Replace rspamd rule weights with a strict rule

cmdeploy/src/cmdeploy/__init__.py

@@ -352,17 +352,18 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
     )
     need_restart |= options_inc.changed
 
-    groups_conf = files.put(
-        name="set metrics for DKIM, SPF, and DMARC fails",
+    # https://rspamd.com/doc/modules/force_actions.html
+    force_actions_conf = files.put(
+        name="Set up rules to reject on DKIM, SPF and DMARC fails",
         src=importlib.resources.files(__package__).joinpath(
-            "rspamd/policies_group.conf"
+            "rspamd/force_actions.conf"
         ),
-        dest="/etc/rspamd/local.d/policies_group.conf",
+        dest="/etc/rspamd/local.d/force_actions.conf",
         user="root",
         group="root",
         mode="644",
     )
-    need_restart |= groups_conf.changed
+    need_restart |= force_actions_conf.changed
 
     dkim_directory = "/var/lib/rspamd/dkim/"
     dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"

cmdeploy/src/cmdeploy/rspamd/force_actions.conf

@@ -0,0 +1,11 @@
+rules {
+    REJECT_DKIM_SPF {
+        action = "reject";
+        # Reject if
+        #   bad DKIM signature (R_DKIM_REJECT)
+        #   no DKIM signature (R_DKIM_NA)
+        #   SPF failure (R_SPF_FAIL)
+        #   DMARC policy failure (DMARC_POLICY_REJECT)
+        expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+    }
+}

cmdeploy/src/cmdeploy/rspamd/policies_group.conf

@@ -1,14 +0,0 @@
-symbols {
-    "R_DKIM_REJECT" {
-        weight = 15;
-    }
-    "R_SPF_FAIL" {
-        weight = 15;
-    }
-    "R_DKIM_NA" {
-        weight = 15;
-    }
-    "DMARC_POLICY_REJECT" {
-        weight = 15;
-    }
-}