

Dovecot + Ldap (keycloak) + Rspamd

Dovecot

Let's get Dovecot working.

# Dovecot core plus the pieces this guide relies on: IMAP, LDAP auth, LMTP
# delivery, ManageSieve/Sieve, the Solr full-text search plugin, and bsd-mailx.
aptitude install \
  dovecot-core dovecot-imapd dovecot-ldap dovecot-lmtpd \
  dovecot-managesieved dovecot-sieve dovecot-solr bsd-mailx

Make Dovecot use Ldap

Edit file /etc/dovecot/conf.d/10-auth.conf

uncomment `!include auth-ldap.conf.ext` and comment out `!include auth-system.conf.ext`, so that LDAP is the only password database consulted (system/PAM accounts can no longer log in to mail).
# %Ln = the login name lower-cased (%L) with any "@domain" part stripped (%n),
# so "User@Example.com" is looked up in LDAP as "user".
auth_username_format = %Ln

Edit file /etc/dovecot/dovecot-ldap.conf.ext uncomment and set:

# LDAP server. No TLS is configured here, so the user's password travels in the
# clear to the directory - keep this on loopback; for a remote directory add
# "tls = yes" (or an ldaps:// URI) and verify the server certificate.
hosts = 127.0.0.1
# Authenticate by binding to LDAP as the user; the directory checks the password.
auth_bind = yes
base = ou=People,dc=example,dc=com
pass_attrs = uid=user 
# Only members of the LDAP group "mail" may receive mail and log in to read it.
# NOTE(review): the search for the user's entry runs before the bind; with no
# dn/dnpass (read-only service account) configured, this presumably relies on
# the directory allowing anonymous searches of ou=People - confirm against the
# LDAP ACLs.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u)(memberof=cn=mail,ou=Group,dc=example,dc=com))

Restart Dovecot and test authentication (doveadm prompts for the password):

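# Apply the new auth config and check an LDAP login end-to-end.
# (The page originally said "servicectl"; the command is systemctl.)
systemctl restart dovecot
# doveadm prompts for the password interactively - do not pass it as an
# argument, where it would end up in shell history and be visible in `ps`.
doveadm auth test exampleuser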

Edit file /etc/dovecot/conf.d/10-mail.conf

# Maildir below the user's home directory.
mail_location = maildir:~/mail
mail_privileged_group = mail
# If the system user "mail" is to own the mail directories, first_valid_uid
# must be lowered to its uid (8 here); Dovecot's default floor would otherwise
# reject such a low uid. Alternatively create a dedicated user, e.g. vmail.
first_valid_uid = 8

# Performance: assumes Dovecot is the only process touching the Maildir (see
# the explanation in Dovecot's example 10-mail.conf).
maildir_very_dirty_syncs = yes

edit file /etc/dovecot/conf.d/10-ssl.conf (assuming you have already set up Let's Encrypt or some other certificates)

# TLS is mandatory: no login is accepted before the connection is encrypted.
ssl = required
# The leading "<" makes Dovecot read the file contents at startup, so the key
# file itself can stay readable by root only.
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
# NOTE(review): consider also pinning the protocol floor (ssl_min_protocol =
# TLSv1.2 on Dovecot 2.3+, ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 on 2.2) -
# confirm against the installed version.

Edit file /etc/dovecot/conf.d/10-master.conf

# use lmtp for mail delivery from postfix
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp { 
    user = postfix    
    group = postfix
    mode = 0600
}

service auth {
...
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

....
}

edit file conf.d/15-mailboxes.conf and add `auto = subscribe` to every mailbox definition, so clients see the special folders (in particular Junk, which the Sieve rules below file spam into) without subscribing to them manually.

edit file conf.d/20-lmtp.conf

protocol lmtp {

# Sender of bounces and Sieve error reports; LMTP refuses to start without it.
postmaster_address = postmaster@example.com   # required
# Plugins for LMTP delivery on top of the global mail_plugins. Sieve is needed
# here so the spam.sieve rules (below) run on incoming mail and file spam into
# the Junk folder.
mail_plugins = sieve $mail_plugins

}

add solr support for searching in mails:

# Solr, served by Tomcat, is the full-text search backend used by Dovecot below.
aptitude install solr-tomcat

Make Tomcat listen on localhost only (nothing on this page authenticates the Solr update/query API, so it must not be reachable from the network):
edit file /etc/tomcat8/server.xml and add an `address` attribute to the Connector element:
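<!-- Bind to loopback only; the page's curly quotes were a copy/paste artefact
     and are not valid XML attribute quotes. -->
<Connector address="127.0.0.1" port="8080" ... />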

copy dovecot solr schema
# Replace the stock Solr schema with the one shipped by dovecot-solr, keeping
# the original around as schema.xml.dist.
mv -- /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.dist
ln -s -- /usr/share/dovecot/solr-schema.xml /etc/solr/conf/schema.xml

restart Tomcat (`systemctl restart tomcat8`) so it picks up the new schema and the loopback bind

edit file conf.d/90-plugin.conf

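plugin {
  # Full-text search via the Solr instance bound to loopback above.
  fts = solr
  fts_solr = url=http://127.0.0.1:8080/solr/
}
# (The original snippet left this section unclosed. Only one "plugin { }"
# section is needed per file - the Sieve settings added to 90-plugin.conf later
# on this page belong in the same block.)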

edit conf.d/10-mail.conf

# Global plugin list; the protocol sections on this page append to it via $mail_plugins.
mail_plugins = fts fts_solr

create the file /etc/cron.d/solr-optimize

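# dovecot-solr commits & optimization
# http://wiki2.dovecot.org/Plugins/FTS/Solr
#
# cron runs these lines with /bin/sh, where bash's "&>/dev/null" is NOT a
# redirection: it backgrounds curl and leaves its output to be mailed to root.
# Use the portable form, and quote the URL so "?" is never treated as a glob.

# Commit should be run pretty often, e.g. every two minutes
*/2 * * * * root /usr/bin/curl -s 'http://localhost:8080/solr/update?commit=true' >/dev/null 2>&1

# Optimize should be run somewhat rarely, e.g. once a day
23 3 * * * root /usr/bin/curl -s 'http://localhost:8080/solr/update?optimize=true' >/dev/null 2>&1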


Use fail2ban with Dovecot: add to
/etc/fail2ban/jail.local

# Ban hosts that repeatedly fail Dovecot logins (matched from the mail log by
# fail2ban's stock dovecot filter).
[dovecot]
enabled = true

postfix:

# The MTA; accepted mail is handed to Dovecot over LMTP (see main.cf below).
aptitude install postfix

add alias for root
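# Forward root's mail to a real mailbox. The page's "»" was a mangled ">>";
# the alias is quoted so the shell passes it to echo as one word.
echo 'root: user@example.com' >> /etc/aliases
postalias /etc/aliases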

edit /etc/postfix/main.cf, comment out mydestination =

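delay_warning_time = 4h

# Same certificate Dovecot uses (the page otherwise uses example.com throughout;
# the paths are kept consistent with that).
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem

#remove smtpd_use_tls=yes (superseded by the *_tls_security_level settings)
# Opportunistic TLS for MTA-to-MTA traffic in both directions ...
smtp_tls_security_level=may
smtpd_tls_security_level=may
# ... but never offer AUTH on an unencrypted connection.
smtpd_tls_auth_only = yes

# sasl authentication against dovecot (the private/auth socket from 10-master.conf)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Relay only for our own networks and authenticated users.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# reject_unverified_recipient probes Dovecot over LMTP to check that the
# recipient exists.
# Postfix has NO inline comments: everything after the value on the same line
# becomes part of the value, so the policyd-spf idea from the original line is
# kept on its own commented-out line instead.
smtpd_recipient_restrictions = reject_unverified_recipient
# TODO(review): SPF policy check, not set up on this page:
#smtpd_recipient_restrictions = reject_unverified_recipient, check_policy_service unix:private/policyd-spf

#allow bigger messages
message_size_limit = 73400320

# Domains whose mailboxes live in Dovecot (the original line was left
# unfinished); list every domain you host.
virtual_mailbox_domains = example.com
# Transport to dovecot
virtual_transport = lmtp:unix:private/dovecot-lmtp

#map with aliases (create the file and run "postmap /etc/postfix/virtual-alias-map")
virtual_alias_maps = hash:/etc/postfix/virtual-alias-map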

In the rsyslog configuration (on Debian typically /etc/rsyslog.d/50-default.conf, otherwise /etc/rsyslog.conf)
change the line
*.*;auth,authpriv.none -/var/log/syslog
to
*.*;auth,authpriv.none,mail.none -/var/log/syslog

Otherwise Postfix fills syslog with a line for every single connection; the same information is in mail.log / mail.info anyway.


rspamd

see https://thomas-leister.de/en/mailserver-debian-stretch/

install:
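# Add the rspamd upstream repository.
# apt-key puts the vendor key into the global trusted keyring, where it can
# sign ANY repository; keep it in its own keyring and bind it to this source
# with signed-by instead (apt >= 1.1). Fetch key and packages over HTTPS.
# (Needs gnupg for gpg --dearmor; "aptitude install gnupg" if it is missing.)
CODENAME=$(lsb_release -c -s)
wget -qO- https://rspamd.com/apt-stable/gpg.key \
  | gpg --dearmor -o /usr/share/keyrings/rspamd.gpg
printf '%s\n' \
  "deb [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt-stable/ $CODENAME main" \
  "deb-src [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt-stable/ $CODENAME main" \
  > /etc/apt/sources.list.d/rspamd.list
aptitude update
aptitude install rspamd redis-server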

Edit /etc/redis/redis.conf

# Cap memory; when the cap is hit, evict least-recently-used keys that carry
# an expiry rather than failing writes.
maxmemory 500mb
maxmemory-policy volatile-lru
# NOTE(review): keep Debian's default "bind 127.0.0.1 ::1" in this file - the
# instance holds rspamd's learned statistics and has no authentication.

files in /etc/rspamd/local.d

options.inc

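# Networks rspamd treats as "local": mail from them is exempt from certain
# checks. NOTE(review): 172.17.0.0/16 is Docker's default bridge range - make
# sure it really is your trusted network and not left over from an example.
# (Straight quotes; the page's curly quotes do not parse.)
local_addrs = "127.0.0.0/8, 172.17.0.0/16, ::1";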

greylist.conf

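# Never greylist these sources (the same trusted range as in options.inc).
whitelisted_ip = "172.17.0.0/16";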

worker-normal.inc

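# Scanner socket, loopback only; nothing outside this host needs it.
bind_socket = "localhost:11333";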

worker-controller.inc (the web-interface/controller worker; its password must be the hash produced by `rspamadm pw`, never the plaintext)

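# Controller / web UI password. Replace this placeholder with the full output
# of "rspamadm pw" (a hash); a plaintext value here is not what the controller
# expects. Consider a separate enable_password so read-only UI access does not
# also allow learning and configuration changes.
password = "a2oihr4qowaefasiodf";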

worker-proxy.inc (milter for postfix)

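# Milter endpoint for Postfix; smtpd_milters / non_smtpd_milters in main.cf
# must point at exactly this address (inet:localhost:11332).
bind_socket = "localhost:11332";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  # scan inside the proxy process instead of forwarding to the normal worker
  self_scan = yes;
}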

milter_headers.conf

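# Headers the milter adds to scanned mail.
use = ["x-spam-status", "x-spam-level", "authentication-results"];
# Add them to mail from local_addrs as well.
skip_local = false;
# For authenticated (outgoing) senders only add Authentication-Results.
authenticated_headers = ["authentication-results"];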

logging.inc

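# Warnings and errors only; raise to "info" while debugging the setup.
level = "warning";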

classifier-bayes.conf

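# Bayes tokens live in the local Redis (see redis.conf).
backend = "redis";
# rspamd also trains itself on clearly classified mail; the imapsieve hooks
# below add explicit training from user moves to/from Junk.
autolearn = true;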

redis.conf

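# Local Redis instance configured above.
servers = "127.0.0.1";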

create /etc/apache2/conf-available/rspamd.conf (`a2enconf` below looks there) and make sure mod_proxy and mod_proxy_http are enabled (`a2enmod proxy proxy_http`)

# Reverse proxy for the rspamd web UI (controller worker on 11334).
# Serve this Location only from an HTTPS vhost: the controller password is
# otherwise sent in the clear. Nothing but that password protects the UI
# unless Apache authentication or IP rules are added here.
<Location /rspamd>
    ProxyPass http://localhost:11334
    ProxyPassReverse http://localhost:11334
    ProxyPreserveHost On
</Location>

a2enconf rspamd

/etc/postfix/main.cf

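# Hand every message (SMTP and locally submitted) to rspamd's proxy worker.
# worker-proxy.inc binds inet localhost:11332, so that is what we connect to.
# The unix-socket variant is kept for when the worker is reconfigured to listen
# on it (note that on Debian's default master.cf smtpd and cleanup run chrooted,
# so a path outside /var/spool/postfix is not reachable from them).
# Because milter_default_action below is "accept", pointing at a socket nobody
# listens on silently delivers everything UNSCANNED - after changing either
# side, check mail.log for "connect to Milter service ... failed".
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
#smtpd_milters = unix:/var/lib/rspamd/milter.sock
#non_smtpd_milters = unix:/var/lib/rspamd/milter.sock
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Fail-OPEN: if rspamd is unreachable, mail is accepted without spam/virus
# checks and without DKIM signing. "tempfail" fails closed (senders retry
# later) at the cost of delaying mail during an rspamd outage.
milter_default_action = accept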

add automatic spam movement and spam learning when user moves them:

file /etc/dovecot/sieve/spam.sieve

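# Runs before the user's own scripts (sieve_before) and files mail that rspamd
# flagged as spam into Junk. Straight quotes: the page's curly quotes do not
# parse as Sieve strings.
require "fileinto";

# SpamAssassin-style flag; presumably only a fallback here, since none of the
# milter_headers routines configured on this page set it.
if header :contains "X-Spam-Flag" "YES" {
  fileinto "Junk";
}

# Header the rspamd proxy adds when the verdict is "add header".
if header :is "X-Spam" "Yes" {
  fileinto "Junk";
}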

file /etc/dovecot/sieve/learn-spam.sieve

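# imapsieve hook: a message copied/moved INTO Junk is fed to rspamd as spam.
# :copy keeps the message on its way to the mailbox; rspamc only gets a copy.
require ["vnd.dovecot.pipe", "copy", "imapsieve"];

pipe :copy "rspamc" ["learn_spam"];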

file /etc/dovecot/sieve/learn-ham.sieve

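# imapsieve hook: a message moved OUT of Junk is fed to rspamd as ham - unless
# it is merely being deleted (moved to Trash).
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

# Destination mailbox of the move.
if environment :matches "imap.mailbox" "*" {
  set "mailbox" "${1}";
}

if string "${mailbox}" "Trash" {
  stop;
}

pipe :copy "rspamc" ["learn_ham"];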

edit /etc/dovecot/conf.d/90-plugin.conf
plugin{

# imapsieve runs scripts on IMAP copies/moves; extprograms provides the
# vnd.dovecot.pipe extension used to call rspamc.
sieve_plugins = sieve_imapsieve sieve_extprograms
# Admin script executed on delivery before any user script.
sieve_before = /etc/dovecot/sieve/spam.sieve
# "pipe" is enabled for GLOBAL scripts only - it is deliberately not added to
# sieve_extensions, so users cannot run programs from their own (ManageSieve)
# scripts.
sieve_global_extensions = +vnd.dovecot.pipe
# NOTE(review): this lets the global scripts run anything in /usr/bin; a
# dedicated directory containing only a symlink to rspamc would be tighter.
sieve_pipe_bin_dir = /usr/bin
  # From elsewhere to Spam folder
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
  # From Spam folder to elsewhere
  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve


}

file conf.d/20-imap.conf

protocol imap {
# imap_sieve makes the imapsieve_mailbox* hooks from 90-plugin.conf fire on IMAP copies/moves.
mail_plugins = $mail_plugins imap_sieve
}

file conf.d/20-lmtp.conf, inside the existing `protocol lmtp { }` block (this is the same mail_plugins setting already added above; keep only one of the two lines):

# Sieve on LMTP delivery (runs spam.sieve via sieve_before).
mail_plugins = $mail_plugins sieve

}


let rspamd dkim sign our mails:

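# Generate the DKIM key pair for selector "2018" directly in /etc/rspamd/dkim.
# The original ran rspamadm in whatever the current directory was and then
# chown'ed a relative "dkim", so the key and the permissions could end up in
# the wrong place. umask 077 keeps the private key unreadable by others from
# the moment it is written, not only after the chmod below.
mkdir -p /etc/rspamd/dkim
(
  umask 077
  rspamadm dkim_keygen -b 2048 -s 2018 -k /etc/rspamd/dkim/2018.key > /etc/rspamd/dkim/2018.txt
)
chown -R _rspamd:_rspamd /etc/rspamd/dkim
# 2018.key is the private key and must stay readable by rspamd only;
# 2018.txt is the public DNS record to publish.
chmod 440 /etc/rspamd/dkim/*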

Look at /etc/rspamd/dkim/2018.txt for the DNS TXT record to publish at 2018._domainkey.example.com. Publish it (and wait for it to propagate) before enabling signing; signed mail whose key is not in DNS fails DKIM verification at the recipient.

edit file /etc/rspamd/local.d/dkim_signing.conf

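# Private key per selector; rspamd expands $selector (and $domain) in the path.
# Straight quotes - the page's curly quotes do not parse.
path = "/etc/rspamd/dkim/$selector.key";
selector = "2018";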

# ARC signing reuses exactly the DKIM key and selector settings.
cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf


setup clamav for use with rspamd

# clamd, which rspamd's antivirus module queries over its control socket.
aptitude install clamav-daemon

choose all the defaults during setup (or think a bit yourself ;-))

add user _rspamd to group clamav

# Let the rspamd user reach clamd's control socket (/var/run/clamav/clamd.ctl).
adduser _rspamd clamav

/etc/rspamd/local.d/antivirus.conf

clamav {

# Scan the whole message, not just attachments, so phishing/HTML-body
# signatures can match. This is also what makes the EICAR test string in a
# plain-text body get detected:
# X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
# NOTE(review): some on-access scanners flag any file containing that string,
# including this config file.
attachments_only = false;
symbol = "CLAM_VIRUS";
type = "clamav";
#log_clean = false;
# Local clamd control socket (requires _rspamd in group clamav, see above).
servers = "/var/run/clamav/clamd.ctl";

# Optional per-signature symbols, e.g. to score the EICAR test separately:
# patterns {

  # symbol_name = "pattern";
 # JUST_EICAR = "^Eicar-Test-Signature$";

# }
}


Set up unbound as a local caching resolver. rspamd does many DNS lookups (DNSBLs, SPF, DKIM), and several blocklist operators rate-limit or refuse queries arriving from large public resolvers, so let unbound recurse itself rather than forward to them.

aptitude install unbound

Make localhost the primary DNS server in /etc/resolv.conf (if resolvconf, systemd-resolved or a DHCP client manages that file, configure it there instead, or the change will be overwritten):

# unbound, installed above, answers on loopback
nameserver 127.0.0.1


More fail2ban jails (also in /etc/fail2ban/jail.local):

# Apache jails cover the rspamd web UI proxy above (and any webmail on this host).
[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

# Only meaningful if Roundcube is installed; it is not set up on this page.
[roundcube-auth]
enabled = true

[postfix]
enabled = true

# Bans hosts that repeatedly fail SMTP AUTH against the Dovecot SASL socket.
[postfix-sasl]
enabled = true

[postfix-rbl]
enabled = true

# NOTE(review): sshd-ddos was merged into the sshd jail (mode = aggressive) in
# fail2ban 0.10+, where this section is no longer accepted - confirm the
# installed version.
[sshd-ddos]
enabled = true
