rspamd: Added DQS RBLs when key is set

data/Dockerfiles/rspamd/docker-entrypoint.sh

@@ -124,4 +124,192 @@ for file in /hooks/*; do
   fi
 done
 
+# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
+if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
+    cat <<EOF > /etc/rspamd/custom/dqs-rbl.conf
+  # Autogenerated by mailcow. DO NOT TOUCH!
+  rbls {
+    spamhaus {
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        from = false;
+    }
+    spamhaus_from {
+        from = true;
+        received = false;
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        returncodes {
+          SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
+        }
+    }
+    spamhaus_authbl_received {
+        # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
+        rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
+        from = false;
+        received = true;
+        ipv6 = true;
+        returncodes {
+          SH_AUTHBL_RECEIVED = "127.0.0.20"
+        }
+    }
+    spamhaus_dbl {
+        # Add checks on the HELO string
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_DBL_SPAM = "127.0.1.2";
+            RBL_DBL_PHISH = "127.0.1.4";
+            RBL_DBL_MALWARE = "127.0.1.5";
+            RBL_DBL_BOTNET = "127.0.1.6";
+            RBL_DBL_ABUSED_SPAM = "127.0.1.102";
+            RBL_DBL_ABUSED_PHISH = "127.0.1.104";
+            RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
+            RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
+            RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
+        }
+    }
+    spamhaus_dbl_fullurls {
+        ignore_defaults = true;
+        no_ip = true;
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        selector = 'urls:get_host'
+        disable_monitoring = true;
+        returncodes {
+            DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
+            DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
+            DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
+            DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
+        }
+    }
+    spamhaus_zrd {
+        # Add checks on the HELO string also for DQS
+        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+            RBL_ZRD_FRESH_DOMAIN = [
+              "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+            ];
+            RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
+        }
+    }
+    "SPAMHAUS_ZEN_URIBL" {
+      enabled = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+      resolve_ip = true;
+      checks = ['urls'];
+      replyto = true;
+      emails = true;
+      ipv4 = true;
+      ipv6 = true;
+      emails_domainonly = true;
+      returncodes {
+        URIBL_SBL = "127.0.0.2";
+        URIBL_SBL_CSS = "127.0.0.3";
+        URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
+        URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
+        URIBL_DROP = "127.0.0.9";
+      }
+    }
+    SH_EMAIL_DBL {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net"
+      returncodes = {
+        SH_EMAIL_DBL = [
+          "127.0.1.2",
+          "127.0.1.4",
+          "127.0.1.5",
+          "127.0.1.6"
+        ];
+        SH_EMAIL_DBL_ABUSED = [
+          "127.0.1.102",
+          "127.0.1.104",
+          "127.0.1.105",
+          "127.0.1.106"
+        ];
+        SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
+      }
+    }
+    SH_EMAIL_ZRD {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net"
+      returncodes = {
+        SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+        SH_EMAIL_ZRD_FRESH_DOMAIN = [
+          "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+        ];
+        SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
+      }
+  }
+  "DBL" {
+      # override the defaults for DBL defined in modules.d/rbl.conf
+      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+      disable_monitoring = true;
+  }
+  "ZRD" {
+      ignore_defaults = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+      no_ip = true;
+      dkim = true;
+      emails = true;
+      emails_domainonly = true;
+      urls = true;
+      returncodes = {
+          ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+          ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
+      }
+  }
+  spamhaus_sbl_url {
+        ignore_defaults = true
+        rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
+        checks = ['urls'];
+        disable_monitoring = true;
+        returncodes {
+            SPAMHAUS_SBL_URL = "127.0.0.2";
+        }
+    }
+
+    SH_HBL_EMAIL {
+      ignore_defaults = true;
+      rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
+      emails_domainonly = false;
+      selector = "from('smtp').lower;from('mime').lower";
+      ignore_whitelist = true;
+      checks = ['emails', 'replyto'];
+      hash = "sha1";
+      returncodes = {
+        SH_HBL_EMAIL = [
+          "127.0.3.2"
+        ];
+      }
+    }
+
+    spamhaus_dqs_hbl {
+      symbol = "HBL_FILE_UNKNOWN";
+      rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
+      selector = "attachments('rbase32', 'sha256')";
+      ignore_whitelist = true;
+      ignore_defaults = true;
+      returncodes {
+        SH_HBL_FILE_MALICIOUS = "127.0.3.10";
+        SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
+      }
+    }
+  }
+EOF
+else
+  rm -rf /etc/rspamd/custom/dqs-rbl.conf
+fi
+
 exec "$@"

data/conf/rspamd/local.d/rbl.conf

@@ -2,6 +2,7 @@ rbls {
   interserver_ip {
     symbol = "RBL_INTERSERVER_IP";
     rbl = "rbl.interserver.net";
+    from = true;
     ipv6 = false;
     returncodes {
       RBL_INTERSERVER_BAD_IP = "127.0.0.2";
@@ -19,4 +20,7 @@ rbls {
       RBL_INTERSERVER_BAD_URI = "127.0.0.2";
     }
   }
-}
+
+.include(try=true,priority=5) "$LOCAL_CONFDIR/custom/dqs-rbl.conf"  
+
+}

data/conf/rspamd/local.d/rbl_group.conf

@@ -17,4 +17,261 @@ symbols = {
     score = 4.0;
     description = "Listed on Interserver RBL";
   }
+
+  "SPAMHAUS_ZEN" {
+      weight = 7.0;
+      }
+  "SH_AUTHBL_RECEIVED" {
+      weight = 4.0;
+      }
+  "RBL_DBL_SPAM" {
+      weight = 7.0;
+      }
+  "RBL_DBL_PHISH" {
+      weight = 7.0;
+      }
+  "RBL_DBL_MALWARE" {
+      weight = 7.0;
+      }
+  "RBL_DBL_BOTNET" {
+      weight = 7.0;
+      }
+  "RBL_DBL_ABUSED_SPAM" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_PHISH" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_MALWARE" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_BOTNET" {
+      weight = 3.0;
+      }
+  "RBL_ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "RBL_ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "SH_EMAIL_DBL" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_DBL_ABUSED" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "RBL_DBL_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "RBL_ZRD_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "SH_EMAIL_ZRD_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "SH_EMAIL_DBL_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "DBL" {
+      weight = 0.0;
+      description = "DBL unknown result";
+      groups = ["spamhaus"];
+  }
+  "DBL_SPAM" {
+      weight = 7;
+      description = "DBL uribl spam";
+      groups = ["spamhaus"];
+  }
+  "DBL_PHISH" {
+      weight = 7;
+      description = "DBL uribl phishing";
+      groups = ["spamhaus"];
+  }
+  "DBL_MALWARE" {
+      weight = 7;
+      description = "DBL uribl malware";
+      groups = ["spamhaus"];
+  }
+  "DBL_BOTNET" {
+      weight = 7;
+      description = "DBL uribl botnet C&C domain";
+      groups = ["spamhaus"];
+  }
+
+
+  "DBLABUSED_SPAM_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit spam";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_PHISH_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit phish";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_MALWARE_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit malware";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_BOTNET_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit botnet";
+      groups = ["spamhaus"];
+  }
+  
+  "DBL_ABUSE" {
+      weight = 5.5;
+      description = "DBL uribl abused legit spam";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_REDIR" {
+      weight = 1.5;
+      description = "DBL uribl abused spammed redirector domain";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_PHISH" {
+      weight = 5.5;
+      description = "DBL uribl abused legit phish";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_MALWARE" {
+      weight = 5.5;
+      description = "DBL uribl abused legit malware";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_BOTNET" {
+      weight = 5.5;
+      description = "DBL uribl abused legit botnet C&C";
+      groups = ["spamhaus"];
+  }
+  "DBL_PROHIBIT" {
+      weight = 0.0;
+      description = "DBL uribl IP queries prohibited!";
+      groups = ["spamhaus"];
+  }
+  "DBL_BLOCKED_OPENRESOLVER" {
+    weight = 0.0;
+    description = "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/";
+    groups = ["spamhaus"];
+  }
+  "DBL_BLOCKED" {
+    weight = 0.0;
+    description = "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/";
+    groups = ["spamhaus"];
+  }
+  "SPAMHAUS_ZEN_URIBL" {
+      weight = 0.0;
+      description = "Spamhaus ZEN URIBL: Filtered result";
+      groups = ["spamhaus"];
+  }
+  "URIBL_SBL" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_SBL_CSS" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_PBL" {
+      weight = 0.01;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_DROP" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_XBL" {
+      weight = 5.0;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "SPAMHAUS_SBL_URL" {
+      weight = 6.5;
+      description = "A numeric URL in the message body is listed in Spamhaus SBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_EMAIL" {
+      weight = 7;
+      description = "Email listed in HBL";
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_FILE_MALICIOUS" {
+      weight = 7;
+      description = "An attachment hash is listed in Spamhaus HBL as malicious";
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_FILE_SUSPICIOUS" {
+      weight = 5;
+      description = "An attachment hash is listed in Spamhaus HBL as suspicious";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_BTC" {
+      score = 7;
+      description = "Bitcoin found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_ETH" {
+      score = 7;
+      description = "Ethereum found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_BCH" {
+      score = 7;
+      description = "Bitcoinhash found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_XMR" {
+      score = 7;
+      description = "Monero found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_LTC" {
+      score = 7;
+      description = "Litecoin found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_XRP" {
+      score = 7;
+      description = "Ripple found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_HBL_URL" {
+      score = 7;
+      description = "URL found in spamhaus HBL blocklist";
+      groups = ["spamhaus"];
+  }
+
 }