Replace SpamAssassin with Rspamd

Switching to Rspamd has some advantages: * It is probably faster than SA[1] (C + Lua vs Perl) * We can reduce the number of moving parts. Rspamd has built-in DKIM signing, greylisting, DMARC checking to name a few * It doesn't just mark the mail as spam/not-spam, it gives every mail a score and depending on the score it does either: nothing, greylist it, mark it as spam or reject it[2] (more actions is available and it can be tweaked) * Replies whitelisting[3] * It supports ARC signing, which can be useful * A cool looking WebUi :) * ... and more[4]... [1] https://rspamd.com/doc/tutorials/migrate_sa.html#why-migrate-to-rspamd [2] https://rspamd.com/doc/faq.html#what-are-rspamd-actions [3] https://rspamd.com/doc/modules/replies.html [4] https://rspamd.com/comparison.html

Replace SpamAssassin with Rspamd
bcf1c981 · Kristian Klausen · Sven-Hendrik Haase · f853a292 · bcf1c981 · bcf1c981
Commit bcf1c981 authored 4 years ago by Kristian Klausen Committed by Sven-Hendrik Haase 4 years ago
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -27,7 +27,7 @@
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
-    - { role: spampd, tags: ["mail"] }
+    - { role: rspamd, tags: ["mail"] }
    - { role: unbound, tags: ["mail"] }
    - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
    - { role: opendkim, dkim_selector: apollo, tags: ['mail'] }

--- a/playbooks/luna.yml
+++ b/playbooks/luna.yml
@@ -26,7 +26,7 @@
        - firewall
  roles:
    - nginx
-    - spampd
+    - rspamd
    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
 # luna is hosting mailman lists; this postfix role does not cater to this yet
 # TODO: make postfix role handle mailman config?

--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -10,7 +10,7 @@
    - { role: certbot }
    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
    - { role: dovecot }
-    - { role: spampd, tags: ["mail"] }
+    - { role: rspamd, tags: ["mail"] }
    - { role: unbound, tags: ["mail"] }
    - { role: postfwd, tags: ['mail'] }
    - { role: archusers }

--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -11,7 +11,7 @@
    - { role: borg_client, tags: ['borg'] }
    - { role: opendkim, dkim_selector: orion, tags: ['mail'] }
    - { role: dovecot }
-    - { role: spampd, tags: ["mail"] }
+    - { role: rspamd, tags: ["mail"] }
    - { role: unbound, tags: ["mail"] }
    - { role: postfwd, tags: ['mail'] }
    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }

--- a/roles/dovecot/files/spam-to-folder.sieve
+++ b/roles/dovecot/files/spam-to-folder.sieve
+require ["mailbox", "fileinto"];
+if header "X-Spam" "Yes"{
+  fileinto :create "Junk";
+  stop;
+}
--- a/roles/dovecot/handlers/main.yml
+++ b/roles/dovecot/handlers/main.yml
@@ -3,3 +3,7 @@
 - name: reload dovecot
  service: name=dovecot state=restarted

+- name: run sievec
+  command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
+  loop:
+    - spam-to-folder.sieve
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -18,6 +18,14 @@
 - name: install PAM config
  copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root

+- name: create dovecot sieve dir
+  file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
+
+- name: install spam-to-folder.sieve
+  copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
+  notify:
+    - run sievec
+
 - name: install dovecot cert renewal hook
  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755


--- a/roles/dovecot/templates/dovecot.conf.j2
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -44,6 +44,7 @@ plugin {
 	sieve_dir = ~/.sieve
 	sieve_global_dir = /etc/dovecot/sieve/global/
 	sieve_global_path = /etc/dovecot/sieve/default.sieve
+	sieve_before = /etc/dovecot/sieve/spam-to-folder.sieve

 	mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
 	mail_log_fields = uid box msgid size

--- a/roles/postfix/files/header_checks
+++ b/roles/postfix/files/header_checks
-/X-Spam-Status: Yes,/ REJECT Your message has been rejected by Spamassassin
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -165,8 +165,8 @@ submission_recipient_restrictions=
  permit_sasl_authenticated,
  reject

-smtpd_milters=unix:/var/spool/opendkim/opendkim
-non_smtpd_milters=unix:/var/spool/opendkim/opendkim
+smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
+non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332

 # Pass internal mails through filters so they get signed by opendkim
 # XXX: Be careful not to have filters that may reject mails!

--- a/roles/postfix/templates/master.cf.j2
+++ b/roles/postfix/templates/master.cf.j2
@@ -14,7 +14,6 @@
 # ==========================================================================
 {% if postfix_smtpd_public %}
 smtp      inet  n       -       n       -       -       smtpd
-    -o smtpd_proxy_filter=[127.0.0.1]:10025
    -o smtpd_client_connection_count_limit=20
    -o smtpd_proxy_options=speed_adjust
 {% else %}
@@ -30,7 +29,6 @@ submission inet n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
-    -o content_filter=smtp:[127.0.0.1]:10025
    -o smtpd_client_connection_count_limit=10
    #-o smtpd_milters=unix:/var/spool/opendkim/opendkim
 {% endif %}

--- a/roles/redis/tasks/main.yml
+++ b/roles/redis/tasks/main.yml
+---
+- name: install redis
+  pacman: name=redis state=present
+
+- name: start and enable redis
+  service: name=redis enabled=yes state=started
--- a/roles/rspamd/files/local.d/logging.inc
+++ b/roles/rspamd/files/local.d/logging.inc
+systemd = true;
+type = "console";
--- a/roles/rspamd/files/local.d/milter_headers.conf
+++ b/roles/rspamd/files/local.d/milter_headers.conf
+extended_spam_headers = true;
+use = ["authentication-results"];
+authenticated_headers = ["authentication-results"];
--- a/roles/rspamd/files/local.d/redis.conf
+++ b/roles/rspamd/files/local.d/redis.conf
+write_servers = "127.0.0.1";
+read_servers = "127.0.0.1";
--- a/roles/rspamd/handlers/main.yml
+++ b/roles/rspamd/handlers/main.yml
+---
+- name: reload rspamd
+  service: name=rspamd state=reloaded
--- a/roles/rspamd/meta/main.yml
+++ b/roles/rspamd/meta/main.yml
+---
+dependencies:
+  - role: redis
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
+---
+- name: install rspamd
+  pacman: name=rspamd state=present
+
+- name: install config
+  copy: src=local.d/ dest=/etc/rspamd/local.d/ owner=root group=root mode=0644
+  notify:
+    - reload rspamd
+
+- name: start and enable rspamd
+  service: name=rspamd enabled=yes state=started
--- a/roles/spampd/files/sa-update.hook
+++ b/roles/spampd/files/sa-update.hook
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = spamassassin
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/systemctl start sa-update.service
--- a/roles/spampd/files/sa-update.service
+++ b/roles/spampd/files/sa-update.service
-[Unit]
-Description=sa-update
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/sa-update.sh