From 5366df8dc649bf128c582b8f413da8c7abd8f1ff Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Sun, 14 Jan 2024 08:45:23 +0000
Subject: [PATCH] Replace rspamd rule weights with a strict rule

---
 cmdeploy/src/cmdeploy/__init__.py                | 11 ++++++-----
 cmdeploy/src/cmdeploy/rspamd/force_actions.conf  | 11 +++++++++++
 cmdeploy/src/cmdeploy/rspamd/policies_group.conf | 14 --------------
 3 files changed, 17 insertions(+), 19 deletions(-)
 create mode 100644 cmdeploy/src/cmdeploy/rspamd/force_actions.conf
 delete mode 100644 cmdeploy/src/cmdeploy/rspamd/policies_group.conf

diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index 96328e4e..e38eb6c5 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -352,17 +352,18 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
     )
     need_restart |= options_inc.changed
 
-    groups_conf = files.put(
-        name="set metrics for DKIM, SPF, and DMARC fails",
+    # https://rspamd.com/doc/modules/force_actions.html
+    force_actions_conf = files.put(
+        name="Set up rules to reject on DKIM, SPF and DMARC fails",
         src=importlib.resources.files(__package__).joinpath(
-            "rspamd/policies_group.conf"
+            "rspamd/force_actions.conf"
         ),
-        dest="/etc/rspamd/local.d/policies_group.conf",
+        dest="/etc/rspamd/local.d/force_actions.conf",
         user="root",
         group="root",
         mode="644",
     )
-    need_restart |= groups_conf.changed
+    need_restart |= force_actions_conf.changed
 
     dkim_directory = "/var/lib/rspamd/dkim/"
     dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
new file mode 100644
index 00000000..a5be7511
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -0,0 +1,11 @@
+rules {
+    REJECT_DKIM_SPF {
+        action = "reject";
+        # Reject if
+        #   bad DKIM signature (R_DKIM_REJECT)
+        #   no DKIM signature (R_DKIM_NA)
+        #   SPF failure (R_SPF_FAIL)
+        #   DMARC policy failure (DMARC_POLICY_REJECT)
+        expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+    }
+}
diff --git a/cmdeploy/src/cmdeploy/rspamd/policies_group.conf b/cmdeploy/src/cmdeploy/rspamd/policies_group.conf
deleted file mode 100644
index 6ad714d8..00000000
--- a/cmdeploy/src/cmdeploy/rspamd/policies_group.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-symbols {
-    "R_DKIM_REJECT" {
-        weight = 15;
-    }
-    "R_SPF_FAIL" {
-        weight = 15;
-    }
-    "R_DKIM_NA" {
-        weight = 15;
-    }
-    "DMARC_POLICY_REJECT" {
-        weight = 15;
-    }
-}
\ No newline at end of file