Don't apply antispoof rules on locally generated emails

main
Florent Daigniere 2 years ago
parent 179c624116
commit 36623188b5

@ -1,17 +1,17 @@
rules { rules {
ANTISPOOF_NOAUTH { ANTISPOOF_NOAUTH {
action = "reject"; action = "reject";
expression = "!MAILLIST & ((IS_LOCAL_DOMAIN_E & MISSING_FROM) | (IS_LOCAL_DOMAIN_H & (R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA)))"; expression = "!IS_LOCALLY_GENERATED & !MAILLIST & ((IS_LOCAL_DOMAIN_E & MISSING_FROM) | (IS_LOCAL_DOMAIN_H & (R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA)))";
message = "Rejected (anti-spoofing: noauth). Please setup DMARC with DKIM or SPF if you want to send emails from your domain from other servers."; message = "Rejected (anti-spoofing: noauth). Please setup DMARC with DKIM or SPF if you want to send emails from your domain from other servers.";
} }
ANTISPOOF_DMARC_ENFORCE_LOCAL { ANTISPOOF_DMARC_ENFORCE_LOCAL {
action = "reject"; action = "reject";
expression = "!MAILLIST & (IS_LOCAL_DOMAIN_H | IS_LOCAL_DOMAIN_E) & (DMARC_POLICY_SOFTFAIL | DMARC_POLICY_REJECT | DMARC_POLICY_QUARANTINE | DMARC_NA)"; expression = "!IS_LOCALLY_GENERATED & !MAILLIST & (IS_LOCAL_DOMAIN_H | IS_LOCAL_DOMAIN_E) & (DMARC_POLICY_SOFTFAIL | DMARC_POLICY_REJECT | DMARC_POLICY_QUARANTINE | DMARC_NA)";
message = "Rejected (anti-spoofing: DMARC compliance is enforced for local domains, regardless of the policy setting)"; message = "Rejected (anti-spoofing: DMARC compliance is enforced for local domains, regardless of the policy setting)";
} }
ANTISPOOF_AUTH_FAILED { ANTISPOOF_AUTH_FAILED {
action = "reject"; action = "reject";
expression = "!MAILLIST & BLACKLIST_ANTISPOOF"; expression = "!IS_LOCALLY_GENERATED & !MAILLIST & BLACKLIST_ANTISPOOF";
message = "Rejected (anti-spoofing: auth-failed)"; message = "Rejected (anti-spoofing: auth-failed)";
} }
} }
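Review bot: The `!IS_LOCALLY_GENERATED` term added to all three expressions makes the source address the only thing separating an exempt message from a spoofed local-domain sender, and it also disables `ANTISPOOF_AUTH_FAILED`, whose `BLACKLIST_ANTISPOOF` input is defined outside this hunk. The exemption holds only if mail received from outside never reaches rspamd with a source address inside the mapped subnets, for instance after being handed on by a proxy or relay in that network without the original client address; that cannot be confirmed from these lines. I would record the assumption next to the rules, e.g. `# IS_LOCALLY_GENERATED is a source-IP match (local_subnet.map); inbound mail must reach rspamd with its real client IP or these rejects are skipped`.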

@ -0,0 +1,2 @@
{{ SUBNET }}
{{ SUBNET6 }}
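Review bot: The new map lists the whole `{{ SUBNET }}` and `{{ SUBNET6 }}` ranges, which is wider than the sieve and autoresponder sources named in the changelog entry, so every host able to send from those ranges is exempt from the three `ANTISPOOF_*` rejects. If the services that generate mail have known addresses, listing only those would keep the exemption as narrow as the bug being fixed; whether such addresses are available to the template is not visible here. At minimum a header comment would help the next reader, e.g. `# Source ranges treated as locally generated; members skip the ANTISPOOF_* rules`.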

@ -10,6 +10,11 @@ IS_LOCAL_DOMAIN_E {
map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains"; map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains";
} }
IS_LOCALLY_GENERATED {
type = "ip"
map = ["/etc/rspamd/local.d/local_subnet.map"];
}
FORBIDDEN_FILE_EXTENSION { FORBIDDEN_FILE_EXTENSION {
type = "filename"; type = "filename";
filter = "extension"; filter = "extension";
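Review bot: The added `IS_LOCALLY_GENERATED` entry is written differently from its neighbours: `type = "ip"` has no terminating `;` and `map` is a one-element list, while the surrounding entries end every value with `;` and give `map` as a plain string. The parser most likely accepts both forms, but matching the file's style avoids doubt about whether the difference is intentional: `type = "ip";` and `map = "/etc/rspamd/local.d/local_subnet.map";`. A `description` line or a comment saying that the symbol matches on the connecting IP would also make its use in the anti-spoofing expressions easier to audit. The `FORBIDDEN_FILE_EXTENSION` entry continues past the end of the hunk.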

@ -0,0 +1 @@
Fix a bug introduced in master whereby anything locally generated (sieve, autoresponder, ...) would be blocked by the anti-spoofing rules