
[Postfix/Rspamd] Do not reject unauthenticated sender mismatches but rewrite their subject and assign symbol SPOOFED_SENDER with score 1.0

andryyy 8 年之前
父节点
当前提交
073c6c6e73

+ 1 - 1
data/conf/postfix/main.cf

@@ -62,7 +62,7 @@ smtpd_sasl_authenticated_header = yes
 smtpd_sasl_path = inet:dovecot:10001
 smtpd_sasl_type = dovecot
 smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
-smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
+smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
 smtpd_soft_error_limit = 3
 smtpd_tls_auth_only = yes
 smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
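Review bot: With `reject_sender_login_mismatch` dropped from `smtpd_sender_restrictions`, an unauthenticated client whose envelope sender has an owner in `smtpd_sender_login_maps` is no longer refused at SMTP time. The only remaining signal is the Rspamd `SPOOFED_SENDER` symbol (score 1.0) and the `[Unauth]` subject tag added elsewhere in this commit. The control therefore depends on Rspamd actually scanning the message, so it is worth confirming what `milter_default_action` is set to (not visible in this hunk) for the case where the milter is unreachable. I would also record the trade-off next to the setting, e.g. `# unauthenticated sender/login mismatches are tagged by Rspamd (SPOOFED_SENDER) instead of rejected here`.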

+ 6 - 1
data/conf/rspamd/local.d/force_actions.conf

@@ -2,7 +2,7 @@ rules {
   DKIM_FAIL {
     action = "add header";
     expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
-    require_action = ["no action", "greylist"];
+    require_action = ["no action", "greylist", "soft reject"];
   }
   VIRUS_FOUND {
     action = "reject";
@@ -19,4 +19,9 @@ rules {
     expression = "WHITELISTED_FWD_HOST";
     require_action = ["greylist", "soft reject"];
   }
+  ADD_UNAUTH_SUBJ {
+    action = "rewrite subject";
+    subject = "[Unauth] %s";
+    expression = "SPOOFED_SENDER";
+  }
 }
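Review bot: `ADD_UNAUTH_SUBJ` carries no `require_action`, unlike `DKIM_FAIL` and the rule that ends just above it, so it appears to force `rewrite subject` whenever `SPOOFED_SENDER` fires, regardless of the action the score had already produced. A message that would otherwise have been rejected on score could then be delivered with only an `[Unauth]` prefix. Restricting the rule, for example with `require_action = ["no action", "greylist", "soft reject", "add header"];`, would leave `reject` intact. The expression also omits the `!MAILCOW_WHITE` exclusion that `DKIM_FAIL` uses, so whitelisted senders would be tagged as well; confirm that is intended.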

+ 4 - 0
data/conf/rspamd/local.d/metrics.conf

@@ -34,3 +34,7 @@ group "MX" {
 	  one_shot = "true";
 	}
 }
+symbol "SPOOFED_SENDER" {
+	description = "Sender is not authenticated but part of mailcow managed domains";
+	score = 1.0;
+}

+ 12 - 5
data/conf/rspamd/local.d/multimap.conf

@@ -1,22 +1,29 @@
 RCPT_MAILCOW_DOMAIN {
   type = "rcpt";
-  filter = "email:domain"
-  map = "redis://DOMAIN_MAP"
+  filter = "email:domain";
+  map = "redis://DOMAIN_MAP";
 }
 
 RCPT_WANTS_SUBJECT_TAG {
   type = "rcpt";
   filter = "email:addr"
-  map = "redis://RCPT_WANTS_SUBJECT_TAG"
+  map = "redis://RCPT_WANTS_SUBJECT_TAG";
 }
 
 WHITELISTED_FWD_HOST {
   type = "ip";
-  map = "redis://WHITELISTED_FWD_HOST"
+  map = "redis://WHITELISTED_FWD_HOST";
 }
 
 KEEP_SPAM {
   type = "ip";
-  map = "redis://KEEP_SPAM"
+  map = "redis://KEEP_SPAM";
   action = "accept";
 }
+
+SPOOFED_SENDER {
+  type = "rcpt";
+  filter = "email:domain";
+  map = "redis://DOMAIN_MAP";
+  require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";
+}
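Review bot: `SPOOFED_SENDER` is declared with `type = "rcpt"`, so it looks up the recipient domain in `DOMAIN_MAP`, exactly as `RCPT_MAILCOW_DOMAIN` does at the top of the file, while the symbol's description in metrics.conf refers to the sender. As written, ordinary unauthenticated inbound mail addressed to any managed domain would match and receive the `[Unauth]` subject; a sender check needs `type = "from";`. Even then the map would, as far as I know, test the envelope sender, so a message that spoofs only the `From:` header with a foreign envelope sender would stay untagged. That limitation deserves a comment on the rule. Separately, `filter = "email:addr"` in `RCPT_WANTS_SUBJECT_TAG` still lacks the trailing semicolon this commit adds to the neighbouring lines.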

+ 3 - 0
data/conf/rspamd/lua/rspamd.local.lua

@@ -58,6 +58,9 @@ rspamd_config:register_symbol({
     local redis_params = rspamd_parse_redis_server('dyn_rl')
     local rspamd_logger = require "rspamd_logger"
     local envfrom = task:get_from(1)
+    if not envfrom then
+      return false
+    end
     local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
     local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case