Rspamd: whitelist/blacklist enhancement

The whitelist/blacklist of rspamd is designed to work with the second domain level, e.g. domain.org, so you blacklist or whitelist the domain and all subdomains: email:domain:tld

https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters

However, when you try to blacklist/whitelist a subdomain, it won't work because rspamd extracts only the second level of the domain name.

Proposed solution

  1. In rules evaluation, try to match both the eSLD (effective second level domain - rspamd :tld filter) and the whole domain suffix against the email address of the sender/recipient.

  2. Whitelist rules are always processed before the blacklist, thus allowing a subdomain (e.g. myhost.domain.com) to be whitelisted if a more generic rule wants to blacklist the entire domain (e.g. domain.com).

Docs changes

  • [x] document the new behavior: clarify what happens by writing a top level domain or a subdomain record

Alternative solutions

As an alternative we could make a validator and refuse subdomains, asking for a top level domain.

See also

https://community.nethserver.org/t/whitelist-in-mail-server-not-working/13911/


jfernandez

NethServer/dev

Answer by DavidePrincipi

Useful QA commands

Inspect currently expanded whitelist and blacklist rules:

grep -r -F .  /etc/rspamd/{white,black}list* | grep -v -F '#' | sort

Sample curl invocation

((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@nethserver.org --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I

Configuration settings for bayes expiry module should be 
added to the corresponding classifier section (for instance 
in the local.d/classifier-bayes.conf).
Bayes expiry module provides intelligent expiration of 
statistical tokens for the new schema of Redis statistics 
storage.

EOF

Test case 0 - sender blacklist

  • Add a complete address to the sender blacklist, and check the message is rejected (e.g. user@complete.example.com)
  • Add a third level domain like my.example.com to the sender blacklist, and check the message is rejected if the sender is in that domain
  • Add a second level domain like example.com to the sender blacklist, and check the message is rejected if the sender is in that domain

Test case 1 - sender whitelist vs sender blacklist

With the blacklist from test case 0:

  • Add the same complete sender address user@complete.example.com to the whitelist and check it wins over the blacklist rule. Message must be accepted
  • Add other.example.com to the sender whitelist and check that a sender from that domain is always accepted
  • Check a sender from example.com is still rejected

Test case 2 - recipient whitelist vs sender blacklist

Check that by setting a recipient whitelist rule it always wins against the blacklist sender rule.

Test case 3 - IP whitelist vs sender blacklist

Check that by setting an IP client whitelist in Relay > Configuration > Allow relay from IP addresses, the IP whitelist always wins over the sender blacklist.
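The rule evaluation proposed in the issue (match the full address, the whole domain suffix and the eSLD, and let the whitelist win) and the precedence the test cases above exercise, written out as an added illustration. This is not rspamd's multimap code: the public suffix set stands in for the :tld filter, and the rule maps, addresses and the 192.0.2.0/24 relay network are constructed sample values.

```python
"""Toy evaluator for the sender/recipient whitelist and blacklist rules.

Constructed illustration, not rspamd code. The public suffix set, the rule
maps and the 192.0.2.0/24 relay network are made-up sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the public suffix list behind rspamd's :tld filter.
PUBLIC_SUFFIXES = {"com", "org", "it", "co.uk"}


def esld(domain):
    """Effective second-level domain: one label above the longest public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def match_keys(address):
    """Every key a map entry can match for `address`: the full address, then
    the full domain and each parent suffix, stopping at the eSLD so that a
    bare public suffix such as "com" is never a candidate."""
    local, _, domain = address.lower().rpartition("@")
    keys = [address.lower()] if local else []
    labels = domain.split(".")
    stop = esld(domain)
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        keys.append(suffix)
        if suffix == stop:
            break
    return keys


def _hits(map_entries, address):
    return any(key in map_entries for key in match_keys(address))


def evaluate(sender, recipient, client_ip, rules):
    """Return "accept", "reject" or "no_rule" for one SMTP transaction.

    Precedence follows the issue and its test cases: relay/IP whitelist,
    then recipient whitelist, then sender whitelist, and only after those
    the sender blacklist.
    """
    client = ip_address(client_ip)
    if any(client in ip_network(net) for net in rules.get("ip_whitelist", ())):
        return "accept"
    if _hits(rules.get("recipient_whitelist", ()), recipient):
        return "accept"
    if _hits(rules.get("sender_whitelist", ()), sender):
        return "accept"
    if _hits(rules.get("sender_blacklist", ()), sender):
        return "reject"
    return "no_rule"


# Constructed rule maps mirroring test cases 0 to 3 from the answer.
RULES = {
    "sender_blacklist": {"user@complete.example.com", "my.example.com", "example.com"},
    "sender_whitelist": {"user@complete.example.com", "other.example.com"},
    "recipient_whitelist": {"postmaster@dpnet.nethesis.it"},
    "ip_whitelist": {"192.0.2.0/24"},
}

if __name__ == "__main__":
    for sender, rcpt, ip in [
        ("bob@deep.my.example.com", "x@other.org", "198.51.100.7"),  # suffix hit
        ("user@complete.example.com", "x@other.org", "198.51.100.7"),  # whitelist wins
        ("bob@example.com", "postmaster@dpnet.nethesis.it", "198.51.100.7"),
        ("bob@example.com", "x@other.org", "192.0.2.10"),  # relay IP wins
    ]:
        print(sender, rcpt, ip, "->", evaluate(sender, rcpt, ip, RULES))
```

Suffix matching is label-based (`notexample.com` does not match a rule for `example.com`), and the candidate walk stops at the eSLD, so a rule can never accidentally be keyed on a bare public suffix.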

