Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rspamd: whitelist/blacklist enhancement #5940

Closed
1 task done
stephdl opened this issue Nov 20, 2019 · 25 comments
Closed
1 task done

Rspamd: whitelist/blacklist enhancement #5940

stephdl opened this issue Nov 20, 2019 · 25 comments
Labels
verified All test cases were verified successfully

Comments

@stephdl
Copy link

stephdl commented Nov 20, 2019
edited by DavidePrincipi
Loading

The whitelist/blacklist of rspamd is designed to work with the second domain level, eg domain.org, so you blacklist or whitelist the domain and all subdomains: email:domain:tld

https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters

However when you try to blacklist/whitelist a subdomain, it won't work because rspamd extracts only the second level of the domain name

Proposed solution

  1. In rules evaluation, try to match both the eSLD (effective second level domain - rspamd :tld filter) and the whole domain suffix against the email address of the sender/recipient.

  2. Whitelist rules are always processed before the blacklist, thus allowing a subdomain (e.g. myhost.domain.com) to be whitelisted if a more generic rule wants to blacklist the entire domain (e.g. domain.com).

Docs changes

  • document the new behavior: clarify what happens by writing a top level domain or a subdomain record

Alternative solutions

as an alternative we could make a validator and refuse subdomain, asking or top level domain

See also

https://community.nethserver.org/t/whitelist-in-mail-server-not-working/13911/

thank jfernandez
@stephdl stephdl self-assigned this Nov 20, 2019
@stephdl stephdl mentioned this issue Nov 20, 2019
Merged
@jcfernandez-890825 jcfernandez-890825 mentioned this issue Nov 20, 2019
Closed
@DavidePrincipi
Copy link
Member

Added section

Docs changes

  • document the new behavior: clarify what happens by writing a top level domain or a subdomain record

stephdl added a commit to NethServer/nethserver-mail that referenced this issue Nov 22, 2019
@stephdl
Merge pull request #163 from stephdl/WlBlSubDomain
c342f00 
Whitelist/Blacklist sub.domain and domain NethServer/dev#5940
@nethbot
Copy link
Member

nethbot commented Nov 22, 2019

in 7.7.1908/testing:

@stephdl
Copy link
Author

stephdl commented Nov 22, 2019
edited
Loading

QA

The rspamd properties RecipientWhiteList, SenderBlackList, SenderWhiteList are split in three lists for each property following if it is an email address, a subdomain (sub.domain.org), or a domain (domain.org)

  • you must valid that that a subdomain goes to :
    /etc/rspamd/blacklist_from_subdomains.map
    /etc/rspamd/whitelist_to_subdomains.map
    /etc/rspamd/whitelist_from_subdomains.map

  • you must valid that that a domain goes to :
    /etc/rspamd/blacklist_from_domains.map
    /etc/rspamd/whitelist_to_domains.map
    /etc/rspamd/whitelist_from_domains.map

  • you must valid that that an email goes to :
    /etc/rspamd/blacklist_from.map
    /etc/rspamd/whitelist_to.map
    /etc/rspamd/whitelist_from.map

  • you must valid that when you blacklist/whitelist for a domain, domain AND all subdomains are blacklisted/Whitelisted
    symbol : FROM_DOMAINS_BLACKLIST
    symbol :TO_DOMAINS_WHITELIST
    symbol :FROM_DOMAINS_WHITELIST

  • you must valid that when you blacklist/whitelist for a subdomain, the subdomain is blacklisted/Whitelisted, all others subdomains and the domain are not blacklisted or whitelisted
    symbol : FROM_SUBDOMAINS_BLACKLIST
    symbol :TO_SUBDOMAINS_WHITELIST
    symbol :FROM_SUBDOMAINS_WHITELIST

  • you must valid that when you blacklist/whitelist for an email, only the email is blacklisted
    symbol : FROM_BLACKLIST
    symbol :TO_WHITELIST
    symbol :FROM_WHITELIST

you can trigger manually email with curl

@stephdl stephdl removed their assignment Nov 22, 2019
@stephdl stephdl added the testing Packages are available from testing repositories label Nov 22, 2019
@federicoballarini
Copy link
Member

Testing cases (1-3):

  • you must valid that that a subdomain goes to: OK
  • you must valid that that a domain goes to: OK
  • you must valid that that an email goes to: OK

@federicoballarini
Copy link
Member

Testing cases (4-6):

  • you must valid that when you blacklist/whitelist for a domain, domain AND all subdomains are blacklisted/Whitelisted: OK
  • you must valid that when you blacklist/whitelist for a subdomain, the subdomain is blacklisted/Whitelisted, all others subdomains and the domain are not blacklisted or whitelisted: OK
  • you must valid that when you blacklist/whitelist for an email, only the email is blacklisted: OK

@federicoballarini
Copy link
Member

Tested and verified.

@stephdl
Copy link
Author

stephdl commented Nov 25, 2019

thank @federicoballarini I really appreciated you job

@stephdl stephdl added the verified All test cases were verified successfully label Nov 25, 2019
@DavidePrincipi DavidePrincipi removed the testing Packages are available from testing repositories label Nov 25, 2019
@nethbot
Copy link
Member

nethbot commented Nov 25, 2019

in 7.7.1908/testing:

@stephdl stephdl added testing Packages are available from testing repositories and removed verified All test cases were verified successfully labels Nov 26, 2019
@DavidePrincipi DavidePrincipi removed the testing Packages are available from testing repositories label Nov 26, 2019
@DavidePrincipi
Copy link
Member

DavidePrincipi commented Nov 26, 2019
edited
Loading

NOT VERIFIED

It seems the pre-filter symbols are evaluated in the same order provided by rspamadm configdump output. There is a big difference between the stable RPM and the testing one:

--- rules.old	2019-11-26 16:27:27.005235429 +0100
+++ rules.new	2019-11-26 16:27:35.413229327 +0100
@@ -1,7 +1,10 @@
     TO_DOMAINS_WHITELIST {
+    FROM_SUBDOMAINS_WHITELIST {
+    TO_SUBDOMAINS_WHITELIST {
     FROM_BLACKLIST {
     FROM_WHITELIST {
     IP_WHITELIST {
     FROM_DOMAINS_BLACKLIST {
+    FROM_SUBDOMAINS_BLACKLIST {
     FROM_DOMAINS_WHITELIST {
     TO_WHITELIST {

An element falling into FROM_SUBDOMAINS_WHITELIST is now at 2nd place, whilst the current stable package puts it at the 2nd-to-last place (implicitly matched by FROM_DOMAINS_WHITELIST).

It seems we have no control over rules priority. We could ask Rspamd developers for that.

Furthermore I expect the IP_WHITELIST is evaluated before any other rule.

Blocks #5951

@DavidePrincipi DavidePrincipi mentioned this issue Nov 26, 2019
Closed
@stephdl
Copy link
Author

stephdl commented Nov 26, 2019

issue done upstream rspamd/rspamd#3165

@nethbot
Copy link
Member

nethbot commented Nov 27, 2019

in 7.7.1908/testing:

@stephdl stephdl mentioned this issue Nov 28, 2019
Closed
@nethbot
Copy link
Member

nethbot commented Nov 29, 2019

in 7.7.1908/testing:

@nethbot
Copy link
Member

nethbot commented Dec 2, 2019

in 7.7.1908/testing:

@nethbot
Copy link
Member

nethbot commented Dec 2, 2019

in 7.7.1908/testing:

@DavidePrincipi DavidePrincipi mentioned this issue Dec 5, 2019
Merged
DavidePrincipi added a commit to NethServer/nethserver-mail that referenced this issue Dec 6, 2019
@DavidePrincipi
Merge pull request #171 from DavidePrincipi/fix-multimap-regression3
e23a329 
Avoid rule evaluation order conflicts

- Evaluate sender blacklist later in filter stage
- Eval domain matches with and without :tld filter
- Start Bayes autolearn only if the score is out of the static range [-5,25], to avoid spam training with a good message just hitting FROM_BLACKLIST

NethServer/dev#5940
@DavidePrincipi DavidePrincipi removed their assignment Dec 6, 2019
@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Dec 6, 2019
@nethbot
Copy link
Member

nethbot commented Dec 6, 2019

in 7.7.1908/testing:

@DavidePrincipi
Copy link
Member

DavidePrincipi commented Dec 6, 2019
edited
Loading

Useful QA commands

Inspect currently expanded whitelist and blacklist rules:

grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort

Sample curl invocation

((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@nethserver.org --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I

Configuration settings for bayes expiry module should be 
added to the corresponding classifier section (for instance 
in the local.d/classifier-bayes.conf).
Bayes expiry module provides intelligent expiration of 
statistical tokens for the new schema of Redis statistics 
storage.

EOF

Test case 0 - sender blacklist

  • Add a complete address to the sender blacklist, and check the message is rejected (e.g. user@complete.example.com)
  • Add a third level domain like my.example.com to the sender black list, and check the message is rejected if the sender is in that domain
  • Add a second level domain like example.com to the sender black list, and check the message is rejected if the sender is in that domain

Test case 1 - sender whitelist vs sender blacklist

With the blacklist from test case 0:

  • Add the same complete sender address user@complete.example.com to the whitelist and check it wins over the blacklist rule. Message must be accepted
  • Add other.example.com to the sender whitelist and check that a sender from that domain is always accepted
  • Check a sender from example.com is still rejected

Test case 2 - recipient whitelist vs sender blacklist

Check that by setting a recipient whitelist rule it always wins against the blacklist sender rule.

Test case 3 - IP whitelist vs sender blacklist

Check that by setting an IP client whitelist in Relay > Configuration > Allow relay from IP addresses, the IP whitelist always wins over the sender blacklist

@stephdl stephdl self-assigned this Dec 6, 2019
@stephdl stephdl mentioned this issue Dec 6, 2019
Merged
@stephdl
Copy link
Author

stephdl commented Dec 6, 2019
edited
Loading

QA FAILED

you can find the QA LOG at https://gist.github.com/stephdl/c8eeb58f2e11ed66847e9cb6cb6b6cce

for me the QA has failed, even if the blacklist/whitelist works, because when you blacklist a domain.org you find two symbols (domains and subdomains), when you whitelist a domain.org you match the symbol of the sub.domain.org

I did a PR to use only one symbol, whether you match a domain.org or a sub.domain.org

stephdl added a commit to NethServer/nethserver-mail that referenced this issue Dec 6, 2019
@stephdl
Merge pull request #172 from stephdl/Fix5940
c52bee8 
Same symbol for domain|sub.domain WL|BL NethServer/dev#5940
@nethbot
Copy link
Member

nethbot commented Dec 6, 2019

in 7.7.1908/testing:

@DavidePrincipi
Copy link
Member

Test case 4

Check the /var/log/maillog contains the following symbols:

  • FROM_BLACKLIST
  • FROM_DOMAINS_BLACKLIST
  • TO_WHITELIST
  • TO_DOMAINS_WHITELIST
  • FROM_WHITELIST
  • FROM_DOMAINS_WHITELIST

The maillog must not match any of SUBDOMAINS_ variants.

@stephdl
Copy link
Author

stephdl commented Dec 9, 2019

QA FAILED

The maps for domain_blacklist & domain_whitelist doesn't work anymore because the symbol is already registered for sub_domain_blacklist & sub_domain_whitelist

in short the maps for sub_domain{blacklist,whitelist} are workable because first declared, but domains map are broken

Dec  9 15:46:32 ns7loc14 rspamd[5939]: <u7od8c>; lua; lua_squeeze_rules.lua:127: duplicate symbol registered: FROM_DOMAINS_BLACKLIST, skip
Dec  9 15:46:32 ns7loc14 rspamd[5939]: <u7od8c>; cfg; rspamd_register_symbol_fromlua: duplicate symbol: TO_DOMAINS_WHITELIST, skip registering
Dec  9 15:46:32 ns7loc14 rspamd[5939]: <u7od8c>; cfg; rspamd_register_symbol_fromlua: duplicate symbol: FROM_DOMAINS_WHITELIST, skip registering

@stephdl stephdl mentioned this issue Dec 9, 2019
Closed
@DavidePrincipi DavidePrincipi mentioned this issue Dec 10, 2019
Merged
@nethbot
Copy link
Member

nethbot commented Dec 10, 2019

in 7.7.1908/testing:

@stephdl
Copy link
Author

stephdl commented Dec 10, 2019
edited
Loading

Go back to QA

installed rpm

nethserver-mail-common-2.9.2-2.25.g9198bf5.ns7.noarch
nethserver-mail-smarthost-2.9.2-2.25.g9198bf5.ns7.noarch
nethserver-mail-filter-2.9.2-2.25.g9198bf5.ns7.noarch
nethserver-mail-server-2.9.2-2.25.g9198bf5.ns7.noarch
rspamd-1.9.4-3.x86_64
  • case 0.1 blacklist email
Dec 10 16:54:57 ns7loc13 rspamd[4341]: <f8b6e9>; proxy; rspamd_add_passthrough_result: <2.1575993297@nethservertest.org>: set pre-result to 'reject' (no score): 'Sender email address rejected' from force_actions(1)
Dec 10 16:54:58 ns7loc13 rspamd[4341]: <f8b6e9>; proxy; rspamd_task_write_log: id: <2.1575993297@nethservertest.org>, qid: <561EE60035D5>, ip: 192.168.56.14, from: <stephane@de-labrusse.fr>, (default: T (reject): [2.50/20.00] [HFILTER_HELO_IP_A(1.00){ns7loc13.nethservertest.org;},MV_CASE(0.50){},MX_INVALID(0.50){},FORGED_SENDER(0.30){davidep2@nethserver.org;stephane@de-labrusse.fr;},HFILTER_HELO_NORES_A_OR_MX(0.30){ns7loc13.nethservertest.org;},MIME_GOOD(-0.10){text/plain;},DMARC_NA(0.00){nethserver.org;},FORCE_ACTION_REJECT_FROM_BLACKLIST(0.00){reject;},FROM_BLACKLIST(0.00){stephane@de-labrusse.fr;},FROM_NEQ_ENVFROM(0.00){davidep2@nethserver.org;stephane@de-labrusse.fr;},FROM_NO_DN(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 491, time: 1472.820ms real, 7.415ms virtual, dns req: 20, digest: <bf523b6d01d7391f5e89517b89c71c56>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: reject "Sender email address rejected"; score=nan (set by force_actions)
Dec 10 16:54:58 ns7loc13 rspamd[4341]: <f8b6e9>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 1.30KiB scanned total
Dec 10 16:54:58 ns7loc13 postfix/cleanup[4364]: 561EE60035D5: milter-reject: END-OF-MESSAGE from ns7loc13.nethservertest.org[192.168.56.14]: 5.7.1 Sender email address rejected; from=<stephane@de-labrusse.fr> to=<postmaster@dpnet.nethesis.it> proto=ESMTP helo=<ns7loc13.nethservertest.org>
  • case 0.2 blacklist subdomain, domain.tld must not be BL
Dec 10 16:58:15 ns7loc13 rspamd[4618]: <574c3d>; proxy; rspamd_add_passthrough_result: <5.1575993495@nethservertest.org>: set pre-result to 'reject' (no score): 'Sender email address rejected' from force_actions(1)
Dec 10 16:58:16 ns7loc13 rspamd[4618]: <574c3d>; proxy; rspamd_task_write_log: id: <5.1575993495@nethservertest.org>, qid: <63C3760035D7>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: T (reject): [2.50/20.00] [HFILTER_HELO_IP_A(1.00){ns7loc13.nethservertest.org;},MV_CASE(0.50){},MX_INVALID(0.50){},FORGED_SENDER(0.30){davidep2@nethserver.org;stephanie@prometheus.de-labrusse.fr;},HFILTER_HELO_NORES_A_OR_MX(0.30){ns7loc13.nethservertest.org;},MIME_GOOD(-0.10){text/plain;},DMARC_NA(0.00){nethserver.org;},FORCE_ACTION_REJECT_FROM_BLACKLIST(0.00){reject;},FROM_NEQ_ENVFROM(0.00){davidep2@nethserver.org;stephanie@prometheus.de-labrusse.fr;},FROM_NO_DN(0.00){},FROM_SUBDOMAINS_BLACKLIST(0.00){prometheus.de-labrusse.fr;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 491, time: 1039.660ms real, 16.095ms virtual, dns req: 20, digest: <46ab2a9313f08c7d1a7f904ee702a40c>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: reject "Sender email address rejected"; score=nan (set by force_actions)
Dec 10 16:58:16 ns7loc13 rspamd[4618]: <574c3d>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 1.30KiB scanned total
Dec 10 16:58:16 ns7loc13 postfix/cleanup[4646]: 63C3760035D7: milter-reject: END-OF-MESSAGE from ns7loc13.nethservertest.org[192.168.56.14]: 5.7.1 Sender email address rejected; from=<stephanie@prometheus.de-labrusse.fr> to=<postmaster@dpnet.nethesis.it> proto=ESMTP helo=<ns7loc13.nethservertest.org>
  • case 0.3 domain.tld are BL, all subdomain must be BL
[root@ns7loc13 ~]# grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
/etc/rspamd/blacklist_from_domains.map:de-labrusse.fr

Dec 10 17:01:27 ns7loc13 rspamd[4907]: <76b223>; proxy; rspamd_add_passthrough_result: <6.1575993687@nethservertest.org>: set pre-result to 'reject' (no score): 'Sender email address rejected' from force_actions(1)
Dec 10 17:01:27 ns7loc13 rspamd[4907]: <76b223>; proxy; rspamd_task_write_log: id: <6.1575993687@nethservertest.org>, qid: <2CA6F60035DA>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: T (reject): [2.50/20.00] [HFILTER_HELO_IP_A(1.00){ns7loc13.nethservertest.org;},MV_CASE(0.50){},MX_INVALID(0.50){cached;},FORGED_SENDER(0.30){davidep2@nethserver.org;stephanie@prometheus.de-labrusse.fr;},HFILTER_HELO_NORES_A_OR_MX(0.30){ns7loc13.nethservertest.org;},MIME_GOOD(-0.10){text/plain;},DMARC_NA(0.00){nethserver.org;},FORCE_ACTION_REJECT_FROM_BLACKLIST(0.00){reject;},FROM_DOMAINS_BLACKLIST(0.00){de-labrusse.fr;},FROM_NEQ_ENVFROM(0.00){davidep2@nethserver.org;stephanie@prometheus.de-labrusse.fr;},FROM_NO_DN(0.00){},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 491, time: 101.681ms real, 12.448ms virtual, dns req: 10, digest: <dbaed8d4750117b4c3fd993497969cc1>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: reject "Sender email address rejected"; score=nan (set by force_actions)
Dec 10 17:01:27 ns7loc13 rspamd[4907]: <76b223>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 1.30KiB scanned total
Dec 10 17:01:27 ns7loc13 postfix/cleanup[5002]: 2CA6F60035DA: milter-reject: END-OF-MESSAGE from ns7loc13.nethservertest.org[192.168.56.14]: 5.7.1 Sender email address rejected; from=<stephanie@prometheus.de-labrusse.fr> to=<postmaster@dpnet.nethesis.it> proto=ESMTP helo=<ns7loc13.nethservertest.org>

Dec 10 17:02:24 ns7loc13 rspamd[4907]: <f0e366>; proxy; rspamd_add_passthrough_result: <7.1575993744@nethservertest.org>: set pre-result to 'reject' (no score): 'Sender email address rejected' from force_actions(1)
Dec 10 17:02:24 ns7loc13 rspamd[4907]: <f0e366>; proxy; rspamd_task_write_log: id: <7.1575993744@nethservertest.org>, qid: <B7DEA60035DA>, ip: 192.168.56.14, from: <stephanie@de-labrusse.fr>, (default: T (reject): [2.50/20.00] [HFILTER_HELO_IP_A(1.00){ns7loc13.nethservertest.org;},MV_CASE(0.50){},MX_INVALID(0.50){cached;},FORGED_SENDER(0.30){davidep2@nethserver.org;stephanie@de-labrusse.fr;},HFILTER_HELO_NORES_A_OR_MX(0.30){ns7loc13.nethservertest.org;},MIME_GOOD(-0.10){text/plain;},DMARC_NA(0.00){nethserver.org;},FORCE_ACTION_REJECT_FROM_BLACKLIST(0.00){reject;},FROM_DOMAINS_BLACKLIST(0.00){de-labrusse.fr;},FROM_NEQ_ENVFROM(0.00){davidep2@nethserver.org;stephanie@de-labrusse.fr;},FROM_NO_DN(0.00){},FROM_SUBDOMAINS_BLACKLIST(0.00){de-labrusse.fr;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 491, time: 185.192ms real, 15.267ms virtual, dns req: 16, digest: <751ff0eb92b6a4b22014042541f46070>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: reject "Sender email address rejected"; score=nan (set by force_actions)
Dec 10 17:02:24 ns7loc13 rspamd[4907]: <f0e366>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 1.30KiB scanned total
Dec 10 17:02:25 ns7loc13 postfix/cleanup[5002]: B7DEA60035DA: milter-reject: END-OF-MESSAGE from ns7loc13.nethservertest.org[192.168.56.14]: 5.7.1 Sender email address rejected; from=<stephanie@de-labrusse.fr> to=<postmaster@dpnet.nethesis.it> proto=ESMTP helo=<ns7loc13.nethservertest.org>
  • case 1.1 domain blacklisted, user WL
Dec 10 17:05:33 ns7loc13 rspamd[5365]: <3815c0>; proxy; rspamd_add_passthrough_result: <8.1575993933@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: FROM_WHITELIST' from multimap(1)
Dec 10 17:05:33 ns7loc13 rspamd[5365]: <3815c0>; proxy; rspamd_task_write_log: id: <8.1575993933@nethservertest.org>, qid: <A1AC660035D6>, ip: 192.168.56.14, from: <stephanie@de-labrusse.fr>, (default: F (no action): [0.00/20.00] [FROM_WHITELIST(0.00){stephanie@de-labrusse.fr;}]), len: 491, time: 28.565ms real, 12.040ms virtual, dns req: 1, digest: <3a19582794b7575e4541ef1335ac7f18>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: FROM_WHITELIST"; score=nan (set by multimap)
  • case 1.2 subdomain WL, check accepted
Dec 10 17:08:27 ns7loc13 rspamd[5599]: <9218b0>; proxy; rspamd_add_passthrough_result: <9.1575994107@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: FROM_SUBDOMAINS_WHITELIST' from multimap(1)
Dec 10 17:08:27 ns7loc13 rspamd[5599]: <9218b0>; proxy; rspamd_task_write_log: id: <9.1575994107@nethservertest.org>, qid: <6911A60035D6>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: F (no action): [0.00/20.00] [FROM_SUBDOMAINS_WHITELIST(0.00){prometheus.de-labrusse.fr;}]), len: 491, time: 27.164ms real, 10.199ms virtual, dns req: 1, digest: <ce28ac7c33680c6e45860c23bf830aea>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: FROM_SUBDOMAINS_WHITELIST"; score=nan (set by multimap)
  • case 1.3 domain WL, domain.tld must be accepted and all subdomain
[root@ns7loc13 ~]# grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
/etc/rspamd/blacklist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_from.map:stephanie@de-labrusse.fr

Dec 10 17:09:39 ns7loc13 rspamd[5806]: <cdbc35>; proxy; rspamd_add_passthrough_result: <10.1575994179@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: FROM_DOMAINS_WHITELIST' from multimap(1)
Dec 10 17:09:39 ns7loc13 rspamd[5806]: <cdbc35>; proxy; rspamd_task_write_log: id: <10.1575994179@nethservertest.org>, qid: <CB0FC60035DC>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: F (no action): [0.00/20.00] [FROM_DOMAINS_WHITELIST(0.00){de-labrusse.fr;}]), len: 494, time: 29.006ms real, 10.163ms virtual, dns req: 1, digest: <cdea4676eb87b4beab416370dda325e2>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: FROM_DOMAINS_WHITELIST"; score=nan (set by multimap)

Dec 10 17:09:53 ns7loc13 rspamd[5806]: <63e69c>; proxy; rspamd_add_passthrough_result: <11.1575994193@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: FROM_SUBDOMAINS_WHITELIST' from multimap(1)
Dec 10 17:09:53 ns7loc13 rspamd[5806]: <63e69c>; proxy; rspamd_task_write_log: id: <11.1575994193@nethservertest.org>, qid: <6AED760035DC>, ip: 192.168.56.14, from: <stephanie@de-labrusse.fr>, (default: F (no action): [0.00/20.00] [FROM_SUBDOMAINS_WHITELIST(0.00){de-labrusse.fr;}]), len: 494, time: 1.595ms real, 1.123ms virtual, dns req: 1, digest: <6fa46788adfdd897f8c8aed39b55ade3>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: FROM_SUBDOMAINS_WHITELIST"; score=nan (set by multimap)
  • case 2 check if domain is blacklisted whitelist_TO is WL
[root@ns7loc13 ~]# grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
/etc/rspamd/blacklist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_from.map:stephanie@de-labrusse.fr
/etc/rspamd/whitelist_to_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_to.map:stephanie@de-labrusse.fr

 10 17:21:58 ns7loc13 rspamd[7596]: <c3a474>; proxy; rspamd_add_passthrough_result: <16.1575994918@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: TO_WHITELIST' from multimap(1)
Dec 10 17:21:58 ns7loc13 rspamd[7596]: <c3a474>; proxy; rspamd_task_write_log: id: <16.1575994918@nethservertest.org>, qid: <6E96F60035E9>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: F (no action): [0.00/20.00] [TO_WHITELIST(0.00){stephanie@de-labrusse.fr;}]), len: 494, time: 17.332ms real, 2.932ms virtual, dns req: 1, digest: <69a46a5c1a326fc75b3fe85b990e1ab1>, rcpts: <stephanie@de-labrusse.fr>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: TO_WHITELIST"; score=nan (set by multimap)

Dec 10 17:20:40 ns7loc13 rspamd[7428]: <4211c4>; proxy; rspamd_add_passthrough_result: <15.1575994840@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: TO_SUBDOMAINS_WHITELIST' from multimap(1)
Dec 10 17:20:40 ns7loc13 rspamd[7428]: <4211c4>; proxy; rspamd_task_write_log: id: <15.1575994840@nethservertest.org>, qid: <54C6960035E8>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: F (no action): [0.00/20.00] [TO_SUBDOMAINS_WHITELIST(0.00){prometheus.de-labrusse.fr;}]), len: 494, time: 9.325ms real, 2.982ms virtual, dns req: 1, digest: <a460c136bd89d5c18655edd42a93318b>, rcpts: <stephane@prometheus.de-labrusse.fr>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: TO_SUBDOMAINS_WHITELIST"; score=nan (set by multimap)

Dec 10 17:18:12 ns7loc13 rspamd[6751]: <02f58d>; proxy; rspamd_add_passthrough_result: <14.1575994692@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: TO_DOMAINS_WHITELIST' from multimap(1)
Dec 10 17:18:12 ns7loc13 rspamd[6751]: <02f58d>; proxy; rspamd_task_write_log: id: <14.1575994692@nethservertest.org>, qid: <AFEE960035E7>, ip: 192.168.56.14, from: <stephanie@prometheus.de-labrusse.fr>, (default: F (no action): [0.00/20.00] [TO_DOMAINS_WHITELIST(0.00){de-labrusse.fr;}]), len: 494, time: 20.630ms real, 3.135ms virtual, dns req: 1, digest: <934e5ca56a115e53298a26008d2654a7>, rcpts: <stephane@prometheus.de-labrusse.fr>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: TO_DOMAINS_WHITELIST"; score=nan (set by multimap)
  • test case 3 IP must be whitelisted
[root@ns7loc13 ~]# grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
/etc/rspamd/blacklist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_ip.map:192.168.56.14
/etc/rspamd/whitelist_to_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_to.map:stephanie@de-labrusse.fr

Dec 10 17:32:14 ns7loc13 rspamd[8636]: <96396a>; proxy; rspamd_add_passthrough_result: <19.1575995534@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: IP_WHITELIST' from multimap(1)
Dec 10 17:32:14 ns7loc13 rspamd[8636]: <96396a>; proxy; rspamd_task_write_log: id: <19.1575995534@nethservertest.org>, qid: <A8C7160035E5>, ip: 192.168.56.14, from: <stephanie@de-labrusse.fr>, (default: F (no action): [0.00/20.00] [IP_WHITELIST(0.00){192.168.56.14;}]), len: 494, time: 47.454ms real, 15.723ms virtual, dns req: 1, digest: <d2c5c6df3ca06cf4b2e273356c843ba7>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: IP_WHITELIST"; score=nan (set by multimap)

but something fun if I set a SenderWhiteList the IP map is no more matched

[root@ns7loc13 ~]# grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
/etc/rspamd/blacklist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_from_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_ip.map:192.168.56.14
/etc/rspamd/whitelist_to_domains.map:de-labrusse.fr
/etc/rspamd/whitelist_to.map:stephanie@de-labrusse.fr

Dec 10 17:34:24 ns7loc13 rspamd[8892]: <5f4efd>; proxy; rspamd_add_passthrough_result: <20.1575995664@nethservertest.org>: set pre-result to 'no action' (no score): 'Matched map: FROM_SUBDOMAINS_WHITELIST' from multimap(1)
Dec 10 17:34:24 ns7loc13 rspamd[8892]: <5f4efd>; proxy; rspamd_task_write_log: id: <20.1575995664@nethservertest.org>, qid: <B511D60035DA>, ip: 192.168.56.14, from: <stephanie@de-labrusse.fr>, (default: F (no action): [0.00/20.00] [FROM_SUBDOMAINS_WHITELIST(0.00){de-labrusse.fr;}]), len: 494, time: 43.584ms real, 15.447ms virtual, dns req: 1, digest: <0d5dfbeea4e1dd21f15a229fa512faeb>, rcpts: <postmaster@dpnet.nethesis.it>, mime_rcpts: <postmaster@dpnet.nethesis.it>, forced: no action "Matched map: FROM_SUBDOMAINS_WHITELIST"; score=nan (set by multimap)

@stephdl
Copy link
Author

stephdl commented Dec 10, 2019

set verified

@stephdl stephdl added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 10, 2019
@stephdl stephdl removed their assignment Dec 10, 2019
@nethbot
Copy link
Member

nethbot commented Dec 10, 2019

in 7.7.1908/updates:

@DavidePrincipi
Copy link
Member

TODO: PR for admin's manual

@DavidePrincipi DavidePrincipi mentioned this issue Dec 11, 2019
Merged
DavidePrincipi added a commit to NethServer/docs that referenced this issue Dec 11, 2019
@DavidePrincipi
Clarify Allow/Block rules functioning (#461)
157995b 
NethServer/dev#5940
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
verified All test cases were verified successfully
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@DavidePrincipi @stephdl @federicoballarini @nethbot