mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15574 Commits
28 Branches
Tree: 69f50374bb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '69f50374bb'
${ noResults }
rspamd/src/plugins/lua/greylist.lua

greylist.lua 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480 
  1. --[[

  2. Copyright (c) 2016, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. Copyright (c) 2016, Alexey Savelyev <info@homeweb.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. --[[

  19. Example domains whitelist config:

  20. greylist {

  21.   # Search "example.com" and "mail.example.com" for "mx.out.mail.example.com":

  22.   whitelist_domains_url = [

  23.     "$LOCAL_CONFDIR/local.d/greylist-whitelist-domains.inc",

  24.     "${CONFDIR}/maps.d/maillist.inc",

  25.     "${CONFDIR}/maps.d/redirectors.inc",

  26.     "${CONFDIR}/maps.d/dmarc_whitelist.inc",

  27.     "${CONFDIR}/maps.d/spf_dkim_whitelist.inc",

  28.     "${CONFDIR}/maps.d/surbl-whitelist.inc",

  29.     "https://maps.rspamd.com/freemail/free.txt.zst"

  30.   ];

  31. }

  32. Example config for exim users:

  33. greylist {

  34.   action = "greylist";

  35. }

  36. --]]

  37. 

  38. if confighelp then

  39.   return

  40. end

  41. 

  42. -- A plugin that implements greylisting using redis

  43. 

  44. local redis_params

  45. local whitelisted_ip

  46. local whitelist_domains_map

  47. local toint = math.ifloor or math.floor

  48. local settings = {

  49.   expire = 86400, -- 1 day by default

  50.   timeout = 300, -- 5 minutes by default

  51.   key_prefix = 'rg', -- default hash name

  52.   max_data_len = 10240, -- default data limit to hash

  53.   message = 'Try again later', -- default greylisted message

  54.   symbol = 'GREYLIST',

  55.   action = 'soft reject', -- default greylisted action

  56.   whitelist_symbols = {}, -- whitelist when specific symbols have been found

  57.   ipv4_mask = 19, -- Mask bits for ipv4

  58.   ipv6_mask = 64, -- Mask bits for ipv6

  59.   report_time = false, -- Tell when greylisting is epired (appended to `message`)

  60.   check_local = false,

  61.   check_authed = false,

  62. }

  63. 

  64. local rspamd_logger = require "rspamd_logger"

  65. local rspamd_util = require "rspamd_util"

  66. local lua_redis = require "lua_redis"

  67. local fun = require "fun"

  68. local hash = require "rspamd_cryptobox_hash"

  69. local rspamd_lua_utils = require "lua_util"

  70. local lua_map = require "lua_maps"

  71. local N = "greylist"

  72. 

  73. local function data_key(task)

  74.   local cached = task:get_mempool():get_variable("grey_bodyhash")

  75.   if cached then

  76.     return cached

  77.   end

  78. 

  79.   local body = task:get_rawbody()

  80. 

  81.   if not body then return nil end

  82. 

  83.   local len = body:len()

  84.   if len > settings['max_data_len'] then

  85.     len = settings['max_data_len']

  86.   end

  87. 

  88.   local h = hash.create()

  89.   h:update(body, len)

  90. 

  91.   local b32 = settings['key_prefix'] .. 'b' .. h:base32():sub(1, 20)

  92.   task:get_mempool():set_variable("grey_bodyhash", b32)

  93.   return b32

  94. end

  95. 

  96. local function envelope_key(task)

  97.   local cached = task:get_mempool():get_variable("grey_metahash")

  98.   if cached then

  99.     return cached

  100.   end

  101. 

  102.   local from = task:get_from('smtp')

  103.   local h = hash.create()

  104. 

  105.   local addr = '<>'

  106.   if from and from[1] then

  107.     addr = from[1]['addr']

  108.   end

  109. 

  110.   h:update(addr)

  111.   local rcpt = task:get_recipients('smtp')

  112.   if rcpt then

  113.     table.sort(rcpt, function(r1, r2)

  114.       return r1['addr'] < r2['addr']

  115.     end)

  116. 

  117.     fun.each(function(r)

  118.       h:update(r['addr'])

  119.     end, rcpt)

  120.   end

  121. 

  122.   local ip = task:get_ip()

  123. 

  124.   if ip and ip:is_valid() then

  125.     local s

  126.     if ip:get_version() == 4 then

  127.       s = tostring(ip:apply_mask(settings['ipv4_mask']))

  128.     else

  129.       s = tostring(ip:apply_mask(settings['ipv6_mask']))

  130.     end

  131.     h:update(s)

  132.   end

  133. 

  134.   local b32 = settings['key_prefix'] .. 'm' .. h:base32():sub(1, 20)

  135.   task:get_mempool():set_variable("grey_metahash", b32)

  136.   return b32

  137. end

  138. 

  139. -- Returns pair of booleans: found,greylisted

  140. local function check_time(task, tm, type, now)

  141.   local t = tonumber(tm)

  142. 

  143.   if not t then

  144.     rspamd_logger.errx(task, 'not a valid number: %s', tm)

  145.     return false,false

  146.   end

  147. 

  148.   if now - t < settings['timeout'] then

  149.     return true,true

  150.   else

  151.     -- We just set variable to pass when in post-filter stage

  152.     task:get_mempool():set_variable("grey_whitelisted", type)

  153. 

  154.     return true,false

  155.   end

  156. end

  157. 

  158. local function greylist_message(task, end_time, why)

  159.   task:insert_result(settings['symbol'], 0.0, 'greylisted', end_time, why)

  160. 

  161.   if not settings.check_local and rspamd_lua_utils.is_rspamc_or_controller(task) then

  162.     return

  163.   end

  164. 

  165.   if settings.message_func then

  166.     task:set_pre_result(settings['action'],

  167.       settings.message_func(task, end_time), N)

  168.   else

  169.     local message = settings['message']

  170.     if settings.report_time then

  171.       message = string.format("%s: %s", message, end_time)

  172.     end

  173.     task:set_pre_result(settings['action'], message, N)

  174.   end

  175. 

  176.   task:set_flag('greylisted')

  177. end

  178. 

  179. local function greylist_check(task)

  180.   local ip = task:get_ip()

  181. 

  182.   if ((not settings.check_authed and task:get_user()) or

  183.       (not settings.check_local and ip and ip:is_local())) then

  184.     rspamd_logger.infox(task, "skip greylisting for local networks and/or authorized users");

  185.     return

  186.   end

  187. 

  188.   if ip and ip:is_valid() and whitelisted_ip then

  189.     if whitelisted_ip:get_key(ip) then

  190.       -- Do not check whitelisted ip

  191.       rspamd_logger.infox(task, 'skip greylisting for whitelisted IP')

  192.       return

  193.     end

  194.   end

  195. 

  196.   local body_key = data_key(task)

  197.   local meta_key = envelope_key(task)

  198.   local hash_key = body_key .. meta_key

  199. 

  200.   local function redis_get_cb(err, data)

  201.     local ret_body = false

  202.     local greylisted_body = false

  203.     local ret_meta = false

  204.     local greylisted_meta = false

  205. 

  206.     if data then

  207.       local end_time_body,end_time_meta

  208.       local now = rspamd_util.get_time()

  209. 

  210.       if data[1] and type(data[1]) ~= 'userdata' then

  211.         local tm = tonumber(data[1]) or now

  212.         ret_body,greylisted_body = check_time(task, data[1], 'body', now)

  213.         if greylisted_body then

  214.           end_time_body = tm + settings['timeout']

  215.           task:get_mempool():set_variable("grey_greylisted_body",

  216.               rspamd_util.time_to_string(end_time_body))

  217.         end

  218.       end

  219. 

  220.       if data[2] and type(data[2]) ~= 'userdata' then

  221.         if not ret_body or greylisted_body then

  222.           local tm = tonumber(data[2]) or now

  223.           ret_meta,greylisted_meta = check_time(task, data[2], 'meta', now)

  224. 

  225.           if greylisted_meta then

  226.             end_time_meta = tm + settings['timeout']

  227.             task:get_mempool():set_variable("grey_greylisted_meta",

  228.                 rspamd_util.time_to_string(end_time_meta))

  229.           end

  230.         end

  231.       end

  232. 

  233.       local how

  234.       local end_time_str

  235. 

  236.       if not ret_body and not ret_meta then

  237.         -- no record found

  238.         task:get_mempool():set_variable("grey_greylisted", 'true')

  239.       elseif greylisted_body and greylisted_meta then

  240.         end_time_str = rspamd_util.time_to_string(

  241.             math.min(end_time_body, end_time_meta))

  242.         how = 'meta and body'

  243.       elseif greylisted_body then

  244.         end_time_str = rspamd_util.time_to_string(end_time_body)

  245.         how = 'body only'

  246.       elseif greylisted_meta then

  247.         end_time_str = rspamd_util.time_to_string(end_time_meta)

  248.         how = 'meta only'

  249.       end

  250. 

  251.       if how and end_time_str then

  252.         rspamd_logger.infox(task, 'greylisted until "%s" (%s)',

  253.             end_time_str, how)

  254.         greylist_message(task, end_time_str, 'too early')

  255.       end

  256.     elseif err then

  257.       rspamd_logger.errx(task, 'got error while getting greylisting keys: %1', err)

  258.       return

  259.     end

  260.   end

  261. 

  262.   local ret = lua_redis.redis_make_request(task,

  263.       redis_params, -- connect params

  264.       hash_key, -- hash key

  265.       false, -- is write

  266.       redis_get_cb, --callback

  267.       'MGET', -- command

  268.       {body_key, meta_key} -- arguments

  269.   )

  270.   if not ret then

  271.     rspamd_logger.errx(task, 'cannot make redis request to check results')

  272.   end

  273. end

  274. 

  275. local function greylist_set(task)

  276.   local action = task:get_metric_action('default')

  277.   local ip = task:get_ip()

  278. 

  279.   -- Don't do anything if pre-result has been already set

  280.   if task:has_pre_result() then return end

  281. 

  282.   -- Check whitelist_symbols

  283.   for _,sym in ipairs(settings.whitelist_symbols) do

  284.     if task:has_symbol(sym) then

  285.       rspamd_logger.infox(task, 'skip greylisting as we have found symbol %s', sym)

  286.       if action == 'greylist' then

  287.         -- We are going to accept message

  288.         rspamd_logger.infox(task, 'downgrading metric action from "greylist" to "no action"')

  289.         task:disable_action('greylist')

  290.       end

  291.       return

  292.     end

  293.   end

  294. 

  295.   if settings.greylist_min_score then

  296.     local score = task:get_metric_score('default')[1]

  297.     if score < settings.greylist_min_score then

  298.       rspamd_logger.infox(task, 'Score too low - skip greylisting')

  299.       if action == 'greylist' then

  300.         -- We are going to accept message

  301.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  302.         task:disable_action('greylist')

  303.       end

  304.       return

  305.     end

  306.   end

  307. 

  308.   if ((not settings.check_authed and task:get_user()) or

  309.       (not settings.check_local and ip and ip:is_local())) then

  310.     if action == 'greylist' then

  311.       -- We are going to accept message

  312.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  313.       task:disable_action('greylist')

  314.     end

  315.     return

  316.   end

  317. 

  318.   if ip and ip:is_valid() and whitelisted_ip then

  319.     if whitelisted_ip:get_key(ip) then

  320.       if action == 'greylist' then

  321.         -- We are going to accept message

  322.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  323.         task:disable_action('greylist')

  324.       end

  325.       return

  326.     end

  327.   end

  328. 

  329.   local is_whitelisted = task:get_mempool():get_variable("grey_whitelisted")

  330.   local do_greylisting = task:get_mempool():get_variable("grey_greylisted")

  331.   local do_greylisting_required = task:get_mempool():get_variable("grey_greylisted_required")

  332. 

  333.   -- Third and second level domains whitelist

  334.   if not is_whitelisted and whitelist_domains_map then

  335.     local hostname = task:get_hostname()

  336.     if hostname then

  337.       local domain = rspamd_util.get_tld(hostname)

  338.       if whitelist_domains_map:get_key(hostname) or (domain and whitelist_domains_map:get_key(domain)) then

  339.         is_whitelisted = 'meta'

  340.         rspamd_logger.infox(task, 'skip greylisting for whitelisted domain')

  341.       end

  342.     end

  343.   end

  344. 

  345.   if action == 'reject' or

  346.       not do_greylisting_required and action == 'no action' then

  347.     return

  348.   end

  349.   local body_key = data_key(task)

  350.   local meta_key = envelope_key(task)

  351.   local upstream, ret, conn

  352.   local hash_key = body_key .. meta_key

  353. 

  354.   local function redis_set_cb(err)

  355.     if err then

  356.       rspamd_logger.errx(task, 'got error %s when setting greylisting record on server %s',

  357.         err, upstream:get_addr())

  358.     end

  359.   end

  360. 

  361.   local is_rspamc = rspamd_lua_utils.is_rspamc_or_controller(task)

  362. 

  363.   if is_whitelisted then

  364.     if action == 'greylist' then

  365.       -- We are going to accept message

  366.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  367.       task:disable_action('greylist')

  368.     end

  369. 

  370.     task:insert_result(settings['symbol'], 0.0, 'pass', is_whitelisted)

  371.     rspamd_logger.infox(task, 'greylisting pass (%s) until %s',

  372.       is_whitelisted,

  373.       rspamd_util.time_to_string(rspamd_util.get_time() + settings['expire']))

  374. 

  375.     if not settings.check_local and is_rspamc then return end

  376. 

  377.     ret,conn,upstream = lua_redis.redis_make_request(task,

  378.       redis_params, -- connect params

  379.       hash_key, -- hash key

  380.       true, -- is write

  381.       redis_set_cb, --callback

  382.       'EXPIRE', -- command

  383.       {body_key, tostring(toint(settings['expire']))} -- arguments

  384.     )

  385.     -- Update greylisting record expire

  386.     if ret then

  387.       conn:add_cmd('EXPIRE', {

  388.         meta_key, tostring(toint(settings['expire']))

  389.       })

  390.     else

  391.       rspamd_logger.errx(task, 'got error while connecting to redis')

  392.     end

  393.   elseif do_greylisting or do_greylisting_required then

  394.     if not settings.check_local and is_rspamc then return end

  395.     local t = tostring(toint(rspamd_util.get_time()))

  396.     local end_time = rspamd_util.time_to_string(t + settings['timeout'])

  397.     rspamd_logger.infox(task, 'greylisted until "%s", new record', end_time)

  398.     greylist_message(task, end_time, 'new record')

  399.     -- Create new record

  400.     ret,conn,upstream = lua_redis.redis_make_request(task,

  401.       redis_params, -- connect params

  402.       hash_key, -- hash key

  403.       true, -- is write

  404.       redis_set_cb, --callback

  405.       'SETEX', -- command

  406.       {body_key, tostring(toint(settings['expire'])), t} -- arguments

  407.     )

  408. 

  409.     if ret then

  410.       conn:add_cmd('SETEX', {

  411.         meta_key, tostring(toint(settings['expire'])), t

  412.       })

  413.     else

  414.       rspamd_logger.errx(task, 'got error while connecting to redis')

  415.     end

  416.   else

  417.     if action ~= 'no action' and action ~= 'reject' then

  418.       local grey_res = task:get_mempool():get_variable("grey_greylisted_body")

  419. 

  420.       if grey_res then

  421.         -- We need to delay message, hence set a temporary result

  422.         rspamd_logger.infox(task, 'greylisting delayed until "%s": body', grey_res)

  423.         greylist_message(task, grey_res, 'body')

  424.       else

  425.         grey_res = task:get_mempool():get_variable("grey_greylisted_meta")

  426.         if grey_res then

  427.           greylist_message(task, grey_res, 'meta')

  428.         end

  429.       end

  430.     else

  431.       task:insert_result(settings['symbol'], 0.0, 'greylisted', 'passed')

  432.     end

  433.   end

  434. end

  435. 

  436. local opts = rspamd_config:get_all_opt('greylist')

  437. if opts then

  438.   if opts['message_func'] then

  439.     settings.message_func = assert(load(opts['message_func']))()

  440.   end

  441. 

  442.   for k,v in pairs(opts) do

  443.     if k ~= 'message_func' then

  444.       settings[k] = v

  445.     end

  446.   end

  447. 

  448.   if settings['greylist_min_score'] then

  449.     settings['greylist_min_score'] = tonumber(settings['greylist_min_score'])

  450.   else

  451.     local greylist_threshold = rspamd_config:get_metric_action('greylist')

  452.     if greylist_threshold then

  453.       settings['greylist_min_score'] = greylist_threshold

  454.     end

  455.   end

  456. 

  457.   whitelisted_ip = lua_map.rspamd_map_add(N, 'whitelisted_ip', 'radix',

  458.     'Greylist whitelist ip map')

  459.   whitelist_domains_map = lua_map.rspamd_map_add(N, 'whitelist_domains_url',

  460.     'map', 'Greylist whitelist domains map')

  461. 

  462.   redis_params = lua_redis.parse_redis_server(N)

  463.   if not redis_params then

  464.     rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  465.     rspamd_lua_utils.disable_module(N, "redis")

  466.   else

  467.     rspamd_config:register_symbol({

  468.       name = 'GREYLIST_SAVE',

  469.       type = 'postfilter',

  470.       callback = greylist_set,

  471.       priority = 6,

  472.     })

  473.     rspamd_config:register_symbol({

  474.       name = 'GREYLIST_CHECK',

  475.       type = 'prefilter',

  476.       callback = greylist_check,

  477.       priority = 6,

  478.     })

  479.   end

  480. end