From 4082d5790d60c926802d41866eb10fe1f4f0e1ac Mon Sep 17 00:00:00 2001 From: Spitap Date: Tue, 4 Apr 2023 17:34:48 +0200 Subject: [PATCH] Added Rspamd installation --- modoboa_installer/config_dict_template.py | 39 ++++++++- .../scripts/files/nginx/modoboa.conf.tpl | 7 ++ .../scripts/files/postfix/main.cf.tpl | 25 +++--- .../files/rspamd/local.d/antivirus.conf.tpl | 11 +++ .../rspamd/local.d/dkim_signing.conf.tpl | 3 + .../files/rspamd/local.d/greylisting.conf.tpl | 2 + .../files/rspamd/local.d/mx_check.conf.tpl | 1 + .../scripts/files/rspamd/local.d/rbl.conf.tpl | 6 ++ .../scripts/files/rspamd/local.d/spf.conf.tpl | 6 ++ .../rspamd/local.d/worker-controller.inc | 1 + .../rspamd/local.d/worker-controller.inc.tpl | 1 + .../rspamd/local.d/worker-normal.inc.tpl | 1 + .../files/rspamd/local.d/worker-proxy.inc.tpl | 3 + modoboa_installer/scripts/postfix.py | 4 +- modoboa_installer/scripts/rspamd.py | 82 +++++++++++++++++++ 15 files changed, 178 insertions(+), 14 deletions(-) create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/dkim_signing.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/mx_check.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/rbl.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/spf.conf.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/worker-normal.inc.tpl create mode 100644 modoboa_installer/scripts/files/rspamd/local.d/worker-proxy.inc.tpl create mode 100644 modoboa_installer/scripts/rspamd.py 
diff --git a/modoboa_installer/config_dict_template.py b/modoboa_installer/config_dict_template.py index 72e4ebd..093bc5b 100644 --- a/modoboa_installer/config_dict_template.py +++ b/modoboa_installer/config_dict_template.py @@ -225,12 +225,45 @@ ConfigDictTemplate = [ ] }, { - "name": "amavis", + "name": "rspamd", "values": [ { "option": "enabled", "default": "true", }, + { + "option": "password", + "default": make_password, + } + { + "option": "dnsbl", + "default": "true", + }, + { + "option": "dkim_keys_storage_dir", + "default": "/var/lib/dkim" + }, + { + "option": "keys_path_map", + "default": "/var/lib/dkim/keys.path.map" + }, + { + "option": "selectors_path_map", + "default": "/var/lib/dkim/selectors.path.map" + }, + { + "option": "greylisting", + "default": "true" + } + ], + }, + { + "name": "amavis", + "values": [ + { + "option": "enabled", + "default": "false", + }, { "option": "user", "default": "amavis", @@ -366,7 +399,7 @@ ConfigDictTemplate = [ "values": [ { "option": "enabled", - "default": "true", + "default": "false", }, { "option": "config_dir", @@ -435,7 +468,7 @@ ConfigDictTemplate = [ "values": [ { "option": "enabled", - "default": "true", + "default": "false", }, { "option": "user", diff --git a/modoboa_installer/scripts/files/nginx/modoboa.conf.tpl b/modoboa_installer/scripts/files/nginx/modoboa.conf.tpl index 725402c..c52e710 100644 --- a/modoboa_installer/scripts/files/nginx/modoboa.conf.tpl +++ b/modoboa_installer/scripts/files/nginx/modoboa.conf.tpl @@ -37,6 +37,13 @@ server { try_files $uri $uri/ =404; } +%{rspamd_enabled} location /rspamd/ { +%{rspamd_enabled} proxy_pass http://localhost:11334/; +%{rspamd_enabled} +%{rspamd_enabled} proxy_set_header Host $host; +%{rspamd_enabled} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +%{rspamd_enabled} } + location ~ ^/(api|accounts) { include uwsgi_params; uwsgi_param UWSGI_SCRIPT instance.wsgi:application; 
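Review bot: The new `password` entry in the `rspamd` values list is closed with `}` and followed directly by the `dnsbl` entry with no comma, which is a syntax error and stops the whole module from importing. It needs `},` after `"default": make_password,`. The new defaults are the strings `"true"`/`"false"`, so any code reading `dnsbl` or `greylisting` has to parse them as booleans rather than test truthiness. The `ConfigDictTemplate` list starts and ends outside the hunk.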
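Review bot: The new `location /rspamd/` block publishes the Rspamd controller on the public vhost with only the controller's own password in front of it, and it builds `X-Forwarded-For` with `$proxy_add_x_forwarded_for`, which keeps whatever value the client sent. Rspamd's controller treats some source addresses as trusted (its `secure_ip` setting, which I believe defaults to loopback), so the address it derives from that header should not be client-controllable. I would send `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $remote_addr;` instead, and confirm how the deployed Rspamd version picks the client address. Consider also restricting the location with `allow`/`deny`, or leaving it off unless the administrator opts in. The server block starts and ends outside the hunk.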
diff --git a/modoboa_installer/scripts/files/postfix/main.cf.tpl b/modoboa_installer/scripts/files/postfix/main.cf.tpl index 294c2a0..c112975 100644 --- a/modoboa_installer/scripts/files/postfix/main.cf.tpl +++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl @@ -122,6 +122,11 @@ strict_rfc821_envelopes = yes %{opendkim_enabled}milter_default_action = accept %{opendkim_enabled}milter_content_timeout = 30s +# Rspamd setup +%{rspamd_enabled}smtpd_milters = inet:localhost:11332 +%{rspamd_enabled}milter_default_action = accept +%{rspamd_enabled}milter_protocol = 6 + # List of authorized senders smtpd_sender_login_maps = proxy:%{db_driver}:/etc/postfix/sql-sender-login-map.cf @@ -142,18 +147,18 @@ smtpd_recipient_restrictions = ## Postcreen settings # -postscreen_access_list = - permit_mynetworks - cidr:/etc/postfix/postscreen_spf_whitelist.cidr -postscreen_blacklist_action = enforce +%{rspamd_disabled}postscreen_access_list = +%{rspamd_disabled} permit_mynetworks +%{rspamd_disabled} cidr:/etc/postfix/postscreen_spf_whitelist.cidr +%{rspamd_disabled}postscreen_blacklist_action = enforce # Use some DNSBL -postscreen_dnsbl_sites = - zen.spamhaus.org=127.0.0.[2..11]*3 - bl.spameatingmonkey.net=127.0.0.2*2 - bl.spamcop.net=127.0.0.2 -postscreen_dnsbl_threshold = 3 -postscreen_dnsbl_action = enforce +%{rspamd_disabled}postscreen_dnsbl_sites = +%{rspamd_disabled} zen.spamhaus.org=127.0.0.[2..11]*3 +%{rspamd_disabled} bl.spameatingmonkey.net=127.0.0.2*2 +%{rspamd_disabled} bl.spamcop.net=127.0.0.2 +%{rspamd_disabled}postscreen_dnsbl_threshold = 3 +%{rspamd_disabled}postscreen_dnsbl_action = enforce postscreen_greet_banner = Welcome, please wait... postscreen_greet_action = enforce diff --git a/modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl new file mode 100644 index 0000000..235ea0f --- /dev/null +++ b/modoboa_installer/scripts/files/rspamd/local.d/antivirus.conf.tpl 
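Review bot: `milter_default_action = accept` in the new Rspamd block makes the milter fail open: whenever the proxy worker on `localhost:11332` is down or unreachable, mail is accepted without spam, antivirus or DKIM processing. Since this commit makes Rspamd the only content filter enabled by default, `milter_default_action = tempfail` is the safer default. The opendkim block just above (only partly visible in the hunk) sets the same milter parameters, so with both components enabled Postfix would keep only the last definition; the two blocks should be merged or made mutually exclusive. `non_smtpd_milters` is not set for Rspamd, so locally submitted mail would presumably bypass it.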
@@ -0,0 +1,11 @@
+clamav {
+ symbol = "CLAM_VIRUS";
+ type = "clamav";
+ servers = "127.0.0.1:3310";
+ patterns {
+ # symbol_name = "pattern";
+ JUST_EICAR = '^Eicar-Test-Signature$';
+ }
+}
+
+
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/dkim_signing.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/dkim_signing.conf.tpl
new file mode 100644
index 0000000..0025c3b
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/dkim_signing.conf.tpl
@@ -0,0 +1,3 @@
+try_fallback = false;
+selector_map = "%selectors_path_map";
+path_map = "%keys_path_map";
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl
new file mode 100644
index 0000000..cc44e3a
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/greylisting.conf.tpl
@@ -0,0 +1,2 @@
+servers = "127.0.0.1:6379";
+%{postwhite_enabled}whitelisted_ip = "/etc/postfix/postscreen_spf_whitelist.cidr"
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/mx_check.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/mx_check.conf.tpl
new file mode 100644
index 0000000..1ead4ee
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/mx_check.conf.tpl
@@ -0,0 +1 @@
+enabled = true;
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/rbl.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/rbl.conf.tpl
new file mode 100644
index 0000000..35b23ba
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/rbl.conf.tpl
@@ -0,0 +1,6 @@
+# to disable all predefined rules if the user doesn't want dnsbl
+
+url_whitelist = [];
+
+rbls {
+}
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/spf.conf.tpl b/modoboa_installer/scripts/files/rspamd/local.d/spf.conf.tpl
new file mode 100644
index 0000000..85a98bc
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/spf.conf.tpl
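Review bot: The `clamav` block in `antivirus.conf.tpl` sets no `action`, so as far as I know a ClamAV hit only adds the `CLAM_VIRUS` symbol and the message is then handled by whatever score that symbol carries. If infected mail should be refused outright, add `action = "reject";`. `servers = "127.0.0.1:3310"` assumes clamd listens on TCP, while I believe the Debian package listens on a Unix socket by default, so confirm the installer's ClamAV setup enables the TCP listener or point `servers` at the socket path. The `JUST_EICAR` pattern looks like the documentation example and could be dropped.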
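Review bot: Nothing visible in this commit creates the directory and the two map files that `dkim_signing.conf.tpl` points at through `%selectors_path_map` and `%keys_path_map`, or sets their ownership. The key directory holds DKIM private keys, so it should be readable by the Rspamd service account only. I would add a comment such as `# keys under dkim_keys_storage_dir must be owned by the rspamd user, mode 0600` and have the installer enforce it.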
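Review bot: The empty `rbls { }` block in `rbl.conf.tpl` most likely does not do what its comment says. Files under `local.d` are merged with the stock module configuration, so the predefined RBLs would stay active and DNS lookups to the list operators would continue even when the administrator set `dnsbl` to false. To switch the module off, write `enabled = false;` in this file. `rspamadm configdump rbl` on a test install will show which rules are actually active.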
@@ -0,0 +1,6 @@
+spf_cache_size = 1k;
+spf_cache_expire = 1d;
+max_dns_nesting = 10;
+max_dns_requests = 30;
+min_cache_ttl = 5m;
+disable_ipv6 = false;
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc b/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc
new file mode 100644
index 0000000..8490a18
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc
@@ -0,0 +1 @@
+enable_password = %controller_password
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc.tpl b/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc.tpl
new file mode 100644
index 0000000..8490a18
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/worker-controller.inc.tpl
@@ -0,0 +1 @@
+enable_password = %controller_password
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/worker-normal.inc.tpl b/modoboa_installer/scripts/files/rspamd/local.d/worker-normal.inc.tpl
new file mode 100644
index 0000000..a6ee831
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/worker-normal.inc.tpl
@@ -0,0 +1 @@
+enabled = false;
diff --git a/modoboa_installer/scripts/files/rspamd/local.d/worker-proxy.inc.tpl b/modoboa_installer/scripts/files/rspamd/local.d/worker-proxy.inc.tpl
new file mode 100644
index 0000000..f64333f
--- /dev/null
+++ b/modoboa_installer/scripts/files/rspamd/local.d/worker-proxy.inc.tpl
@@ -0,0 +1,3 @@
+upstream "local" {
+ self_scan = yes;
+}
diff --git a/modoboa_installer/scripts/postfix.py b/modoboa_installer/scripts/postfix.py
index 6a2d743..ba1fcbc 100644
--- a/modoboa_installer/scripts/postfix.py
+++ b/modoboa_installer/scripts/postfix.py
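Review bot: `worker-controller.inc` and `worker-controller.inc.tpl` both write the hash unquoted as `enable_password = %controller_password`. Rspamd's documented form is a quoted string terminated with a semicolon, and I believe the generated hash starts with `$`, so I would write `enable_password = "%controller_password";`. Only `enable_password` is set, while Rspamd uses `password` for read-only access and `enable_password` for privileged commands. Please confirm that read access still requires a password and set `password` too if it does not, since the nginx change in this commit makes the controller reachable from outside. The copy without the `.tpl` suffix holds an unrendered placeholder and looks accidental.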
@@ -60,7 +60,9 @@ class Postfix(base.Installer): "modoboa_instance_path": self.config.get( "modoboa", "instance_path"), "opendkim_port": self.config.get( - "opendkim", "port") + "opendkim", "port"), + "rspamd_disabled": "" if not self.config.get( + "rspamd", "enabled") else "#" }) return context diff --git a/modoboa_installer/scripts/rspamd.py b/modoboa_installer/scripts/rspamd.py new file mode 100644 index 0000000..5e7640b --- /dev/null +++ b/modoboa_installer/scripts/rspamd.py 
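Review bot: `self.config.get("rspamd", "enabled")` returns the option as a string if `self.config` is a ConfigParser, which the `get(section, option)` call shape suggests. Both `"true"` and `"false"` are truthy, so `rspamd_disabled` would always be `"#"` and the postscreen DNSBL lines in `main.cf.tpl` would be commented out even on installs that do not use Rspamd. Use the boolean accessor instead: `"rspamd_disabled": "#" if self.config.getboolean("rspamd", "enabled") else ""`. A configuration file written before this commit has no `rspamd` section, so the lookup also needs a fallback. The enclosing method starts outside the hunk.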
@@ -0,0 +1,82 @@
+"""Amavis related functions."""
+
+import os
+
+from .. import package
+from .. import utils
+
+from . import base
+from . import backup, install
+
+
+class Rspamd(base.Installer):
+
+ """Rspamd installer."""
+
+ appname = "rspamd"
+ packages = {
+ "deb": [
+ "rspamd", "redis"
+ ]
+ }
+ config_files = ["local.d/dkim_signing.conf",
+ "local.d/mx_check.conf",
+ "local.d/spf.conf",
+ "local.d/worker-controller.inc",
+ "local.d/worker-normal.inc",
+ "local.d/worker-proxy.inc"]
+
+ @property
+ def config_dir(self):
+ """Return appropriate config dir."""
+ return "/etc/rspamd"
+
+ def get_config_files(self):
+ """Return appropriate config files."""
+ _config_files = self.config_files
+ if self.config.get("clamav", "enabled"):
+ _config_files.append("local.d/antivirus.conf")
+ if self.app_config["dnsbl"]:
+ _config_files.append("local.d/greylisting.conf")
+ if not self.app_config["dnsbl"]:
+ _config_files.append("local.d/rbl.conf")
+ return _config_files
+
+ def get_template_context(self):
+ _context = super().get_template_context()
+ code, controller_password = utils.exec_cmd(
+ r"rspamadm pw -p {}".format(self.app_config["password"]))
+ if code != 0:
+ utils.error("Error setting rspamd password. "
+ "Please make sure it is not 'q1' or 'q2'."
+ "Storing the password in plain.
See"
+ "https://rspamd.com/doc/quickstart.html#setting-the-controller-password")
+ _context["controller_password"] = password
+ else:
+ _context["controller_password"] = controller_password
+ return _context
+
+ def custom_backup(self, path):
+ """Backup custom configuration if any."""
+ custom_config_dir = os.path.join(self.config_dir,
+ "/local.d/")
+ custom_backup_dir = os.path.join(path, "/rspamd/")
+ local_files = [f for f in os.listdir(custom_config_dir)
+ if os.path.isfile(custom_config_dir, f)
+ ]
+ for file in local_files:
+ utils.copy_file(file, custom_backup_dir)
+ if len(local_files) != 0:
+ utils.success("Rspamd custom configuration saved!")
+
+ def restore(self):
+ """Restore custom config files."""
+ custom_config_dir = os.path.join(self.config_dir,
+ "/local.d/")
+ custom_backup_dir = os.path.join(path, "/rspamd/")
+ backed_up_files = [f for f in os.listdir(custom_backup_dir)
+ if os.path.isfile(custom_backup_dir, f)
+ ]
+ for file in backed_up_files:
+ utils.copy_file(file, custom_config_dir)
+ utils.success("Custom Rspamd configuration restored.")
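Review bot: In `get_template_context` the controller password from the configuration is formatted straight into the command string handed to `utils.exec_cmd`, so if that helper runs the string through a shell, a password containing shell metacharacters is interpreted rather than hashed. Quote it with `shlex.quote` (which needs `import shlex`), and note that a value passed on the command line is also visible in the process list while `rspamadm` runs. The failure branch assigns `password`, a name that is never defined, so it raises `NameError` instead of falling back. In `custom_backup` and `restore`, `os.path.join(self.config_dir, "/local.d/")` discards `config_dir` because the second component is absolute, `os.path.isfile` is called with two arguments, and `restore` reads an undefined `path`. `get_config_files` appends to the class-level `config_files` list through an alias and ties `greylisting.conf` to the `dnsbl` option rather than `greylisting`, and the module docstring still says "Amavis related functions.".

```python
    def get_template_context(self):
        """Add the hashed controller password to the template context."""
        _context = super().get_template_context()
        password = self.app_config["password"]
        # Quote the value: exec_cmd receives one command string here.
        # NOTE(review): the output may carry a trailing newline; confirm and strip.
        code, controller_password = utils.exec_cmd(
            "rspamadm pw -p {}".format(shlex.quote(password)))
        if code != 0:
            # … unchanged: utils.error(...) message …
            _context["controller_password"] = password
        else:
            _context["controller_password"] = controller_password
        return _context

    def custom_backup(self, path):
        """Backup custom configuration if any."""
        # No leading slash: an absolute component makes os.path.join drop config_dir.
        custom_config_dir = os.path.join(self.config_dir, "local.d")
        custom_backup_dir = os.path.join(path, "rspamd")
        local_files = [
            os.path.join(custom_config_dir, f)
            for f in os.listdir(custom_config_dir)
            if os.path.isfile(os.path.join(custom_config_dir, f))
        ]
        # … unchanged: copy loop and success message …
```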