rspamd: force DMARC enforcement for certain domains

This replaces our previous approach of overriding the policies for these
domains via static records in Unbound.

Author: thestinger

.gitignore

@@ -16,6 +16,7 @@
 /rspamd/local.d/maps.d/blocklist_esld.map
 /rspamd/local.d/maps.d/blocklist_ip.map
 /rspamd/local.d/maps.d/blocklist_text.map
+/rspamd/local.d/maps.d/force_dmarc.map
 /rspamd/local.d/maps.d/spam_text.map
 /rspamd/local.d/maps.d/tor_exit.map
 /venv/

deploy

@@ -19,7 +19,7 @@ gixy nginx/nginx.conf
 
 remote=root@mail.grapheneos.org
 
-cp blocklist/{{blocklist_{addr,esld,ip,text},tor_exit},spam_text}.map rspamd/local.d/maps.d/
+cp blocklist/{{blocklist_{addr,esld,ip,text},tor_exit},dmarc_upgrade,spam_text}.map rspamd/local.d/maps.d/
 
 rsync dovecot/{dovecot.conf,passwd} $remote:/etc/dovecot/
 rsync -r --delete dovecot/sieve/ $remote:/etc/dovecot/sieve/

rspamd/local.d/force_actions.conf

@@ -28,4 +28,10 @@ rules {
     expression = "R_SPF_PERMFAIL & !DMARC_POLICY_ALLOW";
     message = "SPF permerror";
   }
+
+  DMARC_UPGRADE {
+    action = "quarantine";
+    expression = "DMARC_UPGRADE & !DMARC_POLICY_ALLOW";
+    honor_action = ["reject", "soft reject"];
+  }
 }

rspamd/local.d/multimap.conf

@@ -149,3 +149,10 @@ TOR_EXIT {
   map = "$LOCAL_CONFDIR/local.d/maps.d/tor_exit.map";
   action = "reject";
 }
+
+DMARC_UPGRADE {
+  type = "header";
+  header = "From";
+  filter = "email:domain:tld";
+  map = "$LOCAL_CONFDIR/local.d/maps.d/dmarc_upgrade.map";
+}