Rspamd使用通用配置语言(UCL)进行配置。Rspamd定义了几个变量和宏来扩展UCL功能。
最基础设置
C模块启动项在options.inc文件中配置。
# Included from top-level .conf file
filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
在filters定义加载模块。
Lua模块启动项在common.conf文件中配置
# A common rspamd configuration file
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
...
modules {
path = "$PLUGINSDIR/lua/"
}
在modules里定义需要加载的模块。
C模块
Chartable
该模块允许从消息文本部分的不同Unicode脚本中查找字符数。如果消息无法转换为UTF-8(例如,当它包含无法识别的字符集定义)时,该模块只检查ASCII和非ASCII字符之间的转换次数。
在modules.d/chartable.conf中配置该模块
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
chartable {
threshold = 0.300000;
symbol = "R_MIXED_CHARSET";
.include(try=true,priority=5) "${DBDIR}/dynamic/chartable.conf"
.include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/chartable.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/chartable.conf"
}
默认情况下Rspamd将扫描结果与阈值threshold进行比较。
DKIM该模块检查扫描的电子邮件的DKIM签名。配置文件在dkim.conf
- dkim_cache_size(或expire):DKIM密钥缓存的最大大小
- whitelist:不应使用DKIM检查的域的映射
- domains:DKIM使用更严格的分数
- strict_multiplier:如果从domains接收到,则将符号的值乘以该值
- trusted_only:不要检查所有域的DKIM签名,而不是从domains地图中检查
另外,可以通过定义lua脚本完成其他功能。例如,可以使用某些密钥来签出出站邮件。
要使用此功能,可以使用一个选项sign_condition来定义Lua脚本,用于分析任务对象并返回签名参数(如果需要签名)
key:域的私钥路径
selector:DKIM选择器值
domain:用于签名的域名
如果不需要签名,那么这个函数应该返回nil或false。这是一个learn_condition脚本的示例,用于对来自example.com域的邮件进行签名:
#dkim.conf
sign_condition =<<EOD
return function(task)
local from = task:get_from('smtp')
if from and from[1]['addr'] then
if string.find(from[1]['addr'], '@example.com$') then
return {
key = "/etc/dkim/example.com",
domain = "example.com",
selector = "test"
}
end
end
return false
end
EOD;
Fuzzy check
该模块旨在检查存储在模糊存储工作者中的特定模糊模式的消息。同时,该模块负责用消息模式学习模糊存储。
- symbol:要插入的默认符号(如果没有标志匹配)
- min_length:执行模糊检查的单词中文本部分的最小长度(默认 – 检查所有文本部分)
- min_bytes:最小的附件长度和以字节为单位的图像,以便在模糊存储中进行检查
- whitelist:IP列表跳过所有模糊检查
- timeout:等待回覆的超时
模糊规则被定义为一组规则定义。每个规则都必须有服务器列表来检查或学习,以及一组标记和可选参数。下面是规则设置的一个例子:
#fuzzy_check.conf
rule "FUZZY_CUSTOM" {
# List of servers, can be an array or multi-value item
servers = "127.0.0.1:11335";
# List of additional mime types to be checked in this fuzzy ("*" for any)
mime_types = ["application/*", "*/octet-stream"];
# Maximum global score for all maps
max_score = 20.0;
# Ignore flags that are not listed in maps for this rule
skip_unknown = yes;
# If this value is false, then allow learning for this fuzzy rule
read_only = no;
# Fast hash type
algorithm = "mumhash";
}
SURBL
该模块根据一个DNS列表扫描消息中的URL
下面是禁用SURBL配置:
#surbl.conf
rules {
"RAMBLER_URIBL" {
enabled = false;#enabled = true
}
}
SPF
正则表达式
Lua模块
Antivirus
该模块提供与病毒扫描程序的集成,目前支持ClamAV等。配置在antivirus.conf中
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
antivirus {
# multiple scanners could be checked, for each we create a configuration block with an arbitrary name
clamav {
# If set force this action if any virus is found (default unset: no action is forced)
# action = "reject";
# if `true` only messages with non-image attachments will be checked (default true)
attachments_only = true;
# If `max_size` is set, messages > n bytes in size are not scanned
#max_size = 20000000;
# symbol to add (add it to metric if you want non-zero weight)
symbol = "CLAM_VIRUS";
# type of scanner: "clamav", "fprot", "sophos" or "savapi"
type = "clamav";
# For "savapi" you must also specify the following variable
#product_id = 12345;
# You can enable logging for clean messages
#log_clean = true;
# servers to query (if port is unspecified, scanner-specific default is used)
# can be specified multiple times to pool servers
# can be set to a path to a unix socket
# Enable this in local.d/antivirus.conf
#servers = "127.0.0.1:3310";
# if `patterns` is specified virus name will be matched against provided regexes and the related
# symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
patterns {
# symbol_name = "pattern";
JUST_EICAR = "^Eicar-Test-Signature$";
}
# `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
whitelist = "/etc/rspamd/antivirus.wl";
}
.include(try=true,priority=5) "${DBDIR}/dynamic/antivirus.conf"
.include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/antivirus.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/antivirus.conf"
}
ARC
该模块检查扫描的电子邮件的ARC签名和密封。
配置示例如下:
#arc.conf
# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = false;
# If false, messages from authenticated users are not selected for signing
auth_only = true;
# Default path to key, can include '$domain' and '$selector' variables
path = "/var/lib/rspamd/arc/$domain.$selector.key";
# Default selector to use
selector = "arc";
# If false, messages from local networks are not selected for signing
sign_local = true;
# Symbol to add when message is signed
symbol_signed = "ARC_SIGNED";
# Whether to fallback to global config
try_fallback = true;
# Domain to use for ARC signing: can be "header" or "envelope"
use_domain = "header";
# Whether to normalise domains to eSLD
use_esld = true;
# Whether to get keys from Redis
use_redis = false;
# Hash for ARC keys in Redis
key_prefix = "ARC_KEYS";
# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/arc_selectors.map";
# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/arc_paths.map";
# Domain specific settings
domain {
example.com {
# Private key path
path = "/var/lib/rspamd/arc/example.key";
# Selector
selector = "ds";
}
}
ASN
Click house
该模块可以收集:扫描邮件的发件人/收件人/分数和元数据,如DKIM / DMARC / bayes /模糊状态以及有关URL和附件的信息。配置示例如下:
clickhouse {
# Push update when 1000 records are collected (1000 if unset)
limit = 1000;
# IP:port of Clickhouse server ("localhost:8123" if unset)
server = "localhost:8123";
# Timeout to wait for response (5 seconds if unset)
timeout = 5;
# How many bits of sending IP to mask in logs for IPv4 (19 if unset)
ipmask = 19;
# How many bits of sending IP to mask in logs for IPv6 (48 if unset)
ipmask6 = 48;
# Record URL paths? (default false)
full_urls = false;
# This parameter points to a map of domain names
# If a message has a domain in this map in From: header and DKIM signature,
# record general metadata in a table named after the domain
#from_tables = "/etc/rspamd/clickhouse_from.map";
# These are tables used to store data in Clickhouse
# Table used to store ASN information (default unset: not collected)
#asn_table = "rspamd_asn"; # default unset
# The following table names are set by default
# Set these if you use want to use different table names
#table = "rspamd"; # general metadata
#attachments_table = "rspamd_attachments"; # attachment metadata
#urls_table = "rspamd_urls"; # url metadata
# These are symbols of other checks in Rspamd
# Set these if you use non-default symbol names (unlikely)
#bayes_spam_symbols = ["BAYES_SPAM"];
#bayes_ham_symbols = ["BAYES_HAM"];
#fann_symbols = ["FANN_SCORE"];
#fuzzy_symbols = ["FUZZY_DENIED"];
#whitelist_symbols = ["WHITELIST_DKIM", "WHITELIST_SPF_DKIM", "WHITELIST_DMARC"];
#dkim_allow_symbols = ["R_DKIM_ALLOW"];
#dkim_reject_symbols = ["R_DKIM_REJECT"];
#dmarc_allow_symbols = ["DMARC_POLICY_ALLOW"];
#dmarc_reject_symbols = ["DMARC_POLICY_REJECT", "DMARC_POLICY_QUARANTINE"];
}
DCC
该模块执行DCC查找以确定消息是否为批量接收。
DKIM
该模块提供了一种相对简单的配置DKIM签名的方法。DKIM签名模块根据可以用各种设置修改的预定义策略选择签名域和选择器。该政策的描述如下:
- 要有资格签名,必须从经过身份验证的用户或保留的IP地址或sign_networks表中的地址(如果已定义)收到邮件
- 如果来自地址的信封不为空,则有效的二级域必须与MIME标题From匹配
- 如果有身份验证的用户存在,那么这个应该是@domain的后缀域名就是从地址中看到的信封/头
- 选择器和密钥路径从域特定配置(如果存在)中选择,返回到全局配置
配置如下:
# dkim_signing.conf
# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = false;
# If false, messages from authenticated users are not selected for signing
auth_only = true;
# Default path to key, can include '$domain' and '$selector' variables
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
# Default selector to use
selector = "dkim";
# If false, messages from local networks are not selected for signing
sign_local = true;
# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url
# Symbol to add when message is signed
symbol = "DKIM_SIGNED";
# Whether to fallback to global config
try_fallback = true;
# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";
# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
#use_domain_sign_networks = "header";
# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
#use_domain_sign_local = "header";
# Whether to normalise domains to eSLD
use_esld = true;
# Whether to get keys from Redis
use_redis = false;
# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";
# map of domains -> names of selectors (since rspamd 1.5.3)
#selector_map = "/etc/rspamd/dkim_selectors.map";
# map of domains -> paths to keys (since rspamd 1.5.3)
#path_map = "/etc/rspamd/dkim_paths.map";
# Domain specific settings
domain {
example.com {
# Private key path
path = "/var/lib/rspamd/dkim/example.key";
# Selector
selector = "ds";
}
}
DMARC
Emails Scan
该模块实现基于DNS或静态列表的电子邮件过滤。模块的配置是很常见的surbl模块。您可以定义多个rule部分,可以定义静态地图或DNS列表:
# emails.conf
rule "EMAILS_DNSBL" {
dnsbl = "emailbl.rambler.ru";
domain_only = true;
}
rule "EMAILS_STATIC" {
map = "/etc/rspamd/bad_emails.list";
}
Force Actions
该模块的目的是强制执行一个操作元素在本单元规则中有效:
- action:如果规则匹配,则强制执行该操作
- expression:符号或符号组合符合
- honor_action:此列表中的操作不应被覆盖
- message:MTA要使用的SMTP邮件
- require_action:仅在此列表中的度量标准操作时才覆盖操作
- subject:受制于度量设定rewrite subject行动
配置示例如下:
#force_actions.conf
rules {
# For each condition we want to force an action on we define a rule
# Rule is given a descriptive name
MY_WHITELIST {
# This is the action we want to force
action = "no action";
# If the following combination of symbols is present:
expression = "IS_IN_WHITELIST & !CLAM_VIRUS & !FPROT_VIRUS";
}
WHITELIST_EXCEPTION {
action = "reject";
expression = "IS_IN_WHITELIST & (CLAM_VIRUS | FPROT_VIRUS)";
# message setting sets SMTP message returned by mailer
message = "Rejected due to suspicion of virus";
}
DCC_BULK {
action = "rewrite subject";
# Here expression is just one symbol
expression = "DCC_BULK";
# subject setting sets metric subject for rewrite subject action
subject = "[BULK] %s";
# honor_action setting define actions we don't want to override
honor_action = ["reject", "soft reject", "add header"];
}
BAYES_SPAM_UPGRADE {
action = "add header";
expression = "BAYES_SPAM";
# require_action setting defines actions that will be overridden
require_action = ["no action", "greylist"];
}
}
Fuzzy collect
该模块旨在从一些孤立的垃圾邮件收集中收集模糊散列,并将其发布到使用复制协议的本地模糊存储。
要启用收集,您需要在垃圾邮件捕获器上设置Rspamd实例,其工作在仅收集模式。最基本配置如下:
# We skip common section and leave only relevant configuration
worker "fuzzy" {
bind_socket = "*:11335";
count = 1;
# Important to enable this
collection_only = true;
# This is needed to sign collections (will discuss later)
collection_signkey = "utenidt7xdkys5ite89w4gntrdgbsd9gp9rzjjtzzzwx693cei8y";
# This is needed to encrypt communication between collector and this storage
collection_keypair = {
pubkey = "ffg1m6rqi3doy7qggqbr4qjwxw6ahy56nr4zs47doz3nn6euhsty";
privkey = "y6qjkr4htunjwm7i9cxzzu413tnobe8cjmgmo916i1hdy4yh1s4y";
id = "eg6ccqr91bt7bkfspufk5kgrejr8sriypkixo5a5xje83nhd58jnjnusr9ppcjtkgyqc7x1fyqpqkazxk6wnnf9buuxbguspyme7trn";
encoding = "base32";
algorithm = "curve25519";
type = "kex";
}
# Allow local updates
allow_update = ["localhost"];
# Collection should be performed once per minute
sync = 1m;
}
# Needed for `rspamc fuzzy_add`
worker "controller" {
bind_socket = "localhost:11334";
secure_ips = "127.0.0.1";
}
# Needed to send hashes to local storage
fuzzy_check {
min_bytes = 100;
rule "main" {
timeout = 1s;
retransmits = 7;
servers = "localhost:11335";
symbol = "FUZZY_UNKNOWN";
mime_types = "*";
max_score = 20.0;
read_only = no;
skip_unknown = yes;
algorithm = "mumhash";
fuzzy_map = {
FUZZY_DENIED {
max_score = 20.0;
flag = 1;
}
FUZZY_PROB {
max_score = 10.0;
flag = 2;
}
FUZZY_WHITE {
max_score = 2.0;
flag = 3;
}
}
learn_condition =<<EOD
return function(task)
return true
end
EOD
}
}
Greylisting
该模块的目的是延迟垃圾邮件得分高于灰名单动作阈值的消息。
Greylisting模块为Redis中的每个消息保存2个哈希值:
- Meta哈希是基于三重from:to:ip
- Data哈希取自消息的正文,如果它有足够的长度
存储应用了某个掩码的IP地址:它是/19针对IPv4和/64IPv6的。每个散列都有自己的时间戳,Rspamd会检查以下时间:
- greylisting time – 消息应该被暂时拒绝
- expire time – 在Redis中存储灰名单哈希时
配置项在greylist.conf中:
- expire:setup hashing到期时间(默认为1天)
- greylist_min_score:分数低于此阈值的消息不会灰屏(默认未设置)
- ipv4_mask:掩码申请IPv4地址(默认为19)
- ipv6_mask:掩码来应用IPv6地址(默认为64)
- key_prefix:用于哈希存储在Redis中的前缀(rg默认情况下)
- max_data_len:用于身体散列的最大数据长度(默认为10kB)
- message:暂时拒绝原因信息(Try again later默认情况下)
- timeout:定义灰名单超时(默认为5分钟)
- whitelisted_ip:用于跳过灰名单的IP地址和/或子网的映射
- whitelist_domains_url:主机名的主机名和/或eSLD的地图,以跳过灰名单
要使用默认设置启用模块,您需要至少定义redis服务器来存储灰名单数据:
#greylist.conf
servers = "127.0.0.1:6379";
Redis history
该模块旨在将历史记录存储在Redis列表中,对字段进行更细粒度的控制,可选压缩和开箱即用的群集支持。配置如下:
#history_redis.conf
servers = 127.0.0.1:6379; # Redis server to store history
key_prefix = "rs_history"; # Default key name
nrows = 2000; # Default rows limit
compress = true; # Use zstd compression when storing data in redis
IP Score
IP分数在Redis中存储记录,IP Score需要ASN模块的查询信息。默认配置如下:
#ip_score.conf
# how each action is treated in scoring
actions {
reject = 1.0;
"add header" = 0.25;
"rewrite subject" = 0.25;
"no action" = 1.0;
}
# how each component is evaluated
scores {
asn = 0.5;
country = 0.1;
ipnet = 0.8;
ip = 1.0;
}
# prefix for asn hashes
asn_prefix = "a:";
# prefix for country hashes
country_prefix = "c:";
# hash table in redis used for storing scores
hash = "ip_score";
# prefix for subnet hashes
ipnet_prefix = "n:";
# minimum number of messages to be scored
lower_bound = 10;
# the metric to score (usually "default")
metric = "default";
# upper and lower bounds at which to cap total score
#max_score = 10;
#min_score = -5;
# Amount to divide subscores by before applying tanh
score_divisor = 10;
# list of servers (or configure redis globally)
#servers = "localhost";
# symbol to be inserted
symbol = "IP_SCORE";
您还必须为公制注册一些权重。例如,您可以将以下内容添加到metrics.conf:
symbol "IP_SCORE" {
weight = 2.0;
description = "IP reputation";
}
Mailing list
Metadata exporter
元数据导出器处理一组规则,它们识别有趣的消息,并将信息推送到外部服务(目前支持的是Redis Pub / Sub,HTTP POST&SMTP;用户定义的后端也可以使用)。可能的应用程序包括隔离,记录,警报和反馈回路。对于配置中定义的每个规则:
- 一个selector功能标识我们要导出元数据的消息(默认选择器选择所有消息)。
- 一个formatter功能提取从消息(默认格式返回完整的消息内容)格式的元数据。
- 一个pusher功能(由定义的backend设置)推动格式化的元数据的某处
默认配置如下:
metadata_exporter {
# Each rule defines some export process
rules {
# The following rule posts JSON-formatted metadata at the defined URL
# when it sees a rejected mail from an authenticated user
MY_HTTP_ALERT_1 {
backend = "http";
url = "http://127.0.0.1:8080/foo";
# More about selectors and formatters later
selector = "is_reject_authed";
formatter = "json";
}
# This rule posts all messages to a Redis Pub/Sub channel
MY_REDIS_PUBSUB_1 {
backend = "redis_pubsub";
channel = "foo";
# Default formatter and selector is used
}
# This rule sends an e-Mail alert over SMTP containing message metadata
# when it sees a rejected mail from an authenticated user
MY_EMAIL_1 {
backend = "send_mail";
smtp = "127.0.0.1";
mail_to = "user@example.com";
selector = "is_reject_authed";
formatter = "email_alert";
}
}
}
Metric exporter
该模块从rspamd手机统局数据,并将其提供到外部系统。Non-backend-specific配置如下
#metric_exporter.conf
# Backend: just "graphite" for now - MUST be set
backend = "graphite";
# List of metrics to export - MUST be set.
# See next section for list of metrics
metrics = [
"ham_count",
"spam_count",
];
# Below settings are optional and values shown will be used as defaults if these are unset:
# Statefile: Path to file at which to persist last run information
statefile = "$DBDIR/metric_exporter_last_push";
# Timeout in seconds for pushing stats to backend
timeout = 15;
# Interval in seconds at which stats should be pushed
interval = 120;
另外,backend-specific配置如下
# Hostname for Carbon: "localhost" if unset
host = "localhost";
# Port for Carbon: 2003 if unset
port = 2003;
# Prefix for metric names: "rspamd" if unset
metric_prefix = "rspamd";
MID
该模块是抑制某些特定域的DKIM签名的INVALID_MSGID消息的(格式错误消息id)和MISSING_MID(缺少消息id)规则。默认配置如下:
#mid.conf
mid = {
url = [
"${CONFDIR}/mid.inc",
];
}
Milter Header
该模块提供一种比较简单的方法来配置通过Rmilter来添加/删除头文件。默认配置如下:
# milter_headers.conf:
# Options
# Rmilter compatibility option (default false) (enables x-spamd-result, x-rspamd-server & x-rspamd-queue-id)
# extended_spam_headers = true;
# List of headers to be enabled for authenticated users (default empty)
# authenticated_headers = ["authentication-results"];
# List of headers to be enabled for local IPs (default empty)
# local_headers = ["x-spamd-bar"];
# Set false to always add headers for local IPs (default true)
# skip_local = true;
# Set false to always add headers for authenticated users (default true)
# skip_authenticated = true;
# Routines to use- this is the only required setting (may be omitted if using extended_spam_headers)
use = ["x-spamd-bar", "authentication-results"];
# this is where we may configure our selected routines
routines {
# settings for x-spamd-bar routine
x-spamd-bar {
# effectively disables negative spambar
negative = "";
}
# other routines...
}
custom {
# user-defined routines: more on these later
}
Mime type
Multmap模块(重点)
Multmap
该模块处理基于由Rspamd动态更新并被调用的不同类型的列表的规则maps。对于通过文件进行组织的白名单,黑名单和其他列表很有用。配置:
# multimap.conf
symbol {
type = "type";
map = "url";
# [optional params...]
}
symbol1 {
type = "type";
map = "from";
# [optional params...]
}
强制属性有:
- type- 地图类型
-
map – 具有列表的文件的路径,例如:
-
http://example.com/list-
HTTP映射,重新加载使用If-Modified-Since,可以签名 -
https://example.com/list
– HTTPS映射 – 与HTTP相同,但启用了TLS(使用证书检查) - file:///path/to/list – 文件映射,重新加载更改,可以签名
- /path/to/list – 文件映射的较短形式
- cdb://path/to/list.cdb- CDB地图在文件中,无法签名
- redis:// – Redis地图,读取字段中的哈希存储在关键字
-
可选属性:
- prefilter- 定义地图是否在预过滤器模式下使用
- action – 用于预过滤器地图定义由地图匹配设置的动作
- regexp- 设置为true如果您的地图包含正则表达式
- symbols- 该地图可以插入的符号数组(用于键值对),了解更多信息
- score- 符号的分数(可以在该metric部分重新定义)
- description – 地图描述
- group- 符号组(可重新定义metric)
- require_symbols- 必须符合特定消息的符号表达式:了解更多信息
- filter- 匹配输入的特定部分(例如,电子邮件域):这里是映射过滤器的完整定义
MX Check
Neural network
Phishing
该模块报告潜在的被钓鱼网址。默认配置如下
# Phishing.conf
phishing {
symbol = "R_PHISHING"; # Default symbol
# Check only domains from this list
domains = "file:///path/to/map";
# Make exclusions for known redirectors
# Entry format: URL/path for map, colon, name of symbol
redirector_domains = [
"${CONFDIR}/redirectors.map:REDIRECTOR_FALSE"
];
# For certain domains from the specified strict maps
# use another symbol for phishing plugin
strict_domains = [
"${CONFDIR}/paypal.map:PAYPAL_PHISHING"
];
}
Ratelimit
该模块限制来自某些发件人的邮件,将某些IP地址的某些收件人从这些参数中分离出来,将这些参数组合到一个单独的限制内。在默认配置中,没有指定缓存服务器,因此,除非将该选项添加到配置中,否则该模块将无法正常工作。
Ratelimit 模块支持以下配置选项:
- servers – 存储可用数据的服务器列表; 如果未设置,则使用全局设置
- symbol- 如果此选项被指定,则ratelimit插件只是添加相应的符号而不是设置预结果,该值被缩放为,tanh+ 双曲正切函数在哪里
- whitelisted_rcpts – 以逗号分隔的列入白名单的收件人列表。默认情况下,此选项的值为“postmaster,mailer-daemon”
- whitelisted_ip – IP地址或网络的地图列入白名单
- whitelisted_user – 从用户标识符中排除的用户名的映射
- max_delay – 任何限制桶的最大使用寿命(默认为1天)
- max_rcpt – 如果包含超过此值的收件人(默认为5),则不应用ratelimit。如果消息中有很多收件人,则此选项可以避免太多的设置桶的工作。
-
rates – 表格中允许的利率表格:
type = [burst,leak];type可以是下面的一种:
- bounce_to:限制每个收件人弹跳
- bounce_to_ip:每个收件人每ip限制跳出
- to:每个收件人的限制
- to_ip:每对收件人和发件人的IP地址限制
- to_ip_from:每三位数限制:收件人,发件人的信封和发件人的IP
- user:每个认证用户的限制(对出站限制有用)
RBL
该模块支持检查消息的发送方的IPv4 / IPv6源地址与一组RBL以及各种不太常规的使用RBL的方法:对于接收头中的地址; 针对发件人的反向DNS名称和SMTP时间下用于HELO / EHLO的参数。配置结构如下:
# rbl.conf
# default settings defined here
rbls {
# 'rbls' subsection under which the RBL definitions are nested
an_rbl {
# rbl-specific subsection
}
# ...
}
默认设置定义了使用RBL的方式,除非在特定于RBL的子节中被覆盖。
可以为以下参数设置默认值(如果未设置这些参数,则使用默认值),请注意,这些参数可能会在默认配置中重新定义):
- default_ipv4 (true)使用此RBL测试IPv4地址。
- default_ipv6 (false)使用此RBL测试IPv6地址。
- default_received (true)使用此RBL测试在Received标头中找到的IPv4 / IPv6地址。还应将RBL配置为检查IPv4 / IPv6地址之一。
- default_from (false)使用此RBL测试消息发送者的IPv4 / IPv6地址。还应将RBL配置为检查IPv4 / IPv6地址之一。
- default_rdns (false)使用此RBL测试消息发送者的反向DNS名称(传递给rspamd的主机名应已使用正向查找进行验证,特别是如果要用于提供白名单)。
- default_helo (false)使用此RBL测试在SMTP时间为HELO / EHLO发送的参数。
- default_dkim (false)使用此RBL测试在验证的DKIM签名中找到的域。
- default_dkim_domainonly (true)如果只有真测试顶级域,否则测试DKIM签名中找到的整个域。
- default_emails (false)使用此RBL以[localpart]形式测试电子邮件地址。[domainpart]。[rbl]或如果设置为“domain_only”使用[domainpart] [rbl]。
- default_unknown (false)如果设置为false,则不要产生结果,除非从RBL中收到的响应在其相关的returncodes {}子句中定义,否则返回RBL的默认符号。
- default_exclude_users (false)如果设置为true,则如果消息发送方已通过身份验证,则不要使用此RBL。
- default_exclude_private_ips (true)如果为真,如果发送主机地址处于local_addrs&不检查接收到的标头,这些地址不要使用RBL 。
- default_exclude_local (true)如果设置了true&local_exclude_ip_map – 如果发送主机地址在本地IP列表中,则不要使用RBL,并且不要检查接收到的标头,以便这些地址。
- default_is_whitelist (false)如果此列表上的真实匹配项应中和任何此设置为false并且ignore_whitelists不为true的列表。
- default_ignore_whitelists (false)如果为真,则此列表不应被白名单中和。
- local_exclude_ip_map可以设置为IPv4 / IPv6地址和子网列表的URL,不被exclude_local检查视为本地排除。
- hash适用于helo和emailsRBL类型 – 查找散列而不是文字字符串。此参数的可能值是sha1,sha256,sha384,sha512和md5或默认哈希算法的任何其他值。
- disable_monitoring布尔值,完全禁用监视
- monitored_address固定地址检查缺席(1.0.0.127默认情况下)
RBL特定小节的结构如下:
# Descriptive name of RBL or symbol if symbol is not defined.
an_rbl {
# Explicitly defined symbol
symbol = "SOME_SYMBOL";
# RBL-specific defaults (where different from global defaults)
#The global defaults may be overridden using 'helo' to override 'default_helo' and so on.
ipv6 = true;
ipv4 = false;
# Address used for RBL-testing
rbl = "v6bl.example.net";
# Possible responses from RBL and symbols to yield
returncodes {
# Name_of_symbol = "address";
EXAMPLE_ONE = "127.0.0.1";
EXAMPLE_TWO = "127.0.0.2";
}
}
Received policy
该模块的目的是对一个Received header的邮件进行简单的检查。这些检查背后的想法是,合法邮件可能不止一个header,还有一些糟糕的模式,比如动态或宽带,这些都是被黑客入侵的用户机器的垃圾邮件所常见的。配置示例如下:
once_received {
# lines are used to negate this module for certain hosts
good_host = "^mail";
# lines are used to specify certain bad patterns
bad_host = "static";
bad_host = "dynamic";
# for emails with bad patterns or with unresolvable hostnames
symbol_strict = "ONCE_RECEIVED_STRICT";
# for generic one received mail
symbol = "ONCE_RECEIVED";
# define a list of networks for which once_received checks should be excluded.
whitelist = "/tmp/ip.map";
}
Replies
该模块收集经过身份验证的用户发送的消息的message-id头,并将相应的散列存储到Redis中,后者将在可配置的时间之后过期(默认为1天)。此外,它还将所有接收到的消息和检查的头信息都进行了散列(即。消息发送到我们的系统发出的消息的响应中)-并产生一个符号,可以用来调整评分或强制采取行动(很可能是“不采取行动”)根据配置。
- 动作(null)如果设置,将给定的操作应用于标识为回复的消息(通常将设置为“无操作”以接受)。
- 到期(86400)时间(以秒为单位),之后到期记录(默认为一天)。
- key_prefix(rr)字符串前缀为Redis中的键。
- 消息(消息回复我们发起的一个)当行动被迫时通过的讯息。
- 服务器(null)Redis主机的逗号分隔列表
-
符号(REPLY)符号在标识为回复的消息上产生。
# replies.conf # This setting is non-default & may be desirable #action = "no action"; # These are default settings you may want to change expire = 86400; key_prefix = "rr"; message = "Message is reply to one we originated"; symbol = "REPLY"; # Module specific redis configuration #servers = "localhost";
Rspamd update
模块允许加载rspamd规则,调整符号分数和操作,而不需要完全守护程序重新启动。 rspamd_update提供了在不更新rspamd本身的情况下更新新规则和分数更改的方法。
更新结构:
- symbols- 已经在rspamd中的符号的新分数列表(加载priority = 1以覆盖默认设置)
- actions- 行动分数列表(也载入priority = 1)
-
rules- 将加载到rspamd中的lua代码片段列表,可以使用rspamd_config全局注册新的规则
示例如下:rules = { test =<<EOD rspamd_config.TEST = { callback = function(task) return true end, score = 1.0, description = 'test', } EOD } actions = { greylist = 3.4, } symbols = { R_DKIM_ALLOW = -0.5, }
Spamassassin rule
该模块旨在为rspamd读取和采用spamassassin规则。该插件的目标是在rspamd内本地重用现有的spamassassin规则。此插件的配置非常简单:只需将所有SA规则粘贴到单个文件中,并将其提供给spamassassin模块:
spamassassin {
ruleset = "/path/to/file";
# Limit search size to 100 kilobytes for all regular expressions
match_limit = 100k;
# Those regexp atoms will not be passed through hyperscan:
pcre_only = ["RULE1", "__RULE2"];
}
Spamtrap
使用spamtrap模块,您可以捕获垃圾邮件陷阱的电子邮件,甚至捕获所有的域。配置参数如下:
- action:您可以选择设置一个动作
- symbol:如果发现收件人和垃圾邮件被收集的电子邮件/域之间的匹配,将插入的符号的名称。默认为“SPAMTRAP”
- score:这个符号的得分。它默认为中性0.0
- learn_fuzzy:启用或禁用模糊学习的布尔值。默认为“false”
- learn_spam:Boolean启用或禁用bayes垃圾邮件学习。默认为“false”
- fuzzy_flag:模糊标志,它必须与fuzzy_check中定义的标志匹配“被拒绝”规则
- fuzzy_weight:模糊规则的权重因子。默认为10.0
- key_prefix:用于查找垃圾邮件记录的Redis前缀。它默认为’sptr_’
-
map:您可以定义一个正则表达式映射,该映射将自动禁用此模块的Redis
action = "no action"; score = 1.0; learn_fuzzy = true; learn_spam = true; map = file://$LOCAL_CONFDIR/maps.d/spamtrap.map; enabled = true;
Trie
URL redirector
这个模块为SURBL模块提供了一个连接到引用或参照重定向。要启用它,redirector_hosts_map必须在SURBL配置中设置:
# surbl.conf
redirector_hosts_map = "/etc/rspamd/redirectors.inc";
可以设置以下配置来控制URL重定向器模块的行为:
# url_redirector.conf
# How long to cache dereferenced links in Redis (default 1 day)
expire = 1d;
# Timeout for HTTP requests (10 seconds by default)
timeout = 10; # 10 seconds by default
# How many nested redirects to follow (default 1)
nested_limit = 1;
# Prefix for keys in redis (default "rdr:")
key_prefix = "rdr:";
# Check SSL certificates (default false)
check_ssl = false;
max_size = 10k; # maximum body to process
URL reputation
URL信誉插件过滤URL的相关性,并为持久存在于Redis中的所选TLD分配动态声誉(有关配置redis的信息,请参阅此处)。要启用它,应在以下位置设置以下内容/etc/rspamd/local.d/url_reputation.conf:
# url_reputation.conf
enabled = true;
配置示例如下:
# url_reputation.conf
# Key prefix for redis - default "Ur."
key_prefix = "Ur.";
# Symbols to insert - defaults as shown
symbols {
white = "URL_REPUTATION_WHITE";
black = "URL_REPUTATION_BLACK";
grey = "URL_REPUTATION_GREY";
neutral = "URL_REPUTATION_NEUTRAL";
}
# DKIM/DMARC/SPF allow symbols - defaults as shown
foreign_symbols {
dmarc = "DMARC_POLICY_ALLOW";
dkim = "R_DKIM_ALLOW";
spf = "R_SPF_ALLOW";
}
# SURBL metatags to ignore - default as shown
ignore_surbl = ["URIBL_BLOCKED", "DBL_PROHIBIT", "SURBL_BLOCKED"];
# Amount of samples required for scoring - default 5
threshold = 5;
# Maximum number of TLDs to update reputation on (default 1)
update_limit = 1;
# Maximum number of TLDs to query reputation on (default 100)
query_limit = 100;
# If true, try to find most 'relevant' URL (default true)
relevance = true;
URL tags
Whitelist
白名单模块旨在否定或增加已知来自受信任来源的某些消息的分数。白名单配置非常简单。您可以在rules段内定义一组规则 。每个规则必须具有domains指定域的映射(如果指定为字符串)或域的直接列表(如果指定为数组)的属性。
允许以下约束:
- valid_spf:需要有效的SPF策略
- valid_dkim:需要DKIM验证
- valid_dmarc:需要有效的DMARC策略
三种工作模式:
- whitelist(默认):当找到域并且满足定义的约束之一时添加符号(例如valid_dmarc)
- blacklist:当一个域已发现添加符号和定义的约束之一是NOT满足(例如valid_dmarc)
- strict:当已经找到域并且当定义的某些约束失败时,满足定义的约束(例如valid_dmarc)和添加具有POSITIVE(垃圾邮件)分数的符号之后,添加带有负(ham)分数的符号
可选设置:
- score:默认分数
- group:默认组(whitelist如果未明确指定,则使用组)
- one_shot:默认单次拍摄模式
- description:默认描述
配置示例如下:
# whitelist.conf
whitelist {
rules {
WHITELIST_SPF = {
valid_spf = true;
domains = [
"github.com",
];
score = -1.0;
}
WHITELIST_DKIM = {
valid_dkim = true;
domains = [
"github.com",
];
score = -2.0;
}
WHITELIST_SPF_DKIM = {
valid_spf = true;
valid_dkim = true;
domains = [
["github.com", 2.0],
];
score = -3.0;
}
STRICT_SPF_DKIM = {
valid_spf = true;
valid_dkim = true;
strict = true;
domains = [
["paypal.com", 2.0],
];
score = -3.0; # For strict rules negative score should be defined
}
BLACKLIST_DKIM = {
valid_spf = true;
valid_dkim = true;
blacklist = true;
domains = "/some/file/blacklist_dkim.map";
score = 3.0; # Note positive score here
}
WHITELIST_DMARC_DKIM = {
valid_dkim = true;
valid_dmarc = true;
domains = [
"github.com",
];
score = -7.0;
}
}
}
版权声明:本文为weixin_37958284原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。