RMM DokuWiki

User Tools

Site Tools

You are here: start » linux_server_manuals » dovecot_ldap_rspamd
linux_server_manuals:dovecot_ldap_rspamd

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux_server_manuals:dovecot_ldap_rspamd [2018/01/14 11:29] – [rspamd] ronneylinux_server_manuals:dovecot_ldap_rspamd [2018/01/28 18:49] (current) – [Clamav integration] ronney
Line 153: Line 153:
 </file> </file>
  
-====== Fail2ban for dovecot ======+==== Fail2ban for dovecot ====
  
 use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, add to use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, add to
Line 163: Line 163:
  
  
-====== Postfix ======+===== Postfix =====
  
 Install postfix Install postfix
Line 211: Line 211:
 #map with aliases #map with aliases
 virtual_alias_maps = hash:/etc/postfix/virtual-alias-map virtual_alias_maps = hash:/etc/postfix/virtual-alias-map
 +# If you have some docker containers or similar stuff, we need to add the
 +# 172.17.0.0/16 subnet to mynetwork, so they are able to send mail.
 +# If you don't use that subnet, you can leave that directive on it's default setting.
 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.17.0.0/16
 </file> </file>
  
Line 233: Line 237:
 </file> </file>
  
-====== rspamd ======+===== rspamd =====
  
-see https://thomas-leister.de/en/mailserver-debian-stretch/+The documentation about the functionality and configuration of rspamd is a bit sparse. 
 +The one here is working, but no garantees, that it is perfect....
  
-install:+==== Configuration ==== 
 + 
 +Install rspamd and redis. 
 + 
 +<code>
 CODENAME=`lsb_release -c -s` CODENAME=`lsb_release -c -s`
 wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
Line 244: Line 253:
 aptitude update aptitude update
 aptitude install rspamd redis-server aptitude install rspamd redis-server
 +</code>
  
-edite /etc/redis/redis.conf +edit /etc/redis/redis.conf (according to rspamd.com) 
 +<file>
 maxmemory 500mb maxmemory 500mb
 maxmemory-policy volatile-lru maxmemory-policy volatile-lru
 +</file>
  
-files in /etc/rspamd/local.d +Config files in /etc/rspamd/local.d override defaults settings.
- +
-options.inc +
- +
-local_addrs = "127.0.0.0/8, 172.17.0.0/16, ::1"; +
- +
- +
-greylist.conf  +
- +
-whitelisted_ip="172.17.0.0/16" +
- +
- +
-worker-normal.inc+
  
 +Create /etc/rspamd/local.d/worker-normal.inc
 +<file>
 bind_socket = "localhost:11333"; bind_socket = "localhost:11333";
 +</file>
  
 +Create a passwordhash for the webinterface.
 +<code>
 +rspamadm pw
 +</code>
 +Then enter that hash in the file /etc/rspamd/local.d/worker-controller.inc
 +<file>
 +#password for read access
 +password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
 +#password for write access. you need to set both. I know, it's stupid ;-)
 +enable_password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
 +</file>
  
-worker-normal.inc (password webinterfaceis a hash, must be generated bz rspamadm pw) +/etc/rspamd/local.d/worker-proxy.inc (milter for postfix)
- +
-password = "a2oihr4qowaefasiodf" +
- +
- +
-worker-proxy.inc   (milter for postfix)+
  
 +<file>
 bind_socket = "localhost:11332"; bind_socket = "localhost:11332";
 milter = yes; milter = yes;
Line 281: Line 290:
     self_scan = yes;     self_scan = yes;
 } }
 +</file>
  
-milter_headers.conf+We want that rspamd adds some headers to the mails. For details see the documentation 
 +Create file /etc/rspamd/local.d/milter_headers.conf
  
 +<file>
 use = ["x-spam-status", "x-spam-level", "authentication-results"]; use = ["x-spam-status", "x-spam-level", "authentication-results"];
 skip_local = false; skip_local = false;
 authenticated_headers = ["authentication-results"]; authenticated_headers = ["authentication-results"];
 +</file>
  
- +rspamd is incredibly verbose. let's decrease logging: 
-logging.inc +Create /etc/rspamd/local.d/logging.inc 
 +<file>
 level = "warning"; level = "warning";
 +</file>
  
 +activate redis support
 +Create file /etc/rspamd/local.d/redis.conf
 +<file>
 +servers = "127.0.0.1";
 +</file>
  
-classifier-bayes.conf +For Bayes filter redis support needs to be activated explicitly 
 +Create /etc/rspamd/local.d/classifier-bayes.conf 
 +<file>
 backend = "redis"; backend = "redis";
 autolearn = true; autolearn = true;
 +</file>
  
 +==== Access to Rspamd Webinterface ====
  
-rdis.conf +To be able to access the rspamd webinterface we need to add a config file to apache
- +create /etc/apache2/conf-available/rspamd.conf
-servers = "127.0.0.1"; +
- +
- +
-create /etc/apache2/rspamd.conf+
  
 +<file>
 +RewriteEngine on
 +RewriteRule ^/rspamd$ /rspamd/ [R]
 <Location /rspamd> <Location /rspamd>
-        ProxyPass http://localhost:11334  +        ProxyPass http://localhost:11334 
-        ProxyPassReverse http://localhost:11334     +        ProxyPassReverse http://localhost:11334 
-        ProxyPreserveHost On                                                                               +        ProxyPreserveHost On
 </Location> </Location>
 +</file>
  
 +Then enable it:
 +<code>
 a2enconf rspamd a2enconf rspamd
 +</code>
  
-/etc/postfix/main.cf+==== Postfix integration ====
  
-#smtpd_milters = inet:localhost:11332 +Make postfix use rspamd, therefore add following lines to 
-#unix sockets is not configured correctly yet, use inet sockets +/etc/postfix/main.cf 
-smtpd_milters = unix:/var/lib/rspamd/milter.sock +<file> 
-non_smtpd_milters = unix:/var/lib/rspamd/milter.sock+#TODO: It would be more effective using unix sockets. 
 +#smtpd_milters = unix:/var/lib/rspamd/milter.sock 
 +smtpd_milters = inet:localhost:11332 
 +non_smtpd_milters = inet:localhost:11332
 milter_protocol = 6 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 # skip mail without checks if something goes wrong # skip mail without checks if something goes wrong
 milter_default_action = accept milter_default_action = accept
 +</file>
  
-add automatic spam movement and spam learning when user moves them:+==== Dovecot integration ====
  
-file /etc/dovecot/sieve/spam.sieve+We want Dovecot to automatically move new mails to spam folder when they were recognized as spam mail. Additionally, when the user moves mail to the spam folder or away from spam folder, rspamd should learn them as spam or ham.
  
 +Create file /etc/dovecot/sieve/spam.sieve
 +<file>
 require "fileinto"; require "fileinto";
  
Line 339: Line 370:
     fileinto "Junk";     fileinto "Junk";
 } }
 +</file>
  
  
-file /etc/dovecot/sieve/learn-spam.sieve +Create file /etc/dovecot/sieve/learn-spam.sieve 
 +<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve"]; require ["vnd.dovecot.pipe", "copy", "imapsieve"];
  
 pipe :copy "rspamc" ["learn_spam"]; pipe :copy "rspamc" ["learn_spam"];
 +</file>
  
- +Create file /etc/dovecot/sieve/learn-ham.sieve 
-file /etc/dovecot/sieve/learn-ham.sieve +<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"]; require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
  
Line 361: Line 393:
  
 pipe :copy "rspamc" ["learn_ham"]; pipe :copy "rspamc" ["learn_ham"];
 +</file>
 +
 +Since dovecot does not have write permission for /etc/dovecot/sieve we need to compile the sieve scripts by hand
 +<code>
 +sievec learn-ham.sieve
 +sievec learn-spam.sieve
 +sievec spam.sieve
 +</code>
  
 +For the learning scripts to work, they need to be added to the dovecot configuration:
 edit /etc/dovecot/conf.d/90-plugin.conf edit /etc/dovecot/conf.d/90-plugin.conf
 +<file>
 plugin{ plugin{
 ... ...
 +  #to make spam stuff work
   sieve_plugins = sieve_imapsieve sieve_extprograms   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_before = /etc/dovecot/sieve/spam.sieve   sieve_before = /etc/dovecot/sieve/spam.sieve
   sieve_global_extensions = +vnd.dovecot.pipe   sieve_global_extensions = +vnd.dovecot.pipe
   sieve_pipe_bin_dir = /usr/bin   sieve_pipe_bin_dir = /usr/bin
-    # From elsewhere to Spam folder +  # From elsewhere to Spam folder 
-    imapsieve_mailbox1_name = Junk +  imapsieve_mailbox1_name = Junk 
-    imapsieve_mailbox1_causes = COPY +  imapsieve_mailbox1_causes = COPY 
-    imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
  
     # From Spam folder to elsewhere     # From Spam folder to elsewhere
-    imapsieve_mailbox2_name = * +  imapsieve_mailbox2_name = * 
-    imapsieve_mailbox2_from = Junk +  imapsieve_mailbox2_from = Junk 
-    imapsieve_mailbox2_causes = COPY +  imapsieve_mailbox2_causes = COPY 
-    imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve +  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve...
-...+
 } }
 +</file>
  
-file /conf.d/20-imap.conf 
  
 +Edit file /conf.d/20-imap.conf
 +<file>
 protocol imap { protocol imap {
  mail_plugins = $mail_plugins imap_sieve  mail_plugins = $mail_plugins imap_sieve
Line 391: Line 435:
   mail_plugins = $mail_plugins sieve   mail_plugins = $mail_plugins sieve
 } }
 +</file>
  
-----+==== dkim and arc mail signing ====
  
-let rspamd dkim sign our mails:+To let Rspamd dkim sign outgoing mails, following is needed
  
 +<code>
 mkdir /etc/rspamd/dkim mkdir /etc/rspamd/dkim
 rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt
-chown _rspamd:_rspamd -R dkim+chown _rspamd:_rspamd -R /etc/rspamd/dkim
 chmod 440 /etc/rspamd/dkim/* chmod 440 /etc/rspamd/dkim/*
 +</code>
  
-look at 2018.txt to see how dns entry should look like.+Look at 2018.txt to see how your dns entry should look like. and then make that DNS-entry.
  
 edit file dkim_signing.conf edit file dkim_signing.conf
 +<file>
 path = "/etc/rspamd/dkim/$selector.key"; path = "/etc/rspamd/dkim/$selector.key";
 selector = "2018"; selector = "2018";
  
 +# I need that, since in my case, usernames are without the domain.
 +# Otherwise he won't do any dkim signing.
 +allow_username_mismatch = true;
 +</file>
  
-cp -/etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf+If you provide mailinglists, mail forwarding or similar  stuff, you also want to use arc. It has the same config as dkim. So we'll just generate a symlink for it: 
 +<code> 
 +ln -/etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf 
 +</code>
  
----------------+==== Clamav integration ====
  
 setup clamav for use with rspamd setup clamav for use with rspamd
Line 455: Line 509:
  
 --------- ---------
 +apache reverse proxy for web interface
 +-----
 +
 more fail2ban more fail2ban
  
linux_server_manuals/dovecot_ldap_rspamd.1515929363.txt.gz · Last modified: 2018/01/14 11:29 by ronney