Rspamd: provide RFC7489 compliance for SPF, DKIM & DMARC #3690
Labels
area/configuration (file)
kind/update
Update an existing feature, configuration file or the documentation
service/security/rspamd
georglauterbach added the area/configuration (file), kind/update and service/security/rspamd labels on Dec 9, 2023
I updated and extended the original issue description quite heavily now. Please take a look at it again. I will re-open this issue and provide another PR that fixes the issue @2GetApp made me aware of and extends the current symbol weights.
georglauterbach added a commit that referenced this issue on Feb 29, 2024
I updated the symbol weights according to my new insights in #3690 to fix a bug pointed out by @2GetApp and to improve the logic itself. Previously, I reasoned about combinations of symbols that cannot exist, e.g., SPF allow, DKIM allow, DMARC reject. Removing these symbols and then reasoning about the rest is more appropriate. Moreover, I added `DMARC_POLICY_NA` and `DMARC_POLICY_SOFTFAIL` to the whole calculation. The issue description of #3690 I updated. I also added the Rust code I used to do and verify the calculations.
georglauterbach added a commit that referenced this issue on Mar 4, 2024
See updates to #3690:
Additional Rspamd Symbols
Rspamd has so-called composite symbols that trigger when a condition is met. Especially AUTH_NA and AUTH_NA_OR_FAIL will adjust the scores of various lines in the table above. This needs to be taken into account.
georglauterbach added a commit that referenced this issue on Mar 5, 2024
…3923)
* move `policies_group.conf` to correct location
  I originally assumed the file had to be placed into `scores.d`, but I now know that `local.d` is actually correct.
* add configuration for composite symbols
  See updates to #3690:
  Additional Rspamd Symbols
  Rspamd has so-called composite symbols that trigger when a condition is met. Especially AUTH_NA and AUTH_NA_OR_FAIL will adjust the scores of various lines in the table above. This needs to be taken into account.
* update CHANGELOG
About
Rspamd should comply with RFC7489 to the best of its abilities.
DMS' Action Scores
Milter action scores are configured to:
Symbols
DMARC policies can be
DKIM policies can be
SPF policies can be
Behavior
Here is a table of possible combinations of what can happen with SPF, DKIM & DMARC.

| SPF symbol (score) | DKIM symbol (score) | DMARC symbol (score) | Action (total score) |
|---|---|---|---|
| R_SPF_ALLOW (-1) | R_DKIM_ALLOW (-1) | DMARC_POLICY_ALLOW (-1) | pass (-3) |
| R_SPF_ALLOW (-1) | R_DKIM_ALLOW (-1) | DMARC_POLICY_NA (0.5) | pass (-1.5) |
| R_SPF_ALLOW (-1) | R_DKIM_ALLOW (-1) | DMARC_POLICY_SOFTFAIL (1.5) | pass (-0.5) |
| R_SPF_ALLOW (-1) | R_DKIM_NA (1) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (0) |
| R_SPF_ALLOW (-1) | R_DKIM_NA (1) | DMARC_POLICY_NA (0.5) | pass (0.5) |
| R_SPF_ALLOW (-1) | R_DKIM_NA (1) | DMARC_POLICY_SOFTFAIL (1.5) | pass (1.5) |
| R_SPF_ALLOW (-1) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (0.5) |
| R_SPF_ALLOW (-1) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_NA (0.5) | pass (1) |
| R_SPF_ALLOW (-1) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_SOFTFAIL (1.5) | pass (2) |
| R_SPF_ALLOW (-1) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (3.5) |
| R_SPF_ALLOW (-1) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_NA (0.5) | greylist (4) |
| R_SPF_ALLOW (-1) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (5) |
| R_SPF_NA (1.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (0.5) |
| R_SPF_NA (1.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_NA (0.5) | pass (1) |
| R_SPF_NA (1.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_SOFTFAIL (1.5) | pass (2) |
| R_SPF_NA (1.5) | R_DKIM_NA (1) | DMARC_POLICY_QUARANTINE (3) | greylist (5.5) |
| R_SPF_NA (1.5) | R_DKIM_NA (1) | DMARC_POLICY_REJECT (5.5) | add_header (8) |
| R_SPF_NA (1.5) | R_DKIM_NA (1) | DMARC_POLICY_NA (0.5) | pass (3) |
| R_SPF_NA (1.5) | R_DKIM_NA (1) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (4) |
| R_SPF_NA (1.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_QUARANTINE (3) | add_header (6) |
| R_SPF_NA (1.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_REJECT (5.5) | add_header (8.5) |
| R_SPF_NA (1.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_NA (0.5) | pass (3.5) |
| R_SPF_NA (1.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (4.5) |
| R_SPF_NA (1.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_QUARANTINE (3) | add_header (9) |
| R_SPF_NA (1.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_REJECT (5.5) | reject (11.5) |
| R_SPF_NA (1.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_NA (0.5) | add_header (6.5) |
| R_SPF_NA (1.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_SOFTFAIL (1.5) | add_header (7.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (1.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_NA (0.5) | pass (2) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_SOFTFAIL (1.5) | pass (3) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_NA (1) | DMARC_POLICY_QUARANTINE (3) | add_header (6.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_NA (1) | DMARC_POLICY_REJECT (5.5) | add_header (9) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_NA (1) | DMARC_POLICY_NA (0.5) | greylist (4) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_NA (1) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_QUARANTINE (3) | add_header (7) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_REJECT (5.5) | add_header (9.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_NA (0.5) | greylist (4.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (5.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_QUARANTINE (3) | add_header (10) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_REJECT (5.5) | reject (12.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_NA (0.5) | add_header (7.5) |
| R_SPF_SOFTFAIL (2.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_SOFTFAIL (1.5) | add_header (8.5) |
| R_SPF_FAIL (4.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_ALLOW_WITH_FAILURES (0) | pass (3.5) |
| R_SPF_FAIL (4.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_NA (0.5) | greylist (4) |
| R_SPF_FAIL (4.5) | R_DKIM_ALLOW (-1) | DMARC_POLICY_SOFTFAIL (1.5) | greylist (5) |
| R_SPF_FAIL (4.5) | R_DKIM_NA (1) | DMARC_POLICY_QUARANTINE (3) | add_header (8.5) |
| R_SPF_FAIL (4.5) | R_DKIM_NA (1) | DMARC_POLICY_REJECT (5.5) | reject (11) |
| R_SPF_FAIL (4.5) | R_DKIM_NA (1) | DMARC_POLICY_NA (0.5) | add_header (6) |
| R_SPF_FAIL (4.5) | R_DKIM_NA (1) | DMARC_POLICY_SOFTFAIL (1.5) | add_header (7) |
| R_SPF_FAIL (4.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_QUARANTINE (3) | add_header (9) |
| R_SPF_FAIL (4.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_REJECT (5.5) | reject (11.5) |
| R_SPF_FAIL (4.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_NA (0.5) | add_header (6.5) |
| R_SPF_FAIL (4.5) | R_DKIM_TEMPFAIL (1.5) | DMARC_POLICY_SOFTFAIL (1.5) | add_header (7.5) |
| R_SPF_FAIL (4.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_QUARANTINE (3) | reject (12) |
| R_SPF_FAIL (4.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_REJECT (5.5) | reject (14.5) |
| R_SPF_FAIL (4.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_NA (0.5) | add_header (9.5) |
| R_SPF_FAIL (4.5) | R_DKIM_PERMFAIL (4.5) | DMARC_POLICY_SOFTFAIL (1.5) | add_header (10.5) |

Rspamd Configuration File
Please see `scores.d/policies_group.conf`.
The Code that Generates All of This
Click me to unveil the Rust code behind the scenes.
You can copy this code and run it to print the table seen above. When you use Cargo, you may also use `cargo test` to check whether changes still conform to specifications.
Additional Rspamd Symbols
Rspamd has so-called composite symbols that trigger when a condition is met. Especially `AUTH_NA` and `AUTH_NA_OR_FAIL` will adjust the scores of various lines in the table above. This needs to be taken into account.
You Think There is Something Wrong Here?
In case you think a value should be changed, please copy the Rust code, apply your changes to the top, and then test the result. You may add additional tests to `combinations_produce_correct_milter_action` as well. Please justify why you disagree with the current setup.
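
The combination table in the issue description can be regenerated from its per-symbol weights. The following Rust sketch is an added example, not the issue author's collapsed code. The weights are copied from the table; the reachability rule in `possible`, the thresholds in `action` and all function names are assumptions read off the table rows, and composite symbols such as `AUTH_NA` are not modelled.

```rust
// Added example: weights are copied from the table in the issue; names are illustrative.
type Row = (&'static str, &'static str, &'static str, f64, &'static str);
const SPF: [(&str, f64); 4] = [
    ("R_SPF_ALLOW", -1.0), ("R_SPF_NA", 1.5), ("R_SPF_SOFTFAIL", 2.5), ("R_SPF_FAIL", 4.5),
];
const DKIM: [(&str, f64); 4] = [
    ("R_DKIM_ALLOW", -1.0), ("R_DKIM_NA", 1.0),
    ("R_DKIM_TEMPFAIL", 1.5), ("R_DKIM_PERMFAIL", 4.5),
];
const DMARC: [(&str, f64); 6] = [
    ("DMARC_POLICY_ALLOW", -1.0), ("DMARC_POLICY_ALLOW_WITH_FAILURES", 0.0),
    ("DMARC_POLICY_QUARANTINE", 3.0), ("DMARC_POLICY_REJECT", 5.5),
    ("DMARC_POLICY_NA", 0.5), ("DMARC_POLICY_SOFTFAIL", 1.5),
];

/// Which DMARC symbol can accompany an SPF/DKIM pair (assumed rule, read off the table).
fn possible(spf: &str, dkim: &str, dmarc: &str) -> bool {
    let passes = (spf == "R_SPF_ALLOW") as u8 + (dkim == "R_DKIM_ALLOW") as u8;
    match dmarc {
        "DMARC_POLICY_ALLOW" => passes == 2,
        "DMARC_POLICY_ALLOW_WITH_FAILURES" => passes == 1,
        "DMARC_POLICY_QUARANTINE" | "DMARC_POLICY_REJECT" => passes == 0,
        _ => true, // DMARC_POLICY_NA and DMARC_POLICY_SOFTFAIL occur with every pair
    }
}

/// Thresholds inferred from the table: 3.5 is pass, 4 greylist, 6 add_header, 11 reject.
fn action(score: f64) -> &'static str {
    match score {
        s if s >= 11.0 => "reject",
        s if s >= 6.0 => "add_header",
        s if s >= 4.0 => "greylist",
        _ => "pass",
    }
}

/// Enumerates every reachable combination in the same order as the table.
fn combinations() -> Vec<Row> {
    let mut rows = Vec::new();
    for &(spf, a) in SPF.iter() {
        for &(dkim, b) in DKIM.iter() {
            for &(dmarc, c) in DMARC.iter().filter(|d| possible(spf, dkim, d.0)) {
                rows.push((spf, dkim, dmarc, a + b + c, action(a + b + c)));
            }
        }
    }
    rows
}

fn main() {
    for (spf, dkim, dmarc, score, act) in combinations() {
        println!("{:<15} {:<16} {:<33} {:<10} ({:>4})", spf, dkim, dmarc, act, score);
    }
}
```

Changing a single weight and re-running shows which combinations cross a threshold, for example how far `R_DKIM_PERMFAIL` can drop before SPF-aligned mail stops being greylisted.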