From 36623188b536bea82e6e35a2410ef546e055dfb0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Jan 2023 14:12:14 +0100
Subject: [PATCH] Don't apply antispoof rules on locally generated emails
---
 core/rspamd/conf/force_actions.conf | 6 +++---
 core/rspamd/conf/local_subnet.map | 2 ++
 core/rspamd/conf/multimap.conf | 5 +++++
 towncrier/newsfragments/2632.bugfix | 1 +
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 core/rspamd/conf/local_subnet.map
 create mode 100644 towncrier/newsfragments/2632.bugfix
diff --git a/core/rspamd/conf/force_actions.conf b/core/rspamd/conf/force_actions.conf
index 9f803405..9346fdeb 100644
--- a/core/rspamd/conf/force_actions.conf
+++ b/core/rspamd/conf/force_actions.conf
@@ -1,17 +1,17 @@
 rules {
 ANTISPOOF_NOAUTH {
 action = "reject";
- expression = "!MAILLIST & ((IS_LOCAL_DOMAIN_E & MISSING_FROM) | (IS_LOCAL_DOMAIN_H & (R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA)))";
+ expression = "!IS_LOCALLY_GENERATED & !MAILLIST & ((IS_LOCAL_DOMAIN_E & MISSING_FROM) | (IS_LOCAL_DOMAIN_H & (R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA)))";
 message = "Rejected (anti-spoofing: noauth). Please setup DMARC with DKIM or SPF if you want to send emails from your domain from other servers.";
 }
 ANTISPOOF_DMARC_ENFORCE_LOCAL {
 action = "reject";
- expression = "!MAILLIST & (IS_LOCAL_DOMAIN_H | IS_LOCAL_DOMAIN_E) & (DMARC_POLICY_SOFTFAIL | DMARC_POLICY_REJECT | DMARC_POLICY_QUARANTINE | DMARC_NA)";
+ expression = "!IS_LOCALLY_GENERATED & !MAILLIST & (IS_LOCAL_DOMAIN_H | IS_LOCAL_DOMAIN_E) & (DMARC_POLICY_SOFTFAIL | DMARC_POLICY_REJECT | DMARC_POLICY_QUARANTINE | DMARC_NA)";
 message = "Rejected (anti-spoofing: DMARC compliance is enforced for local domains, regardless of the policy setting)";
 }
 ANTISPOOF_AUTH_FAILED {
 action = "reject";
- expression = "!MAILLIST & BLACKLIST_ANTISPOOF";
+ expression = "!IS_LOCALLY_GENERATED & !MAILLIST & BLACKLIST_ANTISPOOF";
 message = "Rejected (anti-spoofing: auth-failed)";
 }
 }
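Review bot: The new `!IS_LOCALLY_GENERATED` term in all three expressions (ANTISPOOF_NOAUTH, ANTISPOOF_DMARC_ENFORCE_LOCAL, ANTISPOOF_AUTH_FAILED) makes the client address the only condition for skipping anti-spoofing, so every host inside `{{ SUBNET }}`/`{{ SUBNET6 }}` is trusted to send as any local domain. That holds only if rspamd is always handed the original client address; if some relay inside that subnet forwards externally received mail under its own address (I cannot tell from this patch), spoofed mail would skip these rejects. I would state the assumption next to the rules, e.g. `# IS_LOCALLY_GENERATED matches the client IP against the container subnet; anything relaying external mail must pass the real client address on`, and consider narrowing the map to the hosts that actually generate mail.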
diff --git a/core/rspamd/conf/local_subnet.map b/core/rspamd/conf/local_subnet.map
new file mode 100644
index 00000000..9ead47e0
--- /dev/null
+++ b/core/rspamd/conf/local_subnet.map
@@ -0,0 +1,2 @@
+{{ SUBNET }}
+{{ SUBNET6 }}
diff --git a/core/rspamd/conf/multimap.conf b/core/rspamd/conf/multimap.conf
index 7ee6669e..cc407269 100644
--- a/core/rspamd/conf/multimap.conf
+++ b/core/rspamd/conf/multimap.conf
@@ -10,6 +10,11 @@ IS_LOCAL_DOMAIN_E { map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains"; } +IS_LOCALLY_GENERATED { + type = "ip" + map = ["/etc/rspamd/local.d/local_subnet.map"]; +} + FORBIDDEN_FILE_EXTENSION { type = "filename"; filter = "extension";
diff --git a/towncrier/newsfragments/2632.bugfix b/towncrier/newsfragments/2632.bugfix
new file mode 100644
index 00000000..6831764e
--- /dev/null
+++ b/towncrier/newsfragments/2632.bugfix
@@ -0,0 +1 @@
+Fix a bug introduced in master whereby anything locally generated (sieve, autoresponder, ...) would be blocked by the anti-spoofing rules
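Review bot: `{{ SUBNET6 }}` is written unconditionally on the second line of the new local_subnet.map, so on a deployment without IPv6 the rendered file may contain an empty or non-address line, depending on how the template engine prints an unset value. Since this map now decides which senders skip the anti-spoofing rules, a line rspamd cannot parse, or one that parses to something broader than intended, is worth ruling out. If the templates are Jinja (the `{{ }}` syntax suggests it), guarding the line as `{% if SUBNET6 %}{{ SUBNET6 }}{% endif %}` would do; it is also worth checking the rendered file in an IPv4-only setup.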
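Review bot: `type = "ip"` in the added IS_LOCALLY_GENERATED block of multimap.conf has no terminating `;`, while the neighbouring `type = "filename";` and the `map` line in the same block do; I would write `type = "ip";` for consistency. The block would also benefit from a one-line comment saying what it matches, for example `# client address is inside the deployment's own subnet (see local_subnet.map)`, because the symbol name reads as "generated by this server" while the check is purely address-based. The hunk's context includes lines from the IS_LOCAL_DOMAIN_E and FORBIDDEN_FILE_EXTENSION blocks, neither of which is fully visible here.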