mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21071 Commits
29 Branches
Tree: 7769774962
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7769774962'
${ noResults }
rspamd/src/plugins/lua/greylist.lua

greylist.lua 16KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. Copyright (c) 2016, Alexey Savelyev <info@homeweb.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. --[[

  19. Example domains whitelist config:

  20. greylist {

  21.   # Search "example.com" and "mail.example.com" for "mx.out.mail.example.com":

  22.   whitelist_domains_url = [

  23.     "$LOCAL_CONFDIR/local.d/maps.d/greylist-whitelist-domains.inc",

  24.     "${CONFDIR}/maps.d/maillist.inc",

  25.     "${CONFDIR}/maps.d/redirectors.inc",

  26.     "${CONFDIR}/maps.d/dmarc_whitelist.inc",

  27.     "${CONFDIR}/maps.d/spf_dkim_whitelist.inc",

  28.     "${CONFDIR}/maps.d/surbl-whitelist.inc",

  29.     "https://maps.rspamd.com/freemail/free.txt.zst"

  30.   ];

  31. }

  32. Example config for exim users:

  33. greylist {

  34.   action = "greylist";

  35. }

  36. --]]

  37. 

  38. if confighelp then

  39.   rspamd_config:add_example(nil, 'greylist',

  40.       "Performs adaptive greylisting using Redis",

  41.       [[

  42. greylist {

  43.   # Buckets expire (1 day by default)

  44.   expire = 1d;

  45.   # Greylisting timeout

  46.   timeout = 5m;

  47.   # Redis prefix

  48.   key_prefix = 'rg';

  49.   # Use body hash up to this value of bytes for greylisting

  50.   max_data_len = 10k;

  51.   # Default greylisting message

  52.   message = 'Try again later';

  53.   # Append symbol on greylisting

  54.   symbol = 'GREYLIST';

  55.   # Default action change (for Exim use `greylist`)

  56.   action = 'soft reject';

  57.   # Skip greylisting if one of the following symbols has been found

  58.   whitelist_symbols = [];

  59.   # Mask bits for ipv4

  60.   ipv4_mask = 19;

  61.   # Mask bits for ipv6

  62.   ipv6_mask = 64;

  63.    # Tell when greylisting is expired (appended to `message`)

  64.   report_time = false;

  65.   # Greylist local messages

  66.   check_local = false;

  67.   # Greylist messages from authenticated users

  68.   check_authed = false;

  69. }

  70.   ]])

  71.   return

  72. end

  73. 

  74. -- A plugin that implements greylisting using redis

  75. 

  76. local redis_params

  77. local whitelisted_ip

  78. local whitelist_domains_map

  79. local toint = math.ifloor or math.floor

  80. local settings = {

  81.   expire = 86400, -- 1 day by default

  82.   timeout = 300, -- 5 minutes by default

  83.   key_prefix = 'rg', -- default hash name

  84.   max_data_len = 10240, -- default data limit to hash

  85.   message = 'Try again later', -- default greylisted message

  86.   symbol = 'GREYLIST',

  87.   action = 'soft reject', -- default greylisted action

  88.   whitelist_symbols = {}, -- whitelist when specific symbols have been found

  89.   ipv4_mask = 19, -- Mask bits for ipv4

  90.   ipv6_mask = 64, -- Mask bits for ipv6

  91.   report_time = false, -- Tell when greylisting is expired (appended to `message`)

  92.   check_local = false,

  93.   check_authed = false,

  94. }

  95. 

  96. local rspamd_logger = require "rspamd_logger"

  97. local rspamd_util = require "rspamd_util"

  98. local lua_redis = require "lua_redis"

  99. local lua_util = require "lua_util"

  100. local fun = require "fun"

  101. local hash = require "rspamd_cryptobox_hash"

  102. local rspamd_lua_utils = require "lua_util"

  103. local lua_map = require "lua_maps"

  104. local N = "greylist"

  105. 

  106. local function data_key(task)

  107.   local cached = task:get_mempool():get_variable("grey_bodyhash")

  108.   if cached then

  109.     return cached

  110.   end

  111. 

  112.   local body = task:get_rawbody()

  113. 

  114.   if not body then

  115.     return nil

  116.   end

  117. 

  118.   local len = body:len()

  119.   if len > settings['max_data_len'] then

  120.     len = settings['max_data_len']

  121.   end

  122. 

  123.   local h = hash.create()

  124.   h:update(body, len)

  125. 

  126.   local b32 = settings['key_prefix'] .. 'b' .. h:base32():sub(1, 20)

  127.   task:get_mempool():set_variable("grey_bodyhash", b32)

  128.   return b32

  129. end

  130. 

  131. local function envelope_key(task)

  132.   local cached = task:get_mempool():get_variable("grey_metahash")

  133.   if cached then

  134.     return cached

  135.   end

  136. 

  137.   local from = task:get_from('smtp')

  138.   local h = hash.create()

  139. 

  140.   local addr = '<>'

  141.   if from and from[1] then

  142.     addr = from[1]['addr']

  143.   end

  144. 

  145.   h:update(addr)

  146.   local rcpt = task:get_recipients('smtp')

  147.   if rcpt then

  148.     table.sort(rcpt, function(r1, r2)

  149.       return r1['addr'] < r2['addr']

  150.     end)

  151. 

  152.     fun.each(function(r)

  153.       h:update(r['addr'])

  154.     end, rcpt)

  155.   end

  156. 

  157.   local ip = task:get_ip()

  158. 

  159.   if ip and ip:is_valid() then

  160.     local s

  161.     if ip:get_version() == 4 then

  162.       s = tostring(ip:apply_mask(settings['ipv4_mask']))

  163.     else

  164.       s = tostring(ip:apply_mask(settings['ipv6_mask']))

  165.     end

  166.     h:update(s)

  167.   end

  168. 

  169.   local b32 = settings['key_prefix'] .. 'm' .. h:base32():sub(1, 20)

  170.   task:get_mempool():set_variable("grey_metahash", b32)

  171.   return b32

  172. end

  173. 

  174. -- Returns pair of booleans: found,greylisted

  175. local function check_time(task, tm, type, now)

  176.   local t = tonumber(tm)

  177. 

  178.   if not t then

  179.     rspamd_logger.errx(task, 'not a valid number: %s', tm)

  180.     return false, false

  181.   end

  182. 

  183.   if now - t < settings['timeout'] then

  184.     return true, true

  185.   else

  186.     -- We just set variable to pass when in post-filter stage

  187.     task:get_mempool():set_variable("grey_whitelisted", type)

  188. 

  189.     return true, false

  190.   end

  191. end

  192. 

  193. local function greylist_message(task, end_time, why)

  194.   task:insert_result(settings['symbol'], 0.0, 'greylisted', end_time, why)

  195. 

  196.   if not settings.check_local and rspamd_lua_utils.is_rspamc_or_controller(task) then

  197.     return

  198.   end

  199. 

  200.   if settings.message_func then

  201.     task:set_pre_result(settings['action'],

  202.         settings.message_func(task, end_time), N)

  203.   else

  204.     local message = settings['message']

  205.     if settings.report_time then

  206.       message = string.format("%s: %s", message, end_time)

  207.     end

  208.     task:set_pre_result(settings['action'], message, N)

  209.   end

  210. 

  211.   task:set_flag('greylisted')

  212. end

  213. 

  214. local function greylist_check(task)

  215.   local ip = task:get_ip()

  216. 

  217.   if ((not settings.check_authed and task:get_user()) or

  218.       (not settings.check_local and ip and ip:is_local())) then

  219.     rspamd_logger.infox(task, "skip greylisting for local networks and/or authorized users");

  220.     return

  221.   end

  222. 

  223.   if ip and ip:is_valid() and whitelisted_ip then

  224.     if whitelisted_ip:get_key(ip) then

  225.       -- Do not check whitelisted ip

  226.       rspamd_logger.infox(task, 'skip greylisting for whitelisted IP')

  227.       return

  228.     end

  229.   end

  230. 

  231.   local body_key = data_key(task)

  232.   local meta_key = envelope_key(task)

  233.   local hash_key = body_key .. meta_key

  234. 

  235.   local function redis_get_cb(err, data)

  236.     local ret_body = false

  237.     local greylisted_body = false

  238.     local ret_meta = false

  239.     local greylisted_meta = false

  240. 

  241.     if data then

  242.       local end_time_body, end_time_meta

  243.       local now = rspamd_util.get_time()

  244. 

  245.       if data[1] and type(data[1]) ~= 'userdata' then

  246.         local tm = tonumber(data[1]) or now

  247.         ret_body, greylisted_body = check_time(task, data[1], 'body', now)

  248.         if greylisted_body then

  249.           end_time_body = tm + settings['timeout']

  250.           task:get_mempool():set_variable("grey_greylisted_body",

  251.               rspamd_util.time_to_string(end_time_body))

  252.         end

  253.       end

  254. 

  255.       if data[2] and type(data[2]) ~= 'userdata' then

  256.         if not ret_body or greylisted_body then

  257.           local tm = tonumber(data[2]) or now

  258.           ret_meta, greylisted_meta = check_time(task, data[2], 'meta', now)

  259. 

  260.           if greylisted_meta then

  261.             end_time_meta = tm + settings['timeout']

  262.             task:get_mempool():set_variable("grey_greylisted_meta",

  263.                 rspamd_util.time_to_string(end_time_meta))

  264.           end

  265.         end

  266.       end

  267. 

  268.       local how

  269.       local end_time_str

  270. 

  271.       if not ret_body and not ret_meta then

  272.         -- no record found

  273.         task:get_mempool():set_variable("grey_greylisted", 'true')

  274.       elseif greylisted_body and greylisted_meta then

  275.         end_time_str = rspamd_util.time_to_string(

  276.             math.min(end_time_body, end_time_meta))

  277.         how = 'meta and body'

  278.       elseif greylisted_body then

  279.         end_time_str = rspamd_util.time_to_string(end_time_body)

  280.         how = 'body only'

  281.       elseif greylisted_meta then

  282.         end_time_str = rspamd_util.time_to_string(end_time_meta)

  283.         how = 'meta only'

  284.       end

  285. 

  286.       if how and end_time_str then

  287.         rspamd_logger.infox(task, 'greylisted until "%s" (%s)',

  288.             end_time_str, how)

  289.         greylist_message(task, end_time_str, 'too early')

  290.       end

  291.     elseif err then

  292.       rspamd_logger.errx(task, 'got error while getting greylisting keys: %1', err)

  293.       return

  294.     end

  295.   end

  296. 

  297.   local ret = lua_redis.redis_make_request(task,

  298.       redis_params, -- connect params

  299.       hash_key, -- hash key

  300.       false, -- is write

  301.       redis_get_cb, --callback

  302.       'MGET', -- command

  303.       { body_key, meta_key } -- arguments

  304.   )

  305.   if not ret then

  306.     rspamd_logger.errx(task, 'cannot make redis request to check results')

  307.   end

  308. end

  309. 

  310. local function greylist_set(task)

  311.   local action = task:get_metric_action()

  312.   local ip = task:get_ip()

  313. 

  314.   -- Don't do anything if pre-result has been already set

  315.   if task:has_pre_result() then

  316.     return

  317.   end

  318. 

  319.   -- Check whitelist_symbols

  320.   for _, sym in ipairs(settings.whitelist_symbols) do

  321.     if task:has_symbol(sym) then

  322.       rspamd_logger.infox(task, 'skip greylisting as we have found symbol %s', sym)

  323.       if action == 'greylist' then

  324.         -- We are going to accept message

  325.         rspamd_logger.infox(task, 'downgrading metric action from "greylist" to "no action"')

  326.         task:disable_action('greylist')

  327.       end

  328.       return

  329.     end

  330.   end

  331. 

  332.   if settings.greylist_min_score then

  333.     local score = task:get_metric_score('default')[1]

  334.     if score < settings.greylist_min_score then

  335.       rspamd_logger.infox(task, 'Score too low - skip greylisting')

  336.       if action == 'greylist' then

  337.         -- We are going to accept message

  338.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  339.         task:disable_action('greylist')

  340.       end

  341.       return

  342.     end

  343.   end

  344. 

  345.   if ((not settings.check_authed and task:get_user()) or

  346.       (not settings.check_local and ip and ip:is_local())) then

  347.     if action == 'greylist' then

  348.       -- We are going to accept message

  349.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  350.       task:disable_action('greylist')

  351.     end

  352.     return

  353.   end

  354. 

  355.   if ip and ip:is_valid() and whitelisted_ip then

  356.     if whitelisted_ip:get_key(ip) then

  357.       if action == 'greylist' then

  358.         -- We are going to accept message

  359.         rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  360.         task:disable_action('greylist')

  361.       end

  362.       return

  363.     end

  364.   end

  365. 

  366.   local is_whitelisted = task:get_mempool():get_variable("grey_whitelisted")

  367.   local do_greylisting = task:get_mempool():get_variable("grey_greylisted")

  368.   local do_greylisting_required = task:get_mempool():get_variable("grey_greylisted_required")

  369. 

  370.   -- Third and second level domains whitelist

  371.   if not is_whitelisted and whitelist_domains_map then

  372.     local hostname = task:get_hostname()

  373.     if hostname then

  374.       local domain = rspamd_util.get_tld(hostname)

  375.       if whitelist_domains_map:get_key(hostname) or (domain and whitelist_domains_map:get_key(domain)) then

  376.         is_whitelisted = 'meta'

  377.         rspamd_logger.infox(task, 'skip greylisting for whitelisted domain')

  378.       end

  379.     end

  380.   end

  381. 

  382.   if action == 'reject' or

  383.       not do_greylisting_required and action == 'no action' then

  384.     return

  385.   end

  386.   local body_key = data_key(task)

  387.   local meta_key = envelope_key(task)

  388.   local upstream, ret, conn

  389.   local hash_key = body_key .. meta_key

  390. 

  391.   local function redis_set_cb(err)

  392.     if err then

  393.       rspamd_logger.errx(task, 'got error %s when setting greylisting record on server %s',

  394.           err, upstream:get_addr())

  395.     end

  396.   end

  397. 

  398.   local is_rspamc = rspamd_lua_utils.is_rspamc_or_controller(task)

  399. 

  400.   if is_whitelisted then

  401.     if action == 'greylist' then

  402.       -- We are going to accept message

  403.       rspamd_logger.infox(task, 'Downgrading metric action from "greylist" to "no action"')

  404.       task:disable_action('greylist')

  405.     end

  406. 

  407.     task:insert_result(settings['symbol'], 0.0, 'pass', is_whitelisted)

  408.     rspamd_logger.infox(task, 'greylisting pass (%s) until %s',

  409.         is_whitelisted,

  410.         rspamd_util.time_to_string(rspamd_util.get_time() + settings['expire']))

  411. 

  412.     if not settings.check_local and is_rspamc then

  413.       return

  414.     end

  415. 

  416.     ret, conn, upstream = lua_redis.redis_make_request(task,

  417.         redis_params, -- connect params

  418.         hash_key, -- hash key

  419.         true, -- is write

  420.         redis_set_cb, --callback

  421.         'EXPIRE', -- command

  422.         { body_key, tostring(toint(settings['expire'])) } -- arguments

  423.     )

  424.     -- Update greylisting record expire

  425.     if ret then

  426.       conn:add_cmd('EXPIRE', {

  427.         meta_key, tostring(toint(settings['expire']))

  428.       })

  429.     else

  430.       rspamd_logger.errx(task, 'got error while connecting to redis')

  431.     end

  432.   elseif do_greylisting or do_greylisting_required then

  433.     if not settings.check_local and is_rspamc then

  434.       return

  435.     end

  436.     local t = tostring(toint(rspamd_util.get_time()))

  437.     local end_time = rspamd_util.time_to_string(t + settings['timeout'])

  438.     rspamd_logger.infox(task, 'greylisted until "%s", new record', end_time)

  439.     greylist_message(task, end_time, 'new record')

  440.     -- Create new record

  441.     ret, conn, upstream = lua_redis.redis_make_request(task,

  442.         redis_params, -- connect params

  443.         hash_key, -- hash key

  444.         true, -- is write

  445.         redis_set_cb, --callback

  446.         'SETEX', -- command

  447.         { body_key, tostring(toint(settings['expire'])), t } -- arguments

  448.     )

  449. 

  450.     if ret then

  451.       conn:add_cmd('SETEX', {

  452.         meta_key, tostring(toint(settings['expire'])), t

  453.       })

  454.     else

  455.       rspamd_logger.errx(task, 'got error while connecting to redis')

  456.     end

  457.   else

  458.     if action ~= 'no action' and action ~= 'reject' then

  459.       local grey_res = task:get_mempool():get_variable("grey_greylisted_body")

  460. 

  461.       if grey_res then

  462.         -- We need to delay message, hence set a temporary result

  463.         rspamd_logger.infox(task, 'greylisting delayed until "%s": body', grey_res)

  464.         greylist_message(task, grey_res, 'body')

  465.       else

  466.         grey_res = task:get_mempool():get_variable("grey_greylisted_meta")

  467.         if grey_res then

  468.           greylist_message(task, grey_res, 'meta')

  469.         end

  470.       end

  471.     else

  472.       task:insert_result(settings['symbol'], 0.0, 'greylisted', 'passed')

  473.     end

  474.   end

  475. end

  476. 

  477. local opts = rspamd_config:get_all_opt('greylist')

  478. if opts then

  479.   if opts['message_func'] then

  480.     settings.message_func = assert(load(opts['message_func']))()

  481.   end

  482. 

  483.   for k, v in pairs(opts) do

  484.     if k ~= 'message_func' then

  485.       settings[k] = v

  486.     end

  487.   end

  488. 

  489.   local auth_and_local_conf = lua_util.config_check_local_or_authed(rspamd_config, N,

  490.       false, false)

  491.   settings.check_local = auth_and_local_conf[1]

  492.   settings.check_authed = auth_and_local_conf[2]

  493. 

  494.   if settings['greylist_min_score'] then

  495.     settings['greylist_min_score'] = tonumber(settings['greylist_min_score'])

  496.   else

  497.     local greylist_threshold = rspamd_config:get_metric_action('greylist')

  498.     if greylist_threshold then

  499.       settings['greylist_min_score'] = greylist_threshold

  500.     end

  501.   end

  502. 

  503.   whitelisted_ip = lua_map.rspamd_map_add(N, 'whitelisted_ip', 'radix',

  504.       'Greylist whitelist ip map')

  505.   whitelist_domains_map = lua_map.rspamd_map_add(N, 'whitelist_domains_url',

  506.       'map', 'Greylist whitelist domains map')

  507. 

  508.   redis_params = lua_redis.parse_redis_server(N)

  509.   if not redis_params then

  510.     rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  511.     rspamd_lua_utils.disable_module(N, "redis")

  512.   else

  513.     lua_redis.register_prefix(settings.key_prefix .. 'b[a-z0-9]{20}', N,

  514.         'Greylisting elements (body hashes)"', {

  515.           type = 'string',

  516.         })

  517.     lua_redis.register_prefix(settings.key_prefix .. 'm[a-z0-9]{20}', N,

  518.         'Greylisting elements (meta hashes)"', {

  519.           type = 'string',

  520.         })

  521.     rspamd_config:register_symbol({

  522.       name = 'GREYLIST_SAVE',

  523.       type = 'postfilter',

  524.       callback = greylist_set,

  525.       priority = lua_util.symbols_priorities.medium,

  526.       augmentations = { string.format("timeout=%f", redis_params.timeout or 0.0) },

  527.     })

  528.     local id = rspamd_config:register_symbol({

  529.       name = 'GREYLIST_CHECK',

  530.       type = 'prefilter',

  531.       callback = greylist_check,

  532.       priority = lua_util.symbols_priorities.medium,

  533.       augmentations = { string.format("timeout=%f", redis_params.timeout or 0.0) }

  534.     })

  535.     rspamd_config:register_symbol({

  536.       name = settings.symbol,

  537.       type = 'virtual',

  538.       parent = id,

  539.       score = 0,

  540.     })

  541.   end

  542. end