diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md index b41e8adc..e9a95700 100644 --- a/docs/content/config/security/rspamd.md +++ b/docs/content/config/security/rspamd.md @@ -10,11 +10,9 @@ title: 'Security | Rspamd' ## About -Rspamd is a ["fast, free and open-source spam filtering system"][homepage]. DMS integrates Rspamd like any other service. You will need to enable Rspamd (via `ENABLE_RSPAMD=1`) manually as it is disabled by default. +Rspamd is a ["fast, free and open-source spam filtering system"][homepage]. DMS integrates Rspamd like any other service. We provide a very simple but easy to maintain setup of Rspamd. -We provide a very simple but easy to maintain setup of Rspamd. If you want to have a look at the default configuration files for Rspamd that DMS packs, navigate to [`target/rspamd/` inside the repository][dms-default-configuration]. Please consult the [section "The Default Configuration"](#the-default-configuration) section down below for a written overview. - -If you want to adjust Rspamd's configuration, have a look at the ["Providing Custom Settings & Overriding Settings" section](#providing-custom-settings-overriding-settings) down below. +If you want to have a look at the default configuration files for Rspamd that DMS packs, navigate to [`target/rspamd/` inside the repository][dms-default-configuration]. Please consult the [section "The Default Configuration"](#the-default-configuration) section down below for a written overview. !!! note "AMD64 vs ARM64" @@ -28,7 +26,13 @@ If you want to adjust Rspamd's configuration, have a look at the ["Providing Cus The proxy worker operates in [self-scan mode][proxy-self-scan-mode]. This simplifies the setup as we do not require a normal worker. You can easily change this though by [overriding the configuration by DMS](#providing-custom-settings-overriding-settings). -DMS does not set a default password for the controller worker. You may want to do that yourself. In setup where you already have an authentication provider in front of the Rspamd webpage, you may add `secure_ip = "0.0.0.0/0";` to `worker-controller.inc` to disable password authentication inside Rspamd completely. +DMS does not set a default password for the controller worker. You may want to do that yourself. In setups where you already have an authentication provider in front of the Rspamd webpage, you may want to [set the `secure_ip ` option to `"0.0.0.0/0"` for the controller worker](#with-the-help-of-a-custom-file) to disable password authentication inside Rspamd completely. + +### Persistence with Redis + +When Rspamd is enabled, we implicitly also start an instance of Redis in the container. Redis is configured to persist it's data via RDB snapshots to disk in the directory `/var/lib/redis` (_which is a symbolic link to `/var/mail-state/lib-redis/` when [`ONE_DIR=1`](../environment.md#one_dir) and a volume is mounted to `/var/mail-state/`_). With the volume mount the snapshot will restore the Redis data across container restarts, and provide a way to keep backup. + +Redis uses `/etc/redis/redis.conf` for configuration. We adjust this file when enabling the internal Redis service. If you have an external instance of Redis to use, the internal Redis service can be opt-out via setting the ENV [`ENABLE_RSPAMD_REDIS=0`](../environment.md#enable_rspamd_redis) (_link also details required changes to the DMS rspamd config_). ### Modules @@ -52,10 +56,6 @@ The [RBL module](https://rspamd.com/doc/modules/rbl.html) is enabled by default. If you want to use DNSBLs, **try to use your own DNS resolver** and make sure it is set up correctly, i.e. it should be a non-public & **recursive** resolver. Otherwise, you might not be able ([see this Spamhaus post](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365)) to make use of the block lists. -### Missing in the Current Implementation - -We currently lack easy integration for [DKIM signing outgoing mails][dkim-signing-module]. We use OpenDKIM though which works just as well. If you want to use Rspamd for DKIM signing, you need to provide all settings yourself and probably also set the environment variable `ENABLE_OPENDKIM=0`. Rspamd will still check for valid DKIM signatures for incoming mail by default. - ## Providing Custom Settings & Overriding Settings ### Manually @@ -87,6 +87,8 @@ where `COMMAND` can be: 6. `set-common-option`: set the option `ARGUMENT1` that [defines basic Rspamd behaviour][basic-options] to value `ARGUMENT2` 7. `add-line`: this will add the complete line after `ARGUMENT1` (with all characters) to the file `/etc/rspamd/override.d/` +!!! example "An Example Is [Shown Down Below](#adjusting-and-extending-the-very-basic-configuration)" + !!! note "File Names & Extensions" For command 1 - 3, we append the `.conf` suffix to the module name to get the correct file name automatically. For commands 4 - 6, the file name is fixed (you don't even need to provide it). For command 7, you will need to provide the whole file name (including the suffix) yourself! @@ -97,7 +99,107 @@ You can also have comments (the line starts with `#`) and blank lines in `rspamd These simple commands are meant to give users the ability to _easily_ alter modules and their options. As a consequence, they are not powerful enough to enable multi-line adjustments. If you need to do something more complex, we advise to do that [manually](#manually)! -## Advanced Configuration +## Examples & Advanced Configuration + +### A Very Basic Configuration + +You want to start using Rspamd? Rspamd is disabled by default, so you need to set the following environment variables: + +```cf +ENABLE_RSPAMD=1 +ENABLE_OPENDKIM=0 +ENABLE_OPENDMARC=0 +ENABLE_AMAVIS=0 +ENABLE_SPAMASSASSIN=0 +``` + +This will enable Rspamd and disable services you don't need when using Rspamd. Note that with this setup, the default DKIM signing that DMS provides does not work (as it is disabled)! To solve this issue, look at [this subsection](#dkim-signing). + +### Adjusting and Extending The Very Basic Configuration + +Rspamd is running, but you want or need to adjust it? + +1. Say you want to be able to easily look at the frontend Rspamd provides on port 11334 (default) without the need to enter a password (maybe because you already provide authorization and authentication). You will need to adjust the controller worker: create a file called `rspamd-modules.conf` and add the line `set-option-for-controller secure_ip "0.0.0.0/0"`. Place the file `rspamd-modules.conf` inside the directory on the host you mount to `/tmp/docker-mailserver/` inside the container (in our documentation, we use `docker-data/dms/config` on the host for this purpose). And you're done! Note: this disables authentication on the website - make sure you know what you're doing! +2. You additionally want to enable the auto-spam-learning for the Bayes module? No problem, just add another line to `rspamd-modules.conf` that looks like this: `set-option-for-module classifier-bayes autolearn true`. +3. But the chartable module gets on your nerves? Just disable it by adding another line: `disable-module chartable +`. + +### DKIM Signing + +By default, DMS offers no option to generate and configure signing e-mails with DKIM. This is because the parsing would be difficult. But don't worry: the process is relatively straightforward nevertheless. The [official Rspamd documentation for the DKIM signing module][dkim-signing-module] is pretty good. Basically, you need to + +1. `exec` into the container +2. Run a command similar to `rspamadm dkim_keygen -s 'woosh' -b 2048 -d example.com -k example.private > example.txt`, adjusted to your needs +3. Make sure to then persists the files `example.private` and `example.txt` (created in step 2) in the container (for example with a Docker bind mount) +4. Create a configuration for the DKIM signing module, i.e. a file called `dkim_signing.conf` that you mount to `/etc/rspamd/local.d/` or `/etc/rspamd/override.d/`. We provide example configurations down below. We recommend mounting this file into the container as well (as described [here](#manually)); do not use [`rspamd-modules.conf`](#with-the-help-of-a-custom-file) for this purpose. + +??? example "DKIM Signing Module Configuration Examples" + + A simple configuration could look like this: + + ```cf + # documentation: https://rspamd.com/doc/modules/dkim_signing.html + + enabled = true; + + sign_authenticated = true; + sign_local = true; + + use_domain = "header"; + use_redis = false; # don't change unless Redis also provides the DKIM keys + use_esld = true; + check_pubkey = true; + + domain { + example.com { + path = "/path/to/example.private"; + selector = "woosh"; + } + } + ``` + + If you have multiple domains and you want to sign with the modern ED25519 elliptic curve but also with RSA (you will likely want to have RSA as a fallback!): + + ```cf + # documentation: https://rspamd.com/doc/modules/dkim_signing.html + + enabled = true; + + sign_authenticated = true; + sign_local = true; + + use_domain = "header"; + use_redis = false; # don't change unless Redis also provides the DKIM keys + use_esld = true; + check_pubkey = true; + + domain { + example.com { + selectors [ + { + path = "/path/to/com.example.rsa.private"; + selector = "dkim-rsa"; + }, + { + path = /path/to/com.example.ed25519.private"; + selector = "dkim-ed25519"; + } + ] + } + example.org { + selectors [ + { + path = "/path/to/org.example.rsa.private"; + selector = "dkim-rsa"; + }, + { + path = "/path/to/org.example.ed25519.private"; + selector = "dkim-ed25519"; + } + ] + } + } + ``` ### _Abusix_ Integration