Rspamd: Difference between revisions

From NixOS Wiki
imported>Onny
Add note on enable bayesian spam training
Onny (talk | contribs)
Remove unstable notice
 
(3 intermediate revisions by 3 users not shown)
Line 13: Line 13:
=== Bayesian spam training ===
=== Bayesian spam training ===


To enable bayesian spam training, a [[Redis]] backend needs to get setup and configured in Rspamd
To enable bayesian spam training, enable a Redis instance and configure it in Rspamd as a backend


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
Line 30: Line 30:
services.redis.servers.rspamd = {
services.redis.servers.rspamd = {
   enable = true;
   enable = true;
  # 0 disables listening to TCP ports and will only use unix sockets. Default
  # unix socket path is /run/redis-${name}/redis.sock thus
  # /run/redis-rspamd/redis.sock here.
   port = 0;
   port = 0;
  unixSocket = "/run/redis-rspamd/redis.sock";
   user = config.services.rspamd.user;
   user = config.services.rspamd.user;
};
};
Line 67: Line 69:
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
</nowiki>}}
</nowiki>}}
== Tips and tricks ==
=== Helper script to train rspamd ===
The following example enables [https://gitlab.com/onlime/rspamd-trainer rspamd-trainer] as a daemon which will run every 10 minutes to check for mails in the inbox of <code>myuser@example.com</code> which should be used for spam/ham training.
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
services.rspamd-trainer = {
  enable = true;
  settings = {
    HOST = "example.com";
    USERNAME = "myuser@example.com";
    INBOXPREFIX = "INBOX/";
  };
  secrets = [
    # Do not use this in production. This will make passwords
    # world-readable in the Nix store
    "${pkgs.writeText "secrets" ''
      PASSWORD = test123
    ''}"
  ];
};
</nowiki>}}
The script will look into <code>INBOX/report_ham</code> and <code>INBOX/report_spam</code> respectivley for mails which will be feed into rspamd for training. After that they get moved to <code>INBOX/learned_ham</code> and <code>INBOX/learned_spam</code>. The report directories have to be created before that. You can do this using openssl:
<syntaxhighlight lang="console">
# openssl s_client -connect example.com:993 -crlf
A login myuser@example.com test123
A create "INBOX/report_spam"
A create "INBOX/report_ham"
A create "INBOX/report_spam_reply"
</syntaxhighlight>


[[Category:Mail Server]]
[[Category:Mail Server]]
[[Category:Server]]

Latest revision as of 08:09, 31 May 2024

Rspamd is a fast, free and open-source spam filtering system.

Installation

To enable Rspamd add following line to your system configuration

/etc/nixos/configuration.nix
services.rspamd.enable = true;

Configuration

Bayesian spam training

To enable bayesian spam training, enable a Redis instance and configure it in Rspamd as a backend

/etc/nixos/configuration.nix
services.rspamd = {
  locals = {
    "redis.conf".text = ''
      servers = "${config.services.redis.servers.rspamd.unixSocket}";
    '';
    "classifier-bayes.conf".text = ''
      backend = "redis";
      autolearn = true;
    '';
  };
};

services.redis.servers.rspamd = {
  enable = true;
  # 0 disables listening to TCP ports and will only use unix sockets. Default
  # unix socket path is /run/redis-${name}/redis.sock thus
  # /run/redis-rspamd/redis.sock here.
  port = 0;
  user = config.services.rspamd.user;
};

Whitelist domain

To whitelist a specific domain (in this example the domain example.org) which otherwise gets rejected by Rspamd for various reasons, this custom configuration override can be added:

/etc/nixos/configuration.nix
services.rspamd = {
  enable = true;
  overrides."whitelist.conf".text = ''
    whitelist_from {
      example.org = true;
    }
  '';
};

DKIM key

This module verifies the authenticity of emails through the analysis of DKIM signatures. In this example, we're configure a custom DKIM key file path suitable for the mailserver Maddy and adjust the group permissions for the Rspamd service.

/etc/nixos/configuration.nix
services.rspamd = {
  enable = true;
  locals."dkim_signing.conf".text = ''
    selector = "default";
    domain = "example.org";
    path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";
  '';
};

systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];

Tips and tricks

Helper script to train rspamd

The following example enables rspamd-trainer as a daemon which will run every 10 minutes to check for mails in the inbox of myuser@example.com which should be used for spam/ham training.

/etc/nixos/configuration.nix
services.rspamd-trainer = {
  enable = true;
  settings = {
    HOST = "example.com";
    USERNAME = "myuser@example.com";
    INBOXPREFIX = "INBOX/";
  };
  secrets = [
    # Do not use this in production. This will make passwords
    # world-readable in the Nix store
    "${pkgs.writeText "secrets" ''
      PASSWORD = test123
    ''}"
  ];
};

The script will look into INBOX/report_ham and INBOX/report_spam respectivley for mails which will be feed into rspamd for training. After that they get moved to INBOX/learned_ham and INBOX/learned_spam. The report directories have to be created before that. You can do this using openssl:

# openssl s_client -connect example.com:993 -crlf
A login myuser@example.com test123
A create "INBOX/report_spam"
A create "INBOX/report_ham"
A create "INBOX/report_spam_reply"