mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
feature: provide better rspamd suppport (#3016)
* added options to toggle OpenDKIM & OpenDMARC rspamd can provide DKIM signing and DMARC checking itself, so users should be able to disable OpenDKIM & OpenDMARC. The default is left at 1, so users have to to opt-in when the want to disable the features. * misc small enhancements * adjusted start of rspamd The order of starting redis + rspamd was reversed (now correct) and rspamd now starts with the correct user. * adjusted rspamd core configuration The main configuration was revised. This includes AV configuration as well as worker/proxy/controller configuration used to control the main rspamd processes. The configuration is not tested extensively, but well enough that I am confident to go forward with it until we declare rspamd support as stable. * update & improve the documentation * add tests These are some initial tests which test the most basic functionality. * tests(refactor): Improve consistency and documentation for test helpers (#3012) * added `ALWAYS_RUN` target `Makefile` recipies (#3013) This ensures the recipies are always run. Co-authored-by: georglauterbach <44545919+georglauterbach@users.noreply.github.com> * adjusted rspamd test to refactored test helper functions * improve documentation * apply suggestions from code review (no. 1 by @polarthene) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> * streamline heredoc (EOM -> EOF) * adjust rspamd test (remove unnecessary run arguments) Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
parent
2033eeaf54
commit
555fbb78c4
|
@ -71,20 +71,18 @@ Set the timezone. If this variable is unset, the container runtime will try to d
|
||||||
|
|
||||||
##### ENABLE_RSPAMD
|
##### ENABLE_RSPAMD
|
||||||
|
|
||||||
|
Enable or disable Rspamd.
|
||||||
|
|
||||||
!!! warning "Current State"
|
!!! warning "Current State"
|
||||||
|
|
||||||
Rspamd-support is under active development. Be aware that breaking changes can happen at any time. Moreover, you will _currently_ need to adjust Postfix's configuration _yourself_ if you want to use Rspamd; you may use [`user-patches.sh`][docs-userpatches].
|
Rspamd-support is under active development. Be aware that breaking changes can happen at any time.
|
||||||
|
|
||||||
You will need to add Rspamd to the `smtpd_milters` in Postfix's `main.cf`. This can easily be done with `sed`: `sed -i -E 's|^(smtpd_milters = .*)|\1,inet:localhost:11332|g' /etc/postfix/main.cf`. Moreover, have a look at the [integration of Rspamd into Postfx](https://rspamd.com/doc/integration.html). You will need to provide additional configuration files at the moment (to `/etc/rspamd/local.d/`) to make Rspamd run in milter-mode.
|
Currently, rspamd is integrated into Postfix as a milter. However, there is no official DKIM/DMARC support for rspamd in DMS as of now (WIP). To get more information, see [the detailed documentation page for Rspamd][docs-rspamd].
|
||||||
|
|
||||||
[docs-userpatches]: ./advanced/override-defaults/user-patches.md
|
!!! warning "Rspamd and DNS Block Lists"
|
||||||
|
|
||||||
!!! bug "Rspamd and DNS Block Lists"
|
|
||||||
|
|
||||||
When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
|
When you use Rspamd, you might want to use the [RBL module](https://rspamd.com/doc/modules/rbl.html). If you do, make sure your DNS resolver is set up correctly (i.e. it should be a non-public recursive resolver). Otherwise, you [might not be able](https://www.spamhaus.org/faq/section/DNSBL%20Usage#365) to make use of the block lists.
|
||||||
|
|
||||||
Enable or disable Rspamd.
|
|
||||||
|
|
||||||
- **0** => disabled
|
- **0** => disabled
|
||||||
- 1 => enabled
|
- 1 => enabled
|
||||||
|
|
||||||
|
@ -114,16 +112,30 @@ Note: Emails will be rejected, if they don't pass the block list checks!
|
||||||
- **0** => DNS block lists are disabled
|
- **0** => DNS block lists are disabled
|
||||||
- 1 => DNS block lists are enabled
|
- 1 => DNS block lists are enabled
|
||||||
|
|
||||||
##### ENABLE_CLAMAV
|
##### ENABLE_OPENDKIM
|
||||||
|
|
||||||
- **0** => ClamAV is disabled
|
Enables the OpenDKIM service.
|
||||||
- 1 => ClamAV is enabled
|
|
||||||
|
- **1** => Enabled
|
||||||
|
- 0 => Disabled
|
||||||
|
|
||||||
|
##### ENABLE_OPENDMARC
|
||||||
|
|
||||||
|
Enables the OpenDMARC service.
|
||||||
|
|
||||||
|
- **1** => Enabled
|
||||||
|
- 0 => Disabled
|
||||||
|
|
||||||
##### ENABLE_POP3
|
##### ENABLE_POP3
|
||||||
|
|
||||||
- **empty** => POP3 service disabled
|
- **empty** => POP3 service disabled
|
||||||
- 1 => Enables POP3 service
|
- 1 => Enables POP3 service
|
||||||
|
|
||||||
|
##### ENABLE_CLAMAV
|
||||||
|
|
||||||
|
- **0** => ClamAV is disabled
|
||||||
|
- 1 => ClamAV is enabled
|
||||||
|
|
||||||
##### ENABLE_FAIL2BAN
|
##### ENABLE_FAIL2BAN
|
||||||
|
|
||||||
- **0** => fail2ban service disabled
|
- **0** => fail2ban service disabled
|
||||||
|
@ -776,6 +788,7 @@ you to replace both instead of just the envelope sender.
|
||||||
- **empty** => no default
|
- **empty** => no default
|
||||||
- password for default relay user
|
- password for default relay user
|
||||||
|
|
||||||
|
[docs-rspamd]: ./security/rspamd.md
|
||||||
[docs-faq-onedir]: ../faq.md#what-about-docker-datadmsmail-state-folder-varmail-state-internally
|
[docs-faq-onedir]: ../faq.md#what-about-docker-datadmsmail-state-folder-varmail-state-internally
|
||||||
[docs-tls]: ./security/ssl.md
|
[docs-tls]: ./security/ssl.md
|
||||||
[docs-tls-letsencrypt]: ./security/ssl.md#lets-encrypt-recommended
|
[docs-tls-letsencrypt]: ./security/ssl.md#lets-encrypt-recommended
|
||||||
|
|
38
docs/content/config/security/rspamd.md
Normal file
38
docs/content/config/security/rspamd.md
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
---
|
||||||
|
title: 'Security | Rspamd'
|
||||||
|
---
|
||||||
|
|
||||||
|
!!! warning "Implementation of Rspamd into DMS is WIP!"
|
||||||
|
|
||||||
|
## About
|
||||||
|
|
||||||
|
Rspamd is a "fast, free and open-source spam filtering system". It offers high performance as it is written in C. Visit [their homepage][homepage] for more details.
|
||||||
|
|
||||||
|
## Integration & Configuration
|
||||||
|
|
||||||
|
We provide a very simple but easy to maintain setup of RSpamd. The proxy worker operates in [self-scan mode][proxy-self-scan-mode]. This simplifies the setup as we do not require a normal worker. You can easily change this though by [overriding the configuration by DMS](#providing-overriding-settings).
|
||||||
|
|
||||||
|
### Providing & Overriding Settings
|
||||||
|
|
||||||
|
DMS brings sane default settings for Rspamd. They are located at `/etc/rspamd/local.d/` inside the container (or `target/rspamd/local.d/` in the repository). If you want to change these settings and / or provide your own settings, you can
|
||||||
|
|
||||||
|
1. place files at `/etc/rspamd/override.d/` which will override Rspamd settings and DMS settings
|
||||||
|
2. (re-)place files at `/etc/rspamd/local.d/` to override DMS settings and merge them with Rspamd settings
|
||||||
|
|
||||||
|
You can find a list of all Rspamd modules [on their website][modules].
|
||||||
|
|
||||||
|
### DMS' Defaults
|
||||||
|
|
||||||
|
You can choose to enable ClamAV, and Rspamd will then use it to check for viruses. Just set the environment variable `ENABLE_CLAMAV=1`.
|
||||||
|
|
||||||
|
DMS disables certain modules (clickhouse, dkim_signing, elastic, greylist, rbl, reputation, spamassassin, url_redirector, metric_exporter) by default. We believe these are not required in a standard setup, and needlessly use resources. You can re-activate them by replacing `/etc/rspamd/local.d/<MODULE>.conf` or overriding DMS' default with `/etc/rspamd/override.d/<MODULE>.conf`.
|
||||||
|
|
||||||
|
DMS does not set a default password for the controller worker. You may want to do that yourself. In setup where you already have an authentication provider in front of the Rspamd webpage, you may add `secure_ip = "0.0.0.0/0";` to `worker-controller.inc` to disable password authentication inside Rspamd completely.
|
||||||
|
|
||||||
|
## Missing in DMS' Current Implementation
|
||||||
|
|
||||||
|
We currently lack easy integration for DKIM signing. We use OpenDKIM though which should work just as well. If you want to use Rspamd for DKIM signing, you need to provide all settings yourself and probably also set the environment `ENABLE_OPENKIM=0`. Do not confuse the signing with checking DKIM signatures of other emails: Rspamd will check signatures from other emails, just not sign yours in the default configuration.
|
||||||
|
|
||||||
|
[homepage]: https://rspamd.com/
|
||||||
|
[modules]: https://rspamd.com/doc/modules/
|
||||||
|
[proxy-self-scan-mode]: https://rspamd.com/doc/workers/rspamd_proxy.html#self-scan-mode
|
|
@ -127,6 +127,7 @@ nav:
|
||||||
- 'SSL/TLS': config/security/ssl.md
|
- 'SSL/TLS': config/security/ssl.md
|
||||||
- 'Fail2Ban': config/security/fail2ban.md
|
- 'Fail2Ban': config/security/fail2ban.md
|
||||||
- 'Mail Encryption' : config/security/mail_crypt.md
|
- 'Mail Encryption' : config/security/mail_crypt.md
|
||||||
|
- 'Rspamd' : config/security/rspamd.md
|
||||||
- 'Troubleshooting':
|
- 'Troubleshooting':
|
||||||
- 'Debugging': config/troubleshooting/debugging.md
|
- 'Debugging': config/troubleshooting/debugging.md
|
||||||
- 'Mail Delivery with POP3': config/pop3.md
|
- 'Mail Delivery with POP3': config/pop3.md
|
||||||
|
|
|
@ -98,9 +98,23 @@ SPOOF_PROTECTION=
|
||||||
# - 1 => Enabled
|
# - 1 => Enabled
|
||||||
ENABLE_SRS=0
|
ENABLE_SRS=0
|
||||||
|
|
||||||
|
# Enables the OpenDKIM service.
|
||||||
|
# **1** => Enabled
|
||||||
|
# 0 => Disabled
|
||||||
|
ENABLE_OPENDKIM=1
|
||||||
|
|
||||||
|
# Enables the OpenDMARC service.
|
||||||
|
# **1** => Enabled
|
||||||
|
# 0 => Disabled
|
||||||
|
ENABLE_OPENDMARC=1
|
||||||
|
|
||||||
# 1 => Enables POP3 service
|
# 1 => Enables POP3 service
|
||||||
# empty => disables POP3
|
# empty => disables POP3
|
||||||
ENABLE_POP3=
|
ENABLE_POP3=
|
||||||
|
|
||||||
|
# Enables ClamAV, and anti-virus scanner.
|
||||||
|
# 1 => Enabled
|
||||||
|
# **0** => Disabled
|
||||||
ENABLE_CLAMAV=0
|
ENABLE_CLAMAV=0
|
||||||
|
|
||||||
# Enables Rspamd
|
# Enables Rspamd
|
||||||
|
|
|
@ -93,8 +93,8 @@ milter_protocol = 6
|
||||||
milter_default_action = accept
|
milter_default_action = accept
|
||||||
dkim_milter = inet:localhost:8891
|
dkim_milter = inet:localhost:8891
|
||||||
dmarc_milter = inet:localhost:8893
|
dmarc_milter = inet:localhost:8893
|
||||||
smtpd_milters = $dkim_milter,$dmarc_milter
|
smtpd_milters =
|
||||||
non_smtpd_milters = $dkim_milter
|
non_smtpd_milters =
|
||||||
|
|
||||||
# SPF policy settings
|
# SPF policy settings
|
||||||
policyd-spf_time_limit = 3600
|
policyd-spf_time_limit = 3600
|
||||||
|
|
3
target/rspamd/local.d/actions.conf
Normal file
3
target/rspamd/local.d/actions.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# documentation: https://rspamd.com/doc/configuration/metrics.html#actions
|
||||||
|
|
||||||
|
subject = "***SPAM*** %s"
|
13
target/rspamd/local.d/antivirus.conf
Normal file
13
target/rspamd/local.d/antivirus.conf
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# documentation: https://rspamd.com/doc/modules/antivirus.html
|
||||||
|
|
||||||
|
enabled = false;
|
||||||
|
|
||||||
|
ClamAV {
|
||||||
|
type = "clamav";
|
||||||
|
servers = "/var/run/clamav/clamd.ctl";
|
||||||
|
action = "reject";
|
||||||
|
message = '${SCANNER} FOUND VIRUS "${VIRUS}"';
|
||||||
|
scan_mime_parts = false;
|
||||||
|
symbol = "CLAM_VIRUS";
|
||||||
|
log_clean = true;
|
||||||
|
}
|
|
@ -1,10 +0,0 @@
|
||||||
# documentation: https://rspamd.com/doc/modules/antivirus.html
|
|
||||||
|
|
||||||
ClamAV {
|
|
||||||
action = "reject";
|
|
||||||
scan_mime_parts = true;
|
|
||||||
message = '${SCANNER}: virus found: "${VIRUS}"';
|
|
||||||
type = "clamav";
|
|
||||||
log_clean = false;
|
|
||||||
servers = "127.0.0.1:3310";
|
|
||||||
}
|
|
|
@ -1,6 +1,6 @@
|
||||||
# documentation: https://rspamd.com/doc/configuration/logging.html
|
# documentation: https://rspamd.com/doc/configuration/logging.html
|
||||||
|
|
||||||
type = "console";
|
type = "console";
|
||||||
level = "notice";
|
level = "silent";
|
||||||
color = true;
|
color = false;
|
||||||
systemd = false;
|
systemd = false;
|
||||||
|
|
3
target/rspamd/local.d/worker-controller.inc
Normal file
3
target/rspamd/local.d/worker-controller.inc
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# documentation: https://rspamd.com/doc/workers/controller.html
|
||||||
|
|
||||||
|
bind_socket = "0.0.0.0:11334";
|
4
target/rspamd/local.d/worker-normal.inc
Normal file
4
target/rspamd/local.d/worker-normal.inc
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# documentation: https://rspamd.com/doc/workers/normal.html
|
||||||
|
|
||||||
|
enabled = false;
|
||||||
|
bind_socket = "127.0.0.1:11333";
|
18
target/rspamd/local.d/worker-proxy.inc
Normal file
18
target/rspamd/local.d/worker-proxy.inc
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
# documentation: https://rspamd.com/doc/workers/rspamd_proxy.html
|
||||||
|
# see also: https://rspamd.com/doc/quickstart.html#using-of-milter-protocol-for-rspamd--16
|
||||||
|
|
||||||
|
bind_socket = "127.0.0.1:11332";
|
||||||
|
|
||||||
|
milter = yes;
|
||||||
|
timeout = 120s;
|
||||||
|
|
||||||
|
upstream "local" {
|
||||||
|
default = yes;
|
||||||
|
self_scan = yes;
|
||||||
|
}
|
||||||
|
|
||||||
|
count = 2;
|
||||||
|
max_retries = 5;
|
||||||
|
discard_on_reject = false;
|
||||||
|
quarantine_on_reject = false;
|
||||||
|
spam_header = "X-Spam";
|
|
@ -88,6 +88,8 @@ function _environment_variables_general_setup
|
||||||
VARS[ENABLE_FAIL2BAN]="${ENABLE_FAIL2BAN:=0}"
|
VARS[ENABLE_FAIL2BAN]="${ENABLE_FAIL2BAN:=0}"
|
||||||
VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}"
|
VARS[ENABLE_FETCHMAIL]="${ENABLE_FETCHMAIL:=0}"
|
||||||
VARS[ENABLE_MANAGESIEVE]="${ENABLE_MANAGESIEVE:=0}"
|
VARS[ENABLE_MANAGESIEVE]="${ENABLE_MANAGESIEVE:=0}"
|
||||||
|
VARS[ENABLE_OPENDKIM]="${ENABLE_OPENDKIM:=1}"
|
||||||
|
VARS[ENABLE_OPENDMARC]="${ENABLE_OPENDMARC:=1}"
|
||||||
VARS[ENABLE_POP3]="${ENABLE_POP3:=0}"
|
VARS[ENABLE_POP3]="${ENABLE_POP3:=0}"
|
||||||
VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
|
VARS[ENABLE_POSTGREY]="${ENABLE_POSTGREY:=0}"
|
||||||
VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
|
VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
|
||||||
|
|
|
@ -103,7 +103,7 @@ function _register_functions
|
||||||
[[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
|
[[ ${CLAMAV_MESSAGE_SIZE_LIMIT} != '25M' ]] && _register_setup_function '_setup_clamav_sizelimit'
|
||||||
[[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
|
[[ ${ENABLE_RSPAMD} -eq 1 ]] && _register_setup_function '_setup_rspamd'
|
||||||
|
|
||||||
_register_setup_function '_setup_dkim'
|
_register_setup_function '_setup_dkim_dmarc'
|
||||||
_register_setup_function '_setup_ssl'
|
_register_setup_function '_setup_ssl'
|
||||||
_register_setup_function '_setup_docker_permit'
|
_register_setup_function '_setup_docker_permit'
|
||||||
_register_setup_function '_setup_mailname'
|
_register_setup_function '_setup_mailname'
|
||||||
|
@ -167,13 +167,13 @@ function _register_functions
|
||||||
|
|
||||||
if [[ ${ENABLE_RSPAMD} -eq 1 ]]
|
if [[ ${ENABLE_RSPAMD} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_register_start_daemon '_start_daemon_rspamd'
|
|
||||||
_register_start_daemon '_start_daemon_redis'
|
_register_start_daemon '_start_daemon_redis'
|
||||||
|
_register_start_daemon '_start_daemon_rspamd'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# needs to be started before SASLauthd
|
# needs to be started before SASLauthd
|
||||||
_register_start_daemon '_start_daemon_opendkim'
|
[[ ${ENABLE_OPENDKIM} -eq 1 ]] && _register_start_daemon '_start_daemon_opendkim'
|
||||||
_register_start_daemon '_start_daemon_opendmarc'
|
[[ ${ENABLE_OPENDMARC} -eq 1 ]] && _register_start_daemon '_start_daemon_opendmarc'
|
||||||
|
|
||||||
# needs to be started before postfix
|
# needs to be started before postfix
|
||||||
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey'
|
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_start_daemon '_start_daemon_postgrey'
|
||||||
|
|
|
@ -35,7 +35,6 @@ function _misc_save_states
|
||||||
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail')
|
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail')
|
||||||
[[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey')
|
[[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey')
|
||||||
[[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/rspamd')
|
[[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/rspamd')
|
||||||
# [[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/redis')
|
|
||||||
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
|
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
|
||||||
[[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot')
|
[[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot')
|
||||||
|
|
||||||
|
|
|
@ -84,8 +84,15 @@ function _setup_amavis
|
||||||
mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
|
mv /etc/cron.d/amavisd-new /etc/cron.d/amavisd-new.disabled
|
||||||
chmod 0 /etc/cron.d/amavisd-new.disabled
|
chmod 0 /etc/cron.d/amavisd-new.disabled
|
||||||
|
|
||||||
[[ ${ENABLE_CLAMAV} -eq 1 ]] && _log 'warn' 'ClamAV will not work when Amavis is disabled. Remove ENABLE_AMAVIS=0 from your configuration to fix it.'
|
if [[ ${ENABLE_CLAMAV} -eq 1 ]] && [[ ${ENABLE_RSPAMD} -eq 0 ]]
|
||||||
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && _log 'warn' 'Spamassassin will not work when Amavis is disabled. Remove ENABLE_AMAVIS=0 from your configuration to fix it.'
|
then
|
||||||
|
_log 'warn' 'ClamAV will not work when Amavis & rspamd are disabled. Enable either Amavis or rspamd to fix it.'
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
|
||||||
|
then
|
||||||
|
_log 'warn' 'Spamassassin will not work when Amavis is disabled. Enable Amavis to fix it.'
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -95,19 +102,45 @@ function _setup_rspamd
|
||||||
|
|
||||||
if [[ ${ENABLE_AMAVIS} -eq 1 ]] || [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
|
if [[ ${ENABLE_AMAVIS} -eq 1 ]] || [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_shutdown 'You cannot run Amavis/SpamAssassin and Rspamd at the same time'
|
_log 'warn' 'Running rspamd at the same time as Amavis or SpamAssassin is discouraged'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${ENABLE_CLAMAV} -eq 1 ]]
|
if [[ ${ENABLE_CLAMAV} -eq 1 ]]
|
||||||
then
|
then
|
||||||
_log 'debug' 'Rspamd will use ClamAV'
|
_log 'debug' 'Rspamd will use ClamAV'
|
||||||
mv /etc/rspamd/local.d/disabled/antivirus.conf /etc/rspamd/local.d/antivirus.conf
|
sedfile -i -E 's|^(enabled).*|\1 = true;|g' /etc/rspamd/local.d/antivirus.conf
|
||||||
|
# RSpamd uses ClamAV's UNIX socket, and to be able to read it, it must be in the same group
|
||||||
|
usermod -a -G clamav _rspamd
|
||||||
else
|
else
|
||||||
_log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
|
_log 'debug' 'Rspamd will not use ClamAV (which has not been enabled)'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
_log 'warn' 'Only running with default configuration'
|
declare -a DISABLE_MODULES
|
||||||
_log 'warn' 'You will need to adjust the Postfix configuration yourself to use Rspamd as of now'
|
DISABLE_MODULES=(
|
||||||
|
clickhouse
|
||||||
|
dkim_signing
|
||||||
|
elastic
|
||||||
|
greylist
|
||||||
|
rbl
|
||||||
|
reputation
|
||||||
|
spamassassin
|
||||||
|
url_redirector
|
||||||
|
metric_exporter
|
||||||
|
)
|
||||||
|
|
||||||
|
for MODULE in "${DISABLE_MODULES[@]}"
|
||||||
|
do
|
||||||
|
cat >"/etc/rspamd/local.d/${MODULE}.conf" << EOF
|
||||||
|
#documentation: https://rspamd.com/doc/modules/${MODULE}.html
|
||||||
|
|
||||||
|
enabled = false;
|
||||||
|
|
||||||
|
EOF
|
||||||
|
done
|
||||||
|
|
||||||
|
# shellcheck disable=SC2016
|
||||||
|
sed -i -E 's|^(smtpd_milters =.*)|\1 inet:localhost:11332|g' /etc/postfix/main.cf
|
||||||
|
touch /var/lib/rspamd/stats.ucl
|
||||||
}
|
}
|
||||||
|
|
||||||
function _setup_dmarc_hostname
|
function _setup_dmarc_hostname
|
||||||
|
@ -580,7 +613,7 @@ EOF
|
||||||
-e "/dovecot_destination_recipient_limit =.*/d" \
|
-e "/dovecot_destination_recipient_limit =.*/d" \
|
||||||
/etc/postfix/main.cf
|
/etc/postfix/main.cf
|
||||||
|
|
||||||
gpasswd -a postfix sasl
|
gpasswd -a postfix sasl >/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
function _setup_postfix_aliases
|
function _setup_postfix_aliases
|
||||||
|
@ -599,18 +632,36 @@ function _setup_SRS
|
||||||
postconf 'recipient_canonical_classes = envelope_recipient,header_recipient'
|
postconf 'recipient_canonical_classes = envelope_recipient,header_recipient'
|
||||||
}
|
}
|
||||||
|
|
||||||
function _setup_dkim
|
function _setup_dkim_dmarc
|
||||||
{
|
{
|
||||||
|
if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
|
||||||
|
then
|
||||||
|
_log 'trace' "Adding OpenDMARC to Postfix's milters"
|
||||||
|
|
||||||
|
# shellcheck disable=SC2016
|
||||||
|
sed -i -E 's|^(smtpd_milters =.*)|\1 \$dmarc_milter|g' /etc/postfix/main.cf
|
||||||
|
fi
|
||||||
|
|
||||||
|
[[ ${ENABLE_OPENDKIM} -eq 1 ]] || return 0
|
||||||
|
|
||||||
_log 'debug' 'Setting up DKIM'
|
_log 'debug' 'Setting up DKIM'
|
||||||
|
|
||||||
mkdir -p /etc/opendkim && touch /etc/opendkim/SigningTable
|
mkdir -p /etc/opendkim/keys/ && touch /etc/opendkim/SigningTable
|
||||||
|
|
||||||
|
_log 'trace' "Adding OpenDKIM to Postfix's milters"
|
||||||
|
# shellcheck disable=SC2016
|
||||||
|
sed -i -E 's|^(smtpd_milters =.*)|\1 \$dkim_milter|g' /etc/postfix/main.cf
|
||||||
|
# shellcheck disable=SC2016
|
||||||
|
sed -i -E 's|^(non_smtpd_milters =.*)|\1 \$dkim_milter|g' /etc/postfix/main.cf
|
||||||
|
|
||||||
# check if any keys are available
|
# check if any keys are available
|
||||||
if [[ -e "/tmp/docker-mailserver/opendkim/KeyTable" ]]
|
if [[ -e "/tmp/docker-mailserver/opendkim/KeyTable" ]]
|
||||||
then
|
then
|
||||||
cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/
|
cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/
|
||||||
|
|
||||||
_log 'trace' "DKIM keys added for: $(ls /etc/opendkim/keys/)"
|
local KEYS
|
||||||
|
KEYS=$(find /etc/opendkim/keys/ -type f -maxdepth 1)
|
||||||
|
_log 'trace' "DKIM keys added for: ${KEYS}"
|
||||||
_log 'trace' "Changing permissions on '/etc/opendkim'"
|
_log 'trace' "Changing permissions on '/etc/opendkim'"
|
||||||
|
|
||||||
chown -R opendkim:opendkim /etc/opendkim/
|
chown -R opendkim:opendkim /etc/opendkim/
|
||||||
|
@ -889,7 +940,7 @@ function _setup_security_stack
|
||||||
|
|
||||||
sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key
|
sa-update --import /etc/spamassassin/kam/kam.sa-channels.mcgrail.com.key
|
||||||
|
|
||||||
cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOM"
|
cat >"${SPAMASSASSIN_KAM_CRON_FILE}" <<"EOF"
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
RESULT=$(sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com 2>&1)
|
RESULT=$(sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com 2>&1)
|
||||||
|
@ -904,7 +955,7 @@ fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
EOM
|
EOF
|
||||||
|
|
||||||
chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
|
chmod +x "${SPAMASSASSIN_KAM_CRON_FILE}"
|
||||||
fi
|
fi
|
||||||
|
@ -1003,11 +1054,11 @@ function _setup_mail_summary
|
||||||
_log 'debug' "${ENABLED_MESSAGE}"
|
_log 'debug' "${ENABLED_MESSAGE}"
|
||||||
_log 'trace' 'Creating daily cron job for pflogsumm report'
|
_log 'trace' 'Creating daily cron job for pflogsumm report'
|
||||||
|
|
||||||
cat >/etc/cron.daily/postfix-summary << EOM
|
cat >/etc/cron.daily/postfix-summary << EOF
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
/usr/local/bin/report-pflogsumm-yesterday ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}
|
/usr/local/bin/report-pflogsumm-yesterday ${HOSTNAME} ${PFLOGSUMM_RECIPIENT} ${PFLOGSUMM_SENDER}
|
||||||
EOM
|
EOF
|
||||||
|
|
||||||
chmod +x /etc/cron.daily/postfix-summary
|
chmod +x /etc/cron.daily/postfix-summary
|
||||||
;;
|
;;
|
||||||
|
@ -1051,11 +1102,11 @@ function _setup_logwatch
|
||||||
INTERVAL="--range 'between -7 days and -1 days'"
|
INTERVAL="--range 'between -7 days and -1 days'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat >"${LOGWATCH_FILE}" << EOM
|
cat >"${LOGWATCH_FILE}" << EOF
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
/usr/sbin/logwatch ${INTERVAL} --hostname ${HOSTNAME} --mailto ${LOGWATCH_RECIPIENT}
|
/usr/sbin/logwatch ${INTERVAL} --hostname ${HOSTNAME} --mailto ${LOGWATCH_RECIPIENT}
|
||||||
EOM
|
EOF
|
||||||
chmod 744 "${LOGWATCH_FILE}"
|
chmod 744 "${LOGWATCH_FILE}"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ do
|
||||||
if dpkg --compare-versions "${VERSION}" lt "${LATEST}"
|
if dpkg --compare-versions "${VERSION}" lt "${LATEST}"
|
||||||
then
|
then
|
||||||
# send mail notification to postmaster
|
# send mail notification to postmaster
|
||||||
read -r -d '' MAIL << EOM
|
read -r -d '' MAIL << EOF
|
||||||
Hello ${POSTMASTER_ADDRESS}!
|
Hello ${POSTMASTER_ADDRESS}!
|
||||||
|
|
||||||
There is a docker-mailserver update available on your host: $(hostname -f)
|
There is a docker-mailserver update available on your host: $(hostname -f)
|
||||||
|
@ -39,7 +39,7 @@ Current version: ${VERSION}
|
||||||
Latest version: ${LATEST}
|
Latest version: ${LATEST}
|
||||||
|
|
||||||
Changelog: ${CHANGELOG_URL}
|
Changelog: ${CHANGELOG_URL}
|
||||||
EOM
|
EOF
|
||||||
|
|
||||||
_log_with_date 'info' "Update available [ ${VERSION} --> ${LATEST} ]"
|
_log_with_date 'info' "Update available [ ${VERSION} --> ${LATEST} ]"
|
||||||
|
|
||||||
|
|
|
@ -103,7 +103,7 @@ autostart=false
|
||||||
autorestart=true
|
autorestart=true
|
||||||
stdout_logfile=/var/log/supervisor/%(program_name)s.log
|
stdout_logfile=/var/log/supervisor/%(program_name)s.log
|
||||||
stderr_logfile=/var/log/supervisor/%(program_name)s.log
|
stderr_logfile=/var/log/supervisor/%(program_name)s.log
|
||||||
command=/usr/bin/rspamd --no-fork --user=rspamd --group=rspamd
|
command=/usr/bin/rspamd --no-fork --user=_rspamd --group=_rspamd
|
||||||
|
|
||||||
[program:redis]
|
[program:redis]
|
||||||
startsecs=0
|
startsecs=0
|
||||||
|
|
13
test/test-files/email-templates/rspamd-spam.txt
Normal file
13
test/test-files/email-templates/rspamd-spam.txt
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
HELO mail.example.test
|
||||||
|
MAIL FROM: spam@example.test
|
||||||
|
RCPT TO: user1@localhost.localdomain
|
||||||
|
DATA
|
||||||
|
From: Docker Mail Server <spam@example.test>
|
||||||
|
To: Existing Local User <user1@localhost.localdomain>
|
||||||
|
Date: Sat, 21 Jan 2023 11:11:11 +0000
|
||||||
|
Subject: Test Message rspamd-spam.txt
|
||||||
|
This is a test mail.
|
||||||
|
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
|
||||||
|
|
||||||
|
.
|
||||||
|
QUIT
|
12
test/test-files/email-templates/rspamd-virus.txt
Normal file
12
test/test-files/email-templates/rspamd-virus.txt
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
HELO mail.example.test
|
||||||
|
MAIL FROM: virus@example.test
|
||||||
|
RCPT TO: user1@localhost.localdomain
|
||||||
|
DATA
|
||||||
|
From: Docker Mail Server <dockermailserver@external.tld>
|
||||||
|
To: Existing Local User <user1@localhost.localdomain>
|
||||||
|
Date: Sat, 21 Jan 2023 11:11:11 +0000
|
||||||
|
Subject: Test Message rspamd-virus.txt
|
||||||
|
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
|
||||||
|
|
||||||
|
.
|
||||||
|
QUIT
|
96
test/tests/parallel/set1/spam_virus/rspamd.bats
Normal file
96
test/tests/parallel/set1/spam_virus/rspamd.bats
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
load "${REPOSITORY_ROOT}/test/helper/setup"
|
||||||
|
load "${REPOSITORY_ROOT}/test/helper/common"
|
||||||
|
|
||||||
|
BATS_TEST_NAME_PREFIX='[rspamd] '
|
||||||
|
CONTAINER_NAME='dms-test_rspamd'
|
||||||
|
|
||||||
|
function setup_file() {
|
||||||
|
_init_with_defaults
|
||||||
|
|
||||||
|
# Comment for maintainers about `PERMIT_DOCKER=host`:
|
||||||
|
# https://github.com/docker-mailserver/docker-mailserver/pull/2815/files#r991087509
|
||||||
|
local CUSTOM_SETUP_ARGUMENTS=(
|
||||||
|
--env ENABLE_CLAMAV=1
|
||||||
|
--env ENABLE_RSPAMD=1
|
||||||
|
--env ENABLE_OPENDKIM=0
|
||||||
|
--env ENABLE_OPENDMARC=0
|
||||||
|
--env PERMIT_DOCKER=host
|
||||||
|
--env LOG_LEVEL=trace
|
||||||
|
)
|
||||||
|
|
||||||
|
_common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
|
||||||
|
|
||||||
|
# wait for ClamAV to be fully setup or we will get errors on the log
|
||||||
|
_repeat_in_container_until_success_or_timeout 60 "${CONTAINER_NAME}" test -e /var/run/clamav/clamd.ctl
|
||||||
|
|
||||||
|
_wait_for_service redis
|
||||||
|
_wait_for_service rspamd
|
||||||
|
_wait_for_service postfix
|
||||||
|
_wait_for_smtp_port_in_container
|
||||||
|
|
||||||
|
# We will send 3 emails: the first one should pass just fine; the second one should
|
||||||
|
# be rejected due to spam; the third one should be rejected due to a virus.
|
||||||
|
_run_in_container_bash "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
|
||||||
|
assert_success
|
||||||
|
_run_in_container_bash "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/rspamd-spam.txt"
|
||||||
|
assert_success
|
||||||
|
_run_in_container_bash "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/rspamd-virus.txt"
|
||||||
|
assert_success
|
||||||
|
|
||||||
|
_wait_for_empty_mail_queue_in_container "${CONTAINER_NAME}"
|
||||||
|
}
|
||||||
|
|
||||||
|
function teardown_file() { _default_teardown ; }
|
||||||
|
|
||||||
|
@test "Postfix's main.cf was adjusted" {
|
||||||
|
_run_in_container grep -q 'smtpd_milters = inet:localhost:11332' /etc/postfix/main.cf
|
||||||
|
assert_success
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "logs exist and contains proper content" {
|
||||||
|
_should_contain_string_rspamd 'rspamd .* is loading configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module clickhouse is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module dkim_signing is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module elastic is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module rbl is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module reputation is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module spamassassin is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module url_redirector is disabled in the configuration'
|
||||||
|
_should_contain_string_rspamd 'lua module metric_exporter is disabled in the configuration'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "normal mail passes fine" {
|
||||||
|
_should_contain_string_rspamd 'F (no action)'
|
||||||
|
|
||||||
|
run docker logs -n 100 "${CONTAINER_NAME}"
|
||||||
|
assert_success
|
||||||
|
assert_output --partial "stored mail into mailbox 'INBOX'"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "detects and rejects spam" {
|
||||||
|
_should_contain_string_rspamd 'S (reject)'
|
||||||
|
_should_contain_string_rspamd 'reject "Gtube pattern"'
|
||||||
|
|
||||||
|
run docker logs -n 100 "${CONTAINER_NAME}"
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'milter-reject'
|
||||||
|
assert_output --partial '5.7.1 Gtube pattern'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "detects and rejects virus" {
|
||||||
|
_should_contain_string_rspamd 'T (reject)'
|
||||||
|
_should_contain_string_rspamd 'reject "ClamAV FOUND VIRUS "Eicar-Signature"'
|
||||||
|
|
||||||
|
run docker logs -n 8 "${CONTAINER_NAME}"
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'milter-reject'
|
||||||
|
assert_output --partial '5.7.1 ClamAV FOUND VIRUS "Eicar-Signature"'
|
||||||
|
refute_output --partial "stored mail into mailbox 'INBOX'"
|
||||||
|
}
|
||||||
|
|
||||||
|
function _should_contain_string_rspamd() {
|
||||||
|
local STRING=${1:?No string provided to _should_contain_string_rspamd}
|
||||||
|
|
||||||
|
_run_in_container grep -q "${STRING}" /var/log/supervisor/rspamd.log
|
||||||
|
assert_success
|
||||||
|
}
|
|
@ -34,8 +34,6 @@ function teardown() { _default_teardown ; }
|
||||||
|
|
||||||
# These processes should always be running:
|
# These processes should always be running:
|
||||||
CORE_PROCESS_LIST=(
|
CORE_PROCESS_LIST=(
|
||||||
opendkim
|
|
||||||
opendmarc
|
|
||||||
master
|
master
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -46,6 +44,8 @@ ENV_PROCESS_LIST=(
|
||||||
dovecot
|
dovecot
|
||||||
fail2ban-server
|
fail2ban-server
|
||||||
fetchmail
|
fetchmail
|
||||||
|
opendkim
|
||||||
|
opendmarc
|
||||||
postgrey
|
postgrey
|
||||||
postsrsd
|
postsrsd
|
||||||
saslauthd
|
saslauthd
|
||||||
|
@ -58,6 +58,8 @@ ENV_PROCESS_LIST=(
|
||||||
--env ENABLE_CLAMAV=0
|
--env ENABLE_CLAMAV=0
|
||||||
--env ENABLE_FAIL2BAN=0
|
--env ENABLE_FAIL2BAN=0
|
||||||
--env ENABLE_FETCHMAIL=0
|
--env ENABLE_FETCHMAIL=0
|
||||||
|
--env ENABLE_OPENDKIM=0
|
||||||
|
--env ENABLE_OPENDMARC=0
|
||||||
--env ENABLE_POSTGREY=0
|
--env ENABLE_POSTGREY=0
|
||||||
--env ENABLE_SASLAUTHD=0
|
--env ENABLE_SASLAUTHD=0
|
||||||
--env ENABLE_SRS=0
|
--env ENABLE_SRS=0
|
||||||
|
@ -93,6 +95,8 @@ ENV_PROCESS_LIST=(
|
||||||
--env ENABLE_AMAVIS=1
|
--env ENABLE_AMAVIS=1
|
||||||
--env ENABLE_FAIL2BAN=1
|
--env ENABLE_FAIL2BAN=1
|
||||||
--env ENABLE_FETCHMAIL=1
|
--env ENABLE_FETCHMAIL=1
|
||||||
|
--env ENABLE_OPENDKIM=1
|
||||||
|
--env ENABLE_OPENDMARC=1
|
||||||
--env FETCHMAIL_PARALLEL=1
|
--env FETCHMAIL_PARALLEL=1
|
||||||
--env ENABLE_POSTGREY=1
|
--env ENABLE_POSTGREY=1
|
||||||
--env ENABLE_SASLAUTHD=1
|
--env ENABLE_SASLAUTHD=1
|
||||||
|
|
Loading…
Reference in a new issue