mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19741 Commits
28 Branches
Tree: 05fd471df5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '05fd471df5'
${ noResults }
rspamd/src/plugins/lua/greylist.lua

greylist.lua 16KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. Copyright (c) 2016, Alexey Savelyev <info@homeweb.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. --[[

  19. Example domains whitelist config:

  20. greylist {

  21.   # Search "example.com" and "mail.example.com" for "mx.out.mail.example.com":

  22.   whitelist_domains_url = [

  23.     "$LOCAL_CONFDIR/local.d/maps.d/greylist-whitelist-domains.inc",

  24.     "${CONFDIR}/maps.d/maillist.inc",

  25.     "${CONFDIR}/maps.d/redirectors.inc",

  26.     "${CONFDIR}/maps.d/dmarc_whitelist.inc",

  27.     "${CONFDIR}/maps.d/spf_dkim_whitelist.inc",

  28.     "${CONFDIR}/maps.d/surbl-whitelist.inc",

  29.     "https://maps.rspamd.com/freemail/free.txt.zst"

  30.   ];

  31. }

  32. Example config for exim users:

  33. greylist {

  34.   action = "greylist";

  35. }

  36. --]]

  37. 

  38. if confighelp then

  39.   rspamd_config:add_example(nil, 'greylist',

  40.       "Performs adaptive greylisting using Redis",

  41.       [[

  42. greylist {

  43.   # Buckets expire (1 day by default)

  44.   expire = 1d;

  45.   # Greylisting timeout

  46.   timeout = 5m;

  47.   # Redis prefix

  48.   key_prefix = 'rg';

  49.   # Use body hash up to this value of bytes for greylisting

  50.   max_data_len = 10k;

  51.   # Default greylisting message

  52.   message = 'Try again later';

  53.   # Append symbol on greylisting

  54.   symbol = 'GREYLIST';

  55.   # Default action change (for Exim use `greylist`)

  56.   action = 'soft reject';

  57.   # Skip greylisting if one of the following symbols has been found

  58.   whitelist_symbols = [];

  59.   # Mask bits for ipv4

  60.   ipv4_mask = 19;

  61.   # Mask bits for ipv6

  62.   ipv6_mask = 64;

  63.    # Tell when greylisting is expired (appended to `message`)

  64.   report_time = false;

  65.   # Greylist local messages

  66.   check_local = false;

  67.   # Greylist messages from authenticated users

  68.   check_authed = false;

  69. }

  70.   ]])

  71.   return

  72. end

  73. 

  74. -- A plugin that implements greylisting using redis

  75. 

  76. local redis_params

  77. local whitelisted_ip

  78. local whitelist_domains_map

  79. local toint = math.ifloor or math.floor

  80. local settings = {

  81.   expire = 86400, -- 1 day by default

  82.   timeout = 300, -- 5 minutes by default

  83.   key_prefix = 'rg', -- default hash name

  84.   max_data_len = 10240, -- default data limit to hash

  85.   message = 'Try again later', -- default greylisted message

  86.   symbol = 'GREYLIST',

  87.   action = 'soft reject', -- default greylisted action

  88.   whitelist_symbols = {}, -- whitelist when specific symbols have been found

  89.   ipv4_mask = 19, -- Mask bits for ipv4

  90.   ipv6_mask = 64, -- Mask bits for ipv6

  91.   report_time = false, -- Tell when greylisting is epired (appended to `message`)

  92.   check_local = false,

  93.   check_authed = false,

  94. }

  95. 

  96. local rspamd_logger = require "rspamd_logger"

  97. local rspamd_util = require "rspamd_util"

  98. local lua_redis = require "lua_redis"

  99. local lua_util = require "lua_util"

  100. local fun = require "fun"

  101. local hash = require "rspamd_cryptobox_hash"

  102. local rspamd_lua_utils = require "lua_util"

  103. local lua_map = require "lua_maps"

  104. local N = "greylist"

  105. 

  106. local function data_key(task)

  107.   local cached = task:get_mempool():get_variable("grey_bodyhash")

  108.   if cached then

  109.     return cached

  110.   end

  111. 

  112.   local body = task:get_rawbody()

  113. 

  114.   if not body then return nil end

  115. 

  116.   local len = body:len()

  117.   if len > settings['max_data_len'] then

  118.     len = settings['max_data_len']

  119.   end

  120. 

  121.   local h = hash.create()

  122.   h:update(body, len)

  123. 

  124.   local b32 = settings['key_prefix'] .. 'b' .. h:base32():sub(1, 20)

  125.   task:get_mempool():set_variable("grey_bodyhash", b32)

  126.   return b32

  127. end

  128. 

  129. local function envelope_key(task)

  130.   local cached = task:get_mempool():get_variable("grey_metahash")

  131.   if cached then

  132.     return cached

  133.   end

  134. 

  135.   local from = task:get_from('smtp')

  136.   local h = hash.create()

  137. 

  138.   local addr = '<>'

  139.   if from and from[1] then

  140.     addr = from[1]['addr']

  141.   end

  142. 

  143.   h:update(addr)

  144.   local rcpt = task:get_recipients('smtp')

  145.   if rcpt then

  146.     table.sort(rcpt, function(r1, r2)

  147.       return r1['addr'] < r2['addr']

  148.     end)

  149. 

  150.     fun.each(function(r)

  151.       h:update(r['addr'])

  152.     end, rcpt)

  153.   end

  154. 

  155.   local ip = task:get_ip()

  156. 

  157.   if ip and ip:is_valid() then

  158.     local s

  159.     if ip:get_version() == 4 then

  160.       s = tostring(ip:apply_mask(settings['ipv4_mask']))

  161.     else

  162.       s = tostring(ip:apply_mask(settings['ipv6_mask']))

  163.     end

  164.     h:update(s)

  165.   end

  166. 

  167.   local b32 = settings['key_prefix'] .. 'm' .. h:base32():sub(1, 20)

  168.   task:get_mempool():set_variable("grey_metahash", b32)

  169.   return b32

  170. end

  171. 

  172. -- Returns pair of booleans: found,greylisted

  173. local function check_time(task, tm, type, now)

  174.   local t = tonumber(tm)

  175. 

  176.   if not t then

  177.     rspamd_logger.errx(task, 'not a valid number: %s', tm)

  178.     return false,false

  179.   end

  180. 

  181.   if now - t < settings['timeout'] then

  182.     return true,true

  183.   else

  184.     -- We just set variable to pass when in post-filter stage

  185.     task:get_mempool():set_variable("grey_whitelisted", type)

  186. 

  187.     return true,false

  188.   end

  189. end

  190. 

  191. local function greylist_message(task, end_time, why)

  192.   task:insert_result(settings['symbol'], 0.0, 'greylisted', end_time, why)

  193. 

  194.   if not settings.check_local and rspamd_lua_utils.is_rspamc_or_controller(task) then

  195.     return

  196.   end

  197. 

  198.   if settings.message_func then

  199.     task:set_pre_result(settings['action'],

  200.       settings.message_func(task, end_time), N)

  201.   else

  202.     local message = settings['message']

  203.     if settings.report_time then

  204.       message = string.format("%s: %s", message, end_time)

  205.     end

  206.     task:set_pre_result(settings['action'], message, N)

  207.   end

  208. 

  209.   task:set_flag('greylisted')

  210. end

  211. 

  212. local function greylist_check(task)

  213.   local ip = task:get_ip()

  214. 

  215.   if ((not settings.check_authed and task:get_user()) or

  216.       (not settings.check_local and ip and ip:is_local())) then

  217.     rspamd_logger.infox(task, "skip greylisting for local networks and/or authorized users");

  218.     return

  219.   end

  220. 

  221.   if ip and ip:is_valid() and whitelisted_ip then

  222.     if whitelisted_ip:get_key(ip) then

  223.       -- Do not check whitelisted ip

  224.       rspamd_logger.infox(task, 'skip greylisting for whitelisted IP')

  225.       return

  226.     end

  227.   end

  228. 

  229.   local body_key = data_key(task)

  230.   local meta_key = envelope_key(task)

  231.   local hash_key = body_key .. meta_key

  232. 

  233.   local function redis_get_cb(err, data)

  234.     local ret_body = false

  235.     local greylisted_body = false

  236.     local ret_meta = false

  237.     local greylisted_meta = false

  238. 

  239.     if data then

  240.       local end_time_body,end_time_meta

  241.       local now = rspamd_util.get_time()

  242. 

  243.       if data[1] and type(data[1]) ~= 'userdata' then

  244.         local tm = tonumber(data[1]) or now

  245.         ret_body,greylisted_body = check_time(task, data[1], 'body', now)

  246.         if greylisted_body then

  247.           end_time_body = tm + settings['timeout']

  248.           task:get_mempool():set_variable("grey_greylisted_body",

  249.               rspamd_util.time_to_string(end_time_body))

  250.         end

  251.       end

  252. 

  253.       if data[2] and type(data[2]) ~= 'userdata' then

  254.         if not ret_body or greylisted_body then

  255.           local tm = tonumber(data[2]) or now

  256.           ret_meta,greylisted_meta = check_time(task, data[2], 'meta', now)

  257. 

  258.           if greylisted_meta then

  259.             end_time_meta = tm + settings['timeout']

  260.             task:get_mempool():set_variable("grey_greylisted_meta",

  261.                 rspamd_util.time_to_string(end_time_meta))

  262.           end

  263.         end

  264.       end

  265. 

  266.       local how

  267.       local end_time_str

  268. 

  269.       if not ret_body and not ret_meta then

  270.         -- no record found

  271.         task:get_mempool():set_variable("grey_greylisted", 'true')

  272.       elseif greylisted_body and greylisted_meta then

  273.         end_time_str = rspamd_util.time_to_string(

  274.             math.min(end_time_body, end_time_meta))

  275.         how = 'meta and body'

  276.       elseif greylisted_body then

  277.         end_time_str = rspamd_util.time_to_string(end_time_body)

  278.         how = 'body only'

  279.       elseif greylisted_meta then

  280.         end_time_str = rspamd_util.time_to_string(end_time_meta)

  281.         how = 'meta only'

  282.       end

  283. 

  284.       if how and end_time_str then

  285.         rspamd_logger.infox(task, 'greylisted until "%s" (%s)',

  286.             end_time_str, how)

  287.         greylist_message(task, end_time_str, 'too early')

  288.       end

  289.     elseif err then

  290.       rspamd_logger.errx(task, 'got error while getting greylisting keys: %1', err)

  291.       return

  292.     end

  293.   end

  294. 

  295.   local ret = lua_redis.redis_make_request(task,

  296.       redis_params, -- connect params

  297.       hash_key, -- hash key

  298.       false, -- is write

  299.       redis_get_cb, --callback

  300.       'MGET', -- command

  301.       {body_key, meta_key} -- arguments

  302.   )

  303.   if not ret then

  304.     rspamd_logger.errx(task, 'cannot make redis request to check results')

  305.   end

  306. end

  307. 

  308. local function greylist_set(task)

  309.   local action = task:get_metric_action()

  310.   local ip = task:get_ip()

  311. 

  312.   -- Don't do anything if pre-result has been already set

  313.   if task:has_pre_result() then return end

  314. 

  315.   -- Check whitelist_symbols

  316.   for _,sym in ipairs(settings.whitelist_symbols) do

  317.     if task:has_symbol(sym) then

  318.       rspamd_logger.infox(task, 'skip greylisting as we have found symbol %s', sym)

  319.       if action == 'greylist' then

  320.         -- We are going to accept message

  321.         rspamd_logger.infox(task, 'downgrading metric action from "greylist" to "no action"')

  322.         task:disable_action('greylist')

  323.       end

  324.       return

  325.     end

  326.   end

  327. 

  328.   if settings.greylist_min_score then

  329.     local score = task:get_metric_score('default')[1]

  330.     if score < settings.greylist_min_score then

  331.       rspamd_logger.infox(task, 'Score too low - skip greylisting')

  332.       if action == 'greylist' then

  333.         -- We are going to accept message

  334.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  335.         task:disable_action('greylist')

  336.       end

  337.       return

  338.     end

  339.   end

  340. 

  341.   if ((not settings.check_authed and task:get_user()) or

  342.       (not settings.check_local and ip and ip:is_local())) then

  343.     if action == 'greylist' then

  344.       -- We are going to accept message

  345.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  346.       task:disable_action('greylist')

  347.     end

  348.     return

  349.   end

  350. 

  351.   if ip and ip:is_valid() and whitelisted_ip then

  352.     if whitelisted_ip:get_key(ip) then

  353.       if action == 'greylist' then

  354.         -- We are going to accept message

  355.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  356.         task:disable_action('greylist')

  357.       end

  358.       return

  359.     end

  360.   end

  361. 

  362.   local is_whitelisted = task:get_mempool():get_variable("grey_whitelisted")

  363.   local do_greylisting = task:get_mempool():get_variable("grey_greylisted")

  364.   local do_greylisting_required = task:get_mempool():get_variable("grey_greylisted_required")

  365. 

  366.   -- Third and second level domains whitelist

  367.   if not is_whitelisted and whitelist_domains_map then

  368.     local hostname = task:get_hostname()

  369.     if hostname then

  370.       local domain = rspamd_util.get_tld(hostname)

  371.       if whitelist_domains_map:get_key(hostname) or (domain and whitelist_domains_map:get_key(domain)) then

  372.         is_whitelisted = 'meta'

  373.         rspamd_logger.infox(task, 'skip greylisting for whitelisted domain')

  374.       end

  375.     end

  376.   end

  377. 

  378.   if action == 'reject' or

  379.       not do_greylisting_required and action == 'no action' then

  380.     return

  381.   end

  382.   local body_key = data_key(task)

  383.   local meta_key = envelope_key(task)

  384.   local upstream, ret, conn

  385.   local hash_key = body_key .. meta_key

  386. 

  387.   local function redis_set_cb(err)

  388.     if err then

  389.       rspamd_logger.errx(task, 'got error %s when setting greylisting record on server %s',

  390.         err, upstream:get_addr())

  391.     end

  392.   end

  393. 

  394.   local is_rspamc = rspamd_lua_utils.is_rspamc_or_controller(task)

  395. 

  396.   if is_whitelisted then

  397.     if action == 'greylist' then

  398.       -- We are going to accept message

  399.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  400.       task:disable_action('greylist')

  401.     end

  402. 

  403.     task:insert_result(settings['symbol'], 0.0, 'pass', is_whitelisted)

  404.     rspamd_logger.infox(task, 'greylisting pass (%s) until %s',

  405.       is_whitelisted,

  406.       rspamd_util.time_to_string(rspamd_util.get_time() + settings['expire']))

  407. 

  408.     if not settings.check_local and is_rspamc then return end

  409. 

  410.     ret,conn,upstream = lua_redis.redis_make_request(task,

  411.       redis_params, -- connect params

  412.       hash_key, -- hash key

  413.       true, -- is write

  414.       redis_set_cb, --callback

  415.       'EXPIRE', -- command

  416.       {body_key, tostring(toint(settings['expire']))} -- arguments

  417.     )

  418.     -- Update greylisting record expire

  419.     if ret then

  420.       conn:add_cmd('EXPIRE', {

  421.         meta_key, tostring(toint(settings['expire']))

  422.       })

  423.     else

  424.       rspamd_logger.errx(task, 'got error while connecting to redis')

  425.     end

  426.   elseif do_greylisting or do_greylisting_required then

  427.     if not settings.check_local and is_rspamc then return end

  428.     local t = tostring(toint(rspamd_util.get_time()))

  429.     local end_time = rspamd_util.time_to_string(t + settings['timeout'])

  430.     rspamd_logger.infox(task, 'greylisted until "%s", new record', end_time)

  431.     greylist_message(task, end_time, 'new record')

  432.     -- Create new record

  433.     ret,conn,upstream = lua_redis.redis_make_request(task,

  434.       redis_params, -- connect params

  435.       hash_key, -- hash key

  436.       true, -- is write

  437.       redis_set_cb, --callback

  438.       'SETEX', -- command

  439.       {body_key, tostring(toint(settings['expire'])), t} -- arguments

  440.     )

  441. 

  442.     if ret then

  443.       conn:add_cmd('SETEX', {

  444.         meta_key, tostring(toint(settings['expire'])), t

  445.       })

  446.     else

  447.       rspamd_logger.errx(task, 'got error while connecting to redis')

  448.     end

  449.   else

  450.     if action ~= 'no action' and action ~= 'reject' then

  451.       local grey_res = task:get_mempool():get_variable("grey_greylisted_body")

  452. 

  453.       if grey_res then

  454.         -- We need to delay message, hence set a temporary result

  455.         rspamd_logger.infox(task, 'greylisting delayed until "%s": body', grey_res)

  456.         greylist_message(task, grey_res, 'body')

  457.       else

  458.         grey_res = task:get_mempool():get_variable("grey_greylisted_meta")

  459.         if grey_res then

  460.           greylist_message(task, grey_res, 'meta')

  461.         end

  462.       end

  463.     else

  464.       task:insert_result(settings['symbol'], 0.0, 'greylisted', 'passed')

  465.     end

  466.   end

  467. end

  468. 

  469. local opts = rspamd_config:get_all_opt('greylist')

  470. if opts then

  471.   if opts['message_func'] then

  472.     settings.message_func = assert(load(opts['message_func']))()

  473.   end

  474. 

  475.   for k,v in pairs(opts) do

  476.     if k ~= 'message_func' then

  477.       settings[k] = v

  478.     end

  479.   end

  480. 

  481.   local auth_and_local_conf = lua_util.config_check_local_or_authed(rspamd_config, N,

  482.       false, false)

  483.   settings.check_local = auth_and_local_conf[1]

  484.   settings.check_authed = auth_and_local_conf[2]

  485. 

  486.   if settings['greylist_min_score'] then

  487.     settings['greylist_min_score'] = tonumber(settings['greylist_min_score'])

  488.   else

  489.     local greylist_threshold = rspamd_config:get_metric_action('greylist')

  490.     if greylist_threshold then

  491.       settings['greylist_min_score'] = greylist_threshold

  492.     end

  493.   end

  494. 

  495.   whitelisted_ip = lua_map.rspamd_map_add(N, 'whitelisted_ip', 'radix',

  496.     'Greylist whitelist ip map')

  497.   whitelist_domains_map = lua_map.rspamd_map_add(N, 'whitelist_domains_url',

  498.     'map', 'Greylist whitelist domains map')

  499. 

  500.   redis_params = lua_redis.parse_redis_server(N)

  501.   if not redis_params then

  502.     rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  503.     rspamd_lua_utils.disable_module(N, "redis")

  504.   else

  505.     lua_redis.register_prefix(settings.key_prefix .. 'b[a-z0-9]{20}', N,

  506.         'Greylisting elements (body hashes)"', {

  507.           type = 'string',

  508.         })

  509.     lua_redis.register_prefix(settings.key_prefix .. 'm[a-z0-9]{20}', N,

  510.         'Greylisting elements (meta hashes)"', {

  511.           type = 'string',

  512.         })

  513.     rspamd_config:register_symbol({

  514.       name = 'GREYLIST_SAVE',

  515.       type = 'postfilter',

  516.       callback = greylist_set,

  517.       priority = lua_util.symbols_priorities.medium,

  518.       augmentations = {string.format("timeout=%f", redis_params.timeout or 0.0)},

  519.     })

  520.     local id = rspamd_config:register_symbol({

  521.       name = 'GREYLIST_CHECK',

  522.       type = 'prefilter',

  523.       callback = greylist_check,

  524.       priority = lua_util.symbols_priorities.medium,

  525.       augmentations = {string.format("timeout=%f", redis_params.timeout or 0.0)}

  526.     })

  527.     rspamd_config:register_symbol({

  528.       name = settings.symbol,

  529.       type = 'virtual',

  530.       parent = id,

  531.       score = 0,

  532.     })

  533.   end

  534. end