From d240521c1a39f6116b4697609c1a242ae7a6dbe6 Mon Sep 17 00:00:00 2001
From: genofire
Date: Wed, 22 Jul 2020 23:56:53 +0200
Subject: [PATCH] improve rspamd (+sieve)
---
 defaults/main.yml | 1 +
 files/dovecot-spam.sieve | 9 ++++++
 files/rspamd/learn-ham.sieve | 2 ++
 files/rspamd/learn-spam.sieve | 2 ++
 tasks/dovecot.yml | 16 ++++++++++-
 tasks/rspamd.yml | 38 ++++++++++++++++++++++++++
 templates/rspamd/arc.conf | 5 ++++
 templates/rspamd/classifier-bayes.conf | 3 ++
 templates/rspamd/dkim_signing.conf | 5 ++++
 templates/rspamd/milter_headers.conf | 2 ++
 templates/rspamd/redis.conf | 1 +
 11 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 files/dovecot-spam.sieve
 create mode 100644 files/rspamd/learn-ham.sieve
 create mode 100644 files/rspamd/learn-spam.sieve
 create mode 100644 templates/rspamd/arc.conf
 create mode 100644 templates/rspamd/classifier-bayes.conf
 create mode 100644 templates/rspamd/dkim_signing.conf
 create mode 100644 templates/rspamd/milter_headers.conf
 create mode 100644 templates/rspamd/redis.conf
diff --git a/defaults/main.yml b/defaults/main.yml
index ac9cb33..8c331f2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,4 @@ mailserver_postfixadmin_default_aliases:
 webmaster: "webmaster@{{ mailserver_mail_domain }}"
 mailserver_rspamd_enabled: true
+mailserver_rspamd_dkim_selector: "2020"
diff --git a/files/dovecot-spam.sieve b/files/dovecot-spam.sieve
new file mode 100644
index 0000000..779243b
--- /dev/null
+++ b/files/dovecot-spam.sieve
@@ -0,0 +1,9 @@
+require "fileinto";
+
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto "Junk";
+}
+
+if header :is "X-Spam" "Yes" {
+ fileinto "Junk";
+}
diff --git a/files/rspamd/learn-ham.sieve b/files/rspamd/learn-ham.sieve
new file mode 100644
index 0000000..12cda81
--- /dev/null
+++ b/files/rspamd/learn-ham.sieve
@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy "rspamc" ["learn_ham"];
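Review bot: In files/dovecot-spam.sieve the two tests use different match types (`:contains` for `X-Spam-Flag`, `:is` for `X-Spam`) and sit in two separate `if` blocks, so a message carrying both headers reaches `fileinto "Junk"` twice. A single rule states the intent more clearly: `if anyof (header :is "X-Spam-Flag" "YES", header :is "X-Spam" "Yes") { fileinto "Junk"; }`. Neither header name appears in the `use` list of templates/rspamd/milter_headers.conf in this commit, so it is worth confirming which component adds them and that copies arriving from outside are stripped before delivery; otherwise the filing decision rests on a header the sender can set.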
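Review bot: files/rspamd/learn-ham.sieve (and learn-spam.sieve in the same commit) pipes the message into `rspamc` with no comment on when the script runs or whose statistics it trains. Together with the Redis-backed Bayes classifier added in templates/rspamd/classifier-bayes.conf, every mailbox user who can trigger these scripts appears to train one shared model, so a single account can skew classification for all users; that should be a recorded decision, or the classifier should be configured per user. A header comment along the lines of `# imapsieve: trains the shared rspamd Bayes model as ham` (worded to match the actual imapsieve rule) would capture this. The imapsieve mailbox and cause wiring is not part of this diff.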
diff --git a/files/rspamd/learn-spam.sieve b/files/rspamd/learn-spam.sieve
new file mode 100644
index 0000000..ef4634a
--- /dev/null
+++ b/files/rspamd/learn-spam.sieve
@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy "rspamc" ["learn_spam"];
diff --git a/tasks/dovecot.yml b/tasks/dovecot.yml
index c8d6ad6..56a334b 100644
--- a/tasks/dovecot.yml
+++ b/tasks/dovecot.yml
@@ -51,8 +51,22 @@
 - conf.d/90-sieve.conf
 - conf.d/91-stats.conf
+- name: dovecot - create sieve folder
+ file:
+ path: /srv/mail/sieve
+ state: directory
+ owner: vmail
+ group: vmail
+
+- name: dovecot - sieve default spam
+ copy:
+ src: dovecot-spam.sieve
+ dest: /srv/mail/sieve/spam.sieve
+ owner: vmail
+ group: vmail
+
 - name: dovecot - start and enable on boot
 systemd:
 name: dovecot
 enabled: yes
- state: restarted
+ state: started
diff --git a/tasks/rspamd.yml b/tasks/rspamd.yml
index 7efd802..1223905 100644
--- a/tasks/rspamd.yml
+++ b/tasks/rspamd.yml
@@ -4,3 +4,41 @@
 state: latest
 name:
 - rspamd
+ - redis
+
+- name: rspamd - start and enable redis on boot
+ systemd:
+ name: redis
+ enabled: yes
+ state: started
+
+- name: rspamd - create config folder
+ file:
+ path: /etc/rspamd/local.d
+ state: directory
+
+- name: rspamd - config
+ template:
+ src: "rspamd/{{ item }}"
+ dest: "/etc/rspamd/local.d/{{ item }}"
+ with_items:
+ - arc.conf
+ - classifier-bayes.conf
+ - dkim_signing.conf
+ - milter_headers.conf
+ - redis.conf
+ #- worker-controller.inc
+
+- name: rspamd - install sieve
+ copy:
+ src: "rspamd/{{ item }}"
+ dest: "/srv/mail/sieve/{{ item }}"
+ with_items:
+ - learn-ham.sieve
+ - learn-spam.sieve
+
+- name: rspamd - start and enable on boot
+ systemd:
+ name: rspamd
+ enabled: yes
+ state: started
diff --git a/templates/rspamd/arc.conf b/templates/rspamd/arc.conf
new file mode 100644
index 0000000..87dcd2d
--- /dev/null
+++ b/templates/rspamd/arc.conf
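Review bot: Changing the last task of tasks/dovecot.yml from `state: restarted` to `state: started` means an already running dovecot no longer picks up changed conf.d files or the new sieve script, and no `notify:` or handler is visible in this hunk to replace the unconditional restart. Add `notify: restart dovecot` to the config and sieve tasks, backed by a handler that restarts the service. The new `file` and `copy` tasks set owner and group but no `mode:`, so the resulting permissions depend on the umask; state them explicitly, e.g. `mode: "0750"` on the directory and `mode: "0640"` on spam.sieve. The config task that the two `conf.d/...` items belong to starts above the hunk.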
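Review bot: The `rspamd - install sieve` task in tasks/rspamd.yml copies learn-ham.sieve and learn-spam.sieve into /srv/mail/sieve without `owner`, `group` or `mode`, while tasks/dovecot.yml in this commit gives spam.sieve in the same directory `owner: vmail` and `group: vmail`; the two should agree, and this task also relies on the dovecot tasks having created the directory first. The `rspamd - config` template task has the same gap and no `notify:`, so with `state: started` a running rspamd keeps its old configuration after a template change. The commented-out `#- worker-controller.inc` item should either go or carry a comment saying why the controller settings stay at package defaults. The package task this hunk extends begins above the hunk.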
@@ -0,0 +1,5 @@
+path = "/var/lib/rspamd/dkim/$selector.key";
+selector = "{{ mailserver_rspamd_dkim_selector }}";
+
+### Enable DKIM signing for alias sender addresses
+allow_username_mismatch = true;
diff --git a/templates/rspamd/classifier-bayes.conf b/templates/rspamd/classifier-bayes.conf
new file mode 100644
index 0000000..8a60b20
--- /dev/null
+++ b/templates/rspamd/classifier-bayes.conf
@@ -0,0 +1,3 @@
+backend = "redis";
+new_schema = true;
+expire = 8640000;
diff --git a/templates/rspamd/dkim_signing.conf b/templates/rspamd/dkim_signing.conf
new file mode 100644
index 0000000..87dcd2d
--- /dev/null
+++ b/templates/rspamd/dkim_signing.conf
@@ -0,0 +1,5 @@
+path = "/var/lib/rspamd/dkim/$selector.key";
+selector = "{{ mailserver_rspamd_dkim_selector }}";
+
+### Enable DKIM signing for alias sender addresses
+allow_username_mismatch = true;
diff --git a/templates/rspamd/milter_headers.conf b/templates/rspamd/milter_headers.conf
new file mode 100644
index 0000000..73bc830
--- /dev/null
+++ b/templates/rspamd/milter_headers.conf
@@ -0,0 +1,2 @@
+use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
+authenticated_headers = ["authentication-results"];
diff --git a/templates/rspamd/redis.conf b/templates/rspamd/redis.conf
new file mode 100644
index 0000000..5a9c582
--- /dev/null
+++ b/templates/rspamd/redis.conf
@@ -0,0 +1 @@
+servers = "127.0.0.1";
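Review bot: `allow_username_mismatch = true` in templates/rspamd/arc.conf (and in the byte-identical templates/rspamd/dkim_signing.conf) lets rspamd sign mail whose From domain does not match the authenticated login, and `path` contains only `$selector`, so the same key is used for whatever domain is being signed. That is safe only if something else restricts which sender addresses a login may use (for Postfix, `smtpd_sender_login_maps` with `reject_authenticated_sender_login_mismatch` covers the envelope sender); nothing in this diff shows such a control, so the comment should state the dependency. In arc.conf the comment still says "DKIM signing" although the file configures ARC. Because both templates are identical, rendering one source file to both destinations would keep them from drifting apart.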
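Review bot: `expire = 8640000;` in templates/rspamd/classifier-bayes.conf is an unexplained magic number. A comment such as `# token lifetime: 8640000 s = 100 days` (assuming the unit is seconds, to be confirmed against the rspamd documentation) would save the next reader the arithmetic.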
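Review bot: templates/rspamd/dkim_signing.conf points at `/var/lib/rspamd/dkim/$selector.key`, but no task in this commit creates that directory or the key, so on a fresh host signing will presumably be skipped until someone installs a key by hand. Either add tasks that create the directory and generate the key with `rspamadm dkim_keygen`, readable only by the rspamd service user, or document the manual step and the matching DNS record next to `mailserver_rspamd_dkim_selector`. A private key readable by other local accounts would allow them to produce valid signatures for the domain, so ownership and mode belong in the role rather than in operator memory.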
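Review bot: templates/rspamd/redis.conf connects to `127.0.0.1` without a password, and tasks/rspamd.yml in this commit installs and starts the redis package with whatever configuration the distribution ships. The role should confirm or enforce that Redis listens on loopback only (its `bind` setting) and is not reachable from other hosts, because the instance now holds the Bayes statistics and accepts unauthenticated commands. If the instance is shared with other services on the host, say so in a comment or give rspamd its own instance.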