[Postfix/Rspamd] Do not reject unauthenticated sender mismatches but rewrite their subject and assign symbol SPOOFED_SENDER with score 1.0

master
andryyy 2017-10-04 23:16:39 +02:00
parent 405c49fb0a
commit 073c6c6e73
5 changed files with 26 additions and 7 deletions


@ -62,7 +62,7 @@ smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = inet:dovecot:10001 smtpd_sasl_path = inet:dovecot:10001
smtpd_sasl_type = dovecot smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 3 smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes smtpd_tls_auth_only = yes
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
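Review bot: Dropping `reject_sender_login_mismatch` from `smtpd_sender_restrictions` means Postfix no longer stops an unauthenticated client from using an envelope sender that belongs to a local SASL login. The only remaining control is the Rspamd symbol at score 1.0 plus a subject tag. Handling of such mail therefore depends on the Rspamd filter being reachable and on the SPOOFED_SENDER map matching what it is meant to match. I would document that next to the setting, e.g. `# sender/login mismatch for unauthenticated clients is tagged by Rspamd (SPOOFED_SENDER), not rejected here`. It is also worth confirming what Postfix does with mail when Rspamd is unavailable, since that setting is not visible in this hunk.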


@ -2,7 +2,7 @@ rules {
DKIM_FAIL { DKIM_FAIL {
action = "add header"; action = "add header";
expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK"; expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
require_action = ["no action", "greylist"]; require_action = ["no action", "greylist", "soft reject"];
} }
VIRUS_FOUND { VIRUS_FOUND {
action = "reject"; action = "reject";
@ -19,4 +19,9 @@ rules {
expression = "WHITELISTED_FWD_HOST"; expression = "WHITELISTED_FWD_HOST";
require_action = ["greylist", "soft reject"]; require_action = ["greylist", "soft reject"];
} }
ADD_UNAUTH_SUBJ {
action = "rewrite subject";
subject = "[Unauth] %s";
expression = "SPOOFED_SENDER";
}
} }
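Review bot: The new `ADD_UNAUTH_SUBJ` rule has no `require_action`, unlike the other rules visible in this file. As written it would presumably force "rewrite subject" whatever action the message had already earned, which may include a stronger one such as reject. Limiting it, e.g. `require_action = ["no action", "greylist", "add header"];`, keeps the tag from replacing a harsher verdict. The expression also lacks the exclusions `DKIM_FAIL` uses, so mailing-list and whitelisted-forwarder traffic that legitimately carries a local sender would be tagged; consider `expression = "SPOOFED_SENDER & !MAILLIST & !WHITELISTED_FWD_HOST";`. Note too that rewriting the subject invalidates any DKIM signature covering it if the message is forwarded on.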


@ -34,3 +34,7 @@ group "MX" {
one_shot = "true"; one_shot = "true";
} }
} }
symbol "SPOOFED_SENDER" {
description = "Sender is not authenticated but part of mailcow managed domains";
score = 1.0;
}


@ -1,22 +1,29 @@
RCPT_MAILCOW_DOMAIN { RCPT_MAILCOW_DOMAIN {
type = "rcpt"; type = "rcpt";
filter = "email:domain" filter = "email:domain";
map = "redis://DOMAIN_MAP" map = "redis://DOMAIN_MAP";
} }
RCPT_WANTS_SUBJECT_TAG { RCPT_WANTS_SUBJECT_TAG {
type = "rcpt"; type = "rcpt";
filter = "email:addr" filter = "email:addr"
map = "redis://RCPT_WANTS_SUBJECT_TAG" map = "redis://RCPT_WANTS_SUBJECT_TAG";
} }
WHITELISTED_FWD_HOST { WHITELISTED_FWD_HOST {
type = "ip"; type = "ip";
map = "redis://WHITELISTED_FWD_HOST" map = "redis://WHITELISTED_FWD_HOST";
} }
KEEP_SPAM { KEEP_SPAM {
type = "ip"; type = "ip";
map = "redis://KEEP_SPAM" map = "redis://KEEP_SPAM";
action = "accept"; action = "accept";
} }
SPOOFED_SENDER {
type = "rcpt";
filter = "email:domain";
map = "redis://DOMAIN_MAP";
require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";
}
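Review bot: The new `SPOOFED_SENDER` map uses `type = "rcpt";` with the same filter and map as `RCPT_MAILCOW_DOMAIN`, so it matches the recipient domain rather than the sender. Combined with `!RCVD_VIA_SMTP_AUTH`, it would fire on essentially every unauthenticated inbound message to a managed domain, not only on those claiming a managed sender. The symbol description says "Sender is not authenticated but part of mailcow managed domains", so this likely wants `type = "from";`. The `|` in `require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";` also looks broad: if `AUTH_NA` is true for an authenticated submission, the symbol would still apply, so `!RCVD_VIA_SMTP_AUTH` alone may be the intended condition. Separately, `filter = "email:addr"` in `RCPT_WANTS_SUBJECT_TAG` is the one line that did not get the trailing `;` this commit adds elsewhere.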


@ -58,6 +58,9 @@ rspamd_config:register_symbol({
local redis_params = rspamd_parse_redis_server('dyn_rl') local redis_params = rspamd_parse_redis_server('dyn_rl')
local rspamd_logger = require "rspamd_logger" local rspamd_logger = require "rspamd_logger"
local envfrom = task:get_from(1) local envfrom = task:get_from(1)
if not envfrom then
return false
end
local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case
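Review bot: The added `if not envfrom then` guard covers only a missing table; `envfrom[1].domain:lower()` and `envfrom[1].addr:lower()` two lines later still raise if the first entry or its `domain`/`addr` field is nil. That case seems plausible for a null envelope sender (bounces), though it is not confirmed by anything visible here. I would widen the check to `if not envfrom or not envfrom[1] or not envfrom[1].domain or not envfrom[1].addr then`. Since this callback appears to feed the `dyn_rl` rate limit, a comment such as `-- no usable envelope sender: skip dynamic rate limit` would make explicit that `return false` exempts these messages. The enclosing function starts before and continues after this hunk, so later uses of `envfrom` are not visible.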