From ccdb7fcd2693bd5f0e3929eec8daccb414403f47 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Fri, 10 Apr 2020 20:55:49 +0200
Subject: [PATCH] [Rspamd] Add metadata exporter for unauthed mail

---
 .../rspamd/local.d/metadata_exporter.conf     |  32 +++
 data/conf/rspamd/meta_exporter/pipe.php       |  31 +--
 data/conf/rspamd/meta_exporter/pushover.php   | 205 ++++++++++++++++++
 3 files changed, 253 insertions(+), 15 deletions(-)
 create mode 100644 data/conf/rspamd/meta_exporter/pushover.php

diff --git a/data/conf/rspamd/local.d/metadata_exporter.conf b/data/conf/rspamd/local.d/metadata_exporter.conf
index dcd0c011..4ce07df0 100644
--- a/data/conf/rspamd/local.d/metadata_exporter.conf
+++ b/data/conf/rspamd/local.d/metadata_exporter.conf
@@ -12,8 +12,31 @@ rules {
 		selector = "ratelimited";
 		formatter = "json";
 	}
+  UNAUTHMAIL {
+    backend = "http";
+    url = "http://nginx:9081/pushover.php";
+    selector = "unauth_mail";
+    # Only return msgid, do not parse the full message
+    formatter = "msgid";
+    meta_headers = true;
+  }
 }
+
 custom_select {
+  unauth_mail = <<EOD
+return function(task)
+  local action = task:get_metric_action('default')
+  if task:has_symbol('NO_LOG_STAT') or (action == 'reject' or action == 'add header' or action == 'rewrite subject') then
+    return false
+  else
+    local uname = task:get_user()
+    if not uname then
+      return true
+    end
+    return false
+  end
+end
+EOD;
   ratelimited = <<EOD
 return function(task)
   local ratelimited = task:get_symbol("RATELIMITED")
@@ -33,3 +56,12 @@ return function(task)
 end
 EOD;
 }
+
+custom_format {
+  msgid = <<EOD
+return function(task)
+  return task:get_message_id()
+end
+EOD;
+}
+
diff --git a/data/conf/rspamd/meta_exporter/pipe.php b/data/conf/rspamd/meta_exporter/pipe.php
index 24684473..77c66419 100644
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -17,7 +17,7 @@ try {
   $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 }
 catch (PDOException $e) {
-  error_log("QUARANTINE: " . $e);
+  error_log("QUARANTINE: " . $e . PHP_EOL);
   http_response_code(501);
   exit;
 }
@@ -63,14 +63,14 @@ $symbols  = $headers['X-Rspamd-Symbols'];
 $raw_size = (int)$_SERVER['CONTENT_LENGTH'];
 
 if (empty($sender)) {
-  error_log("QUARANTINE: Unknown sender, assuming empty-env-from@localhost");
+  error_log("QUARANTINE: Unknown sender, assuming empty-env-from@localhost" . PHP_EOL);
   $sender = 'empty-env-from@localhost';
 }
 
 try {
   $max_size = (int)$redis->Get('Q_MAX_SIZE');
   if (($max_size * 1048576) < $raw_size) {
-    error_log(sprintf("QUARANTINE: Message too large: %d b exceeds %d b", $raw_size, ($max_size * 1048576)));
+    error_log(sprintf("QUARANTINE: Message too large: %d b exceeds %d b", $raw_size, ($max_size * 1048576)) . PHP_EOL);
     http_response_code(505);
     exit;
   }
@@ -80,7 +80,7 @@ try {
   $retention_size = (int)$redis->Get('Q_RETENTION_SIZE');
 }
 catch (RedisException $e) {
-  error_log("QUARANTINE: " . $e);
+  error_log("QUARANTINE: " . $e . PHP_EOL);
   http_response_code(504);
   exit;
 }
@@ -102,14 +102,14 @@ foreach (json_decode($rcpts, true) as $rcpt) {
     }
   }
   catch (RedisException $e) {
-    error_log("QUARANTINE: " . $e);
+    error_log("QUARANTINE: " . $e . PHP_EOL);
     http_response_code(504);
     exit;
   }
 
   // Skip if domain is excluded
   if (in_array($parsed_rcpt['domain'], $exclude_domains)) {
-    error_log(sprintf("QUARANTINE: Skipped domain %s", $parsed_rcpt['domain']));
+    error_log(sprintf("QUARANTINE: Skipped domain %s", $parsed_rcpt['domain']) . PHP_EOL);
     continue;
   }
 
@@ -152,12 +152,12 @@ foreach (json_decode($rcpts, true) as $rcpt) {
 
       // Loop through all found gotos
       foreach ($gotos_array as $index => &$goto) {
-        error_log("QUARANTINE: quarantine pipe: query " . $goto . " as username from mailbox");
+        error_log("RCPT RESOVLER: http pipe: query " . $goto . " as username from mailbox" . PHP_EOL);
         $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :goto AND `active`= '1';");
         $stmt->execute(array(':goto' => $goto));
         $username = $stmt->fetch(PDO::FETCH_ASSOC)['username'];
         if (!empty($username)) {
-          error_log("QUARANTINE: quarantine pipe: mailbox found: " . $username);
+          error_log("RCPT RESOVLER: http pipe: mailbox found: " . $username . PHP_EOL);
           // Current goto is a mailbox, save to rcpt_final_mailboxes if not a duplicate
           if (!in_array($username, $rcpt_final_mailboxes)) {
             $rcpt_final_mailboxes[] = $username;
@@ -166,21 +166,21 @@ foreach (json_decode($rcpts, true) as $rcpt) {
         else {
           $parsed_goto = parse_email($goto);
           if (!$redis->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
-            error_log("QUARANTINE:" . $goto . " is not a mailcow handled mailbox or alias address");
+            error_log("RCPT RESOVLER:" . $goto . " is not a mailcow handled mailbox or alias address" . PHP_EOL);
           }
           else {
             $stmt = $pdo->prepare("SELECT `goto` FROM `alias` WHERE `address` = :goto AND `active` = '1'");
             $stmt->execute(array(':goto' => $goto));
             $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['goto'];
             if ($goto_branch) {
-              error_log("QUARANTINE: quarantine pipe: goto address " . $goto . " is a alias branch for " . $goto_branch);
+              error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is a alias branch for " . $goto_branch . PHP_EOL);
               $goto_branch_array = explode(',', $goto_branch);
             } else {
               $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
               $stmt->execute(array(':domain' => $parsed_goto['domain']));
               $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
               if ($goto_branch) {
-                error_log("QUARANTINE: quarantine pipe: goto domain " . $parsed_gto['domain'] . " is a domain alias branch for " . $goto_branch);
+                error_log("RCPT RESOVLER: http pipe: goto domain " . $parsed_gto['domain'] . " is a domain alias branch for " . $goto_branch . PHP_EOL);
                 $goto_branch_array = array($parsed_gto['local'] . '@' . $goto_branch);
               }
             }
@@ -202,18 +202,19 @@ foreach (json_decode($rcpts, true) as $rcpt) {
       // Force exit if loop cannot be solved
       // Postfix does not allow for alias loops, so this should never happen.
       $loop_c++;
-      error_log("QUARANTINE: quarantine pipe: goto array count on loop #". $loop_c . " is " . count($gotos_array));
+      error_log("RCPT RESOVLER: http pipe: goto array count on loop #". $loop_c . " is " . count($gotos_array) . PHP_EOL);
     }
+    return $rcpt_final_mailboxes;
   }
   catch (PDOException $e) {
-    error_log("QUARANTINE: " . $e->getMessage());
+    error_log("RCPT RESOVLER: " . $e->getMessage() . PHP_EOL);
     http_response_code(502);
     exit;
   }
 }
 
 foreach ($rcpt_final_mailboxes as $rcpt) {
-  error_log("QUARANTINE: quarantine pipe: processing quarantine message for rcpt " . $rcpt);
+  error_log("QUARANTINE: quarantine pipe: processing quarantine message for rcpt " . $rcpt . PHP_EOL);
   try {
     $stmt = $pdo->prepare("INSERT INTO `quarantine` (`qid`, `subject`, `score`, `sender`, `rcpt`, `symbols`, `user`, `ip`, `msg`, `action`)
       VALUES (:qid, :subject, :score, :sender, :rcpt, :symbols, :user, :ip, :msg, :action)");
@@ -246,7 +247,7 @@ foreach ($rcpt_final_mailboxes as $rcpt) {
     ));
   }
   catch (PDOException $e) {
-    error_log("QUARANTINE: " . $e->getMessage());
+    error_log("QUARANTINE: " . $e->getMessage() . PHP_EOL);
     http_response_code(503);
     exit;
   }
diff --git a/data/conf/rspamd/meta_exporter/pushover.php b/data/conf/rspamd/meta_exporter/pushover.php
new file mode 100644
index 00000000..60a890cf
--- /dev/null
+++ b/data/conf/rspamd/meta_exporter/pushover.php
@@ -0,0 +1,205 @@
+<?php
+// File size is limited by Nginx site to 10M
+// To speed things up, we do not include prerequisites
+header('Content-Type: text/plain');
+require_once "vars.inc.php";
+// Do not show errors, we log to using error_log
+ini_set('error_reporting', 0);
+// Init database
+//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  error_log("NOTIFY: " . $e . PHP_EOL);
+  http_response_code(501);
+  exit;
+}
+// Init Redis
+$redis = new Redis();
+$redis->connect('redis-mailcow', 6379);
+
+// Functions
+function parse_email($email) {
+  if(!filter_var($email, FILTER_VALIDATE_EMAIL)) return false;
+  $a = strrpos($email, '@');
+  return array('local' => substr($email, 0, $a), 'domain' => substr(substr($email, $a), 1));
+}
+if (!function_exists('getallheaders'))  {
+  function getallheaders() {
+    if (!is_array($_SERVER)) {
+      return array();
+    }
+    $headers = array();
+    foreach ($_SERVER as $name => $value) {
+      if (substr($name, 0, 5) == 'HTTP_') {
+        $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
+      }
+    }
+    return $headers;
+  }
+}
+
+
+$headers = getallheaders();
+
+$qid      = $headers['X-Rspamd-Qid'];
+$rcpts    = $headers['X-Rspamd-Rcpt'];
+$ip       = $headers['X-Rspamd-Ip'];
+$subject  = $headers['X-Rspamd-Subject'];
+
+$rcpt_final_mailboxes = array();
+
+// Loop through all rcpts
+foreach (json_decode($rcpts, true) as $rcpt) {
+  // Remove tag
+  $rcpt = preg_replace('/^(.*?)\+.*(@.*)$/', '$1$2', $rcpt);
+
+  // Break rcpt into local part and domain part
+  $parsed_rcpt = parse_email($rcpt);
+
+  // Skip if not a mailcow handled domain
+  try {
+    if (!$redis->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
+      continue;
+    }
+  }
+  catch (RedisException $e) {
+    error_log("NOTIFY: " . $e . PHP_EOL);
+    http_response_code(504);
+    exit;
+  }
+
+  // Always assume rcpt is not a final mailbox but an alias for a mailbox or further aliases
+  //
+  //             rcpt
+  //              |
+  // mailbox <-- goto ---> alias1, alias2, mailbox2
+  //                          |       |
+  //                      mailbox3    |
+  //                                  |
+  //                               alias3 ---> mailbox4
+  //
+  try {
+    $stmt = $pdo->prepare("SELECT `goto` FROM `alias` WHERE `address` = :rcpt AND `active` = '1'");
+    $stmt->execute(array(
+      ':rcpt' => $rcpt
+    ));
+    $gotos = $stmt->fetch(PDO::FETCH_ASSOC)['goto'];
+    if (empty($gotos)) {
+      $stmt = $pdo->prepare("SELECT `goto` FROM `alias` WHERE `address` = :rcpt AND `active` = '1'");
+      $stmt->execute(array(
+        ':rcpt' => '@' . $parsed_rcpt['domain']
+      ));
+      $gotos = $stmt->fetch(PDO::FETCH_ASSOC)['goto'];
+    }
+    if (empty($gotos)) {
+      $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :rcpt AND `active` = '1'");
+      $stmt->execute(array(':rcpt' => $parsed_rcpt['domain']));
+      $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
+      if ($goto_branch) {
+        $gotos = $parsed_rcpt['local'] . '@' . $goto_branch;
+      }
+    }
+    $gotos_array = explode(',', $gotos);
+
+    $loop_c = 0;
+
+    while (count($gotos_array) != 0 && $loop_c <= 20) {
+
+      // Loop through all found gotos
+      foreach ($gotos_array as $index => &$goto) {
+        error_log("RCPT RESOVLER: http pipe: query " . $goto . " as username from mailbox" . PHP_EOL);
+        $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :goto AND `active`= '1';");
+        $stmt->execute(array(':goto' => $goto));
+        $username = $stmt->fetch(PDO::FETCH_ASSOC)['username'];
+        if (!empty($username)) {
+          error_log("RCPT RESOVLER: http pipe: mailbox found: " . $username . PHP_EOL);
+          // Current goto is a mailbox, save to rcpt_final_mailboxes if not a duplicate
+          if (!in_array($username, $rcpt_final_mailboxes)) {
+            $rcpt_final_mailboxes[] = $username;
+          }
+        }
+        else {
+          $parsed_goto = parse_email($goto);
+          if (!$redis->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
+            error_log("RCPT RESOVLER:" . $goto . " is not a mailcow handled mailbox or alias address" . PHP_EOL);
+          }
+          else {
+            $stmt = $pdo->prepare("SELECT `goto` FROM `alias` WHERE `address` = :goto AND `active` = '1'");
+            $stmt->execute(array(':goto' => $goto));
+            $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['goto'];
+            if ($goto_branch) {
+              error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is a alias branch for " . $goto_branch . PHP_EOL);
+              $goto_branch_array = explode(',', $goto_branch);
+            } else {
+              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+              $stmt->execute(array(':domain' => $parsed_goto['domain']));
+              $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
+              if ($goto_branch) {
+                error_log("RCPT RESOVLER: http pipe: goto domain " . $parsed_gto['domain'] . " is a domain alias branch for " . $goto_branch . PHP_EOL);
+                $goto_branch_array = array($parsed_gto['local'] . '@' . $goto_branch);
+              }
+            }
+          }
+        }
+        // goto item was processed, unset
+        unset($gotos_array[$index]);
+      }
+
+      // Merge goto branch array derived from previous loop (if any), filter duplicates and unset goto branch array
+      if (!empty($goto_branch_array)) {
+        $gotos_array = array_unique(array_merge($gotos_array, $goto_branch_array));
+        unset($goto_branch_array);
+      }
+
+      // Reindex array
+      $gotos_array = array_values($gotos_array);
+
+      // Force exit if loop cannot be solved
+      // Postfix does not allow for alias loops, so this should never happen.
+      $loop_c++;
+      error_log("RCPT RESOVLER: http pipe: goto array count on loop #". $loop_c . " is " . count($gotos_array) . PHP_EOL);
+    }
+  }
+  catch (PDOException $e) {
+    error_log("RCPT RESOVLER: " . $e->getMessage() . PHP_EOL);
+    http_response_code(502);
+    exit;
+  }
+}
+
+
+foreach ($rcpt_final_mailboxes as $rcpt_final) {
+  $stmt = $pdo->prepare("SELECT * FROM `pushover`
+    WHERE `username` = :username AND `active` = '1'");
+  $stmt->execute(array(
+    ':username' => $rcpt
+  ));
+  $api_data = $stmt->fetch(PDO::FETCH_ASSOC);
+  if (isset($api_data['key']) && isset($api_data['token'])) {
+    $title = (!empty($api_data['title'])) ? $api_data['title'] : 'Mail';
+    $text = (!empty($api_data['text'])) ? $api_data['text'] : 'You\'ve got mail 📧';
+    curl_setopt_array($ch = curl_init(), array(
+      CURLOPT_URL => "https://api.pushover.net/1/messages.json",
+      CURLOPT_POSTFIELDS => array(
+    "token" => $api_data['token'],
+    "user" => $api_data['key'],
+    "title" => $title,
+    "message" => sprintf("%s", str_replace('{SUBJECT}', $subject, $text))
+      ),
+      CURLOPT_SAFE_UPLOAD => true,
+      CURLOPT_RETURNTRANSFER => true,
+    ));
+    $result = curl_exec($ch);
+    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+    curl_close($ch);
+    error_log("NOTIFY: result: " . $httpcode . PHP_EOL);
+  }
+}