feature: provide initial Rspamd support (#2902)

Georg Lauterbach 2023-01-05 08:39:00 +01:00 committed by GitHub
parent a00cdcdee9
commit 26ac48f34a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 118 additions and 0 deletions


@ -65,6 +65,12 @@ RUN <<EOF
chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global
EOF EOF
# -----------------------------------------------
# --- Rspamd ------------------------------------
# -----------------------------------------------
COPY target/rspamd/local.d/ /etc/rspamd/local.d/
# ----------------------------------------------- # -----------------------------------------------
# --- LDAP & SpamAssassin's Cron ---------------- # --- LDAP & SpamAssassin's Cron ----------------
# ----------------------------------------------- # -----------------------------------------------


@ -67,6 +67,25 @@ Note: you probably want to [set `POSTFIX_INET_PROTOCOLS=ipv4`](#postfix_inet_pro
Set the timezone. If this variable is unset, the container runtime will try to detect the time using `/etc/localtime`, which you can alternatively mount into the container. The value of this variable must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`. You can lookup all available timezones [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). Set the timezone. If this variable is unset, the container runtime will try to detect the time using `/etc/localtime`, which you can alternatively mount into the container. The value of this variable must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`. You can lookup all available timezones [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).
##### ENABLE_RSPAMD
!!! warning "Current State"
Rspamd-support is under active development. Be aware that breaking changes can happen at any time. Moreover, you will _currently_ need to adjust Postfix's configuration _yourself_ if you want to use Rspamd; you may use [`user-patches.sh`][docs-userpatches].
You will need to add Rspamd to the `smtpd_milters` in Postfix's `main.cf`. This can easily be done with `sed`: `sed -i -E 's|^(smtpd_milters = .*)|\1,inet:localhost:11332|g' /etc/postfix/main.cf`. Moreover, have a look at the [integration of Rspamd into Postfx](https://rspamd.com/doc/integration.html). You will need to provide additional configuration files at the moment (to `/etc/rspamd/local.d/`) to make Rspamd run in milter-mode.
[docs-userpatches]: ./advanced/override-defaults/user-patches.md
!!! bug "Rspamd and DNS Block Lists"
When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
Enable or disable Rspamd.
- **0** => disabled
- 1 => enabled
##### ENABLE_AMAVIS ##### ENABLE_AMAVIS
Amavis content filter (used for ClamAV & SpamAssassin) Amavis content filter (used for ClamAV & SpamAssassin)


@ -103,6 +103,11 @@ ENABLE_SRS=0
ENABLE_POP3= ENABLE_POP3=
ENABLE_CLAMAV=0 ENABLE_CLAMAV=0
# Enables Rspamd
# **0** => disabled
# 1 => enabled
ENABLE_RSPAMD=0
# Amavis content filter (used for ClamAV & SpamAssassin) # Amavis content filter (used for ClamAV & SpamAssassin)
# 0 => Disabled # 0 => Disabled
# 1 => Enabled # 1 => Enabled


@ -0,0 +1,10 @@
# documentation: https://rspamd.com/doc/modules/antivirus.html
ClamAV {
action = "reject";
scan_mime_parts = true;
message = '${SCANNER}: virus found: "${VIRUS}"';
type = "clamav";
log_clean = false;
servers = "127.0.0.1:3310";
}
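Review bot: `servers = "127.0.0.1:3310"` assumes clamd accepts TCP connections on loopback, which nothing in this commit configures. Debian's clamav-daemon listens on a Unix socket by default, so unless the image's clamd configuration enables a TCP listener (not visible here), scans would presumably fail to connect. The antivirus module also accepts a socket path in `servers`, which would avoid a TCP listener altogether. The file defines no handling for an unreachable scanner, only `action = "reject"` for a positive detection, so a comment above `action` stating whether mail is then delivered unscanned would make the failure mode explicit.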


@ -0,0 +1,6 @@
# documentation: https://rspamd.com/doc/configuration/logging.html
type = "console";
level = "notice";
color = true;
systemd = false;


@ -0,0 +1 @@
pidfile = false;


@ -0,0 +1,4 @@
# documentation: https://rspamd.com/doc/configuration/redis.html
servers = "127.0.0.1:6379";
expand_keys = true;


@ -129,6 +129,21 @@ function _install_dovecot
apt-get "${QUIET}" --no-install-recommends install "${DOVECOT_PACKAGES[@]}" apt-get "${QUIET}" --no-install-recommends install "${DOVECOT_PACKAGES[@]}"
} }
function _install_rspamd
{
_log 'trace' 'Adding Rspamd package signatures'
curl -sSfL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor >/etc/apt/trusted.gpg.d/rspamd.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ bullseye main" \
>/etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rspamd.gpg] http://rspamd.com/apt-stable/ bullseye main" \
>>/etc/apt/sources.list.d/rspamd.list
_log 'debug' 'Installing Rspamd'
apt-get "${QUIET}" update
apt-get "${QUIET}" --no-install-recommends install rspamd redis-server
}
function _install_fail2ban function _install_fail2ban
{ {
local FAIL2BAN_DEB_URL='https://github.com/fail2ban/fail2ban/releases/download/1.0.2/fail2ban_1.0.2-1.upstream1_all.deb' local FAIL2BAN_DEB_URL='https://github.com/fail2ban/fail2ban/releases/download/1.0.2/fail2ban_1.0.2-1.upstream1_all.deb'
@ -180,5 +195,6 @@ _pre_installation_steps
_install_postfix _install_postfix
_install_packages _install_packages
_install_dovecot _install_dovecot
_install_rspamd
_install_fail2ban _install_fail2ban
_post_installation_steps _post_installation_steps
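Review bot: In `_install_rspamd` the dearmored key is written to `/etc/apt/trusted.gpg.d/rspamd.gpg`, and APT trusts every key in that directory for all configured repositories, so the `signed-by=` option on the two source lines no longer confines the Rspamd key to the Rspamd repository. Writing the key to a directory APT does not auto-trust, e.g. `gpg --dearmor >/usr/share/keyrings/rspamd.gpg`, and pointing `signed-by=` at that path restores the scoping. The repository lines use plain `http://rspamd.com/apt-stable/` although the key is fetched from the same path over `https://`; package signatures still protect integrity, but using `https://` in both places would be consistent. No `pipefail` is visible in the hunk, so a failed `curl` may leave an empty keyring that only surfaces at `apt-get update`. The hard-coded `arch=amd64` would also need revisiting if the image is built for other architectures.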


@ -91,6 +91,7 @@ function _environment_variables_general_setup
VARS[ENABLE_POP3]="${ENABLE_POP3:=0}" VARS[ENABLE_POP3]="${ENABLE_POP3:=0}"
VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}" VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}" VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
VARS[ENABLE_RSPAMD]="${ENABLE_RSPAMD:=0}"
VARS[ENABLE_SASLAUTHD]="${ENABLE_SASLAUTHD:=0}" VARS[ENABLE_SASLAUTHD]="${ENABLE_SASLAUTHD:=0}"
VARS[ENABLE_SPAMASSASSIN]="${ENABLE_SPAMASSASSIN:=0}" VARS[ENABLE_SPAMASSASSIN]="${ENABLE_SPAMASSASSIN:=0}"
VARS[ENABLE_SPAMASSASSIN_KAM]="${ENABLE_SPAMASSASSIN_KAM:=0}" VARS[ENABLE_SPAMASSASSIN_KAM]="${ENABLE_SPAMASSASSIN_KAM:=0}"


@ -101,6 +101,7 @@ function _register_functions
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban' [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
[[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable' [[ ${ENABLE_DNSBL} -eq 0 ]] && _register_setup_function '_setup_dnsbl_disable'
[[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit' [[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
[[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
_register_setup_function '_setup_dkim' _register_setup_function '_setup_dkim'
_register_setup_function '_setup_ssl' _register_setup_function '_setup_ssl'
@ -165,6 +166,12 @@ function _register_functions
[[ ${SMTP_ONLY} -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot' [[ ${SMTP_ONLY} -ne 1 ]] && _register_start_daemon '_start_daemon_dovecot'
[[ ${ENABLE_UPDATE_CHECK} -eq 1 ]] && _register_start_daemon '_start_daemon_update_check' [[ ${ENABLE_UPDATE_CHECK} -eq 1 ]] && _register_start_daemon '_start_daemon_update_check'
if [[ ${ENABLE_RSPAMD} -eq 1 ]]
then
_register_start_daemon '_start_daemon_rspamd'
_register_start_daemon '_start_daemon_redis'
fi
# needs to be started before SASLauthd # needs to be started before SASLauthd
_register_start_daemon '_start_daemon_opendkim' _register_start_daemon '_start_daemon_opendkim'
_register_start_daemon '_start_daemon_opendmarc' _register_start_daemon '_start_daemon_opendmarc'


@ -35,6 +35,8 @@ function _start_daemon_postsrsd { _default_start_daemon 'postsrsd' ;
function _start_daemon_postfix { _default_start_daemon 'postfix' ; } function _start_daemon_postfix { _default_start_daemon 'postfix' ; }
function _start_daemon_rsyslog { _default_start_daemon 'rsyslog' ; } function _start_daemon_rsyslog { _default_start_daemon 'rsyslog' ; }
function _start_daemon_update_check { _default_start_daemon 'update-check' ; } function _start_daemon_update_check { _default_start_daemon 'update-check' ; }
function _start_daemon_rspamd { _default_start_daemon 'rspamd' ; }
function _start_daemon_redis { _default_start_daemon 'redis' ; }
function _start_daemon_saslauthd function _start_daemon_saslauthd
{ {


@ -33,6 +33,8 @@ function _misc_save_states
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && FILES+=('lib/fail2ban') [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && FILES+=('lib/fail2ban')
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail') [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail')
[[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey') [[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey')
[[ ${ENABLE_RSPAMD} -ne 1 ]] && FILES+=('lib/rspamd')
# [[ ${ENABLE_RSPAMD} -ne 1 ]] && FILES+=('lib/redis')
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin') [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
[[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot') [[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot')
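Review bot: The added line `[[ ${ENABLE_RSPAMD} -ne 1 ]] && FILES+=('lib/rspamd')` tests `-ne 1` where every neighbouring `ENABLE_*` line tests `-eq 1`, so `lib/rspamd` is added to the state list only when Rspamd is disabled and skipped when it is enabled. If that is unintended, the line should read `[[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/rspamd')`. The commented-out `lib/redis` line carries the same comparison and no explanation; either drop it or replace it with a comment such as `# TODO: decide whether Redis data must be persisted for Rspamd`. `_misc_save_states` starts and ends outside the hunk, so how `FILES` is consumed is not visible here.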


@ -89,6 +89,27 @@ function _setup_amavis
fi fi
} }
function _setup_rspamd
{
_log 'warn' 'Rspamd support is under active development, expect breaking changes at any time'
if [[ ${ENABLE_AMAVIS} -eq 1 ]] || [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
then
_shutdown 'You cannot run Amavis/SpamAssassin and Rspamd at the same time'
fi
if [[ ${ENABLE_CLAMAV} -eq 1 ]]
then
_log 'debug' 'Rspamd will use ClamAV'
mv /etc/rspamd/local.d/disabled/antivirus.conf /etc/rspamd/local.d/antivirus.conf
else
_log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
fi
_log 'warn' 'Only running with default configuration'
_log 'warn' 'You will need to adjust the Postfix configuration yourself to use Rspamd as of now'
}
function _setup_dmarc_hostname function _setup_dmarc_hostname
{ {
_log 'debug' 'Setting up DMARC' _log 'debug' 'Setting up DMARC'
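Review bot: The `mv /etc/rspamd/local.d/disabled/antivirus.conf /etc/rspamd/local.d/antivirus.conf` in `_setup_rspamd` is neither idempotent nor checked. If setup runs again on a container that is restarted rather than recreated (not visible in this hunk), the source file is already gone and `mv` fails, yet the script has logged 'Rspamd will use ClamAV' and continues. Copying keeps the template in place and makes a failure visible, e.g. `cp /etc/rspamd/local.d/disabled/antivirus.conf /etc/rspamd/local.d/antivirus.conf || _shutdown 'Could not enable the Rspamd antivirus module'`. In either form, a later start of the same container with `ENABLE_CLAMAV=0` leaves the previously installed `antivirus.conf` active while ClamAV is not running, so the `else` branch should remove it with `rm -f /etc/rspamd/local.d/antivirus.conf`.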


@ -96,6 +96,24 @@ stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log stderr_logfile=/var/log/supervisor/%(program_name)s.log
command=/usr/sbin/amavisd-new foreground command=/usr/sbin/amavisd-new foreground
[program:rspamd]
startsecs=0
stopwaitsecs=55
autostart=false
autorestart=true
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
command=/usr/bin/rspamd --no-fork --user=rspamd --group=rspamd
[program:redis]
startsecs=0
stopwaitsecs=55
autostart=false
autorestart=true
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
command=redis-server --daemonize no --bind 127.0.0.1 --port 6379 --loglevel warning
[program:fetchmail] [program:fetchmail]
startsecs=0 startsecs=0
stopwaitsecs=55 stopwaitsecs=55
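Review bot: The `[program:redis]` section sets no `user=`, so `redis-server` runs as whatever user supervisord runs as, whereas the Rspamd command just above it drops privileges with `--user=rspamd --group=rspamd`. If supervisord runs as root in this image (not visible in the hunk), adding `user=redis` to the section would run Redis under the unprivileged account the Debian package creates. The command line also leaves the data directory to Redis's default, the process's working directory; a `--dir` option pointing at a directory owned by that account would make it explicit where the dump file is written.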