spam

hosts/hetzner-vm/services/mail.nix

@@ -7,5 +7,6 @@
     ./mailserver/firewall.nix
     ./mailserver/webmail.nix
     ./mailserver/opendkim.nix
+    ./mailserver/rspamd.nix
   ];
 }

hosts/hetzner-vm/services/mailserver/dovecot.nix

@@ -51,6 +51,23 @@ let
 
     chmod 600 ${passwdFile}
   '';
+
+  pipeBin = pkgs.stdenv.mkDerivation {
+    name = "pipe_bin";
+    src = ./pipe_bin;
+    buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
+    buildCommand = ''
+      mkdir -p $out/pipe/bin
+      cp $src/* $out/pipe/bin/
+      chmod a+x $out/pipe/bin/*
+      patchShebangs $out/pipe/bin
+
+      for file in $out/pipe/bin/*; do
+        wrapProgram $file \
+          --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
+      done
+    '';
+  };
 in {
   services.dovecot2 = {
     enable = true;
@@ -165,11 +182,24 @@ in {
       }
 
       plugin {
+          sieve_plugins = sieve_imapsieve sieve_extprograms
           sieve = file:${mail_config.sieve_directory}/%u/scripts;active=${mail_config.sieve_directory}/%u/active.sieve
           sieve_default = file:${mail_config.sieve_directory}/%u/default.sieve
           sieve_default_name = default
 
-          sieve_global_extensions = +vnd.dovecot.environment
+          # From elsewhere to Spam folder
+          imapsieve_mailbox1_name = Junk
+          imapsieve_mailbox1_causes = COPY
+          imapsieve_mailbox1_before = file:${./spam_sieve/report-spam.sieve}
+
+          # From Spam folder to elsewhere
+          imapsieve_mailbox2_name = *
+          imapsieve_mailbox2_from = Junk
+          imapsieve_mailbox2_causes = COPY
+          imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve}
+
+          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
+          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
       }
       lda_mailbox_autosubscribe = yes
       lda_mailbox_autocreate = yes

hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-ham.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -o errexit
+exec rspamc -h /run/rspamd/worker-controller.sock learn_ham

hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-spam.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -o errexit
+exec rspamc -h /run/rspamd/worker-controller.sock learn_spam

hosts/hetzner-vm/services/mailserver/postfix.nix

@@ -148,7 +148,7 @@ in {
 
       tls_random_source = "dev:/dev/urandom";
 
-      smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
+      smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" "unix:/run/rspamd/rspamd-milter.sock" ];
       non_smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ];
 
       milter_protocol = "6";

hosts/hetzner-vm/services/mailserver/rspamd.nix

@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+let
+  mail_config = (import ./config.nix { });
+
+  postfixCfg = config.services.postfix;
+  rspamdCfg = config.services.rspamd;
+  rspamdSocket = "rspamd.service";
+in {
+
+  services.rspamd = {
+    enable = true;
+    debug = mail_config.debug_mode;
+    locals = {
+      "milter_headers.conf" = {
+        text = ''
+          extended_spam_headers = yes;
+        '';
+      };
+      "redis.conf" = {
+        text = ''
+          servers = "127.0.0.1:6380";
+        '';
+      };
+      "classifier-bayes.conf" = {
+        text = ''
+          cache {
+            backend = "redis";
+          }
+        '';
+      };
+      "dkim_signing.conf" = {
+        text = ''
+          # opendkim does this
+          enabled = false;
+        '';
+      };
+    };
+
+    overrides = {
+      "milter_headers.conf" = {
+        text = ''
+          extended_spam_headers = true;
+        '';
+      };
+    };
+
+    workers.rspamd_proxy = {
+      type = "rspamd_proxy";
+      bindSockets = [{
+        socket = "/run/rspamd/rspamd-milter.sock";
+        mode = "0664";
+      }];
+      count = 1;
+      extraConfig = ''
+        milter = yes;
+        timeout = 120s;
+
+        upstream "local" {
+          default = yes;
+          self_scan = yes;
+        }
+      '';
+    };
+    workers.controller = {
+      type = "controller";
+      count = 1;
+      bindSockets = [{
+        socket = "/run/rspamd/worker-controller.sock";
+        mode = "0666";
+      }];
+      includes = [ ];
+    };
+
+  };
+
+  services.redis.servers.rspamd = {
+    enable = true;
+    port = 6380;
+  };
+
+  systemd.services.rspamd = {
+    requires = [ "redis-rspamd.service" ];
+    after = [ "redis-rspamd.service" ];
+  };
+
+  systemd.services.postfix = {
+    after = [ rspamdSocket ];
+    requires = [ rspamdSocket ];
+  };
+
+  users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
+}
+

hosts/hetzner-vm/services/mailserver/spam_sieve/report-ham.sieve

@@ -0,0 +1,15 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+  stop;
+}
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "sa-learn-ham.sh" [ "${username}" ];

hosts/hetzner-vm/services/mailserver/spam_sieve/report-spam.sieve

@@ -0,0 +1,7 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "sa-learn-spam.sh" [ "${username}" ];

hosts/hetzner-vm/services/restic.nix

@@ -12,6 +12,7 @@ let
     mail_config.vmail_config.directory
     mail_config.sieve_directory
     mail_config.dkim_directory
+    "/var/lib/redis-rspamd"
   ];
   timerConfig = {
     OnBootSec = "1m";