#!/bin/bash
#
# This file is an example post-data hook that will run standard filtering
# utilities if they are available.
#
# - greylist (from greylistd) to do greylisting.
# - spamc (from Spamassassin) to filter spam.
# - rspamc (from rspamd) or chasquid-rspamd to filter spam.
# - clamdscan (from ClamAV) to filter virus.
# - dkimsign (from driusan/dkim or dkimpy) to do DKIM signing.
#
# If it exits with code 20, it will be considered a permanent error.
# Otherwise, temporary.
set -e
# Note greylistd needs you to add the user to the "greylist" group:
# usermod -a -G greylist mail
if [ "$AUTH_AS" == "" ] && [ "$SPF_PASS" == "0" ] && \
command -v greylist >/dev/null && \
groups | grep -q greylist;
then
REMOTE_IP=$(echo "$REMOTE_ADDR" | rev | cut -d : -f 2- | rev)
if ! greylist update "$REMOTE_IP" "$MAIL_FROM" 1>&2; then
echo "greylisted, please try again"
exit 75 # temporary error
fi
echo "X-Greylist: pass"
fi
TF="$(mktemp --tmpdir post-data-XXXXXXXXXX)"
trap 'rm "$TF"' EXIT
# Save the message to the temporary file, so we can pass it on to the various
# filters.
cat > "$TF"
if command -v spamc >/dev/null; then
if ! SL=$(spamc -c - < "$TF") ; then
echo "spam detected"
exit 20 # permanent
fi
echo "X-Spam-Score: $SL"
fi
# Spam filter through rspamd.
#
# Use chasquid-rspamd (from https://github.com/Thor77/chasquid-rspamd) if
# available, otherwise fall back to rspamc.
if command -v chasquid-rspamd >/dev/null; then
chasquid-rspamd < "$TF" 2>/dev/null
elif command -v rspamc >/dev/null; then
# Note the actions emitted by rspamc come from the thresholds
# configured in /etc/rspamd/actions.conf.
# The ones handled here are common defaults, but they might require
# adjusting to match your rspamd configuration.
# Note that greylisting is disabled in rspamc by design, so the
# "greylist" action is ignored here to prevent false rejections.
ACTION=$( rspamc < "$TF" 2>/dev/null | grep Action: | cut -d " " -f 2- )
case "$ACTION" in
reject)
echo "spam detected"
exit 20 # permanent error
;;
esac
echo "X-Spam-Action:" "$ACTION"
fi
if command -v clamdscan >/dev/null; then
if ! clamdscan --no-summary --infected - < "$TF" 1>&2 ; then
echo "virus detected"
exit 20 # permanent
fi
echo "X-Virus-Scanned: pass"
fi
# DKIM sign with either driusan/dkim or dkimpy.
#
# Do it only if all the following are true:
# - User has authenticated.
# - dkimsign binary exists.
# - domains/$DOMAIN/dkim_selector file exists.
# - certs/$DOMAIN/dkim_privkey.pem file exists.
#
# Note this has not been thoroughly tested, so might need further adjustments.
if [ "$AUTH_AS" != "" ] && command -v dkimsign >/dev/null; then
DOMAIN=$( echo "$MAIL_FROM" | cut -d '@' -f 2 )
if [ -f "domains/$DOMAIN/dkim_selector" ] \
&& [ -f "certs/$DOMAIN/dkim_privkey.pem" ];
then
# driusan/dkim and dkimpy both provide the same binary (dkimsign) but
# take different arguments, so we need to tell them apart.
# This is awful but it should work reasonably well.
if dkimsign --help 2>&1 | grep -q -- --identity; then
# dkimpy
dkimsign \
"$(cat "domains/$DOMAIN/dkim_selector")" \
"$DOMAIN" \
"certs/$DOMAIN/dkim_privkey.pem" \
< "$TF" > "$TF.dkimout"
# dkimpy doesn't provide a way to just show the new
# headers, so we have to compute the difference.
# ALSOCHANGE(test/t-19-dkimpy/config/hooks/post-data)
diff --changed-group-format='%>' \
--unchanged-group-format='' \
"$TF" "$TF.dkimout" && exit 1
rm "$TF.dkimout"
else
# driusan/dkim
dkimsign -n -hd \
-key "certs/$DOMAIN/dkim_privkey.pem" \
-s "$(cat "domains/$DOMAIN/dkim_selector")" \
-d "$DOMAIN" \
< "$TF"
fi
fi
fi