diff --git a/hosts/hetzner-vm/services/mail.nix b/hosts/hetzner-vm/services/mail.nix index 6e330f4..41ea1da 100644 --- a/hosts/hetzner-vm/services/mail.nix +++ b/hosts/hetzner-vm/services/mail.nix @@ -7,5 +7,6 @@ ./mailserver/firewall.nix ./mailserver/webmail.nix ./mailserver/opendkim.nix + ./mailserver/rspamd.nix ]; } diff --git a/hosts/hetzner-vm/services/mailserver/dovecot.nix b/hosts/hetzner-vm/services/mailserver/dovecot.nix index 320f52e..d65956d 100644 --- a/hosts/hetzner-vm/services/mailserver/dovecot.nix +++ b/hosts/hetzner-vm/services/mailserver/dovecot.nix @@ -51,6 +51,23 @@ let chmod 600 ${passwdFile} ''; + + pipeBin = pkgs.stdenv.mkDerivation { + name = "pipe_bin"; + src = ./pipe_bin; + buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ]; + buildCommand = '' + mkdir -p $out/pipe/bin + cp $src/* $out/pipe/bin/ + chmod a+x $out/pipe/bin/* + patchShebangs $out/pipe/bin + + for file in $out/pipe/bin/*; do + wrapProgram $file \ + --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin" + done + ''; + }; in { services.dovecot2 = { enable = true; @@ -165,11 +182,24 @@ in { } plugin { + sieve_plugins = sieve_imapsieve sieve_extprograms sieve = file:${mail_config.sieve_directory}/%u/scripts;active=${mail_config.sieve_directory}/%u/active.sieve sieve_default = file:${mail_config.sieve_directory}/%u/default.sieve sieve_default_name = default - sieve_global_extensions = +vnd.dovecot.environment + # From elsewhere to Spam folder + imapsieve_mailbox1_name = Junk + imapsieve_mailbox1_causes = COPY + imapsieve_mailbox1_before = file:${./spam_sieve/report-spam.sieve} + + # From Spam folder to elsewhere + imapsieve_mailbox2_name = * + imapsieve_mailbox2_from = Junk + imapsieve_mailbox2_causes = COPY + imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve} + + sieve_pipe_bin_dir = ${pipeBin}/pipe/bin + sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment } lda_mailbox_autosubscribe = yes lda_mailbox_autocreate = yes diff --git a/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-ham.sh b/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-ham.sh new file mode 100644 index 0000000..76fc4ed --- /dev/null +++ b/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-ham.sh @@ -0,0 +1,3 @@ +#!/bin/bash +set -o errexit +exec rspamc -h /run/rspamd/worker-controller.sock learn_ham \ No newline at end of file diff --git a/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-spam.sh b/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-spam.sh new file mode 100644 index 0000000..2a2f766 --- /dev/null +++ b/hosts/hetzner-vm/services/mailserver/pipe_bin/rspam-learn-spam.sh @@ -0,0 +1,3 @@ +#!/bin/bash +set -o errexit +exec rspamc -h /run/rspamd/worker-controller.sock learn_spam \ No newline at end of file diff --git a/hosts/hetzner-vm/services/mailserver/postfix.nix b/hosts/hetzner-vm/services/mailserver/postfix.nix index f89914c..e080593 100644 --- a/hosts/hetzner-vm/services/mailserver/postfix.nix +++ b/hosts/hetzner-vm/services/mailserver/postfix.nix @@ -148,7 +148,7 @@ in { tls_random_source = "dev:/dev/urandom"; - smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ]; + smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" "unix:/run/rspamd/rspamd-milter.sock" ]; non_smtpd_milters = [ "unix:/run/opendkim/opendkim.sock" ]; milter_protocol = "6"; diff --git a/hosts/hetzner-vm/services/mailserver/rspamd.nix b/hosts/hetzner-vm/services/mailserver/rspamd.nix new file mode 100644 index 0000000..e7478b8 --- /dev/null +++ b/hosts/hetzner-vm/services/mailserver/rspamd.nix @@ -0,0 +1,94 @@ +{ config, pkgs, lib, ... }: + +let + mail_config = (import ./config.nix { }); + + postfixCfg = config.services.postfix; + rspamdCfg = config.services.rspamd; + rspamdSocket = "rspamd.service"; +in { + + services.rspamd = { + enable = true; + debug = mail_config.debug_mode; + locals = { + "milter_headers.conf" = { + text = '' + extended_spam_headers = yes; + ''; + }; + "redis.conf" = { + text = '' + servers = "127.0.0.1:6380"; + ''; + }; + "classifier-bayes.conf" = { + text = '' + cache { + backend = "redis"; + } + ''; + }; + "dkim_signing.conf" = { + text = '' + # opendkim does this + enabled = false; + ''; + }; + }; + + overrides = { + "milter_headers.conf" = { + text = '' + extended_spam_headers = true; + ''; + }; + }; + + workers.rspamd_proxy = { + type = "rspamd_proxy"; + bindSockets = [{ + socket = "/run/rspamd/rspamd-milter.sock"; + mode = "0664"; + }]; + count = 1; + extraConfig = '' + milter = yes; + timeout = 120s; + + upstream "local" { + default = yes; + self_scan = yes; + } + ''; + }; + workers.controller = { + type = "controller"; + count = 1; + bindSockets = [{ + socket = "/run/rspamd/worker-controller.sock"; + mode = "0666"; + }]; + includes = [ ]; + }; + + }; + + services.redis.servers.rspamd = { + enable = true; + port = 6380; + }; + + systemd.services.rspamd = { + requires = [ "redis-rspamd.service" ]; + after = [ "redis-rspamd.service" ]; + }; + + systemd.services.postfix = { + after = [ rspamdSocket ]; + requires = [ rspamdSocket ]; + }; + + users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ]; +} + diff --git a/hosts/hetzner-vm/services/mailserver/spam_sieve/report-ham.sieve b/hosts/hetzner-vm/services/mailserver/spam_sieve/report-ham.sieve new file mode 100644 index 0000000..da74b34 --- /dev/null +++ b/hosts/hetzner-vm/services/mailserver/spam_sieve/report-ham.sieve @@ -0,0 +1,15 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"]; + +if environment :matches "imap.mailbox" "*" { + set "mailbox" "${1}"; +} + +if string "${mailbox}" "Trash" { + stop; +} + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn-ham.sh" [ "${username}" ]; \ No newline at end of file diff --git a/hosts/hetzner-vm/services/mailserver/spam_sieve/report-spam.sieve b/hosts/hetzner-vm/services/mailserver/spam_sieve/report-spam.sieve new file mode 100644 index 0000000..4024b7a --- /dev/null +++ b/hosts/hetzner-vm/services/mailserver/spam_sieve/report-spam.sieve @@ -0,0 +1,7 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"]; + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn-spam.sh" [ "${username}" ]; \ No newline at end of file diff --git a/hosts/hetzner-vm/services/restic.nix b/hosts/hetzner-vm/services/restic.nix index bd78706..63ca893 100644 --- a/hosts/hetzner-vm/services/restic.nix +++ b/hosts/hetzner-vm/services/restic.nix @@ -12,6 +12,7 @@ let mail_config.vmail_config.directory mail_config.sieve_directory mail_config.dkim_directory + "/var/lib/redis-rspamd" ]; timerConfig = { OnBootSec = "1m";