try to get rspamd to work

2024-11-10 06:24:17 +00:00 · 2021-03-24 14:34:30 +01:00 · 2021-03-24 14:34:30 +01:00 · 72276db6da
commit 72276db6da
parent 8372eb72ce
9 changed files with 66 additions and 15 deletions
--- a/roles/email/defaults/main.yml
+++ b/roles/email/defaults/main.yml
@ -4,6 +4,12 @@ postfix_user_name: postfix #TODO do not run as root
 opendkim_user_name: opendkim
 opendkim_group_name: opendkim
 email_group_name: email
+email_network_prefix: "172.3.0"
+email_network_gateway: "{{ email_network_prefix }}.1"
+email_network: "{{ email_network_prefix }}.0/24"
+#email_local_send_network: "127.0.0.1"
+email_local_send_network: "172.3.0.1"
+

 email_domain: ratzupaltuff-test.famedly.de
 email_base_path: "/opt/email"
@ -25,8 +31,7 @@ postfix_smtpd_milters_ip: "{{ email_network_prefix }}.4" #todo automate that #cu
 postfix_docker_labels: {} #override e.g. for traefik

 postfix_hostname: "mail.{{ email_domain }}"
-postfix_sender_networks: "172.3.0.0/24" #, 127.0.0.0/24" #comma separated
-email_network_prefix: "172.3.0"
+postfix_sender_networks: "{{ email_network }}" #, 127.0.0.0/24" #comma separated

 #dovecot
 dovecot_user_name: vmail
@ -50,9 +55,9 @@ opendkim_docker_labels: {}
 opendkim_conf_path: "/etc/opendkim/opendkim.conf"
 opendkim_cert_path: "/etc/opendkim"
 opendkim_cert_filepath: "{{ opendkim_cert_path }}/{{ dkim_cert_filename }}"
-opendkim_sign_addresses: "172.3.0.1/24" #comma separated cidr notation
+opendkim_sign_addresses: "{{ email_network_prefix }}.1/24" #comma separated cidr notation
 opendkim_port: 8891
-opendkim_listening_address: "172.3.0.5"
+opendkim_listening_address: "{{ email_network_prefix }}.5"
 opendkim_listening_socket: "inet:{{ opendkim_port }}@{{ opendkim_listening_address }}"

 #rspamd
@ -67,5 +72,8 @@ rspamd_docker_ports: []
 rspamd_docker_labels: {}
 dkim_selector_name: ratzupaltuff-test #hostname or month/year
 dkim_cert_filename: "{{ dkim_selector_name }}.key.pem"
+#rspamd_listening_address: "{{ email_network_prefix }}.1" #v4 for any v4 interface
+rspamd_listening_address: "172.3.0.5" #v4 for any v4 interface
+rspamd_milter_listening_port: "11332"
 rspamd_docker_volumes:
-  - "{{ rspamd_host_base_path }}/static_runtime_data/:{{ rspamd_docker_static_runtime_data_path }}:rw"
+  - "{{ rspamd_host_base_path }}/static_runtime_data/:{{ rspamd_docker_static_runtime_data_path }}:rw"
--- a/roles/email/tasks/main.yml
+++ b/roles/email/tasks/main.yml
@ -12,9 +12,9 @@
      group: "{{ email_group_name }}"
    become: true

-#  - name: install postfix
-#    import_tasks: postfix.yml
-#    become: true
+  - name: install postfix
+    import_tasks: postfix.yml
+    become: true
    
  - name: install rspamd
    import_tasks: rspamd.yml
--- a/roles/email/tasks/postfix.yml
+++ b/roles/email/tasks/postfix.yml
@ -37,6 +37,7 @@
      restart_policy: unless-stopped
      recreate: true
      pull: true
+      hostname: "{{ postfix_docker_name }}"
      volumes:
        - "{{ postfix_base_path }}/spool:{{ postfix_container_spool_path }}"
        - "{{ postfix_base_path }}/config/main.cf:{{ postfix_container_config_path }}/main.cf"
--- a/roles/email/tasks/rspamd.yml
+++ b/roles/email/tasks/rspamd.yml
@ -42,6 +42,9 @@
    file:
      path: '{{ rspamd_host_base_path }}/config/{{ item.path }}'
      state: directory
+      owner: "{{ rspamd_user.name }}"
+      group: "{{ rspamd_user.group }}"
+      mode: '0700'
    with_filetree: '../templates/rspamd/configdir'
    when: item.state == 'directory'

@ -49,6 +52,9 @@
    template:
      src: 'rspamd/configdir/{{ item.path }}'
      dest: '{{ rspamd_host_base_path }}/config/{{ item.path }}'
+      owner: "{{ rspamd_user.name }}"
+      group: "{{ rspamd_user.group }}"
+      mode: '0700'
    with_filetree: '../templates/rspamd/configdir'
    when: item.state == 'file'

@ -73,9 +79,8 @@
      labels: "{{ rspamd_docker_labels }}"
      restart_policy: unless-stopped
      recreate: true
-      user: "{{ rspamd_user.uid }}:{{ rspamd_user.group }}"
+      hostname: "{{ rspamd_docker_name }}"
+      user: "{{ rspamd_user.uid }}:{{ rspamd_user.group }}" #not needed because rspamd forks processes into users
      pull: true
-      #command: "--insecure"
-      #command: "/usr/sbin/rspamd -f -l -p {{ rspamd_listening_socket }} -d {{ email_domain }} -k {{ rspamd_cert_path }}/{{ rspamd_cert_filename }} -s {{ rspamd_selector_name }}"
+      #command: "-u {{ rspamd_user.name }} -g {{rspamd_group_name }}"
      volumes: "{{ rspamd_docker_volumes }}"
-              # - "{{ rspamd_base_path }}/certs/{{ rspamd_cert_filename }}:{{ rspamd_cert_filepath }}"
--- a/roles/email/templates/postfix/main.cf
+++ b/roles/email/templates/postfix/main.cf
@ -610,7 +610,8 @@ debug_peer_level = 2
 # increase the verbose logging level by the amount specified in the
 # debug_peer_level parameter.
 #
-debug_peer_list = 127.0.0.1, 172.3.0.1 #TODO
+debug_peer_list = 127.0.0.1, 172.3.0.1 
+#TODO
 #debug_peer_list = some.domain

 # The debugger_command specifies the external command that is executed
@ -693,6 +694,10 @@ notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
 smtputf8_enable = no
 #Increase message size limit from 10MB(10240000) to 100MiB
 message_size_limit = 104857600
+milter_protocol = 6

-smtpd_milters = inet:{{ opendkim_listening_address }}:8891
-non_smtpd_milters = inet:{{ opendkim_listening_address }}:8891
+smtpd_milters = inet:{{ rspamd_listening_address }}:{{ rspamd_milter_listening_port }}
+non_smtpd_milters = inet:{{ rspamd_listening_address }}:{{ rspamd_milter_listening_port }}
+
+# skip mail without checks if something goes wrong
+milter_default_action = accept
--- a/roles/email/templates/rspamd/configdir/local.d/options.inc
+++ b/roles/email/templates/rspamd/configdir/local.d/options.inc
@ -0,0 +1,6 @@
+# /etc/rspamd/local.d/options.inc
+filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
+
+# Local networks (default)
+# skip some checks like spf
+local_addrs = "{{ email_local_send_network }}";
--- a/roles/email/templates/rspamd/configdir/local.d/worker-normal.inc
+++ b/roles/email/templates/rspamd/configdir/local.d/worker-normal.inc
@ -0,0 +1,6 @@
+# /etc/rspamd/local.d/worker-normal.inc
+#bind_socket = "*:{{ rspamd_listening_port }}";
+bind_socket = "*:11333";
+#count = 1;
+#enabled = true; #default
+#enabled = false; #not needed in proxy selfscan mode
--- a/roles/email/templates/rspamd/configdir/local.d/worker-proxy.inc
+++ b/roles/email/templates/rspamd/configdir/local.d/worker-proxy.inc
@ -0,0 +1,18 @@
+# /etc/rspamd/local.d/worker-proxy.inc
+milter = yes; # Enable milter mode
+timeout = 120s; # Needed for Milter usually
+upstream "local" {
+  default = yes; # Self-scan upstreams are always default
+  self_scan = yes; # Enable self-scan
+}
+
+count = 4; # Spawn more processes in self-scan mode
+max_retries = 5; # How many times master is queried in case of failure
+discard_on_reject = false; # Discard message instead of rejection
+quarantine_on_reject = false; # Tell MTA to quarantine rejected messages
+spam_header = "X-Spam"; # Use the specific spam header
+reject_message = "Spam message rejected"; # Use custom rejection message
+
+bind_socket = "*:{{ rspamd_milter_listening_port }}";
+#count = 1;
+#enabled = true; #default
--- a/roles/email/tests/openrelaycheck.yml
+++ b/roles/email/tests/openrelaycheck.yml
@ -7,3 +7,5 @@
      - "MAIL FROM: test@{{ email_domain }}"
      - "RCPT TO: v.wilke@famedly.de"
      - "DATA" #not tested this file has to be reviewed!
+      - "."
+      - "QUIT"