Scanning outbound mail

Why and how to scan outbound mail

Outbound spam can severely damage your system's ability to deliver mail, so it is pragmatic to avoid delivering spam in the first place. Unlike inbound spam, outbound spam outbreaks require incident response (e.g. changing the passwords of affected accounts). If a spam outbreak was identified by automated content scanning, human verification could be helpful, but it may be in violation of applicable privacy laws or company policies. Please consult your legal counsel and company stakeholders to determine policies for handling suspected outbound spam that are suitable for your purposes. How such mail should ultimately be handled is beyond the scope of this document (though it may eventually be extended to provide some example recipes).

Scanning outbound with Rspamd

Rspamd aims to be suitable for outbound scanning with little or no configuration. With proper integration, Rspamd knows whether mail was sent by an authenticated user (and which one) as well as the IP address the mail was received from. If mail was received from an authenticated user or from an IP address listed in local_addrs, several checks are unconditionally disabled:

  • ASN: checking is disabled for local IPs, unless check_local is set to true
  • DKIM: checking is disabled; signing is enabled
  • DMARC: is disabled
  • Greylist: is disabled
  • Hfilter: only URL-checks are applied
  • IP Score: is disabled
  • MX Check: is disabled
  • One Received header policy: is disabled
  • Ratelimit: only the user ratelimit is applied (to authenticated users; it does not deal with local_addrs)
  • RBL: RBLs are disabled according to the exclude_users and exclude_local settings (all except RAMBLER_EMAILBL)
  • Replies: action is not forced
  • SPF: is disabled

Additionally, checks can be selectively disabled or enabled, and rescored, for your authenticated users or relay IPs using the settings module.
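An added example of such a settings-module rule for authenticated users (not from the original page or the Rspamd project; the rule name, the symbols chosen and the score thresholds are assumptions you would adapt to your own policy), placed in local.d/settings.conf:

```ucl
# local.d/settings.conf (added example; rule name, symbols and
# thresholds below are assumptions, not values from this page)
outbound_users {
  # Evaluate this rule before lower-priority rules
  priority = high;
  # Match only mail submitted by an authenticated user; mail from
  # local_addrs relays is covered by the per-module behaviour above
  authenticated = yes;
  apply {
    # Act earlier on mail from our own accounts: a compromised account
    # should be stopped before it harms delivery reputation
    actions {
      "add header" = 4.0;
      reject = 8.0;
    }
    # Submission from mail clients often carries no Received header yet
    # and may legitimately use a different envelope sender, so mute
    # those two symbols for this traffic
    symbols_disabled = ["RCVD_COUNT_ZERO", "FORGED_SENDER"];
    # Rescore: give the Bayes spam verdict more weight for outbound mail
    symbols {
      BAYES_SPAM = 6.0;
    }
  }
}
```

A rejected or header-tagged verdict on authenticated mail is the signal to start the incident response described above, rather than something to silently drop.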

MTA with milter support (e.g. Postfix or Sendmail)

You might want to add the non_smtpd_milters setting pointing at the Rspamd proxy worker so that mail submitted directly via sendmail(1) or another local delivery agent is also scanned. Here is an example for the Postfix MTA:

# postfix/main.cf
# Postfix main.cf does not support trailing comments on a value line,
# so comments go on their own lines.
# For inbound scan or outbound scan via SMTP
smtpd_milters = inet:127.0.0.1:11332
# For invocation via a local delivery agent (sendmail(1) submission)
non_smtpd_milters = inet:127.0.0.1:11332

Exim

Here is an example configuration suitable for filtering outbound email.

# Global options
spamd_address = 127.0.0.1 11333 variant=rspamd
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Set default value for a variable
  warn
    set acl_m_outspam = 0
  # Always scan mail
  warn
    spam = nobody:true
  # Honor "reject" action for inbound mail...
  deny
    ! authenticated = *
    condition = ${if eq{$spam_action}{reject}}
    message = Discarded high-probability spam
  # If it's our user set acl_m_outspam = 1 instead
  warn
    authenticated = *
    condition = ${if eq{$spam_action}{reject}}
    set acl_m_outspam = 1
  accept

begin routers

# Apply special handling to messages with $acl_m_outspam==1
redirect_outbound_spam:
  driver = redirect
  condition = ${if eq{$acl_m_outspam}{1}}
  data = admin@example.com
# <rest of configuration>

See the Exim specification for more information.

Haraka

To enable scanning of outbound mail, set the following in config/rspamd.ini:

[check]
authenticated=true

If you wish to honor the reject action for authenticated users, set the following:

[reject]
authenticated=true