Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use Sieve for Rspamd and SA/Amavis 

As mentioned by @polarathene, the previous changes included a mixture of
Dovecot Sieve (for Rspamd) and a native implementation for SA/Amavis.
Now, we handle everything through Sieve. This is really a breaking
change.
This commit is contained in:
georglauterbach 2024-01-26 14:18:28 +01:00
parent 8d58e1565f
commit 8ea0ae2ff0
No known key found for this signature in database
GPG Key ID: F367F7C43C118578
3 changed files with 54 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
target/scripts/start-mailserver.sh
View File

@ -49,6 +49,7 @@ function _register_functions() {
_register_setup_function '_setup_dovecot_sieve' _register_setup_function '_setup_dovecot_sieve'
_register_setup_function '_setup_dovecot_dhparam' _register_setup_function '_setup_dovecot_dhparam'
_register_setup_function '_setup_dovecot_quota' _register_setup_function '_setup_dovecot_quota'
_register_setup_function '_setup_spam_subject'
_register_setup_function '_setup_spam_to_junk' _register_setup_function '_setup_spam_to_junk'
_register_setup_function '_setup_spam_mark_as_read' _register_setup_function '_setup_spam_mark_as_read'
fi fi

60
target/scripts/startup/setup.d/security/misc.sh
View File

@ -81,13 +81,9 @@ function __setup__security__spamassassin() {
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults sed -i -r 's|^\$sa_kill_level_deflt (.*);|\$sa_kill_level_deflt = '"${SA_KILL}"';|g' /etc/amavis/conf.d/20-debian_defaults
if [[ -z ${SPAM_SUBJECT} ]]; then # disable rewriting the subject as this is handles by _setup_spam_subject (which uses Dovecot Sieve)
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = undef;|g' /etc/amavis/conf.d/20-debian_defaults sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = undef;|g' /etc/amavis/conf.d/20-debian_defaults
else
# shellcheck disable=SC2016
sed -i -r 's|^\$sa_spam_subject_tag (.*);|\$sa_spam_subject_tag = '"'${SPAM_SUBJECT}'"';|g' /etc/amavis/conf.d/20-debian_defaults
fi
# activate short circuits when SA BAYES is certain it has spam or ham. # activate short circuits when SA BAYES is certain it has spam or ham.
if [[ ${SA_SHORTCIRCUIT_BAYES_SPAM} -eq 1 ]]; then if [[ ${SA_SHORTCIRCUIT_BAYES_SPAM} -eq 1 ]]; then
@ -245,6 +241,56 @@ function __setup__security__amavis() {
fi fi
} }
# If `SPAM_SUBJECT` is not empty, we create a Sieve script that alters the `Subject`
# header, in order to prepend a user-defined string.
function _setup_spam_subject() {
if [[ -z ${SPAM_SUBJECT} ]]
then
__rspamd__log 'debug' 'Spam subject is not set - no prefix will be added to spam e-mails'
else
__rspamd__log 'debug' "Spam subject is set - the prefix '${SPAM_SUBJECT}' will be added to spam e-mails"
__rspamd__log 'trace' "Enabling '+editheader' Sieve extension"
# check whether sieve_global_extensions is disabled (and enabled it if so)
sed -i -E 's|#(sieve_global_extensions.*)|\1|' /etc/dovecot/conf.d/90-sieve.conf
# then append the extension
sedfile -i -E 's|(sieve_global_extensions.*)|\1 +editheader|' /etc/dovecot/conf.d/90-sieve.conf
# This directory contains Sieve scripts that are executed before user-defined Sieve
# scripts run.
local DOVECOT_SIEVE_GLOBAL_BEFORE_DIR='/usr/lib/dovecot/sieve-global/before'
local DOVECOT_SIEVE_FILE='spam_subject'
readonly DOVECOT_SIEVE_GLOBAL_BEFORE_DIR DOVECOT_SIEVE_FILE
mkdir -p "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}"
# ref: https://superuser.com/a/1502589
cat >"${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}.sieve" << EOF
require ["editheader","variables"];
if anyof (header :contains "X-Spam-Flag" "YES",
header :contains "X-Spam" "Yes")
{
# Match the entire subject ...
if header :matches "Subject" "*" {
# ... to get it in a match group that can then be stored in a variable:
set "subject" "\${1}";
}
# We can't "replace" a header, but we can delete (all instances of) it and
# re-add (a single instance of) it:
deleteheader "Subject";
# Note that the header is added ":last" (so it won't appear before possible
# "Received" headers).
addheader :last "Subject" "${SPAM_SUBJECT}\${subject}";
}
EOF
sievec "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}.sieve"
chown dovecot:root "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}."{sieve,svbin}
fi
}
# We can use Sieve to move spam emails to the "Junk" folder. # We can use Sieve to move spam emails to the "Junk" folder.
function _setup_spam_to_junk() { function _setup_spam_to_junk() {
if [[ ${MOVE_SPAM_TO_JUNK} -eq 1 ]]; then if [[ ${MOVE_SPAM_TO_JUNK} -eq 1 ]]; then

50
target/scripts/startup/setup.d/security/rspamd.sh
View File

@ -21,7 +21,6 @@ function _setup_rspamd() {
__rspamd__setup_greylisting __rspamd__setup_greylisting
__rspamd__setup_hfilter_group __rspamd__setup_hfilter_group
__rspamd__setup_check_authenticated __rspamd__setup_check_authenticated
__rspamd__setup_spam_subject
_rspamd_handle_user_modules_adjustments # must run last _rspamd_handle_user_modules_adjustments # must run last
# only performing checks, no further setup handled from here onwards # only performing checks, no further setup handled from here onwards
@ -305,55 +304,6 @@ function __rspamd__setup_check_authenticated() {
fi fi
} }
# If `SPAM_SUBJECT` is not empty, we create a Sieve script that alters the `Subject`
# header, in order to prepend a user-defined string.
function __rspamd__setup_spam_subject() {
if [[ -z ${SPAM_SUBJECT} ]]
then
__rspamd__log 'debug' 'Spam subject is not set - no prefix will be added to spam e-mails'
else
__rspamd__log 'debug' "Spam subject is set - the prefix '${SPAM_SUBJECT}' will be added to spam e-mails"
__rspamd__log 'trace' "Enabling '+editheader' Sieve extension"
# check whether sieve_global_extensions is disabled (and enabled it if so)
sed -i -E 's|#(sieve_global_extensions.*)|\1|' /etc/dovecot/conf.d/90-sieve.conf
# then append the extension
sedfile -i -E 's|(sieve_global_extensions.*)|\1 +editheader|' /etc/dovecot/conf.d/90-sieve.conf
# This directory contains Sieve scripts that are executed before user-defined Sieve
# scripts run.
local DOVECOT_SIEVE_GLOBAL_BEFORE_DIR='/usr/lib/dovecot/sieve-global/before'
local DOVECOT_SIEVE_FILE='rspamd_spam_subject'
readonly DOVECOT_SIEVE_GLOBAL_BEFORE_DIR DOVECOT_SIEVE_FILE
mkdir -p "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}"
# ref: https://superuser.com/a/1502589
cat >"${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}.sieve" << EOF
require ["editheader","variables"];
if header :contains "X-Spam" "Yes"
{
# Match the entire subject ...
if header :matches "Subject" "*" {
# ... to get it in a match group that can then be stored in a variable:
set "subject" "\${1}";
}
# We can't "replace" a header, but we can delete (all instances of) it and
# re-add (a single instance of) it:
deleteheader "Subject";
# Note that the header is added ":last" (so it won't appear before possible
# "Received" headers).
addheader :last "Subject" "${SPAM_SUBJECT}\${subject}";
}
EOF
sievec "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}.sieve"
chown dovecot:root "${DOVECOT_SIEVE_GLOBAL_BEFORE_DIR}/${DOVECOT_SIEVE_FILE}."{sieve,svbin}
fi
}
# This function performs a simple check: go through DKIM configuration files, acquire # This function performs a simple check: go through DKIM configuration files, acquire
# all private key file locations and check whether they exist and whether they can be # all private key file locations and check whether they exist and whether they can be
# accessed by Rspamd. # accessed by Rspamd.