From 1d9b3b00a73a5af29c26aa454d56756f52686a1c Mon Sep 17 00:00:00 2001
From: kaiyou <pierre@jaury.eu>
Date: Sun, 5 Nov 2017 16:54:23 +0100
Subject: [PATCH] Use rspamd as a milter service instead of deprecated rmilter

---
 core/dovecot/conf/dovecot.conf                        |  9 ++++-----
 core/dovecot/sieve/before.sieve                       |  5 +++++
 core/postfix/conf/main.cf                             |  2 +-
 services/rspamd/Dockerfile                            |  7 ++-----
 services/rspamd/conf/local.d/antivirus.conf           |  6 ++++++
 services/rspamd/conf/local.d/dkim_signing.conf        |  2 ++
 services/rspamd/conf/local.d/logging.inc              |  1 +
 services/rspamd/conf/local.d/milter_headers.conf      | 11 +++++++++++
 services/rspamd/conf/local.d/redis.conf               |  1 +
 services/rspamd/conf/local.d/worker-normal.inc        |  1 +
 services/rspamd/conf/local.d/worker-proxy.inc         |  8 ++++++++
 .../conf/{worker-normal.conf => worker-proxy.conf}    |  9 ++++-----
 12 files changed, 46 insertions(+), 16 deletions(-)
 create mode 100644 services/rspamd/conf/local.d/antivirus.conf
 create mode 100644 services/rspamd/conf/local.d/dkim_signing.conf
 create mode 100644 services/rspamd/conf/local.d/logging.inc
 create mode 100644 services/rspamd/conf/local.d/milter_headers.conf
 create mode 100644 services/rspamd/conf/local.d/redis.conf
 create mode 100644 services/rspamd/conf/local.d/worker-normal.inc
 create mode 100644 services/rspamd/conf/local.d/worker-proxy.inc
 rename services/rspamd/conf/{worker-normal.conf => worker-proxy.conf} (50%)

diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index 7bf59474..6c897710 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -155,11 +155,10 @@ plugin {
   # Include the recipient in vacation replies so that DKIM applies
   sieve_vacation_send_from_recipient = yes
 
-  # extract spam score from
-  # X-Spam-Result: .... [<value> / <max_value] ...
-  sieve_spamtest_status_type = score
-  sieve_spamtest_status_header = X-Spamd-Result: .*\[(-?[[:digit:]]+\.[[:digit:]]+) .*\]
-  sieve_spamtest_max_header = X-Spamd-Result: .*\[.* ([[:digit:]]+\.[[:digit:]]+)\]
+  # extract spam score from headers
+  sieve_spamtest_status_type = strlen
+  sieve_spamtest_status_header = X-Spam-Level
+  sieve_spamtest_max_value = 15
 
   # Learn from spam
   imapsieve_mailbox1_name = Junk
diff --git a/core/dovecot/sieve/before.sieve b/core/dovecot/sieve/before.sieve
index 41774d90..e4eff51b 100644
--- a/core/dovecot/sieve/before.sieve
+++ b/core/dovecot/sieve/before.sieve
@@ -19,6 +19,11 @@ if allof (string :is "${extdata.spam_enabled}" "1",
   stop;
 }
 
+if exists "X-Virus" {
+  discard;
+  stop;
+}
+
 if string :is "${extdata.reply_enabled}" "1" {
   vacation :days 1 :subject "${extdata.reply_subject}" "${extdata.reply_body}";
 }
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 60887a47..099a4354 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -93,7 +93,7 @@ smtpd_recipient_restrictions =
 # Milter
 ###############
 
-smtpd_milters = inet:milter:9900
+smtpd_milters = inet:antispam:9900
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = tempfail
diff --git a/services/rspamd/Dockerfile b/services/rspamd/Dockerfile
index 0214071a..6f6967e8 100644
--- a/services/rspamd/Dockerfile
+++ b/services/rspamd/Dockerfile
@@ -1,12 +1,9 @@
 FROM alpine:edge
 
-# We have to upgrade musl, or rspamd will not work.
-RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \
- && apk add --no-cache rspamd rsyslog ca-certificates
+RUN apk add --no-cache rspamd ca-certificates
 
 RUN mkdir /run/rspamd
 
 COPY conf/ /etc/rspamd
-COPY start.sh /start.sh
 
-CMD ["/start.sh"]
+CMD ["rspamd", "-i", "-f"]
diff --git a/services/rspamd/conf/local.d/antivirus.conf b/services/rspamd/conf/local.d/antivirus.conf
new file mode 100644
index 00000000..a72f79c1
--- /dev/null
+++ b/services/rspamd/conf/local.d/antivirus.conf
@@ -0,0 +1,6 @@
+clamav {
+  attachments_only = true;
+  symbol = "CLAM_VIRUS";
+  type = "clamav";
+  servers = "antivirus:3310";
+}
diff --git a/services/rspamd/conf/local.d/dkim_signing.conf b/services/rspamd/conf/local.d/dkim_signing.conf
new file mode 100644
index 00000000..9cf7c0f0
--- /dev/null
+++ b/services/rspamd/conf/local.d/dkim_signing.conf
@@ -0,0 +1,2 @@
+try_fallback = true;
+path = "/dkim/$domain.$selector.key";
diff --git a/services/rspamd/conf/local.d/logging.inc b/services/rspamd/conf/local.d/logging.inc
new file mode 100644
index 00000000..87f25257
--- /dev/null
+++ b/services/rspamd/conf/local.d/logging.inc
@@ -0,0 +1 @@
+type=console
diff --git a/services/rspamd/conf/local.d/milter_headers.conf b/services/rspamd/conf/local.d/milter_headers.conf
new file mode 100644
index 00000000..cb680cfa
--- /dev/null
+++ b/services/rspamd/conf/local.d/milter_headers.conf
@@ -0,0 +1,11 @@
+authenticated_headers = ["authentication-results"];
+skip_local = false;
+skip_authenticated = false;
+
+use = ["x-spamd-bar", "x-spam-level", "x-virus", "authentication-results"];
+
+routines {
+  x-virus {
+    symbols = ["CLAM_VIRUS", "FPROT_VIRUS", "JUST_EICAR"];
+  }
+}
diff --git a/services/rspamd/conf/local.d/redis.conf b/services/rspamd/conf/local.d/redis.conf
new file mode 100644
index 00000000..57f2f4ec
--- /dev/null
+++ b/services/rspamd/conf/local.d/redis.conf
@@ -0,0 +1 @@
+servers = "redis";
diff --git a/services/rspamd/conf/local.d/worker-normal.inc b/services/rspamd/conf/local.d/worker-normal.inc
new file mode 100644
index 00000000..a6ee8317
--- /dev/null
+++ b/services/rspamd/conf/local.d/worker-normal.inc
@@ -0,0 +1 @@
+enabled = false;
diff --git a/services/rspamd/conf/local.d/worker-proxy.inc b/services/rspamd/conf/local.d/worker-proxy.inc
new file mode 100644
index 00000000..90f11bc5
--- /dev/null
+++ b/services/rspamd/conf/local.d/worker-proxy.inc
@@ -0,0 +1,8 @@
+bind_socket = "*:11332";
+type = "proxy";
+milter = yes;
+timeout = 120s;
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}
diff --git a/services/rspamd/conf/worker-normal.conf b/services/rspamd/conf/worker-proxy.conf
similarity index 50%
rename from services/rspamd/conf/worker-normal.conf
rename to services/rspamd/conf/worker-proxy.conf
index fc3d7a5f..5d7b7e75 100644
--- a/services/rspamd/conf/worker-normal.conf
+++ b/services/rspamd/conf/worker-proxy.conf
@@ -1,6 +1,5 @@
-worker {
-    bind_socket = "*:11333";
-    .include "$CONFDIR/worker-normal.inc"
-    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-normal.inc"
-    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-normal.inc"
+worker "rspamd_proxy" {
+    bind_socket = "*:11332";
+    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-proxy.inc"
+    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-proxy.inc"
 }