[Rspamd-Users] multimap and header lines

Mon Nov 18 17:38:45 UTC 2024

Am 18.11.2024 um 17:34 schrieb Valentijn Sessink <valentijn at sessink.nl>:
> 
> Hi List,
> 
> I wanted to just match one header; but wanted to be able to add more headers if necessary. Now my question is: what is the correct way of matching a single header line, from start to end?
> 
> I now have: multimap.conf
> NOTACCEPTABLE { type = "content"; filter = "headers";map = "/tmp/headerblock.map"; regexp = true; action = "reject";
> message = "no thanks"; }
> 
> With headerblock.map saying:
> /(*ANYCRLF)(^|\R)X-fc9822d6-c227-4fb2-a50a-c86656e68129: yes\R/
> 
> which pretty much matches a regular e-mail that has a header
> X-fc9822d6-c227-4fb2-a50a-c86656e68129: yes
> 
> ... but it still doesn't seem to match a <CR><LF> header. Yeah I know that SMTP has strict CRLF rules, but I also know that there's no real penalty.
> 
> So:
> - what is the correct way to match a specific header line from beginning to end?
> Subquestions:
> - are headers normalized, when multimap kicks in?
> - does the PCRE clause (*ANYCRLF) do anything? Should I leave that out?
> 
> BTW the header I'm actually trying to block is
> X-sender: postmaster at salesforce.com ;-)
> 
> V.
Hi Valentijn,

two things jump to me:

1. My /tmp/ directory gets wiped every reboot so I would rather not put config files there. But maybe you run your rspamd chrooted.
2. I never saw the "(*ANYCRLF)“ and such stuff here, and the All-in-the-know Gerald suggested for a similar question:
> It might be due to line endings: \n versus \r\n via smtp.
> You could try to use \r?\n in your regex.

And with this or even \r?\n? you should be prepared for all CR/LFs coming.

Cheers!

Tino

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4339 bytes
Desc: not available
URL: <https://lists.rspamd.com/pipermail/users/attachments/20241118/4018eb72/attachment.bin>