Are there similar settings to SA trusted_networks and local_networks?


Tobi

Jan 12, 2018, 4:41:09 AM
to rspamd
Hello list,

my first post here, so hopefully not asking something very obvious :-)

I'm testing rspamd on my servers and found no way to "migrate" the SpamAssassin trusted_networks and local_networks settings. I just saw local_addrs and added my networks there, but it seems that in this case all DNS-based checks are skipped.
Is there a way to tell rspamd that a list of networks is trustworthy and should not be checked against RBLs? I need to move the first untrusted hop (the one to be checked in RBLs) out of my networks. Currently the IPs of my gateway MX are checked in RBLs, which doesn't make much sense to me :-)

Thanks for any hint
Regards

tobi

Andrew Lewis

Jan 12, 2018, 5:20:04 AM
to rsp...@googlegroups.com

Hi,

Checks that are default-disabled for local networks should be sane,
see here:
https://rspamd.com/doc/tutorials/scanning_outbound.html#scanning-outbound-with-rspamd

If you want to disable RBLs only, you can use RBL module's
`local_exclude_ip_map` setting.

If you want some other set of checks, you can set check_local and
check_authenticated to true in options {} to re-enable all the
default-disabled checks, then use settings to disable the stuff you
don't want: https://rspamd.com/doc/configuration/settings.html

Best,
-AL.

Andrew Lewis

Jan 12, 2018, 5:32:28 AM
to rsp...@googlegroups.com

> If you want some other set of checks, you can set check_local and
> check_authenticated to true in options {} to re-enable all the
> default-disabled checks, then use settings to disable the stuff you
> don't want: https://rspamd.com/doc/configuration/settings.html

... Or supposing the addresses were not considered local in the first
place & you've not yet added them to local_addrs setting, you could
proceed straight to settings and disable whichever undesired checks
for these IPs.

Best,
-AL.

Tobi

Jan 12, 2018, 5:47:42 AM
to rspamd

On Friday, 12 January 2018 11:20:04 UTC+1, Andrew Lewis wrote:

> If you want to disable RBLs only, you can use RBL module's
> `local_exclude_ip_map` setting.

Does this mean that RBL checks are only disabled for local_addrs, or does it mean they're generally disabled for messages coming from local_addrs?
I still want RBL lookups for messages coming from local_addrs, but I just need rspamd to go one (or more) hop(s) back (in the Received headers) and take the first address NOT covered by the local_addrs parameter.
Somehow I have to tell rspamd what the first untrusted hop is which should be checked against RBLs.

Regards

tobi

Andrew Lewis

Jan 12, 2018, 6:20:32 AM
to rsp...@googlegroups.com

Hi,

>> If you want to disable RBLs only, you can use RBL module's
>> `local_exclude_ip_map` setting.
> Does this mean that rbl checks are only disabled for local_addrs or does
> it mean they're generally disabled for messages coming from local_addrs?

RBLs are default-disabled for authenticated users and local networks
(this can be configured per-RBL). Additionally you can disable RBLs
using RBL module's `local_exclude_ip_map` setting or the Settings
module.

> I still want rbl lookups for msg coming from local_addrs but I just need
> rspamd to go one (or more) hop(s) back (in received header) and take the
> first address NOT covered by local_addrs parameter.

That is not supported - rather run Rspamd on the MX if you can.

Best,
-AL.

Tobi

Jan 13, 2018, 11:48:26 AM
to rsp...@googlegroups.com

> That is not supported - rather run Rspamd on the MX if you can.

hm, that's sad :-)
Unfortunately it's not an option to move my whole scanners to the MXs. They have way too low resources to run my scanner environment. And I cannot move the MX to my current scanners, as my scanners also run the mailbox backends (a dovecot director setup does not allow director and backend running on the same dovecot instance).

Do you think there is a chance with a feature request for rspamd? Currently missing this feature is a stopper for me, although I like rspamd very much.

Cheers

tobi

Andrew Lewis

Jan 15, 2018, 7:00:15 AM
to rsp...@googlegroups.com
Hi,

> Currently missing this feature is a stopper for me, although I like
> rspamd very much

There is existing support for overriding IP from Lua, so you might do
this with a rule.

-- Look for this hostname to identify point of handoff
local FRIENDLY_HN = 'aluminium.tinfoilcat.org'
-- Override this IP (and missing/invalid IPs) only
local FRIENDLY_IP = '37.48.67.26'

rspamd_config.LOCAL_IP_OVERRIDE = {
  callback = function(task)
    local ip = task:get_from_ip()
    if ip then
      -- A valid connecting IP that is not the friendly host: leave it alone
      if ip:is_valid() and ip:to_string() ~= FRIENDLY_IP then
        return false
      end
    end
    -- Received headers come newest-first; the first hop received *by* the
    -- friendly host *from* somewhere else is the handoff point
    for _, r in ipairs(task:get_received_headers()) do
      if r['by_hostname'] == FRIENDLY_HN and r['from_hostname'] ~= FRIENDLY_HN then
        if r['real_ip'] and r['real_ip']:is_valid() then
          -- Replace the task's sender IP so RBL and other IP-based checks use it
          task:set_from_ip(r['from_ip'])
          return true, r['from_ip']
        end
      end
    end
  end,
  type = 'prefilter',
  priority = 11,
}

Best,
-AL.

Tobi

Jan 16, 2018, 8:50:19 AM
to rsp...@googlegroups.com
Hi Andrew

first of all: thanks a lot :-)
Based on your snippet I wrote a rule that mimics the SpamAssassin
trusted_networks setting.
I changed your code so FRIENDLY_HN and FRIENDLY_IP are "exploded" into
tables. This allows multiple values to be provided as trusted hosts.

-- Space-separated lists of trusted MX hostnames and their IPs
local FRIENDLY_HN = 'mx01.domain.tld mx02.domain.tld mx.other-domain.tld'
local FRIENDLY_IP = '203.0.113.1 203.0.113.2 203.0.113.3'

local FRIENDLY_HOST = {}
local FRIENDLY_ADDRS = {}
local delimiter = ' '

-- Explode the strings into tables, one entry per host / address
for match in (FRIENDLY_IP..delimiter):gmatch("(.-)"..delimiter) do
  table.insert(FRIENDLY_ADDRS, match)
end
for match in (FRIENDLY_HN..delimiter):gmatch("(.-)"..delimiter) do
  table.insert(FRIENDLY_HOST, match)
end

local function has_value(tab, val)
  for _, value in ipairs(tab) do
    if value == val then
      return true
    end
  end
  return false
end

rspamd_config.LOCAL_IP_OVERRIDE = {
  callback = function(task)
    local ip = task:get_from_ip()
    if ip then
      -- Connecting IP is valid but not one of our MX: nothing to override
      if ip:is_valid() and not has_value(FRIENDLY_ADDRS, ip:to_string()) then
        return false
      end
    end
    -- Newest Received header first: the first hop received by one of our MX
    -- from a host that is not one of our MX is the trust boundary
    for _, r in ipairs(task:get_received_headers()) do
      if has_value(FRIENDLY_HOST, r['by_hostname']) and not has_value(FRIENDLY_HOST, r['from_hostname']) then
        if r['real_ip'] and r['real_ip']:is_valid() then
          task:set_from_ip(r['from_ip'])
          return true, r['from_ip']
        end
      end
    end
  end,
  type = 'prefilter',
  priority = 11,
  score = 0.1,
}

First tests show it works as intended. IPs of my MX are replaced by
the IP of the server handing off to my MX, so the correct IP is queried
against RBLs.

Again thanks a lot for your help
Cheers

tobi
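An added example, not code from the thread, from rspamd or from SpamAssassin: the hop selection the thread is asking for (SpamAssassin's trusted_networks semantics) modelled in plain Python, so it runs without an rspamd instance. It goes beyond the two Lua rules above by keying trust off CIDR networks instead of a list of hostnames and single addresses, parsing Postfix-style Received headers, and walking the chain newest-first until it reaches a hop whose sending IP lies outside the trusted networks; that hop is the one an RBL lookup should target. All host names, addresses and Received header values are constructed for the example. One caveat the rules above leave implicit: only the hops above the trust boundary are believable, because everything below it was written by machines you do not control, which is why the forged "trusted-looking" 203.0.113.2 hop at the bottom of the sample chain is never consulted.

```python
"""SpamAssassin-style trusted_networks hop selection (added example, not
rspamd or SpamAssassin code). The Received chain is given newest hop first,
the order MTAs prepend headers and the order rspamd hands them to Lua."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Postfix-style "from <helo> (<rdns> [<ip>]) by <host>"; the rDNS part may be
# missing and IPv6 literals carry an "IPv6:" prefix. Other MTAs use other
# layouts, so this is a model of the common shape, not a complete parser.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"\s*(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?:IPv6:)?(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hop:
    helo: str                # name the peer announced: attacker-controlled
    rdns: Optional[str]      # reverse DNS as recorded by the receiving MTA
    ip: Optional[IPAddress]  # peer address as recorded by the receiving MTA
    by: str                  # host that wrote this header


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received header value; None if it has no from/by pair."""
    m = _RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    ip: Optional[IPAddress] = None
    if m.group("ip"):
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            ip = None  # garbage inside the brackets: no usable address
    return Hop(m.group("helo"), m.group("rdns"), ip, m.group("by"))


def parse_trusted(spec: str) -> List[IPNetwork]:
    """Space-separated CIDRs or single addresses, as in SA's trusted_networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_trusted(ip: IPAddress, nets: Iterable[IPNetwork]) -> bool:
    return any(ip in net for net in nets)  # v4-in-v6 (and vice versa) is False


def first_untrusted_hop(received: Iterable[str],
                        trusted: List[IPNetwork]) -> Optional[Hop]:
    """First hop (newest first) whose sending IP is outside every trusted net.

    Hops without a parseable IP (local submission, malformed headers) are
    skipped. None means every hop was trusted: keep the MTA-reported sender
    rather than overriding it."""
    for value in received:
        hop = parse_received(value)
        if hop is None or hop.ip is None:
            continue
        if is_trusted(hop.ip, trusted):
            continue  # one of our own MX/gateways relaying inward; keep walking
        return hop
    return None


# Constructed sample chain (newest first) for the setup in the thread:
# outside sender -> gateway MX 203.0.113.1 -> scanner. The bottom header was
# written by the outside sender and claims a "trusted" 203.0.113.2 address.
SAMPLE_RECEIVED = [
    "from mx01.domain.tld (mx01.domain.tld [203.0.113.1])\n"
    "\tby scanner01.domain.tld (Postfix) with ESMTPS id 4ABC123;\n"
    "\tFri, 12 Jan 2018 10:41:09 +0100 (CET)",
    "from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby mx01.domain.tld (Postfix) with ESMTP id 1DEF456;\n"
    "\tFri, 12 Jan 2018 10:41:08 +0100 (CET)",
    "from trusted-looking.example.org (trusted-looking.example.org [203.0.113.2])\n"
    "\tby mail.example.net with ESMTP; Fri, 12 Jan 2018 10:41:07 +0100",
]
TRUSTED = parse_trusted("203.0.113.0/24 127.0.0.0/8 ::1/128")


def demo() -> Optional[str]:
    """Address an RBL lookup should target for the sample chain."""
    hop = first_untrusted_hop(SAMPLE_RECEIVED, TRUSTED)
    return str(hop.ip) if hop else None
```

The decision is made on the bracketed address the receiving MTA recorded, never on the "from" hostname: that name is whatever the peer said in HELO, so a rule that trusts hops by from_hostname can be steered by a sender who announces one of your MX names. Returning None when every hop is trusted mirrors the `return false` branch of the Lua rules, leaving rspamd's own view of the connecting IP in place.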