linux_server_manuals:dovecot_ldap_rspamd
Differences
linux_server_manuals:dovecot_ldap_rspamd [2018/01/14 11:29] – [rspamd] ronney | linux_server_manuals:dovecot_ldap_rspamd [2018/01/28 18:49] (current) – [Clamav integration] ronney | ||
---|---|---|---|
Line 153: | Line 153: | ||
</ | </ | ||
- | ====== Fail2ban for dovecot | + | ==== Fail2ban for dovecot ==== |
use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, | use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, | ||
Line 163: | Line 163: | ||
- | ====== Postfix | + | ===== Postfix ===== |
Install postfix | Install postfix | ||
Line 211: | Line 211: | ||
#map with aliases | #map with aliases | ||
virtual_alias_maps = hash:/ | virtual_alias_maps = hash:/ | ||
+ | # If you have some docker containers or similar stuff, we need to add the | ||
+ | # 172.17.0.0/ | ||
+ | # If you don't use that subnet, you can leave that directive on it's default setting. | ||
+ | mynetworks = 127.0.0.0/8 [:: | ||
</ | </ | ||
Line 233: | Line 237: | ||
</ | </ | ||
- | ====== rspamd | + | ===== rspamd ===== |
- | see https:// | + | The documentation about the functionality and configuration of rspamd is a bit sparse. |
+ | The one here is working, but no garantees, that it is perfect.... | ||
- | install: | + | ==== Configuration ==== |
+ | |||
+ | Install rspamd and redis. | ||
+ | |||
+ | < | ||
CODENAME=`lsb_release -c -s` | CODENAME=`lsb_release -c -s` | ||
wget -O- https:// | wget -O- https:// | ||
Line 244: | Line 253: | ||
aptitude update | aptitude update | ||
aptitude install rspamd redis-server | aptitude install rspamd redis-server | ||
+ | </ | ||
- | edite / | + | edit / |
+ | < | ||
maxmemory 500mb | maxmemory 500mb | ||
maxmemory-policy volatile-lru | maxmemory-policy volatile-lru | ||
+ | </ | ||
- | files in / | + | Config |
- | + | ||
- | options.inc | + | |
- | + | ||
- | local_addrs = " | + | |
- | + | ||
- | + | ||
- | greylist.conf | + | |
- | + | ||
- | whitelisted_ip=" | + | |
- | + | ||
- | + | ||
- | worker-normal.inc | + | |
+ | Create / | ||
+ | < | ||
bind_socket = " | bind_socket = " | ||
+ | </ | ||
+ | Create a passwordhash for the webinterface. | ||
+ | < | ||
+ | rspamadm pw | ||
+ | </ | ||
+ | Then enter that hash in the file / | ||
+ | < | ||
+ | #password for read access | ||
+ | password = " | ||
+ | #password for write access. you need to set both. I know, it's stupid ;-) | ||
+ | enable_password = " | ||
+ | </ | ||
- | worker-normal.inc (password webinterface. is a hash, must be generated bz rspamadm pw) | + | / |
- | + | ||
- | password = " | + | |
- | + | ||
- | + | ||
- | worker-proxy.inc | + | |
+ | < | ||
bind_socket = " | bind_socket = " | ||
milter = yes; | milter = yes; | ||
Line 281: | Line 290: | ||
self_scan = yes; | self_scan = yes; | ||
} | } | ||
+ | </ | ||
- | milter_headers.conf | + | We want that rspamd adds some headers to the mails. For details see the documentation |
+ | Create file / | ||
+ | < | ||
use = [" | use = [" | ||
skip_local = false; | skip_local = false; | ||
authenticated_headers = [" | authenticated_headers = [" | ||
+ | </ | ||
- | + | rspamd is incredibly verbose. let's decrease logging: | |
- | logging.inc | + | Create / |
+ | < | ||
level = " | level = " | ||
+ | </ | ||
+ | activate redis support | ||
+ | Create file / | ||
+ | < | ||
+ | servers = " | ||
+ | </ | ||
- | classifier-bayes.conf | + | For Bayes filter redis support needs to be activated explicitly |
+ | Create / | ||
+ | < | ||
backend = " | backend = " | ||
autolearn = true; | autolearn = true; | ||
+ | </ | ||
+ | ==== Access to Rspamd Webinterface ==== | ||
- | rdis.conf | + | To be able to access the rspamd webinterface we need to add a config file to apache. |
- | + | create / | |
- | servers = " | + | |
- | + | ||
- | + | ||
- | create / | + | |
+ | < | ||
+ | RewriteEngine on | ||
+ | RewriteRule ^/rspamd$ /rspamd/ [R] | ||
< | < | ||
- | ProxyPass http:// | + | ProxyPass http:// |
- | ProxyPassReverse http:// | + | ProxyPassReverse http:// |
- | ProxyPreserveHost On | + | ProxyPreserveHost On |
</ | </ | ||
+ | </ | ||
+ | Then enable it: | ||
+ | < | ||
a2enconf rspamd | a2enconf rspamd | ||
+ | </ | ||
- | / | + | ==== Postfix integration ==== |
- | # | + | Make postfix use rspamd, therefore add following lines to |
- | #unix sockets | + | / |
- | smtpd_milters = unix:/ | + | < |
- | non_smtpd_milters = unix:/ | + | #TODO: It would be more effective using unix sockets. |
+ | #smtpd_milters = unix:/ | ||
+ | smtpd_milters = inet: | ||
+ | non_smtpd_milters = inet:localhost: | ||
milter_protocol = 6 | milter_protocol = 6 | ||
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} | milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} | ||
# skip mail without checks if something goes wrong | # skip mail without checks if something goes wrong | ||
milter_default_action = accept | milter_default_action = accept | ||
+ | </ | ||
- | add automatic spam movement and spam learning when user moves them: | + | ==== Dovecot integration ==== |
- | file / | + | We want Dovecot to automatically move new mails to spam folder when they were recognized as spam mail. Additionally, |
+ | Create file / | ||
+ | < | ||
require " | require " | ||
Line 339: | Line 370: | ||
fileinto " | fileinto " | ||
} | } | ||
+ | </ | ||
- | file / | + | Create |
+ | < | ||
require [" | require [" | ||
pipe :copy " | pipe :copy " | ||
+ | </ | ||
- | + | Create | |
- | file / | + | < |
require [" | require [" | ||
Line 361: | Line 393: | ||
pipe :copy " | pipe :copy " | ||
+ | </ | ||
+ | |||
+ | Since dovecot does not have write permission for / | ||
+ | < | ||
+ | sievec learn-ham.sieve | ||
+ | sievec learn-spam.sieve | ||
+ | sievec spam.sieve | ||
+ | </ | ||
+ | For the learning scripts to work, they need to be added to the dovecot configuration: | ||
edit / | edit / | ||
+ | < | ||
plugin{ | plugin{ | ||
... | ... | ||
+ | #to make spam stuff work | ||
sieve_plugins = sieve_imapsieve sieve_extprograms | sieve_plugins = sieve_imapsieve sieve_extprograms | ||
sieve_before = / | sieve_before = / | ||
sieve_global_extensions = +vnd.dovecot.pipe | sieve_global_extensions = +vnd.dovecot.pipe | ||
sieve_pipe_bin_dir = /usr/bin | sieve_pipe_bin_dir = /usr/bin | ||
- | | + | |
- | imapsieve_mailbox1_name = Junk | + | imapsieve_mailbox1_name = Junk |
- | imapsieve_mailbox1_causes = COPY | + | imapsieve_mailbox1_causes = COPY |
- | imapsieve_mailbox1_before = file:/ | + | imapsieve_mailbox1_before = file:/ |
# From Spam folder to elsewhere | # From Spam folder to elsewhere | ||
- | | + | |
- | imapsieve_mailbox2_from = Junk | + | imapsieve_mailbox2_from = Junk |
- | imapsieve_mailbox2_causes = COPY | + | imapsieve_mailbox2_causes = COPY |
- | imapsieve_mailbox2_before = file:/ | + | imapsieve_mailbox2_before = file:/ |
- | ... | + | |
} | } | ||
+ | </ | ||
- | file / | ||
+ | Edit file / | ||
+ | < | ||
protocol imap { | protocol imap { | ||
| | ||
Line 391: | Line 435: | ||
mail_plugins = $mail_plugins sieve | mail_plugins = $mail_plugins sieve | ||
} | } | ||
+ | </ | ||
- | ---- | + | ==== dkim and arc mail signing ==== |
- | let rspamd | + | To let Rspamd |
+ | < | ||
mkdir / | mkdir / | ||
rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt | rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt | ||
- | chown _rspamd: | + | chown _rspamd: |
chmod 440 / | chmod 440 / | ||
+ | </ | ||
- | look at 2018.txt to see how dns entry should look like. | + | Look at 2018.txt to see how your dns entry should look like. and then make that DNS-entry. |
edit file dkim_signing.conf | edit file dkim_signing.conf | ||
+ | < | ||
path = "/ | path = "/ | ||
selector = " | selector = " | ||
+ | # I need that, since in my case, usernames are without the domain. | ||
+ | # Otherwise he won't do any dkim signing. | ||
+ | allow_username_mismatch = true; | ||
+ | </ | ||
- | cp -R / | + | If you provide mailinglists, |
+ | < | ||
+ | ln -s / | ||
+ | </ | ||
- | --------------- | + | ==== Clamav integration ==== |
setup clamav for use with rspamd | setup clamav for use with rspamd | ||
Line 455: | Line 509: | ||
--------- | --------- | ||
+ | apache reverse proxy for web interface | ||
+ | ----- | ||
+ | |||
more fail2ban | more fail2ban | ||
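Review bot: The `mynetworks` line added to the main.cf snippet in the Line 211 hunk gives the Docker range named in the comment (172.17.0.0/…, truncated on this page) the same trust level as localhost, and the manual does not say what that implies. Postfix treats `mynetworks` clients as trusted, so with the usual `permit_mynetworks` relay rule (the restriction lists are not visible here, so this is inferred) any container on that bridge, including a compromised one, could relay mail through the server without authenticating. I would state this in the snippet and narrow the entry, for example by replacing the last comment line with `# Clients in mynetworks may relay without authentication; list only the container addresses that must send mail, not the whole bridge subnet.` Containers that only need to submit mail could instead authenticate on the submission port, which leaves `mynetworks` at its default.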
linux_server_manuals/dovecot_ldap_rspamd.1515929363.txt.gz · Last modified: 2018/01/14 11:29 by ronney