@@ -51,6 +51,7 @@ function __environment_variables_general_setup() {
 VARS[POSTGREY_MAX_AGE]="${POSTGREY_MAX_AGE:=35}"
 VARS[POSTGREY_TEXT]="${POSTGREY_TEXT:=Delayed by Postgrey}"
 VARS[POSTSCREEN_ACTION]="${POSTSCREEN_ACTION:=enforce}"
+ VARS[RSPAMD_CHECK_AUTHENTICATED]="${RSPAMD_CHECK_AUTHENTICATED:=0}"
 VARS[RSPAMD_GREYLISTING]="${RSPAMD_GREYLISTING:=0}"
 VARS[RSPAMD_HFILTER]="${RSPAMD_HFILTER:=1}"
 VARS[RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE]="${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE:=6}"
diff --git a/test/tests/parallel/set1/spam_virus/rspamd_full.bats b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
index 536ce43d..3fbf59d2 100644
--- a/test/tests/parallel/set1/spam_virus/rspamd_full.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
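Review bot: In `__rspamd__setup_check_authenticated` (rspamd.sh) the trailing `/authenticated/d` is not scoped to the tagged block: it runs on every pattern space, so any line of settings.conf outside the START/END tags that contains the word would be deleted too, and the block itself is removed only because it happens to contain that word. A range delete states the intent and needs no loop: `sed -i '/DMS::SED_TAG::1::START/,/DMS::SED_TAG::1::END/d' "${MODULE_FILE}"`. Separately, when `_env_var_expect_zero_or_one` rejects the value, the `else` branch still runs and logs 'Enabling content checks for authenticated users' at debug level. Falling back to scanning is the safer direction, but if that is intended a comment such as `# invalid values fall through to "checks enabled"` above the `else` would make it explicit.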
@@ -25,6 +25,7 @@ function setup_file() {
 --env LOG_LEVEL=trace
 --env MOVE_SPAM_TO_JUNK=1
 --env RSPAMD_LEARN=1
+ --env RSPAMD_CHECK_AUTHENTICATED=0
 --env RSPAMD_GREYLISTING=1
 --env RSPAMD_HFILTER=1
 --env RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=7
@@ -292,10 +293,22 @@ function teardown_file() { _default_teardown ; }
 }
 @test 'hfilter group module is configured correctly' {
- _run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
+ local MODULE_FILE='/etc/rspamd/local.d/hfilter_group.conf'
+ _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
 assert_success
- _run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' /etc/rspamd/local.d/hfilter_group.conf
+ _run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' "${MODULE_FILE}"
 assert_success
 assert_output --partial 'score = 7;'
 }
+
+@test 'checks on authenticated users are disabled' {
+ local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
+ _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
+ assert_success
+
+ _run_in_container grep -E -A 6 'authenticated \{' "${MODULE_FILE}"
+ assert_success
+ assert_output --partial 'authenticated = yes;'
+ assert_output --partial 'groups_enabled = [];'
+}
diff --git a/test/tests/parallel/set1/spam_virus/rspamd_partly.bats b/test/tests/parallel/set1/spam_virus/rspamd_partly.bats
index 0c7983f8..9fc8af31 100644
--- a/test/tests/parallel/set1/spam_virus/rspamd_partly.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd_partly.bats
@@ -24,6 +24,7 @@ function setup_file() {
 --env LOG_LEVEL=trace
 --env MOVE_SPAM_TO_JUNK=0
 --env RSPAMD_LEARN=0
+ --env RSPAMD_CHECK_AUTHENTICATED=1
 --env RSPAMD_GREYLISTING=0
 --env RSPAMD_HFILTER=0
 )
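Review bot: The added test 'checks on authenticated users are disabled' in rspamd_full.bats only checks that the block's text is present in settings.conf. It does not show that Rspamd accepts the file or that mail from an authenticated session is actually left unscanned. The counterpart added to rspamd_partly.bats likewise only greps for the block's absence after the sed edit. A cheap extra assertion in both tests would be a config parse, `_run_in_container rspamadm configtest` followed by `assert_success`. A behavioural check (submit a message over an authenticated session and inspect the resulting headers or Rspamd log) would need helpers that are not visible in this diff.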
@@ -85,3 +86,12 @@ function teardown_file() { _default_teardown ; }
 _run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
 assert_failure
 }
+
+@test 'checks on authenticated users are enabled' {
+ local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
+ _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
+ assert_success
+
+ _run_in_container grep -E 'authenticated \{' "${MODULE_FILE}"
+ assert_failure
+}