Split DKIM checks into separate rules

Now errors distinguish between missing DKIM singature, missing DNS entry or invalid DKIM signature.
2024-01-15 02:36:10 +00:00 · 2024-01-15 02:36:10 +00:00 · 700256c273
commit 700256c273
parent d575d62b18
1 changed files with 26 additions and 12 deletions
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@ -1,19 +1,32 @@
 rules {
-    # Reject on missing or invalid DKIM signature.
-    #
-    # We require DKIM signature on incoming mails regardless of DMARC policy.
-    #
-    # - R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
-    # - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
-    # - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
-    REJECT_DKIM {
+    ## Reject on missing or invalid DKIM signatures.
+    ##
+    ## We require DKIM signature on incoming mails regardless of DMARC policy.
+
+    # R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
+    REJECT_INVALID_DKIM {
        action = "reject";
-        expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA";
-        message = "Rejected due to missing or invalid DKIM signature";
+        expression = "R_DKIM_REJECT";
+        message = "Rejected due to invalid DKIM signature";
    }

-    # Reject on SPF failure.
-    #
+    # R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+    REJECT_PERMFAIL_DKIM {
+        action = "reject";
+        expression = "R_DKIM_PERMFAIL";
+        message = "Rejected due to missing DKIM DNS entry";
+    }
+
+    # No DKIM signature (R_DKIM_NA symbol inserted by `dkim` module).
+    REJECT_MISSING_DKIM {
+        action = "reject";
+        expression = "R_DKIM_NA";
+        message = "Rejected due to missing DKIM signature";
+    }
+
+
+    ## Reject on SPF failure.
+
    # - SPF failure (R_SPF_FAIL)
    # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
    REJECT_SPF {
@ -29,6 +42,7 @@ rules {
        message = "Rejected due to DMARC policy";
    }

+
    # Do not reject if:
    # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
    #   and we do not want to lose messages because of faulty network.