@ThomasLeister
Last active May 9, 2024 10:49
How to whitelist IP addresses or domains in Rspamd

Whitelist IP addresses based on pre-filter policy

/etc/rspamd/local.d/multimap.conf:

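  IP_WHITELIST {
      type = "ip";        # match on the sending IP address
      prefilter = true;   # evaluate before the regular filters
      map = "${LOCAL_CONFDIR}/local.d/ip_whitelist.map";
      action = "accept";  # on match, accept the message outright
  }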

/etc/rspamd/local.d/ip_whitelist.map:

  192.168.122.3
  192.168.122.4
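
Because a match in this map accepts the message in the pre-filter stage, each entry is worth checking before Rspamd loads it. The audit script below is an added example, not part of the original gist; it assumes the map holds one plain IPv4/IPv6 address or CIDR network per line with `#` comments, and `audit_ip_map` and the `MIN_PREFIX` thresholds are hypothetical choices.

```python
import ipaddress

# Assumption: anything wider than these prefix lengths is too broad for a
# map whose match means "accept without further checks".
MIN_PREFIX = {4: 24, 6: 64}

# Constructed sample map; the first two entries are the ones from the gist.
SAMPLE_MAP = """\
192.168.122.3
192.168.122.4
192.168.122.3/24    # host bits set
10.0.0.0/8
2001:db8::25
mail.example.org
0.0.0.0/0
192.168.122.4       # repeated
"""

def audit_ip_map(text):
    """Return (line_no, entry, problem) tuples for an Rspamd IP map."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # strip comments and padding
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            findings.append((line_no, entry, "not an IP address or CIDR network"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # e.g. 192.168.122.3/24 whitelists the whole /24, not one host
            findings.append((line_no, entry, f"host bits set, mask covers all of {net}"))
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((line_no, entry, f"too broad: {net.num_addresses} addresses"))
        if net in seen:
            findings.append((line_no, entry, "duplicate entry"))
        seen.add(net)
    return findings

if __name__ == "__main__":
    for line_no, entry, problem in audit_ip_map(SAMPLE_MAP):
        print(f"line {line_no}: {entry}: {problem}")
```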

Lower spam score of e-mails with a certain domain name (post-filter mode)

/etc/rspamd/local.d/multimap.conf:

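  WHITELIST_SENDER_DOMAIN {
      type = "from";             # match on the sender address
      filter = "email:domain";   # compare only the domain part
      map = "/etc/rspamd/local.d/whitelist.sender.domain.map";
      score = -6.0;              # added to the message score on match
  }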

/etc/rspamd/local.d/whitelist.sender.domain.map:

  meinedomain.tld
  anderedomain.tld
@ThomasLeister
Author

Can the same basic principle be applied for blacklisting IPs?

Yes, have a look here: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1

@ThomasLeister
Author

I've just had an email where bayes was 100% sure it wasn't spam, but their other parameters were so bad, it was marked as spam. Does learn_ham help here?

No, the learning process only affects the Bayesian filter. If the other parameters were too bad, you can whitelist that server or tune the corresponding check weight.

@Gerben-W

Gerben-W commented May 19, 2020

I have set up these Whitelist filters, but in the whitelist sender domain file only the first entry is being filtered. The other ones do not seem to get the lower score. Am I doing something wrong?

My config:
/etc/rspamd/local.d/multimap.conf

# Whitelists
local_wl_domain {
        type = "from";
        filter = "email:domain";
        map = "$CONFDIR/local.d/local_wl_domain.map";
        symbol = "LOCAL_WL_DOMAIN";
        regex = true;
        prefilter = true;
        score = -6.0;
        description = "Whitelist map for LOCAL_WL_DOMAIN";
}
local_wl_from {
        type = "from";
        filter = "email:domain:tld";
        map = "$CONFDIR/local.d/local_wl_from.map";
        symbol = "LOCAL_WL_FROM";
        regex = true;
        prefilter = true;
        score = -6.0;
        description = "Whitelist map for LOCAL_WL_FROM";
}
local_wl_ip {
        type = "ip";
        map = "$CONFDIR/local.d/local_wl_ip.map";
        symbol = "LOCAL_WL_IP";
        regex = true;
        prefilter = true;
        score = -6.0;
        description = "Whitelist map for LOCAL_WL_IP";
}
local_wl_rcpt {
        type = "rcpt";
        map = "$CONFDIR/local.d/local_wl_rcpt.map";
        symbol = "LOCAL_WL_RCPT";
        regex = true;
        prefilter = true;
        score = -6.0;
        description = "Whitelist map for LOCAL_WL_RCPT";
}


/etc/rspamd/local.d/local_wl_domain.map

domain1.com
n.domain2.com
e.domain3.com
domain4.org

@sirio81

sirio81 commented Dec 10, 2020

Hi, does /etc/rspamd/local.d/ip_whitelist.map accept CIDR notation? I.e. 192.168.122.0/24

@TonyGravagno

@javimox

javimox commented Mar 27, 2021

Hi @Gerben-W,

You have there regex = true; but your file local_wl_domain.map does not look like regexp (e.g. dots must be escaped). Either remove regex from your multimap or convert the entries of the map to regex.

e.g.: match email using regex:
/^user@example\.com$/i

@sneak

sneak commented May 31, 2021

Is it okay to put v6 IPs in the ip_whitelist.map? Should they be put in brackets?

@williamdes

The docs say it's regexp not regex
See: https://rspamd.com/doc/modules/multimap.html#maps-content

@TonyGravagno

Good catch, @williamdes - It probably would have been better if Booleans were globally regex while actual expressions were regexp, but it's too late to go back.

@williamdes

Thanks, for now this is still not working.
So I would argue that prefilter should be false. It seems to not define an action anyway. But defines a score, that is the second reason to think it should be false.

I am still unsure why it's not working anyway

@williamdes

Good catch, @williamdes - It probably would have been better if Booleans were globally regex while actual expressions were regexp, but it's too late to go back.

I am not too sure what to conclude about your reply, I definitely think it's regexp since this example on the page you linked: https://rspamd.com/doc/modules/multimap.html#regexp-maps

@TonyGravagno

I'm saying you're right - The code from @Gerben-W has regex and the doc definitely has regexP. So, good on you for catching that.

My comment was only a whimsical lament - I think most of us easily confuse and interchange property values named RegEx or RegexP, etc, just because there is no standard abbreviation. And in Rspamd we see the name, with and without P, used chaotically.

@jniltinho

Hello,

How do I put a blocking filter for
real_hostname or from_hostname,

using regex like

mail-yw1-f173.google.com
/^mail-.*google\.com$/i

@TonyGravagno

TonyGravagno commented Mar 20, 2024

@jniltinho This gist is about whitelist/allow, not blacklist/reject. However, blocking is done with a few more parameters and by specifying the pre-filter map parameter:

prefilter = true;
action = "reject";
filter = "real_hostname";

See also Received Filter.

( Not tested, I believe this is correct and will edit if required. )
