From 6502a5ba3ae5a7ad79c5576a9d83265598b9b732 Mon Sep 17 00:00:00 2001 From: Jesse Norell <jesse@kci.net> Date: Thu, 11 Feb 2021 16:43:35 -0700 Subject: [PATCH] WIP: rspamd whitelisting and rule priorities --- install/lib/installer_base.lib.php | 120 +++++++----------- install/tpl/dkim_whitelist.inc.master | 5 + install/tpl/dmarc_whitelist.inc.master | 9 ++ ...ter => rspamd_antivirus_group.conf.master} | 0 ...nf.master => rspamd_rbl_group.conf.master} | 0 ....master => rspamd_surbl_group.conf.master} | 0 install/tpl/rspamd_users.inc.conf.master | 1 - install/tpl/rspamd_whitelist.conf.master | 38 ++++++ install/tpl/spf_dkim_whitelist.inc.master | 8 ++ install/tpl/spf_whitelist.inc.master | 6 + server/conf/rspamd_users.conf.master | 25 +--- 11 files changed, 117 insertions(+), 95 deletions(-) create mode 100644 install/tpl/dkim_whitelist.inc.master create mode 100644 install/tpl/dmarc_whitelist.inc.master rename install/tpl/{rspamd_symbols_antivirus.conf.master => rspamd_antivirus_group.conf.master} (100%) rename install/tpl/{rspamd_override_rbl.conf.master => rspamd_rbl_group.conf.master} (100%) rename install/tpl/{rspamd_override_surbl.conf.master => rspamd_surbl_group.conf.master} (100%) delete mode 120000 install/tpl/rspamd_users.inc.conf.master create mode 100644 install/tpl/rspamd_whitelist.conf.master create mode 100644 install/tpl/spf_dkim_whitelist.inc.master create mode 100644 install/tpl/spf_whitelist.inc.master diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 95c6cb87ef..94116e32f8 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1802,6 +1802,10 @@ class installer_base { mkdir('/etc/rspamd/local.d/', 0755, true); } + if(!is_dir('/etc/rspamd/local.d/maps.d/')){ + mkdir('/etc/rspamd/local.d/maps.d/', 0755, true); + } + if(!is_dir('/etc/rspamd/override.d/')){ mkdir('/etc/rspamd/override.d/', 0755, true); } 
@@ -1833,82 +1837,51 @@ class installer_base { $tpl->setLoop('whitelist_ips', $whitelist_ips); wf('/etc/rspamd/local.d/users.conf', $tpl->grab()); - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_groups.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_groups.conf.master /etc/rspamd/local.d/groups.conf'); - } else { - exec('cp tpl/rspamd_groups.conf.master /etc/rspamd/local.d/groups.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_antivirus.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_antivirus.conf.master /etc/rspamd/local.d/antivirus.conf'); - } else { - exec('cp tpl/rspamd_antivirus.conf.master /etc/rspamd/local.d/antivirus.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_classifier-bayes.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_classifier-bayes.conf.master /etc/rspamd/local.d/classifier-bayes.conf'); - } else { - exec('cp tpl/rspamd_classifier-bayes.conf.master /etc/rspamd/local.d/classifier-bayes.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_greylist.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_greylist.conf.master /etc/rspamd/local.d/greylist.conf'); - } else { - exec('cp tpl/rspamd_greylist.conf.master /etc/rspamd/local.d/greylist.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_symbols_antivirus.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_symbols_antivirus.conf.master /etc/rspamd/local.d/antivirus_group.conf'); - } else { - exec('cp tpl/rspamd_symbols_antivirus.conf.master /etc/rspamd/local.d/antivirus_group.conf'); - } - - 
if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_rbl.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_rbl.conf.master /etc/rspamd/override.d/rbl_group.conf'); - } else { - exec('cp tpl/rspamd_override_rbl.conf.master /etc/rspamd/override.d/rbl_group.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_surbl.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_surbl.conf.master /etc/rspamd/override.d/surbl_group.conf'); - } else { - exec('cp tpl/rspamd_override_surbl.conf.master /etc/rspamd/override.d/surbl_group.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_mx_check.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_mx_check.conf.master /etc/rspamd/local.d/mx_check.conf'); - } else { - exec('cp tpl/rspamd_mx_check.conf.master /etc/rspamd/local.d/mx_check.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_redis.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_redis.conf.master /etc/rspamd/local.d/redis.conf'); - } else { - exec('cp tpl/rspamd_redis.conf.master /etc/rspamd/local.d/redis.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_milter_headers.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_milter_headers.conf.master /etc/rspamd/local.d/milter_headers.conf'); - } else { - exec('cp tpl/rspamd_milter_headers.conf.master /etc/rspamd/local.d/milter_headers.conf'); - } - - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_options.inc.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_options.inc.master 
/etc/rspamd/local.d/options.inc'); - } else { - exec('cp tpl/rspamd_options.inc.master /etc/rspamd/local.d/options.inc'); + $local_d = array( + 'groups.conf', + 'antivirus.conf', + 'classifier-bayes.conf', + 'greylist.conf', + 'mx_check.conf', + 'redis.conf', + 'milter_headers.conf', + 'options.inc', + 'neural.conf', + 'neural_group.conf', + 'group.conf', + ); + foreach ($local_d as $f) { + if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) { + exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/local.d/${f}"); + } else { + exec("cp tpl/rspamd_${f}.master /etc/rspamd/local.d/${f}"); + } } - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural.conf.master /etc/rspamd/local.d/neural.conf'); - } else { - exec('cp tpl/rspamd_neural.conf.master /etc/rspamd/local.d/neural.conf'); + $override_d = array( + 'rbl_group.conf', + 'surbl_group.conf', + ); + foreach ($override_d as $f) { + if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) { + exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/override.d/${f}"); + } else { + exec("cp tpl/rspamd_{f}.master /etc/rspamd/override.d/${f}"); + } } - if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural_group.conf.master')) { - exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural_group.conf.master /etc/rspamd/local.d/neural_group.conf'); - } else { - exec('cp tpl/rspamd_neural_group.conf.master /etc/rspamd/local.d/neural_group.conf'); + $maps_d = array( + 'dkim_whitelist.inc', + 'dmarc_whitelist.inc', + 'spf_dkim_whitelist.inc', + 'spf_whitelist.inc', + ); + foreach ($maps_d as $f) { + 
if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master")) { + exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_${f}.master /etc/rspamd/local.d/maps.d/"); + } else { + exec("cp tpl/rspamd_${f}.master /etc/rspamd/local.d/maps.d/"); + } } $tpl = new tpl(); @@ -1916,8 +1889,9 @@ class installer_base { $tpl->setVar('dkim_path', $mail_config['dkim_path']); wf('/etc/rspamd/local.d/dkim_signing.conf', $tpl->grab()); - exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/override.d/*'); + exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/local.d/maps.d/* /etc/rspamd/override.d/*'); + # unneccesary, since this was done above? $command = 'usermod -a -G amavis _rspamd'; caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command"); diff --git a/install/tpl/dkim_whitelist.inc.master b/install/tpl/dkim_whitelist.inc.master new file mode 100644 index 0000000000..e9049c3ea8 --- /dev/null +++ b/install/tpl/dkim_whitelist.inc.master @@ -0,0 +1,5 @@ +# Domain whitelist via valid DKIM policy +# (Prefer to spf_dkim_whitelist for domains that use both SPF and DKIM.) + +ispconfig.org + diff --git a/install/tpl/dmarc_whitelist.inc.master b/install/tpl/dmarc_whitelist.inc.master new file mode 100644 index 0000000000..a8d866467b --- /dev/null +++ b/install/tpl/dmarc_whitelist.inc.master @@ -0,0 +1,9 @@ +# Domain whitelist via valid DMARC policy (aligned SPF and/or aligned DKIM) + +comodo.com +geotrust.com +geotrusteurope.com +howtoforge.com +ispconfig.org +letsencrypt.org + diff --git a/install/tpl/rspamd_symbols_antivirus.conf.master b/install/tpl/rspamd_antivirus_group.conf.master similarity index 100% rename from install/tpl/rspamd_symbols_antivirus.conf.master rename to install/tpl/rspamd_antivirus_group.conf.master 
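Review bot: In the `$override_d` loop of installer_base.lib.php the fallback reads `exec("cp tpl/rspamd_{f}.master /etc/rspamd/override.d/${f}");`, where `{f}` lacks its `$` and reaches cp literally, so the stock rbl_group.conf and surbl_group.conf are never installed; it should be `exec("cp tpl/rspamd_${f}.master /etc/rspamd/override.d/${f}");`. The `$maps_d` loop looks for `tpl/rspamd_${f}.master`, but the maps this patch adds have no `rspamd_` prefix (e.g. `install/tpl/dkim_whitelist.inc.master`), and it copies into `maps.d/` under the source name while rspamd_whitelist.conf.master refers to `*.inc.ispc`; presumably the fallback should be `exec("cp tpl/${f}.master /etc/rspamd/local.d/maps.d/${f}.ispc");`. None of the exec() results are checked, so both failures are silent and rspamd would likely run without the RBL overrides and with missing allowlist maps; PHP's `copy()` with a checked return value would surface the error and avoid the shell. `$local_d` also no longer installs antivirus_group.conf and does not list whitelist.conf, while adding `group.conf`, for which no template is visible in this patch. The enclosing function starts and ends outside the hunk.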
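Review bot: The widened `chmod a+r` in installer_base.lib.php still covers every file in /etc/rspamd/local.d/, including the redis.conf copied earlier in this function; if that file carries a Redis password, any local account can read it. The map files are not secret, but granting read access to the group rspamd runs under instead of to all users would serve both kinds of file. The added comment `# unneccesary, since this was done above?` is an open question with a typo; resolve it or reword it as `# TODO: confirm whether this usermod repeats an earlier group change` before the WIP marker is dropped. The enclosing function starts and ends outside the hunk.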
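Review bot: The header comment in dkim_whitelist.inc.master, `# (Prefer to spf_dkim_whitelist for domains that use both SPF and DKIM.)`, can be read as either "preferred over" or "use instead", and the same wording appears in spf_whitelist.inc.master and spf_dkim_whitelist.inc.master. This comment is the only guidance on which map a domain belongs in, so the direction should be spelled out; presumably the intent is `# Domains that publish both SPF and DKIM belong in spf_dkim_whitelist instead.` here and in spf_whitelist, and `# Use this map instead of spf_whitelist or dkim_whitelist when a domain has both.` in spf_dkim_whitelist.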
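Review bot: Every domain in dmarc_whitelist.inc.master is also listed in another map added by this patch (ispconfig.org in the dkim and spf maps, howtoforge.com in the spf map, the CA domains in spf_dkim), so one message can collect several ISPC_WHITELIST_* symbols. With the scores in rspamd_whitelist.conf.master that could add up to -11.0 if the rules fire independently, which is enough to outweigh a good deal of other evidence. If stacking is not intended, list each domain only in the strongest applicable map. A header line stating that these are shipped defaults to be reviewed per installation would also help, e.g. `# Shipped defaults; review for your site.`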
diff --git a/install/tpl/rspamd_override_rbl.conf.master b/install/tpl/rspamd_rbl_group.conf.master similarity index 100% rename from install/tpl/rspamd_override_rbl.conf.master rename to install/tpl/rspamd_rbl_group.conf.master diff --git a/install/tpl/rspamd_override_surbl.conf.master b/install/tpl/rspamd_surbl_group.conf.master similarity index 100% rename from install/tpl/rspamd_override_surbl.conf.master rename to install/tpl/rspamd_surbl_group.conf.master diff --git a/install/tpl/rspamd_users.inc.conf.master b/install/tpl/rspamd_users.inc.conf.master deleted file mode 120000 index 30bb52fd8e..0000000000 --- a/install/tpl/rspamd_users.inc.conf.master +++ /dev/null @@ -1 +0,0 @@ -../../server/conf/rspamd_users.inc.conf.master \ No newline at end of file diff --git a/install/tpl/rspamd_whitelist.conf.master b/install/tpl/rspamd_whitelist.conf.master new file mode 100644 index 0000000000..6b4647a948 --- /dev/null +++ b/install/tpl/rspamd_whitelist.conf.master @@ -0,0 +1,38 @@ +rules { + "ISPC_WHITELIST_SPF" = { + valid_spf = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/spf_whitelist.inc.ispc" + ]; + score = -2.0 + inverse_symbol = "ISPC_BLACKLIST_SPF"; + } + + "ISPC_WHITELIST_DKIM" = { + valid_dkim = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/dkim_whitelist.inc.ispc" + ]; + score = -2.0; + inverse_symbol = "ISPC_BLACKLIST_DKIM"; + } + + "ISPC_WHITELIST_SPF_DKIM" = { + valid_spf = true; + valid_dkim = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/spf_dkim_whitelist.inc.ispc" + ]; + score = -4.0; + inverse_symbol = "ISPC_BLACKLIST_SPF_DKIM"; + } + + "ISPC_WHITELIST_DMARC" = { + valid_dmarc = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/dmarc_whitelist.inc.ispc" + ]; + score = -7.0; + inverse_symbol = "ISPC_BLACKLIST_DMARC"; + } +} diff --git a/install/tpl/spf_dkim_whitelist.inc.master b/install/tpl/spf_dkim_whitelist.inc.master new file mode 100644 index 0000000000..cfb3be3177 --- /dev/null 
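Review bot: In rspamd_whitelist.conf.master the `ISPC_WHITELIST_SPF` rule has `score = -2.0` without the trailing `;` that every other setting in the file carries; write `score = -2.0;` for consistency. Each rule also sets an `inverse_symbol` (ISPC_BLACKLIST_*), but nothing in the file says when that symbol is raised or what it scores, which matters for a rule set that subtracts up to 7.0 points per rule. A one-line comment above each rule stating the check it requires and what happens when a listed domain fails it would make the file reviewable by an administrator.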
+++ b/install/tpl/spf_dkim_whitelist.inc.master @@ -0,0 +1,8 @@ +# Domain whitelist via valid SPF policy AND valid DKIM policy +# (Prefer to spf_whitelist or dkim_whitelist for domains that use both SPF and DKIM.) + +comodo.com +geotrust.com +geotrusteurope.com +letsencrypt.org + diff --git a/install/tpl/spf_whitelist.inc.master b/install/tpl/spf_whitelist.inc.master new file mode 100644 index 0000000000..8eda01c8d6 --- /dev/null +++ b/install/tpl/spf_whitelist.inc.master @@ -0,0 +1,6 @@ +# Domain whitelist via valid SPF policy +# (Prefer to spf_dkim_whitelist for domains that use both SPF and DKIM.) + +howtoforge.com +ispconfig.org + diff --git a/server/conf/rspamd_users.conf.master b/server/conf/rspamd_users.conf.master index 73d437d6cb..d7ab2d8b50 100644 --- a/server/conf/rspamd_users.conf.master +++ b/server/conf/rspamd_users.conf.master @@ -1,41 +1,24 @@ settings { authenticated { - priority = 10; + priority = 9; authenticated = yes; - #apply "default" { groups_disabled = ["rbl", "spf"]; } apply "default" { - #symbols_enabled = []; symbols_disabled = []; - #groups_enabled = []; - groups_disabled = ["rbl"]; + groups_disabled = ["rbl", "spf"]; } } whitelist { - priority = 10; + priority = 7; rcpt = "postmaster"; rcpt = "hostmaster"; rcpt = "abuse"; want_spam = yes; } whitelist-ip { - priority = 10; + priority = 5; <tmpl_loop name="whitelist_ips"> ip = "<tmpl_var name='ip'>"; </tmpl_loop> - - want_spam = yes; - } -# whitelist-timmehosting { -# priority = 20; -# from = "@xxx"; -# from = "@xxx"; -# want_spam = yes; -# } - whitelist-ca { - priority = 20; - from = "@comodo.com"; - from = "@geotrust.com"; - from = "@geotrusteurope.com"; want_spam = yes; } .include(try=true; glob=true) "$LOCAL_CONFDIR/local.d/users/*.conf" -- GitLab
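Review bot: The new priorities 9, 7 and 5 in rspamd_users.conf.master carry no comment on the intended order, and that order decides whether the `authenticated` block or one of the `want_spam = yes` whitelists applies to a message. A line at the top of `settings` such as `# Higher priority is matched first: authenticated (9) > role-address whitelist (7) > IP whitelist (5)` would record it. The per-user files pulled in by the `.include` at the end are not visible here; if any of them use priority 10 or above they now outrank all three blocks, so confirm that this is intended.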