## System configuration
- Disable SELinux. Update the configuration file at `/etc/sysconfig/selinux` and set the following
```bash
SELINUX=disabled
```
- Reboot the server for it to take effect
```bash
reboot
```
## Installation of the Dependencies
- Apply updates and install the EPEL release package
```bash
dnf update -y
dnf install epel-release -y
```
- Install packages
```bash
dnf install git redis unbound nginx certbot python3-certbot-nginx -y
```
- Set redis to automatically start on boot
```bash
systemctl enable redis
```
- Update the `supervised` setting in the `/etc/redis.conf` file from `no` to `systemd`
```
supervised systemd
```
- Start the redis service and check the status
```bash
systemctl start redis
systemctl status redis
```
- Test if redis is working
```bash
redis-cli ping
```
## Installation and Configuration of Rspamd
##### Installation of Rspamd
- Add the rspamd repo, import the signing key and install rspamd
```bash
source /etc/os-release
# PLATFORM_ID looks like "platform:el9"; keep only the major version number
export EL_VERSION=$(echo -n "$PLATFORM_ID" | sed "s/.*el//")
curl https://rspamd.com/rpm-stable/centos-${EL_VERSION}/rspamd.repo > /etc/yum.repos.d/rspamd.repo
rpm --import https://rspamd.com/rpm-stable/gpg.key
dnf install rspamd -y
```
- Set rspamd to automatically start on boot
```bash
systemctl enable rspamd
```
##### Configuration of Rspamd
- Add configuration to point rspamd to local redis server. Create the file at `/etc/rspamd/local.d/redis.conf` and add the following
```
read_servers = "127.0.0.1:6379";
write_servers = "127.0.0.1:6379";
```
- Add options configuration to change the DNS settings for rspamd. Create the file at `/etc/rspamd/local.d/options.inc` and add the following
```bash
dns_max_requests = 128;
dns {
nameserver = "master-slave:127.0.0.1,8.8.8.8";
timeout = 30s;
sockets = 32;
retransmits = 5;
}
```
- Add backend configuration for statistics to point to redis. Create the file at `/etc/rspamd/local.d/classifier-bayes.conf` and add the following
```bash
servers = "127.0.0.1";
backend = "redis";
```
- Change the score at which rspamd rejects emails. Create the file `/etc/rspamd/local.d/actions.conf` and add the following
```bash
reject = 100;
```
- Disable greylisting, dkim, dkim_signing, and dmarc within rspamd, since we check for those outside of rspamd. Create the following files:
  - `/etc/rspamd/local.d/greylist.conf`
  - `/etc/rspamd/local.d/dkim.conf`
  - `/etc/rspamd/local.d/dkim_signing.conf`
  - `/etc/rspamd/local.d/dmarc.conf`

  Add the following in each file:
```bash
enabled = false;
```
- Generate the value to be used as the password for accessing the web GUI. Run the following command; you will be asked to enter a passphrase, and the result is an encrypted password
```bash
rspamadm pw
```
- Create the file `/etc/rspamd/local.d/worker-controller.inc` and enter the password:
```bash
password = "<insert result from previous command>";
```
- Add the IPs of the mail servers as secure IPs so they don't get prompted for the password when using the API. Add the following line to the file `/etc/rspamd/local.d/worker-controller.inc`
```bash
secure_ip = "127.0.0.1, xxx.xxx.xxx.xxx";
```
- Set the rspamd worker bind_socket. Create the file `/etc/rspamd/local.d/worker-normal.inc` and add the following
```bash
bind_socket = "127.0.0.1:11333";
```
- Start rspamd and check for any errors in `/var/log/rspamd/rspamd.log`
```bash
systemctl start rspamd
```
- Check if rspamd answers to requests. The markup of the WebGui should be visible
```bash
curl 127.0.0.1:11334
```
- Then check the API
```bash
curl 127.0.0.1:11334/checkv2
```
- Result should look something like this
```bash
{"is_skipped":false,"score":0.0,"required_score":100.0,"action":"no action","thresholds":{"reject":100.0,"add header":6.0,"greylist":4.0},"symbols":{},"messages":{},"time_real":0.003437,"milter":{"remove_headers":{"X-Spam":0}}}
```
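A small Python client for the `/checkv2` endpoint, added here as an example (it is not from the wiki or from Rspamd itself): it parses the JSON shown above into the fields a delivery decision needs, cross-checks the reported `action` against the reported `thresholds`, and can submit a raw message to the controller, sending the `Password` header when the caller is not on a `secure_ip` host. `scan_message`, `summarize` and their parameters are names chosen for this example; the sample response is the one shown above, embedded so the parsing runs offline.

```python
import http.client
import json

# Constructed sample: the /checkv2 response shown above for an empty request.
SAMPLE_RESPONSE = (
    '{"is_skipped":false,"score":0.0,"required_score":100.0,"action":"no action",'
    '"thresholds":{"reject":100.0,"add header":6.0,"greylist":4.0},"symbols":{},'
    '"messages":{},"time_real":0.003437,"milter":{"remove_headers":{"X-Spam":0}}}'
)

# Order in which Rspamd escalates actions as the score rises.
ACTION_ORDER = ["greylist", "add header", "rewrite subject", "reject"]


def expected_action(score, thresholds):
    """Return the action the configured thresholds imply for a score.

    Walks from the harshest action down, so with the thresholds above a
    score of 6.5 yields "add header" and 100.0 yields "reject".
    """
    for action in reversed(ACTION_ORDER):
        limit = thresholds.get(action)
        if limit is not None and score >= limit:
            return action
    return "no action"


def summarize(raw):
    """Parse a /checkv2 JSON body into the fields a delivery decision needs,
    and flag a response whose action disagrees with its own thresholds."""
    data = json.loads(raw)
    thresholds = data.get("thresholds", {})
    score = float(data.get("score", 0.0))
    return {
        "action": data["action"],
        "score": score,
        "reject_at": thresholds.get("reject"),
        "consistent": data["action"] == expected_action(score, thresholds),
        "symbols": sorted(data.get("symbols", {})),
    }


def scan_message(raw_message, host="127.0.0.1", port=11334, password=None):
    """Submit a raw RFC 5322 message to the controller's /checkv2 endpoint.

    From a host listed in secure_ip no Password header is needed; from
    elsewhere pass the clear-text passphrase that was given to `rspamadm pw`.
    (Hypothetical helper: the page itself only calls the endpoint with curl.)
    """
    headers = {"Content-Type": "application/octet-stream"}
    if password:
        headers["Password"] = password
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("POST", "/checkv2", body=raw_message, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8")
        if resp.status != 200:
            raise RuntimeError(f"rspamd returned HTTP {resp.status}: {body[:200]}")
        return summarize(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the embedded sample; scan_message() needs a
    # running controller on 127.0.0.1:11334.
    print(summarize(SAMPLE_RESPONSE))
```

The `consistent` flag is worth keeping in any wrapper: if it ever comes back `False`, the thresholds in `actions.conf` and the scoring the controller applied have drifted apart, which is the first thing to check before trusting the `action` field.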
- Confirm our changes are active by checking the configdump. You should see a list of enabled and disabled modules.
```bash
rspamadm configdump -m
```
- If you want to see more, you can dump the configuration into a file:
```bash
rspamadm configdump > /etc/rspamd/configdump.txt
```
## Configure unbound
- Set unbound to start automatically at boot
```bash
systemctl enable unbound
```
## Configure firewalld
- Allow ports
```bash
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-port=8443/tcp
```
- Reload firewalld
```bash
firewall-cmd --reload
```
## Configure nginx
- Set nginx to automatically start at boot
```bash
systemctl enable nginx
```
- Add the configuration file to be used for the reverse proxy. Create the file `/etc/nginx/conf.d/RspamdProxy.conf`, add the following
```nginx
server {
    listen 80;
    server_name <your domain>;
}
```
- Start nginx
```bash
systemctl start nginx
```
## Certificate
- Run certbot to get certificate for rspamd
```bash
certbot --nginx -d <your domain>
```
- Certbot will ask you for the domain name and an email address. The certificate is then generated and the configuration file is updated as well. It should now look like this
```nginx
server {
    server_name <your domain>;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<your domain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<your domain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = <your domain>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name <your domain>;
    return 404; # managed by Certbot
}
```
- Update the SSL port to 8443, add the proxy and the additional headers, and point the HTTP redirect at the new port. The file should then look like the following
```nginx
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    server_name <your domain>;
    location / {
        root /usr/share/rspamd/www/;
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_pass http://127.0.0.1:11334;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
    listen 8443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<your domain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<your domain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = <your domain>) {
        # The TLS listener above is on 8443, so the redirect must carry that
        # port; a bare https:// URL would send clients to 443, where nothing
        # listens and which the firewall does not open.
        return 301 https://$host:8443$request_uri;
    } # managed by Certbot
    listen 80;
    server_name <your domain>;
    return 404; # managed by Certbot
}
```
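Moving the TLS listener off 443 makes it easy to leave the Certbot-generated redirect pointing at the wrong port, so here is an added Python lint for the proxy configuration (example code, not part of the wiki or of nginx): it splits the file into `server` blocks, confirms that every `return 301 https://...` redirect targets a port on which a `listen ... ssl` exists, that `proxy_pass` only reaches loopback (so the controller on 11334 is reachable solely through nginx), and that each TLS server sets `Strict-Transport-Security`. `SAMPLE_CONFIG` is a constructed, shortened copy of the configuration above with `mail.example.com` as a placeholder domain; `lint`, `listens` and `split_servers` are names chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the reverse-proxy configuration above,
# with mail.example.com standing in for the real domain. The TLS listener sits on
# 8443 while the Certbot-generated redirect still targets the default port 443.
SAMPLE_CONFIG = """
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    server_name mail.example.com;
    location / {
        root /usr/share/rspamd/www/;
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_pass http://127.0.0.1:11334;
    }
    listen 8443 ssl;
}
server {
    if ($host = mail.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name mail.example.com;
    return 404;
}
"""

# The same configuration with the redirect carrying the TLS port.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "https://$host$request_uri", "https://$host:8443$request_uri"
)

LISTEN_RE = re.compile(r"^\s*listen\s+([^;\s]+)([^;]*);", re.M)
REDIRECT_RE = re.compile(r"return\s+30[1278]\s+https://\$host(?::(\d+))?")
PROXY_RE = re.compile(r"proxy_pass\s+([^;\s]+)\s*;")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def split_servers(config):
    """Return the body of each top-level `server { ... }` block, in file order."""
    blocks, depth, start = [], 0, None
    for m in re.finditer(r"[{}]", config):
        if m.group() == "{":
            if depth == 0:
                # Text on the same line before the brace tells us which block this is.
                head = config[:m.start()].rstrip().rsplit("\n", 1)[-1].strip()
                start = m.end() if head == "server" else None
            depth += 1
        else:
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(config[start:m.start()])
                start = None
    return blocks


def listens(body):
    """Return (port, is_ssl) for each listen directive in a server body."""
    out = []
    for m in LISTEN_RE.finditer(body):
        addr, flags = m.group(1), m.group(2).split()
        port = addr.rsplit(":", 1)[-1]  # handles "80", "0.0.0.0:80" and "[::]:8443"
        if port.isdigit():
            out.append((int(port), "ssl" in flags))
    return out


def lint(config):
    """Return human-readable findings; an empty list means all checks passed."""
    blocks = split_servers(config)
    ssl_ports = {p for b in blocks for p, ssl in listens(b) if ssl}
    findings = []
    for i, body in enumerate(blocks, 1):
        if any(ssl for _, ssl in listens(body)) and "Strict-Transport-Security" not in body:
            findings.append(f"server {i}: TLS listener without Strict-Transport-Security")
        for m in REDIRECT_RE.finditer(body):
            target = int(m.group(1) or 443)  # an https:// URL without a port means 443
            if target not in ssl_ports:
                findings.append(
                    f"server {i}: redirect sends clients to port {target}, "
                    f"but TLS listens only on {sorted(ssl_ports)}"
                )
        for m in PROXY_RE.finditer(body):
            host = urlsplit(m.group(1)).hostname
            if host not in LOOPBACK:
                findings.append(f"server {i}: proxy_pass to non-loopback upstream {host}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as generated", SAMPLE_CONFIG), ("redirect fixed", FIXED_CONFIG)):
        print(name, "->", lint(cfg) or "OK")
```

Run it against the real file with `lint(open("/etc/nginx/conf.d/RspamdProxy.conf").read())` after editing and again after any `certbot --nginx` re-run, since Certbot rewrites the `# managed by Certbot` lines and can reintroduce a port-less redirect.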
- Restart nginx
```bash
systemctl restart nginx
```
## Rspamd Rules
- Clone rspamd rules repo
```bash
cd ~
git clone https://github.com/martinschaible/rspamd-rules.git
```
- Copy rspamd rules
```bash
cp ~/rspamd-rules/local.d/* /etc/rspamd/local.d/
yes | cp ~/rspamd-rules/maps.d/* /etc/rspamd/maps.d/
```
- Restart rspamd
```bash
systemctl restart rspamd
```
## Sources
[Home · martinschaible/rspamd-installation-for-smartermail Wiki · GitHub](https://github.com/martinschaible/rspamd-installation-for-smartermail/wiki)
[GitHub - martinschaible/rspamd-rules: Curated Multimaps and Rules for Rspamd](https://github.com/martinschaible/rspamd-rules)