From 1a0c2a351a0a7aafb24115079255cf621a4cc229 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 30 Jan 2023 08:23:58 +0100
Subject: [PATCH] rspamd: follow-up of #3016 (#3039)
---
 docs/content/config/security/rspamd.md | 4 ++--
 target/rspamd/local.d/milter_headers.conf | 3 +++
 target/scripts/startup/misc-stack.sh | 1 +
 target/scripts/startup/setup-stack.sh | 5 ++---
 test/tests/parallel/set1/spam_virus/rspamd.bats | 3 +--
 5 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 target/rspamd/local.d/milter_headers.conf
diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md
index 9e5183fe..c5ff3359 100644
--- a/docs/content/config/security/rspamd.md
+++ b/docs/content/config/security/rspamd.md
@@ -25,13 +25,13 @@ You can find a list of all Rspamd modules [on their website][modules]. You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`. -DMS disables certain modules (clickhouse, dkim_signing, elastic, greylist, rbl, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/.conf` or overriding DMS' default with `/etc/rspamd/override.d/.conf`. +DMS disables certain modules (clickhouse, elastic, greylist, neural, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/.conf` or overriding DMS' default with `/etc/rspamd/override.d/.conf`. DMS does not set a default password for the controller worker. You may want to do that yourself. In setup where you already have an authentication provider in front of the Rspamd webpage, you may add `secure_ip = "0.0.0.0/0";` to `worker-controller.inc` to disable password authentication inside Rspamd completely. ## Missing in DMS' Current Implementation -We currently lack easy integration for DKIM signing. We use OpenDKIM though which should work just as well. If you want to use Rspamd for DKIM signing, you need to provide all settings yourself and probably also set the environment `ENABLE_OPENKIM=0`. Do not confuse the signing with checking DKIM signatures of other emails: Rspamd will check signatures from other emails, just not sign yours in the default configuration. +We currently lack easy integration for DKIM signing outgoing mails. We use OpenDKIM though which works just as well. If you want to use Rspamd for DKIM signing, you need to provide all settings yourself and probably also set the environment `ENABLE_OPENDKIM=0`. 
Rspamd will still check for valid DKIM signatures for incoming mail by default. [homepage]: https://rspamd.com/ [modules]: https://rspamd.com/doc/modules/ diff --git a/target/rspamd/local.d/milter_headers.conf b/target/rspamd/local.d/milter_headers.conf new file mode 100644 index 00000000..477be130 --- /dev/null +++ b/target/rspamd/local.d/milter_headers.conf @@ -0,0 +1,3 @@ +# documentation: https://www.rspamd.com/doc/modules/milter_headers.html + +extended_spam_headers = true; diff --git a/target/scripts/startup/misc-stack.sh b/target/scripts/startup/misc-stack.sh index f723e1e0..ec585b69 100644 --- a/target/scripts/startup/misc-stack.sh +++ b/target/scripts/startup/misc-stack.sh @@ -72,6 +72,7 @@ function _misc_save_states [[ ${ENABLE_CLAMAV} -eq 1 ]] && chown -R clamav:clamav /var/mail-state/lib-clamav [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && chown -R fetchmail:nogroup /var/mail-state/lib-fetchmail [[ ${ENABLE_POSTGREY} -eq 1 ]] && chown -R postgrey:postgrey /var/mail-state/lib-postgrey + [[ ${ENABLE_RSPAMD} -eq 1 ]] && chown -R _rspamd:_rspamd /var/mail-state/lib-rspamd [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && chown -R debian-spamd:debian-spamd /var/mail-state/lib-spamassassin chown -R postfix:postfix /var/mail-state/lib-postfix diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index 3985bf1b..04f0c806 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -118,10 +118,9 @@ function _setup_rspamd declare -a DISABLE_MODULES DISABLE_MODULES=( clickhouse - dkim_signing elastic greylist - rbl + neural reputation spamassassin url_redirector @@ -131,7 +130,7 @@ function _setup_rspamd for MODULE in "${DISABLE_MODULES[@]}" do cat >"/etc/rspamd/local.d/${MODULE}.conf" << EOF -#documentation: https://rspamd.com/doc/modules/${MODULE}.html +# documentation: https://rspamd.com/doc/modules/${MODULE}.html enabled = false; 
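Review bot: The new `milter_headers.conf` sets `extended_spam_headers = true;` with only a documentation link above it, so nothing records what the setting exposes. Per the module documentation it adds Rspamd's result headers (`X-Spamd-Result`, `X-Rspamd-Server`, `X-Rspamd-Queue-Id`) to scanned mail, which shows the scanning host's name and the matched symbols with their scores to anyone who reads the message headers. I would add a comment such as `# adds X-Spamd-Result / X-Rspamd-Server / X-Rspamd-Queue-Id; these disclose the scanner hostname and rule scores`, and state whether mail from authenticated or local senders is meant to carry them (the module's `skip_authenticated` and `skip_local` options control that; the values in effect are not visible here). The rspamd.md lines changed in this commit do not mention the new headers either.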
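Review bot: Dropping `dkim_signing` and `rbl` from `DISABLE_MODULES` in `_setup_rspamd` turns both modules on for every deployment, and neither the array nor the commit message says why. With `dkim_signing` no longer disabled, Rspamd could presumably sign outgoing mail once it is given a key, while the documentation updated in this same commit still names OpenDKIM as the signer, so a setup that provides keys to both may end up signing twice unless `ENABLE_OPENDKIM=0` is set. Enabling `rbl` means the container sends DNS lookups to third-party blocklists, which only gives useful answers through a resolver those lists accept. I would put a comment above the array, for example `# dkim_signing and rbl are intentionally left enabled; see docs/content/config/security/rspamd.md`, and have the docs state both consequences. The function starts and ends outside the hunk.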
diff --git a/test/tests/parallel/set1/spam_virus/rspamd.bats b/test/tests/parallel/set1/spam_virus/rspamd.bats
index 7c1ab02a..4a4eecf3 100644
--- a/test/tests/parallel/set1/spam_virus/rspamd.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd.bats
@@ -45,9 +45,8 @@ function teardown_file() { _default_teardown ; }
 @test "logs exist and contains proper content" {
 _service_log_should_contain_string 'rspamd' 'rspamd .* is loading configuration'
 _service_log_should_contain_string 'rspamd' 'lua module clickhouse is disabled in the configuration'
- _service_log_should_contain_string 'rspamd' 'lua module dkim_signing is disabled in the configuration'
 _service_log_should_contain_string 'rspamd' 'lua module elastic is disabled in the configuration'
- _service_log_should_contain_string 'rspamd' 'lua module rbl is disabled in the configuration'
+ _service_log_should_contain_string 'rspamd' 'lua module neural is disabled in the configuration'
 _service_log_should_contain_string 'rspamd' 'lua module reputation is disabled in the configuration'
 _service_log_should_contain_string 'rspamd' 'lua module spamassassin is disabled in the configuration'
 _service_log_should_contain_string 'rspamd' 'lua module url_redirector is disabled in the configuration'
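Review bot: The two `is disabled` assertions for `dkim_signing` and `rbl` are removed without anything taking their place, so the test no longer pins the state of either module and does not cover the new `extended_spam_headers` setting at all. A positive check would catch a regression in either direction, for example asserting that a delivered test mail carries an `X-Spamd-Result` header, if this file already delivers mail (not visible in the hunk). The module list here also has to be kept in step by hand with `DISABLE_MODULES` in setup-stack.sh; a comment such as `# keep in sync with DISABLE_MODULES in target/scripts/startup/setup-stack.sh` above the assertions would make that explicit. The `@test` block closes outside the hunk.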