From d575d62b18addbe502935ecbbfa3f2807cd6a7f3 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sun, 14 Jan 2024 13:12:05 +0000
Subject: [PATCH] rspamd: give the reason to MTA when incoming mail is rejected
This is not secret but makes it easier for mail server admins to debug why chatmail does not accept their emails. If the server generates bounce messages, users will also see this and can redirect to their server support. It also shows up in /var/log/rspamd/rspamd.log on chatmail server.
---
.../src/cmdeploy/rspamd/force_actions.conf | 68 ++++++++++++-------
1 file changed, 42 insertions(+), 26 deletions(-)
diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
index 9ca9549..3755986 100644
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -1,30 +1,46 @@
 rules {
- REJECT_DKIM_SPF {
+ # Reject on missing or invalid DKIM signature.
+ #
+ # We require DKIM signature on incoming mails regardless of DMARC policy.
+ #
+ # - R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
+ # - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+ # - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+ REJECT_DKIM {
 action = "reject";
- # Reject if
- # - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
- # - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
- # - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
- #
- # - SPF failure (R_SPF_FAIL)
- # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
- #
- # - DMARC policy failure (DMARC_POLICY_REJECT)
- #
- # Do not reject if:
- # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
- # and we do not want to lose messages because of faulty network.
- #
- # - R_SPF_SOFTFAIL
- # - R_SPF_NEUTRAL
- # - R_SPF_DNSFAIL
- # - R_SPF_NA
- #
- # - DMARC_DNSFAIL
- # - DMARC_NA
- # - DMARC_POLICY_SOFTFAIL
- # - DMARC_POLICY_QUARANTINE
- # - DMARC_BAD_POLICY
- expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
+ expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA";
+ message = "Rejected due to missing or invalid DKIM signature";
 }
+
+ # Reject on SPF failure.
+ #
+ # - SPF failure (R_SPF_FAIL)
+ # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+ REJECT_SPF {
+ action = "reject";
+ expression = "R_SPF_FAIL | R_SPF_PERMFAIL";
+ message = "Rejected due to failed SPF check";
+ }
+
+ # Reject on DMARC policy check failure.
+ REJECT_DMARC {
+ action = "reject";
+ expression = "DMARC_POLICY_REJECT";
+ message = "Rejected due to DMARC policy";
+ }
+
+ # Do not reject if:
+ # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+ # and we do not want to lose messages because of faulty network.
+ #
+ # - R_SPF_SOFTFAIL
+ # - R_SPF_NEUTRAL
+ # - R_SPF_DNSFAIL
+ # - R_SPF_NA
+ #
+ # - DMARC_DNSFAIL
+ # - DMARC_NA
+ # - DMARC_POLICY_SOFTFAIL
+ # - DMARC_POLICY_QUARANTINE
+ # - DMARC_BAD_POLICY
 }
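Review bot: The `# Do not reject if:` comment block at the end of the hunk now trails the last rule with nothing after it, so a reader can no longer tell which of the three rules each listed exemption belongs to; either move it above `REJECT_DKIM` as a preface to the whole `rules` block, or split its DKIM, SPF and DMARC items into the comment of the matching rule so the "reject on" and "do not reject on" symbols for each check sit together. The one-line `REJECT_DMARC` comment is also thinner than its two siblings, which name the symbols they act on; adding `# - DMARC_POLICY_REJECT: DMARC check failed and the sender domain's published policy asks for reject (inserted by the \`dmarc\` module)` would keep the three rules consistent. Since the new `message` strings are now returned to the remote MTA, a short comment that a mail failing several checks is reported with only one of these reasons would help the admins the commit aims at; which rule's message wins when more than one matches is not visible in this file, so I cannot say which it is.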