Commit Graph

22 Commits (0839490beb6065018b454dec3042cbf45d04fe12)

Author SHA1 Message Date
bors[bot] 0839490beb
Merge
2479: Rework the anti-spoofing rule r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

We shouldn't assume that Mailu is the only MTA allowed to send emails on behalf of the domains it hosts.
We should also ensure that it's non-trivial for email-spoofing of hosted domains to happen

Previously we were preventing any spoofing of the envelope from; Now we are preventing spoofing of both the envelope from and the header from unless some form of authentication passes (is a RELAYHOST, SPF, DKIM, ARC)

### Related issue(s)
- close 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere d8cf0c3848 Revert "Admin may not have started up when this loads"
This reverts commit 0f17299b4e.
Florent Daigniere 0f17299b4e Admin may not have started up when this loads
Florent Daigniere 95a3a3d342 doh
Florent Daigniere bd1b73032c Poke a hole for mailing lists
Florent Daigniere c4fcaed7d4 doh
Florent Daigniere 8929f54de5 clarify
Also cover the case where the DKIM sig is for another domain and there
is no explicit DMARC policy
Florent Daigniere 8da6117bb9 clarify
Florent Daigniere af87456faf this works for me
Florent Daigniere be4dd6d84a Spell it out
Florent Daigniere f7b3aad831 Ensure we REJECT when we don't have a DMARC policy
This restores the old behaviour
Florent Daigniere 8775a2bf04 untested code that may just work
Florent Daigniere 5d09390147 enable rspamd's autolearn feature
Vincent Kling bab3f0f5a4 Remove POD_ADDRESS_RANGE
henniaufmrenni 8eb8cb1f48 Update deprecated rspamd config option
This gets rid of the following error message:
lua; antivirus.lua:109: CLAM_VIRUS [clamav]: Using attachments_only is deprecated. Please use scan_mime_parts = true instead

As per the rspamd documentation https://rspamd.com/doc/modules/antivirus.html
attachments_only = true; # Before 1.8.1
scan_mime_parts = true; # After 1.8.1

The currently used version is rspamd 3.1.
Florent Daigniere 89a7a8ac13 Fix score of RCVD_NO_TLS_LAST
Florent Daigniere 74b31dc407 Ensure that RCVD_NO_TLS_LAST doesn't add spam points
Florent Daigniere 2170e07731 Tell rspamd about RELAYNETS
Alexander Graf 893705169e PoC rspamd use dkimkeys from admin using vault api
anrc 59bc4f7aea
Remove the username from the milter_headers
Rspamd adds the name of the authenticated user by default. Setting add_smtp_user to false prevents the login to be leaked.
Michael Wyraz e857b9d659 Document default antivirus behaviour, add an option to reject viruses
Tim Möhlmann 4e4b071fb0
Move services into core and optional