diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 21:30:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 21:30:40 +0000 |
commit | 133a45c109da5310add55824db21af5239951f93 (patch) | |
tree | ba6ac4c0a950a0dda56451944315d66409923918 /conf/modules.d | |
parent | Initial commit. (diff) | |
download | rspamd-133a45c109da5310add55824db21af5239951f93.tar.xz rspamd-133a45c109da5310add55824db21af5239951f93.zip |
Adding upstream version 3.8.1.upstream/3.8.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
49 files changed, 2141 insertions, 0 deletions
diff --git a/conf/modules.d/antivirus.conf b/conf/modules.d/antivirus.conf new file mode 100644 index 0000000..b172288 --- /dev/null +++ b/conf/modules.d/antivirus.conf @@ -0,0 +1,58 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/antivirus.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/antivirus.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/antivirus.html + +antivirus { + # multiple scanners could be checked, for each we create a configuration block with an arbitrary name + #clamav { + # If set force this action if any virus is found (default unset: no action is forced) + # action = "reject"; + # message = '${SCANNER}: virus found: "${VIRUS}"'; + # Scan mime_parts separately - otherwise the complete mail will be transferred to AV Scanner + #scan_mime_parts = true; + # Scanning Text is suitable for some av scanner databases (e.g. Sanesecurity) + #scan_text_mime = false; + #scan_image_mime = false; + # If `max_size` is set, messages > n bytes in size are not scanned + #max_size = 20000000; + # symbol to add (add it to metric if you want non-zero weight) + #symbol = "CLAM_VIRUS"; + # type of scanner: "clamav", "fprot", "sophos" or "savapi" + #type = "clamav"; + # For "savapi" you must also specify the following variable + #product_id = 12345; + # You can enable logging for clean messages + #log_clean = true; + # servers to query (if port is unspecified, scanner-specific default is used) + # can be specified multiple times to pool servers + # can be set to a path to a unix socket + # Enable this in local.d/antivirus.conf + #servers = "127.0.0.1:3310"; + # if `patterns` is specified virus name will be matched against provided regexes and the related + # symbol will be yielded if a match is found. If no match is found, default symbol is yielded. + #patterns { + # symbol_name = "pattern"; + # JUST_EICAR = '^Eicar-Test-Signature$'; + #} + #patterns_fail { + # symbol_name = "pattern"; + #CLAM_PROTOCOL_ERROR = '^unhandled response'; + #} + # `whitelist` points to a map of signature names. Hits on these signatures are ignored. + #whitelist = "/etc/rspamd/antivirus.wl"; + #} + + .include(try=true,priority=5) "${DBDIR}/dynamic/antivirus.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/antivirus.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/antivirus.conf" +} diff --git a/conf/modules.d/arc.conf b/conf/modules.d/arc.conf new file mode 100644 index 0000000..f26dad8 --- /dev/null +++ b/conf/modules.d/arc.conf @@ -0,0 +1,72 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/arc.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/arc.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/arc.html + + +# To configure this module, please also check the following document: +# https://rspamd.com/doc/tutorials/scanning_outbound.html and +# https://rspamd.com/doc/modules/arc.html + +# To enable this module define the following attributes: +# path = "${DBDIR}/arc/$domain.$selector.key"; +# OR +# domain { ... }, if you use per-domain conf +# OR +# set `use_redis=true;` and define redis servers + +arc { + # If false, messages with empty envelope from are not signed + allow_envfrom_empty = true; + # If true, envelope/header domain mismatch is ignored + allow_hdrfrom_mismatch = true; + # If true, multiple from headers are allowed (but only first is used) + allow_hdrfrom_multiple = false; + # If true, username does not need to contain matching domain + allow_username_mismatch = false; + # Default path to key, can include '$domain' and '$selector' variables + #path = "${DBDIR}/arc/$domain.$selector.key"; + # Default selector to use + selector = "arc"; + # If false, messages from authenticated users are not selected for signing + sign_authenticated = false; + # If false, inbound messages are not selected for signing + sign_inbound = true; + # If false, messages from local networks are not selected for signing + sign_local = false; + # Symbol to add when message is signed + sign_symbol = "ARC_SIGNED"; + # Whether to fallback to global config + try_fallback = true; + # Domain to use for ARC signing: can be "header", "envelope" or "recipient" + use_domain = "recipient"; + # Whether to normalise domains to eSLD + use_esld = true; + # Whether to get keys from Redis + use_redis = false; + # Hash for ARC keys in Redis + key_prefix = "ARC_KEYS"; + + # Domain specific settings + #domain { + # example.com { + # # Private key path + # path = "${DBDIR}/arc/example.key"; + # # Selector + # selector = "ds"; + # } + #} + + .include(try=true,priority=5) "${DBDIR}/dynamic/arc.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/arc.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/arc.conf" +} diff --git a/conf/modules.d/asn.conf b/conf/modules.d/asn.conf new file mode 100644 index 0000000..61efd52 --- /dev/null +++ b/conf/modules.d/asn.conf @@ -0,0 +1,29 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/asn.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/asn.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/asn.html + +asn { + # Provider: just "rspamd" for now + provider_type = "rspamd"; + # Provider-specific configuration + provider_info { + ip4 = "asn.rspamd.com"; + ip6 = "asn6.rspamd.com"; + } + # If defined, insert symbol with lookup results + # symbol = "ASN"; + + .include(try=true,priority=5) "${DBDIR}/dynamic/asn.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/asn.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/asn.conf" +} diff --git a/conf/modules.d/aws_s3.conf b/conf/modules.d/aws_s3.conf new file mode 100644 index 0000000..5d78148 --- /dev/null +++ b/conf/modules.d/aws_s3.conf @@ -0,0 +1,27 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/aws_s3.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/aws_s3.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/aws_s3.html + +aws_s3 { + # Required attributes + #s3_bucket = 'xxx'; + s3_region = 'us-east-1'; + s3_host = 's3.amazonaws.com'; + #s3_secret_key = 'xxx'; + #s3_key_id = 'xxx'; + # Enable in local.d/aws_s3.conf + enabled = false; + .include(try=true,priority=5) "${DBDIR}/dynamic/aws_s3.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/aws_s3.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/aws_s3.conf" +} diff --git a/conf/modules.d/bimi.conf b/conf/modules.d/bimi.conf new file mode 100644 index 0000000..ed7be6b --- /dev/null +++ b/conf/modules.d/bimi.conf @@ -0,0 +1,30 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/bimi.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/bimi.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Currently there is no documentation for this module. When it is written it will +# be available at https://rspamd.com/doc/modules/bimi.html + +bimi { + # Required attributes + #helper_url = "http://127.0.0.1:3030", + helper_timeout = 5s; + helper_sync = true; + vmc_only = true; + redis_prefix = 'rs_bimi'; + redis_min_expiry = 24h; + + # Enable in local.d/bimi.conf + enabled = false; + .include(try=true,priority=5) "${DBDIR}/dynamic/bimi.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/bimi.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/bimi.conf" +} diff --git a/conf/modules.d/chartable.conf b/conf/modules.d/chartable.conf new file mode 100644 index 0000000..849c8bd --- /dev/null +++ b/conf/modules.d/chartable.conf @@ -0,0 +1,21 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/chartable.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/chartable.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/chartable.html + +chartable { + threshold = 0.300000; + symbol = "R_MIXED_CHARSET"; + .include(try=true,priority=5) "${DBDIR}/dynamic/chartable.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/chartable.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/chartable.conf" +} diff --git a/conf/modules.d/clickhouse.conf b/conf/modules.d/clickhouse.conf new file mode 100644 index 0000000..5edf710 --- /dev/null +++ b/conf/modules.d/clickhouse.conf @@ -0,0 +1,59 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/clickhouse.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/clickhouse.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/clickhouse.html + +clickhouse { + # Push update when 1000 records are collected (1000 if unset) + limit = 1000; + # IP:port of Clickhouse server + # server = "localhost:8123"; + # Timeout to wait for response (5 seconds if unset) + timeout = 5; + # How many bits of sending IP to mask in logs for IPv4 (19 if unset) + ipmask = 19; + # How many bits of sending IP to mask in logs for IPv6 (48 if unset) + ipmask6 = 48; + # Record URL paths? (default false) + full_urls = false; + # This parameter points to a map of domain names + # If a message has a domain in this map in From: header and DKIM signature, + # record general metadata in a table named after the domain + #from_tables = "/etc/rspamd/clickhouse_from.map"; + # These are symbols of other checks in Rspamd + # Set these if you use non-default symbol names (unlikely) + #bayes_spam_symbols = ["BAYES_SPAM"]; + #bayes_ham_symbols = ["BAYES_HAM"]; + #fann_symbols = ["FANN_SCORE"]; + #fuzzy_symbols = ["FUZZY_DENIED"]; + #whitelist_symbols = ["WHITELIST_DKIM", "WHITELIST_SPF_DKIM", "WHITELIST_DMARC"]; + #dkim_allow_symbols = ["R_DKIM_ALLOW"]; + #dkim_reject_symbols = ["R_DKIM_REJECT"]; + #dmarc_allow_symbols = ["DMARC_POLICY_ALLOW"]; + #dmarc_reject_symbols = ["DMARC_POLICY_REJECT", "DMARC_POLICY_QUARANTINE"]; + + #retention { + # # disabled by default + # enable = true; + # # drop | detach, please refer to ClickHouse docs for details + # # http://clickhouse-docs.readthedocs.io/en/latest/query_language/queries.html#manipulations-with-partitions-and-parts + # method = "drop"; + # # how many month the data should be kept in ClickHouse + # period_months = 3; + # # how often run the cleanup process + # run_every = "7d"; + #} + + .include(try=true,priority=5) "${DBDIR}/dynamic/clickhouse.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/clickhouse.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/clickhouse.conf" +} diff --git a/conf/modules.d/dcc.conf b/conf/modules.d/dcc.conf new file mode 100644 index 0000000..22ca600 --- /dev/null +++ b/conf/modules.d/dcc.conf @@ -0,0 +1,28 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/dcc.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/dcc.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/dcc.html + +dcc { + + enabled = false; + + # Define local socket or TCP servers in upstreams syntax + # When sockets and servers are definined - servers is used! + socket = "/var/dcc/dccifd"; # Unix socket + #servers = "127.0.0.1:10045" # OR TCP upstreams + timeout = 2s; # Timeout to wait for checks + + .include(try=true,priority=5) "${DBDIR}/dynamic/dcc.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/dcc.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/dcc.conf" +} diff --git a/conf/modules.d/dkim.conf b/conf/modules.d/dkim.conf new file mode 100644 index 0000000..689ecd2 --- /dev/null +++ b/conf/modules.d/dkim.conf @@ -0,0 +1,25 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/dkim.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/dkim.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/dkim.html + +dkim { + dkim_cache_size = 2k; + dkim_cache_expire = 1d; + time_jitter = 6h; + trusted_only = false; + skip_multi = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/dkim.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/dkim.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/dkim.conf" +} diff --git a/conf/modules.d/dkim_signing.conf b/conf/modules.d/dkim_signing.conf new file mode 100644 index 0000000..42cb0e2 --- /dev/null +++ b/conf/modules.d/dkim_signing.conf @@ -0,0 +1,77 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/dkim_signing.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/dkim_signing.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details + + +# To configure this module, please also check the following document: +# https://rspamd.com/doc/tutorials/scanning_outbound.html and +# https://rspamd.com/doc/modules/dkim_signing.html + +# To enable this module define the following attributes: +# path = "/var/lib/rspamd/dkim/$domain.$selector.key"; +# OR +# domain { ... }, if you use per-domain conf +# OR +# set `use_redis=true;` and define redis servers + +dkim_signing { + # If false, messages with empty envelope from are not signed + allow_envfrom_empty = true; + # If true, envelope/header domain mismatch is ignored + allow_hdrfrom_mismatch = false; + # If true, multiple from headers are allowed (but only first is used) + allow_hdrfrom_multiple = false; + # If true, username does not need to contain matching domain + allow_username_mismatch = false; + # Default path to key, can include '$domain' and '$selector' variables + #path = "/var/lib/rspamd/dkim/$domain.$selector.key"; + # Default selector to use + selector = "dkim"; + # If false, messages from authenticated users are not selected for signing + sign_authenticated = true; + # If false, messages from local networks are not selected for signing + sign_local = true; + # Symbol to add when message is signed + symbol = "DKIM_SIGNED"; + # Whether to fallback to global config + try_fallback = true; + # Domain to use for DKIM signing: can be "header" or "envelope" + use_domain = "header"; + # Whether to normalise domains to eSLD + use_esld = true; + # Whether to get keys from Redis + use_redis = false; + # Hash for DKIM keys in Redis + key_prefix = "DKIM_KEYS"; + + # Domain specific settings + #domain { + # example.com { + # selectors [ + # { # Private key path + # path = "/var/lib/rspamd/dkim/example.key"; + # # Selector + # selector = "ds"; + # }, + # { # multiple dkim signature + # path = "/var/lib/rspamd/dkim/eddsa.key"; + # selector = "eddsa"; + # } + # ] + # } + #} + + + + .include(try=true,priority=5) "${DBDIR}/dynamic/dkim_signing.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/dkim_signing.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/dkim_signing.conf" +} diff --git a/conf/modules.d/dmarc.conf b/conf/modules.d/dmarc.conf new file mode 100644 index 0000000..d487041 --- /dev/null +++ b/conf/modules.d/dmarc.conf @@ -0,0 +1,19 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/dmarc.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/dmarc.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/dmarc.html + +dmarc { + .include(try=true,priority=5) "${DBDIR}/dynamic/dmarc.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/dmarc.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/dmarc.conf" +} diff --git a/conf/modules.d/elastic.conf b/conf/modules.d/elastic.conf new file mode 100644 index 0000000..8056023 --- /dev/null +++ b/conf/modules.d/elastic.conf @@ -0,0 +1,35 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/elastic.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/elastic.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/elastic.html + +elastic { + # Push update when 10 records are collected (10 if unset) + limit = 10; + # IP:port of Elasticsearch server + #server = "localhost:9200"; + # Timeout to wait for response (5 seconds if unset) + timeout = 5; + # Elasticsearch template file (json format) + #template_file = "${SHAREDIR}/elastic/rspamd_template.json"; + # Kibana prebuild visualizations and dashboard template (json format) + #kibana_file = "${SHAREDIR}/elastic/kibana.json"; + # Elasticsearch index name pattern + index_pattern = "rspamd-%Y.%m.%d"; + # Dump debug information + debug = false; + # Import kibana template + import_kibana = false; + .include(try=true,priority=5) "${DBDIR}/dynamic/elastic.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/elastic.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/elastic.conf" +} diff --git a/conf/modules.d/emails.conf b/conf/modules.d/emails.conf new file mode 100644 index 0000000..19f750f --- /dev/null +++ b/conf/modules.d/emails.conf @@ -0,0 +1,8 @@ +# Deprecated, preserved for compatibility purposes! Use rbl module +# Module documentation https://rspamd.com/doc/modules/rbl.html + +emails { + .include(try=true,priority=5) "${DBDIR}/dynamic/emails.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/emails.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/emails.conf" +} diff --git a/conf/modules.d/external_relay.conf b/conf/modules.d/external_relay.conf new file mode 100644 index 0000000..7d52ced --- /dev/null +++ b/conf/modules.d/external_relay.conf @@ -0,0 +1,22 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/external_relay.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/external_relay.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/external_relay.html + +external_relay { + # This module is default-disabled + enabled = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/external_relay.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/external_relay.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/external_relay.conf" +} diff --git a/conf/modules.d/external_services.conf b/conf/modules.d/external_services.conf new file mode 100644 index 0000000..549c7d7 --- /dev/null +++ b/conf/modules.d/external_services.conf @@ -0,0 +1,92 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/external_services.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/external_services.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/external_services.html + +external_services { + oletools { + # If set force this action if any virus is found (default unset: no action is forced) + # action = "reject"; + # If set, then rejection message is set to this value (mention single quotes) + # If `max_size` is set, messages > n bytes in size are not scanned + # max_size = 20000000; + # log_clean = true; + # servers = "127.0.0.1:10050"; + # cache_expire = 86400; + # scan_mime_parts = true; + # extended = false; + # if `patterns` is specified virus name will be matched against provided regexes and the related + # symbol will be yielded if a match is found. If no match is found, default symbol is yielded. + patterns { + # symbol_name = "pattern"; + } + # mime-part regex matching in content-type or filename + mime_parts_filter_regex { + #GEN1 = "application\/octet-stream"; + DOC2 = "application\/msword"; + DOC3 = "application\/vnd\.ms-word.*"; + XLS = "application\/vnd\.ms-excel.*"; + PPT = "application\/vnd\.ms-powerpoint.*"; + GEN2 = "application\/vnd\.openxmlformats-officedocument.*"; + } + # Mime-Part filename extension matching (no regex) + mime_parts_filter_ext { + doc = "doc"; + dot = "dot"; + docx = "docx"; + dotx = "dotx"; + docm = "docm"; + dotm = "dotm"; + xls = "xls"; + xlt = "xlt"; + xla = "xla"; + xlsx = "xlsx"; + xltx = "xltx"; + xlsm = "xlsm"; + xltm = "xltm"; + xlam = "xlam"; + xlsb = "xlsb"; + ppt = "ppt"; + pot = "pot"; + pps = "pps"; + ppa = "ppa"; + pptx = "pptx"; + potx = "potx"; + ppsx = "ppsx"; + ppam = "ppam"; + pptm = "pptm"; + potm = "potm"; + ppsm = "ppsm"; + } + # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned. + whitelist = "/etc/rspamd/antivirus.wl"; + } + dcc { + # If set force this action if any virus is found (default unset: no action is forced) + # action = "reject"; + # If set, then rejection message is set to this value (mention single quotes) + # If `max_size` is set, messages > n bytes in size are not scanned + max_size = 20000000; + #servers = "127.0.0.1:10045"; + # if `patterns` is specified virus name will be matched against provided regexes and the related + # symbol will be yielded if a match is found. If no match is found, default symbol is yielded. + patterns { + # symbol_name = "pattern"; + } + # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned. + whitelist = "/etc/rspamd/antivirus.wl"; + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/external_services.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/external_services.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/external_services.conf" +} diff --git a/conf/modules.d/force_actions.conf b/conf/modules.d/force_actions.conf new file mode 100644 index 0000000..a753066 --- /dev/null +++ b/conf/modules.d/force_actions.conf @@ -0,0 +1,22 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/force_actions.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/force_actions.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/force_actions.html + +force_actions { + + # Refer to https://rspamd.com/doc/modules/force_actions.html for information on configuration + + .include(try=true,priority=5) "${DBDIR}/dynamic/force_actions.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/force_actions.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/force_actions.conf" +} diff --git a/conf/modules.d/forged_recipients.conf b/conf/modules.d/forged_recipients.conf new file mode 100644 index 0000000..b480bb1 --- /dev/null +++ b/conf/modules.d/forged_recipients.conf @@ -0,0 +1,22 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/forged_recipients.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/forged_recipients.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/forged_recipients.html + +forged_recipients { + symbol_sender = "FORGED_SENDER"; + symbol_rcpt = "FORGED_RECIPIENTS"; + + .include(try=true,priority=5) "${DBDIR}/dynamic/forged_recipients.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/forged_recipients.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/forged_recipients.conf" +} diff --git a/conf/modules.d/fuzzy_check.conf b/conf/modules.d/fuzzy_check.conf new file mode 100644 index 0000000..73e280f --- /dev/null +++ b/conf/modules.d/fuzzy_check.conf @@ -0,0 +1,49 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/fuzzy_check.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/fuzzy_check.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/fuzzy_check.html + +fuzzy_check { + min_bytes = 1k; # Since small parts and small attachments causes too many FP + timeout = 2s; + retransmits = 1; + rule "rspamd.com" { + algorithm = "mumhash"; + servers = "round-robin:fuzzy1.rspamd.com:11335,fuzzy2.rspamd.com:11335"; + encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy"; + symbol = "FUZZY_UNKNOWN"; + mime_types = ["*"]; + max_score = 20.0; + read_only = yes; + skip_unknown = yes; + short_text_direct_hash = true; # If less than min_length then use direct hash + min_length = 64; # Minimum words count to consider shingles + fuzzy_map = { + FUZZY_DENIED { + max_score = 20.0; + flag = 1; + } + FUZZY_PROB { + max_score = 10.0; + flag = 2; + } + FUZZY_WHITE { + max_score = 2.0; + flag = 3; + } + } + } + # Include dynamic conf for the rule + .include(try=true,priority=5) "${DBDIR}/dynamic/fuzzy_check.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/fuzzy_check.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/fuzzy_check.conf" +} diff --git a/conf/modules.d/greylist.conf b/conf/modules.d/greylist.conf new file mode 100644 index 0000000..fde9cc0 --- /dev/null +++ b/conf/modules.d/greylist.conf @@ -0,0 +1,35 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/greylist.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/greylist.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/greylisting.html + +greylist { + # Search "example.com" and "mail.example.com" for "mx.out.mail.example.com": + whitelist_domains_url = [ + "$LOCAL_CONFDIR/local.d/greylist-whitelist-domains.inc", + "$LOCAL_CONFDIR/local.d/maps.d/greylist-whitelist-domains.inc", + ]; + + expire = 1d; # 1 day by default + timeout = 5min; # 5 minutes by default + key_prefix = "rg"; # default hash name + max_data_len = 10k; # default data limit to hash + message = "Try again later"; # default greylisted message + #symbol = "GREYLIST"; # Symbol to insert + action = "soft reject"; # default greylisted action + ipv4_mask = 19; # Mask bits for ipv4 + ipv6_mask = 64; # Mask bits for ipv6 + + .include(try=true,priority=5) "${DBDIR}/dynamic/greylist.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/greylist.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/greylist.conf" +} diff --git a/conf/modules.d/hfilter.conf b/conf/modules.d/hfilter.conf new file mode 100644 index 0000000..36d5f47 --- /dev/null +++ b/conf/modules.d/hfilter.conf @@ -0,0 +1,26 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/hfilter.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/hfilter.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/hfilter.html + +hfilter { + helo_enabled = true; + hostname_enabled = true; + url_enabled = true; + from_enabled = true; + rcpt_enabled = true; + mid_enabled = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/hfilter.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/hfilter.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/hfilter.conf" +} diff --git a/conf/modules.d/history_redis.conf b/conf/modules.d/history_redis.conf new file mode 100644 index 0000000..0d1c7f6 --- /dev/null +++ b/conf/modules.d/history_redis.conf @@ -0,0 +1,25 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/history_redis.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/history_redis.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/history_redis.html + +history_redis { + #servers = 127.0.0.1:6379; # Redis server to store history + key_prefix = "rs_history"; # Default key name + nrows = 200; # Default rows limit + compress = true; # Use zstd compression when storing data in redis + subject_privacy = false; # subject privacy is off + + .include(try=true,priority=5) "${DBDIR}/dynamic/history_redis.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/history_redis.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/history_redis.conf" +} diff --git a/conf/modules.d/http_headers.conf b/conf/modules.d/http_headers.conf new file mode 100644 index 0000000..51e5b82 --- /dev/null +++ b/conf/modules.d/http_headers.conf @@ -0,0 +1,22 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/http_headers.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/http_headers.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/http_headers.html + +http_headers { + # This module is default-disabled + enabled = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/http_headers.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/http_headers.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/http_headers.conf" +} diff --git a/conf/modules.d/known_senders.conf b/conf/modules.d/known_senders.conf new file mode 100644 index 0000000..80b9239 --- /dev/null +++ b/conf/modules.d/known_senders.conf @@ -0,0 +1,31 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/known_senders.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/known_senders.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/known_senders.html + +known_senders { + # This module is default-disabled + enabled = false; + + # Domains to track senders + domains = "https://maps.rspamd.com/freemail/free.txt.zst"; + # Maximum number of elements + max_senders = 100000; + # Maximum time to live (when not using bloom filters) + max_ttl = 30d; + # Use bloom filters (must be enabled in Redis as a plugin) + use_bloom = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/known_senders.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/known_senders.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/known_senders.conf" +}
\ No newline at end of file diff --git a/conf/modules.d/maillist.conf b/conf/modules.d/maillist.conf new file mode 100644 index 0000000..3ddd0a6 --- /dev/null +++ b/conf/modules.d/maillist.conf @@ -0,0 +1,20 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/maillist.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/maillist.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/maillist.html + +maillist { + symbol = "MAILLIST"; + .include(try=true,priority=5) "${DBDIR}/dynamic/maillist.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/maillist.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/maillist.conf" +} diff --git a/conf/modules.d/metadata_exporter.conf b/conf/modules.d/metadata_exporter.conf new file mode 100644 index 0000000..cd62be5 --- /dev/null +++ b/conf/modules.d/metadata_exporter.conf @@ -0,0 +1,24 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/metadata_exporter.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/metadata_exporter.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/metadata_exporter.html + +metadata_exporter { + + # Refer to https://rspamd.com/doc/modules/metadata_exporter.html for information on configuration + rules { + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/metadata_exporter.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/metadata_exporter.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/metadata_exporter.conf" +} diff --git a/conf/modules.d/metric_exporter.conf b/conf/modules.d/metric_exporter.conf new file mode 100644 index 0000000..8edce1d --- /dev/null +++ b/conf/modules.d/metric_exporter.conf @@ -0,0 +1,21 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/metric_exporter.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/metric_exporter.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/metric_exporter.html +metric_exporter { + + # Refer to https://rspamd.com/doc/modules/metric_exporter.html for information on configuration + + .include(try=true,priority=5) "${DBDIR}/dynamic/metric_exporter.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/metric_exporter.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/metric_exporter.conf" +} diff --git a/conf/modules.d/mid.conf b/conf/modules.d/mid.conf new file mode 100644 index 0000000..e214a71 --- /dev/null +++ b/conf/modules.d/mid.conf @@ -0,0 +1,28 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/mid.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/mid.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/mid.html + +mid = { + source = { + url = [ + "https://maps.rspamd.com/rspamd/mid.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/mid.inc", + "$LOCAL_CONFDIR/local.d/mid.inc", + "fallback+file://${CONFDIR}/maps.d/mid.inc" + ]; + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/mid.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/mid.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/mid.conf" +} diff --git a/conf/modules.d/milter_headers.conf b/conf/modules.d/milter_headers.conf new file mode 100644 index 0000000..eafdaed --- /dev/null +++ b/conf/modules.d/milter_headers.conf @@ -0,0 +1,29 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/milter_headers.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/milter_headers.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/milter_headers.html + +milter_headers { + + # Refer to https://rspamd.com/doc/modules/milter_headers.html for information on configuration + + use = []; + + # Compatibility + .include(try=true,priority=5) "${DBDIR}/dynamic/rmilter_headers.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/rmilter_headers.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/rmilter_headers.conf" + + .include(try=true,priority=5) "${DBDIR}/dynamic/milter_headers.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/milter_headers.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/milter_headers.conf" +} diff --git a/conf/modules.d/mime_types.conf b/conf/modules.d/mime_types.conf new file mode 100644 index 0000000..1f67595 --- /dev/null +++ b/conf/modules.d/mime_types.conf @@ -0,0 +1,41 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/mime_types.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/mime_types.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/mime_types.html + +mime_types { + file = [ + "https://maps.rspamd.com/rspamd/mime_types.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/mime_types.inc.local", + "${DBDIR}/mime_types.inc.local", + "fallback+file://${CONFDIR}/maps.d/mime_types.inc" + ] + + # Match specific extensions to specific content types + extension_map = { + html = "text/html"; + txt = [ + "message/disposition-notification", + "text/plain", + "text/rfc822-headers" + ]; + pdf = [ + "application/octet-stream", + "application/pdf", + "application/x-pdf" + ]; + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/mime_types.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/mime_types.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/mime_types.conf" +} diff --git a/conf/modules.d/multimap.conf b/conf/modules.d/multimap.conf new file mode 100644 index 0000000..b707ddf --- /dev/null +++ b/conf/modules.d/multimap.conf @@ -0,0 +1,182 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/multimap.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/multimap.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/multimap.html + +multimap { + redirector { + type = "url"; + filter = "tld"; + map = "https://maps.rspamd.com/rspamd/redirectors.inc.zst"; + symbol = "REDIRECTOR_URL"; + description = "The presence of a redirector in the mail"; + score = 0.0; + one_shot = true; + } + + # Freemail Addresses + freemail_envfrom { + type = "from"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_ENVFROM"; + description = "Envelope From is a Freemail address"; + score = 0.0; + } + + freemail_envrcpt { + type = "rcpt"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_ENVRCPT"; + description = "Envelope Recipient is a Freemail address"; + score = 0.0; + one_shot = true; + } + + freemail_from { + type = "header"; + header = "from"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_FROM"; + description = "From is a Freemail address"; + score = 0.0; + } + + freemail_to { + type = "header"; + header = "To"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_TO"; + description = "To is a Freemail address"; + score = 0.0; + one_shot = true; + } + + freemail_cc { + type = "header"; + header = "Cc"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_CC"; + description = "To is a Freemail address"; + score = 0.0; + one_shot = true; + } + + freemail_replyto { + type = "header"; + header = "Reply-To"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/free.txt.zst"; + symbol = "FREEMAIL_REPLYTO"; + description = "Reply-To is a Freemail address"; + score = 0.0; + } + + # Disposable Addresses + disposable_envfrom { + type = "from"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_ENVFROM"; + description = "Envelope From is a Disposable e-mail address"; + score = 0.0; + } + + disposable_envrcpt { + type = "rcpt"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_ENVRCPT"; + description = "Envelope Recipient is a Disposable e-mail address"; + score = 0.0; + one_shot = true; + } + + disposable_from { + type = "header"; + header = "from"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_FROM"; + description = "From a Disposable e-mail address"; + score = 0.0; + } + + disposable_to { + type = "header"; + header = "To"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_TO"; + description = "To a disposable e-mail address"; + score = 0.0; + one_shot = true; + } + + disposable_cc { + type = "header"; + header = "Cc"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_CC"; + description = "To a disposable e-mail address"; + score = 0.0; + one_shot = true; + } + + disposable_replyto { + type = "header"; + header = "Reply-To"; + filter = "email:domain"; + map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; + symbol = "DISPOSABLE_REPLYTO"; + description = "Reply-To a disposable e-mail address"; + score = 0.0; + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/multimap.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/multimap.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/multimap.conf" +} + +/* Example setup +sender_from_whitelist_user { + type = "from"; + filter = "email:user"; + map = "file:///tmp/from.map"; + symbol = "SENDER_FROM_WHITELIST_USER"; + action = "accept"; # Prefilter mode +} +sender_from_regexp { + type = "header"; + header = "from"; + filter = 'regexp:/.*@/'; + map = "file:///tmp/from_re.map"; + symbol = "SENDER_FROM_REGEXP"; +} +url_map { + type = "url"; + filter = "tld"; + map = "file:///tmp/url.map"; + symbol = "URL_MAP"; +} +url_tld_re { + type = "url"; + filter = 'tld:regexp:/\.[^.]+$/'; # Extracts the last component of URL + map = "file:///tmp/url.map"; + symbol = "URL_MAP_RE"; +} +*/ diff --git a/conf/modules.d/mx_check.conf b/conf/modules.d/mx_check.conf new file mode 100644 index 0000000..2068fc5 --- /dev/null +++ b/conf/modules.d/mx_check.conf @@ -0,0 +1,43 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/mx_check.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/mx_check.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/mx_check.html + +# This module is *DISABLED* by default +# If you need to enable it, then define the following line in +# local.d/mx_check.conf: +# +# enabled = true; +# +# You also need to define redis servers for this module + +mx_check { + # connection timeout in seconds + timeout = 1.0; + # symbol yielded if no MX is connectable + symbol_bad_mx = "MX_INVALID"; + # symbol yielded if no MX is found + symbol_no_mx = "MX_MISSING"; + # symbol yielded if MX is connectable + symbol_good_mx = "MX_GOOD"; + # lifetime of redis cache - 1 day by default + expire = 86400; + # prefix used for redis key + key_prefix = "rmx"; + + # !!! Disabled by default !!! + enabled = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/mx_check.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/mx_check.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/mx_check.conf" +} diff --git a/conf/modules.d/neural.conf b/conf/modules.d/neural.conf new file mode 100644 index 0000000..2ab0cbe --- /dev/null +++ b/conf/modules.d/neural.conf @@ -0,0 +1,35 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/neural.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/neural.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/neural.html + +neural { + #servers = 127.0.0.1:6379; # Redis server to store learning data and ANN + + train { + max_trains = 1k; # Number of trains per epoch + max_usages = 20; # Number of learn iterations while ANN data is valid + learning_rate = 0.01; # Rate of learning (Torch only) + max_iterations = 25; # Maximum iterations of learning (Torch only) + } + + timeout = 20; # Increase redis timeout + + # Legacy support + .include(try=true,priority=5) "${DBDIR}/dynamic/fann_redis.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/fann_redis.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/fann_redis.conf" + + .include(try=true,priority=5) "${DBDIR}/dynamic/neural.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/neural.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/neural.conf" +} diff --git a/conf/modules.d/once_received.conf b/conf/modules.d/once_received.conf new file mode 100644 index 0000000..ab07492 --- /dev/null +++ b/conf/modules.d/once_received.conf @@ -0,0 +1,26 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/once_received.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/once_received.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/once_received.html + +once_received { + good_host = "mail"; + bad_host = "static"; + bad_host = "dynamic"; + symbol_strict = "ONCE_RECEIVED_STRICT"; + symbol = "ONCE_RECEIVED"; + symbol_mx = "DIRECT_TO_MX"; + + .include(try=true,priority=5) "${DBDIR}/dynamic/once_received.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/once_received.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/once_received.conf" +} diff --git a/conf/modules.d/p0f.conf b/conf/modules.d/p0f.conf new file mode 100644 index 0000000..049d4fe --- /dev/null +++ b/conf/modules.d/p0f.conf @@ -0,0 +1,45 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/p0f.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/p0f.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/p0f.html + +p0f { + # Disable module by default + enabled = false; + + # Path to the unix socket that p0f listens on + socket = '/var/run/p0f.sock'; + + # Connection timeout + timeout = 5s; + + # If defined, insert symbol with lookup results + symbol = 'P0F'; + + # Patterns to match against results returned by p0f + # Symbol will be yielded on OS string, link type or distance matches + patterns = { + WINDOWS = '^Windows.*'; + #DSL = '^DSL$'; + #DISTANCE10 = '^distance:10$'; + } + + # Cache lifetime in seconds (default - 2 hours) + expire = 7200; + + # Cache key prefix + prefix = 'p0f'; + + .include(try=true,priority=5) "${DBDIR}/dynamic/p0f.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/p0f.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/p0f.conf" +} diff --git a/conf/modules.d/phishing.conf b/conf/modules.d/phishing.conf new file mode 100644 index 0000000..a6531e6 --- /dev/null +++ b/conf/modules.d/phishing.conf @@ -0,0 +1,48 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/phishing.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/phishing.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/phishing.html + +phishing { + symbol = "PHISHING"; + # Disabled by default + openphish_enabled = false; + openphish_premium = false; + openphish_map = "https://www.openphish.com/feed.txt"; + # Phishtank is disabled by default in the module, so let's enable it here explicitly + phishtank_enabled = true; + + # List of excluded hosts from checks over openphish, phishtank and generic_service + phishing_feed_exclusion_symbol = "PHISHED_EXCLUDED"; + # Disabled by default + phishing_feed_exclusion_enabled = false; + phishing_feed_exclusion_map = "$LOCAL_CONFDIR/local.d/maps.d/phishing_feed_exclusion.inc"; + + # Make exclusions for known redirectors and domains + exceptions = { + REDIRECTOR_FALSE = [ + "https://maps.rspamd.com/rspamd/redirectors.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/redirectors.inc", + "$LOCAL_CONFDIR/local.d/redirectors.inc", + "fallback+file://${CONFDIR}/maps.d/redirectors.inc" + ]; + PHISHED_WHITELISTED = [ + "glob;https://maps.rspamd.com/rspamd/phishing_whitelist.inc.zst", + "glob;$LOCAL_CONFDIR/local.d/maps.d/phishing_whitelist.inc", + "glob;$LOCAL_CONFDIR/local.d/phishing_whitelist.inc", + ]; + }; + + .include(try=true,priority=5) "${DBDIR}/dynamic/phishing.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/phishing.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/phishing.conf" +} diff --git a/conf/modules.d/ratelimit.conf b/conf/modules.d/ratelimit.conf new file mode 100644 index 0000000..d1a91d3 --- /dev/null +++ b/conf/modules.d/ratelimit.conf @@ -0,0 +1,44 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/ratelimit.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/ratelimit.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/ratelimit.html + +ratelimit { + #rates { + # Predefined ratelimit + #to = { + # bucket = { + # burst = 100; + # rate = 0.01666666666666666666; # leak 1 message per minute + # } + #} + # or define it with selector + #other_limit_alt = { + # selector = 'rcpts:addr.take_n(5)'; + # bucket = { + # burst = 100; + # rate = "1 / 1m"; # leak 1 message per minute + # } + #} + #} + # If symbol is specified, then it is inserted *instead* of setting result to soft reject + #symbol = "R_RATELIMIT"; + + # If info_symbol is specified, then it is inserted next to set the result + #info_symbol = "R_RATELIMIT_INFO"; + + whitelisted_rcpts = "postmaster,mailer-daemon"; + + .include(try=true,priority=5) "${DBDIR}/dynamic/ratelimit.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/ratelimit.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/ratelimit.conf" +} diff --git a/conf/modules.d/rbl.conf b/conf/modules.d/rbl.conf new file mode 100644 index 0000000..79dfc84 --- /dev/null +++ b/conf/modules.d/rbl.conf @@ -0,0 +1,347 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/rbl.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/rbl.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/rbl.html + +rbl { + default_exclude_users = true; + default_unknown = true; + + url_whitelist = [ + "https://maps.rspamd.com/rspamd/surbl-whitelist.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/surbl-whitelist.inc.local", + "${DBDIR}/surbl-whitelist.inc.local", + "fallback+file://${CONFDIR}/maps.d/surbl-whitelist.inc" + ]; + + attached_maps = [ + { + selector_alias = "surbl_hashbl_map", + description = "SURBL hashbl map", + url = "regexp;http://sa-update.surbl.org/rspamd/surbl-hashbl-map.inc", + } + ] + + rbls { + + spamhaus { + symbol = "SPAMHAUS"; # Augmented by prefixes + rbl = "zen.spamhaus.org"; + # Check types + checks = ['received', 'from']; + + symbols_prefixes = { + received = 'RECEIVED', + from = 'RBL', + } + returncodes { + SPAMHAUS_SBL = "127.0.0.2"; + SPAMHAUS_CSS = "127.0.0.3"; + SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"]; + SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"]; + SPAMHAUS_DROP = "127.0.0.9"; + SPAMHAUS_BLOCKED_OPENRESOLVER = "127.255.255.254"; + SPAMHAUS_BLOCKED= "127.255.255.255"; + } + } + + mailspike { + symbol = "MAILSPIKE"; + rbl = "rep.mailspike.net"; + is_whitelist = true; + checks = ['from']; + whitelist_exception = "MAILSPIKE"; + whitelist_exception = "RWL_MAILSPIKE_GOOD"; + whitelist_exception = "RWL_MAILSPIKE_NEUTRAL"; + whitelist_exception = "RWL_MAILSPIKE_POSSIBLE"; + whitelist_exception = "RBL_MAILSPIKE_WORST"; + whitelist_exception = "RBL_MAILSPIKE_VERYBAD"; + whitelist_exception = "RBL_MAILSPIKE_BAD"; + returncodes { + RBL_MAILSPIKE_WORST = "127.0.0.10"; + RBL_MAILSPIKE_VERYBAD = "127.0.0.11"; + RBL_MAILSPIKE_BAD = "127.0.0.12"; + RWL_MAILSPIKE_NEUTRAL = ["127.0.0.16", "127.0.0.15", "127.0.0.14", "127.0.0.13"]; + RWL_MAILSPIKE_POSSIBLE = "127.0.0.17"; + RWL_MAILSPIKE_GOOD = "127.0.0.18"; + RWL_MAILSPIKE_VERYGOOD = "127.0.0.19"; + RWL_MAILSPIKE_EXCELLENT = "127.0.0.20"; + } + } + + senderscore { + symbol = "RBL_SENDERSCORE"; + checks = ['from']; + rbl = "bl.score.senderscore.com"; + } + + sem { + symbol = "RBL_SEM"; + rbl = "bl.spameatingmonkey.net"; + ipv6 = false; + checks = ['from']; + } + + semIPv6 { + symbol = "RBL_SEM_IPV6"; + rbl = "bl.ipv6.spameatingmonkey.net"; + ipv4 = false; + ipv6 = true; + checks = ['from']; + } + + dnswl { + symbol = "RCVD_IN_DNSWL"; + rbl = "list.dnswl.org"; + ipv6 = true; + checks = ['from', 'received']; + is_whitelist = true; + returncodes_matcher = "luapattern"; + whitelist_exception = "RCVD_IN_DNSWL"; + whitelist_exception = "RCVD_IN_DNSWL_NONE"; + whitelist_exception = "RCVD_IN_DNSWL_LOW"; + whitelist_exception = "DNSWL_BLOCKED"; + returncodes { + RCVD_IN_DNSWL_NONE = ["127%.0%.%d%.0", "127%.0%.[02-9]%d%.0", "127%.0%.1[1-9]%.0", "127%.0%.[12]%d%d%.0"]; + RCVD_IN_DNSWL_LOW = ["127%.0%.%d%.1", "127%.0%.[02-9]%d%.1", "127%.0%.1[1-9]%.1", "127%.0%.[12]%d%d%.1"]; + RCVD_IN_DNSWL_MED = ["127%.0%.%d%.2", "127%.0%.[02-9]%d%.2", "127%.0%.1[1-9]%.2", "127%.0%.[12]%d%d%.2"]; + RCVD_IN_DNSWL_HI = ["127%.0%.%d%.3", "127%.0%.[02-9]%d%.3", "127%.0%.1[1-9]%.3", "127%.0%.[12]%d%d%.3"]; + DNSWL_BLOCKED = ["127%.0%.0%.255", "127%.0%.10%.%d+"]; + } + } + + # Provided by https://virusfree.cz + virusfree { + symbol = "RBL_VIRUSFREE_UNKNOWN"; + rbl = "bip.virusfree.cz"; + ipv6 = true; + checks = ['from']; + returncodes { + RBL_VIRUSFREE_BOTNET = "127.0.0.2"; + } + } + + nixspam { + symbol = "RBL_NIXSPAM"; + rbl = "ix.dnsbl.manitu.net"; + ipv6 = true; + checks = ['from']; + } + + blocklistde { + symbols_prefixes = { + received = 'RECEIVED', + from = 'RBL', + } + symbol = "BLOCKLISTDE"; + rbl = "bl.blocklist.de"; + checks = ['from', 'received']; + } + + # Dkim whitelist + dnswl_dwl { + symbol = "DWL_DNSWL"; + rbl = "dwl.dnswl.org"; + checks = ['dkim']; + ignore_whitelist = true; + returncodes_matcher = "luapattern"; + unknown = false; + + returncodes { + DWL_DNSWL_NONE = ["127%.0%.%d%.0", "127%.0%.[02-9]%d%.0", "127%.0%.1[1-9]%.0", "127%.0%.[12]%d%d%.0"]; + DWL_DNSWL_LOW = ["127%.0%.%d%.1", "127%.0%.[02-9]%d%.1", "127%.0%.1[1-9]%.1", "127%.0%.[12]%d%d%.1"]; + DWL_DNSWL_MED = ["127%.0%.%d%.2", "127%.0%.[02-9]%d%.2", "127%.0%.1[1-9]%.2", "127%.0%.[12]%d%d%.2"]; + DWL_DNSWL_HI = ["127%.0%.%d%.3", "127%.0%.[02-9]%d%.3", "127%.0%.1[1-9]%.3", "127%.0%.[12]%d%d%.3"]; + DWL_DNSWL_BLOCKED = ["127%.0%.0%.255", "127%.0%.10%.%d+"]; + } + } + + RSPAMD_EMAILBL { + ignore_whitelist = true; + ignore_url_whitelist = true; + ignore_defaults = true; + exclude_users = false; + emails_delimiter = "."; + hash_format = "base32"; + hash_len = 32; + rbl = "email.rspamd.com"; + checks = ['emails', 'replyto']; + hash = "blake2"; + returncodes = { + RSPAMD_EMAILBL = "127.0.0.2"; + } + } + + MSBL_EBL { + ignore_whitelist = true; + ignore_url_whitelist = true; + ignore_defaults = true; + exclude_users = false; + rbl = "ebl.msbl.org"; + checks = ['emails', 'replyto']; + emails_domainonly = false; + hash = "sha1"; + returncodes = { + MSBL_EBL = [ + "127.0.0.2", + "127.0.0.3" + ]; + MSBL_EBL_GREY = [ + "127.0.1.2", + "127.0.1.3" + ]; + } + } + + "SURBL_MULTI" { + ignore_defaults = true; + rbl = "multi.surbl.org"; + checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls']; + emails_domainonly = true; + exclude_users = false; + + returnbits = { + CRACKED_SURBL = 128; + ABUSE_SURBL = 64; + MW_SURBL_MULTI = 16; + PH_SURBL_MULTI = 8; + SURBL_BLOCKED = 1; + } + } + + SURBL_HASHBL { + rbl = "hashbl.surbl.org"; + ignore_defaults = true; + random_monitored = true, + # TODO: make limit more configurable maybe? + selector = "specific_urls_filter_map('surbl_hashbl_map', {limit = 10}).apply_methods('get_host', 'get_path').join_tables('/')", + hash = 'md5'; + hash_len = 32; + returncodes_matcher = "luapattern"; + returncodes = { + SURBL_HASHBL_PHISH = "127.0.0.8"; + SURBL_HASHBL_MALWARE = "127.0.0.16"; + SURBL_HASHBL_ABUSE = "127.0.0.64"; + SURBL_HASHBL_CRACKED = "127.0.0.128"; + SURBL_HASHBL_EMAIL = "127.0.1.%d+"; + } + } + + "URIBL_MULTI" { + ignore_defaults = true; + rbl = "multi.uribl.com"; + checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls']; + emails_domainonly = true; + exclude_users = false; + + returnbits { + URIBL_BLOCKED = 1; + URIBL_BLACK = 2; + URIBL_GREY = 4; + URIBL_RED = 8; + } + } + + "RSPAMD_URIBL" { + ignore_defaults = true; + rbl = "uribl.rspamd.com"; + checks = ['emails', 'dkim', 'urls']; + emails_domainonly = true; + hash = 'blake2'; + hash_len = 32; + hash_format = 'base32'; + exclude_users = false; + + returncodes = { + RSPAMD_URIBL = [ + "127.0.0.2", + ]; + } + } + + "DBL" { + ignore_defaults = true; + rbl = "dbl.spamhaus.org"; + no_ip = true; + checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls']; + emails_domainonly = true; + exclude_users = false; + + returncodes = { + # spam domain + DBL_SPAM = "127.0.1.2"; + # phish domain + DBL_PHISH = "127.0.1.4"; + # malware domain + DBL_MALWARE = "127.0.1.5"; + # botnet C&C domain + DBL_BOTNET = "127.0.1.6"; + # abused legit spam + DBL_ABUSE = "127.0.1.102"; + # abused spammed redirector domain + DBL_ABUSE_REDIR = "127.0.1.103"; + # abused legit phish + DBL_ABUSE_PHISH = "127.0.1.104"; + # abused legit malware + DBL_ABUSE_MALWARE = "127.0.1.105"; + # abused legit botnet C&C + DBL_ABUSE_BOTNET = "127.0.1.106"; + # error - IP queries prohibited! + DBL_PROHIBIT = "127.0.1.255"; + # issue #3074 + DBL_BLOCKED_OPENRESOLVER = "127.255.255.254"; + DBL_BLOCKED = "127.255.255.255"; + } + } + + # Not enabled by default due to privacy concerns! (see also groups.d/surbl_group.conf) + "SPAMHAUS_ZEN_URIBL" { + enabled = false; + rbl = "zen.spamhaus.org"; + checks = ['emails']; + resolve_ip = true; + returncodes = { + URIBL_SBL = "127.0.0.2"; + URIBL_SBL_CSS = "127.0.0.3"; + URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"]; + URIBL_PBL = ["127.0.0.10", "127.0.0.11"]; + URIBL_DROP = "127.0.0.9"; + } + } + + "SEM_URIBL_UNKNOWN" { + ignore_defaults = true; + rbl = "uribl.spameatingmonkey.net"; + no_ip = true; + checks = ['emails', 'dkim', 'urls']; + emails_domainonly = true; + returnbits { + SEM_URIBL = 2; + } + } + + "SEM_URIBL_FRESH15_UNKNOWN" { + ignore_defaults = true; + rbl = "fresh15.spameatingmonkey.net"; + no_ip = true; + checks = ['emails', 'dkim', 'urls']; + emails_domainonly = true; + returnbits { + SEM_URIBL_FRESH15 = 2; + } + } + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/rbl.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/rbl.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/rbl.conf" +} diff --git a/conf/modules.d/redis.conf b/conf/modules.d/redis.conf new file mode 100644 index 0000000..24948b1 --- /dev/null +++ b/conf/modules.d/redis.conf @@ -0,0 +1,27 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/redis.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/redis.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# See https://rspamd.com/doc/configuration/redis.html + +redis { + #servers = "127.0.0.1"; # Read servers (unless write_servers are unspecified) + #servers = "master-slave:127.0.0.1,10.0.1.1"; + #write_servers = "127.0.0.1"; # Servers to write data + #disabled_modules = ["ratelimit"]; # List of modules that should not use redis from this section + #timeout = 1s; + #db = "0"; + #username = "some_username"; + #password = "some_password"; + .include(try=true,priority=5) "${DBDIR}/dynamic/redis.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/redis.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/redis.conf" +} diff --git a/conf/modules.d/regexp.conf b/conf/modules.d/regexp.conf new file mode 100644 index 0000000..f7d5921 --- /dev/null +++ b/conf/modules.d/regexp.conf @@ -0,0 +1,21 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/regexp.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/regexp.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/regexp.html + +regexp { + max_size = 1M; + + .include(try=true,priority=5) "${DBDIR}/dynamic/regexp.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/regexp.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/regexp.conf" +} diff --git a/conf/modules.d/replies.conf b/conf/modules.d/replies.conf new file mode 100644 index 0000000..a1a85df --- /dev/null +++ b/conf/modules.d/replies.conf @@ -0,0 +1,30 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/replies.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/replies.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/replies.html + +replies { + # This setting is non-default & is required to be set + # Redis servers to use + #servers = "localhost"; + # This setting is non-default & may be desirable + #action = "no action"; + # These are default settings you may want to change + expire = 86400; + key_prefix = "rr"; + message = "Message is reply to one we originated"; + symbol = "REPLY"; + + .include(try=true,priority=5) "${DBDIR}/dynamic/replies.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/replies.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/replies.conf" +} diff --git a/conf/modules.d/reputation.conf b/conf/modules.d/reputation.conf new file mode 100644 index 0000000..fe9d5f7 --- /dev/null +++ b/conf/modules.d/reputation.conf @@ -0,0 +1,30 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/reputation.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/reputation.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/reputation.html + +reputation { +# rules { +# SPF_REPUTATION = { +# selector { +# type = "spf"; +# } +# backend { +# type = "redis"; +# } +# symbol = "SPF_REPUTATION"; +# } +# } + .include(try=true,priority=5) "${DBDIR}/dynamic/reputation.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/reputation.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/reputation.conf" +} diff --git a/conf/modules.d/rspamd_update.conf b/conf/modules.d/rspamd_update.conf new file mode 100644 index 0000000..1b998b2 --- /dev/null +++ b/conf/modules.d/rspamd_update.conf @@ -0,0 +1,26 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/rspamd_update.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/rspamd_update.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/rspamd_update.html + +# This module is disabled by default, please don't enable it unless you know +# what are you doing! + +rspamd_update { + rules = "sign+https://updates.rspamd.com/rspamd-${BRANCH_VERSION}.ucl"; + key = "qxuogdh5eghytji1utkkte1dn3n81c3y5twe61uzoddzwqzuxxyb"; + enabled = false; # Disable this module by default + + .include(try=true,priority=5) "${DBDIR}/dynamic/rspamd_update.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/rspamd_update.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/rspamd_update.conf" +} diff --git a/conf/modules.d/spamassassin.conf b/conf/modules.d/spamassassin.conf new file mode 100644 index 0000000..79f7527 --- /dev/null +++ b/conf/modules.d/spamassassin.conf @@ -0,0 +1,26 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/spamassassin.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/spamassassin.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/spamassassin.html + +spamassassin { + # This config defines no SA files leaving this module efficiently disabled by default + #ruleset = "/path/to/file"; + # Limit search size to 100 kilobytes for all regular expressions + #match_limit = 100k; + # Those regexp atoms will not be passed through hyperscan: + #pcre_only = ["RULE1", "__RULE2"]; + + .include(try=true,priority=5) "${DBDIR}/dynamic/spamassassin.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/spamassassin.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/spamassassin.conf" +} diff --git a/conf/modules.d/spamtrap.conf b/conf/modules.d/spamtrap.conf new file mode 100644 index 0000000..d0e70f6 --- /dev/null +++ b/conf/modules.d/spamtrap.conf @@ -0,0 +1,53 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/spamtrap.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/spamtrap.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/spamtrap.html + +# This module is *DISABLED* by default +# If you need to enable it, then define the following line in +# local.d/spamtrap.conf: +# +# enabled = true; +# +# You also need to define redis servers for this module + +spamtrap { + # Optionally set an action + #action = "no action"; + # A map file containing regexp entries for spamtrap emails and domains + #map = file://$LOCAL_CONFDIR/local.d/maps.d/spamtrap.map + # Name of the symbol + #symbol = "SPAMTRAP"; + # A score for this module + #score = 0.0; + # Flag to enable fuzzy learning + learn_fuzzy = false; + # Flag to enable bayes spam learning + learn_spam = false; + # Fuzzy flag + #fuzzy_flag = 1; + # Fuzzy weight + #fuzzy_weight = 10.0; + # Redis key prefix + #key_prefix = 'sptr_'; + # Skip spamtrap checks for authorized users + #check_authed = false; + # Skip spamtrap checks for local networks + #check_local = false; + + # !!! Disabled by default !!! + enabled = false; + + .include(try=true,priority=5) "${DBDIR}/dynamic/spamtrap.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/spamtrap.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/spamtrap.conf" +} diff --git a/conf/modules.d/spf.conf b/conf/modules.d/spf.conf new file mode 100644 index 0000000..c4284bc --- /dev/null +++ b/conf/modules.d/spf.conf @@ -0,0 +1,22 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/spf.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/spf.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/spf.html +spf { + spf_cache_size = 2k; + spf_cache_expire = 1d; + + .include(try=true,priority=5) "${DBDIR}/dynamic/spf.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/spf.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/spf.conf" + +} diff --git a/conf/modules.d/surbl.conf b/conf/modules.d/surbl.conf new file mode 100644 index 0000000..89b8842 --- /dev/null +++ b/conf/modules.d/surbl.conf @@ -0,0 +1,9 @@ +# Deprecated, use RBL module! +surbl { + rules { + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/surbl.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/surbl.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/surbl.conf" +} diff --git a/conf/modules.d/trie.conf b/conf/modules.d/trie.conf new file mode 100644 index 0000000..9a1e1ca --- /dev/null +++ b/conf/modules.d/trie.conf @@ -0,0 +1,37 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/trie.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/trie.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/trie.html + +trie { + # Each subsection defines a single rule with associated symbol + # This config defines no tries leaving this module efficiently disabled by default +# SYMBOL1 { +# # Define rules in the file (it is *NOT* a map) +# file = "/some/path"; +# # Raw rules search within the whole undecoded messages +# raw = true; +# # If we have multiple occurrences of strings from this rule +# # then we insert a symbol multiple times +# multi = true; +# } +# SYMBOL2 { +# patterns = [ +# "pattern1", +# "pattern2", +# "pattern3" +# ] +# } + .include(try=true,priority=5) "${DBDIR}/dynamic/trie.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/trie.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/trie.conf" +} diff --git a/conf/modules.d/url_redirector.conf b/conf/modules.d/url_redirector.conf new file mode 100644 index 0000000..da3b5bb --- /dev/null +++ b/conf/modules.d/url_redirector.conf @@ -0,0 +1,27 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/url_redirector.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/url_redirector.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/url_redirector.html + +url_redirector { + expire = 1d; # 1 day by default + timeout = 10; # 10 seconds by default + nested_limit = 1; # How many redirects to follow + #proxy = "http://example.com:3128"; # Send request through proxy + key_prefix = "rdr:"; # default hash name + check_ssl = false; # check ssl certificates + max_size = 10k; # maximum body to process + + .include(try=true,priority=5) "${DBDIR}/dynamic/url_redirector.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/url_redirector.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/url_redirector.conf" +} diff --git a/conf/modules.d/whitelist.conf b/conf/modules.d/whitelist.conf new file mode 100644 index 0000000..a4b39aa --- /dev/null +++ b/conf/modules.d/whitelist.conf @@ -0,0 +1,66 @@ +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify 'local.d/whitelist.conf' to add and merge +# parameters defined inside this section +# +# You can modify 'override.d/whitelist.conf' to strictly override all +# parameters defined inside this section +# +# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories +# for details +# +# Module documentation can be found at https://rspamd.com/doc/modules/whitelist.html + +whitelist { + rules { + "WHITELIST_SPF" = { + valid_spf = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/spf_whitelist.inc.local", + "${DBDIR}/spf_whitelist.inc.local", + "fallback+file://${CONFDIR}/maps.d/spf_whitelist.inc" + ]; + score = -1.0 + inverse_symbol = "BLACKLIST_SPF"; + } + + "WHITELIST_DKIM" = { + valid_dkim = true; + domains = [ + "$LOCAL_CONFDIR/local.d/maps.d/dkim_whitelist.inc.local", + "${DBDIR}/dkim_whitelist.inc.local", + "fallback+file://${CONFDIR}/maps.d/dkim_whitelist.inc" + ]; + score = -1.0; + inverse_symbol = "BLACKLIST_DKIM"; + } + "WHITELIST_SPF_DKIM" = { + valid_spf = true; + valid_dkim = true; + domains = [ + "https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/spf_dkim_whitelist.inc.local", + "${DBDIR}/spf_dkim_whitelist.inc.local", + "fallback+file://${CONFDIR}/maps.d/spf_dkim_whitelist.inc" + ]; + score = -3.0; + inverse_symbol = "BLACKLIST_SPF_DKIM"; + } + "WHITELIST_DMARC" = { + valid_dmarc = true; + domains = [ + "https://maps.rspamd.com/rspamd/dmarc_whitelist_new.inc.zst", + "$LOCAL_CONFDIR/local.d/maps.d/dmarc_whitelist.inc.local", + "${DBDIR}/dmarc_whitelist.inc.local", + "fallback+file://${CONFDIR}/maps.d/dmarc_whitelist.inc" + ]; + score = -7.0; + inverse_symbol = "BLACKLIST_DMARC"; + } + } + + .include(try=true,priority=5) "${DBDIR}/dynamic/whitelist.conf" + .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/whitelist.conf" + .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/whitelist.conf" +} |