From 1d9b3b00a73a5af29c26aa454d56756f52686a1c Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 5 Nov 2017 16:54:23 +0100
Subject: [PATCH] Use rspamd as a milter service instead of deprecated rmilter
---
 core/dovecot/conf/dovecot.conf | 9 ++++-----
 core/dovecot/sieve/before.sieve | 5 +++++
 core/postfix/conf/main.cf | 2 +-
 services/rspamd/Dockerfile | 7 ++-----
 services/rspamd/conf/local.d/antivirus.conf | 6 ++++++
 services/rspamd/conf/local.d/dkim_signing.conf | 2 ++
 services/rspamd/conf/local.d/logging.inc | 1 +
 services/rspamd/conf/local.d/milter_headers.conf | 11 +++++++++++
 services/rspamd/conf/local.d/redis.conf | 1 +
 services/rspamd/conf/local.d/worker-normal.inc | 1 +
 services/rspamd/conf/local.d/worker-proxy.inc | 8 ++++++++
 .../conf/{worker-normal.conf => worker-proxy.conf} | 9 ++++-----
 12 files changed, 46 insertions(+), 16 deletions(-)
 create mode 100644 services/rspamd/conf/local.d/antivirus.conf
 create mode 100644 services/rspamd/conf/local.d/dkim_signing.conf
 create mode 100644 services/rspamd/conf/local.d/logging.inc
 create mode 100644 services/rspamd/conf/local.d/milter_headers.conf
 create mode 100644 services/rspamd/conf/local.d/redis.conf
 create mode 100644 services/rspamd/conf/local.d/worker-normal.inc
 create mode 100644 services/rspamd/conf/local.d/worker-proxy.inc
 rename services/rspamd/conf/{worker-normal.conf => worker-proxy.conf} (50%)
diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index 7bf59474..6c897710 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -155,11 +155,10 @@ plugin {
 # Include the recipient in vacation replies so that DKIM applies
 sieve_vacation_send_from_recipient = yes
- # extract spam score from
- # X-Spam-Result: .... [ / > /etc/apk/repositories \
- && apk add --no-cache rspamd rsyslog ca-certificates
+RUN apk add --no-cache rspamd ca-certificates
 RUN mkdir /run/rspamd
 COPY conf/ /etc/rspamd
-COPY start.sh /start.sh
-CMD ["/start.sh"]
+CMD ["rspamd", "-i", "-f"]
diff --git a/services/rspamd/conf/local.d/antivirus.conf b/services/rspamd/conf/local.d/antivirus.conf
new file mode 100644
index 00000000..a72f79c1
--- /dev/null
+++ b/services/rspamd/conf/local.d/antivirus.conf
@@ -0,0 +1,6 @@
+clamav {
+ attachments_only = true;
+ symbol = "CLAM_VIRUS";
+ type = "clamav";
+ servers = "antivirus:3310";
+}
diff --git a/services/rspamd/conf/local.d/dkim_signing.conf b/services/rspamd/conf/local.d/dkim_signing.conf
new file mode 100644
index 00000000..9cf7c0f0
--- /dev/null
+++ b/services/rspamd/conf/local.d/dkim_signing.conf
@@ -0,0 +1,2 @@
+try_fallback = true;
+path = "/dkim/$domain.$selector.key";
diff --git a/services/rspamd/conf/local.d/logging.inc b/services/rspamd/conf/local.d/logging.inc
new file mode 100644
index 00000000..87f25257
--- /dev/null
+++ b/services/rspamd/conf/local.d/logging.inc
@@ -0,0 +1 @@
+type=console
diff --git a/services/rspamd/conf/local.d/milter_headers.conf b/services/rspamd/conf/local.d/milter_headers.conf
new file mode 100644
index 00000000..cb680cfa
--- /dev/null
+++ b/services/rspamd/conf/local.d/milter_headers.conf
@@ -0,0 +1,11 @@
+authenticated_headers = ["authentication-results"];
+skip_local = false;
+skip_authenticated = false;
+
+use = ["x-spamd-bar", "x-spam-level", "x-virus", "authentication-results"];
+
+routines {
+ x-virus {
+ symbols = ["CLAM_VIRUS", "FPROT_VIRUS", "JUST_EICAR"];
+ }
+}
diff --git a/services/rspamd/conf/local.d/redis.conf b/services/rspamd/conf/local.d/redis.conf
new file mode 100644
index 00000000..57f2f4ec
--- /dev/null
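Review bot: In services/rspamd/Dockerfile the new `CMD ["rspamd", "-i", "-f"]` passes `-i` (`--insecure`), which tells rspamd to accept running its workers as a privileged user, so the milter proxy that parses untrusted mail runs as root inside the container. Prefer dropping privileges, for example `CMD ["rspamd", "-f", "-u", "rspamd", "-g", "rspamd"]` together with `RUN mkdir /run/rspamd && chown rspamd:rspamd /run/rspamd`, assuming the Alpine package creates an `rspamd` account (not visible here). The mounted `/dkim` keys would then need to be readable by that account. The start of this hunk is missing from the page, so earlier lines of the Dockerfile could not be checked.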
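Review bot: The `clamav` block in local.d/antivirus.conf sets no `action`, so a ClamAV hit only inserts the `CLAM_VIRUS` symbol; whether infected mail is actually rejected or quarantined then depends on the symbol's score or on the sieve rule, neither of which is visible in this hunk. If rejection at SMTP time is intended, add `action = "reject";` inside the block. As I read the module documentation, `attachments_only = true;` limits scanning to messages that carry attachments, which deserves a comment such as `# messages without attachments are not sent to clamd`. It is also worth documenting what happens when `antivirus:3310` is unreachable, since mail presumably passes unscanned in that case.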
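Review bot: In local.d/milter_headers.conf, `skip_authenticated = false;` and `skip_local = false;` apply every routine in `use` to mail from authenticated users and local networks too, so submitted (outbound) messages leave with `X-Spamd-Bar`, `X-Spam-Level` and `X-Virus` headers. The `authenticated_headers` list on the first line then appears to have no effect, since as I read the module it only matters while skipping is enabled. If the intent is to add only `Authentication-Results` to submitted mail, use `skip_authenticated = true;` and keep `authenticated_headers = ["authentication-results"];`. The `x-virus` routine also lists `FPROT_VIRUS` and `JUST_EICAR`, which the antivirus.conf added in this patch does not produce.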
+++ b/services/rspamd/conf/local.d/redis.conf
@@ -0,0 +1 @@
+servers = "redis";
diff --git a/services/rspamd/conf/local.d/worker-normal.inc b/services/rspamd/conf/local.d/worker-normal.inc
new file mode 100644
index 00000000..a6ee8317
--- /dev/null
+++ b/services/rspamd/conf/local.d/worker-normal.inc
@@ -0,0 +1 @@
+enabled = false;
diff --git a/services/rspamd/conf/local.d/worker-proxy.inc b/services/rspamd/conf/local.d/worker-proxy.inc
new file mode 100644
index 00000000..90f11bc5
--- /dev/null
+++ b/services/rspamd/conf/local.d/worker-proxy.inc
@@ -0,0 +1,8 @@
+bind_socket = "*:11332";
+type = "proxy";
+milter = yes;
+timeout = 120s;
+upstream "local" {
+ default = yes;
+ self_scan = yes;
+}
diff --git a/services/rspamd/conf/worker-normal.conf b/services/rspamd/conf/worker-proxy.conf
similarity index 50%
rename from services/rspamd/conf/worker-normal.conf
rename to services/rspamd/conf/worker-proxy.conf
index fc3d7a5f..5d7b7e75 100644
--- a/services/rspamd/conf/worker-normal.conf
+++ b/services/rspamd/conf/worker-proxy.conf
@@ -1,6 +1,5 @@
-worker {
- bind_socket = "*:11333";
- .include "$CONFDIR/worker-normal.inc"
- .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-normal.inc"
- .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-normal.inc"
+worker "rspamd_proxy" {
+ bind_socket = "*:11332";
+ .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-proxy.inc"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-proxy.inc"
 }
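Review bot: `bind_socket = "*:11332";` is declared twice, once in local.d/worker-proxy.inc and again in the renamed worker-proxy.conf, which includes the former with `duplicate=merge`; define the listener in one place only. `type = "proxy";` in the .inc also looks redundant inside a `worker "rspamd_proxy"` block. The milter port carries no authentication, so the wildcard bind is only safe while the port stays on the internal container network. A comment next to it would make that assumption explicit, e.g. `# milter endpoint for the smtp container only; never publish 11332`. The compose file is not part of this page, so whether the port is published could not be checked.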