rspamd: disable checks for authenticated users (#3440)

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>

docs/content/config/environment.md

@@ -338,6 +338,15 @@ The purpose of this setting is to opt-out of starting an internal Redis instance
 - 0 => Disabled
 - 1 => Enabled
 
+##### RSPAMD_CHECK_AUTHENTICATED
+
+This settings controls whether checks should be performed on emails coming from authenticated users (i.e. most likely outgoing emails). The default value is `0` in order to align better with SpamAssassin. **We recommend** reading through [the Rspamd documentation on scanning outbound emails][rspamd-scanning-outbound] though to decide for yourself whether you need and want this feature.
+
+- **0** => No checks will be performed for authenticated users
+- 1 => All default checks will be performed for authenticated users
+
+[rspamd-scanning-outbound]: https://rspamd.com/doc/tutorials/scanning_outbound.html
+
 ##### RSPAMD_GREYLISTING
 
 Controls whether the [Rspamd Greylisting module][rspamd-greylisting-module] is enabled. This module can further assist in avoiding spam emails by [greylisting] e-mails with a certain spam score.

docs/content/config/security/rspamd.md

@@ -21,11 +21,12 @@ The following environment variables are related to Rspamd:
 
 1. [`ENABLE_RSPAMD`](../environment.md#enable_rspamd)
 2. [`ENABLE_RSPAMD_REDIS`](../environment.md#enable_rspamd_redis)
-3. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
-4. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
-5. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
-6. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
-7. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
+3. [`RSPAMD_CHECK_AUTHENTICATED`](../environment.md#rspamd_check_authenticated)
+4. [`RSPAMD_GREYLISTING`](../environment.md#rspamd_greylisting)
+5. [`RSPAMD_HFILTER`](../environment.md#rspamd_hfilter)
+6. [`RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE`](../environment.md#rspamd_hfilter_hostname_unknown_score)
+7. [`RSPAMD_LEARN`](../environment.md#rspamd_learn)
+8. [`MOVE_SPAM_TO_JUNK`](../environment.md#move_spam_to_junk)
 
 With these variables, you can enable Rspamd itself and you can enable / disable certain features related to Rspamd.
 

mailserver.env

@@ -142,6 +142,13 @@ ENABLE_RSPAMD_REDIS=
 # 1     => enabled
 RSPAMD_LEARN=0
 
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+RSPAMD_CHECK_AUTHENTICATED=0
+
 # Controls whether the Rspamd Greylisting module is enabled.
 # This module can further assist in avoiding spam emails by greylisting
 # e-mails with a certain spam score.

target/rspamd/local.d/settings.conf

@@ -0,0 +1,12 @@
+# documentation: https://rspamd.com/doc/configuration/settings.html
+
+# DMS::SED_TAG::1::START
+# Disable all checks for authenticated users
+authenticated {
+    priority = high;
+    authenticated = yes;
+    apply {
+        groups_enabled = [];
+    }
+}
+# DMS::SED_TAG::1::END

target/scripts/startup/setup.d/security/rspamd.sh

@@ -14,6 +14,7 @@ function _setup_rspamd() {
     __rspamd__setup_learning
     __rspamd__setup_greylisting
     __rspamd__setup_hfilter_group
+    __rspamd__setup_check_authenticated
     __rspamd__handle_user_modules_adjustments # must run last
 
     __rspamd__log 'trace' '----------  Setup finished  ----------'
@@ -250,7 +251,8 @@ function __rspamd__setup_hfilter_group() {
   if _env_var_expect_zero_or_one 'RSPAMD_HFILTER' && [[ ${RSPAMD_HFILTER} -eq 1 ]]; then
     __rspamd__log 'debug' 'Hfilter (group) module is enabled'
     # Check if we received a number first
-    if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
+    if _env_var_expect_integer 'RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE' \
+    && [[ ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE} -ne 6 ]]; then
       __rspamd__log 'trace' "Adjusting score for 'HFILTER_HOSTNAME_UNKNOWN' in Hfilter group module to ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}"
       sed -i -E \
         "s|(.*score =).*(# __TAG__HFILTER_HOSTNAME_UNKNOWN)|\1 ${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE}; \2|g" \
@@ -264,6 +266,20 @@ function __rspamd__setup_hfilter_group() {
   fi
 }
 
+function __rspamd__setup_check_authenticated() {
+  local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf"
+  if _env_var_expect_zero_or_one 'RSPAMD_CHECK_AUTHENTICATED' \
+  && [[ ${RSPAMD_CHECK_AUTHENTICATED} -eq 0 ]]
+  then
+    __rspamd__log 'debug' 'Content checks for authenticated users are disabled'
+  else
+    __rspamd__log 'debug' 'Enabling content checks for authenticated users'
+    sed -i -E \
+      '/DMS::SED_TAG::1::START/{:a;N;/DMS::SED_TAG::1::END/!ba};/authenticated/d' \
+      "${MODULE_FILE}"
+  fi
+}
+
 # Parses `RSPAMD_CUSTOM_COMMANDS_FILE` and executed the directives given by the file.
 # To get a detailed explanation of the commands and how the file works, visit
 # https://docker-mailserver.github.io/docker-mailserver/edge/config/security/rspamd/#with-the-help-of-a-custom-file

target/scripts/startup/variables-stack.sh

@@ -51,6 +51,7 @@ function __environment_variables_general_setup() {
   VARS[POSTGREY_MAX_AGE]="${POSTGREY_MAX_AGE:=35}"
   VARS[POSTGREY_TEXT]="${POSTGREY_TEXT:=Delayed by Postgrey}"
   VARS[POSTSCREEN_ACTION]="${POSTSCREEN_ACTION:=enforce}"
+  VARS[RSPAMD_CHECK_AUTHENTICATED]="${RSPAMD_CHECK_AUTHENTICATED:=0}"
   VARS[RSPAMD_GREYLISTING]="${RSPAMD_GREYLISTING:=0}"
   VARS[RSPAMD_HFILTER]="${RSPAMD_HFILTER:=1}"
   VARS[RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE]="${RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE:=6}"

test/tests/parallel/set1/spam_virus/rspamd_full.bats

@@ -25,6 +25,7 @@ function setup_file() {
     --env LOG_LEVEL=trace
     --env MOVE_SPAM_TO_JUNK=1
     --env RSPAMD_LEARN=1
+    --env RSPAMD_CHECK_AUTHENTICATED=0
     --env RSPAMD_GREYLISTING=1
     --env RSPAMD_HFILTER=1
     --env RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=7
@@ -292,10 +293,22 @@ function teardown_file() { _default_teardown ; }
 }
 
 @test 'hfilter group module is configured correctly' {
-  _run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
+  local MODULE_FILE='/etc/rspamd/local.d/hfilter_group.conf'
+  _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
   assert_success
 
-  _run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' /etc/rspamd/local.d/hfilter_group.conf
+  _run_in_container grep '__TAG__HFILTER_HOSTNAME_UNKNOWN' "${MODULE_FILE}"
   assert_success
   assert_output --partial 'score = 7;'
 }
+
+@test 'checks on authenticated users are disabled' {
+  local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
+  _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
+  assert_success
+
+  _run_in_container grep -E -A 6 'authenticated \{' "${MODULE_FILE}"
+  assert_success
+  assert_output --partial 'authenticated = yes;'
+  assert_output --partial 'groups_enabled = [];'
+}

test/tests/parallel/set1/spam_virus/rspamd_partly.bats

@@ -24,6 +24,7 @@ function setup_file() {
     --env LOG_LEVEL=trace
     --env MOVE_SPAM_TO_JUNK=0
     --env RSPAMD_LEARN=0
+    --env RSPAMD_CHECK_AUTHENTICATED=1
     --env RSPAMD_GREYLISTING=0
     --env RSPAMD_HFILTER=0
   )
@@ -85,3 +86,12 @@ function teardown_file() { _default_teardown ; }
   _run_in_container_bash '[[ -f /etc/rspamd/local.d/hfilter_group.conf ]]'
   assert_failure
 }
+
+@test 'checks on authenticated users are enabled' {
+  local MODULE_FILE='/etc/rspamd/local.d/settings.conf'
+  _run_in_container_bash "[[ -f ${MODULE_FILE} ]]"
+  assert_success
+
+  _run_in_container grep -E 'authenticated \{' "${MODULE_FILE}"
+  assert_failure
+}