WIP: rspamd whitelisting and rule priorities

Author: jnorell

install/lib/installer_base.lib.php

@@ -1814,6 +1814,7 @@ public function configure_rspamd() {
 			$mail_config['dkim_path'] = substr($mail_config['dkim_path'], 0, strlen($mail_config['dkim_path'])-1);
 		}
 		$dkim_domains = $this->db->queryAllRecords('SELECT `dkim_selector`, `domain` FROM ?? WHERE `dkim` = ? ORDER BY `domain` ASC', $conf['mysql']['database'] . '.mail_domain', 'y');
+		# should move maps to local.d/maps.d/ ?
 		$fpp = fopen('/etc/rspamd/local.d/dkim_domains.map', 'w');
 		$fps = fopen('/etc/rspamd/local.d/dkim_selectors.map', 'w');
 		foreach($dkim_domains as $dkim_domain) {
@@ -1824,19 +1825,28 @@ public function configure_rspamd() {
 		fclose($fps);
 		unset($dkim_domains);
 
+		# local.d templates with template tags
 		$tpl = new tpl();
-		$tpl->newTemplate('rspamd_users.conf.master');
+		$tpl->newTemplate('rspamd_dkim_signing.conf.master');
+		$tpl->setVar('dkim_path', $mail_config['dkim_path']);
+		wf('/etc/rspamd/local.d/dkim_signing.conf', $tpl->grab());
+
+		$tpl = new tpl();
+		$tpl->newTemplate('rspamd_options.inc.master');
 
-		$whitelist_ips = array();
-		$ips = $this->db->queryAllRecords("SELECT * FROM server_ip WHERE server_id = ?", $conf['server_id']);
+echo "\nDEBUGGING local_addrs LOOP\n\n";
+sleep(1);
+		$local_addrs = array();
+		$ips = $this->db->queryAllRecords('SELECT `ip_address`, `ip_type` FROM ?? WHERE `server_id` = ?', $conf['mysql']['database'].'.server_ip', $conf['server_id']);
 		if(is_array($ips) && !empty($ips)){
 			foreach($ips as $ip){
-				$whitelist_ips[] = array('ip' => $ip['ip_address']);
+				$local_addrs[] = array('quoted_ip' => "\"".$ip['ip_address']."\",\n");
 			}
 		}
-		$tpl->setLoop('whitelist_ips', $whitelist_ips);
-		wf('/etc/rspamd/local.d/users.conf', $tpl->grab());
+		$tpl->setLoop('local_addrs', $local_addrs);
+		wf('/etc/rspamd/local.d/options.inc', $tpl->grab());
 
+		# local.d templates without template tags
 		$local_d = array(
 			'groups.conf',
 			'antivirus.conf',
@@ -1845,10 +1855,10 @@ public function configure_rspamd() {
 			'mx_check.conf',
 			'redis.conf',
 			'milter_headers.conf',
-			'options.inc',
 			'neural.conf',
 			'neural_group.conf',
-			'group.conf',
+			'users.conf',
+			'groups.conf',
 		);
 		foreach ($local_d as $f) {
 			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
@@ -1858,6 +1868,7 @@ public function configure_rspamd() {
 			}
 		}
 
+		# override.d templates without template tags
 		$override_d = array(
 			'rbl_group.conf',
 			'surbl_group.conf',
@@ -1866,10 +1877,11 @@ public function configure_rspamd() {
 			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) {
 				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/override.d/${f}");
 			} else {
-				exec("cp tpl/rspamd_{f}.master /etc/rspamd/override.d/${f}");
+				exec("cp tpl/rspamd_${f}.master /etc/rspamd/override.d/${f}");
 			}
 		}
 
+		# local.d/maps.d templates without template tags
 		$maps_d = array(
 			'dkim_whitelist.inc',
 			'dmarc_whitelist.inc',
@@ -1884,10 +1896,6 @@ public function configure_rspamd() {
 			}
 		}
 
-		$tpl = new tpl();
-		$tpl->newTemplate('rspamd_dkim_signing.conf.master');
-		$tpl->setVar('dkim_path', $mail_config['dkim_path']);
-		wf('/etc/rspamd/local.d/dkim_signing.conf', $tpl->grab());
 
 		exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/local.d/maps.d/* /etc/rspamd/override.d/*');
 

install/tpl/dkim_whitelist.inc.master …all/tpl/rspamd_dkim_whitelist.inc.masterinstall/tpl/dkim_whitelist.inc.master renamed to install/tpl/rspamd_dkim_whitelist.inc.master install/tpl/dkim_whitelist.inc.master renamed to install/tpl/rspamd_dkim_whitelist.inc.master

@@ -5,5 +5,4 @@ geotrust.com
 geotrusteurope.com
 howtoforge.com
 ispconfig.org
-letsencrypt.org
 

install/tpl/dmarc_whitelist.inc.master …ll/tpl/rspamd_dmarc_whitelist.inc.masterinstall/tpl/dmarc_whitelist.inc.master renamed to install/tpl/rspamd_dmarc_whitelist.inc.master install/tpl/dmarc_whitelist.inc.master renamed to install/tpl/rspamd_dmarc_whitelist.inc.master

@@ -1,4 +1,11 @@
-local_addrs = "127.0.0.0/8, ::1";
+# Addrs local to this server.
+local_addrs = [
+		"127.0.0.0/8",
+		"::1",
+<tmpl_loop name="local_addrs">	<tmpl_var name='quoted_ip'></tmpl_loop>];
+
+# This list is generated by ISPConfig, place custom addresses/networks in local_networks.inc.
+local_networks = "/etc/rspamd/local.d/local_networks.inc";
 
 dns {
 	nameserver = ["127.0.0.1:53:10"];

install/tpl/rspamd_options.inc.master

@@ -4,5 +4,6 @@
 comodo.com
 geotrust.com
 geotrusteurope.com
-letsencrypt.org
+# letsencrypt is in rspamd's default spf_dkim_whitelist, only needed if strict:
+#letsencrypt.org both:1.0
 

install/tpl/spf_dkim_whitelist.inc.master …tpl/rspamd_spf_dkim_whitelist.inc.masterinstall/tpl/spf_dkim_whitelist.inc.master renamed to install/tpl/rspamd_spf_dkim_whitelist.inc.master install/tpl/spf_dkim_whitelist.inc.master renamed to install/tpl/rspamd_spf_dkim_whitelist.inc.master

@@ -254,6 +254,8 @@
 
 //* initialize the database
 $inst->db = new db();
+$inst->db->setDBData($conf['mysql']["host"], $conf['mysql']["ispconfig_user"], $conf['mysql']["ispconfig_password"], $conf['mysql']["port"]);
+$inst->db->setDBName($conf['mysql']['database']);
 
 //* initialize the master DB, if we have a multiserver setup
 if($conf['mysql']['master_slave_setup'] == 'y') {

install/tpl/spf_whitelist.inc.master …tall/tpl/rspamd_spf_whitelist.inc.masterinstall/tpl/spf_whitelist.inc.master renamed to install/tpl/rspamd_spf_whitelist.inc.master install/tpl/spf_whitelist.inc.master renamed to install/tpl/rspamd_spf_whitelist.inc.master

@@ -1,26 +1,19 @@
 settings {
 	authenticated {
-		priority = 9;
+		priority = 10;
 		authenticated = yes;
 		apply "default" {
 			symbols_disabled = [];
 			groups_disabled = ["rbl", "spf"];
 		}
 	}
 	whitelist {
-		priority = 7;
+		priority = 5;
 		rcpt = "postmaster";
 		rcpt = "hostmaster";
 		rcpt = "abuse";
 		want_spam = yes;
 	}
-	whitelist-ip {
-		priority = 5;
-<tmpl_loop name="whitelist_ips">
-		ip = "<tmpl_var name='ip'>";
-</tmpl_loop>
-		want_spam = yes;
-	}
 	.include(try=true; glob=true) "$LOCAL_CONFDIR/local.d/users/*.conf"
 	.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/users.local.conf"
 }