Differences

This shows you the differences between two versions of the page.

--- linux_server_manuals:dovecot_ldap_rspamd [2018/01/15 17:16] – [rspamd] ronney
+++ linux_server_manuals:dovecot_ldap_rspamd [2018/01/28 18:49] (current) – [Clamav integration] ronney
@@ Line 153: / Line 153: @@
 </file>
-====== Fail2ban for dovecot ======
+==== Fail2ban for dovecot ====
 use fail2ban with dovecot to ban ips which try several times to authenticate unsuccessful, add to
@@ Line 163: / Line 163: @@
-====== Postfix ======
+===== Postfix =====
 Install postfix
@@ Line 211: / Line 211: @@
 #map with aliases
 virtual_alias_maps = hash:/etc/postfix/virtual-alias-map
+# If you have some docker containers or similar stuff, we need to add the
+# 172.17.0.0/16 subnet to mynetwork, so they are able to send mail.
+# If you don't use that subnet, you can leave that directive on it's default setting.
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.17.0.0/16
 </file>
@@ Line 233: / Line 237: @@
 </file>
-====== rspamd ======
+===== rspamd =====
+The documentation about the functionality and configuration of rspamd is a bit sparse.
+The one here is working, but no garantees, that it is perfect....
+==== Configuration ====
 Install rspamd and redis.
@@ Line 245: / Line 254: @@
 aptitude install rspamd redis-server
 </code>
 edit /etc/redis/redis.conf (according to rspamd.com)
@@ Line 252: / Line 260: @@
 maxmemory-policy volatile-lru
 </file>
 Config files in /etc/rspamd/local.d override defaults settings.
 Create /etc/rspamd/local.d/worker-normal.inc
 <file>
 bind_socket = "localhost:11333";
@@ Line 268: / Line 274: @@
 Then enter that hash in the file /etc/rspamd/local.d/worker-controller.inc
 <file>
+#password for read access
 password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
+#password for write access. you need to set both. I know, it's stupid ;-)
+enable_password = "$2$17qeh8cdsqxgufkz9or9ecm6uquj6duk$tbniammzqfxdigogkm1abdoa78pmfzag4u5xqkgswabpp8zxrkzb"
 </file>
@@ Line 284: / Line 293: @@
 We want that rspamd adds some headers to the mails. For details see the documentation
-Create file /etc/rspamd/local.d//milter_headers.conf
+Create file /etc/rspamd/local.d/milter_headers.conf
 <file>
 use = ["x-spam-status", "x-spam-level", "authentication-results"];
@@ Line 290: / Line 300: @@
 authenticated_headers = ["authentication-results"];
 </file>
 rspamd is incredibly verbose. let's decrease logging:
@@ Line 298: / Line 307: @@
 </file>
+activate redis support
+Create file /etc/rspamd/local.d/redis.conf
+<file>
+servers = "127.0.0.1";
+</file>
-classifier-bayes.conf
+For Bayes filter redis support needs to be activated explicitly
+Create /etc/rspamd/local.d/classifier-bayes.conf
+<file>
 backend = "redis";
 autolearn = true;
+</file>
+==== Access to Rspamd Webinterface ====
-rdis.conf
+To be able to access the rspamd webinterface we need to add a config file to apache.
+create /etc/apache2/conf-available/rspamd.conf
-servers = "127.0.0.1";
-create /etc/apache2/rspamd.conf
+<file>
+RewriteEngine on
+RewriteRule ^/rspamd$ /rspamd/ [R]
 <Location /rspamd>
         ProxyPass http://localhost:11334
         ProxyPassReverse http://localhost:11334
         ProxyPreserveHost On
 </Location>
+</file>
+Then enable it:
+<code>
 a2enconf rspamd
+</code>
-/etc/postfix/main.cf
+==== Postfix integration ====
-#smtpd_milters = inet:localhost:11332
+Make postfix use rspamd, therefore add following lines to
-#unix sockets is not configured correctly yet, use inet sockets
+/etc/postfix/main.cf
-smtpd_milters = unix:/var/lib/rspamd/milter.sock
+<file>
-non_smtpd_milters = unix:/var/lib/rspamd/milter.sock
+#TODO: It would be more effective using unix sockets.
+#smtpd_milters = unix:/var/lib/rspamd/milter.sock
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:localhost:11332
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 # skip mail without checks if something goes wrong
 milter_default_action = accept
+</file>
-add automatic spam movement and spam learning when user moves them:
+==== Dovecot integration ====
-file /etc/dovecot/sieve/spam.sieve
+We want Dovecot to automatically move new mails to spam folder when they were recognized as spam mail. Additionally, when the user moves mail to the spam folder or away from spam folder, rspamd should learn them as spam or ham.
+Create file /etc/dovecot/sieve/spam.sieve
+<file>
 require "fileinto";
@@ Line 344: / Line 370: @@
     fileinto "Junk";
 }
+</file>
-file /etc/dovecot/sieve/learn-spam.sieve
+Create file /etc/dovecot/sieve/learn-spam.sieve
+<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve"];
 pipe :copy "rspamc" ["learn_spam"];
+</file>
+Create file /etc/dovecot/sieve/learn-ham.sieve
-file /etc/dovecot/sieve/learn-ham.sieve
+<file>
 require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
@@ Line 366: / Line 393: @@
 pipe :copy "rspamc" ["learn_ham"];
+</file>
+Since dovecot does not have write permission for /etc/dovecot/sieve we need to compile the sieve scripts by hand
+<code>
+sievec learn-ham.sieve
+sievec learn-spam.sieve
+sievec spam.sieve
+</code>
+For the learning scripts to work, they need to be added to the dovecot configuration:
 edit /etc/dovecot/conf.d/90-plugin.conf
+<file>
 plugin{
 ...
+  #to make spam stuff work
   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_before = /etc/dovecot/sieve/spam.sieve
   sieve_global_extensions = +vnd.dovecot.pipe
   sieve_pipe_bin_dir = /usr/bin
-    # From elsewhere to Spam folder
+  # From elsewhere to Spam folder
-    imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_name = Junk
-    imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_causes = COPY
-    imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
     # From Spam folder to elsewhere
-    imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_name = *
-    imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_from = Junk
-    imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_causes = COPY
-    imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
+  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve...
-...
 }
+</file>
-file /conf.d/20-imap.conf
+Edit file /conf.d/20-imap.conf
+<file>
 protocol imap {
  mail_plugins = $mail_plugins imap_sieve
@@ Line 396: / Line 435: @@
   mail_plugins = $mail_plugins sieve
 }
+</file>
-----
+==== dkim and arc mail signing ====
-let rspamd dkim sign our mails:
+To let Rspamd dkim sign outgoing mails, following is needed:
+<code>
 mkdir /etc/rspamd/dkim
 rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt
-chown _rspamd:_rspamd -R dkim
+chown _rspamd:_rspamd -R /etc/rspamd/dkim
 chmod 440 /etc/rspamd/dkim/*
+</code>
-look at 2018.txt to see how dns entry should look like.
+Look at 2018.txt to see how your dns entry should look like. and then make that DNS-entry.
 edit file dkim_signing.conf
+<file>
 path = "/etc/rspamd/dkim/$selector.key";
 selector = "2018";
+# I need that, since in my case, usernames are without the domain.
+# Otherwise he won't do any dkim signing.
+allow_username_mismatch = true;
+</file>
-cp -R /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
+If you provide mailinglists, mail forwarding or similar  stuff, you also want to use arc. It has the same config as dkim. So we'll just generate a symlink for it:
+<code>
+ln -s /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
+</code>
----------------
+==== Clamav integration ====
 setup clamav for use with rspamd
@@ Line 460: / Line 509: @@
 ---------
+apache reverse proxy for web interface
+-----
 more fail2ban