# Multimap module

Multimap module is designed to handle rules that are based on different types of lists that are dynamically updated by Rspamd and called maps. This module is useful for whitelists, blacklists and other lists to be organized via files. It can also load remote lists using HTTP and HTTPS protocols or RESP (REdis Serialization Protocol). This article explains in detail all configuration options and features of this module.

## Principles of work

Maps in Rspamd are files or HTTP links that are automatically monitored and reloaded if changed. For example, maps can be defined as following:

map = "http://example.com/file";
map = "file:///etc/rspamd/file.map";
map = "/etc/rspamd/file.map";


Rspamd allows to save traffic for HTTP maps using cached maps and respecting 304 Not modified responce as well as Cache-Control headers and ETag. Maps data is shared between workers and the only worker that is allowed to fetch remote maps is the first controller worker.

The default configuration of this module actively uses compound maps where a map is defined as an array of sources (+ local fallback location). For user defined maps this redundancy is typically unnecessary details. However, that is described in the following FAQ section.

## Configuration

The module itself contains a set of rules in form:

MAP_SYMBOL1 {
type = "type";
map = "url";
# [optional params...]
}
MAP_SYMBOL2 {
type = "type";
map = "from";
# [optional params...]
}

...


You should normally define your own rules in the file /etc/rspamd/local.d/multimap.conf.

### Map attributes

Mandatory attributes are:

• type - map type
• map - [map data](#map-field-syntax]

Optional map configuration attributes:

• prefilter - defines if the map is used in prefilter mode
• action - for prefilter maps defines action set by map match
• regexp - set to true if your map contain regular expressions
• symbols - array of symbols that this map can insert (for key-value pairs), learn more. Please bear in mind, that if you define this attribute, your map must have entries in form key<spaces>value to match a specific symbol.
• score - score of the symbol (can be redefined in the metric section)
• description - map description
• message - message returned to MTA on prefilter reject action being triggered
• group - group for the symbol (can be redefined in metric)
• require_symbols - expression of symbols that have to match for a specific message: learn more
• filter - match specific part of the input (for example, email domain): here is the complete definition of maps filters

For header maps, you also need to specify the exact header using header option.

Important notice: there is a common confusion between type and filter parameters for multimap module. The main rule of thumb is that type means what information is checked in the map, for example, urls, IPs, headers. filter attribute means how this information is transformed before checking, for example extracting domain.

Selector maps are using selectors framework which defines both extraction and transformation. Hence, this type of maps could be considered as the most basic and flexible map types. All other types of maps could be expressed by some selector map. Furthermore, it is possible to store dependent maps in Redis using selectors framework.

### Map field syntax

Example Description
http://example.com/list HTTP map, reloaded using If-Modified-Since, can be signed
https://example.com/list HTTPS map - same as HTTP but with TLS enabled (with certificate check)
file:///path/to/list file map, reloaded on change, can be signed
/path/to/list shorter form of a file map
cdb://path/to/list.cdb CDB map in file, cannot be signed
redis://<hashkey> Redis map, read field in the hash stored at key
redis+selector://selector (from version 2.0) similar to the former one Redis map where a hash key is acquired by application of some selector that allows to create dependent maps

A combination of files and http where the resulting map is a joint list of its elements:

map = [
"https://maps.rspamd.com/rspamd/mime_types.inc.zst",
"${DBDIR}/mime_types.inc.local", "fallback+file://${CONFDIR}/mime_types.inc"
]


You cannot combine redis nor cdb maps with generic maps.

### Maps flaws

Maps content could be augmented by using of flaws, for example map = regexp;/path/to/file.re. This feature is available from the version 2.0.

  local known_types = {
{'regexp;', 'regexp'},
{'re;', 'regexp'},
{'regexp_multi;', 'regexp_multi'},
{'re_multi;', 'regexp_multi'},
{'glob;', 'glob'},
{'glob_multi;', 'glob_multi'},
{'set;', 'set'},
{'hash;', 'hash'},
{'plain;', 'hash'}
}


### Maps content

Maps can contain keys:

key1
key2


key-value pairs (for multi-symbols maps):

key1 value1
key2 value2
key3 value3:score


key1
# Single line comment
key2 # Embedded comment


IP maps can also contain IPs or IP/network in CIDR notation

192.168.1.1
10.0.0.0/8


## Map types

Type attribute means what is matched with this map. The following types are supported:

Type Description
asn matches ASN number passed by ASN module
content matches specific content of a message (e.g. headers, body or even a full message) against some map, usually regular expressions map
country matches country code of AS passed by ASN module
dnsbl matches IP of the host that performed message handoff against some DNS blacklist (consider using RBL module for this)
filename matches attachment filenames and filenames in archives against map. It also includes detected filename match from version 2.0. For example, if some attachment has .png extension but it has real type detected as image/jpeg then two checks would be performed: for the original attachment and for the detected one. This does not include files in archives as Rspamd does not extract them.
from matches envelope from (or header From if envelope from is absent)
header matches any header specified (must have header = "Header-Name" configuration attribute)
helo matches HELO of the message handoff session
hostname matches reverse DNS name of the host that performed message handoff
ip matches IP of the host that performed message handoff (against radix map)
mempool matches contents of a mempool variable (specified with variable parameter)
received (new in 1.5) matches elements of Received headers
rcpt matches any of envelope rcpt or header To if envelope info is missing
selector applies generic selector and check data returned in the specific map. This type must have selector option and an optional delimiter option that defines how to join multiple selectors (an empty string by default). If a selector returns multiple values, e.g. urls, then all values are checked. Normal filter logic can also be applied to the selector’s results.
symbol_options (new in 1.6.3) match ‘options’ yielded by whichever symbol of interest (requires target_symbol parameter)
url matches URLs in messages against maps
user matches authenticated username against maps

DNS maps are legacy and are not encouraged to use in new projects (use rbl for that).

Maps can also be specified as CDB databases that might somehow be useful for large maps:

SOME_SYMBOL {
map = "cdb:///path/to/file.cdb";
type = "from";
}


## Regexp maps

All maps with the exception of ip and dnsbl maps support regexp mode. In this mode, all keys in maps are treated as regular expressions, for example:

# Sole key
/example\d+\.com/i
# Key + value (test)
/other\d+\.com/i test


For performance considerations, use only expressions supported by Hyperscan as this engine provides blazing performance at no additional cost. Currently, there is no way to distinguish what particular regexp was matched in case if multiple regexp were matched.

To enable regexp mode, you should set regexp option to true:

# local.d/multimap.conf
SENDER_FROM_WHITELIST {
type = "from";
map = "file:///tmp/from.map";
regexp = true;
}


## Map filters

It is also possible to apply a filtering expression before checking value against some map. This is mainly useful for header rules. Filters are specified with filter option. Rspamd supports the following filters so far:

### Content filters

Content maps support the following filters:

Content filter Description
body raw undecoded body content (with the exceptions of headers)
full raw undecoded content of a message (including headers)
headers undecoded headers
text decoded and converted text parts (without HTML tags but with newlines)
rawtext decoded but not converted text parts (with HTML tags and newlines)
oneline decoded and stripped text content (without HTML tags and newlines)

### Filename filters

Filename maps checks also include detected filename match from version 2.0. For example, if some attachment has .png extension but it has real type detected as image/jpeg then two checks would be performed: for the original attachment and for the detected one. This does not include files in archives as Rspamd does not extract them.

Filename maps support this filters set:

Filter Description
extension matches file extension
regexp:/re/ extract data from filename according to some regular expression

### From, rcpt and header filters

These are generic emails and headers filters:

Filter Description
email or email:addr parse header value and extract email address from it (Somebody <user@example.com> -> user@example.com)
email:user parse header value as email address and extract user name from it (Somebody <user@example.com> -> user)
email:domain parse header value as email address and extract domain part from it (Somebody <user@example.com> -> example.com)
email:domain:tld parse header value as email address and extract effective second level domain from it (Somebody <user@foo.example.com> -> example.com)
email:name parse header value as email address and extract displayed name from it (Somebody <user@example.com> -> Somebody)
regexp:/re/ extracts generic information using the specified regular expression

### Helo, hostname filters

Filter Description
tld matches eSLD (effective second level domain - a second-level domain or something that’s effectively so like example.com or example.za.org)
tld:regexp:/re/ extracts generic information using the specified regular expression from the eSLD part
top matches TLD (top level domain) part of the helo/hostname

### Mempool filters

• regexp:/re/ - extract data from mempool variable according to some regular expression

If no filter is specified real_ip is used by default.

Filter Description
from_hostname string that represents hostname provided by a peer
from_ip IP address as provided by a peer
real_hostname hostname as resolved by MTA
real_ip IP as resolved by PTR request of MTA
by_hostname MTA hostname
proto protocol, e.g. ESMTP or ESMTPS
timestamp received timestamp
for for value (unparsed mailbox)
tld:from_hostname extract eSLD part from peer-provided hostname
tld:real_hostname extract eSLD part from MTA-verified hostname

The real_ip and from_ip filters must be used in conjunction with IP maps.

• min_pos - Minimum position of Received header to match
• max_pos - Maximum position of Received header to match

Negative values can be specified to match positions relative to the end of Received headers.

• flags - One of more flags which MUST be present to match
• nflags - One or more flags which must NOT be present to match

Currently available flags are ssl (hop used SSL) and authenticated (hop used SMTP authentication).

### Selector options filters

• regexp:/re/ - extract data from selector’s results according to some regular expression (usually not needed)

### Symbol options filters

• regexp:/re/ - extract data from symbol options according to some regular expression

### URL filters

URL maps allows another set of filters (by default, url maps are matched using hostname part):

Filter Description
full matches the complete URL (not the hostname)
full:regexp:/re/ extracts generic information using the specified regular expression from the full URL text
is_obscured matches obscured URLs
is_phished matches hostname but if and only if the URL is phished (e.g. pretended to be from another domain)
is_redirected matches redirected URLs
path match path
query match query string
regexp:/re/ extracts generic information using the specified regular expression from the hostname
tag:name matches full hostnames that have URL tag with name
tld matches eSLD (effective second level domain - a second-level domain or something that’s effectively so like example.com or example.za.org)
tld:regexp:/re/ extracts generic information using the specified regular expression from the eSLD part
top matches TLD (top level domain) part of the hostname

## Pre-filter maps

To enable pre-filter support, you should specify action parameter which can take one of the following values:

• accept - accept the message (no action)
• add header or add_header - add a header to the message
• rewrite subject or rewrite_subject - change the subject
• greylist - greylist the message
• reject - drop the message

No filters will be processed for a message if such a map matches. Multiple symbols or symbol conditions are not supported for prefilter maps by design.

# local.d/multimap.conf
IP_WHITELIST {
type = "ip";
map = "/tmp/ip.map";
prefilter = true;
action = "accept";
}
# Better use RBL module instead
SPAMHAUS_PBL_BLACKLIST {
type = "dnsbl";
map = "pbl.spamhaus.org";
description = "PBL dns block list";
prefilter = true;
action = "reject";
}


## Multiple symbol maps

From the version 1.3.1, it is possible to define multiple symbols and scores using multimap module. To do that, you should define all possible symbols using symbols option in multimap:

# local.d/multimap.conf
CONTENT_BLACKLISTED {
type = "content";
filter = "body"; # can be headers, full, oneline, text, rawtext
map = "${LOCAL_CONFDIR}/content.map"; symbols = ["CONTENT_BLACKLISTED1", "CONTENT_BLACKLISTED2"]; regexp = true; }  In this example, you can use 3 symbols: • CONTENT_BLACKLISTED • CONTENT_BLACKLISTED1 • CONTENT_BLACKLISTED2 the map: # Symbol + score /re1/ CONTENT_BLACKLISTED1:10 # Symbol with default score /re2/ CONTENT_BLACKLISTED2 # Just a default symbol: CONTENT_BLACKLISTED /re3/  Symbols that are not defined in the symbols attribute but used in the map are ignored and replaced by the default map symbol. If the value of a key-value pair is missing, then Rspamd just inserts the default symbol with dynamic weight equal to 1.0 (which is multiplied by metric score afterwards). ### Get all matches If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map: # local.d/multimap.conf CONTENT_BLACKLISTED { type = "content"; filter = "body"; # can be headers, full, oneline, text, rawtext map = "${LOCAL_CONFDIR}/content.map";
symbols = ["CONTENT_BLACKLISTED1", "CONTENT_BLACKLISTED2"];
regexp = true;
multi = true;
}


## Conditional maps

From version 1.3.1, it is possible to set up maps that depends on other rules and check map if some certain condition is satisfied. In particular, you can check that a message has a valid SPF policy to perform some whitelisting. However, you don’t want to bother about mailing lists. Then you can write the following map condition:

# local.d/multimap.conf
FROM_WHITELISTED {
require_symbols = "R_SPF_ALLOW & !MAILLIST";
type = "from";
map = "/some/list";
}


You can use any logic expression of other symbols within require_symbols definition. Rspamd automatically inserts dependency for a multimap rule on all symbols that are required by this particular rule. You cannot use symbols added by post-filters here, however, pre-filter and normal filter symbols are allowed.

## Redis for maps

From version 1.3.3, it is possible to work with maps which are stored in Redis backend. You can use any external application to put data into Redis database using HSET command (e.g HSET hashkey test@example.org 1). After you can define map as protocol redis:// and specify hash key to read. Redis settings can be defined inside multimap module also.

## Combined maps

From version 2.0, you can create maps with multiple values to be checked and joint via expression:

COMBINED_MAP_AND {
type = "combined";
rules {
ip = {
map = "${TESTDIR}/configs/maps/ip.list"; selector = "ip"; } from { map = "${TESTDIR}/configs/maps/domains.list";
selector = "from:domain";
}
}
expression = "from & ip"
}
COMBINED_MAP_OR {
type = "combined";
rules {
ip = {
map = "${TESTDIR}/configs/maps/ip.list"; selector = "ip"; } from { map = "${TESTDIR}/configs/maps/domains.list";
selector = "from:domain";
}
}
expression = "from || ip"
}


Combined maps support merely selectors syntax, not general multimap rules.

## Dependent maps

Version 2.0 also allows to create dependent maps in Redis where map key depends on some other data extracted from the same message. For example, per user based whitelist.

TODO: write more

## Examples

Here are some examples of multimap configurations:

# local.d/multimap.conf
SENDER_FROM_WHITELIST_USER {
type = "from";
filter = "email:user";
map = "file:///tmp/from.map";
action = "accept"; # Prefilter mode
}

# With Redis backend, also you need specify servers for Redis.
SENDER_FROM_WHITELIST_USER {
type = "from";
map = "redis://hashkey";
}

SENDER_FROM_REGEXP {
filter = 'regexp:/.*@/';
map = "file:///tmp/from_re.map";
}
URL_MAP {
type = "url";
filter = "tld";
map = "file:///tmp/url.map";
}
URL_MAP_RE {
type = "url";
filter = 'tld:regexp:/\.[^.]+$/'; # Extracts the last component of URL map = "file:///tmp/url.map"; } FILENAME_BLACKLISTED { type = "filename"; filter = "extension"; map = "${LOCAL_CONFDIR}/filename.map";
action = "reject";
message = "A restricted file type was found";
}
CONTENT_BLACKLISTED {
type = "content";
filter = "body"; # can be headers, full, oneline, text, rawtext
map = "${LOCAL_CONFDIR}/content.map"; symbols = ["CONTENT_BLACKLISTED1", "CONTENT_BLACKLISTED2"]; regexp = true; } ASN_BLACKLIST { type = "asn"; map = "${LOCAL_CONFDIR}/asnlist.map";
}
map = "${LOCAL_CONFDIR}/rcvd_ip.map"; filter = "real_ip"; min_pos = -1; flags = ["authenticated"]; } SYMBOL_OPTIONS_DBL { type = "symbol_options"; target_symbol = "DBL_ABUSE_REDIR"; symbols = ["INTERESTING_DOMAIN"]; map = "${LOCAL_CONFDIR}/dbl_redir_symbols.map";
}
WHITELIST_HELO_RCPT {
type = "combined";
prefilter = true;
action = "accept";
rules {
helo {
map = "${LOCAL_CONFDIR}/helo_smtp.map"; selector = "helo"; } rcpt = { map = "${LOCAL_CONFDIR}/rcpt_internal_subdomains.map";
selector = "rcpts:domain";
}
}
expression = "helo & rcpt"
}


• cd /etc/rspamd
• create local.d folder if not exists
• cd local.d
• create multimap.conf in /etc/rspamd/local.d/ folder if it does not exists
• create lists:
touch local_bl_from.map.inc local_bl_ip.map.inc local_bl_rcpt.map.inc \
local_wl_from.map.inc local_wl_ip.map.inc local_wl_rcpt.map.inc

• change permissions:
chmod o+w local_bl_from.map.inc local_bl_ip.map.inc local_bl_rcpt.map.inc \
local_wl_from.map.inc local_wl_ip.map.inc local_wl_rcpt.map.inc

• edit multimap.conf (you should be in /etc/rspamd/local.d/ folder)
# local.d/multimap.conf

# Blacklists
local_bl_ip { type = "ip"; map = "$LOCAL_CONFDIR/local.d/local_bl_ip.map.inc"; symbol = "LOCAL_BL_IP"; description = "Local ip blacklist";score = 3;} local_bl_from { type = "from"; map = "$LOCAL_CONFDIR/local.d/local_bl_from.map.inc"; symbol = "LOCAL_BL_FROM"; description = "Local from blacklist";score = 3;}
local_bl_rcpt { type = "rcpt"; map = "$LOCAL_CONFDIR/local.d/local_bl_rcpt.map.inc"; symbol = "LOCAL_BL_RCPT"; description = "Local rcpt blacklist";score = 3;} # Whitelists local_wl_ip { type = "ip"; map = "$LOCAL_CONFDIR/local.d/local_wl_ip.map.inc"; symbol = "LOCAL_WL_IP"; description = "Local ip whitelist";score = -5;}
local_wl_from { type = "from"; map = "$LOCAL_CONFDIR/local.d/local_wl_from.map.inc"; symbol = "LOCAL_WL_FROM"; description = "Local from whitelist";score = -5;} local_wl_rcpt { type = "rcpt"; map = "$LOCAL_CONFDIR/local.d/local_wl_rcpt.map.inc"; symbol = "LOCAL_WL_RCPT"; description = "Local rcpt whitelist";score = -5;}