Skip to content

Instantly share code, notes, and snippets.

@kvaps
Last active May 6, 2024 05:13
Show Gist options
  • Save kvaps/25507a87dc287e6a620e1eec2d60ebc1 to your computer and use it in GitHub Desktop.
Save kvaps/25507a87dc287e6a620e1eec2d60ebc1 to your computer and use it in GitHub Desktop.
Howto create local whitelists and blacklists for Rspamd

Local whitelists and blacklists for Rspamd

  • cd /etc/rspamd
  • create rspamd.conf.local
  • create lists:
touch local_bl_from.map.inc local_bl_ip.map.inc local_bl_rcpt.map.inc \
local_wl_from.map.inc local_wl_ip.map.inc local_wl_rcpt.map.inc
  • change permissions:
chmod o+w local_bl_from.map.inc local_bl_ip.map.inc local_bl_rcpt.map.inc \
local_wl_from.map.inc local_wl_ip.map.inc local_wl_rcpt.map.inc

Thanks to @mnik247 in #118

multimap {
# ip - matches source IP of message (radix map)
# from - matches envelope from (or header From if envelope from is absent)
# rcpt - matches any of envelope rcpt or header To if envelope info is missing
# header - matches any header specified (must have header = "Header-Name" configuration attribute)
# dnsbl - matches source IP against some DNS blacklist (consider using RBL module for this)
local_bl_ip { type = "ip"; map = "$CONFDIR/local_bl_ip.map.inc"; symbol = "LOCAL_BL_IP"; description = "Local ip blacklist";}
local_bl_from { type = "from"; map = "$CONFDIR/local_bl_from.map.inc"; symbol = "LOCAL_BL_FROM"; description = "Local from blacklist";}
local_bl_rcpt { type = "rcpt"; map = "$CONFDIR/local_bl_rcpt.map.inc"; symbol = "LOCAL_BL_RCPT"; description = "Local rcpt blacklist";}
local_wl_ip { type = "ip"; map = "$CONFDIR/local_wl_ip.map.inc"; symbol = "LOCAL_WL_IP"; description = "Local ip whitelist";}
local_wl_from { type = "from"; map = "$CONFDIR/local_wl_from.map.inc"; symbol = "LOCAL_WL_FROM"; description = "Local from whitelist";}
local_wl_rcpt { type = "rcpt"; map = "$CONFDIR/local_wl_rcpt.map.inc"; symbol = "LOCAL_WL_RCPT"; description = "Local rcpt whitelist";}
}
metric {
name = "default";
group {
name = "local";
symbol {
weight = 3;
description = "Sender ip listed in local ip blacklist";
name = "LOCAL_BL_IP";
}
symbol {
weight = 3;
description = "Sender from listed in local from blacklist";
name = "LOCAL_BL_FROM";
}
symbol {
weight = 3;
description = "Recipient listed in local rcpt blacklist";
name = "LOCAL_BL_RCPT";
}
symbol {
weight = -5;
description = "Sender ip listed in local ip whitelist";
name = "LOCAL_WL_IP";
}
symbol {
weight = -5;
description = "Sender from listed in local from whitelist";
name = "LOCAL_WL_FROM";
}
symbol {
weight = -5;
description = "Recipient listed in local rcpt whitelist";
name = "LOCAL_WL_RCPT";
}
}
}
@meifi
Copy link

meifi commented Aug 10, 2017

Hi, how can we make this lists in the webgui editable under configuration --> lists?

Copy link

ghost commented Oct 5, 2017

Hi,

just put them into $CONFDIR/local.d/...

Copy link

ghost commented Nov 16, 2017

Hi,

after touch edit files, because files cant be empty or you will get cant retrieve map data error in webgui

@leoberto89
Copy link

Hi, I have the same error like layer3:

2018-02-10 17:08:18 #4264(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_rcpt.map.inc: No such file or directory
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_from.map.inc: No such file or directory
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_rcpt.map.inc: No such file or directory
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_ip.map.inc: No such file or directory
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4264(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_from.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) <49ef81>; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_ip.map.inc
2018-02-10 17:08:18 #4262(normal) <49ef81>; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_ip.map.inc
2018-02-10 17:08:18 #4262(normal) <49ef81>; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_ip.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_rcpt.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_rcpt.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_rcpt.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_from.map.inc: No such file or directory
2018-02-10 17:08:18 #4263(normal) <49ef81>; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_ip.map.inc
2018-02-10 17:08:18 #4263(normal) <49ef81>; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_ip.map.inc
2018-02-10 17:08:18 #4263(normal) <49ef81>; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_ip.map.inc: No such file or directory
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_rcpt.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_rcpt.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_rcpt.map.inc: No such file or directory
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_from.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_from.map.inc: No such file or directory
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_ip.map.inc: No such file or directory
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4263(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_from.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_rcpt.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_ip.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_ip.map.inc: No such file or directory
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_bl_from.map.inc
2018-02-10 17:08:18 #4262(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_bl_from.map.inc: No such file or directory
2018-02-10 17:08:21 #4263(normal) ; map; rspamd_map_file_check_callback: old mtime is -1, new mtime is 1518289626 for map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:21 #4263(normal) ; map; rspamd_map_file_read_callback: rereading map file /etc/rspamd/local.d/local_wl_rcpt.map.inc
2018-02-10 17:08:21 #4263(normal) ; map; read_map_file: can't open map /etc/rspamd/local.d/local_wl_rcpt.map.inc: No such file or directory

@xmacan
Copy link

xmacan commented May 4, 2018

If file has 0 bytes size, you will see No such file or directory. If size > 0 (new line is enough), the message " can't open map ... No such file of directory" will not in log and map is loaded (and you can edit it via web gui). I guess that this behavior is strange.

@vstakhov
Copy link

I have added this to the documentation (adopted for the general Rspamd configuration guidelines):

rspamd/rspamd.com@75fd771

@vstakhov
Copy link

0 size maps should also be fixed in WebUI case.

@mspenkov
Copy link

Hi,
Sorry for my stupidity, but how can I add a field with any subdomain?
Example: we receive mail from address nobody@mx3.domain.ru and from address nobody@mx4.domain.ru. How to make the rule "*.domain.ru"?

@pclemot
Copy link

pclemot commented Nov 14, 2018

Maybe with Regexp maps?

@mspenkov
Copy link

I'm having the same question as @mspenkov has.

email:domain:tld - parse header value as email address and extract effective second level domain from it (Somebody user@foo.example.com -> example.com)

local_bl_from_domain { type = "from"; filter = "email:domain:tld"; map = "$CONFDIR/maps/local_bl_from_second_domain.map.inc"; symbol = "LOCAL_BL_FROM_DOMAIN"; description = "Local from domain blacklist";}

@celogeek
Copy link

Hi,

I'm trying to exclude my local network for spam check for mail sent from the internal network.

My local docker connect to each other with ipv6 local network

I want to allow all: fd00:dead:beef::* and if possible exclude the gateway: fd00:dead:beef::1.

I have a config like this (all different docker):
matomo -> (postfix <-> rspamd) -> dovecot

Matomo sends an email to postfix for a user into dovecot. rspamd check this and apply dkim/darc signature, and antispam check then transmit it to dovecot.
The issue is that Matomo sends a terrible report with a score of 10. I have tried to learn from it 10 times, on different reports from matomo but it doesn't work. I still get a 9.3 score.

Thanks

@celogeek
Copy link

I have tested this in my local_wl_ip.map.inc:

# Local ip whitelist
fd00:dead:beef::/64
10.20.0.0/24

And it works!

I add to my blacklist the ip of the router :

# Local ip blacklist
fd00:dead:beef::1
10.20.0.1

This one cancel the whitelist bonus. I have set whitelist and blacklist to a weight of 5.

@Grucqq
Copy link

Grucqq commented Jun 5, 2019

Hi,
Should this multimap work with the latest rspamd 1.9.4 ? can't get it to work
this version works from beggining, second one from rspamd didn't works too.

Edit: added local.d/groups conf & everything works well in both versions

@denydias
Copy link

denydias commented Aug 30, 2019

OP doesn't work with rspamd 1.9 anymore because of the nested multimap. Also local.d/metrics.conf is deprecated and local.d/groups.conf should be used instead.

After digging the docs and code, this is what works for me. The empty line in the end is significant.

local.d/multimap.conf

# local.d/multimap.conf
# see local.d/groups.conf for multimap symbols

# Blacklists
local_bl_domain {
  type = "from";
  filter = "email:domain";
  map = "$CONFDIR/maps.d/local_bl_domain.inc";
  prefilter = true;
  action = "reject";
  description = "Blacklisted domain";
}
local_bl_from {
  type = "from";
  map = "$CONFDIR/maps.d/local_bl_from.inc";
  symbol = "LOCAL_BL_FROM";
  description = "Blacklist map for LOCAL_BL_FROM";
}
local_bl_ip {
  type = "ip";
  map = "$CONFDIR/maps.d/local_bl_ip.inc";
  symbol = "LOCAL_BL_IP";
  description = "Blacklist map for LOCAL_BL_IP";
}
local_bl_rcpt {
  type = "rcpt";
  map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
  symbol = "LOCAL_BL_RCPT";
  description = "Blacklist map for LOCAL_BL_RCPT";
}

# Whitelists
local_wl_domain {
  type = "from";
  filter = "email:domain:tld";
  map = "$CONFDIR/maps.d/local_wl_domain.inc";
  symbol = "LOCAL_WL_DOMAIN";
  description = "Whitelist map for LOCAL_WL_DOMAIN";
}
local_wl_from {
  type = "from";
  map = "$CONFDIR/maps.d/local_wl_from.inc";
  symbol = "LOCAL_WL_FROM";
  description = "Whitelist map for LOCAL_WL_FROM";
}
local_wl_ip {
  type = "ip";
  map = "$CONFDIR/maps.d/local_wl_ip.inc";
  symbol = "LOCAL_WL_IP";
  description = "Whitelist map for LOCAL_WL_IP";
}
local_wl_rcpt {
  type = "rcpt";
  map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
  symbol = "LOCAL_WL_RCPT";
  description = "Whitelist map for LOCAL_WL_RCPT";
}

local.d/groups.conf

# local.d/groups.conf
# see local.d/multimap.conf for mappings
group "multimap" {
  symbols = {
    # Blacklists
    "LOCAL_BL_FROM" {
      weight = 3.0;
      description = "Sender FROM listed in local blacklist";
    }
    "LOCAL_BL_IP" {
      weight = 3.0;
      description = "Sender IP listed in local blacklist";
    }
    "LOCAL_BL_RCPT" {
      weight = 3.0;
      description = "Recipient listed in local blacklist";
    }
    # Whitelists
    "LOCAL_WL_DOMAIN" {
      weight = -5;
      description = "Domain listed in local whitelist";
    }
    "LOCAL_WL_FROM" {
      weight = -5;
      description = "Sender FROM listed in local whitelist";
    }
    "LOCAL_WL_IP" {
      weight = -5;
      description = "Sender IP listed in local whitelist";
    }
    "LOCAL_WL_RCPT" {
      weight = -5;
      description = "Recipient listed in local whitelist";
    }
  }
}

@moisseev
Copy link

moisseev commented Mar 2, 2020

@denydiases example can be simplified. It's possible to set score and group in the local.d/multimap.conf like this.
So local.d/groups.conf is not necessary.

@defulmere
Copy link

defulmere commented Sep 25, 2020

OP doesn't work with rspamd 1.9 anymore because of the nested multimap. Also local.d/metrics.conf is deprecated and local.d/groups.conf should be used instead.

After digging the docs and code, this is what works for me. The empty line in the end is significant.
...

@denydias You just made my day, thanks for sharing your examples!

@denydias
Copy link

@denydias You just made my day, thanks for sharing your examples!

I'm glad I did, @defulmere! Enjoy the day. 😉

@fool15982
Copy link

fool15982 commented Nov 24, 2020

Hi @ll,

I am trying to figure out what is wrong, but it doesn't work for me as expected.
I have added groups.conf and multimap.conf into the local.d folder and I can see them in my Rspam web interface. Storing new entries works as well but for unknown reason the blocked domains still were processed and stored into my spam folder or inbox.
I have raised the weight in groups up to 15 but I can't get it to work (blocking all incoming mails from a specific domain using "Blacklisted domain").
Anyone who has an idea?

BR
Andre

UPDATE
I am not sure, but it seems that domains entered via web interface are not getting blocked properly. I have added an unexisting domain and used a free testmailer and forged the sender address. This testmail was blocked as expected and the log confirmed it was caused by the local blocklist. Anyone out there who can confirm that?

@adjustGirl
Copy link

is there anything new on this topic? And please be gracious to me, I'm brand new to this tool (V 2.7 on Debian 9). Thanx

@Polve
Copy link

Polve commented Apr 20, 2021

I'm interested in any news in this topic for the current (v2.7) version

@1210315127
Copy link

Hello everyone.
Can anyone please tel how to block subnets instead of a single ip in rspamd. currently blocking single ip in .map.inc
files.

@moisseev
Copy link

Can anyone please tel how to block subnets instead of a single ip in rspamd. currently blocking single ip in .map.inc
files.

https://github.com/moisseev/rspamd-multimap-bl/blob/9a4a7d2ec29d67ac04126ce42e962106e78f2129/local.d/multimap.d/bl-ip.map#L4

@1210315127
Copy link

Can anyone please tel how to block subnets instead of a single ip in rspamd. currently blocking single ip in .map.inc
files.

https://github.com/moisseev/rspamd-multimap-bl/blob/9a4a7d2ec29d67ac04126ce42e962106e78f2129/local.d/multimap.d/bl-ip.map#L4

Thank you bro

@badfires
Copy link

由于嵌套的多图,OP 不再适用于 rspamd 1.9。也local.d/metrics.conf已弃用,local.d/groups.conf应改为使用。

挖掘文档和代码后,这对我有用。最后的空行很重要。

local.d/multimap.conf

# local.d/multimap.conf
# see local.d/groups.conf for multimap symbols

# Blacklists
local_bl_domain {
  type = "from";
  filter = "email:domain";
  map = "$CONFDIR/maps.d/local_bl_domain.inc";
  prefilter = true;
  action = "reject";
  description = "Blacklisted domain";
}
local_bl_from {
  type = "from";
  map = "$CONFDIR/maps.d/local_bl_from.inc";
  symbol = "LOCAL_BL_FROM";
  description = "Blacklist map for LOCAL_BL_FROM";
}
local_bl_ip {
  type = "ip";
  map = "$CONFDIR/maps.d/local_bl_ip.inc";
  symbol = "LOCAL_BL_IP";
  description = "Blacklist map for LOCAL_BL_IP";
}
local_bl_rcpt {
  type = "rcpt";
  map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
  symbol = "LOCAL_BL_RCPT";
  description = "Blacklist map for LOCAL_BL_RCPT";
}

# Whitelists
local_wl_domain {
  type = "from";
  filter = "email:domain:tld";
  map = "$CONFDIR/maps.d/local_wl_domain.inc";
  symbol = "LOCAL_WL_DOMAIN";
  description = "Whitelist map for LOCAL_WL_DOMAIN";
}
local_wl_from {
  type = "from";
  map = "$CONFDIR/maps.d/local_wl_from.inc";
  symbol = "LOCAL_WL_FROM";
  description = "Whitelist map for LOCAL_WL_FROM";
}
local_wl_ip {
  type = "ip";
  map = "$CONFDIR/maps.d/local_wl_ip.inc";
  symbol = "LOCAL_WL_IP";
  description = "Whitelist map for LOCAL_WL_IP";
}
local_wl_rcpt {
  type = "rcpt";
  map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
  symbol = "LOCAL_WL_RCPT";
  description = "Whitelist map for LOCAL_WL_RCPT";
}

local.d/groups.conf

# local.d/groups.conf
# see local.d/multimap.conf for mappings
group "multimap" {
  symbols = {
    # Blacklists
    "LOCAL_BL_FROM" {
      weight = 3.0;
      description = "Sender FROM listed in local blacklist";
    }
    "LOCAL_BL_IP" {
      weight = 3.0;
      description = "Sender IP listed in local blacklist";
    }
    "LOCAL_BL_RCPT" {
      weight = 3.0;
      description = "Recipient listed in local blacklist";
    }
    # Whitelists
    "LOCAL_WL_DOMAIN" {
      weight = -5;
      description = "Domain listed in local whitelist";
    }
    "LOCAL_WL_FROM" {
      weight = -5;
      description = "Sender FROM listed in local whitelist";
    }
    "LOCAL_WL_IP" {
      weight = -5;
      description = "Sender IP listed in local whitelist";
    }
    "LOCAL_WL_RCPT" {
      weight = -5;
      description = "Recipient listed in local whitelist";
    }
  }
}

tks,This solved my problem

@renaudallard
Copy link

"chmod o+w" is almost always a very bad idea. You need to "chown" the files to the user running spamd instead.

@derfz
Copy link

derfz commented May 6, 2024

Can I use local_bl_from.map.inc to blacklist top level (.ru for example) domains?
Or should I be using a different specific method?
The objective here is to block those top level domains that I perceive as problematic.
Sorry, I'm not a coder and I know even less about RSPAMD.

Regards

Fred

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment