[Postfix/Rspamd] Do not reject unauthenticated sender mismatches but rewrite their subject and assign symbol SPOOFED_SENDER with score 1.0
parent
405c49fb0a
commit
073c6c6e73
|
@ -62,7 +62,7 @@ smtpd_sasl_authenticated_header = yes
|
||||||
smtpd_sasl_path = inet:dovecot:10001
|
smtpd_sasl_path = inet:dovecot:10001
|
||||||
smtpd_sasl_type = dovecot
|
smtpd_sasl_type = dovecot
|
||||||
smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
|
smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
|
||||||
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
|
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
|
||||||
smtpd_soft_error_limit = 3
|
smtpd_soft_error_limit = 3
|
||||||
smtpd_tls_auth_only = yes
|
smtpd_tls_auth_only = yes
|
||||||
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
|
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
|
||||||
|
|
|
@ -2,7 +2,7 @@ rules {
|
||||||
DKIM_FAIL {
|
DKIM_FAIL {
|
||||||
action = "add header";
|
action = "add header";
|
||||||
expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
|
expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
|
||||||
require_action = ["no action", "greylist"];
|
require_action = ["no action", "greylist", "soft reject"];
|
||||||
}
|
}
|
||||||
VIRUS_FOUND {
|
VIRUS_FOUND {
|
||||||
action = "reject";
|
action = "reject";
|
||||||
|
@ -19,4 +19,9 @@ rules {
|
||||||
expression = "WHITELISTED_FWD_HOST";
|
expression = "WHITELISTED_FWD_HOST";
|
||||||
require_action = ["greylist", "soft reject"];
|
require_action = ["greylist", "soft reject"];
|
||||||
}
|
}
|
||||||
|
ADD_UNAUTH_SUBJ {
|
||||||
|
action = "rewrite subject";
|
||||||
|
subject = "[Unauth] %s";
|
||||||
|
expression = "SPOOFED_SENDER";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,3 +34,7 @@ group "MX" {
|
||||||
one_shot = "true";
|
one_shot = "true";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
symbol "SPOOFED_SENDER" {
|
||||||
|
description = "Sender is not authenticated but part of mailcow managed domains";
|
||||||
|
score = 1.0;
|
||||||
|
}
|
||||||
|
|
|
@ -1,22 +1,29 @@
|
||||||
RCPT_MAILCOW_DOMAIN {
|
RCPT_MAILCOW_DOMAIN {
|
||||||
type = "rcpt";
|
type = "rcpt";
|
||||||
filter = "email:domain"
|
filter = "email:domain";
|
||||||
map = "redis://DOMAIN_MAP"
|
map = "redis://DOMAIN_MAP";
|
||||||
}
|
}
|
||||||
|
|
||||||
RCPT_WANTS_SUBJECT_TAG {
|
RCPT_WANTS_SUBJECT_TAG {
|
||||||
type = "rcpt";
|
type = "rcpt";
|
||||||
filter = "email:addr"
|
filter = "email:addr"
|
||||||
map = "redis://RCPT_WANTS_SUBJECT_TAG"
|
map = "redis://RCPT_WANTS_SUBJECT_TAG";
|
||||||
}
|
}
|
||||||
|
|
||||||
WHITELISTED_FWD_HOST {
|
WHITELISTED_FWD_HOST {
|
||||||
type = "ip";
|
type = "ip";
|
||||||
map = "redis://WHITELISTED_FWD_HOST"
|
map = "redis://WHITELISTED_FWD_HOST";
|
||||||
}
|
}
|
||||||
|
|
||||||
KEEP_SPAM {
|
KEEP_SPAM {
|
||||||
type = "ip";
|
type = "ip";
|
||||||
map = "redis://KEEP_SPAM"
|
map = "redis://KEEP_SPAM";
|
||||||
action = "accept";
|
action = "accept";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SPOOFED_SENDER {
|
||||||
|
type = "rcpt";
|
||||||
|
filter = "email:domain";
|
||||||
|
map = "redis://DOMAIN_MAP";
|
||||||
|
require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";
|
||||||
|
}
|
||||||
|
|
|
@ -58,6 +58,9 @@ rspamd_config:register_symbol({
|
||||||
local redis_params = rspamd_parse_redis_server('dyn_rl')
|
local redis_params = rspamd_parse_redis_server('dyn_rl')
|
||||||
local rspamd_logger = require "rspamd_logger"
|
local rspamd_logger = require "rspamd_logger"
|
||||||
local envfrom = task:get_from(1)
|
local envfrom = task:get_from(1)
|
||||||
|
if not envfrom then
|
||||||
|
return false
|
||||||
|
end
|
||||||
local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
|
local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
|
||||||
local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case
|
local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue