mirror of
https://github.com/rspamd/rspamd.git
synced 2024-07-31 20:21:26 +02:00
597 lines
16 KiB
Lua
597 lines
16 KiB
Lua
--[[
|
|
Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
]]--
|
|
|
|
local logger = require "rspamd_logger"
|
|
local lua_util = require "lua_util"
|
|
local rspamd_util = require "rspamd_util"
|
|
local fun = require "fun"
|
|
|
|
local function is_implicit(t)
|
|
local mt = getmetatable(t)
|
|
|
|
return mt and mt.class and mt.class == 'ucl.type.impl_array'
|
|
end
|
|
|
|
local function metric_pairs(t)
|
|
-- collect the keys
|
|
local keys = {}
|
|
local implicit_array = is_implicit(t)
|
|
|
|
local function gen_keys(tbl)
|
|
if implicit_array then
|
|
for _,v in ipairs(tbl) do
|
|
if v.name then
|
|
table.insert(keys, {v.name, v})
|
|
v.name = nil
|
|
else
|
|
-- Very tricky to distinguish:
|
|
-- group {name = "foo" ... } + group "blah" { ... }
|
|
for gr_name,gr in pairs(v) do
|
|
if type(gr_name) ~= 'number' then
|
|
-- We can also have implicit arrays here
|
|
local gr_implicit = is_implicit(gr)
|
|
|
|
if gr_implicit then
|
|
for _,gr_elt in ipairs(gr) do
|
|
table.insert(keys, {gr_name, gr_elt})
|
|
end
|
|
else
|
|
table.insert(keys, {gr_name, gr})
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
else
|
|
if tbl.name then
|
|
table.insert(keys, {tbl.name, tbl})
|
|
tbl.name = nil
|
|
else
|
|
for k,v in pairs(tbl) do
|
|
if type(k) ~= 'number' then
|
|
-- We can also have implicit arrays here
|
|
local sym_implicit = is_implicit(v)
|
|
|
|
if sym_implicit then
|
|
for _,elt in ipairs(v) do
|
|
table.insert(keys, {k, elt})
|
|
end
|
|
else
|
|
table.insert(keys, {k, v})
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
gen_keys(t)
|
|
|
|
-- return the iterator function
|
|
local i = 0
|
|
return function()
|
|
i = i + 1
|
|
if keys[i] then
|
|
return keys[i][1], keys[i][2]
|
|
end
|
|
end
|
|
end
|
|
|
|
local function group_transform(cfg, k, v)
|
|
if v.name then k = v.name end
|
|
|
|
local new_group = {
|
|
symbols = {}
|
|
}
|
|
|
|
if v.enabled then new_group.enabled = v.enabled end
|
|
if v.disabled then new_group.disabled = v.disabled end
|
|
if v.max_score then new_group.max_score = v.max_score end
|
|
|
|
if v.symbol then
|
|
for sk,sv in metric_pairs(v.symbol) do
|
|
if sv.name then
|
|
sk = sv.name
|
|
sv.name = nil -- Remove field
|
|
end
|
|
|
|
new_group.symbols[sk] = sv
|
|
end
|
|
end
|
|
|
|
if not cfg.group then cfg.group = {} end
|
|
|
|
if cfg.group[k] then
|
|
cfg.group[k] = lua_util.override_defaults(cfg.group[k], new_group)
|
|
else
|
|
cfg.group[k] = new_group
|
|
end
|
|
|
|
logger.infox("overriding group %s from the legacy metric settings", k)
|
|
end
|
|
|
|
local function symbol_transform(cfg, k, v)
|
|
-- first try to find any group where there is a definition of this symbol
|
|
for gr_n, gr in pairs(cfg.group) do
|
|
if gr.symbols and gr.symbols[k] then
|
|
-- We override group symbol with ungrouped symbol
|
|
logger.infox("overriding group symbol %s in the group %s", k, gr_n)
|
|
gr.symbols[k] = lua_util.override_defaults(gr.symbols[k], v)
|
|
return
|
|
end
|
|
end
|
|
-- Now check what Rspamd knows about this symbol
|
|
local sym = rspamd_config:get_symbol(k)
|
|
|
|
if not sym or not sym.group then
|
|
-- Otherwise we just use group 'ungrouped'
|
|
if not cfg.group.ungrouped then
|
|
cfg.group.ungrouped = {
|
|
symbols = {}
|
|
}
|
|
end
|
|
|
|
cfg.group.ungrouped.symbols[k] = v
|
|
logger.debugx("adding symbol %s to the group 'ungrouped'", k)
|
|
end
|
|
end
|
|
|
|
local function test_groups(groups)
|
|
for gr_name, gr in pairs(groups) do
|
|
if not gr.symbols then
|
|
local cnt = 0
|
|
for _,_ in pairs(gr) do cnt = cnt + 1 end
|
|
|
|
if cnt == 0 then
|
|
logger.debugx('group %s is empty', gr_name)
|
|
else
|
|
logger.infox('group %s has no symbols', gr_name)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
local function convert_metric(cfg, metric)
|
|
if metric.actions then
|
|
cfg.actions = lua_util.override_defaults(cfg.actions, metric.actions)
|
|
logger.infox("overriding actions from the legacy metric settings")
|
|
end
|
|
if metric.unknown_weight then
|
|
cfg.actions.unknown_weight = metric.unknown_weight
|
|
end
|
|
|
|
if metric.subject then
|
|
logger.infox("overriding subject from the legacy metric settings")
|
|
cfg.actions.subject = metric.subject
|
|
end
|
|
|
|
if metric.group then
|
|
for k, v in metric_pairs(metric.group) do
|
|
group_transform(cfg, k, v)
|
|
end
|
|
else
|
|
if not cfg.group then
|
|
cfg.group = {
|
|
ungrouped = {
|
|
symbols = {}
|
|
}
|
|
}
|
|
end
|
|
end
|
|
|
|
if metric.symbol then
|
|
for k, v in metric_pairs(metric.symbol) do
|
|
symbol_transform(cfg, k, v)
|
|
end
|
|
end
|
|
|
|
return cfg
|
|
end
|
|
|
|
-- Converts a table of groups indexed by number (implicit array) to a
|
|
-- merged group definition
|
|
local function merge_groups(groups)
|
|
local ret = {}
|
|
for k,gr in pairs(groups) do
|
|
if type(k) == 'number' then
|
|
for key,sec in pairs(gr) do
|
|
ret[key] = sec
|
|
end
|
|
else
|
|
ret[k] = gr
|
|
end
|
|
end
|
|
|
|
return ret
|
|
end
|
|
|
|
-- Checks configuration files for statistics
|
|
local function check_statistics_sanity()
|
|
local local_conf = rspamd_paths['LOCAL_CONFDIR']
|
|
local local_stat = string.format('%s/local.d/%s', local_conf,
|
|
'statistic.conf')
|
|
local local_bayes = string.format('%s/local.d/%s', local_conf,
|
|
'classifier-bayes.conf')
|
|
|
|
if rspamd_util.file_exists(local_stat) and
|
|
rspamd_util.file_exists(local_bayes) then
|
|
logger.warnx(rspamd_config, 'conflicting files %s and %s are found: '..
|
|
'Rspamd classifier configuration might be broken!', local_stat, local_bayes)
|
|
end
|
|
end
|
|
|
|
-- Converts surbl module config to rbl module
|
|
local function surbl_section_convert(cfg, section)
|
|
local rbl_section = cfg.rbl.rbls
|
|
local wl = section.whitelist
|
|
for name,value in pairs(section.rules or {}) do
|
|
if rbl_section[name] then
|
|
logger.warnx(rspamd_config, 'conflicting names in surbl and rbl rules: %s, prefer surbl rule!',
|
|
name)
|
|
end
|
|
local converted = {
|
|
urls = true,
|
|
ignore_defaults = true,
|
|
}
|
|
|
|
if wl then
|
|
converted.whitelist = wl
|
|
end
|
|
|
|
for k,v in pairs(value) do
|
|
local skip = false
|
|
-- Rename
|
|
if k == 'suffix' then k = 'rbl' end
|
|
if k == 'ips' then k = 'returncodes' end
|
|
if k == 'bits' then k = 'returnbits' end
|
|
if k == 'noip' then k = 'no_ip' end
|
|
-- Crappy legacy
|
|
if k == 'options' then
|
|
if v == 'noip' or v == 'no_ip' then
|
|
converted.no_ip = true
|
|
skip = true
|
|
end
|
|
end
|
|
if k:match('check_') then
|
|
local n = k:match('check_(.*)')
|
|
k = n
|
|
end
|
|
|
|
if k == 'dkim' and v then
|
|
converted.dkim_domainonly = false
|
|
converted.dkim_match_from = true
|
|
end
|
|
|
|
if k == 'emails' and v then
|
|
-- To match surbl behaviour
|
|
converted.emails_domainonly = true
|
|
end
|
|
|
|
if not skip then
|
|
converted[k] = lua_util.deepcopy(v)
|
|
end
|
|
end
|
|
rbl_section[name] = lua_util.override_defaults(rbl_section[name], converted)
|
|
end
|
|
end
|
|
|
|
-- Converts surbl module config to rbl module
|
|
local function emails_section_convert(cfg, section)
|
|
local rbl_section = cfg.rbl.rbls
|
|
local wl = section.whitelist
|
|
for name,value in pairs(section.rules or {}) do
|
|
if rbl_section[name] then
|
|
logger.warnx(rspamd_config, 'conflicting names in emails and rbl rules: %s, prefer emails rule!',
|
|
name)
|
|
end
|
|
local converted = {
|
|
emails = true,
|
|
ignore_defaults = true,
|
|
}
|
|
|
|
if wl then
|
|
converted.whitelist = wl
|
|
end
|
|
|
|
for k,v in pairs(value) do
|
|
local skip = false
|
|
-- Rename
|
|
if k == 'dnsbl' then k = 'rbl' end
|
|
if k == 'check_replyto' then k = 'replyto' end
|
|
if k == 'hashlen' then k = 'hash_len' end
|
|
if k == 'encoding' then k = 'hash_format' end
|
|
if k == 'domain_only' then k = 'emails_domainonly' end
|
|
if k == 'delimiter' then k = 'emails_delimiter' end
|
|
if k == 'skip_body' then
|
|
skip = true
|
|
if v then
|
|
-- Hack
|
|
converted.emails = false
|
|
converted.replyto = true
|
|
else
|
|
converted.emails = true
|
|
end
|
|
end
|
|
if k == 'expect_ip' then
|
|
-- Another stupid hack
|
|
if not converted.return_codes then
|
|
converted.returncodes = {}
|
|
end
|
|
local symbol = value.symbol or name
|
|
converted.returncodes[symbol] = { v }
|
|
skip = true
|
|
end
|
|
|
|
if not skip then
|
|
converted[k] = lua_util.deepcopy(v)
|
|
end
|
|
end
|
|
rbl_section[name] = lua_util.override_defaults(rbl_section[name], converted)
|
|
end
|
|
end
|
|
|
|
return function(cfg)
|
|
local ret = false
|
|
|
|
if cfg['metric'] then
|
|
for _, v in metric_pairs(cfg.metric) do
|
|
cfg = convert_metric(cfg, v)
|
|
end
|
|
ret = true
|
|
end
|
|
|
|
if cfg.symbols then
|
|
for k, v in metric_pairs(cfg.symbols) do
|
|
symbol_transform(cfg, k, v)
|
|
end
|
|
end
|
|
|
|
check_statistics_sanity()
|
|
|
|
if not cfg.actions then
|
|
logger.errx('no actions defined')
|
|
else
|
|
-- Perform sanity check for actions
|
|
local actions_defs = {'no action', 'no_action', -- In case if that's added
|
|
'greylist', 'add header', 'add_header',
|
|
'rewrite subject', 'rewrite_subject', 'quarantine',
|
|
'reject', 'discard'}
|
|
|
|
if not cfg.actions['no action'] and not cfg.actions['no_action'] and
|
|
not cfg.actions['accept'] then
|
|
for _,d in ipairs(actions_defs) do
|
|
if cfg.actions[d] then
|
|
|
|
local action_score = nil
|
|
if type(cfg.actions[d]) == 'number' then
|
|
action_score = cfg.actions[d]
|
|
elseif type(cfg.actions[d]) == 'table' and cfg.actions[d]['score'] then
|
|
action_score = cfg.actions[d]['score']
|
|
end
|
|
|
|
if type(cfg.actions[d]) ~= 'table' and not action_score then
|
|
cfg.actions[d] = nil
|
|
elseif type(action_score) == 'number' and action_score < 0 then
|
|
cfg.actions['no_action'] = cfg.actions[d] - 0.001
|
|
logger.infox(rspamd_config, 'set no_action score to: %s, as action %s has negative score',
|
|
cfg.actions['no_action'], d)
|
|
break
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
local actions_set = lua_util.list_to_hash(actions_defs)
|
|
|
|
-- Now check actions section for garbage
|
|
actions_set['unknown_weight'] = true
|
|
actions_set['grow_factor'] = true
|
|
actions_set['subject'] = true
|
|
|
|
for k,_ in pairs(cfg.actions) do
|
|
if not actions_set[k] then
|
|
logger.warnx(rspamd_config, 'unknown element in actions section: %s', k)
|
|
end
|
|
end
|
|
|
|
-- Performs thresholds sanity
|
|
-- We exclude greylist here as it can be set to whatever threshold in practice
|
|
local actions_order = {
|
|
'no_action',
|
|
'add_header',
|
|
'rewrite_subject',
|
|
'quarantine',
|
|
'reject',
|
|
'discard'
|
|
}
|
|
for i=1,(#actions_order - 1) do
|
|
local act = actions_order[i]
|
|
|
|
if cfg.actions[act] and type(cfg.actions[act]) == 'number' then
|
|
local score = cfg.actions[act]
|
|
|
|
for j=i+1,#actions_order do
|
|
local next_act = actions_order[j]
|
|
if cfg.actions[next_act] and type(cfg.actions[next_act]) == 'number' then
|
|
local next_score = cfg.actions[next_act]
|
|
if next_score <= score then
|
|
logger.errx(rspamd_config, 'invalid actions thresholds order: action %s (%s) must have lower '..
|
|
'score than action %s (%s)', act, score, next_act, next_score)
|
|
ret = false
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
if not cfg.group then
|
|
logger.errx('no symbol groups defined')
|
|
else
|
|
if cfg.group[1] then
|
|
-- We need to merge groups
|
|
cfg.group = merge_groups(cfg.group)
|
|
ret = true
|
|
end
|
|
test_groups(cfg.group)
|
|
end
|
|
|
|
-- Deal with dkim settings
|
|
if not cfg.dkim then
|
|
cfg.dkim = {}
|
|
else
|
|
if cfg.dkim.sign_condition then
|
|
-- We have an obsoleted sign condition, so we need to either add dkim_signing and move it
|
|
-- there or just move sign condition there...
|
|
if not cfg.dkim_signing then
|
|
logger.warnx('obsoleted DKIM signing method used, converting it to "dkim_signing" module')
|
|
cfg.dkim_signing = {
|
|
sign_condition = cfg.dkim.sign_condition
|
|
}
|
|
else
|
|
if not cfg.dkim_signing.sign_condition then
|
|
logger.warnx('obsoleted DKIM signing method used, move it to "dkim_signing" module')
|
|
cfg.dkim_signing.sign_condition = cfg.dkim.sign_condition
|
|
else
|
|
logger.warnx('obsoleted DKIM signing method used, ignore it as "dkim_signing" also defines condition!')
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Again: legacy stuff :(
|
|
if not cfg.dkim.sign_headers then
|
|
local sec = cfg.dkim_signing
|
|
if sec and sec[1] then sec = cfg.dkim_signing[1] end
|
|
|
|
if sec and sec.sign_headers then
|
|
cfg.dkim.sign_headers = sec.sign_headers
|
|
end
|
|
end
|
|
|
|
-- DKIM signing/ARC legacy
|
|
for _, mod in ipairs({'dkim_signing', 'arc'}) do
|
|
if cfg[mod] then
|
|
if cfg[mod].auth_only ~= nil then
|
|
if cfg[mod].sign_authenticated ~= nil then
|
|
logger.warnx(rspamd_config,
|
|
'both auth_only (%s) and sign_authenticated (%s) for %s are specified, prefer auth_only',
|
|
cfg[mod].auth_only, cfg[mod].sign_authenticated, mod)
|
|
end
|
|
cfg[mod].sign_authenticated = cfg[mod].auth_only
|
|
end
|
|
end
|
|
end
|
|
|
|
if cfg.dkim and cfg.dkim.sign_headers and type(cfg.dkim.sign_headers) == 'table' then
|
|
-- Flatten
|
|
cfg.dkim.sign_headers = table.concat(cfg.dkim.sign_headers, ':')
|
|
end
|
|
|
|
-- Try to find some obvious issues with configuration
|
|
for k,v in pairs(cfg) do
|
|
if type(v) == 'table' and v[k] and type (v[k]) == 'table' then
|
|
logger.errx('nested section: %s { %s { ... } }, it is likely a configuration error',
|
|
k, k)
|
|
end
|
|
end
|
|
|
|
-- If neural network is enabled we MUST have `check_all_filters` flag
|
|
if cfg.neural then
|
|
if not cfg.options then
|
|
cfg.options = {}
|
|
end
|
|
|
|
if not cfg.options.check_all_filters then
|
|
logger.infox(rspamd_config, 'enable `options.check_all_filters` for neural network')
|
|
cfg.options.check_all_filters = true
|
|
end
|
|
end
|
|
|
|
-- Deal with IP_SCORE
|
|
if cfg.ip_score and (cfg.ip_score.servers or cfg.redis.servers) then
|
|
logger.warnx(rspamd_config, 'ip_score module is deprecated in honor of reputation module!')
|
|
|
|
if not cfg.reputation then
|
|
cfg.reputation = {
|
|
rules = {}
|
|
}
|
|
end
|
|
|
|
if not cfg.reputation.rules then cfg.reputation.rules = {} end
|
|
|
|
if not fun.any(function(_, v) return v.selector and v.selector.ip end,
|
|
cfg.reputation.rules) then
|
|
logger.infox(rspamd_config, 'attach ip reputation element to use it')
|
|
|
|
cfg.reputation.rules.ip_score = {
|
|
selector = {
|
|
ip = {},
|
|
},
|
|
backend = {
|
|
redis = {},
|
|
}
|
|
}
|
|
|
|
if cfg.ip_score.servers then
|
|
cfg.reputation.rules.ip_score.backend.redis.servers = cfg.ip_score.servers
|
|
end
|
|
|
|
if cfg.symbols and cfg.symbols['IP_SCORE'] then
|
|
local t = cfg.symbols['IP_SCORE']
|
|
|
|
if not cfg.symbols['SENDER_REP_SPAM'] then
|
|
cfg.symbols['SENDER_REP_SPAM'] = t
|
|
cfg.symbols['SENDER_REP_HAM'] = t
|
|
cfg.symbols['SENDER_REP_HAM'].weight = -(t.weight or 0)
|
|
end
|
|
end
|
|
else
|
|
logger.infox(rspamd_config, 'ip reputation already exists, do not do any IP_SCORE transforms')
|
|
end
|
|
end
|
|
|
|
if cfg.surbl then
|
|
if not cfg.rbl then
|
|
cfg.rbl = {
|
|
rbls = {}
|
|
}
|
|
end
|
|
if not cfg.rbl.rbls then
|
|
cfg.rbl.rbls = {}
|
|
end
|
|
surbl_section_convert(cfg, cfg.surbl)
|
|
logger.infox(rspamd_config, 'converted surbl rules to rbl rules')
|
|
cfg.surbl = {}
|
|
end
|
|
|
|
if cfg.emails then
|
|
if not cfg.rbl then
|
|
cfg.rbl = {
|
|
rbls = {}
|
|
}
|
|
end
|
|
if not cfg.rbl.rbls then
|
|
cfg.rbl.rbls = {}
|
|
end
|
|
emails_section_convert(cfg, cfg.emails)
|
|
logger.infox(rspamd_config, 'converted emails rules to rbl rules')
|
|
cfg.emails = {}
|
|
end
|
|
|
|
return ret, cfg
|
|
end
|