doc:appunti:linux:sa:rspamd_spamassassin

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:rspamd_spamassassin [2023/11/16 12:21] – [Customize the score] niccolo
doc:appunti:linux:sa:rspamd_spamassassin [2024/01/26 15:22] – [ClamAV on TCP socket in Debian 12] niccolo
Line 256: Line 256:
 </file> </file>
  
-Local configuration must go into **local.d/rbl.conf**. Suppose we want to disable one RBL:+Local configuration must go into **local.d/rbl.conf**, here it is an example on how to add a custom RBL:
  
 <file> <file>
-rules +# Map containing additional IPv4/IPv6 addresses/subnets that should  
-    "RCVD_IN_DNSWL" { +# be excluded from checks where exclude_local is true (the default). 
-        enabled = false;+local_exclude_ip_map = "${LOCAL_CONFDIR}/maps.d/rbl_local_exclude_ip.map"; 
 + 
 +# Add a custom RBL. 
 +rbls 
 +    zen_rigacci { 
 +        # Checks to enable for this RBL. 
 +        # from: the sending IP that sent the message. 
 +        checks = ["from"]; 
 +        # Address used for RBL-testing. 
 +        rbl = "zen.rigacci.org"; 
 +        ipv4 = true; 
 +        ipv6 = true; 
 +        exclude_local = true; 
 +        local_exclude_ip_map = "${LOCAL_CONFDIR}/maps.d/zen_rigacci_exclude_ip.map"; 
 +        # Symbol to yeld. 
 +        symbol = "ZEN_RIGACCI"; 
 +        returncodes = { 
 +            # Apply a specific symbol instead of the generic one. 
 +            "ZEN_RIGACCI_CODE_1" = "127.0.0.1"; 
 +            "ZEN_RIGACCI_CODE_2" = "127.0.0.2"; 
 +            "ZEN_RIGACCI_CODE_3" = "127.0.0.3"; 
 +        } 
 +    } 
 +
 +</file> 
 + 
 +The file pointed by the **local_exclude_ip_map** option can be updated (adding or removing IP addresses or subnets) without the need to reload any service. 
 + 
 +A custom score can be defined into **local.d/rbl_group.conf**: 
 + 
 +<file> 
 +symbols = { 
 +    "ZEN_RIGACCI"
 +        weight = 6.2; 
 +        description = "From address is listed in ZEN Rigacci.Org"; 
 +        groups = ["zen_rigacci"]; 
 +    } 
 +
 + 
 +symbols = { 
 +    "ZEN_RIGACCI_CODE_1"
 +        weight = 6.8; 
 +        description = "From address is listed in ZEN Rigacci.Org, code 1"; 
 +        groups = ["zen_rigacci"]; 
 +    } 
 +
 +</file> 
 + 
 +Several RBLs are enabled per default in the Debian 12 install. if you want to disable some, just add the symbol into the **rbls** list with the option **enabled = false**: 
 + 
 +<file> 
 +rbls { 
 +    dnswl { 
 +      symbol = "RCVD_IN_DNSWL"; 
 +      enabled = false;
     }     }
 } }
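Review bot: in the rbl_group.conf block only ZEN_RIGACCI and ZEN_RIGACCI_CODE_1 get a weight, while returncodes in rbl.conf also maps ZEN_RIGACCI_CODE_2 and ZEN_RIGACCI_CODE_3; add entries for those two or say which score they end up with. The rbl.conf example also sets local_exclude_ip_map twice, at top level (rbl_local_exclude_ip.map) and inside zen_rigacci (zen_rigacci_exclude_ip.map), and the sentence about updating "the file" without a reload does not say which one is meant or how the two combine. Since that file exempts addresses from the check and edits take effect without a reload, it is worth stating who should be allowed to write to it. The descriptions say "From address is listed" although the comment on checks = ["from"] describes the sending IP, which reads as if the From: header were tested. Small fixes: "Symbol to yeld" should be "yield", "here it is an example on how" should be "here is an example of how", and "if you want" after the full stop needs a capital.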
Line 273: Line 327:
 # local.d/antivirus.conf # local.d/antivirus.conf
 clamav { clamav {
 +    # The antivirus engine to use.
 +    type = "clamav";
 +    servers = "127.0.0.1:3310";
     # If set, force this action if any virus is found (default unset: no action is forced).     # If set, force this action if any virus is found (default unset: no action is forced).
-    #action = "add_header";+    action = "reject"
 +    message = 'Forbidden: virus found: "${VIRUS}"';
     # If `max_size` is set, messages > n bytes in size are not scanned     # If `max_size` is set, messages > n bytes in size are not scanned
-    # symbol to add (add it to metric if you want non-zero weight) 
-    symbol = "CLAM_VIRUS"; 
     max_size = 20000000;     max_size = 20000000;
-    type = "clamav"; +    # Symbol to add (add it to metrics if you want non-zero weight). 
-    servers = "127.0.0.1:3310";+    # You can use this if you want to apply default actions based on score. 
 +    symbol = "CLAM_VIRUS";
     # Prefix used for caching in Redis: scanner-specific defaults are used.     # Prefix used for caching in Redis: scanner-specific defaults are used.
     # If Redis is enabled and multiple scanners of the same type are present,     # If Redis is enabled and multiple scanners of the same type are present,
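Review bot: with action = "reject" now forced, the max_size = 20000000 setting a few lines below becomes a gap worth documenting: by the existing comment, larger messages are not scanned, so they are never rejected by this module and never get CLAM_VIRUS. Say so next to the setting, or explain how oversized mail is handled. The message string puts "${VIRUS}" into the reply returned to the sender; mention that this exposes the matched signature name to whoever sent the mail, so the reader can choose a generic text instead. Style: the new action line is the only setting in the block without a trailing semicolon.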
Line 294: Line 351:
 } }
 </file> </file>
 +
 +If the **action** option is not set, the action based on the overall SPAM score is taken. In the example above we forced the //reject// action and using the **message** option we will create a specific SMTP 554 5.7.1 message for the virus found case.
  
 **NOTICE**: The optional section **patterns**: if one the patterns matches (the ones on the right of the equal sign), the specified symbol is added to the message, instead of the one specified at the module level. **NOTICE**: The optional section **patterns**: if one the patterns matches (the ones on the right of the equal sign), the specified symbol is added to the message, instead of the one specified at the module level.
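Review bot: the added paragraph states that the reply will be 554 5.7.1, but the antivirus block only sets action and message; point to the actions table, where reject is documented as a 554, so the reader sees where the code comes from. The sentence would read better split in two: "In the example above we force the //reject// action. The **message** option sets the text of the SMTP reply when a virus is found." In the NOTICE line kept as context, "if one the patterns matches" is missing "of".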
Line 334: Line 393:
 </code> </code>
  
-As you can see from the log below, an SPF fail does not trigger a significative SPAM score using the default metrics: only 0.90/18.00:+The ''VIOLATED_DIRECT_SPF'' is a composite symbol, it combines an SPF (soft) fail and has no Received or no trusted received relays. As you can see from the log below, an SPF fail does not trigger a significative SPAM score using the default metrics: only 0.90/18.00:
  
 <code> <code>
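Review bot: the new first sentence is a comma splice and loses its subject halfway ("it combines an SPF (soft) fail and has no Received ..."). Something like "''VIOLATED_DIRECT_SPF'' is a composite symbol: it combines an SPF fail or softfail with a message that has no Received headers or no trusted relays" keeps the meaning. It also needs a link to the next sentence, which goes back to a plain SPF fail and its 0.90/18.00 score without saying whether VIOLATED_DIRECT_SPF is part of that result. "significative" should be "significant".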
Line 342: Line 401:
     (default: F (no action): [0.90/18.00] [R_SPF_FAIL(1.00){-all;},     (default: F (no action): [0.90/18.00] [R_SPF_FAIL(1.00){-all;},
     MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:24940,     MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ASN(0.00){asn:24940,
-    ipnet:2a01:4f8::/32, country:DE;},DMARC_NA(0.00){texnet.it;},+    ipnet:2a01:4f8::/32, country:DE;},DMARC_NA(0.00){rigacci.org;},
     FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;},     FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;},
     RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},     RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},
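Review bot: the DMARC_NA domain is changed by hand inside what is presented as captured log output; make the same substitution wherever the old domain appears in the rest of this log block, otherwise the sample contradicts itself. If the aim is to anonymise the sample, note that asn:24940 and ipnet:2a01:4f8::/32 are still the original values.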
Line 481: Line 540:
 ^ add_header        | Add a header ''X-Spam: Yes'' to the message, but the message is eccepted for delivery.  | ^ add_header        | Add a header ''X-Spam: Yes'' to the message, but the message is eccepted for delivery.  |
 ^ rewrite_subject   | The message is accepted, but the ''Subject:'' header is modified according to the global //actions// => //subject// setting.  | ^ rewrite_subject   | The message is accepted, but the ''Subject:'' header is modified according to the global //actions// => //subject// setting.  |
-^ soft reject       | The message is rejected with a 451 SMTP status code, meaning a temporary problem. The sender MTA is notified with a temporary failure message and it should retry later. Notice that this action **is not a greylisting**when the message is retried the same rule applies again.  |+^ soft reject       | The message is rejected with a 451 SMTP status code, meaning a temporary problem. The sender MTA is notified with a temporary failure message and it should retry later. Notice that this action **is not a greylisting**when the message is retried the same rule applies again.  |
 ^ reject            | The message is reject witha 554 SMTP status code. The default message generated by the Postfix MTA is ''554 5.7.1 Matched map: TEST_SPAM_STRING''. The sender MTA should create a //sender non-delivery notification// | ^ reject            | The message is reject witha 554 SMTP status code. The default message generated by the Postfix MTA is ''554 5.7.1 Matched map: TEST_SPAM_STRING''. The sender MTA should create a //sender non-delivery notification// |
  
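Review bot: in the soft reject row the bold still runs straight into the next word ("**is not a greylisting**when"), so whatever punctuation this change meant to put there is not visible; it should read "**is not a greylisting**: when the message is retried the same rule applies again". While touching the table, the neighbouring rows have "eccepted" for "accepted" and "is reject witha 554" for "is rejected with a 554", and the last sentence of the reject row has no full stop.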
Line 563: Line 622:
 X-Rspamd-Action: rewrite subject X-Rspamd-Action: rewrite subject
 </file> </file>
 +
 +With the following example we add a custom **X-Virus** header if a symbol was added, e.g. by the antivirus module. In this case the antivirus module should not apply its own //reject// action, otherwise it is pointless to mangle the headers.
 +
 +<file>
 +# Add the X-Spamd-Result header and others to all the messages.
 +use = ["x-spamd-result", "x-spam-level", "x-spam-status", "x-virus"];
 +
 +# Implies X-Spamd-Result and add X-Rspamd-Queue-Id, X-Rspamd-Server and X-Rspamd-Action.
 +extended_spam_headers = true;
 +
 +# Special routine to add custon a X-Virus header upon specific symbols.
 +routines {
 +  x-virus {
 +    header = "X-Virus";
 +    remove = 0;
 +    # The following setting is an empty list by default and required to be set.
 +    # These are user-defined symbols added by the antivirus module.
 +    symbols = ["CLAM_VIRUS", "JUST_EICAR"];
 +  }
 +}
 +</file>
 +
  
 ===== Logging ===== ===== Logging =====
  
-Example to enable logging in milter protocol, create the file **/etc/rspamd/local.d/logging.inc** with:+Example to enable logging for the //milter// and the //rbl// modules: create the file **/etc/rspamd/local.d/logging.inc** with:
  
 <file> <file>
-debug_modules = ["milter"]+debug_modules = ["milter", "rbl"]
 </file> </file>
  
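Review bot: the x-virus routine only has an effect when the antivirus module does not reject, as the new paragraph says, but the antivirus example changed in this same revision sets action = "reject"; a reader who copies both gets no X-Virus header. State which of the two setups the page recommends, or show the antivirus block with action unset next to this routine. The symbols list names JUST_EICAR, which is not defined in any of the lines shown here; say where it comes from (the patterns section mentioned in the NOTICE would be the natural place). In the comment, "add custon a X-Virus header" should be "add a custom X-Virus header". For the logging change, note that debug_modules is meant for troubleshooting and should be removed afterwards, since debug output for milter and rbl is verbose.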
Line 593: Line 674:
 <code> <code>
 systemctl daemon-reload systemctl daemon-reload
 +systemctl restart clamav-daemon.socket
 systemctl restart clamav-daemon.service systemctl restart clamav-daemon.service
 </code> </code>
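Review bot: the added restart of clamav-daemon.socket runs while clamav-daemon.service may still be active, and systemd can refuse to start a socket unit whose service is already running; stop the service first, then restart the socket and the service, or confirm that the sequence works as written on Debian 12. Add a verification step after the restart, for example checking with ss -ltn that clamd listens on 127.0.0.1:3310 only, which is the address the antivirus.conf example uses; clamd's TCP port has no authentication, so it should not be reachable from other hosts.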
doc/appunti/linux/sa/rspamd_spamassassin.txt · Last modified: 2024/07/17 18:23 by niccolo