diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index 96328e4e..e38eb6c5 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -352,17 +352,18 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
 )
 need_restart |= options_inc.changed
- groups_conf = files.put(
- name="set metrics for DKIM, SPF, and DMARC fails",
+ # https://rspamd.com/doc/modules/force_actions.html
+ force_actions_conf = files.put(
+ name="Set up rules to reject on DKIM, SPF and DMARC fails",
 src=importlib.resources.files(__package__).joinpath(
- "rspamd/policies_group.conf"
+ "rspamd/force_actions.conf"
 ),
- dest="/etc/rspamd/local.d/policies_group.conf",
+ dest="/etc/rspamd/local.d/force_actions.conf",
 user="root",
 group="root",
 mode="644",
 )
- need_restart |= groups_conf.changed
+ need_restart |= force_actions_conf.changed
 dkim_directory = "/var/lib/rspamd/dkim/"
 dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
new file mode 100644
index 00000000..a5be7511
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -0,0 +1,11 @@
+rules {
+ REJECT_DKIM_SPF {
+ action = "reject";
+ # Reject if
+ # bad DKIM signature (R_DKIM_REJECT)
+ # no DKIM signature (R_DKIM_NA)
+ # SPF failure (R_SPF_FAIL)
+ # DMARC policy failure (DMARC_POLICY_REJECT)
+ expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+ }
+}
diff --git a/cmdeploy/src/cmdeploy/rspamd/policies_group.conf b/cmdeploy/src/cmdeploy/rspamd/policies_group.conf
deleted file mode 100644
index 6ad714d8..00000000
--- a/cmdeploy/src/cmdeploy/rspamd/policies_group.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-symbols {
- "R_DKIM_REJECT" {
- weight = 15;
- }
- "R_SPF_FAIL" {
- weight = 15;
- }
- "R_DKIM_NA" {
- weight = 15;
- }
- "DMARC_POLICY_REJECT" {
- weight = 15;
- }
-}
\ No newline at end of file
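Review bot: Hosts deployed before this change keep `/etc/rspamd/local.d/policies_group.conf`, because the hunk in `_configure_rspamd` only stops uploading that file and nothing visible here removes it. The stale weights of 15 would then still feed into scoring next to the new force_actions rule, so upgraded and freshly installed servers end up running different policies. Consider a cleanup step such as `files.file(name="Remove obsolete rspamd policies_group.conf", path="/etc/rspamd/local.d/policies_group.conf", present=False)` and OR its `.changed` into `need_restart`. The function body starts and ends outside this hunk, so a cleanup elsewhere in it would not be visible here.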
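Review bot: The `expression` in `REJECT_DKIM_SPF` enumerates failure symbols, so any DKIM or SPF outcome that is not named falls through to ordinary scoring instead of being rejected. rspamd also reports `R_DKIM_PERMFAIL` and `R_DKIM_TEMPFAIL` (and `R_SPF_DNSFAIL` / `R_SPF_PERMFAIL` on the SPF side); none of them is listed, which looks like a fail-open path if the intent is that no mail is accepted without a verified DKIM signature. If that is the intent, state it in the comment block and consider extending the rule, e.g. `expression = "R_DKIM_REJECT | R_DKIM_NA | R_DKIM_PERMFAIL | R_SPF_FAIL | DMARC_POLICY_REJECT";`. Whether temporary DNS failures should reject, defer or pass is a policy decision worth recording in the same comment.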