linux_server_manuals:dovecot_ldap_rspamd

linux_server_manuals:dovecot_ldap_rspamd [2018/01/13 06:50] – created ronney
linux_server_manuals:dovecot_ldap_rspamd [2018/01/28 18:49] (current) – [Clamav integration] ronney
Line 1: Line 1:
-====== Dovecot + Ldap (keycloak) + Rspamd ======+====== Dovecot + Postfix + Ldap (keycloak) + solr + Rspamd ====== 
 + 
 +Postfix will be used to receive mails, it will use Rspamd as effective spam filter and check over LMTP with dovecot if mail adresses exists and if yes, deliver them to dovecot, as long as rspamd doesn't reject the mail. 
 +Dovecot will authenticate user against an Ldap server and only accepts mail for users of the group mail. The Ldap data actually come from an keycloak installation, but that is irrelevant here ;-). 
 +Solr is used to eficiently search mails, you mainly need that for webmail clients.
  
 ===== Dovecot ===== ===== Dovecot =====
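Review bot: The new introduction says Dovecot "only accepts mail for users of the group mail", but nothing in this diff shows where that LDAP group restriction is configured; the only related line is the `!include auth-ldap.conf.ext` in the 10-auth.conf hunk, and that file's contents are not shown. Quoting the `user_filter` / `pass_filter` (or whichever setting carries the group condition) would make the setup reproducible and let a reader check that an LDAP user outside the group really is refused. Minor wording: "adresses" should be "addresses", "eficiently" should be "efficiently", "an keycloak" should be "a keycloak".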
Line 10: Line 14:
  
 ==== Make Dovecot use Ldap ==== ==== Make Dovecot use Ldap ====
 +
 +In most config files you can just uncomment the necessary settings.
  
 Edit file /etc/dovecot/conf.d/10-auth.conf Edit file /etc/dovecot/conf.d/10-auth.conf
  
 <code> <code>
-uncomment: !include auth-ldap.conf.ext +!include auth-ldap.conf.ext 
-comment:  !include auth-system.conf.ext+#!include auth-system.conf.ext
 #To strip the domain name from the username before authentication, and make it lowercase #To strip the domain name from the username before authentication, and make it lowercase
 auth_username_format = %Ln auth_username_format = %Ln
Line 30: Line 36:
 </code> </code>
  
-Restart dovecot and test authentification:+Restart dovecot and test authentication:
 <code> <code>
 servicectl restart dovecot servicectl restart dovecot
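Review bot: `servicectl restart dovecot` is not a command on Debian; the rest of the page uses systemctl (e.g. `systemctl restart tomcat8` further down), so this should read `systemctl restart dovecot`. Since the previous hunk switches from `auth-system.conf.ext` to `auth-ldap.conf.ext`, it would also help to say what "test authentication" means concretely, for example `doveadm auth test <user>` with a known LDAP account, and that the test should also confirm a non-member or unknown user is rejected.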
Line 78: Line 84:
 </code> </code>
  
-edit file conf.d/15-mailboxes.conf +edit file /etc/dovecot/conf.d/15-mailboxes.conf 
- +and add to every mailbox: 
-add +<code> 
 auto = subscribe auto = subscribe
-to every mailbox+</code>
  
 +edit file /etc/dovecot/conf.d/20-lmtp.conf
  
-edit file conf.d/20-lmtp.conf +<code>
 protocol lmtp { protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).   # Space separated list of plugins to load (default is global mail_plugins).
Line 93: Line 99:
   mail_plugins = sieve $mail_plugins   mail_plugins = sieve $mail_plugins
 } }
 +</code>
  
-add solr support for searching in mails:+==== Solr ====
  
 +Add solr support for searching in mails:
 +
 +<code>
 aptitude install solr-tomcat aptitude install solr-tomcat
 +</code>
  
-make tomcat only listen on localhost +to make tomcat only listen on localhost edit file /etc/tomcat8/server.xml and add address attribute to connector directive: 
-edit file /etc/tomcat8/server.xml and add address attribute to connector directive: +<file> 
- <Connector address="127.0.0.1" port="8080" ..../>+<Connector address="127.0.0.1" port="8080" ..../
 +</file>
  
-copy dovecot solr schema+you need to copy dovecot solr schema
 +<code>
 mv /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.dist mv /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.dist
 ln -s /usr/share/dovecot/solr-schema.xml /etc/solr/conf/schema.xml ln -s /usr/share/dovecot/solr-schema.xml /etc/solr/conf/schema.xml
 +</code>
  
-restart tomcat+Then restart tomcat
 +<code> 
 +systemctl restart tomcat8 
 +</code>
  
-edit file conf.d/ 90-plugin.conf+edit file /etc/dovecot/conf.d/90-plugin.conf
  
 +<file>
 plugin { plugin {
 +  ...
   fts = solr   fts = solr
   fts_solr = url=http://127.0.0.1:8080/solr/   fts_solr = url=http://127.0.0.1:8080/solr/
 +  ...
 +}
 +</file>
  
-edit conf.d/10-mail.conf +edit /etc/dovecot/conf.d/10-mail.conf 
 +<file>
 mail_plugins = fts fts_solr mail_plugins = fts fts_solr
 +</file>
  
-generate file /etc/cron.d/solr-optimize +Create file /etc/cron.d/solr-optimize 
 +<file>
 # dovecot-solr commits & optimization # dovecot-solr commits & optimization
 # http://wiki2.dovecot.org/Plugins/FTS/Solr # http://wiki2.dovecot.org/Plugins/FTS/Solr
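Review bot: The new `<file>` block for server.xml drops the closing `>` of the Connector element (`<Connector address="127.0.0.1" port="8080" ..../`); copied literally that leaves Tomcat with invalid XML, so restore `..../>`. Binding the connector to 127.0.0.1 is the only access control on Solr in this setup (no authentication is configured anywhere on the page), so it is worth stating that the `fts_solr = url=http://127.0.0.1:8080/solr/` line and the `curl http://localhost:8080/solr/update...` cron entries depend on that binding, and that port 8080 must not be exposed or forwarded from elsewhere.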
Line 128: Line 151:
 # Optimize should be run somewhat rarely, e.g. once a day # Optimize should be run somewhat rarely, e.g. once a day
 23 3 * * *  root /usr/bin/curl -s http://localhost:8080/solr/update?optimize=true &>/dev/null 23 3 * * *  root /usr/bin/curl -s http://localhost:8080/solr/update?optimize=true &>/dev/null
 +</file>
  
------ +==== Fail2ban for dovecot ====
-use fail2ban with dovecot, add to +
-/etc/fail2ban/jail.local+
  
 +use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, add to
 +/etc/fail2ban/jail.local
 +<code>
 [dovecot] [dovecot]
 enabled = true enabled = true
- +</code>
-____________+
  
  
-postfix:+===== Postfix =====
  
 +Install postfix
 +<code>
 aptitude install postfix aptitude install postfix
 +</code>
  
-add alias for root+Add alias for root 
 +<code>
 echo root: user@example.com >> /etc/aliases echo root: user@example.com >> /etc/aliases
 postalias /etc/aliases postalias /etc/aliases
 +</code>
  
-edit /etc/postfix/main.cfcomment out mydestination =+edit /etc/postfix/main.cf 
 +<file> 
 +#comment out 
 +#mydestination = ...
  
 delay_warning_time = 4h delay_warning_time = 4h
  
-smtpd_tls_cert_file=/etc/letsencrypt/live/rmm.li/fullchain.pem +smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem 
-smtpd_tls_key_file=/etc/letsencrypt/live/rmm.li/privkey.pem+smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
  
-#remove smtpd_use_tls=yes+#comment out 
 +#smtpd_use_tls=yes
 smtp_tls_security_level=may smtp_tls_security_level=may
 smtpd_tls_security_level=may smtpd_tls_security_level=may
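Review bot: The cron entry `... http://localhost:8080/solr/update?optimize=true &>/dev/null` uses a bash-only redirection; /etc/cron.d jobs run under /bin/sh (dash on Debian), where `&>` is parsed as a background `&` followed by an empty redirection, so curl is backgrounded and its output is not discarded but mailed to root. Use `>/dev/null 2>&1` instead. Also note that an unquoted `?` in a cron command line is fine here only because the URL is not globbed by sh; quoting the URL avoids surprises if it is ever edited.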
Line 163: Line 196:
 smtpd_sasl_type = dovecot smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth smtpd_sasl_path = private/auth
- 
  
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
  
 # reject_unverified_recipient uses lmtp to verify if receiver exists. # reject_unverified_recipient uses lmtp to verify if receiver exists.
-smtpd_recipient_restrictions = reject_unverified_recipient, # ???check_policy_service unix:private/policyd-spf+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_recipient, reject_unauth_destination
  
 #allow bigger messages #allow bigger messages
 message_size_limit = 73400320 message_size_limit = 73400320
  
-virtual_mailbox_domaines+virtual_mailbox_domaines = example.com
 # Transport to dovecot # Transport to dovecot
 virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_transport = lmtp:unix:private/dovecot-lmtp
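Review bot: `virtual_mailbox_domaines = example.com` misspells the Postfix parameter; Postfix will log it as an unused parameter and, with `mydestination` commented out, example.com is then neither a local nor a virtual domain, so the `virtual_transport = lmtp:unix:private/dovecot-lmtp` delivery and the `reject_unverified_recipient` check never apply to it. Fix to `virtual_mailbox_domains = example.com`. Separately, because `permit_sasl_authenticated` is used with `smtpd_tls_security_level=may` (see the TLS lines in the previous hunk), add `smtpd_tls_auth_only = yes` so that SASL credentials are only offered after STARTTLS and never in clear on port 25.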
Line 179: Line 211:
 #map with aliases #map with aliases
 virtual_alias_maps = hash:/etc/postfix/virtual-alias-map virtual_alias_maps = hash:/etc/postfix/virtual-alias-map
 +# If you have some docker containers or similar stuff, we need to add the
 +# 172.17.0.0/16 subnet to mynetwork, so they are able to send mail.
 +# If you don't use that subnet, you can leave that directive on it's default setting.
 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.17.0.0/16
 +</file>
 +
 +Our virtual alias map file. It maps some important accounts, propably some admin user wants to receive those mails.
 +/etc/postfix/virtual-alias-map
 +<file>
 +postmaster@example.com adminuser@example.com
 +www-data@example.com adminuser@example.com
 +root@example.com adminuser@example.com
 +</file>
 +
 +Postfix will spam syslog with every single connection it made. So we tell it not to log to syslog, you get the same information in mail.info anyway....
 +Edit file /etc/rsyslog.d
  
-file /etc/rsyslog.d 
 change line change line
 +<file>
 *.*;auth,authpriv.none -/var/log/syslog *.*;auth,authpriv.none -/var/log/syslog
 +</file>
 to to
 +<file>
 *.*;auth,authpriv.none,mail.none -/var/log/syslog *.*;auth,authpriv.none,mail.none -/var/log/syslog
 +</file>
  
-otherwise postfix will spam syslog with every single connection it made. you get the same information in mail.info anyway....+===== rspamd =====
  
---------------+The documentation about the functionality and configuration of rspamd is a bit sparse. 
 +The one here is working, but no garantees, that it is perfect....
  
-rspamd+==== Configuration ====
  
-see https://thomas-leister.de/en/mailserver-debian-stretch/+Install rspamd and redis.
  
-install:+<code>
 CODENAME=`lsb_release -c -s` CODENAME=`lsb_release -c -s`
 wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
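Review bot: Adding `172.17.0.0/16` to `mynetworks`, combined with `permit_mynetworks` listed first in both `smtpd_relay_restrictions` and `smtpd_recipient_restrictions`, lets every container on that bridge relay to any destination without authentication and bypasses `reject_unverified_recipient` for them; scope the entry to the specific container addresses that need to send mail, or have those containers authenticate with SASL like other clients. Two documentation points in the same hunk: `/etc/rsyslog.d` is a directory, the `*.*;auth,authpriv.none -/var/log/syslog` line lives in `/etc/rsyslog.conf` on Debian; and `wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -` trusts whatever the download returns, so state the expected key fingerprint and have the reader verify it (`apt-key fingerprint`) before the key is added.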
Line 201: Line 253:
 aptitude update aptitude update
 aptitude install rspamd redis-server aptitude install rspamd redis-server
 +</code>
  
-edite /etc/redis/redis.conf +edit /etc/redis/redis.conf (according to rspamd.com) 
 +<file>
 maxmemory 500mb maxmemory 500mb
 maxmemory-policy volatile-lru maxmemory-policy volatile-lru
 +</file>
  
-files in /etc/rspamd/local.d +Config files in /etc/rspamd/local.d override defaults settings.
- +
-options.inc +
- +
-local_addrs = "127.0.0.0/8, 172.17.0.0/16, ::1"; +
- +
- +
-greylist.conf  +
- +
-whitelisted_ip="172.17.0.0/16" +
- +
- +
-worker-normal.inc+
  
 +Create /etc/rspamd/local.d/worker-normal.inc
 +<file>
 bind_socket = "localhost:11333"; bind_socket = "localhost:11333";
 +</file>
  
 +Create a passwordhash for the webinterface.
 +<code>
 +rspamadm pw
 +</code>
 +Then enter that hash in the file /etc/rspamd/local.d/worker-controller.inc
 +<file>
 +#password for read access
 +password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
 +#password for write access. you need to set both. I know, it's stupid ;-)
 +enable_password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
 +</file>
  
-worker-normal.inc (password webinterfaceis a hash, must be generated bz rspamadm pw) +/etc/rspamd/local.d/worker-proxy.inc (milter for postfix)
- +
-password = "a2oihr4qowaefasiodf" +
- +
- +
-worker-proxy.inc   (milter for postfix)+
  
 +<file>
 bind_socket = "localhost:11332"; bind_socket = "localhost:11332";
 milter = yes; milter = yes;
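Review bot: `password` and `enable_password` in worker-controller.inc are set to the same hash, which makes read-only and administrative (write) access to the controller the same secret; run `rspamadm pw` twice and use a distinct hash for `enable_password`. Since that password is the only protection for the controller, the note should also confirm that worker-controller.inc binds to localhost only (`bind_socket = "localhost:11334";`, matching the `ProxyPass http://localhost:11334` used for apache below), as is done here explicitly for worker-normal.inc and worker-proxy.inc. Redis is used without authentication in this setup, which is acceptable only while it listens on 127.0.0.1; worth stating next to the `maxmemory` edit.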
Line 238: Line 290:
     self_scan = yes;     self_scan = yes;
 } }
 +</file>
  
-milter_headers.conf+We want that rspamd adds some headers to the mails. For details see the documentation 
 +Create file /etc/rspamd/local.d/milter_headers.conf
  
 +<file>
 use = ["x-spam-status", "x-spam-level", "authentication-results"]; use = ["x-spam-status", "x-spam-level", "authentication-results"];
 skip_local = false; skip_local = false;
 authenticated_headers = ["authentication-results"]; authenticated_headers = ["authentication-results"];
 +</file>
  
- +rspamd is incredibly verbose. let's decrease logging: 
-logging.inc +Create /etc/rspamd/local.d/logging.inc 
 +<file>
 level = "warning"; level = "warning";
 +</file>
  
 +activate redis support
 +Create file /etc/rspamd/local.d/redis.conf
 +<file>
 +servers = "127.0.0.1";
 +</file>
  
-classifier-bayes.conf +For Bayes filter redis support needs to be activated explicitly 
 +Create /etc/rspamd/local.d/classifier-bayes.conf 
 +<file>
 backend = "redis"; backend = "redis";
 autolearn = true; autolearn = true;
 +</file>
  
 +==== Access to Rspamd Webinterface ====
  
-rdis.conf +To be able to access the rspamd webinterface we need to add a config file to apache
- +create /etc/apache2/conf-available/rspamd.conf
-servers = "127.0.0.1"; +
- +
- +
-create /etc/apache2/rspamd.conf+
  
 +<file>
 +RewriteEngine on
 +RewriteRule ^/rspamd$ /rspamd/ [R]
 <Location /rspamd> <Location /rspamd>
-        ProxyPass http://localhost:11334  +        ProxyPass http://localhost:11334 
-        ProxyPassReverse http://localhost:11334     +        ProxyPassReverse http://localhost:11334 
-        ProxyPreserveHost On                                                                               +        ProxyPreserveHost On
 </Location> </Location>
 +</file>
  
 +Then enable it:
 +<code>
 a2enconf rspamd a2enconf rspamd
 +</code>
  
-/etc/postfix/main.cf+==== Postfix integration ====
  
-#smtpd_milters = inet:localhost:11332 +Make postfix use rspamd, therefore add following lines to 
-#unix sockets is not configured correctly yet, use inet sockets +/etc/postfix/main.cf 
-smtpd_milters = unix:/var/lib/rspamd/milter.sock +<file> 
-non_smtpd_milters = unix:/var/lib/rspamd/milter.sock+#TODO: It would be more effective using unix sockets. 
 +#smtpd_milters = unix:/var/lib/rspamd/milter.sock 
 +smtpd_milters = inet:localhost:11332 
 +non_smtpd_milters = inet:localhost:11332
 milter_protocol = 6 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 # skip mail without checks if something goes wrong # skip mail without checks if something goes wrong
 milter_default_action = accept milter_default_action = accept
 +</file>
  
-add automatic spam movement and spam learning when user moves them:+==== Dovecot integration ====
  
-file /etc/dovecot/sieve/spam.sieve+We want Dovecot to automatically move new mails to spam folder when they were recognized as spam mail. Additionally, when the user moves mail to the spam folder or away from spam folder, rspamd should learn them as spam or ham.
  
 +Create file /etc/dovecot/sieve/spam.sieve
 +<file>
 require "fileinto"; require "fileinto";
  
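Review bot: `milter_default_action = accept` makes the milter fail-open: when rspamd or its `inet:localhost:11332` proxy worker is unreachable, mail is delivered with no spam check, no DKIM/ARC handling and, once the Clamav integration below is added, no antivirus check. That is a deliberate availability choice, but it should be stated in the Clamav section too, and `milter_default_action = tempfail` is the safer choice if malware scanning is relied upon. On the apache side, `<Location /rspamd>` proxies the controller with no access restriction in apache itself, so the rspamd password travels in clear unless this vhost is HTTPS-only; add a `Require ip ...` for the admin networks or keep it on a TLS-only vhost, and list the modules the snippet needs (`a2enmod proxy proxy_http rewrite`) before `a2enconf rspamd`. Finally, `autolearn = true` in classifier-bayes.conf lets any message rspamd scores confidently train the Bayes classifier automatically; that is convenient but easier to poison than learning only from user moves, so mention the trade-off.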
Line 296: Line 370:
     fileinto "Junk";     fileinto "Junk";
 } }
 +</file>
  
  
-file /etc/dovecot/sieve/learn-spam.sieve +Create file /etc/dovecot/sieve/learn-spam.sieve 
 +<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve"]; require ["vnd.dovecot.pipe", "copy", "imapsieve"];
  
 pipe :copy "rspamc" ["learn_spam"]; pipe :copy "rspamc" ["learn_spam"];
 +</file>
  
- +Create file /etc/dovecot/sieve/learn-ham.sieve 
-file /etc/dovecot/sieve/learn-ham.sieve +<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"]; require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
  
Line 318: Line 393:
  
 pipe :copy "rspamc" ["learn_ham"]; pipe :copy "rspamc" ["learn_ham"];
 +</file>
  
 +Since dovecot does not have write permission for /etc/dovecot/sieve we need to compile the sieve scripts by hand
 +<code>
 +sievec learn-ham.sieve
 +sievec learn-spam.sieve
 +sievec spam.sieve
 +</code>
 +
 +For the learning scripts to work, they need to be added to the dovecot configuration:
 edit /etc/dovecot/conf.d/90-plugin.conf edit /etc/dovecot/conf.d/90-plugin.conf
 +<file>
 plugin{ plugin{
 ... ...
 +  #to make spam stuff work
   sieve_plugins = sieve_imapsieve sieve_extprograms   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_before = /etc/dovecot/sieve/spam.sieve   sieve_before = /etc/dovecot/sieve/spam.sieve
   sieve_global_extensions = +vnd.dovecot.pipe   sieve_global_extensions = +vnd.dovecot.pipe
   sieve_pipe_bin_dir = /usr/bin   sieve_pipe_bin_dir = /usr/bin
-    # From elsewhere to Spam folder +  # From elsewhere to Spam folder 
-    imapsieve_mailbox1_name = Junk +  imapsieve_mailbox1_name = Junk 
-    imapsieve_mailbox1_causes = COPY +  imapsieve_mailbox1_causes = COPY 
-    imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
  
     # From Spam folder to elsewhere     # From Spam folder to elsewhere
-    imapsieve_mailbox2_name = * +  imapsieve_mailbox2_name = * 
-    imapsieve_mailbox2_from = Junk +  imapsieve_mailbox2_from = Junk 
-    imapsieve_mailbox2_causes = COPY +  imapsieve_mailbox2_causes = COPY 
-    imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve +  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve...
-...+
 } }
 +</file>
  
-file /conf.d/20-imap.conf 
  
 +Edit file /conf.d/20-imap.conf
 +<file>
 protocol imap { protocol imap {
  mail_plugins = $mail_plugins imap_sieve  mail_plugins = $mail_plugins imap_sieve
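Review bot: In the new 90-plugin.conf block the trailing `...` has been fused onto the last setting (`imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve...`); copied literally that is a wrong file path, so keep the ellipsis on its own line as the old version had it. The `sievec learn-ham.sieve` / `sievec learn-spam.sieve` / `sievec spam.sieve` commands are relative, so say they are run from `/etc/dovecot/sieve` (or use full paths) and that they must be repeated after every edit of a script, otherwise the stale `.svbin` keeps running. `Edit file /conf.d/20-imap.conf` is missing the `/etc/dovecot` prefix used everywhere else on the page.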
Line 348: Line 435:
   mail_plugins = $mail_plugins sieve   mail_plugins = $mail_plugins sieve
 } }
 +</file>
  
-----+==== dkim and arc mail signing ====
  
-let rspamd dkim sign our mails:+To let Rspamd dkim sign outgoing mails, following is needed
  
 +<code>
 mkdir /etc/rspamd/dkim mkdir /etc/rspamd/dkim
 rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt
-chown _rspamd:_rspamd -R dkim+chown _rspamd:_rspamd -R /etc/rspamd/dkim
 chmod 440 /etc/rspamd/dkim/* chmod 440 /etc/rspamd/dkim/*
 +</code>
  
-look at 2018.txt to see how dns entry should look like.+Look at 2018.txt to see how your dns entry should look like. and then make that DNS-entry.
  
 edit file dkim_signing.conf edit file dkim_signing.conf
 +<file>
 path = "/etc/rspamd/dkim/$selector.key"; path = "/etc/rspamd/dkim/$selector.key";
 selector = "2018"; selector = "2018";
  
 +# I need that, since in my case, usernames are without the domain.
 +# Otherwise he won't do any dkim signing.
 +allow_username_mismatch = true;
 +</file>
  
-cp -/etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf+If you provide mailinglists, mail forwarding or similar  stuff, you also want to use arc. It has the same config as dkim. So we'll just generate a symlink for it: 
 +<code> 
 +ln -/etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf 
 +</code>
  
----------------+==== Clamav integration ====
  
 setup clamav for use with rspamd setup clamav for use with rspamd
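Review bot: `rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt` is run right after `mkdir /etc/rspamd/dkim` without changing into that directory, so both files land in the current working directory while the following `chown _rspamd:_rspamd -R /etc/rspamd/dkim`, `chmod 440 /etc/rspamd/dkim/*` and `path = "/etc/rspamd/dkim/$selector.key"` expect them in `/etc/rspamd/dkim`; either `cd /etc/rspamd/dkim` first or write `-k /etc/rspamd/dkim/2018.key > /etc/rspamd/dkim/2018.txt`. The symlink command `ln -/etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf` has lost its `-s`. `chmod 440` is the right mode for the private key; only `_rspamd` needs to read it, and the `.txt` with the public record can be removed once the DNS entry is published.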
Line 412: Line 509:
  
 --------- ---------
 +apache reverse proxy for web interface
 +-----
 +
 more fail2ban more fail2ban
  
Line 434: Line 534:
 [postfix-sasl] [postfix-sasl]
 enabled = true enabled = true
 +
 +see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881449 to make it work
  
 [postfix-rbl] [postfix-rbl]
linux_server_manuals/dovecot_ldap_rspamd.1515826201.txt.gz · Last modified: 2018/01/13 06:50 by ronney