Use rspamd as a milter service instead of deprecated rmilter

core/dovecot/conf/dovecot.conf

@@ -155,11 +155,10 @@ plugin {
   # Include the recipient in vacation replies so that DKIM applies
   sieve_vacation_send_from_recipient = yes
 
-  # extract spam score from
-  # X-Spam-Result: .... [<value> / <max_value] ...
-  sieve_spamtest_status_type = score
-  sieve_spamtest_status_header = X-Spamd-Result: .*\[(-?[[:digit:]]+\.[[:digit:]]+) .*\]
-  sieve_spamtest_max_header = X-Spamd-Result: .*\[.* ([[:digit:]]+\.[[:digit:]]+)\]
+  # extract spam score from headers
+  sieve_spamtest_status_type = strlen
+  sieve_spamtest_status_header = X-Spam-Level
+  sieve_spamtest_max_value = 15
 
   # Learn from spam
   imapsieve_mailbox1_name = Junk

core/dovecot/sieve/before.sieve

@@ -19,6 +19,11 @@ if allof (string :is "${extdata.spam_enabled}" "1",
   stop;
 }
 
+if exists "X-Virus" {
+  discard;
+  stop;
+}
+
 if string :is "${extdata.reply_enabled}" "1" {
   vacation :days 1 :subject "${extdata.reply_subject}" "${extdata.reply_body}";
 }

core/postfix/conf/main.cf

@@ -93,7 +93,7 @@ smtpd_recipient_restrictions =
 # Milter
 ###############
 
-smtpd_milters = inet:milter:9900
+smtpd_milters = inet:antispam:9900
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = tempfail

services/rspamd/Dockerfile

@@ -1,12 +1,9 @@
 FROM alpine:edge
 
-# We have to upgrade musl, or rspamd will not work.
-RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \
- && apk add --no-cache rspamd rsyslog ca-certificates
+RUN apk add --no-cache rspamd ca-certificates
 
 RUN mkdir /run/rspamd
 
 COPY conf/ /etc/rspamd
-COPY start.sh /start.sh
 
-CMD ["/start.sh"]
+CMD ["rspamd", "-i", "-f"]

services/rspamd/conf/local.d/antivirus.conf

@@ -0,0 +1,6 @@
+clamav {
+  attachments_only = true;
+  symbol = "CLAM_VIRUS";
+  type = "clamav";
+  servers = "antivirus:3310";
+}

services/rspamd/conf/local.d/dkim_signing.conf

@@ -0,0 +1,2 @@
+try_fallback = true;
+path = "/dkim/$domain.$selector.key";

services/rspamd/conf/local.d/logging.inc

@@ -0,0 +1 @@
+type=console

services/rspamd/conf/local.d/milter_headers.conf

@@ -0,0 +1,11 @@
+authenticated_headers = ["authentication-results"];
+skip_local = false;
+skip_authenticated = false;
+
+use = ["x-spamd-bar", "x-spam-level", "x-virus", "authentication-results"];
+
+routines {
+  x-virus {
+    symbols = ["CLAM_VIRUS", "FPROT_VIRUS", "JUST_EICAR"];
+  }
+}

services/rspamd/conf/local.d/redis.conf

@@ -0,0 +1 @@
+servers = "redis";

services/rspamd/conf/local.d/worker-normal.inc

@@ -0,0 +1 @@
+enabled = false;

services/rspamd/conf/local.d/worker-proxy.inc

@@ -0,0 +1,8 @@
+bind_socket = "*:11332";
+type = "proxy";
+milter = yes;
+timeout = 120s;
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}

services/rspamd/conf/worker-proxy.conf

@@ -1,6 +1,5 @@
-worker {
-    bind_socket = "*:11333";
-    .include "$CONFDIR/worker-normal.inc"
-    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-normal.inc"
-    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-normal.inc"
+worker "rspamd_proxy" {
+    bind_socket = "*:11332";
+    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-proxy.inc"
+    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-proxy.inc"
 }