Rspamd
Rspamd is a fast, free and open-source spam filtering system.
Installation
To enable Rspamd, add the following line to your system configuration:
services.rspamd.enable = true;
To use Rspamd with Postfix, add:
services.rspamd.postfix.enable = true;
Configuration
Bayesian spam training
To enable Bayesian spam training, enable a Redis instance and configure it in Rspamd as a backend:
services.rspamd = {
  locals = {
    "redis.conf".text = ''
      servers = "${config.services.redis.servers.rspamd.unixSocket}";
    '';
    "classifier-bayes.conf".text = ''
      backend = "redis";
      autolearn = true;
    '';
  };
};
services.redis.servers.rspamd = {
  enable = true;
  # 0 disables listening to TCP ports and will only use unix sockets. Default
  # unix socket path is /run/redis-${name}/redis.sock thus
  # /run/redis-rspamd/redis.sock here.
  port = 0;
  user = config.services.rspamd.user;
};
Whitelist domain
To whitelist a specific domain (in this example the domain example.org) which otherwise gets rejected by Rspamd for various reasons, this custom configuration override can be added:
services.rspamd = {
  enable = true;
  overrides."whitelist.conf".text = ''
    whitelist_from {
      example.org = true;
    }
  '';
};
DKIM key
This module verifies the authenticity of emails through the analysis of DKIM signatures. In this example, we configure a custom DKIM key file path suitable for the mail server Maddy and adjust the group permissions for the Rspamd service.
services.rspamd = {
  enable = true;
  locals."dkim_signing.conf".text = ''
    selector = "default";
    domain = "example.org";
    path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";
  '';
};
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
Secrets
Sometimes you need to provide secrets which should not be kept in the public store. In this example we add an API key to the GPT module. You need a file, named for example `ai.conf`, with the following content:
api_key = "your_secret_key";
Then prepare your GPT configuration. This example shows only part of it; consult the GPT module documentation.
services.rspamd = {
  overrides = {
    "gpt.conf".text = ''
      enabled = true;
      #api_key = ""; # API KEY IN SECRETS!!!
      .include(try=true; priority=10,duplicate=merge) "/var/spool/keys/ai.conf"
      autolearn = true;
    '';
  };
};
Tips and tricks
Helper script to train rspamd
The following example enables rspamd-trainer as a daemon which will run every 10 minutes to check for mails in the inbox of myuser@example.com which should be used for spam/ham training.
services.rspamd-trainer = {
  enable = true;
  settings = {
    HOST = "example.com";
    USERNAME = "myuser@example.com";
    INBOXPREFIX = "INBOX/";
  };
  secrets = [
    # Do not use this in production. This will make passwords
    # world-readable in the Nix store
    "${pkgs.writeText "secrets" ''
      PASSWORD = test123
    ''}"
  ];
};
The script looks into INBOX/report_ham and INBOX/report_spam respectively for mails, which are fed into rspamd for training. After that they are moved to INBOX/learned_ham and INBOX/learned_spam. The report directories have to be created beforehand. You can do this using openssl:
# openssl s_client -connect example.com:993 -crlf
A login myuser@example.com test123
A create "INBOX/report_spam"
A create "INBOX/report_ham"
A create "INBOX/report_spam_reply"
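Both the Secrets section and the rspamd-trainer warning above depend on secret files staying out of the world-readable Nix store. The following script is an added example, not part of the original page or of Rspamd; it checks that a secret file resolves outside the store and is not accessible to all users. It assumes GNU `readlink` and `stat`, and `STORE_PREFIX` is a hypothetical override used only for testing.

```shell
#!/bin/sh
# Added example (not from the wiki): audit secret files referenced by
# Rspamd-related services. Assumes GNU readlink/stat, as on NixOS.
# STORE_PREFIX is a hypothetical override used only for testing.

# check_secret_file PATH
# Prints one verdict line; returns 0 if acceptable, 1 otherwise.
check_secret_file() {
    target=$1
    # Resolve symlinks first: a path under /etc or /run may point into the store.
    real=$(readlink -f -- "$target") || { echo "FAIL $target: cannot resolve"; return 1; }
    [ -f "$real" ] || { echo "FAIL $target: not a regular file"; return 1; }
    case $real in
        "${STORE_PREFIX:-/nix/store}"/*)
            echo "FAIL $target: resolves into the Nix store ($real)"
            return 1 ;;
    esac
    # Octal mode, e.g. 600 or 640; the last digit is the "other" permission set.
    mode=$(stat -c '%a' -- "$real")
    case $mode in
        *0) ;;
        *)  echo "FAIL $target: mode $mode grants access to all users"
            return 1 ;;
    esac
    echo "OK   $target: mode $mode, outside the store"
}

# audit_secrets PATH...
# Checks every path and returns non-zero if any of them failed.
audit_secrets() {
    rc=0
    for f in "$@"; do
        check_secret_file "$f" || rc=1
    done
    return "$rc"
}

# Typical call, using the include path from the GPT example on this page:
#   audit_secrets /var/spool/keys/ai.conf
```

The file only needs to be readable by the user or group the service runs as, so modes such as 600 or 640 pass while 644 fails.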