rspamd: add recipient whitelist/blacklist maps

Author: jnorell

install/lib/installer_base.lib.php

@@ -1939,7 +1939,7 @@ public function configure_rspamd() {
 		# generated local.d/maps.d files
 		$filename = '/etc/rspamd/local.d/maps.d/ip_whitelist.inc.ispc';
 		@unlink($filename);
-		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'client' AND `access` = 'OK' AND `active` = 'y' AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'client' AND `access` = 'OK' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
 		if (count($records) > 0) {
 			if ($fp = fopen($filename, 'w')) {
 				fwrite($fp, "# ISPConfig whitelisted ip addresses\n\n");
@@ -1954,7 +1954,7 @@ public function configure_rspamd() {
 
 		$filename = '/etc/rspamd/local.d/maps.d/sender_whitelist.inc.ispc';
 		@unlink($filename);
-		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
 		if (count($records) > 0) {
 			if ($fp = fopen($filename, 'w')) {
 				fwrite($fp, "# ISPConfig whitelisted sender addresses\n\n");
@@ -1969,7 +1969,7 @@ public function configure_rspamd() {
 
 		$filename = '/etc/rspamd/local.d/maps.d/sender_blacklist.inc.ispc';
 		@unlink($filename);
-		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
 		if (count($records) > 0) {
 			if ($fp = fopen($filename, 'w')) {
 				fwrite($fp, "# ISPConfig blacklisted sender addresses\n\n");
@@ -1984,7 +1984,7 @@ public function configure_rspamd() {
 
 		$filename = '/etc/rspamd/local.d/maps.d/sender_domain_whitelist.inc.ispc';
 		@unlink($filename);
-		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` NOT LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` NOT LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
 		if (count($records) > 0) {
 			if ($fp = fopen($filename, 'w')) {
 				fwrite($fp, "# ISPConfig whitelisted sender domains\n\n");
@@ -1999,7 +1999,7 @@ public function configure_rspamd() {
 
 		$filename = '/etc/rspamd/local.d/maps.d/sender_domain_blacklist.inc.ispc';
 		@unlink($filename);
-		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` NOT LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'sender' AND `source` NOT LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
 		if (count($records) > 0) {
 			if ($fp = fopen($filename, 'w')) {
 				fwrite($fp, "# ISPConfig blacklisted sender domains\n\n");
@@ -2012,6 +2012,66 @@ public function configure_rspamd() {
 			}
 		}
 
+		$filename = '/etc/rspamd/local.d/maps.d/recipient_whitelist.inc.ispc';
+		@unlink($filename);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'recipient' AND `source` LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		if (count($records) > 0) {
+			if ($fp = fopen($filename, 'w')) {
+				fwrite($fp, "# ISPConfig whitelisted recipient addresses\n\n");
+				foreach($records as $record) {
+					fwrite($fp, $record['source'] . "\n");
+				}
+				fclose($fp);
+			} else {
+				$this->error("Error: cannot open $filename for writing");
+			}
+		}
+
+		$filename = '/etc/rspamd/local.d/maps.d/recipient_blacklist.inc.ispc';
+		@unlink($filename);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'recipient' AND `source` LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		if (count($records) > 0) {
+			if ($fp = fopen($filename, 'w')) {
+				fwrite($fp, "# ISPConfig blacklisted recipient addresses\n\n");
+				foreach($records as $record) {
+					fwrite($fp, $record['source'] . "\n");
+				}
+				fclose($fp);
+			} else {
+				$this->error("Error: cannot open $filename for writing");
+			}
+		}
+
+		$filename = '/etc/rspamd/local.d/maps.d/recipient_domain_whitelist.inc.ispc';
+		@unlink($filename);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'recipient' AND `source` NOT LIKE '%@%' AND `access` = 'OK' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		if (count($records) > 0) {
+			if ($fp = fopen($filename, 'w')) {
+				fwrite($fp, "# ISPConfig whitelisted recipient domains\n\n");
+				foreach($records as $record) {
+					fwrite($fp, ltrim($record['source'], '.') . "\n");
+				}
+				fclose($fp);
+			} else {
+				$this->error("Error: cannot open $filename for writing");
+			}
+		}
+
+		$filename = '/etc/rspamd/local.d/maps.d/recipient_domain_blacklist.inc.ispc';
+		@unlink($filename);
+		$records = $this->db->queryAllRecords("SELECT `source` FROM ?? WHERE `type` = 'recipient' AND `source` NOT LIKE '%@%' AND `access` LIKE 'REJECT%' AND `active` = 'y' AND `sys_userid` IN (SELECT `userid` FROM `sys_user` WHERE `sys_groupid` = 0) AND `server_id` = ? ORDER BY `source` ASC", $conf['mysql']['database'] . '.mail_access', $conf['server_id']);
+		if (count($records) > 0) {
+			if ($fp = fopen($filename, 'w')) {
+				fwrite($fp, "# ISPConfig blacklisted recipient domains\n\n");
+				foreach($records as $record) {
+					fwrite($fp, ltrim($record['source'], '.') . "\n");
+				}
+				fclose($fp);
+			} else {
+				$this->error("Error: cannot open $filename for writing");
+			}
+		}
+
 
 		# rename rspamd templates we no longer use
 		if(file_exists("/etc/rspamd/local.d/greylist.conf")) {

install/tpl/rspamd_force_actions.conf.master

@@ -6,7 +6,7 @@ rules {
   }
 
   ISPC_BLACKLIST_SENDER {
-    expression = "(ISPC_BLACKLIST_FROM or ISPC_BLACKLIST_FROM_DOMAIN) and R_DKIM_ALLOW and !ISPC_WHITELIST_SENDER and !ISPC_WHITELIST_SENDER_DOMAIN";
+    expression = "(ISPC_BLACKLIST_FROM or ISPC_BLACKLIST_FROM_DOMAIN) and R_DKIM_ALLOW and !ISPC_WHITELIST_SENDER and !ISPC_WHITELIST_SENDER_DOMAIN and !ISPC_WHITELIST_RECIPIENT";
     action = "reject";
   }
 
@@ -15,4 +15,19 @@ rules {
     action = "no action";
   }
 
+  ISPC_WHITELIST_RECIPIENT {
+    expression = "ISPC_WHITELIST_ENVRCPT and !CLAM_VIRUS and !JUST_EICAR";
+    action = "no action";
+  }
+
+  ISPC_BLACKLIST_RECIPIENT {
+    expression = "(ISPC_BLACKLIST_TO or ISPC_BLACKLIST_TO_DOMAIN) and !ISPC_WHITELIST_SENDER and !ISPC_WHITELIST_SENDER_DOMAIN and !ISPC_WHITELIST_RECIPIENT";
+    action = "reject";
+  }
+
+  ISPC_WHITELIST_RECIPIENT_DOMAIN {
+    expression = "ISPC_WHITELIST_ENVRCPT_DOMAIN and !CLAM_VIRUS and !JUST_EICAR";
+    action = "no action";
+  }
+
 }

install/tpl/rspamd_multimap.conf.master

@@ -1,6 +1,6 @@
 ISPC_WHITELIST_IP {
-  description = "Whitelisted ip address";
   group = "ISPConfig";
+  description = "Whitelisted ip address.";
   type = "ip";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/ip_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/ip_whitelist.inc.local" ];
   prefilter = "true";
@@ -10,63 +10,110 @@ ISPC_WHITELIST_IP {
 # ISPC_BLACKLIST_IP:  Postfix blocks blacklisted IP's, no need to configure those here.
 
 ISPC_WHITELIST_ENVFROM {
-  type = "from";
-  filter = "email";
+  group = "ISPConfig";
+  description = "Whitelisted sender address.";
+  type = "selector";
+  filter = "from('smtp')";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_whitelist.inc.local" ];
   score = -7.0;
-  description = "Whitelisted sender address";
-  group = "ispconfig";
 }
 
 # ISPC_BLACKLIST_ENVFROM:  Postfix blocks blacklisted senders, no need to configure those here.
 
 ISPC_WHITELIST_ENVFROM_DOMAIN {
-  type = "from";
-  filter = "email:domain";
+  group = "ISPConfig";
+  description = "Whitelisted sender domain.";
+  type = "selector";
+  filter = "from('smtp'):domain";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_whitelist.inc.local" ];
   score = -7.0;
-  description = "Whitelisted sender domain";
-  group = "ispconfig";
 }
 
 # ISPC_BLACKLIST_ENVFROM_DOMAIN:  Postfix blocks blacklisted sender domains, no need to configure those here.
 
 ISPC_WHITELIST_FROM {
+  group = "ISPConfig";
+  description = "From: header address in sender whitelist.";
   type = "selector";
   selector = "from('mime')";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_whitelist.inc.local" ];
   # trivial to spoof so primarily used via composite expression in force_actions.conf
   score = -1.0;
-  description = "From: header address in sender whitelist.";
-  group = "ispconfig";
 }
 
 ISPC_BLACKLIST_FROM {
+  group = "ISPConfig";
+  description = "From: header address in sender blacklist.";
   type = "selector";
   selector = "from('mime')";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_blacklist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_blacklist.inc.local" ];
   score = 12.0;
-  description = "From: header address in sender blacklist.";
-  group = "ispconfig";
 }
 
 ISPC_WHITELIST_FROM_DOMAIN {
+  group = "ISPConfig";
+  description = "From: header domain in sender whitelist.";
   type = "selector";
   selector = "from('mime'):domain";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_whitelist.inc.local" ];
   # trivial to spoof so primarily used via composite expression in force_actions.conf
   score = -1.0;
-  description = "From: header domain in sender whitelist.";
-  group = "ispconfig";
 }
 
 ISPC_BLACKLIST_FROM_DOMAIN {
+  group = "ISPConfig";
+  description = "From: header domain in sender blacklist.";
   type = "selector";
   selector = "from('mime'):domain";
   map = [ "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_blacklist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/sender_domain_blacklist.inc.local" ];
   score = 12.0;
-  description = "From: header domain in sender blacklist.";
-  group = "ispconfig";
+}
+
+# Reminder: test if whitelisted sender bypasses dkim signing for sender
+# Reminder: test if whitelisted recipient address bypasses dkim signing for sender
+
+ISPC_WHITELIST_ENVRCPT {
+  group = "ISPConfig";
+  description = "Whitelisted recipient address.";
+  type = "selector";
+  filter = "rcpts('smtp')";
+  map = [ "$LOCAL_CONFDIR/local.d/maps.d/recipient_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/recipient_whitelist.inc.local" ];
+  score = -7.0;
+}
+
+# ISPC_BLACKLIST_ENVRCPT:  Postfix blocks blacklisted recipients, no need to configure those here.
+
+ISPC_WHITELIST_ENVRCPT_DOMAIN {
+  group = "ISPConfig";
+  description = "Whitelisted recipient domain.";
+  type = "selector";
+  filter = "rcpts('smtp'):domain";
+  map = [ "$LOCAL_CONFDIR/local.d/maps.d/recipient_domain_whitelist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/recipient_domain_whitelist.inc.local" ];
+  score = -7.0;
+}
+
+# ISPC_BLACKLIST_ENVRCPT_DOMAIN:  Postfix blocks blacklisted recipient domains, no need to configure those here.
+
+# ISPC_WHITELIST_TO: headers are trivial to forge, no whitelisting based on them
+
+ISPC_BLACKLIST_TO {
+  group = "ISPConfig";
+  description = "To:/Cc: header address in recipient blacklist.";
+  type = "selector";
+  selector = "rcpts('mime')";
+  map = [ "$LOCAL_CONFDIR/local.d/maps.d/recipient_blacklist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/recipient_blacklist.inc.local" ];
+  score = 12.0;
+}
+
+# ISPC_WHITELIST_TO_DOMAIN: headers are trivial to forge, no whitelisting based on them
+
+ISPC_BLACKLIST_TO_DOMAIN {
+  group = "ISPConfig";
+  description = "To:/Cc: header domain in recipient blacklist.";
+  type = "selector";
+  selector = "rcpts('mime'):domain";
+  map = [ "$LOCAL_CONFDIR/local.d/maps.d/recipient_domain_blacklist.inc.ispc", "$LOCAL_CONFDIR/local.d/maps.d/recipient_domain_blacklist.inc.local" ];
+  score = 12.0;
 }