linux_server_manuals:dovecot_ldap_rspamd
linux_server_manuals:dovecot_ldap_rspamd [2018/01/13 06:50] – created ronney | linux_server_manuals:dovecot_ldap_rspamd [2018/01/28 18:49] (current) – [Clamav integration] ronney
Line 1: | Line 1: | ||
- | ====== Dovecot + Ldap (keycloak) + Rspamd ====== | + | ====== Dovecot |
+ | |||
+ | Postfix will be used to receive mails, it will use Rspamd as effective spam filter and check over LMTP with dovecot if mail adresses exists and if yes, deliver them to dovecot, as long as rspamd doesn' | ||
+ | Dovecot will authenticate user against an Ldap server and only accepts mail for users of the group mail. The Ldap data actually come from an keycloak installation, | ||
+ | Solr is used to eficiently search mails, you mainly need that for webmail clients. | ||
===== Dovecot ===== | ===== Dovecot ===== | ||
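Review bot: spelling and grammar in the three new introduction lines before the Dovecot heading: "adresses" should be "addresses", "eficiently" should be "efficiently", and "an keycloak installation" should be "a keycloak installation". The sentence that starts "as long as rspamd doesn'" is cut off in the rendered diff; check the page source to confirm it is complete, since it is the one sentence that states when a message is not delivered.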
Line 10: | Line 14: | ||
==== Make Dovecot use Ldap ==== | ==== Make Dovecot use Ldap ==== | ||
+ | |||
+ | In most config files you can just uncomment the necessary settings. | ||
Edit file / | Edit file / | ||
< | < | ||
- | uncomment: | + | !include auth-ldap.conf.ext |
- | comment: | + | #!include auth-system.conf.ext |
#To strip the domain name from the username before authentication, | #To strip the domain name from the username before authentication, | ||
auth_username_format = %Ln | auth_username_format = %Ln | ||
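Review bot: the switch from `#!include auth-system.conf.ext` to `!include auth-ldap.conf.ext` together with `auth_username_format = %Ln` should be documented as a single-domain assumption. Stripping the domain before the LDAP lookup means `user@a.example` and `user@b.example` resolve to the same LDAP entry, so the setting is only safe when this host serves one mail domain; one sentence next to `auth_username_format` saves a reader from enabling it on a multi-domain host.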
Line 30: | Line 36: | ||
</ | </ | ||
- | Restart dovecot and test authentification: | + | Restart dovecot and test authentication: |
< | < | ||
servicectl restart dovecot | servicectl restart dovecot | ||
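Review bot: `servicectl restart dovecot` is not a command; the page uses `systemctl restart tomcat8` later, so this should read `systemctl restart dovecot`. The "authentification" to "authentication" correction in the same hunk is fine.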
Line 78: | Line 84: | ||
</ | </ | ||
- | edit file conf.d/ | + | edit file / |
- | + | and add to every mailbox: | |
- | add | + | < |
auto = subscribe | auto = subscribe | ||
- | to every mailbox | + | </ |
+ | edit file / | ||
- | edit file conf.d/ | + | < |
protocol lmtp { | protocol lmtp { | ||
# Space separated list of plugins to load (default is global mail_plugins). | # Space separated list of plugins to load (default is global mail_plugins). | ||
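Review bot: the hunk shows `auto = subscribe` on its own, but the line only makes sense inside a `mailbox { }` stanza, and the file names after "edit file /" are cut off in the rendered diff. Quote one complete mailbox stanza (the Junk mailbox that the sieve rules later deliver into would be the natural one) and check the page source that both paths are intact.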
Line 93: | Line 99: | ||
mail_plugins = sieve $mail_plugins | mail_plugins = sieve $mail_plugins | ||
} | } | ||
+ | </ | ||
- | add solr support for searching in mails: | + | ==== Solr ==== |
+ | Add solr support for searching in mails: | ||
+ | |||
+ | < | ||
aptitude install solr-tomcat | aptitude install solr-tomcat | ||
+ | </ | ||
- | make tomcat only listen on localhost | + | to make tomcat only listen on localhost edit file / |
- | edit file / | + | < |
- | < | + | < |
+ | </file> | ||
- | copy dovecot solr schema | + | you need to copy dovecot solr schema: |
+ | < | ||
mv / | mv / | ||
ln -s / | ln -s / | ||
+ | </ | ||
- | restart tomcat | + | Then restart tomcat: |
+ | < | ||
+ | systemctl restart tomcat8 | ||
+ | </ | ||
- | edit file conf.d/ 90-plugin.conf | + | edit file / |
+ | < | ||
plugin { | plugin { | ||
+ | ... | ||
fts = solr | fts = solr | ||
fts_solr = url=http:// | fts_solr = url=http:// | ||
+ | ... | ||
+ | } | ||
+ | </ | ||
- | edit conf.d/ | + | edit / |
+ | < | ||
mail_plugins = fts fts_solr | mail_plugins = fts fts_solr | ||
+ | </ | ||
- | generate | + | Create |
+ | < | ||
# dovecot-solr commits & optimization | # dovecot-solr commits & optimization | ||
# http:// | # http:// | ||
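Review bot: the Solr schema step (`mv / ...` followed by `ln -s / ...`) replaces Tomcat's schema with a symlink into Dovecot's installed copy, so a dovecot package upgrade rewrites the live Solr schema without a Tomcat restart or reindex; either say so or copy the file instead of linking it. The "make tomcat only listen on localhost" edit is the right control here, because `fts_solr = url=http://` talks plain HTTP and no Solr authentication is shown, so keep that edit before the `systemctl restart tomcat8` step as the hunk already does.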
Line 128: | Line 151: | ||
# Optimize should be run somewhat rarely, e.g. once a day | # Optimize should be run somewhat rarely, e.g. once a day | ||
23 3 * * * root / | 23 3 * * * root / | ||
+ | </ | ||
- | ----- | + | ==== Fail2ban for dovecot |
- | use fail2ban with dovecot, add to | + | |
- | / | + | |
+ | use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, | ||
+ | / | ||
+ | < | ||
[dovecot] | [dovecot] | ||
enabled = true | enabled = true | ||
- | + | </ | |
- | ____________ | + | |
- | postfix: | + | ===== Postfix ===== |
+ | Install postfix | ||
+ | < | ||
aptitude install postfix | aptitude install postfix | ||
+ | </ | ||
- | add alias for root | + | Add alias for root |
+ | < | ||
echo root: user@example.com >> / | echo root: user@example.com >> / | ||
postalias / | postalias / | ||
+ | </ | ||
- | edit / | + | edit / |
+ | < | ||
+ | #comment out | ||
+ | #mydestination = ... | ||
delay_warning_time = 4h | delay_warning_time = 4h | ||
- | smtpd_tls_cert_file=/ | + | smtpd_tls_cert_file=/ |
- | smtpd_tls_key_file=/ | + | smtpd_tls_key_file=/ |
- | #remove | + | #comment out |
+ | #smtpd_use_tls=yes | ||
smtp_tls_security_level=may | smtp_tls_security_level=may | ||
smtpd_tls_security_level=may | smtpd_tls_security_level=may | ||
Line 163: | Line 196: | ||
smtpd_sasl_type = dovecot | smtpd_sasl_type = dovecot | ||
smtpd_sasl_path = private/ | smtpd_sasl_path = private/ | ||
- | |||
smtpd_relay_restrictions = permit_mynetworks, | smtpd_relay_restrictions = permit_mynetworks, | ||
# reject_unverified_recipient uses lmtp to verify if receiver exists. | # reject_unverified_recipient uses lmtp to verify if receiver exists. | ||
- | smtpd_recipient_restrictions = reject_unverified_recipient, | + | smtpd_recipient_restrictions = permit_mynetworks, |
#allow bigger messages | #allow bigger messages | ||
message_size_limit = 73400320 | message_size_limit = 73400320 | ||
- | virtual_mailbox_domaines | + | virtual_mailbox_domaines |
# Transport to dovecot | # Transport to dovecot | ||
virtual_transport = lmtp: | virtual_transport = lmtp: | ||
Line 179: | Line 211: | ||
#map with aliases | #map with aliases | ||
virtual_alias_maps = hash:/ | virtual_alias_maps = hash:/ | ||
+ | # If you have some docker containers or similar stuff, we need to add the | ||
+ | # 172.17.0.0/ | ||
+ | # If you don't use that subnet, you can leave that directive on it's default setting. | ||
+ | mynetworks = 127.0.0.0/8 [:: | ||
+ | </ | ||
+ | |||
+ | Our virtual alias map file. It maps some important accounts, propably some admin user wants to receive those mails. | ||
+ | / | ||
+ | < | ||
+ | postmaster@example.com adminuser@example.com | ||
+ | www-data@example.com adminuser@example.com | ||
+ | root@example.com adminuser@example.com | ||
+ | </ | ||
+ | |||
+ | Postfix will spam syslog with every single connection it made. So we tell it not to log to syslog, you get the same information in mail.info anyway.... | ||
+ | Edit file / | ||
- | file / | ||
change line | change line | ||
+ | < | ||
*.*; | *.*; | ||
+ | </ | ||
to | to | ||
+ | < | ||
*.*; | *.*; | ||
+ | </ | ||
- | otherwise postfix will spam syslog with every single connection it made. you get the same information in mail.info anyway.... | + | ===== rspamd ===== |
- | -------------- | + | The documentation about the functionality and configuration of rspamd is a bit sparse. |
+ | The one here is working, but no garantees, that it is perfect.... | ||
- | rspamd | + | ==== Configuration ==== |
- | see https:// | + | Install rspamd and redis. |
- | install: | + | < |
CODENAME=`lsb_release -c -s` | CODENAME=`lsb_release -c -s` | ||
wget -O- https:// | wget -O- https:// | ||
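Review bot: `virtual_mailbox_domaines` (present in both columns) is a misspelling of the Postfix parameter `virtual_mailbox_domains`; Postfix logs an unknown parameter and ignores it, so the virtual domain list never applies and the LMTP transport and `reject_unverified_recipient` check will not work as the comments describe. Second point, same hunk: adding the Docker range `172.17.0.0/` to `mynetworks` while both `smtpd_relay_restrictions` and the new `smtpd_recipient_restrictions` open with `permit_mynetworks` makes every container on that subnet a trusted relay client that also skips recipient verification; the comment should state that, and the range should only be added when containers really need to send through this host. Minor: "on it's default setting" should be "on its default setting" and "propably" should be "probably".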
Line 201: | Line 253: | ||
aptitude update | aptitude update | ||
aptitude install rspamd redis-server | aptitude install rspamd redis-server | ||
+ | </ | ||
- | edite / | + | edit / |
+ | < | ||
maxmemory 500mb | maxmemory 500mb | ||
maxmemory-policy volatile-lru | maxmemory-policy volatile-lru | ||
+ | </ | ||
- | files in / | + | Config |
- | + | ||
- | options.inc | + | |
- | + | ||
- | local_addrs = " | + | |
- | + | ||
- | + | ||
- | greylist.conf | + | |
- | + | ||
- | whitelisted_ip=" | + | |
- | + | ||
- | + | ||
- | worker-normal.inc | + | |
+ | Create / | ||
+ | < | ||
bind_socket = " | bind_socket = " | ||
+ | </ | ||
+ | Create a passwordhash for the webinterface. | ||
+ | < | ||
+ | rspamadm pw | ||
+ | </ | ||
+ | Then enter that hash in the file / | ||
+ | < | ||
+ | #password for read access | ||
+ | password = " | ||
+ | #password for write access. you need to set both. I know, it's stupid ;-) | ||
+ | enable_password = " | ||
+ | </ | ||
- | worker-normal.inc (password webinterface. is a hash, must be generated bz rspamadm pw) | + | / |
- | + | ||
- | password = " | + | |
- | + | ||
- | + | ||
- | worker-proxy.inc | + | |
+ | < | ||
bind_socket = " | bind_socket = " | ||
milter = yes; | milter = yes; | ||
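Review bot: in the worker-controller block, `password` (read access) and `enable_password` (write access) should be two different hashes from two separate `rspamadm pw` runs; the comment "you need to set both" reads as an invitation to paste the same hash into both, which gives every read-only login write access to the controller. Say explicitly that the two hashes must differ. Also the `wget -O- https://` repository bootstrap line is cut off in the rendered diff; check the page source shows the complete command, since it is the key material readers are asked to trust for the rspamd packages.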
Line 238: | Line 290: | ||
self_scan = yes; | self_scan = yes; | ||
} | } | ||
+ | </ | ||
- | milter_headers.conf | + | We want that rspamd adds some headers to the mails. For details see the documentation |
+ | Create file / | ||
+ | < | ||
use = [" | use = [" | ||
skip_local = false; | skip_local = false; | ||
authenticated_headers = [" | authenticated_headers = [" | ||
+ | </ | ||
- | + | rspamd is incredibly verbose. let's decrease logging: | |
- | logging.inc | + | Create / |
+ | < | ||
level = " | level = " | ||
+ | </ | ||
+ | activate redis support | ||
+ | Create file / | ||
+ | < | ||
+ | servers = " | ||
+ | </ | ||
- | classifier-bayes.conf | + | For Bayes filter redis support needs to be activated explicitly |
+ | Create / | ||
+ | < | ||
backend = " | backend = " | ||
autolearn = true; | autolearn = true; | ||
+ | </ | ||
+ | ==== Access to Rspamd Webinterface ==== | ||
- | rdis.conf | + | To be able to access the rspamd webinterface we need to add a config file to apache. |
- | + | create / | |
- | servers = " | + | |
- | + | ||
- | + | ||
- | create / | + | |
+ | < | ||
+ | RewriteEngine on | ||
+ | RewriteRule ^/rspamd$ /rspamd/ [R] | ||
< | < | ||
- | ProxyPass http:// | + | ProxyPass http:// |
- | ProxyPassReverse http:// | + | ProxyPassReverse http:// |
- | ProxyPreserveHost On | + | ProxyPreserveHost On |
</ | </ | ||
+ | </ | ||
+ | Then enable it: | ||
+ | < | ||
a2enconf rspamd | a2enconf rspamd | ||
+ | </ | ||
- | / | + | ==== Postfix integration ==== |
- | # | + | Make postfix use rspamd, therefore add following lines to |
- | #unix sockets | + | / |
- | smtpd_milters = unix:/ | + | < |
- | non_smtpd_milters = unix:/ | + | #TODO: It would be more effective using unix sockets. |
+ | #smtpd_milters = unix:/ | ||
+ | smtpd_milters = inet: | ||
+ | non_smtpd_milters = inet:localhost: | ||
milter_protocol = 6 | milter_protocol = 6 | ||
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} | milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} | ||
# skip mail without checks if something goes wrong | # skip mail without checks if something goes wrong | ||
milter_default_action = accept | milter_default_action = accept | ||
+ | </ | ||
- | add automatic spam movement and spam learning when user moves them: | + | ==== Dovecot integration ==== |
- | file / | + | We want Dovecot to automatically move new mails to spam folder when they were recognized as spam mail. Additionally, |
+ | Create file / | ||
+ | < | ||
require " | require " | ||
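Review bot: `milter_default_action = accept` in the Postfix integration block is fail-open: when rspamd is unreachable, mail is delivered without any scan, as the comment "skip mail without checks if something goes wrong" admits. Document the trade-off next to the setting (the alternative `tempfail` keeps the mail on the sending side until the filter is back) so operators choose it deliberately. In the Apache block, `RewriteEngine on` and `ProxyPass` require mod_rewrite, mod_proxy and mod_proxy_http to be enabled; `a2enconf rspamd` alone does not enable modules, and since the hunk shows no access restriction on the proxied controller beyond rspamd's own password, the snippet should also say which TLS vhost it is meant to live in.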
Line 296: | Line 370: | ||
fileinto " | fileinto " | ||
} | } | ||
+ | </ | ||
- | file / | + | Create |
+ | < | ||
require [" | require [" | ||
pipe :copy " | pipe :copy " | ||
+ | </ | ||
- | + | Create | |
- | file / | + | < |
require [" | require [" | ||
Line 318: | Line 393: | ||
pipe :copy " | pipe :copy " | ||
+ | </ | ||
+ | Since dovecot does not have write permission for / | ||
+ | < | ||
+ | sievec learn-ham.sieve | ||
+ | sievec learn-spam.sieve | ||
+ | sievec spam.sieve | ||
+ | </ | ||
+ | |||
+ | For the learning scripts to work, they need to be added to the dovecot configuration: | ||
edit / | edit / | ||
+ | < | ||
plugin{ | plugin{ | ||
... | ... | ||
+ | #to make spam stuff work | ||
sieve_plugins = sieve_imapsieve sieve_extprograms | sieve_plugins = sieve_imapsieve sieve_extprograms | ||
sieve_before = / | sieve_before = / | ||
sieve_global_extensions = +vnd.dovecot.pipe | sieve_global_extensions = +vnd.dovecot.pipe | ||
sieve_pipe_bin_dir = /usr/bin | sieve_pipe_bin_dir = /usr/bin | ||
- | | + | |
- | imapsieve_mailbox1_name = Junk | + | imapsieve_mailbox1_name = Junk |
- | imapsieve_mailbox1_causes = COPY | + | imapsieve_mailbox1_causes = COPY |
- | imapsieve_mailbox1_before = file:/ | + | imapsieve_mailbox1_before = file:/ |
# From Spam folder to elsewhere | # From Spam folder to elsewhere | ||
- | | + | |
- | imapsieve_mailbox2_from = Junk | + | imapsieve_mailbox2_from = Junk |
- | imapsieve_mailbox2_causes = COPY | + | imapsieve_mailbox2_causes = COPY |
- | imapsieve_mailbox2_before = file:/ | + | imapsieve_mailbox2_before = file:/ |
- | ... | + | |
} | } | ||
+ | </ | ||
- | file / | ||
+ | Edit file / | ||
+ | < | ||
protocol imap { | protocol imap { | ||
| | ||
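Review bot: `sieve_pipe_bin_dir = /usr/bin` lets the `pipe` extension start any binary in /usr/bin. Because `sieve_global_extensions = +vnd.dovecot.pipe` enables the extension only for the global scripts (`sieve_before` and the imapsieve rules), user scripts cannot reach it, but least privilege is a dedicated directory that holds only the program the learn scripts pipe into, so a later change to `sieve_global_extensions` cannot widen the exposure. Minor: `plugin{` should be `plugin {` to match the style of the other blocks on the page.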
Line 348: | Line 435: | ||
mail_plugins = $mail_plugins sieve | mail_plugins = $mail_plugins sieve | ||
} | } | ||
+ | </ | ||
- | ---- | + | ==== dkim and arc mail signing ==== |
- | let rspamd | + | To let Rspamd |
+ | < | ||
mkdir / | mkdir / | ||
rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt | rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt | ||
- | chown _rspamd: | + | chown _rspamd: |
chmod 440 / | chmod 440 / | ||
+ | </ | ||
- | look at 2018.txt to see how dns entry should look like. | + | Look at 2018.txt to see how your dns entry should look like. and then make that DNS-entry. |
edit file dkim_signing.conf | edit file dkim_signing.conf | ||
+ | < | ||
path = "/ | path = "/ | ||
selector = " | selector = " | ||
+ | # I need that, since in my case, usernames are without the domain. | ||
+ | # Otherwise he won't do any dkim signing. | ||
+ | allow_username_mismatch = true; | ||
+ | </ | ||
- | cp -R / | + | If you provide mailinglists, |
+ | < | ||
+ | ln -s / | ||
+ | </ | ||
- | --------------- | + | ==== Clamav integration ==== |
setup clamav for use with rspamd | setup clamav for use with rspamd | ||
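Review bot: the DKIM key generation writes to relative paths: after the `mkdir / ...` step, `rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt` creates 2018.key and 2018.txt in the current working directory, while the following `chown _rspamd:` and `chmod 440` lines target an absolute path under the new directory. Either add a `cd` into that directory before the keygen or use absolute paths for `-k` and the redirect; otherwise the chown/chmod apply to a file that is not there and the private key keeps whatever permissions it was created with. Also worth stating: `allow_username_mismatch = true` is a direct consequence of `auth_username_format = %Ln` earlier on the page (rspamd cannot compare a domainless login with the From domain), so it signs for any authenticated user and is only appropriate for a single-domain host. Minor: "how your dns entry should look like. and then make that DNS-entry" should read "what your DNS entry should look like, then create that DNS entry".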
Line 412: | Line 509: | ||
--------- | --------- | ||
+ | apache reverse proxy for web interface | ||
+ | ----- | ||
+ | |||
more fail2ban | more fail2ban | ||
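Review bot: the added heading "apache reverse proxy for web interface" followed by a bare "-----" has no content, and the Apache proxy for the rspamd web interface is already written up in the "Access to Rspamd Webinterface" section of this revision; drop the placeholder or replace it with a reference to that section.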
Line 434: | Line 534: | ||
[postfix-sasl] | [postfix-sasl] | ||
enabled = true | enabled = true | ||
+ | |||
+ | see https:// | ||
[postfix-rbl] | [postfix-rbl] |
linux_server_manuals/dovecot_ldap_rspamd.1515826201.txt.gz · Last modified: 2018/01/13 06:50 by ronney