DEV Community

loading...

Rspamd installation and OpenSMTPD configuration on it on OpenBSD

Heddi Nabbisen
An ICT designer/developer and a security monk with "a cool brain and a warm heart". OpenBSD/Rust etc. Interested in social issues and relationships. Founder of Scqr Inc.
Updated on ・3 min read

Summary

Thanks to poolpOrg's filter-rspamd, Rspamd filter in OpenSMTPD is provided as Ports package whose name is
opensmtpd-filter-rspamd in OpenSMTPD 6.6.0 or higher. It means it has not been necessary any longer to use rspamc in smtpd.conf.

This post shows how to install Rspamd and configure it on OpenBSD.

Environment

  • Server OS: OpenBSD 6.9
  • MTA (Mail transfer agent): OpenSMTPD 6.9
  • Spam filtering system: Rspamd 2.7
  • Command line shell: Fish 3.2

Tutorial

Here shows packages related to OpenSMTPD:

$ doas pkg_info -Q opensmtpd
libopensmtpd-0.6
opensmtpd-extras-6.7.1v0
opensmtpd-extras-mysql-6.7.1p0v0
opensmtpd-extras-pgsql-6.7.1p0v0
opensmtpd-extras-python-6.7.1v0
opensmtpd-extras-redis-6.7.1v0
opensmtpd-filter-admdscrub-0.1
opensmtpd-filter-dkimsign-0.4
opensmtpd-filter-dnsbl-0.2
opensmtpd-filter-rspamd-0.1.7p0
opensmtpd-filter-senderscore-0.1.1p0
opensmtpd-filter-spamassassin-0.7p0
Enter fullscreen mode Exit fullscreen mode

Several extras and also several filters :)


First, let's install Rspamd and also required packages, its OpenSMTPD filter and Redis. Rspamd in OpenBSD is highly configured and ready to use Redis as database by default.

$ doas pkg_add rspamd redis opensmtpd-filter-rspamd
quirks-3.633 signed on 2021-07-03T10:19:35Z
Ambiguous: choose package for rspamd
    0: <None>
    1: rspamd-2.7p0
    2: rspamd-2.7p0-hyperscan
Your choice: 2
rspamd-2.7p0-hyperscan:luajit-2.0.5p2: ok
rspamd-2.7p0-hyperscan:gcc-libs-8.4.0p6: ok
rspamd-2.7p0-hyperscan:blas-3.8.0p0: ok
rspamd-2.7p0-hyperscan:cblas-1.0p7: ok
rspamd-2.7p0-hyperscan:hyperscan-5.4.0-ssse3: ok
useradd: Warning: home directory `/var/redis' doesn't exist, and -m was not specified
rspamd-2.7p0-hyperscan:redis-6.2.1p0: ok
rspamd-2.7p0-hyperscan: ok
opensmtpd-filter-rspamd-0.1.7p0: ok
The following new rcscripts were installed: /etc/rc.d/redis /etc/rc.d/rspamd
See rcctl(8) for details.
New and changed readme(s):
    /usr/local/share/doc/pkg-readmes/opensmtpd-filter-rspamd
    /usr/local/share/doc/pkg-readmes/rspamd
Enter fullscreen mode Exit fullscreen mode

Besides, hyperscan is used as an option of local optimizations
on Rspamd performance, which is developed by Intel.

Next, enable daemons.

$ doas rcctl enable {redis, rspamd}
Enter fullscreen mode Exit fullscreen mode

And run them.

$ doas rcctl start {redis, rspamd}
redis(ok)
rspamd(ok)
Enter fullscreen mode Exit fullscreen mode

If you want to add custom configuration to Rspamd, it's available with ".conf" files.
In my case, I edited actions.conf to mitigate rejection by the filter.

$ cd /etc/rspamd/local.d

$ cat ../actions.conf
(...)
actions {
    reject = 15; # Reject when reaching this score
    add_header = 6; # Add header when reaching this score
    greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
(...)
    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/actions.conf"
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/actions.conf"
}

$ doas nvim actions.conf
Enter fullscreen mode Exit fullscreen mode

My actions.conf in local.d is like this:

reject = 27.0;
greylist = 19.0;
subject = "** Suspicious ** %s"
rewrite_subject = 12.0;
add_header = 7.0;
Enter fullscreen mode Exit fullscreen mode

When changing Rspamd configuration, it is necessary to restart the daemon:

$ doas rcctl restart rspamd
rspamd(ok)
rspamd(ok)
Enter fullscreen mode Exit fullscreen mode

Then, modify smtpd.conf in /etc/mail to execute (proc-exec) the filter.

$ cd /etc/mail

$ # create a backup if necessary:
$ doas cp -p smtpd.conf smtpd.conf.bak

$ doas nvim smtpd.conf
Enter fullscreen mode Exit fullscreen mode

Add these lines:

  (...)
+ filter "rspamd" \
+   proc-exec "filter-rspamd"
  (...)
  listen on egress \
    tls \
    pki (...) \
    auth-optional \
+   filter { "rspamd" } \
    tag MTA
  (...)
Enter fullscreen mode Exit fullscreen mode

Just 3 lines :)
Well, here, I actually added more lines:

+ filter "check_dyndns" \
+   phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+   disconnect "550 no residential connections"
+ filter "check_rdns" \
+   phase connect match !rdns \
+   disconnect "550 no rDNS"
+ filter "check_fcrdns" \
+   phase connect match !fcrdns \
+   disconnect "550 no FCrDNS"
  filter "rspamd" \
    proc-exec "filter-rspamd"
  (...)
-   filter { "rspamd" } \
+   filter { "check_dyndns", "check_rdns", "check_fcrdns", "rspamd" } \
Enter fullscreen mode Exit fullscreen mode

The 3 filters are builtin ones in OpenSMTPD.

Finally, restart the smtpd daemon:

$ doas rcctl restart smtpd
smtpd(ok)
smtpd(ok)
Enter fullscreen mode Exit fullscreen mode

Now OpenSMTPD calls Rspamd while transfering messages and the filter results are being stored in Redis.
Hope your trouble on spams and scams will get remarkably less.

Acknowledgments

I appeciate the Gilles (poolp) 's great article:

https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

It enabled me to set up Rspamd working well with OpenSMTPD at last.

Discussion (0)