rspamd

Contents

rspamd

About

Fast, free and open-source spam filtering system.

Rspamd filtering system is designed to be fast, modular and easily scalable system. Rspamd core is written in C language using event driven processing model. Plugins for rspamd can be written in Lua programming language. Rspamd is designed to process connections completely asynchronous and do not block anywhere in code.

Please see:

Installation

   1 #aptitude install rspamd redis
   2 ### BETTER FROM BACKPORTS
   3 aptitude install -t buster-backports redis rspamd

Show running configuration

   1 rspamadm configdump|less

Ports

https://rspamd.com/doc/workers/

Socket	Name	Beschreibung	Status
127.0.0.1:6379	redis	Key-Value-Storage	Aktiv
127.0.0.1:11332	rspamd worker-proxy	handles requests forwarding and milter protocol	Aktiv
127.0.0.1:11333	rspamd worker-normal	scan mail messages	Aktiv
127.0.0.1:11334	rspamd worker-controller	configuration actions	Aktiv
127.0.0.1:11335	rspamd worker-fuzzy	stores fuzzy hashes	Inaktiv

Configuration

Unix Permissions

Adjust Unix-Permissions

   1 find \
   2         /etc/rspamd/local.d \
   3         /var/lib/rspamd/dkim \
   4         -type f \
   5         -exec chown root:_rspamd {} \; \
   6         -exec chmod 0640 {} \;

redis backend

Older rspamd versions default to SQLite backends, nowadays redis hasbecome the default backend, but may need redundancy.

Ports

redis-server port tcp/6379
redis-sentinel port tcp/26379 (default)
redis-sentinel port tcp/5000

Redis OS optimizations

Redis complains to get some optimizations.

29516:M 22 Oct 2020 17:54:01.615 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
29516:M 22 Oct 2020 17:54:01.615 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled (set to 'madvise' or 'never').

redis replication

The idea is to have two servers.

Node1 is a writeable master,
node2 is a read-only slave replicating from master.

Any rspamd instance should write to node1, read from both and failover to node2 if node1 is gone. For higher redundancy, use sentinel.

The detailed redis.conf is lengthy with about 1865 lines of code. I'll stick to the changes from the defaults for my setup.

TLS enablement and hardening not yet included. First need a certificate.

redis replication master

/etc/redis/redis.conf

   1 ################################## NETWORK #####################################
   2 
   3 # By default, if no "bind" configuration directive is specified, Redis listens
   4 # for connections from all the network interfaces available on the server.
   5 # It is possible to listen to just one or multiple selected interfaces using
   6 # the "bind" configuration directive, followed by one or more IP addresses.
   7 #
   8 # Examples:
   9 #
  10 # bind 192.168.1.100 10.0.0.1
  11 # bind 127.0.0.1 ::1
  12 #
  13 # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
  14 # internet, binding to all the interfaces is dangerous and will expose the
  15 # instance to everybody on the internet. So by default we uncomment the
  16 # following bind directive, that will force Redis to listen only into
  17 # the IPv4 loopback interface address (this means Redis will be able to
  18 # accept connections only from clients running into the same computer it
  19 # is running).
  20 #
  21 # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
  22 # JUST COMMENT THE FOLLOWING LINE.
  23 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  24 #bind 127.0.0.1 ::1
  25 bind 127.0.0.1 ::1 IP.ADD.RE.SS
  26 …
  27 # If the master is password protected (using the "requirepass" configuration
  28 # directive below) it is possible to tell the replica to authenticate before
  29 # starting the replication synchronization process, otherwise the master will
  30 # refuse the replica request.
  31 #
  32 # masterauth <master-password>
  33 #
  34 # However this is not enough if you are using Redis ACLs (for Redis version
  35 # 6 or greater), and the default user is not capable of running the PSYNC
  36 # command and/or other commands needed for replication. In this case it's
  37 # better to configure a special user to use with replication, and specify the
  38 # masteruser configuration as such:
  39 #
  40 # masteruser <username>
  41 #
  42 # When masteruser is specified, the replica will authenticate against its
  43 # master using the new AUTH form: AUTH <username> <password>.
  44 masteruser replicator
  45 masterauth zail1vaiThihair6al6HohsetohaiNgood8eighaibakethee4Fahgeingoaz5uo
  46 …
  47 # Using an external ACL file
  48 #
  49 # Instead of configuring users here in this file, it is possible to use
  50 # a stand-alone file just listing users. The two methods cannot be mixed:
  51 # if you configure users here and at the same time you activate the exteranl
  52 # ACL file, the server will refuse to start.
  53 #
  54 # The format of the external ACL user file is exactly the same as the
  55 # format that is used inside redis.conf to describe users.
  56 #
  57 aclfile /etc/redis/users.acl
  58 …

This file contains the credentials and is going to be synced between the nodes. Unfortunately rspamd does not yet support redis acls and the user default must be configured.
/etc/redis/users.acl

   1 user replicator on +@all ~* >zail1vaiThihair6al6HohsetohaiNgood8eighaibakethee4Fahgeingoaz5uo
   2 user default    on +@all ~* >rau4aivie9she0thoo1JeiWul5doovohTh3dah5leinee3ahvie7aino6kee7Cha

Make sure /etc/redis/users.acl does not contain tabulators.

29516:M 22 Oct 2020 17:54:01.615 # Aborting Redis startup because of ACL errors: '/etc/redis/users.acl:1: username 'replicator  on' contains invalid characters. '/etc/redis/users.acl:2: username 'default     on' contains invalid characters. WARNING: ACL errors detected, no change to the previously active ACL rules was performed

node1 than node2

   1 systemctl stop rspamd.service
   2 systemctl restart redis-server.service
   3 systemctl start rspamd.service

check replication

Primary

   1 # redis-cli
   2 127.0.0.1:6379> AUTH secure_long_password
   3 OK
   4 ### WITHOUT A REPLICATING NODE
   5 127.0.0.1:6379> ROLE
   6 1) "master"
   7 2) (integer) 0
   8 3) (empty array)
   9 ### WITH A REPLICATING NODE
  10 127.0.0.1:6379> ROLE
  11 1) "master"
  12 2) (integer) 112
  13 3) 1) 1) "192.168.1.42"
  14       2) "6379"
  15       3) "112"
  16 127.0.0.1:6379> INFO

Secondary

   1 # redis-cli
   2 127.0.0.1:6379> AUTH secure_long_password
   3 OK
   4 ### REPLICATION BROKEN
   5 127.0.0.1:6379> ROLE
   6 1) "slave"
   7 2) "192.168.0.11"
   8 3) (integer) 6379
   9 4) "connect"
  10 5) (integer) -1
  11 ### REPLICATION WORKING
  12 127.0.0.1:6379> ROLE
  13 1) "slave"
  14 2) "80.64.180.48"
  15 3) (integer) 6379
  16 4) "connected"
  17 5) (integer) 70
  18 127.0.0.1:6379> INFO

redis replication slave

Additionally the replication slave has been pointed to the master.

/etc/redis/redis.conf

   1 ################################# REPLICATION #################################
   2 
   3 # Master-Replica replication. Use replicaof to make a Redis instance a copy of
   4 # another Redis server. A few things to understand ASAP about Redis replication.
   5 #
   6 #   +------------------+      +---------------+
   7 #   |      Master      | ---> |    Replica    |
   8 #   | (receive writes) |      |  (exact copy) |
   9 #   +------------------+      +---------------+
  10 #
  11 # 1) Redis replication is asynchronous, but you can configure a master to
  12 #    stop accepting writes if it appears to be not connected with at least
  13 #    a given number of replicas.
  14 # 2) Redis replicas are able to perform a partial resynchronization with the
  15 #    master if the replication link is lost for a relatively small amount of
  16 #    time. You may want to configure the replication backlog size (see the next
  17 #    sections of this file) with a sensible value depending on your needs.
  18 # 3) Replication is automatic and does not need user intervention. After a
  19 #    network partition replicas automatically try to reconnect to masters
  20 #    and resynchronize with them.
  21 #
  22 # replicaof <masterip> <masterport>
  23 replicaof 192.168.0.11 6379

rspamd client

Adjust the local configuration of each rspamd service
/etc/rspamd/local.d/redis.conf

   1 write_servers = "mail1.example.com:6379";
   2 #write_servers = "192.168.0.11";
   3 read_servers = "master-slave:mail1.example.com:6379:30,mail3.example.com:6379:10";
   4 #read_servers = "master-slave:192.168.0.11:6379:30;192.168.0.13:6379:10";
   5 #read_servers = "master-slave:mail3.example.com:6379:30,mail1.example.com:6379:10";
   6 #read_servers = "master-slave:192.168.0.13:6379:30;192.168.0.11:6379:10";
   7 password = rau4aivie9she0thoo1JeiWul5doovohTh3dah5leinee3ahvie7aino6kee7Cha

redis redundancy with sentinel

With multiple nodes it is possible to achieve

higher-availability,
redundancy,
faster learning,
consistent decisions and
maintainability.

Links

There is no setup with just 2 sentinels
src/sentinel.c

   1 // because it requires quorum ≥ 1.
   2 1645        if (quorum <= 0) return "Quorum must be 1 or greater.";
   3 …
   4 // because there must be more votes than 50% of the nodes
   5 // and the number of votes must be greater than the configured quorum).
   6 4026     voters_quorum = voters/2+1;
   7 4027     if (winner && (max_votes < voters_quorum || max_votes < master->quorum))
   8 4028         winner = NULL;

Example: 2 nodes, 1 down

   1 quorum=1
   2 voters=2
   3 voters_quorum=2/2+1=2
   4 max_votes=1
   5 max_votes < voters_quorum = 1 < 2 
   6 -> winner = NULL;

Install redis-sentinel

   1 aptitude install -t buster-backports redis-sentinel

Changes to sentinel.conf

Bind to port 5000
Bind to address bind 127.0.0.1 ::1 192.168.0.11
Set requirepass thai7eijae7Theizootei1la

/etc/redis/sentinel.conf

   1 # Example sentinel.conf
   2 
   3 # *** IMPORTANT ***
   4 #
   5 # By default Sentinel will not be reachable from interfaces different than
   6 # localhost, either use the 'bind' directive to bind to a list of network
   7 # interfaces, or disable protected mode with "protected-mode no" by
   8 # adding it to this configuration file.
   9 #
  10 # Before doing that MAKE SURE the instance is protected from the outside
  11 # world via firewalling or other means.
  12 #
  13 # For example you may use one of the following:
  14 #
  15 # bind 127.0.0.1 ::1 192.168.1.1
  16 bind 127.0.0.1 ::1 192.168.0.11
  17 #
  18 # protected-mode no
  19 
  20 # port <sentinel-port>
  21 # The port that this sentinel instance will run on
  22 #port 26379
  23 port 5000
  24 
  25 # By default Redis Sentinel does not run as a daemon. Use 'yes' if you need it.
  26 # Note that Redis will write a pid file in /var/run/redis-sentinel.pid when
  27 # daemonized.
  28 daemonize yes
  29 
  30 # When running daemonized, Redis Sentinel writes a pid file in
  31 # /var/run/redis-sentinel.pid by default. You can specify a custom pid file
  32 # location here.
  33 pidfile "/var/run/sentinel/redis-sentinel.pid"
  34 
  35 # Specify the log file name. Also the empty string can be used to force
  36 # Sentinel to log on the standard output. Note that if you use standard
  37 # output for logging but daemonize, logs will be sent to /dev/null
  38 logfile "/var/log/redis/redis-sentinel.log"
  39 
  40 # sentinel announce-ip <ip>
  41 # sentinel announce-port <port>
  42 #
  43 # The above two configuration directives are useful in environments where,
  44 # because of NAT, Sentinel is reachable from outside via a non-local address.
  45 #
  46 # When announce-ip is provided, the Sentinel will claim the specified IP address
  47 # in HELLO messages used to gossip its presence, instead of auto-detecting the
  48 # local address as it usually does.
  49 #
  50 # Similarly when announce-port is provided and is valid and non-zero, Sentinel
  51 # will announce the specified TCP port.
  52 #
  53 # The two options don't need to be used together, if only announce-ip is
  54 # provided, the Sentinel will announce the specified IP and the server port
  55 # as specified by the "port" option. If only announce-port is provided, the
  56 # Sentinel will announce the auto-detected local IP and the specified port.
  57 #
  58 # Example:
  59 #
  60 # sentinel announce-ip 1.2.3.4
  61 
  62 # dir <working-directory>
  63 # Every long running process should have a well-defined working directory.
  64 # For Redis Sentinel to chdir to /tmp at startup is the simplest thing
  65 # for the process to don't interfere with administrative tasks such as
  66 # unmounting filesystems.
  67 dir "/var/lib/redis"
  68 
  69 # sentinel monitor <master-name> <ip> <redis-port> <quorum>
  70 #
  71 # Tells Sentinel to monitor this master, and to consider it in O_DOWN
  72 # (Objectively Down) state only if at least <quorum> sentinels agree.
  73 #
  74 # Note that whatever is the ODOWN quorum, a Sentinel will require to
  75 # be elected by the majority of the known Sentinels in order to
  76 # start a failover, so no failover can be performed in minority.
  77 #
  78 # Replicas are auto-discovered, so you don't need to specify replicas in
  79 # any way. Sentinel itself will rewrite this configuration file adding
  80 # the replicas using additional configuration options.
  81 # Also note that the configuration file is rewritten when a
  82 # replica is promoted to master.
  83 #
  84 # Note: master name should not include special characters or spaces.
  85 # The valid charset is A-z 0-9 and the three characters ".-_".
  86 sentinel myid b7e6832629034548dd2d1e63cbac146b9dfd189b
  87 
  88 # sentinel auth-pass <master-name> <password>
  89 #
  90 # Set the password to use to authenticate with the master and replicas.
  91 # Useful if there is a password set in the Redis instances to monitor.
  92 #
  93 # Note that the master password is also used for replicas, so it is not
  94 # possible to set a different password in masters and replicas instances
  95 # if you want to be able to monitor these instances with Sentinel.
  96 #
  97 # However you can have Redis instances without the authentication enabled
  98 # mixed with Redis instances requiring the authentication (as long as the
  99 # password set is the same for all the instances requiring the password) as
 100 # the AUTH command will have no effect in Redis instances with authentication
 101 # switched off.
 102 #
 103 # Example:
 104 #
 105 # sentinel auth-pass mymaster MySUPER--secret-0123passw0rd
 106 
 107 # sentinel auth-user <master-name> <username>
 108 #
 109 # This is useful in order to authenticate to instances having ACL capabilities,
 110 # that is, running Redis 6.0 or greater. When just auth-pass is provided the
 111 # Sentinel instance will authenticate to Redis using the old "AUTH <pass>"
 112 # method. When also an username is provided, it will use "AUTH <user> <pass>".
 113 # In the Redis servers side, the ACL to provide just minimal access to
 114 # Sentinel instances, should be configured along the following lines:
 115 #
 116 #     user sentinel-user >somepassword +client +subscribe +publish \
 117 #                        +ping +info +multi +slaveof +config +client +exec on
 118 
 119 # sentinel down-after-milliseconds <master-name> <milliseconds>
 120 #
 121 # Number of milliseconds the master (or any attached replica or sentinel) should
 122 # be unreachable (as in, not acceptable reply to PING, continuously, for the
 123 # specified period) in order to consider it in S_DOWN state (Subjectively
 124 # Down).
 125 #
 126 # Default is 30 seconds.
 127 sentinel deny-scripts-reconfig yes
 128 
 129 # requirepass <password>
 130 #
 131 # You can configure Sentinel itself to require a password, however when doing
 132 # so Sentinel will try to authenticate with the same password to all the
 133 # other Sentinels. So you need to configure all your Sentinels in a given
 134 # group with the same "requirepass" password. Check the following documentation
 135 # for more info: https://redis.io/topics/sentinel
 136 
 137 # sentinel parallel-syncs <master-name> <numreplicas>
 138 #
 139 # How many replicas we can reconfigure to point to the new replica simultaneously
 140 # during the failover. Use a low number if you use the replicas to serve query
 141 # to avoid that all the replicas will be unreachable at about the same
 142 # time while performing the synchronization with the master.
 143 sentinel monitor mymaster 127.0.0.1 6379 2
 144 
 145 # sentinel failover-timeout <master-name> <milliseconds>
 146 #
 147 # Specifies the failover timeout in milliseconds. It is used in many ways:
 148 #
 149 # - The time needed to re-start a failover after a previous failover was
 150 #   already tried against the same master by a given Sentinel, is two
 151 #   times the failover timeout.
 152 #
 153 # - The time needed for a replica replicating to a wrong master according
 154 #   to a Sentinel current configuration, to be forced to replicate
 155 #   with the right master, is exactly the failover timeout (counting since
 156 #   the moment a Sentinel detected the misconfiguration).
 157 #
 158 # - The time needed to cancel a failover that is already in progress but
 159 #   did not produced any configuration change (SLAVEOF NO ONE yet not
 160 #   acknowledged by the promoted replica).
 161 #
 162 # - The maximum time a failover in progress waits for all the replicas to be
 163 #   reconfigured as replicas of the new master. However even after this time
 164 #   the replicas will be reconfigured by the Sentinels anyway, but not with
 165 #   the exact parallel-syncs progression as specified.
 166 #
 167 # Default is 3 minutes.
 168 sentinel config-epoch mymaster 0
 169 
 170 # SCRIPTS EXECUTION
 171 #
 172 # sentinel notification-script and sentinel reconfig-script are used in order
 173 # to configure scripts that are called to notify the system administrator
 174 # or to reconfigure clients after a failover. The scripts are executed
 175 # with the following rules for error handling:
 176 #
 177 # If script exits with "1" the execution is retried later (up to a maximum
 178 # number of times currently set to 10).
 179 #
 180 # If script exits with "2" (or an higher value) the script execution is
 181 # not retried.
 182 #
 183 # If script terminates because it receives a signal the behavior is the same
 184 # as exit code 1.
 185 #
 186 # A script has a maximum running time of 60 seconds. After this limit is
 187 # reached the script is terminated with a SIGKILL and the execution retried.
 188 
 189 # NOTIFICATION SCRIPT
 190 #
 191 # sentinel notification-script <master-name> <script-path>
 192 #
 193 # Call the specified notification script for any sentinel event that is
 194 # generated in the WARNING level (for instance -sdown, -odown, and so forth).
 195 # This script should notify the system administrator via email, SMS, or any
 196 # other messaging system, that there is something wrong with the monitored
 197 # Redis systems.
 198 #
 199 # The script is called with just two arguments: the first is the event type
 200 # and the second the event description.
 201 #
 202 # The script must exist and be executable in order for sentinel to start if
 203 # this option is provided.
 204 #
 205 # Example:
 206 #
 207 # sentinel notification-script mymaster /var/redis/notify.sh
 208 
 209 # CLIENTS RECONFIGURATION SCRIPT
 210 #
 211 # sentinel client-reconfig-script <master-name> <script-path>
 212 #
 213 # When the master changed because of a failover a script can be called in
 214 # order to perform application-specific tasks to notify the clients that the
 215 # configuration has changed and the master is at a different address.
 216 #
 217 # The following arguments are passed to the script:
 218 #
 219 # <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>
 220 #
 221 # <state> is currently always "failover"
 222 # <role> is either "leader" or "observer"
 223 #
 224 # The arguments from-ip, from-port, to-ip, to-port are used to communicate
 225 # the old address of the master and the new address of the elected replica
 226 # (now a master).
 227 #
 228 # This script should be resistant to multiple invocations.
 229 #
 230 # Example:
 231 #
 232 # sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
 233 
 234 # SECURITY
 235 #
 236 # By default SENTINEL SET will not be able to change the notification-script
 237 # and client-reconfig-script at runtime. This avoids a trivial security issue
 238 # where clients can set the script to anything and trigger a failover in order
 239 # to get the program executed.
 240 
 241 sentinel leader-epoch mymaster 0
 242 
 243 # REDIS COMMANDS RENAMING
 244 #
 245 # Sometimes the Redis server has certain commands, that are needed for Sentinel
 246 # to work correctly, renamed to unguessable strings. This is often the case
 247 # of CONFIG and SLAVEOF in the context of providers that provide Redis as
 248 # a service, and don't want the customers to reconfigure the instances outside
 249 # of the administration console.
 250 #
 251 # In such case it is possible to tell Sentinel to use different command names
 252 # instead of the normal ones. For example if the master "mymaster", and the
 253 # associated replicas, have "CONFIG" all renamed to "GUESSME", I could use:
 254 #
 255 # SENTINEL rename-command mymaster CONFIG GUESSME
 256 #
 257 # After such configuration is set, every time Sentinel would use CONFIG it will
 258 # use GUESSME instead. Note that there is no actual need to respect the command
 259 # case, so writing "config guessme" is the same in the example above.
 260 #
 261 # SENTINEL SET can also be used in order to perform this configuration at runtime.
 262 #
 263 # In order to set a command back to its original name (undo the renaming), it
 264 # is possible to just rename a command to itsef:
 265 #
 266 # SENTINEL rename-command mymaster CONFIG CONFIG
 267 # Generated by CONFIG REWRITE
 268 protected-mode no
 269 user default on nopass ~* +@all
 270 sentinel current-epoch 0

rspamd client

Activate usage of sentinels in rspamd to determine write_servers and read_servers
/etc/rspamd/local.d/redis.conf

   1 sentinels = "192.168.0.11, 192.168.0.12, 192.168.0.13"; # Servers list (default port 5000)                                                                
   2 sentinel_watch_time = 1min;                             # How often Rspam will query sentinels for masters and slaves                                     
   3 sentinel_masters_pattern = "^mymaster.*$";              # Defines masters pattern to match in Lua syntax (no pattern means all masters)                   
   4 servers = "192.168.0.11, 192.168.0.12, 192.168.0.13";   # Defines the initial set of servers that would be used if no sentinel can be accessed            
   5

Always fix #Unix Permissions.

worker-controller

Create passwords for read-only and write access with rspamadm pw

   1 rspamadm pw
   2 Enter passphrase:
   3 $2$dc3s6ifn37iccs1tmnk74hzwxb6gpcbn$qak7a9wy1wcom7f99hwtxf1t3nxcht5pfsyd4t7w46qxrqofswgy
   4 rspamadm pw
   5 Enter passphrase:
   6 $2$6zfmwfmsebg31wwtrkxuezjuiiymddhi$6mbejg5camddsg1fqeu1oh1jnd15p1qsk1jbfkyzj97b5qbb8q5b

Change passwords for website
/etc/rspamd/local.d/worker-controller.inc

   1 ### RSPAMD local.d config
   2 
   3 count = 1;
   4 
   5 # password for read-only commands
   6 password = "$2$dc3s6ifn37iccs1tmnk74hzwxb6gpcbn$qak7a9wy1wcom7f99hwtxf1t3nxcht5pfsyd4t7w46qxrqofswgy";
   7 # password for write commands
   8 enable_password: "$2$6zfmwfmsebg31wwtrkxuezjuiiymddhi$6mbejg5camddsg1fqeu1oh1jnd15p1qsk1jbfkyzj97b5qbb8q5b";
   9 # list or map with IP addresses that are treated as secure
  10 # so all commands are allowed from these IPs without passwords
  11 secure_ip = "127.0.0.1";
  12 secure_ip = "::1";
  13 # directory where interface static files are placed (usually ${WWWDIR})
  14 static_dir = "${WWWDIR}";
  15 # path where controller save persistent stats about rspamd
  16 # (such as scanned messages count)
  17 #stats_path =

Always fix #Unix Permissions.

Check Webfrontend (over ssh-tunnel)

   1 ssh -L 8080:localhost:11334 mx1.rockstable.it

Then simply call in your browser: http://localhost:8080/

DomainKeys Identified Mail (DKIM)

Configure DKIM

   1 DOMAIN="rockstable.it"
   2 SELECTOR="$(date +%Y)"
   3 DKIM_PATH="/var/lib/rspamd/dkim"
   4 DKIM_FILE="$DKIM_PATH/$DOMAIN.$SELECTOR"
   5 
   6 install -o root -g _rspamd -m 2710 \
   7         -d "$DKIM_PATH"
   8 rspamadm dkim_keygen \
   9         -b 2048 -s "$SELECTOR" \
  10         -k "$DKIM_FILE".pem \
  11         |tee "$DKIM_FILE".txt
  12 2019._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  13         "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1b+tmkhLzUAW0p2PpePX5XOXBqPobfUnkyEmcc4QJ6WArk67m8CSO1KStZMbK2PC81hWtSoMf4S0qprfn30ARRvlqMJYGuyE26Tk4yYZvG7oS6tszEB9HKe88SEjD6Ax6YMFtcNAZctd9kcjfLZI7YmTJXKkGaxJH8qNklr5oXco5Ka2ZQuSQKiOCiDoffeck6yQSNdMIH77GXzw"
  14         "K+g2v6dab57FSOFzbNXWEkdfqZd9Ig12/vLBhPQ4gWxlpeHKR/y6LLZXfi3xBS5XtWVrt6PHqYhsLt39X0lwJosoFGcq6AfUaCgTljHq1fhkvR5cS+JJ14dpTZ6cqnbii9V2QIDAQAB"
  15 ) ;

/etc/rspamd/local.d/dkim_signing.conf

   1 # If true, username does not need to contain matching domain
   2 ### ENABLE DKIM SIGNING FOR ALIAS SENDER ADDRESSES
   3 allow_username_mismatch = true;
   4 
   5 # Default selector to use
   6 # UNIFY TO REUSE CONFIG FOR DMARC
   7 selector = "2019";

Always fix #Unix Permissions.

Configure your TXT Record in DNS as in file
/var/lib/rspamd/dkim/rockstable.it.2019.txt

   1 $TTL    86400
   2 $ORIGIN rockstable.it.
   3 
   4 ; SOA RECORD WITH INCREMENTED SERIAL OMITTED
   5 
   6 ; DKIM DOMAINKEY
   7 2019._domainkey         TXT     ( "v=DKIM1; k=rsa; "
   8         "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5Ld6R37vRthQgqQlLkWs+HDxPNz/sTn/qCQooBtWMlTjz3487TM7owU4ryEg1RKsflxPvZrxcDnEthib6ckiH4LpFRYdK3kCkpoCNshPZruXcY0fV+Qv/pJ12nlKBe7jTcqAVhvbh/P6eyYdERCuDFN6yiWJtjKOKgt4sKZHtSR12ZPlPLHguR9C+rXQzoNbV69WaWOo0HpDaPEvj"
   9         "ZRXawEBfczQ7ArYzEu6V737PIlsBdEK29Jg/rQozBBN3ZzrfdR3gFHYytDZimVdx7rZ2KIvFR+E1l+EQnjw8EW/6Hk5yCjCr0HcgnWPJ88enNOS2EifhYLp8Wyocj+UFBcY1QIDAQAB"
  10 ) ;

Reload rspamd

   1 systemctl reload rspamd.service

Check it!

There should be a DKIM-Header in the mails you send. The selector is specified by s=2019.

   1 …
   2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rockstable.it;
   3     s=2019; t=1602958680; h=from:from:sender:reply-to:subject:subject:date:date:
   4     message-id:message-id:to:to:cc:mime-version:mime-version:
   5     content-type:content-type:
   6     content-transfer-encoding:content-transfer-encoding:
   7     in-reply-to:in-reply-to:references:references;
   8     bh=VJsvh7GQqRsC7z/aMdedXfoWJ3TGCqWZKhAQC8zBYtU=;
   9     b=oJzj33E6XjYdJrvSIB1rrSnaZuWT4oD3xDUbn3VkACul6z+gaAwFhKLJXv8Z6MwtjWfxjb
  10     3iUwbdfthJ7d8h84XT+cIUWX9INGK9YUSBiG4TjArt3Y/7AtlW/6z0qz/6/T1US0ULTdlZ
  11     97/DGp31mhypWSEYK+kCEOFJbMRQ0ZzDipRMhygrbZgFONaap16FXh5SDwyCcbRHuM18A2
  12     wEKjiDbHz80OToPRECsfSQr+Pag1+VN5/4pXTeXziIIagt+V/tWMgd5afhrotLGhP8sEBf
  13     PYWuHe3UFICHnn2xX1gmm2ZZ1F4iv2RMiIRx0KqoTVJbf2oCr3n7O4jazhpYyQ==
  14 …

Authenticated Received Chain (ARC)

Just link to dkim_signing.conf because they are using the same backend for handling signatures.

   1 cd /etc/rspamd/local.d
   2 ln -s dkim_signing.conf arc.conf
   3 #ln -s /etc/rspamd/local.d/{dkim_signing.conf,arc.conf}
   4

Antivirus Checks

Make sure http is allowed to the following hosts to download virus definitions.

db.local.clamav.net
database.clamav.net

Install clamav-daemon

   1 aptitude install clamav-daemon clamav

Adjust ClamAV Config

Change LocalSocket
Add TCPAddr and TCPSocket

/etc/clamav/clamd.conf

   1 #Automatically Generated by clamav-daemon postinst
   2 #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
   3 #Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
   4 #LocalSocket /var/run/clamav/clamd.ctl
   5 LocalSocket /run/clamav/clamd.ctl
   6 FixStaleSocket true
   7 LocalSocketGroup clamav
   8 LocalSocketMode 666
   9 # TemporaryDirectory is not set to its default /tmp here to make overriding
  10 # the default with environment variables TMPDIR/TMP/TEMP possible
  11 User clamav
  12 ScanMail true
  13 ScanArchive true
  14 ArchiveBlockEncrypted false
  15 MaxDirectoryRecursion 15
  16 FollowDirectorySymlinks false
  17 FollowFileSymlinks false
  18 ReadTimeout 180
  19 MaxThreads 12
  20 MaxConnectionQueueLength 15
  21 LogSyslog false
  22 LogRotate true
  23 LogFacility LOG_LOCAL6
  24 LogClean false
  25 LogVerbose false
  26 PreludeEnable no
  27 PreludeAnalyzerName ClamAV
  28 DatabaseDirectory /var/lib/clamav
  29 OfficialDatabaseOnly false
  30 SelfCheck 3600
  31 Foreground false
  32 Debug false
  33 ScanPE true
  34 MaxEmbeddedPE 10M
  35 ScanOLE2 true
  36 ScanPDF true
  37 ScanHTML true
  38 MaxHTMLNormalize 10M
  39 MaxHTMLNoTags 2M
  40 MaxScriptNormalize 5M
  41 MaxZipTypeRcg 1M
  42 ScanSWF true
  43 ExitOnOOM false
  44 LeaveTemporaryFiles false
  45 AlgorithmicDetection true
  46 ScanELF true
  47 IdleTimeout 30
  48 CrossFilesystems true
  49 PhishingSignatures true
  50 PhishingScanURLs true
  51 PhishingAlwaysBlockSSLMismatch false
  52 PhishingAlwaysBlockCloak false
  53 PartitionIntersection false
  54 DetectPUA false
  55 ScanPartialMessages false
  56 HeuristicScanPrecedence false
  57 StructuredDataDetection false
  58 CommandReadTimeout 30
  59 SendBufTimeout 200
  60 MaxQueue 100
  61 ExtendedDetectionInfo true
  62 OLE2BlockMacros false
  63 AllowAllMatchScan true
  64 ForceToDisk false
  65 DisableCertCheck false
  66 DisableCache false
  67 MaxScanTime 120000
  68 MaxScanSize 100M
  69 MaxFileSize 25M
  70 MaxRecursion 16
  71 MaxFiles 10000
  72 MaxPartitions 50
  73 MaxIconsPE 100
  74 PCREMatchLimit 10000
  75 PCRERecMatchLimit 5000
  76 PCREMaxFileSize 25M
  77 ScanXMLDOCS true
  78 ScanHWP3 true
  79 MaxRecHWP3 16
  80 StreamMaxLength 25M
  81 LogFile /var/log/clamav/clamav.log
  82 LogTime true
  83 LogFileUnlock false
  84 LogFileMaxSize 0
  85 Bytecode true
  86 BytecodeSecurity TrustSigned
  87 BytecodeTimeout 60000
  88 OnAccessMaxFileSize 5M
  89 ### ENABLE NETWORKING
  90 TCPAddr 127.0.0.1
  91 TCPSocket 3310

/etc/systemd/system/clamav-daemon.socket

   1 [Unit]
   2 Description=Clam AntiVirus userspace daemon
   3 
   4 [Install]
   5 WantedBy=sockets.target
   6 
   7 [Socket]
   8 ListenStream=
   9 ListenStream=/run/clamav/clamd.ctl
  10 ListenStream=127.0.0.1:3310

Reload systemd, enable socket restart clamav-daemon

   1 systemctl daemon-reload
   2 systemctl enable clamav-daemon.socket
   3 systemctl status clamav-daemon.socket
   4 systemctl enable clamav-daemon.service
   5 systemctl restart clamav-daemon.service
   6 systemctl status clamav-daemon.service

Check if daemon is listening ss -tulpen|grep 3310

   1 Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port                                                                                                                                                                                    
   2 tcp    LISTEN  0       15      127.0.0.1:3310      0.0.0.0:* users:(("clamd",pid=17811,fd=4)) uid:109 ino:414291 sk:d <->

Copy configuration

   1 cp /etc/rspamd/modules.d/antivirus.conf \
   2         /etc/rspamd/local.d/antivirus.conf

Enable Antivirus/ClamAV in Rspamd /etc/rspamd/local.d/antivirus.conf

   1 # Please don't modify this file as your changes might be overwritten with
   2 # the next update.
   3 #
   4 # You can modify 'local.d/antivirus.conf' to add and merge
   5 # parameters defined inside this section
   6 #
   7 # You can modify 'override.d/antivirus.conf' to strictly override all
   8 # parameters defined inside this section
   9 #
  10 # See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
  11 # for details
  12 #
  13 # Module documentation can be found at  https://rspamd.com/doc/modules/antivirus.html
  14 
  15 antivirus {
  16   # multiple scanners could be checked, for each we create a configuration block with an arbitrary name
  17   clamav {
  18     # If set force this action if any virus is found (default unset: no action is forced)
  19     # action = "reject";
  20     # message = '${SCANNER}: virus found: "${VIRUS}"';
  21     # Scan mime_parts separately - otherwise the complete mail will be transferred to AV Scanner
  22     #scan_mime_parts = true;
  23     # Scanning Text is suitable for some av scanner databases (e.g. Sanesecurity)
  24     #scan_text_mime = false;
  25     #scan_image_mime = false;
  26     # If `max_size` is set, messages > n bytes in size are not scanned
  27     #max_size = 20000000;
  28     # symbol to add (add it to metric if you want non-zero weight)
  29     #symbol = "CLAM_VIRUS";
  30     # type of scanner: "clamav", "fprot", "sophos" or "savapi"
  31     type = "clamav";
  32     # For "savapi" you must also specify the following variable
  33     #product_id = 12345;
  34     # You can enable logging for clean messages
  35     #log_clean = true;
  36     # servers to query (if port is unspecified, scanner-specific default is used)
  37     # can be specified multiple times to pool servers
  38     # can be set to a path to a unix socket
  39     # Enable this in local.d/antivirus.conf
  40     servers = "127.0.0.1:3310";
  41     # if `patterns` is specified virus name will be matched against provided regexes and the related
  42     # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
  43     patterns {
  44       # symbol_name = "pattern";
  45       JUST_EICAR = '^Eicar-Test-Signature$';
  46     }
  47     #patterns_fail {
  48       # symbol_name = "pattern";
  49       #CLAM_PROTOCOL_ERROR = '^unhandled response';
  50     #}
  51     # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
  52     whitelist = "/etc/rspamd/antivirus.wl";
  53   }
  54 }

Always fix #Unix Permissions.

Reload Rspamd

   1 systemctl reload rspamd.service

Integration with MTA

For integration with Postfix, please return to postfix#rspamd

Configurations

Services

Sports

Navigation

rspamd

About

Installation

Ports

Configuration

Unix Permissions

redis backend

Redis OS optimizations

redis replication

redis replication master

check replication

redis replication slave

rspamd client

redis redundancy with sentinel

rspamd client

worker-controller

DomainKeys Identified Mail (DKIM)

Configure DKIM

Authenticated Received Chain (ARC)

Antivirus Checks

Integration with MTA