From a1e7c618420c72364251f072e35834a48ab6a9a4 Mon Sep 17 00:00:00 2001 From: Andrew Lewis Date: Tue, 17 Feb 2015 09:46:40 +0200 Subject: Unbreak operation of rbl.lua in certain instances --- src/plugins/lua/rbl.lua | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua index 82955f13c..198e725f4 100644 --- a/src/plugins/lua/rbl.lua +++ b/src/plugins/lua/rbl.lua @@ -36,10 +36,7 @@ local private_ips = nil local rspamd_logger = require "rspamd_logger" local rspamd_ip = require "rspamd_ip" -local function validate_dns(lstr, rstr) - if (lstr:len() + rstr:len()) > 252 then - return false - end +local function validate_dns(lstr) for v in lstr:gmatch("[^%.]+") do if not v:match("^[%w-]+$") or v:len() > 63 or v:match("^-") or v:match("-$") then @@ -144,7 +141,7 @@ local function rbl_cb (task) if not havegot['helo'] then havegot['helo'] = task:get_helo() if havegot['helo'] == nil or - not validate_dns(havegot['helo'], rbl['rbl']) then + not validate_dns(havegot['helo']) then notgot['helo'] = true return end -- cgit v1.2.3 From 6088c2b15fec2aad5043a8b29b1ef250ae7d90dd Mon Sep 17 00:00:00 2001 From: Andrew Lewis Date: Tue, 17 Feb 2015 10:22:19 +0200 Subject: Make local/private IP exclusions work for all RBL types --- doc/markdown/modules/rbl.md | 4 ++-- src/plugins/lua/rbl.lua | 18 ++++++++++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/doc/markdown/modules/rbl.md b/doc/markdown/modules/rbl.md index bff67e31d..e27e94049 100644 --- a/doc/markdown/modules/rbl.md +++ b/doc/markdown/modules/rbl.md 
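Review bot: The rewritten `validate_dns(lstr)` no longer bounds the overall name length: the removed `> 252` test was the only such check, and the remaining loop limits each label to 63 characters but not the number of labels. The HELO value passed at the `rbl_cb` call site in the second hunk is supplied by the SMTP client, and it is presumably joined with the RBL zone to form the query name, so an over-long multi-label string now passes validation. A bound that does not depend on the zone would keep the limit, e.g. `if lstr:len() > 253 then return false end` as the first statement, or a combined-length check where the query name is built. Both `validate_dns` and `rbl_cb` continue outside the visible hunks.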
@@ -55,11 +55,11 @@ If set to true, do not use this RBL if the message sender is authenticated. - default_exclude_private_ips (false) -If true & private_ips is set appropriately, from/received RBL checks will ignore private IP address space. +If true & private_ips is set appropriately, do not use the RBL if the sending host address is in the private IP list & do not check received headers baring these addresses. - default_exclude_local (true) -If true, and local_exclude_ip_map has been set - exclude specified addresses/subnets from received/from RBL checks. +If true & local_exclude_ip_map has been set - do not use the RBL if the sending host address is in the local IP list & do not check received headers baring these addresses. Other parameters which can be set here are: diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua index 198e725f4..625333f01 100644 --- a/src/plugins/lua/rbl.lua +++ b/src/plugins/lua/rbl.lua @@ -133,6 +133,20 @@ local function rbl_cb (task) end end + if (rbl['exclude_local'] or rbl['exclude_private_ips']) and not notgot['from'] then + if not havegot['from'] then + havegot['from'] = task:get_from_ip() + if not havegot['from']:is_valid() then + notgot['from'] = true + end + end + if havegot['from'] and not notgot['from'] and ((rbl['exclude_local'] and + is_excluded_ip(havegot['from'])) or (rbl['exclude_private_ips'] and + is_private_ip(havegot['from']))) then + return + end + end + if rbl['helo'] then (function() if notgot['helo'] then @@ -180,10 +194,6 @@ local function rbl_cb (task) return end end - if (rbl['exclude_private_ips'] and is_private_ip(havegot['from'])) - or (is_excluded_ip(havegot['from']) and rbl['exclude_local']) then - return - end if (havegot['from']:get_version() == 6 and rbl['ipv6']) or (havegot['from']:get_version() == 4 and rbl['ipv4']) then task:get_resolver():resolve_a(task:get_session(), task:get_mempool(), -- cgit v1.2.3 From 9ad2a7d1e58101e4dea0695a6d56bce7a1f4bce3 Mon Sep 17 00:00:00 2001 
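Review bot: In the exclusion block added to `rbl_cb`, `havegot['from']:is_valid()` is called directly on the result of `task:get_from_ip()`, so a nil return raises before the nil-safe test `havegot['from'] and not notgot['from']` a few lines later is reached. Whether `get_from_ip()` can return nil is not visible here, but the later condition suggests it is expected, and an error at this point would presumably abort the callback and leave the message without any RBL lookups. Guard the call: `if not havegot['from'] or not havegot['from']:is_valid() then`. `rbl_cb` starts and ends outside the hunk.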
From: Andrew Lewis Date: Tue, 17 Feb 2015 12:47:17 +0200 Subject: Support emails dnsbl --- conf/modules.conf | 19 +++++++++++------- src/plugins/lua/rbl.lua | 51 ++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 62 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/conf/modules.conf b/conf/modules.conf index 1a4185c97..1fd71f2ed 100644 --- a/conf/modules.conf +++ b/conf/modules.conf @@ -201,6 +201,16 @@ rbl { } } + rambleremails { + symbol = RAMBLER_EMAILBL; + rbl = email-bl.rambler.ru; + from = false; + emails = true; + exclude_users = false; + exclude_private_ips = false; + exclude_local = false; + } + } } @@ -222,13 +232,8 @@ once_received { phishing { symbol = "PHISHING"; } -emails { - rule { - symbol = RAMBLER_EMAILBL; - dnsbl = email-bl.rambler.ru; - domain_only = false; - } -} +#emails { +#} spf { spf_cache_size = 2k; spf_cache_expire = 1d; diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua index 625333f01..852fe1f04 100644 --- a/src/plugins/lua/rbl.lua +++ b/src/plugins/lua/rbl.lua 
@@ -165,6 +165,51 @@ local function rbl_cb (task) end)() end + if rbl['emails'] then + (function() + if notgot['emails'] then + return + end + if not havegot['emails'] then + havegot['emails'] = task:get_emails() + if havegot['emails'] == nil then + notgot['emails'] = true + return + end + local cleanList = {} + for _, e in pairs(havegot['emails']) do + local localpart = e:get_user() + local domainpart = e:get_host() + if rbl['emails'] == 'domain_only' then + if not cleanList[domainpart] and validate_dns(domainpart) then + cleanList[domainpart] = true + end + else + if validate_dns(localpart) and validate_dns(domainpart) then + table.insert(cleanList, localpart .. '.' .. domainpart) + end + end + end + havegot['emails'] = cleanList + if not next(havegot['emails']) then + notgot['emails'] = true + return + end + end + if rbl['emails'] == 'domain_only' then + for domain, _ in pairs(havegot['emails']) do + task:get_resolver():resolve_a(task:get_session(), task:get_mempool(), + domain .. '.' .. rbl['rbl'], rbl_dns_cb, k) + end + else + for _, email in pairs(havegot['emails']) do + task:get_resolver():resolve_a(task:get_session(), task:get_mempool(), + email .. '.' .. rbl['rbl'], rbl_dns_cb, k) + end + end + end)() + end + if rbl['rdns'] then (function() if notgot['rdns'] then @@ -248,6 +293,7 @@ if type(rspamd_config.get_api_version) ~= 'nil' then rspamd_config:register_module_option('rbl', 'local_exclude_ip_map', 'string') rspamd_config:register_module_option('rbl', 'default_exclude_local', 'string') rspamd_config:register_module_option('rbl', 'private_ips', 'string') + rspamd_config:register_module_option('rbl', 'default_emails', 'string') end end @@ -286,6 +332,9 @@ end if(opts['default_exclude_local'] == nil) then opts['default_exclude_local'] = true end +if(opts['default_emails'] == nil) then + opts['default_emails'] = false +end if(opts['local_exclude_ip_map'] ~= nil) then local_exclusions = rspamd_config:add_radix_map(opts['local_exclude_ip_map']) end 
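Review bot: In the full-address branch of the new `emails` block, `table.insert(cleanList, localpart .. '.' .. domainpart)` adds an entry for every address, so repeated addresses in one message each trigger their own `resolve_a` call per RBL, while the `domain_only` branch de-duplicates through table keys. Since the address list comes from message content, the number of DNS queries is under the sender's control. Keying both branches the same way, `cleanList[localpart .. '.' .. domainpart] = true` with `for email, _ in pairs(havegot['emails']) do` in the lookup loop, removes the duplicates and lets the two resolve loops be merged; a cap on distinct names per message may also be worth adding. It is also worth confirming that `e:get_user()` and `e:get_host()` cannot return nil, because `validate_dns` calls a method on its argument. The enclosing `rbl_cb` extends beyond the hunk.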
@@ -296,7 +345,7 @@ end for key,rbl in pairs(opts['rbls']) do local o = { "ipv4", "ipv6", "from", "received", "unknown", "rdns", "helo", "exclude_users", - "exclude_private_ips", "exclude_local" + "exclude_private_ips", "exclude_local", "emails" } for i=1,table.maxn(o) do if(rbl[o[i]] == nil) then -- cgit v1.2.3 From 9e1b3fd96d6313535e02cb9ece8a90c0cb0062b2 Mon Sep 17 00:00:00 2001 From: Andrew Lewis Date: Tue, 17 Feb 2015 13:12:05 +0200 Subject: Since exclude_private_ips requires config to change behaviour now we can make it default true --- conf/modules.conf | 1 - doc/markdown/modules/rbl.md | 2 +- src/plugins/lua/rbl.lua | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/conf/modules.conf b/conf/modules.conf index 1fd71f2ed..6310f4326 100644 --- a/conf/modules.conf +++ b/conf/modules.conf @@ -87,7 +87,6 @@ rbl { default_from = true; default_received = false; default_exclude_users = true; - default_exclude_private_ips = true; private_ips = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 100.64.0.0/10 fc00::/7 fe80::/10 fec0::/10 ::1"; diff --git a/doc/markdown/modules/rbl.md b/doc/markdown/modules/rbl.md index 67f495892..6ffb46cda 100644 --- a/doc/markdown/modules/rbl.md +++ b/doc/markdown/modules/rbl.md @@ -57,7 +57,7 @@ If set to false, do not yield a result unless the response received from the RBL If set to true, do not use this RBL if the message sender is authenticated. -- default_exclude_private_ips (false) +- default_exclude_private_ips (true) If true & private_ips is set appropriately, do not use the RBL if the sending host address is in the private IP list & do not check received headers baring these addresses. diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua index 852fe1f04..792c92569 100644 --- a/src/plugins/lua/rbl.lua +++ b/src/plugins/lua/rbl.lua 
@@ -327,7 +327,7 @@ if(opts['default_exclude_users'] == nil) then
 opts['default_exclude_users'] = false
 end
 if(opts['default_exclude_private_ips'] == nil) then
- opts['default_exclude_private_ips'] = false
+ opts['default_exclude_private_ips'] = true
 end
 if(opts['default_exclude_local'] == nil) then
 opts['default_exclude_local'] = true
-- cgit v1.2.3
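Review bot: The flipped default `opts['default_exclude_private_ips'] = true` carries no comment on what it now implies. Since the exclusion test was moved ahead of the helo, emails and rdns checks earlier in this series, a sending address in the private list skips every check type for that RBL, and per the commit message this only takes effect when `private_ips` is configured. I would add above the assignment: `-- default on: skips all checks of an RBL for private sender IPs; relies on private_ips being set`.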